F5SPKIngressUDP

The F5SPKIngressUDP CR configures the Traffic Management Microkernel (TMM) to proxy and load balance low-latency UDP application traffic between networks using a virtual server and load balancing pool. The F5SPKIngressUDP CR also provides options to tune how connections are processed, and to monitor the health of Service object Endpoints. To access the complete list of CRs, see BIG-IP Next for Kubernetes CRs.

CR parameters

The CR parameters used in this document are detailed in the tables below. For a complete list of parameters, see F5SPKIngressUDP Reference.

service

The table below describes the CR service parameters.

Parameter Description
name Selects the Service object name for the internal applications (Pods), and creates a round-robin load balancing pool using the Service Endpoints.
port Selects the Service object port value.

spec

The table below describes the CR spec parameters.

Parameter Description
destinationAddress Creates an IPv4 virtual server address for ingress connections.
destinationPort Defines the service port for inbound connections. When the Kubernetes service being load balanced has multiple ports, install one CR per service, or use port 0 for all ports.
ipv6destinationAddress Creates an IPv6 virtual server address for ingress connections.
idleTimeout The UDP connection idle timeout period in seconds (1-4294967295). The default value is 60 seconds.
loadBalancingMethod Specifies the load balancing method used to distribute traffic across pool members: ROUND_ROBIN distributes connections evenly across all pool members (default), and RATIO_LEAST_CONN_MEMBER distributes connections first to members with the least number of active connections.
snat Enables translating the source IP address of ingress packets to TMM's self IP addresses: SRC_TRANS_AUTOMAP to enable, or SRC_TRANS_NONE to disable (default). Note: Currently, the ingress use case with the SRC_TRANS_NONE type is not supported for LA.
vlans.vlanList Specifies a list of F5SPKVlan CRs to listen for ingress traffic, using the CR's metadata.name. The list can also be disabled using disableListedVlans.
vlans.category Specifies an F5SPKVlan CR category to listen for ingress traffic. The category can also be disabled using disableListedVlans.

monitors

The table below describes the CR monitors parameters.

Parameter Description
icmp.interval Specifies in seconds the monitor check frequency: 1 to 86400. The default is 5.
icmp.timeout Specifies in seconds the time in which the target must respond: 1 to 86400. The default is 16.

CR example

apiVersion: "ingressudp.k8s.f5net.com/v1"
kind: F5SPKIngressUDP
metadata:
  name: "bind-dns-cr"
  namespace: "udp-apps"
service:
  name: "bind-dns"
  port: 53
spec:
  destinationAddress: "192.168.1.123"
  destinationPort: 53
  ipv6destinationAddress: "2001::100:100"
  idleTimeout: 30
  loadBalancingMethod: "RATIO_LEAST_CONN_MEMBER"
  snat: "SRC_TRANS_AUTOMAP"
  persist:
    mode: "PERSIST_TYPE_SRCADDR"
    timeout: 60
    ipv4PrefixLength: 24
  vlans:
    vlanList:
    - vlan-external
monitors:
  icmp:
  - interval: 3
    timeout: 10
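
The documented ranges and values in the tables above can be checked before a CR is applied. The following is an added example, not F5 code: a small lint over a CR supplied as a Python dict. The names `lint_cr`, `get`, `in_range`, `is_addr` and `SAMPLE` are hypothetical, and the sample input is constructed with three deliberate mistakes.

```python
import ipaddress

# Documented values and ranges, copied from the parameter tables on this page.
ENUMS = {
    "spec.loadBalancingMethod": ("ROUND_ROBIN", "RATIO_LEAST_CONN_MEMBER"),
    "spec.snat": ("SRC_TRANS_AUTOMAP", "SRC_TRANS_NONE"),
    "spec.persist.mode": ("PERSIST_TYPE_NONE", "PERSIST_TYPE_SRCADDR"),
    "spec.persist.hashAlg": ("PERSIST_HASH_DEFAULT", "PERSIST_HASH_CARP"),
}
RANGES = {"spec.idleTimeout": (1, 4294967295), "spec.persist.ipv4PrefixLength": (0, 32),
          "spec.persist.ipv6PrefixLength": (0, 128)}
ADDRS = {"spec.destinationAddress": 4, "spec.ipv6destinationAddress": 6}

def get(cr, path):  # walk a dotted path through nested dicts; None if absent
    for key in path.split("."):
        cr = cr.get(key) if isinstance(cr, dict) else None
    return cr

def in_range(val, lo, hi):
    return isinstance(val, int) and not isinstance(val, bool) and lo <= val <= hi

def is_addr(val, version):
    try:
        return isinstance(val, str) and ipaddress.ip_address(val).version == version
    except ValueError:
        return False

def lint_cr(cr):
    """Return findings for an F5SPKIngressUDP CR supplied as a dict."""
    out = [f"{p}: {get(cr, p)!r} is not a documented value"
           for p, ok in ENUMS.items() if get(cr, p) not in (*ok, None)]
    out += [f"{p}: {get(cr, p)!r} is outside {lo}-{hi}" for p, (lo, hi) in RANGES.items()
            if get(cr, p) is not None and not in_range(get(cr, p), lo, hi)]
    out += [f"{p}: {get(cr, p)!r} is not an IPv{v} address" for p, v in ADDRS.items()
            if get(cr, p) is not None and not is_addr(get(cr, p), v)]
    for i, mon in enumerate(get(cr, "monitors.icmp") or []):
        out += [f"monitors.icmp[{i}].{f}: {mon[f]!r} is outside 1-86400"
                for f in ("interval", "timeout") if f in mon and not in_range(mon[f], 1, 86400)]
    if get(cr, "spec.snat") in (None, "SRC_TRANS_NONE"):
        out.append("spec.snat: SRC_TRANS_NONE (the default) is noted as not supported for LA")
    return out

# Constructed input: the page's example CR, trimmed, with three deliberate mistakes.
SAMPLE = {
    "spec": {"destinationAddress": "2001::100:100", "idleTimeout": 0, "snat": "SRC_TRANS_AUTOMAP",
             "persist": {"mode": "PERSIST_TYPE_SRCADDR", "ipv4PrefixLength": 24}},
    "monitors": {"icmp": [{"interval": 3, "timeout": 100000}]},
}
print("\n".join(lint_cr(SAMPLE)))
```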

Dual-Stack environments

BIG-IP Next for Kubernetes TMM’s load balancing pool is created by discovering the Kubernetes Service Endpoints in the Project. In IPv4/IPv6 dual-stack environments, to populate the load balancing pool with IPv6 members, set the Service ipFamilyPolicy parameter to PreferDualStack and list IPv6 first under ipFamilies. For example:

kind: Service
metadata:
  name: bind-dns
  namespace: udp-apps
  labels:
    app: bind-dns
spec:
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
  - IPv6
  - IPv4

Important: When enabling PreferDualStack, ensure TMM’s internal F5SPKVlan interface configuration includes both IPv4 and IPv6 addresses.

Ingress traffic

To enable ingress network traffic, TMM must be configured to advertise virtual server IP addresses to external networks using the Border Gateway Protocol (BGP) dynamic routing protocol. Alternatively, you can configure appropriate routes on upstream devices. To configure BGP, see ZebOS ConfigMaps.

Session persistence

Session persistence enables the TMM to direct session requests to the same endpoint based on the client’s source IP address. To enable Persistence, set the F5SPKIngressUDP CR’s spec.persist.mode parameter to PERSIST_TYPE_SRCADDR.

Important: The spec.persist parameters require the dSSM Database to store session persistence records.

The table below describes the spec.persist parameters.

Parameter Description
spec.persist.mode Specifies the type of persistence: PERSIST_TYPE_NONE (default) or PERSIST_TYPE_SRCADDR - direct session requests to the same endpoint based on the client's source IP address. Requires the dSSM Database.
spec.persist.timeout Specifies the duration for the session persistence entries. The default value is 180 seconds.
spec.persist.hashAlg Specifies the algorithm the system uses for hash persistence load balancing: PERSIST_HASH_DEFAULT (default) - use an index of the pool members (endpoints) to determine the hash, or PERSIST_HASH_CARP - use the Cache Array Routing Protocol (CARP) to determine the hash.
spec.persist.ipv4PrefixLength Specifies the IPv4 prefix length that you want to use as the mask: 0-32. The default value is 32.
spec.persist.ipv6PrefixLength Specifies the IPv6 prefix length that you want to use as the mask: 0-128. The default value is 128.
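
The prefix-length parameters decide which clients are treated as the same source. The following added example (not F5 code, and not TMM's implementation) models the mask by assuming the persistence key is the client source address masked with the configured prefix length; `persistence_key`, `group_clients` and the client addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def persistence_key(src_ip, ipv4_prefix=32, ipv6_prefix=128):
    """Mask a client source address with its address family's prefix length.

    Defaults mirror spec.persist.ipv4PrefixLength (32) and ipv6PrefixLength (128).
    """
    addr = ipaddress.ip_address(src_ip)
    prefix = ipv4_prefix if addr.version == 4 else ipv6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def group_clients(clients, ipv4_prefix=32, ipv6_prefix=128):
    """Group clients that share one masked source address (assumed persistence key)."""
    groups = defaultdict(list)
    for ip in clients:
        groups[persistence_key(ip, ipv4_prefix, ipv6_prefix)].append(ip)
    return dict(groups)

# Constructed client addresses from documentation ranges, not captured traffic.
CLIENTS = ["198.51.100.10", "198.51.100.77", "198.51.100.200",
           "203.0.113.5", "2001:db8:1::10", "2001:db8:1::20"]

if __name__ == "__main__":
    settings = (
        ("defaults (/32, /128)", {}),
        ("CR example, ipv4PrefixLength=24", {"ipv4_prefix": 24}),
        ("plus ipv6PrefixLength=64", {"ipv4_prefix": 24, "ipv6_prefix": 64}),
    )
    for label, kwargs in settings:
        groups = group_clients(CLIENTS, **kwargs)
        print(f"{label}: {len(groups)} distinct keys")
        for key, members in groups.items():
            print(f"  {key:<22} <- {', '.join(members)}")
```

With the CR example's ipv4PrefixLength of 24, the three 198.51.100.x clients collapse into one key, so under this model they are directed to the same endpoint; shorter prefixes trade load distribution for fewer persistence records.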

Requirements

Ensure you have:

  • Installed a K8S Service object and application.
  • A Linux-based workstation.

Installation

Use the following steps to obtain the application’s Service object configuration, and configure and apply the F5SPKIngressUDP CR.

  1. Switch to the application Project (namespace):

    kubectl config set-context --current --namespace=<project>
    

    In this example, the application is installed to the udp-apps Project:

    kubectl config set-context --current --namespace=udp-apps
    
  2. Obtain the Service object NAME and PORT to configure the CR service.name and service.port parameters:

    kubectl get service
    

    In this example, the Service object NAME is bind-dns and the PORT is 53:

    NAME        TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)       
    bind-dns    NodePort   10.99.99.99   <none>        53:30714/UDP 
    
  3. Copy the example CR into a YAML file:

    apiVersion: "ingressudp.k8s.f5net.com/v1"
    kind: F5SPKIngressUDP
    metadata:
      namespace: "udp-apps"
      name: "bind-dns-cr"
    service:
      name: "bind-dns"
      port: 53
    spec:
      destinationAddress: "192.168.1.123"
      destinationPort: 53 
      ipv6destinationAddress: "2001::100:100"
      idleTimeout: 30
      loadBalancingMethod: "RATIO_LEAST_CONN_MEMBER"
      snat: "SRC_TRANS_AUTOMAP"
      persist:
        mode: "PERSIST_TYPE_SRCADDR"
        timeout: 60
        ipv4PrefixLength: 24
      vlans:
        vlanList:
        - vlan-external
    monitors:
      icmp:
      - interval: 3
        timeout: 10
    
  4. Apply the F5SPKIngressUDP CR:

    kubectl apply -f spk-ingress-udp.yaml
    
  5. Verify the status of the installed CR:

    kubectl get f5-spk-ingressudp -n udp-apps
    

    In this example, the CR has installed successfully. Installation failures may indicate a missing CR dependency, such as a referenced VLAN.

    NAME          STATUS    MESSAGE
    bind-dns-cr   SUCCESS   CR config sent to all grpc endpoints
    
  6. DNS clients should now be able to connect to the application through the BIG-IP Next for Kubernetes TMM.

Connectivity statistics

Connect to the Debug Sidecar in the BIG-IP Next for Kubernetes TMM to view virtual server and pool member connectivity statistics.

  1. Log in to the BIG-IP Next for Kubernetes Debug container:

    kubectl exec -it f5-tmm-6cdbc6bb65-j2r7d -c debug -n default -- bash
    
  2. View the virtual server connection statistics:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
    

    For example:

    name                                serverside.tot_conns
    ----------------------------------- --------------------
    udp-apps-bind-dns-crd-virtual-server                 31
    
  3. View the load balancing pool connection statistics:

    tmctl -d blade pool_member_stat -s pool_name,serverside.tot_conns
    

    For example:

    udp-apps-bind-dns-crd-pool                        15
    udp-apps-bind-dns-crd-pool                        16
    

Supplemental