F5 Lifecycle Operator

The F5 Lifecycle Operator (FLO) is a custom controller designed to automate the management and lifecycle operations of BIG-IP Next for Kubernetes deployed within a cluster. It ensures that resources such as pods, services, and network configurations are provisioned, updated, scaled, and monitored based on the desired state defined in the CNE Instance Custom Resource Definition (CRD).

When the CNEInstance CR is applied, FLO deploys all required BIG-IP Next for Kubernetes components by instantiating a CR for each, including the Cluster Wide Controller (CWC), F5 Ingress, DSSM, and Traffic Management Microkernel (TMM). FLO continuously monitors the CNEInstance CR and automatically redeploys modified configurations to maintain optimal performance.

Key Features of the Lifecycle Operator:

  • Declarative Management: Ensures application states match the specifications provided in manifests or CRDs.

  • Continuous Monitoring and Reconciliation: Detects environment changes based on CNEInstance CR and reconciles resources to maintain their intended state.

  • CR Status Insights: Provides insights into FLO-specific Custom Resource (CR) status to help users track resource health, readiness, and key events. For more information, see FLO Custom Resource (CR) Status Conditions.

  • Simplified CRD Management: Enables seamless management of Gateway API Standard CRDs, BNKGateway Extension CRDs, and F5 CRDs. For more information, see Custom Resource Definitions (CRDs) Management.

  • Environment Discovery (Env-Discovery): Automatically identifies environment configurations (e.g., CNI plugins like Calico, OVN, and Flannel) and runtime settings (e.g., DPU nodes). This simplifies BIG-IP Next for Kubernetes installation, optimizes TMM workloads, and prevents control plane workloads from being scheduled on DPU nodes. For more information, see Automated Environment Discovery in BIG-IP Next for Kubernetes.

FLO Custom Resource (CR) Status Conditions

A Custom Resource (CR) Status Condition is a standardized way to represent the current state or operational status of a Custom Resource (CR) created for an application or controller. Conditions provide an easily readable summary of a resource’s state and allow controllers, operators, and end users to track key information about resource health, readiness, or any critical events. Users can run kubectl describe or inspect the API output to see whether the resource is ready or has issues.

The FLO Custom Resource (CR) Status Conditions are specific to the CRs that FLO creates to deploy BIG-IP Next for Kubernetes components. FLO includes three status condition types: Accepted, Reconciled, and Available. These condition types provide the basic details of the component CR’s current state and are updated to inform users of any issues.

Base Conditions

Accepted

The Accepted type indicates whether the resource has been received by the FLO and is valid for generating configurations for a managed component. It does not confirm whether the configuration has been applied to the managed component.

| Status | Reason | Message |
|---|---|---|
| True | Accepted | The resource has been received by the FLO and is ready for further processing. |
| False | Failed | A failure has occurred in the initial processing of the resource by the FLO. |
| Unknown | Pending | The resource has not been received by the FLO. NOTE: This state is unused. |

Reconciled

The Reconciled type indicates that the resource has been used to generate configurations applied to a managed component.

Note

The Unknown status should not be set after the resource is initially accepted. This status indicates that the FLO has not yet seen the resource, which is inaccurate if the controller is actively updating this status.

| Status | Reason | Message |
|---|---|---|
| True | Reconciled | The resource has been received by FLO and used to generate configurations for managed components. |
| False | Waiting | The resource has been received by FLO, but additional resources are required before it can generate configurations for managed components. |
| False | Failed | A failure occurred during the processing of this resource into configurations for a managed component. |
| Unknown | Pending | The resource has not been received or initially processed by the f5-lifecycle-operator. |

Available

The Available type represents the state of the managed component. Its Status and Message fields are displayed to the end user when running the kubectl get command or the platform-specific equivalent.

Note

The Unknown status should not be set after the resource is initially accepted. This status indicates that the FLO has not yet seen the resource, which is inaccurate if the controller is actively updating this status.

| Status | Reason | Message |
|---|---|---|
| True | Available | The managed component is in a running state. |
| False | Failed | A failure occurred during the initialization of the managed component. |
| False | Pending | Initialization checks for the component are unavailable, possibly due to an environmental issue. |
| Unknown | Pending | The resource has not been received or processed by FLO. |

CNEInstance Component Condition Types

CNEInstance includes additional condition types that are variants of the Available condition type. These conditions, such as CWCAvailable, correspond to specific components and align with the Available condition type’s structure in their respective Custom Resources (CRs). These component-specific conditions are consolidated into the Available condition type for CNEInstance, allowing any messages and the overall state of components to be reflected in a single Available condition.

For example, if the DSSM component encounters issues, its Available type will be in the False and Pending state.

status:
    conditions:
    - lastTransitionTime: "2025-08-12T04:14:44Z"
      message: Environment Discovery completed successfully
      observedGeneration: 3
      reason: EnvDiscoverySucceeded
      status: "True"
      type: EnvDiscoverySummary
    - lastTransitionTime: "2025-08-12T04:14:44Z"
      message: Environment Discovery completed successfully
      observedGeneration: 3
      reason: EnvDiscoverySucceeded
      status: "True"
      type: EnvDiscovery-arm64-sm-37
    - lastTransitionTime: "2025-08-12T04:14:42Z"
      message: Environment Discovery completed successfully
      observedGeneration: 3
      reason: EnvDiscoverySucceeded
      status: "True"
      type: EnvDiscovery-sm37-dpu1
    - lastTransitionTime: "2025-08-12T04:14:43Z"
      message: Environment Discovery completed successfully
      observedGeneration: 3
      reason: EnvDiscoverySucceeded
      status: "True"
      type: EnvDiscovery-sm37-dpu2
    - lastTransitionTime: "2025-08-12T04:14:44Z"
      message: Initial processing performed
      observedGeneration: 3
      reason: Accepted
      status: "True"
      type: Accepted
    - lastTransitionTime: "2025-08-12T04:29:49Z"
      message: ""
      observedGeneration: 3
      reason: Reconciled
      status: "True"
      type: Reconciled
    - lastTransitionTime: "2025-08-12T04:37:31Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: Available
    - lastTransitionTime: "2025-08-12T04:30:03Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: CRDInstallerAvailable
    - lastTransitionTime: "2025-08-12T04:30:31Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: F5IngressAvailable
    - lastTransitionTime: "2025-08-12T04:31:55Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: F5TmmAvailable
    - lastTransitionTime: "2025-08-12T04:15:12Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: NodeLabelerAvailable
    - lastTransitionTime: "2025-08-12T04:30:39Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: ObserverAvailable
    - lastTransitionTime: "2025-08-12T04:26:44Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: AfmAvailable
    - lastTransitionTime: "2025-08-12T04:15:20Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: OtelCollectorAvailable
    - lastTransitionTime: "2025-08-12T04:19:35Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: FluentdAvailable
    - lastTransitionTime: "2025-08-12T04:19:38Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: RabbitmqAvailable
    - lastTransitionTime: "2025-08-12T04:36:45Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: DSSMAvailable
    - lastTransitionTime: "2025-08-12T04:30:34Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: CRDConversionAvailable
    - lastTransitionTime: "2025-08-12T04:31:19Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: CwcAvailable
    - lastTransitionTime: "2025-08-12T04:30:34Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: IPAMControllerAvailable
    - lastTransitionTime: "2025-08-12T04:30:31Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: CoremondAvailable
    - lastTransitionTime: "2025-08-12T04:30:37Z"
      message: ""
      observedGeneration: 3
      reason: Available
      status: "True"
      type: CSRCAvailable
kind: List
metadata:
    resourceVersion: ""
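
An added example (not F5's code) of one way to turn the conditions above into a readiness verdict: it checks the three base types and every component-specific Available variant, flags an Unknown status after acceptance as the Note describes, and treats a condition whose observedGeneration lags metadata.generation as stale. The sample resource is constructed, with DSSMAvailable set to False/Pending as in the sentence above; the staleness check assumes the standard Kubernetes meaning of observedGeneration, which the page does not spell out.

```python
# Constructed sample shaped like `kubectl get <cneinstance> -o json`; values are illustrative.
SAMPLE = {
    "metadata": {"generation": 4},
    "status": {"conditions": [
        {"type": "Accepted", "status": "True", "reason": "Accepted", "observedGeneration": 4},
        {"type": "Reconciled", "status": "True", "reason": "Reconciled", "observedGeneration": 4},
        {"type": "Available", "status": "False", "reason": "Pending", "observedGeneration": 4},
        {"type": "DSSMAvailable", "status": "False", "reason": "Pending", "observedGeneration": 4},
        {"type": "CwcAvailable", "status": "True", "reason": "Available", "observedGeneration": 3},
    ]},
}

BASE_TYPES = ("Accepted", "Reconciled", "Available")


def evaluate(resource):
    """Return (ready, findings) for a CR dict with metadata.generation and status.conditions."""
    generation = resource["metadata"]["generation"]
    conditions = resource.get("status", {}).get("conditions", [])
    by_type = {c["type"]: c for c in conditions}
    findings = [f"{name}: condition missing" for name in BASE_TYPES if name not in by_type]

    accepted = by_type.get("Accepted", {}).get("status") == "True"
    for cond in conditions:
        name, status = cond["type"], cond["status"]
        # Base types and component variants such as DSSMAvailable must all be True.
        if name in BASE_TYPES or name.endswith("Available"):
            if status == "Unknown" and accepted and name != "Accepted":
                findings.append(f"{name}: Unknown after the resource was accepted")
            elif status != "True":
                findings.append(f"{name}: {status}/{cond.get('reason', '')}")
        # A condition computed from an older spec says nothing about the current one.
        observed = cond.get("observedGeneration", generation)
        if observed < generation:
            findings.append(f"{name}: stale (observedGeneration {observed} < {generation})")
    return (not findings, findings)


if __name__ == "__main__":
    ready, findings = evaluate(SAMPLE)
    print("READY" if ready else "NOT READY")
    for line in findings:
        print(" -", line)
```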

Custom Resource Definitions (CRDs) Management

FLO manages the lifecycle of Gateway API standard CRDs and F5 CRDs in a cluster, including installation, upgrade, and uninstallation. During the installation or upgrade of F5 CRDs, the CRD Installer job validates the manifest version and installs the appropriate F5 CRDs required for the specified BIG-IP Next for Kubernetes version. If F5 CRDs are present, the CRD Installer job upgrades them if their version is older than the version defined in the manifest.

Important

FLO does not monitor CRD content or revert changes to F5 CRDs if they are manually edited.

Users who are upgrading from BIG-IP Next for Kubernetes v2.0.0 must uninstall the F5 CRDs before installing BIG-IP Next for Kubernetes v2.1.0.
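
Because FLO neither monitors nor reverts manual edits to F5 CRDs, drift has to be detected outside the operator. The following added example (not part of FLO or of F5's tooling) fingerprints each CRD's spec right after installation and later reports which part changed; the group and CRD names are constructed placeholders, and the input is assumed to be a CRD list object such as `kubectl get crd -o json` returns.

```python
import hashlib
import json


def digest(obj):
    # Canonical JSON (sorted keys, no whitespace) so key order cannot change the hash.
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def fingerprint(crd):
    """Hash each version of a CRD separately, plus the rest of its spec; metadata is ignored."""
    spec = crd["spec"]
    parts = {"version:" + v["name"]: digest(v) for v in spec.get("versions", [])}
    parts["spec"] = digest({k: v for k, v in spec.items() if k != "versions"})
    return parts


def snapshot(crd_list, group):
    """Map CRD name -> fingerprint for every CRD of `group` in a CRD list object."""
    return {c["metadata"]["name"]: fingerprint(c)
            for c in crd_list["items"] if c["spec"]["group"] == group}


def drift(baseline, current):
    """Return {crd_name: [changed parts]}; a missing or new CRD is reported as such."""
    report = {}
    for name in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(name), current.get(name)
        if old is None or new is None:
            report[name] = ["removed" if new is None else "added"]
        elif old != new:
            report[name] = sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))
    return report


def make_crd(name, group, pattern, resource_version):
    # Constructed CRD with one version and one pattern-validated string field.
    schema = {"openAPIV3Schema": {"type": "object", "properties": {
        "host": {"type": "string", "pattern": pattern}}}}
    return {"metadata": {"name": name, "resourceVersion": resource_version},
            "spec": {"group": group, "scope": "Namespaced",
                     "versions": [{"name": "v1", "served": True, "storage": True, "schema": schema}]}}


GROUP = "example.invalid"  # placeholder group, not F5's
INSTALLED = {"items": [make_crd("widgets." + GROUP, GROUP, "^[a-z0-9.-]+$", "1"),
                       make_crd("gadgets." + GROUP, GROUP, "^[a-z0-9.-]+$", "1")]}
# Constructed manual edit: validation on one field loosened to match anything.
EDITED = {"items": [make_crd("widgets." + GROUP, GROUP, ".*", "2"),
                    make_crd("gadgets." + GROUP, GROUP, "^[a-z0-9.-]+$", "1")]}

if __name__ == "__main__":
    print(drift(snapshot(INSTALLED, GROUP), snapshot(EDITED, GROUP)))
```

The baseline is taken from the live objects rather than from the manifest because the API server adds defaulted fields to a CRD's spec on creation.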

For Gateway API standard CRDs, the CRD Installer job checks whether they are already installed in the cluster. If not, it installs them based on the version specified in the manifest file. If the installed Gateway API standard CRDs are incompatible with the BIG-IP Next for Kubernetes version being installed, FLO blocks the BIG-IP Next for Kubernetes installation, as the CNE Controller requires compatible CRDs.

Important

FLO does not support the upgrade or uninstallation of Gateway API standard CRDs, even if they were initially installed by FLO.

If the installation or upgrade of F5 CRDs fails, FLO updates the CNEInstance CR with the component status and blocks the BNK installation. A message is provided to inform the user of the current F5 use case CRD version and the expected version required for installation.

BIG-IP Next for Kubernetes Uninstallation Scenarios

| Scenario | Expected Behavior |
|---|---|
| Full Cleanup Disabled | F5 CRDs and Gateway API CRDs remain in the cluster after BIG-IP Next for Kubernetes uninstallation. |
| Full Cleanup Enabled | F5 use case CRs and CRDs are deleted after BIG-IP Next for Kubernetes uninstallation. However, Gateway API CRDs persist in the cluster, as they may be required for other vendors. |

Automated Environment Discovery in BIG-IP Next for Kubernetes

FLO Environment Discovery (Env-Discovery) dynamically identifies and adapts to the environment configurations in which Kubernetes workloads operate. It detects applications and resources, such as CNI plugins and network configurations, to identify the underlying environment automatically. FLO Env-Discovery uses Kubernetes API calls with Read RBAC permissions to query Kubernetes resources and node configurations.

In BIG-IP Next for Kubernetes, Env-Discovery automatically detects the resources that the environment requires, such as Multus, SRIOV Device Plugin, ConfigMaps, and other components critical for TMM operation. Additionally, the Env-Discovery agent retrieves host node information, including SRIOV interfaces, Scalable Functions, Virtual Functions, and IP configurations. Runtime configurations are discovered to reduce manual work, such as detecting node types (e.g., DPUs) for adding labels and taints to target TMM workloads while ensuring control plane workloads do not deploy on DPU nodes.
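
The read-only claim above can be checked against whatever Role or ClusterRole is bound to the discovery workload. The following added example (not FLO's shipped RBAC or code) audits a role's rules for verbs beyond get/list/watch and, as a reviewer's heuristic, also reports unscoped reads of secrets or wildcard resources; the role name and rules are constructed.

```python
READ_VERBS = {"get", "list", "watch"}
# Reading these still exposes credentials, so they are reported even under read-only verbs.
SENSITIVE = {"secrets", "*"}


def audit_role(role):
    """Return (rule index, kind, detail) for each rule that is not a plain read."""
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        extra = sorted(verbs - READ_VERBS)  # also catches the "*" wildcard verb
        if extra:
            findings.append((index, "write", extra))
        elif resources & SENSITIVE and not rule.get("resourceNames"):
            # Read-only, but on sensitive resources and not narrowed to named objects.
            findings.append((index, "sensitive-read", sorted(resources & SENSITIVE)))
    return findings


def is_read_only(role):
    """True when no rule grants a verb outside get/list/watch."""
    return not any(kind == "write" for _, kind, _ in audit_role(role))


# Constructed ClusterRole; the name and rules are illustrative only.
SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "env-discovery-example"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes", "configmaps"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["k8s.cni.cncf.io"], "resources": ["network-attachment-definitions"],
         "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "patch"]},
        {"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["*"]},
    ],
}

if __name__ == "__main__":
    for index, kind, detail in audit_role(SAMPLE_ROLE):
        print(f"rule {index}: {kind} {detail}")
    print("read-only:", is_read_only(SAMPLE_ROLE))
```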

To install the BIG-IP Next for Kubernetes application, users create the CNEInstance CR. FLO automatically creates a Job to run the Env-Discovery pod, which detects Kubernetes resources, host node information, and DPU node details. After completing the Env-Discovery Job, the pod logs the results and updates the CNEInstance CR status with a summarized report of each resource. The Env-Discovery Job runs every time the CNEInstance CR is reconciled, either due to configuration changes or at a 5-minute interval. FLO proceeds with the installation of BIG-IP Next for Kubernetes if the Env-Discovery pod detects some resources with a Warning status. However, the installation is halted if the Env-Discovery pod detects any resources with a FAIL status.

  • PASS Status: If all prerequisites are successfully verified, a summarized PASS status is added to the status section of the CNEInstance CR.

  • FAIL Status: If any checks fail, the status section displays FAIL along with detailed information about the failed item and steps to resolve the issue.

The table below lists the resources the Env-Discovery pod automatically detects:

Environment Discovery Resources

| Resource | Description | BIG-IP Next for Kubernetes Installation Restrictions |
|---|---|---|
| Kubernetes Resources | | |
| Cert Manager | Required for zero-trust certificate generation and rotation | NA |
| Clusterissuer | Required for certificate generation | NA |
| CNI | Checks for the CNI type such as Calico, Flannel, VPC-CNI (EKS), or OCI-CNI (Oracle) and runs additional checks for pod CIDR and TMM env var for Calico. | Blocks installation with ERROR |
| CNI SRIOV Plugins | SR-IOV Network Device Plugin advertises the SF on the DPU node to Kubernetes. | Allows installation with WARNING (WARN) |
| SRIOV ConfigMap | ConfigMap for SRIOV Plugin to attach SRIOV resources to K8S | Blocks installation with ERROR |
| CNI Multus Plugin | SFs created on the DPU nodes are exposed to the TMM pods for traffic processing | Blocks installation with ERROR |
| Network Attachment Definition | Connects underlying network (SF) to a TMM | Blocks installation with ERROR |
| SRIOV SF ConfigMap | ConfigMap for SRIOV Plugin to attach SRIOV resources to K8S | Allows installation with WARNING (WARN) |
| DPU Node Resources | | |
| DPU Node Taint | Restricts the DPU to run only the TMM and prevents Control Plane workloads from being scheduled on the DPU nodes | Allows installation with WARNING (WARN) |
| DOCA 2.9.2 on DPU Node | Enables hardware offload, acceleration, and isolation of data center workloads | Allows installation with WARNING (WARN) |
| Scalable Functions | SRIOV Interface needed by TMM | Allows installation with WARNING (WARN) |
| VFIO | Used by TMM | Blocks installation with ERROR |
| CPU | Available CPU on the DPU node for TMM threads | Allows installation with WARNING (WARN) |
| Memory | Memory on DPU Node for TMM and other containers in the TMM pod | Allows installation with WARNING (WARN) |
| Hugepages | HugePages makes it possible for the operating system to support memory pages greater than the default (usually 4 KB). Hugepages are necessary for the proper functioning of both the Traffic Management Microkernel (TMM) and the Data Plane Development Kit (DPDK). | Allows installation with WARNING (WARN) |
| Openvswitch Configuration DPU Node | To establish connectivity between the host (VF) and the BlueField-3 (SF) | Allows installation with WARNING (WARN) |
| Host Node Resources | | |
| Host Node annotations routing | Used by TMM to route traffic via the fastest path via the CPU’s Virtual Function | Allows installation with WARNING (WARN) |

Note

The status and messages will only update during the next job run; until then, the previous state will remain displayed.