Gateway API

The BIG-IP Next for Kubernetes can be set up with Gateway API CRs to balance low-latency TCP and UDP application traffic between networks using a virtual server and load-balancing pool.

Gateway API is an open-source project managed by the SIG-NETWORK community. It is an API (a collection of resources) that models service networking in Kubernetes. These resources (GatewayClass, Gateway, L4Route, and others, along with the Kubernetes Service resource) aim to evolve Kubernetes service networking through expressive, extensible, and role-oriented interfaces that are implemented by many vendors and have broad industry support.

Benefits of Gateway API

  • Role-oriented: Gateway API kinds are modeled after organizational roles that are responsible for managing Kubernetes service networking:

    • Infrastructure Provider: Manages infrastructure that allows multiple isolated clusters to serve multiple tenants, for example, a cloud provider.

    • Cluster Operator: Manages clusters and is typically concerned with policies, network access, application permissions, and so on.

    • Application Developer: Manages an application running in a cluster and is typically concerned with application-level configuration and Service composition.

  • Portable: Gateway API specifications are defined as custom resources and are supported by many implementations.

  • Expressive: Gateway API kinds support functionality for common traffic routing use cases such as header-based matching, traffic weighting, and others that were only possible in Ingress by using custom annotations.

  • Extensible: Gateway allows for custom resources to be linked at various layers of the API. This makes granular customization possible at the appropriate places within the API structure.

Introduction to roles in Gateway API

The Infrastructure Provider is responsible for defining the GatewayClass, a cluster-scoped resource that represents a class of Gateways that can be instantiated.

The Cluster Operator manages the Gateway CR which acts as the entry point for external traffic and configures how incoming requests should be processed and forwarded to the right services within the cluster.

The Application Developer leverages resources such as HTTPRoute, L4Route, and gRPCRoute to define routing rules and manage traffic flow.
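
The role split described above maps onto Kubernetes RBAC, so each role can be limited to the Gateway API kinds it owns. The manifest below is an added example, not part of the F5 documentation; the role names and the `gateway-infra` and `apps` namespaces are assumptions, and the F5-specific L4Route is left out because its API group is not given on this page.

```yaml
# Infrastructure Provider: owns the cluster-scoped GatewayClass.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gatewayclass-admin        # assumed name
rules:
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gatewayclasses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Cluster Operator: manages Gateways (the entry points for external traffic)
# in one namespace. No write access to GatewayClass or to routes.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gateway-operator          # assumed name
  namespace: gateway-infra        # assumed namespace holding the Gateways
rules:
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Application Developer: manages routes in the application namespace only.
# Cannot create or modify Gateways, so cannot open new listeners.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: route-developer           # assumed name
  namespace: apps                 # assumed application namespace
rules:
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes", "grpcroutes"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Bind each role to the matching team with a ClusterRoleBinding (for the ClusterRole) or a RoleBinding in the same namespace as the Role.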

Gateway API Architecture

The architecture diagram of Gateway API in BIG-IP Next for Kubernetes:

Gateway API Architecture diagram

CNE controller

The CNE controller supports GW API CRs to align with industry standards. The F5 controller will have a common way to handle all adapter CRs, like BNKSecPolicy and BNKNetPolicy. It will also manage the attachment of specific objects, like F5BigFwPolicy or iRule, with easy support for soft references.

Gateway API CRs

This Gateway API supports the standard features of v1.2.0. The CNE controller manages the following CRs:

Adapter CRs

F5 supports different adapter CRDs to enable customization and manage complexity. These are the CRDs:

  • BNKSecPolicy: Designed to define or extend security settings. This CR can reference resources such as Firewall Policies (FWPolicy) or DOS Policies. Its targets include GatewayClass and Gateway. Security operators manage this policy.

  • BNKNetPolicy: Facilitates general extensions by referencing resources like iRules, TCPSettings, HSL, and more. Its target is the Gateway. Cluster operators manage this policy.

F5 CRs:

Community CRs:

Note: You can apply or delete the CRs based on specific use-case scenarios. If you need to reapply all the CRs, first clear the existing TMM configuration. To perform a clean configuration, it is recommended to delete all CRs while the controller is in a running state.

Gateway API Conformance tests

The Gateway API includes a comprehensive set of conformance tests. These tests check the implementation against the API specification by creating a series of Gateways and Routes with the specified GatewayClass. To view the tests and status, see Conformance Report.

Using F5 IPAM Controller

You can use the F5 IPAM Controller to manage IP addresses. Refer to F5 IPAM Controller for Gateway API for more details.

Firewall policy in Gateway API

You can apply a firewall policy to control traffic flow. Refer to Firewall policy in Gateway API.

F5 iRules in Gateway API

You can apply F5-specific iRules to Gateway API to customize and control network traffic. Refer to F5 iRules in Gateway API.

High-Speed Log (HSL) profiles in Gateway API

You can apply HSL profiles in Gateway API to enable high-speed logging of events such as firewall rules. Refer to High-Speed Log profiles in Gateway API.

Ingress DDoS protection in Gateway API

You can enable DDoS policies to defend against DDoS attacks over protocols. Refer to Ingress DDoS protection in Gateway API.

Supplemental

For more information on Gateway API and CR, refer to
