F5BigZeroratingPolicy

Overview

The F5BigZeroratingPolicy Custom Resource (CR) is an integral part of the Cloud-Native Network Functions (CNFs) Zero-Rating DNS solution; enabling subscriber access to applications with no impact, or increase, to billing quotas. CNFs Zero-Rating solution accomplishes this by steering application traffic using split-view DNS. When configured as a DNS resolver, the Traffic Management Microkernel (TMM) Proxy Pod provides clientside DNS responses using custom IP addresses, bypassing quota management, then resolving and routing traffic to the DNS domain name on the serverside.

The CNFs Zero-Rating solution requires the CRs listed below:

  • F5BigDatagroup
  • F5BigDnsCache
  • F5BigDnsApp
  • F5BigContextSecure

This document guides you through understanding, configuring and installing a simple CNFs Zero-Rating solution.

Zero-Rating example:

_images/cnf_zero_rating.png

CR parameters

F5BigZeroratingPolicy

The table below describes the F5BigZeroratingPolicy CR spec parameters.

Parameter Description
dnsResolver Specifies the F5BigDnsCache by metadata.name that will be used by TMM will resolve and cache external DNS queries.
dataGroup Specifies the F5BigDatagroup CR by metadata.name that will provide IP address to domain name mapping.
debugZeroRating Enables zero rating policy logging: true or false (default).

F5BigDatagroup

The table below describes the F5BigDatagroup CR spec parameters.

Parameter Description
recordType Specifies the type of the datagroup record. The current available option is address.
records Specifies a list of key and value pairs. The key represents an IPv4 or IPv6 address, and the value represents the domain name.

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigContextSecure CR shortName is secctx.

View CR instance:

oc get secctx -n <namespace>

View CR configuration:

oc get secctx -n <namespace> -o yaml

Requirements

Ensure you have:

Installation

Use the following steps to install the F5BigDnsApp and F5BigDnsCache CRs that will create a DNS record in the transparent cache for the domain example.com..

_images/spk_info.png Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. The F5BigDatagroup CR defines the clientside domain name to IP address mappings. Copy the example CR into a YAML file:

    Note: The CR provides IPv4 and IPv6 clientside mappings for the web.example.net domain name.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDatagroup
    metadata:
      name: "cnf-datagroup"
      namespace: "cnf-gateway"
    spec:
      recordType: "address"
      records: [
         { "key": "10.20.2.37",
           "value": "web.example.net"
         },
         { "key": "2002::10:20:2:37",
           "value": "v6web.example.net"
         }
      ]
    
  2. The transparent F5BigDnsCache CR defines the DNS record types for the clientside mappings. Copy the example transparent F5BigDnsCache CR into a YAML file:

    Note: The CR defines the DNS A and AAAA DNS record types for the clientside mappings.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsCache
    metadata:
      name: "cnf-transparent-cache"
      namespace: "cnf-gateway"
    spec:
      cacheType: transparent
      transparent:
        localZones:
        - name: example.net
          zoneType: static
          records:
            - web.example.net. IN A 10.20.2.37
            - v6web.example.net. IN AAAA 2002::10:20:2:37
    
  3. Install the F5BigDatagroup CR:

    oc apply -f cnf-datagroup-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigDatagroup CR was added/updated:

    I0223 12:00:00.12345  1 event.go:282] Event(v1.ObjectReference{Kind:\"F5BigDatagroup\", 
    F5BigDatagroup cnf-gateway/cnf-datagroup was added/updated
    
  4. Install the transparent F5BigDnsCache CR:

    oc apply -f cnf-transparent-dns.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigDnsCache CR was added/updated:

    I0208 12:00:00.12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dnscache",
    F5Dnscache cnf-gateway/cnf-transparent-cache was added/updated
    
  5. The net-resolver F5BigKDnsCache CR defines both a domain name, and the domain name server to query. Copy one of the example F5BigDnsCache CRs into a YAML file: Example 1 queries and caches all domains, while Example 2 queries and caches two specific domains:

    Example 1:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsCache
    metadata:
      name: cnf-resolver-cache
      namespace: cnf-gateway
    spec:
      cacheType: net-resolver
      netResolver:
        forwardZones:
          - forwardZone: .
            nameServers:
              - ipAddress: 10.30.2.1
                port: 53
    

    Example 2:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsCache
    metadata:
      name: cnf-resolver-cache
      namespace: cnf-gateway
    spec:
      cacheType: net-resolver
      netResolver:
        forwardZones:
          - forwardZone: example.net
            nameServers:
              - ipAddress: 10.30.2.1
                port: 53
          - forwardZone: internal.org
            nameServers:
              - ipAddress: 10.10.10.1
                port: 53
    
  6. Install the net-resolver F5BigDnsCache CR:

    oc apply -f cnf-netresolv-dns.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigDnsCache CR was added/updated:

    I0208 12:00:00.12345   1 event.go:282] Event(v1.ObjectReference{Kind:"F5Dnscache",
    F5Dnscache cnf-gateway/cnf-resolver-cache was added/updated
    
  7. The F5BigZeroratingPolicy CR groups the clientside domain name mappings and the serverside DNS resolver. Copy the example F5BigZeroratingPolicy CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigZeroratingPolicy
    metadata:
      name: "cnf-zerorate-policy"
      namespace: "cnf-gateway"
    spec:
      dnsResolver: "cnf-resolver-cache"
      dataGroup: "cnf-datagroup"
      debugZeroRating: true
    
  8. Install the F5BigZeroratingPolicy CR:

    oc apply -f cnf-zerorate-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigZeroratingPolicy CR was added/updated:

    I0223 12:00:00.12345  1 event.go:282] Event(v1.ObjectReference{Kind:\"F5BigZeroratingPolicy\",
    F5SPKZERORATINGPOLICY cnf-gateway/cnf-zerorate-policy was added/updated
    
  9. The F5BigDnsApp CR specifies the IP address that subscribers will use to resolve DNS. The CR also references the transparent F5BigDnsCache CR. Copy the example F5BigDnsApp CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsApp
    metadata:
      name: "cnf-dnsapp"
      namespace: "cnf-gateway"
    spec:
      destination:
        address: "10.20.22.94"
        port: 53
      ipProtocol: "udp"
      dns:
        useLocalBind: false
        dnsCache: "cnf-transparent-cache"
      udp:
        allowNoPayload: true
    
  10. Install the F5BigDnsApp CR:

    oc apply -f cnf-dnsapp-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigDnsApp CR was added/updated:

    I0224 12:00::00.12345  1 event.go:282] Event(v1.ObjectReference{Kind:\"F5Dns\",
    F5Dns cnf-gateway/cnf-dnsapp was added/updated
    
  11. The F5BigContextSecure CR will process subscriber application traffic. The CR also references the F5BigZeroratingPolicy CR. Copy the example F5BigContextSecure CR into a YAML file:

    _images/spk_warn.png Important: Set the destinationAddress and ipv6destinationAddress to the IP address subnets used in the DNS mappings.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigContextSecure
    metadata:
      name: "cnf-secure-context"
      namespace: "cnf-gateway"
    spec:
      destinationAddress: "10.20.2.37/32"
      ipv6destinationAddress: "2002::10:20:2:37/128"
      destinationPort: 80
      ipProtocol: "tcp"
      profile: "tcp"
      iRules: [ "cnf-zerorate-policy" ]
    
  12. Install the F5BigContextSecure CR:

    oc apply -f cnf-context-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0224 12:00::00.12345  1 event.go:282] Event(v1.ObjectReference{Kind:\"F5SecureContext\",
    SecureContext cnf-gateway/cnf-secure-context was added/updated
    

Traffic statistics

If you installed the CNF Controller with the Debug Sidecar enabled, connect to the sidecar to view the DNS statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the DNS statistics:

    tmctl -d blade dns_cache_resolver_stat -s name,cache_index,queries,responses,responses_rate
    
    name                              cache_index queries responses responses_rate
    --------------------------------- ----------- ------- --------- --------------
    cnf-gateway-cnf-resolver-cache              0       9         9              0
    cnf-gateway-cnf-transparent-cache           0      13        13              0
    
  3. Verify the Application traffic statstics:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
    
    name                                            clientside.tot_conns
    ----------------------------------------------- --------------------
    cnf-gateway-cnf-secure-context-SecureContext_vs                    5
    cnf-gateway-cnf-secure-context-SecureContext_vs                    4
    cnf-gateway-big-dns-virtual_server                                 9
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.