F5BigContextSecure

Overview

The F5BigContextSecure Custom Resource (CR) configures the Traffic Management Microkernel (TMM) to act as an application layer gateway (ALG) for low-latency 5G workloads. The F5BigContextSecure CR provides granular connection management using the F5 TCP, UDP and FastL4 protocol profiles, and is an integral part of the DNS44, DNS46, and DNS64 implementations.

This document guides you through understanding, configuring and installing a simple F5BigContextSecure CR.

Service

The table below describes the CR service parameters.

Parameter Description
name Selects the Service object name for the internal applications (Pods), and creates a round-robin load balancing pool using the Service Endpoints.
port Selects the Service object port value.

CR parameters

The tables below describe the F5BigContextSecure CR parameters used in this document; refer to the F5BigContextSecure Reference for the full list of parameters.

spec

Parameter Description
destinationAddress Creates an IPv4 virtual server address that listens for ingress connections: host "10.10.10.50", subnet "10.10.10.0/24".
ipv6destinationAddress Creates an IPv6 virtual server address that listens for ingress connections: host "4001::1", subnet "4001::/64".
destinationPort Defines the service port for ingress connections. any (default).
ipProtocol Specifies the virtual server IP protocol: tcp, udp, or any (default).
selfipAsDest Specifies whether to use the self IP as the destination IP address for the secure context. If selfipAsDest is set to true and no destination addresses are specified, the self IPs of the VLANs in vlans.vlanList are configured as destination IPs. The default is false.
profile Specifies the profile to be used by the virtual server: tcp, udp, fastl4(default), or ipother.
fastL4Settings.profileName Specifies how TMM handles connections using the F5BigFastl4Setting CR's metadata.name value.
tcpSettings.clientSide Specifies how TMM handles clientside TCP connections using the F5BigTcpSetting CR's metadata.name value.
tcpSettings.serverSide Specifies how TMM handles serverside TCP connections using the F5BigTcpSetting CR's metadata.name value.
udpSettings.clientSide Specifies how TMM handles clientside UDP connections using the F5BigUdpSetting CR's metadata.name value.
udpSettings.serverSide Specifies how TMM handles serverside UDP connections using the F5BigUdpSetting CR's metadata.name value.
snat.type Specifies the type of address translation: none (default), automap, or snat.
snat.pool When snat.type is snat, specifies the F5BigCneSnatpool CR to reference using the spec.name parameter.
vlans.vlanList Specifies one or more F5BigNetVlan CRs using the metadata.name parameter, that listen for application traffic.

CR Example

apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
  name: "cnf-context"
  namespace: "cnf-gateway"
spec:
  ipv6destinationAddress: "2002::200:200:200:0/112"
  destinationPort: 0
  iRules: ["cnf-irule"]
  ipProtocol: "tcp"
  profile: "tcp"
  tcpSettings:
    clientSide: "tcp-high-bw-profile"
    serverSide: "tcp-high-bw-profile"
  vlans:
    vlanList:
      - "subscriber-vlan"

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigContextSecure CR shortName is secctx.

View CR instance:

oc get secctx -n <namespace>

View CR configuration:

oc get secctx -n <namespace> -o yaml

Application Project

The Controller and Service Proxy TMM Pods install to a different Project than the TCP application (Pods). When installing the Controller, set the controller.watchNamespace parameter to the TCP Pod Project(s) in the Helm values file. For example:

Note: The watchNamespace parameter accepts multiple namespaces.

  controller:
    watchNamespace: 
      - "web-apps"
      - "web-apps2"

Dual-Stack environments

Service Proxy TMM’s load balancing pool is created by discovering the Kubernetes Service Endpoints in the Project. In IPv4/IPv6 dual-stack environments, to populate the load balancing pool with IPv6 members, set the Service ipFamilyPolicy to PreferDualStack and list IPv6 first in ipFamilies. For example:

apiVersion: v1
kind: Service
metadata:
  name: nginx-web-app
  namespace: web-apps
  labels:
    app: nginx-web-app
spec:
  # IPv6 first: the Service Endpoints, and therefore TMM's pool members, get IPv6 addresses.
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
  - IPv6
  - IPv4
  selector:
    app: nginx-web-app
  ports:
  - port: 80
    protocol: TCP

Important: When enabling PreferDualStack, ensure TMM’s internal F5BigNetVlan interface configuration includes both IPv4 and IPv6 addresses.

Requirements

Ensure you have:

Installation

Secure Context on Controller namespace

Use the following steps to obtain the application’s Service object configuration, and configure and install the F5CNFIngressTCP CR.

  1. Switch to the application Project:

    oc project <project>
    

    In this example, the application is in the web-apps Project:

    oc project web-apps
    
  2. Use the Service object NAME and PORT to configure the CR service.name and service.port parameters:

    oc get service 
    

    In this example, the Service object NAME is nginx-web-app and the PORT is 80:

    NAME           TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S) 
    nginx-web-app  NodePort   10.99.99.99   <none>        80:30714/TCP
    
  3. Copy the example CR into a YAML file:

      apiVersion: "ingresstcp.k8s.f5net.com/v1"
      kind: F5CNFIngressTCP
      metadata:
        name: "nginx-web-cr"
        namespace: "web-apps"
      service:
        name: "nginx-web-app"
        port: 80
      spec:
        destinationAddress: "192.168.1.123"
        destinationPort: 80
        ipv6destinationAddress: "2001::100:100"
        idleTimeout: 30
        loadBalancingMethod: "ROUND_ROBIN"
        snat: "SRC_TRANS_AUTOMAP"
        persist:
          mode: "PERSIST_TYPE_SRCADDR"
          timeout: 60
          ipv4PrefixLength: 24
        vlans:
          vlanList:
          - vlan-external
      monitors:
        tcp:
        - interval: 3
          timeout: 10
    
  4. Install the F5CNFIngressTCP CR:

    oc apply -f cnf-ingress-tcp.yaml
    
  5. Verify the status of the installed CR:

    oc get f5-cnf-ingresstcp -n web-apps
    

    In this example, the CR has installed successfully. Installation failures may indicate a missing CR dependency, such as a referenced VLAN that does not exist.

    NAME           STATUS    MESSAGE                               
    nginx-web-cr   SUCCESS   CR config sent to all grpc endpoints 
    
  6. Web clients should now be able to connect to the application through the Service Proxy TMM.

Secure Context on Application Namespace

Use these steps to install the example F5BigContextSecure CR, and the optional CNFs F5BigTcpSetting CR. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: The example F5BigTcpSetting CR increases the number of packet buffers to improve performance. Copy and paste the example into a YAML file:

    Note: The F5BigTcpSetting CR will be referenced by the F5BigContextSecure CR.

     apiVersion: k8s.f5net.com/v2
     kind: F5BigContextSecure
     metadata:
       name: sc-udp
     service:
       name: udpsvc
       port: 9300
     spec:
       destinationAddress: "192.168.16.48"
       ipv6destinationAddress: "fdc0:168:16::aa"
       destinationPort: 9090
       ipProtocol: udp
    
  2. Install the F5BigTcpSetting CR:

    oc apply -f cnf-tcp-high-bw-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigTcpSetting CRs were added/updated:

    I0202 12:00:00.12347   1 event.go:282] Event(v1.ObjectReference{Kind:"F5TcpSetting",
    TcpSetting cnf-gateway/tcp-high-bw-profile was added/updated
    
  3. The example F5BigContextSecure CR listens for TCP connections destined to IP addresses in the 2002::200:200:200:0/112 subnet, and only on the subscriber-vlan interface. The CR also references the tcp-high-bw-profile F5BigTcpSetting CR for both clientside and serverside connections, and the cnf-irule F5BigCneIrule CR, so both must exist in the cnf-gateway namespace. Copy and paste the example into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-context"
      namespace: "cnf-gateway"
    spec:
      ipv6destinationAddress: "2002::200:200:200:0/112"
      destinationPort: 0
      iRules: ["cnf-irule"]
      ipProtocol: "tcp"
      profile: "tcp"
      tcpSettings:
        clientSide: "tcp-high-bw-profile"
        serverSide: "tcp-high-bw-profile"
      vlans:
        vlanList:
          - "subscriber-vlan"
    
  4. Install the F5BigContextSecure CR:

    oc apply -f f5-cnf-context.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00.12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", 
    SecureContext cnf-gateway/cnf-context was added/updated
    
  5. Continue to the Additional CRs and ContextSecure statistics sections.
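Because an installation failure in the Controller logs usually traces back to a spec value outside the parameter table or to a referenced CR that is not in the namespace, it is worth checking a F5BigContextSecure CR before applying it. The following Python pre-flight check is an added example and is not F5 code: it applies the rules from the parameter table above (a destination address or selfipAsDest, the ipProtocol/profile/snat.type enumerations, snat.pool when snat.type is snat) and then verifies that every referenced F5BigTcpSetting, F5BigUdpSetting, F5BigFastl4Setting, F5BigCneSnatpool, F5BigNetVlan and F5BigCneIrule exists. The inventory dictionaries are constructed to stand in for what oc get <kind> -n cnf-gateway would list, and the rule that a tcp profile must not be paired with a udp ipProtocol (or the reverse) is this example's own assumption, not a statement from the reference.

```python
"""Pre-flight check for an F5BigContextSecure CR before running 'oc apply'.

Added example, not F5 code. It applies the spec rules from the parameter table
on this page and checks that every CR the spec references already exists in the
namespace (the missing-dependency failure the install steps warn about).
"""

# spec paths that name other CRs, and the kind each must resolve to (from the
# parameter table; iRules -> F5BigCneIrule comes from the Supplemental section).
REFS = {
    "fastL4Settings.profileName": "F5BigFastl4Setting",
    "tcpSettings.clientSide": "F5BigTcpSetting",
    "tcpSettings.serverSide": "F5BigTcpSetting",
    "udpSettings.clientSide": "F5BigUdpSetting",
    "udpSettings.serverSide": "F5BigUdpSetting",
    "snat.pool": "F5BigCneSnatpool",
    "vlans.vlanList": "F5BigNetVlan",
    "iRules": "F5BigCneIrule",
}
# Enumerated fields: (allowed values, default when the field is absent).
ENUMS = {
    "ipProtocol": ({"tcp", "udp", "any"}, "any"),
    "profile": ({"tcp", "udp", "fastl4", "ipother"}, "fastl4"),
    "snat.type": ({"none", "automap", "snat"}, "none"),
}


def _get(node, path):
    """Walk nested dicts along a dotted path; None when any key is absent."""
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def validate_secure_context(cr, inventory):
    """Return a list of problems; an empty list means the CR should install.

    inventory maps CR kind -> set of metadata.name values present in the namespace.
    """
    problems = []
    spec = cr.get("spec", {})
    ns = _get(cr, "metadata.namespace") or "<no namespace>"

    # Listener: an address is required unless selfipAsDest borrows the VLAN self IPs.
    has_addr = bool(spec.get("destinationAddress") or spec.get("ipv6destinationAddress"))
    if not has_addr and spec.get("selfipAsDest") is not True:
        problems.append("no destinationAddress or ipv6destinationAddress, and selfipAsDest is not true")
    if not has_addr and spec.get("selfipAsDest") is True and not _get(spec, "vlans.vlanList"):
        problems.append("selfipAsDest is true but vlans.vlanList is empty, so there is no self IP to listen on")

    # Enumerated fields, with the table's defaults applied when a field is absent.
    values = {field: _get(spec, field) or default for field, (_, default) in ENUMS.items()}
    for field, (allowed, _) in ENUMS.items():
        if values[field] not in allowed:
            problems.append(f"{field} '{values[field]}' is not one of {sorted(allowed)}")
    # Assumption of this example: a tcp profile on a udp listener (or the reverse) is a misconfiguration.
    if {values["profile"], values["ipProtocol"]} == {"tcp", "udp"}:
        problems.append(f"profile '{values['profile']}' does not match ipProtocol '{values['ipProtocol']}'")
    if values["snat.type"] == "snat" and not _get(spec, "snat.pool"):
        problems.append("snat.type is 'snat' but snat.pool names no F5BigCneSnatpool")

    # Every referenced CR must already exist in the same namespace.
    for path, kind in REFS.items():
        value = _get(spec, path)
        for name in (value if isinstance(value, list) else [value] if value else []):
            if name not in inventory.get(kind, set()):
                problems.append(f"spec.{path} references {kind} '{name}', not found in namespace {ns}")
    return problems


# The page's cnf-context CR, as the dict 'oc get secctx cnf-context -n cnf-gateway -o json' returns.
CNF_CONTEXT = {
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigContextSecure",
    "metadata": {"name": "cnf-context", "namespace": "cnf-gateway"},
    "spec": {
        "ipv6destinationAddress": "2002::200:200:200:0/112", "destinationPort": 0,
        "iRules": ["cnf-irule"], "ipProtocol": "tcp", "profile": "tcp",
        "tcpSettings": {"clientSide": "tcp-high-bw-profile", "serverSide": "tcp-high-bw-profile"},
        "vlans": {"vlanList": ["subscriber-vlan"]},
    },
}
# Constructed inventory of cnf-gateway after the install steps above: the TCP setting
# exists and the VLAN is present, but no F5BigCneIrule named cnf-irule was installed.
AFTER_INSTALL_STEPS = {
    "F5BigTcpSetting": {"tcp-high-bw-profile"},
    "F5BigNetVlan": {"subscriber-vlan"},
    "F5BigCneIrule": set(),
}
WITH_IRULE = {**AFTER_INSTALL_STEPS, "F5BigCneIrule": {"cnf-irule"}}
# Constructed broken CR: no listener address, tcp profile on a udp listener, snat without a pool.
BROKEN = {
    "metadata": {"name": "bad", "namespace": "cnf-gateway"},
    "spec": {"ipProtocol": "udp", "profile": "tcp", "snat": {"type": "snat"}},
}

if __name__ == "__main__":
    for label, cr, inv in (("cnf-context", CNF_CONTEXT, AFTER_INSTALL_STEPS),
                           ("cnf-context + cnf-irule", CNF_CONTEXT, WITH_IRULE),
                           ("broken", BROKEN, {})):
        print(f"{label}:", validate_secure_context(cr, inv) or "OK")
```

Run against the page's own cnf-context CR, the check passes only once an F5BigCneIrule named cnf-irule is present alongside the tcp-high-bw-profile and subscriber-vlan CRs; with the iRule missing it reports the one unresolved reference, which is the condition the "missing CR dependency" note in the installation steps describes. The validator only reads the CR; it does not replace the Controller's own status reporting (oc get secctx -n <namespace>).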

Additional CRs

The F5BigContextSecure CR can also reference these CNFs CRs:

  • F5BigFwPolicy - Granular network packet filtering using access control lists.
  • F5BigNatPolicy - Carrier-grade NAT (CG-NAT) functionality.
  • F5BigDnsApp - High-performance DNS resolution, caching, and DNS64 translations.
  • F5BigIpsPolicy - DNS packet inspection for protection against malicious network traffic.
  • F5BigCneSnatpool - Provides TMMs with additional IP addresses for source IP address translation.
  • F5BigLogProfile - Capture and send traffic processing events to remote logging servers.

ContextSecure statistics

If the TMM Debug sidecar is enabled (default), use the steps below to verify the F5BigContextSecure virtual server connection statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the F5BigContextSecure statistics:

    Clientside connections:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
    
    name                                       clientside.tot_conns
    ------------------------------------------ --------------------
    cnf-gateway-cnf-context-SecureContext_vs                    8
    

    Serverside connections:

    tmctl -d blade virtual_server_stat -s name,serverside.tot_conns
    
    name                                       serverside.tot_conns
    ------------------------------------------ --------------------
    cnf-gateway-cnf-context-SecureContext_vs                    8
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental

  • F5BigCneIrule - CNF supports iRules with Context Secure or any other use case CRs (example: DNS Virtual Server and F5BigAlgFtp).