CNFs CRs

Overview

Cloud-Native Network Functions (CNFs) Custom Resource Definitions (CRDs) extend the Kubernetes API; enabling AFM and TMM to be configured using CNFs Custom Resources (CRs). CNFs CRs configure AFM and TMM to support low-latency 5G application traffic, and apply networking configurations such as interface IP addresses and static routes.

This document describes the available CNFs CRs, and lists them in the order they should be configured and installed.

Protection and NAT

Protection and NAT CRs can be referenced by Traffic Management CRs to protect applications from unauthorized and malignant network traffic.

• GlobalDdos - Denial of Service (DoS/DDoS) event detection and mitigation.
• PercontextDdos - Percontext DDoS enables CNF to apply DDoS protection for each application or per virtual server.
• F5BigFwPolicy - Granular stateful-flow filtering based on access control list (ACL) policies.
• F5BigIpsPolicy - Intelligent packet inspection protects applications from malignant network traffic.
• F5BigDownloaderPolicy - - Downloads only IPS package type.
• F5BigNatPolicy - Carrier-grade NAT (CG-NAT) using large-scale NAT (LSN) pools.
• F5BigFwRulelist - Enables rule-lists in the AFM ACL Policy.
• F5BigCneZone - List of VLANs for Zones.

Traffic management

Traffic management CRs configure TMM to provide secure application layer gateway services to remote subscribers.

• F5BigContextSecure - Full proxy TCP and UDP application layer gateway services.
• F5BigCneIrule - CNF supports iRules with Context Secure or any other usecase CRs (example: DNS Virtual Server and F5BigAlgFtp).
• F5BigZeroratingPolicy - Part of Zero-Rating DNS solution; enabling subscribers to bypass rate limits.
• F5BigDnsApp - High-performance DNS resolution, caching, and DNS64 translations.
• F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.
• F5BigAlgTftp - Trivial File Transfer Protocol (TFTP) application layer gateway services.
• F5BigAlgPptp - Point-to-Point Tunneling Protocol (PPTP) application layer gateway services.
• F5BigAlgRtsp - Real Time Streaming Protocol (RTSP) application layer gateway services.
• F5BigDohApp - High-performance DNS resolution, caching, and DNS64 translations over secure HTTPs connections.

Profiles and global settings

Profiles and global setting CRs can be reference by CNFs Traffic Management CRs to customize and enhance traffic processing.

• F5BigTcpSetting - TCP options to fine-tune how application traffic is managed.
• F5BigUdpSetting - UDP options to fine-tune how application traffic is managed.
• F5BigFastl4Setting - FastL4 option to fine-tune how application traffic is managed.
• F5BigContextGlobal - Modifies the F5BigFwPolicy CR’s default firewall action.

Networking CRs

Networking CRs configure TMM’s networking components such as network interfaces and static routes.

Available network management CRs:

• F5BigNetVlan - TMM interface configuration: VLANs, Self IP addresses, MTU sizes, etc.
• F5BigCneSnatpool - Modify the source IP address of egress packets to TMM self IP address.
• F5BigNetStaticroute - TMM static routing table management.

Event logging

Event logging CRs can be referenced by Traffic Management CRs to log a wide variety of application traffic events to remote logging servers.

• F5BigLogProfile - Specifies subscriber connection information sent to remote logging servers.
• F5BigLogHslpub - Defines remote logging server endpoints for the F5BigLogProfile.

Application traffic CRs

Note: We support these SPK CRDs to efficiently handle incoming traffic across various communication protocols, ensuring seamless connectivity.

• F5SPKEgress - Egress application traffic for Pods using SNAT or DNS/NAT46.
• F5SPKIngressDiameter - Ingress Diameter traffic management using TCP or SCTP.
• F5SPKIngressEgressUDP - Ingress UDP application traffic, enabling response packets to use a virtual IP address.
• F5SPKIngressGTP - Ingress GTP application traffic management.
• F5SPKIngressHTTP2 - Ingress HTTP/2 application traffic management.
• F5SPKIngressNGAP - Ingress datagram load balancing for SCTP or NGAP signaling.
• F5SPKIngressTCP - Ingress layer 4 TCP application traffic management.
• F5SPKIngressUDP - Ingress layer 4 UDP application traffic management.

Installation status

Once a CNFs Custom Resource (CR) has been installed, you can view the status of the installation using the following command:

oc get <cr type> <cr name> -n <namespace>

For example:

oc get natpol cnf-46-nat -n cnf-gateway

NAME         STATUS    MESSAGE
cnf-46-nat   SUCCESS   CR config sent to all grpc endpoints

Finalizers

1. Finalizers are namespaced keys that instruct Kubernetes to wait until specific conditions are met before fully deleting resources marked for deletion. The BIG-IP controller utilizes Kubernetes finalizers to maintain consistency between Custom Resources (CRs) and backend configurations.
2. When a CR is created, the BIG-IP controller adds a finalizer to it.
3. Upon CR deletion, the BIG-IP controller first removes the respective configuration from the backends and then eliminates the finalizer, allowing Kubernetes to complete the deletion process. As long as the finalizer is present in the CR, it will not be completely deleted.
4. In the event that a CR is deleted while the BIG-IP controller is offline, finalizers prevent it from being deleted. When the controller comes back online, it removes the configuration from the backend and subsequently eliminates the finalizer. This ensures that CRs are deleted only after the corresponding configuration is removed from the backends.

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental

• Kubernetes Custom Resources
• Kubernetes Service