F5BigDownloaderPolicy

Overview

The F5BigDownloaderPolicy Custom Resource (CR) configures the Cloud-Native Network Functions (CNFs) Downloader Pod to download the latest installation package from the specified locations at specified intervals. For example, the classification engine package in the CNFs Downloader Pod performs sanity checks on the list of applications and categories of the package downloaded. It also verifies the received Certificate Authority (CA) bundle, and the digital signature of the IM Package. The relevant classification data is converted into a Binary Large Object (BLOB), and sent to the Traffic Management Microkernel (TMM) Proxy Pod’s Downloader sidecar.

The Downloader supports only offline mode for intrusion prevention system (IPS) and classification engine core (CEC) packages. For other packages, such as URL categorization (wr-urldb) and IP reputation intelligence (ipi), the Downloader does not currently support both online and offline modes.

For example, in IPS offline mode, users upload IPS updates (IM packages) to the Downloader Pod manually at /var/downloader-localfile-upload/. This directory is a persistent volume attached to the container, so uploaded files persist across container restarts. The Downloader sends the newest IM package among the files uploaded to the Downloader Pod to IPSD. The Downloader Pod must therefore have persistent storage available.

Package type

The Downloader Pod can be configured to download the IPS, DPI, WR-URLDB, and IPI signature package types.

This document guides you through understanding, configuring and installing the F5BigDownloaderPolicy CR.

CR parameters

spec

Parameter                Description
-----------------------  -----------------------------------------------------------------------------
name                     Specifies the name of the proxy that is being configured.
kind                     Specifies the type of proxy used. Currently only the https proxy type is supported.
host                     Specifies the IP address of the proxy.
port                     Specifies the port number of the proxy: 1 to 65535.
components.type          Specifies the type of IM for the F5BigDownloaderPolicy: ips.
components.downloadUrl   Specifies the URL from which to download the IM package. For ips, an empty field uses the default F5 download endpoint.
components.pollInterval  Specifies the polling interval for downloading the latest IM packages.
components.proxy         Specifies the name of the proxy object.
components.mode          Specifies the mode (for example, offline).

CR Examples

F5BigDownloaderPolicy

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDownloaderPolicy
metadata:
  name: "cnf-downloadpolicy"
  namespace: "cnf-gateway"
spec:
  components:
    - type: "ips"
      pollInterval: "3m"
      mode: "offline"
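The following is an added pre-flight check, not F5 code, that validates a parsed F5BigDownloaderPolicy against the constraints in the parameter table (proxy kind https, port 1 to 65535, component type ips, offline mode, a proxy reference that resolves) before you apply it. It assumes the CR has already been parsed into a dict (for example with PyYAML) and that proxy objects live under spec.proxies, which the table does not state.

```python
"""Pre-flight checks for an F5BigDownloaderPolicy CR, derived from this page's
parameter table (added example, not F5 code). Works on an already-parsed dict
(what yaml.safe_load returns) so it has no third-party dependency."""
import re

# Constructed input: the page's example CR, as a parsed dict.
EXAMPLE_CR = {
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigDownloaderPolicy",
    "metadata": {"name": "cnf-downloadpolicy", "namespace": "cnf-gateway"},
    "spec": {"components": [{"type": "ips", "pollInterval": "3m", "mode": "offline"}]},
}
ALLOWED_TYPES = {"ips"}       # table: components.type is ips
ALLOWED_MODES = {"offline"}   # page: ips packages are offline-only
# Assumption: pollInterval is a Go-style duration such as "3m" or "1h30m".
_DURATION = re.compile(r"^(\d+[hms])+$")


def validate_policy(cr):
    """Return a list of findings; an empty list means the CR passes."""
    findings = []
    if cr.get("kind") != "F5BigDownloaderPolicy":
        findings.append(f"kind must be F5BigDownloaderPolicy, got {cr.get('kind')!r}")
    spec = cr.get("spec") or {}
    # Assumption: proxy objects (name/kind/host/port) live under spec.proxies;
    # the table lists the fields but not the list they belong to.
    proxy_names = set()
    for p in spec.get("proxies") or []:
        proxy_names.add(p.get("name"))
        if p.get("kind") != "https":
            findings.append(f"proxy {p.get('name')!r}: kind must be https")
        port = p.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"proxy {p.get('name')!r}: port {port!r} not in 1-65535")
    comps = spec.get("components") or []
    if not comps:
        findings.append("spec.components must list at least one component")
    for i, c in enumerate(comps):
        where = f"components[{i}]"
        if c.get("type") not in ALLOWED_TYPES:
            findings.append(f"{where}: type {c.get('type')!r} is not ips")
        if c.get("mode") not in ALLOWED_MODES:
            findings.append(f"{where}: mode {c.get('mode')!r} is not offline")
        if not _DURATION.match(str(c.get("pollInterval", ""))):
            findings.append(f"{where}: pollInterval {c.get('pollInterval')!r} is not a duration like 3m")
        if c.get("proxy") and c["proxy"] not in proxy_names:
            findings.append(f"{where}: proxy {c['proxy']!r} is not defined in spec")
    return findings
```

Run `validate_policy(EXAMPLE_CR)` on the page's CR and it returns an empty list; feed it a CR with an http proxy on port 70000 or an unresolved proxy name and each problem comes back as a separate finding.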

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDownloaderPolicy CR shortName is downpol.

View CR instance:

kubectl get downpol -n <namespace>

View CR configuration:

kubectl get downpol -n <namespace> -o yaml

By default, the Downloader Pod is disabled. To enable it, add the following parameters to the BIG-IP Controller Helm values file:

f5-downloader:
  enabled: true
  downloader:
    image:
      repository: "registry.com"

blobd:
  enabled: true
  image:
    repository: "registry.com"

The Fluentd Logging collector is enabled by default, and requires setting the f5-toda-logging.fluentd.host parameter. If you installed Fluentd, ensure the host parameter targets the Fluentd Pod’s namespace:

Note: In this example, the host value includes the Fluentd Pod’s cnf-gateway Namespace.

f5-downloader:
  downloader:

    fluentbit_sidecar:
      enabled: true
      image:
        repository: "registry.com"

      fluentd:
        host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local'

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigDownloaderPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Copy the example F5BigDownloaderPolicy CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDownloaderPolicy
    metadata:
      name: "cnf-downloadpolicy"
      namespace: "cnf-gateway"
    spec:
      components:
        - type: "ips"
          pollInterval: "3m"
          mode: "offline"
    
  2. Install the F5BigDownloaderPolicy CR:

    kubectl apply -f cnf-download-cr.yaml
    
  3. Upload the IM package files to the Downloader Pod at /var/downloader-localfile-upload/. This directory is a persistent volume attached to the container, so uploaded files persist across container restarts.

    Example

    kubectl cp pi_updates_17.0.0-20231110.0616.im f5-downloader-6498849466-6f9z8:/var/downloader-localfile-upload/
    
  4. Once a file is uploaded to this directory, the Downloader picks it up and sends an IM package update to IPSD.

  5. If multiple files are uploaded to the folder, the newest file (the one with the latest timestamp) is selected.

  6. Copy the example F5BigContextSecure CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-url-class-context"
      namespace: "cnf-gateway"
    spec:
      destinationAddress: "0.0.0.0/0"
      ipv6destinationAddress: "::/0"
      destinationPort: 80
      ipProtocol: "tcp"
      profile: "tcp"
    
  7. Install the F5BigContextSecure CR:

    kubectl apply -f f5-cnf-context-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext",
    SecureContext cnf-gateway/cnf-url-class-context was added/updated
    

Connection statistics

If the TMM Debug sidecar is enabled (default), use the steps below to verify F5BigContextSecure statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the URL categorization stats:

    tmctl -d blade gpa_urlcat_stats
    
    name              count irule customdb wrdb cloud srdb bytes_in bytes_out
    ----------------- ----- ----- -------- ---- ----- ---- -------- ---------
    Unknown               0     0        0    0     0    0        0         0
    Search_Engines       10     0        0   10     0    0     4220      7550
    Social_Networking     5     0        0    5     0    0     1380      1380
    Shopping              7     0        0    7     0    0     2220      2220
    
  3. Verify the F5BigContextSecure statistics:

    Clientside connections:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
    
    name                                               clientside.tot_conns
    -------------------------------------------------- --------------------
    cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
    

    Serverside connections:

    tmctl -d blade virtual_server_stat -s name,serverside.tot_conns
    
    name                                               serverside.tot_conns
    -------------------------------------------------- --------------------
    cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.