F5BigDownloaderPolicy
Overview
The F5BigDownloaderPolicy Custom Resource (CR) configures the Cloud-Native Network Functions (CNFs) Downloader Pod to download the latest installation package from the specified locations at specified intervals. For example, the classification engine package in the CNFs Downloader Pod performs sanity checks on the list of applications and categories of the package downloaded. It also verifies the received Certificate Authority (CA) bundle, and the digital signature of the IM Package. The relevant classification data is converted into a Binary Large Object (BLOB), and sent to the Traffic Management Microkernel (TMM) Proxy Pod’s Downloader sidecar.
The Downloader supports only offline mode for intrusion prevention system (IPS) and classification engine core (CEC) packages. For other packages, such as URL categorisation (wr-urldb) and IP reputation intelligence (ipi), the Downloader currently supports neither online nor offline mode.
For example, in IPS offline mode, users can manually upload IPS updates (IM packages) to the Downloader Pod at /var/downloader-localfile-upload/. This is a persistent volume attached to the container, so uploaded files persist across container restarts. The Downloader sends the newest IM package among the uploaded files to IPSD. The Downloader Pod must have the persistent storage available.
Package type
The Downloader Pod can be configured to download the IPS, DPI, WR-URLDB, and IPI signature package types.
This document guides you through understanding, configuring and installing the F5BigDownloaderPolicy CR.
CR parameters
spec
Parameter | Description
---|---
name | Specifies the name of the proxy that is being configured.
kind | Specifies the type of proxy used. Currently only the https proxy type is supported.
host | Specifies the IP address of the proxy.
port | Specifies the port number of the proxy: 1 to 65535.
components.type | Specifies the type of IM for the F5BigDownloaderPolicy: ips.
components.downloadUrl | Specifies the URL from which to download the IM installed package. For ips, an empty field uses the default F5 download endpoint.
components.pollInterval | Specifies the polling interval for downloading the latest IM packages.
components.proxy | The name of the proxy object.
components.mode | Specifies the download mode.
CR Examples
F5BigDownloaderPolicy
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDownloaderPolicy
metadata:
  name: "cnf-downloadpolicy"
  namespace: "cnf-gateway"
spec:
  components:
    - type: "ips"
      downloadUrl: "https://api.f5networks.net/product/big-ip/downloads/big-ip_v17.x/17.0.0/mbip-cnf-ips"
      pollInterval: "3m"
      mode: "offline"
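The parameter table fixes a small set of constraints (https-only proxy kind, port 1 to 65535, component type ips, offline mode for ips). The following is an added example, not code from F5 or from this documentation: a pre-apply lint that checks a parsed CR against those constraints. It assumes the CR is already a Python dict (what PyYAML or oc get -o json would produce), that pollInterval follows a digits-plus-unit syntax (s, m or h) inferred from the example value "3m", and that the proxy fields (name, kind, host, port) sit directly under spec as the table lists them. The https-only check on a custom downloadUrl is an added hardening rule, not one the page states.

```python
"""Pre-apply lint for an F5BigDownloaderPolicy CR (added example, not F5 code).

Encodes the constraints from this page's parameter table. Assumed: the CR is
already a dict (as PyYAML or `oc get -o json` yield); pollInterval is
<digits><s|m|h>, inferred from "3m"; proxy fields sit directly under spec.
"""
import ipaddress
import re

API_VERSION = "k8s.f5net.com/v1"
POLL_INTERVAL_RE = re.compile(r"^[1-9]\d*[smh]$")  # assumed syntax, e.g. "3m"
PROXY_KINDS = {"https"}    # table: only the https proxy type is supported
COMPONENT_TYPES = {"ips"}  # table: components.type is ips
MODES = {"offline"}        # page: only offline mode is supported for ips


def validate_proxy(proxy):
    """Check one proxy definition against the parameter table."""
    problems = []
    if not proxy.get("name"):
        problems.append("proxy name is required")
    if proxy.get("kind") not in PROXY_KINDS:
        problems.append(f"proxy kind must be one of {sorted(PROXY_KINDS)}")
    try:
        ipaddress.ip_address(str(proxy.get("host", "")))  # host is an IP address
    except ValueError:
        problems.append("proxy host must be an IP address")
    port = proxy.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("proxy port must be an integer from 1 to 65535")
    return problems


def validate_component(comp, proxy_names):
    """Check one components[] entry; proxy_names are the proxies defined in spec."""
    problems = []
    if comp.get("type") not in COMPONENT_TYPES:
        problems.append(f"type must be one of {sorted(COMPONENT_TYPES)}")
    url = comp.get("downloadUrl", "")
    # Empty downloadUrl means the default F5 endpoint. Insisting on https for a
    # custom URL is an added hardening check, not a rule stated on the page.
    if url and not url.startswith("https://"):
        problems.append("downloadUrl must use https://")
    if not POLL_INTERVAL_RE.match(str(comp.get("pollInterval", ""))):
        problems.append('pollInterval must look like "3m" (digits plus s, m or h)')
    if comp.get("mode") not in MODES:
        problems.append(f"mode must be one of {sorted(MODES)}")
    if "proxy" in comp and comp["proxy"] not in proxy_names:
        problems.append(f"proxy {comp['proxy']!r} is not defined in spec")
    return problems


def validate_downloader_policy(cr):
    """Return a list of problems; an empty list means the CR passes."""
    problems = []
    if cr.get("apiVersion") != API_VERSION:
        problems.append(f"apiVersion must be {API_VERSION}")
    if cr.get("kind") != "F5BigDownloaderPolicy":
        problems.append("kind must be F5BigDownloaderPolicy")
    for key in ("name", "namespace"):
        if not cr.get("metadata", {}).get(key):
            problems.append(f"metadata.{key} is required")
    spec = cr.get("spec", {})
    proxy_names = set()
    if any(k in spec for k in ("name", "kind", "host", "port")):
        problems += validate_proxy(spec)
        proxy_names.add(spec.get("name"))
    components = spec.get("components", [])
    if not components:
        problems.append("spec.components must list at least one component")
    for i, comp in enumerate(components):
        problems += [f"components[{i}]: {p}" for p in validate_component(comp, proxy_names)]
    return problems


# The CR shown on this page, as a dict.
PAGE_CR = {
    "apiVersion": API_VERSION, "kind": "F5BigDownloaderPolicy",
    "metadata": {"name": "cnf-downloadpolicy", "namespace": "cnf-gateway"},
    "spec": {"components": [{
        "type": "ips",
        "downloadUrl": "https://api.f5networks.net/product/big-ip/downloads/big-ip_v17.x/17.0.0/mbip-cnf-ips",
        "pollInterval": "3m", "mode": "offline"}]},
}

# Constructed CR with one mistake per check, to show what the lint reports.
BAD_CR = {
    "apiVersion": API_VERSION, "kind": "F5BigDownloaderPolicy",
    "metadata": {"name": "bad-downloadpolicy", "namespace": "cnf-gateway"},
    "spec": {
        "name": "corp-proxy", "kind": "socks5",      # unsupported proxy kind
        "host": "proxy.example.invalid",             # hostname, not an IP address
        "port": 70000,                               # outside 1-65535
        "components": [{
            "type": "ips",
            "downloadUrl": "http://mirror.example.invalid/ips",  # plaintext download
            "pollInterval": "3 minutes",             # not <digits><unit>
            "mode": "online",                        # unsupported for ips
            "proxy": "other-proxy"}]},               # no such proxy in spec
}
```

Calling validate_downloader_policy(PAGE_CR) returns an empty list; the constructed BAD_CR returns seven findings, one per mistake, with the components[0]: prefix telling you which entry to fix. Running it against the YAML you are about to apply catches these before the Downloader Pod ever reads the CR.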
CR shortName
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDownloaderPolicy CR shortName is downpol.
View CR instance:
oc get downpol -n <namespace>
View CR configuration:
oc get downpol -n <namespace> -o yaml
By default, the Downloader Pod is disabled. To enable the Downloader Pod, add the following parameters to the BIG-IP Controller Helm values file:
f5-downloader:
  enabled: true
  downloader:
    image:
      repository: "registry.com"
  blobd:
    enabled: true
    image:
      repository: "registry.com"
The Fluentd logging collector is enabled by default and requires setting the f5-toda-logging.fluentd.host parameter. If you installed Fluentd, ensure the host parameter targets the Fluentd Pod's namespace:
Note: In this example, the host value includes the Fluentd Pod's cnf-gateway Namespace.
f5-downloader:
  downloader:
    fluentbit_sidecar:
      enabled: true
      image:
        repository: "registry.com"
      fluentd:
        host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local'
Installation
Use these steps to install the example F5BigDownloaderPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.
Tip: Open a second shell to view the CNFs Event Logs while installing.
Copy the example F5BigDownloaderPolicy CR into a YAML file:
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDownloaderPolicy
metadata:
  name: "cnf-downloadpolicy"
  namespace: "cnf-gateway"
spec:
  components:
    - type: "ips"
      downloadUrl: "https://api.f5networks.net/product/big-ip/downloads/big-ip_v17.x/17.0.0/mbip-cnf-ips"
      pollInterval: "3m"
      mode: "offline"
Install the F5BigDownloaderPolicy CR:
oc apply -f cnf-download-cr.yaml
Users can upload IM package files to the Downloader Pod at /var/downloader-localfile-upload/. This is a persistent volume attached to the container, so uploaded files persist across container restarts. Example:
oc cp pi_updates_17.0.0-20231110.0616.im f5-downloader-6498849466-6f9z8:/var/downloader-localfile-upload
Once a file is uploaded to that directory, the Downloader picks it up and sends an IM package update to IPSD.
If multiple files are uploaded to the folder, the newest file (the one with the latest timestamp) is selected.
Copy the example F5BigContextSecure CR into a YAML file:
apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
  name: "cnf-url-class-context"
  namespace: "cnf-gateway"
spec:
  destinationAddress: "0.0.0.0/0"
  ipv6destinationAddress: "::/0"
  destinationPort: 80
  ipProtocol: "tcp"
  profile: "tcp"
Install the F5BigContextSecure CR:
oc apply -f f5-cnf-context-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-url-class-context was added/updated
Connection statistics
If the TMM Debug sidecar is enabled (default), use the steps below to verify F5BigContextSecure statistics.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the cnf-gateway namespace:
oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
Verify the URL categorization stats:
tmctl -d blade gpa_urlcat_stats
name              count irule customdb wrdb cloud srdb bytes_in bytes_out
----------------- ----- ----- -------- ---- ----- ---- -------- ---------
Unknown               0     0        0    0     0    0        0         0
Search_Engines       10     0        0   10     0    0     4220      7550
Social_Networking     5     0        0    5     0    0     1380      1380
Shopping              7     0        0    7     0    0     2220      2220
Verify the F5BigContextSecure statistics:
Clientside connections:
tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
name                                               clientside.tot_conns
-------------------------------------------------- --------------------
cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
Serverside connections:
tmctl -d blade virtual_server_stat -s name,serverside.tot_conns
name                                               serverside.tot_conns
-------------------------------------------------- --------------------
cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
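Reading these tmctl tables by eye works for four rows; in a verification script you want them parsed. The following is an added example, not part of the F5 documentation or of tmctl itself: a parser for tmctl's fixed-width output that takes column boundaries from the dash ruler under the header, plus the checks an operator would run on the statistics above (which categories actually classified traffic, whether the per-source hit counters add up to count, total bytes, and clientside versus serverside connection totals per virtual server). The sample tables are constructed from the values shown on this page.

```python
"""Parse tmctl fixed-width output and summarise the statistics shown above.

Added example, not part of the F5 documentation or of tmctl. The sample tables
are constructed from the values on this page; column layout follows the dash
ruler tmctl prints under its header line.
"""
import re

# Constructed sample of `tmctl -d blade gpa_urlcat_stats`
URLCAT_STATS = """\
name              count irule customdb wrdb cloud srdb bytes_in bytes_out
----------------- ----- ----- -------- ---- ----- ---- -------- ---------
Unknown               0     0        0    0     0    0        0         0
Search_Engines       10     0        0   10     0    0     4220      7550
Social_Networking     5     0        0    5     0    0     1380      1380
Shopping              7     0        0    7     0    0     2220      2220
"""

# Constructed samples of `tmctl -d blade virtual_server_stat -s name,<side>.tot_conns`
CLIENTSIDE = """\
name                                               clientside.tot_conns
-------------------------------------------------- --------------------
cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
"""
SERVERSIDE = """\
name                                               serverside.tot_conns
-------------------------------------------------- --------------------
cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
"""


def _cells(line, starts, ends):
    """Split one line into one cell per column.

    Whitespace splitting is enough when every cell is a single token (the usual
    case). If a cell contains spaces, fall back to slicing by the ruler: each
    column runs from the end of the previous dash run to the end of its own, so
    right-aligned values that reach into the gap on their left are still caught.
    """
    cells = line.split()
    if len(cells) == len(ends):
        return cells
    sliced = [line[s:e].strip() for s, e in zip(starts[:-1], ends[:-1])]
    return sliced + [line[starts[-1]:].strip()]


def parse_tmctl(text):
    """Return one dict per data row; purely numeric cells become ints."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, ruler, rows = lines[0], lines[1], lines[2:]
    ends = [m.end() for m in re.finditer(r"-+", ruler)]
    starts = [0] + ends[:-1]
    names = _cells(header, starts, ends)
    records = []
    for row in rows:
        values = [int(c) if c.isdigit() else c for c in _cells(row, starts, ends)]
        records.append(dict(zip(names, values)))
    return records


def active_categories(stats_text):
    """Categories that classified traffic, with their hit counts."""
    return {r["name"]: r["count"] for r in parse_tmctl(stats_text) if r["count"] > 0}


def source_mismatches(stats_text):
    """Rows whose per-source hits do not add up to count; expected to be empty."""
    sources = ("irule", "customdb", "wrdb", "cloud", "srdb")
    return [r["name"] for r in parse_tmctl(stats_text)
            if sum(r[s] for s in sources) != r["count"]]


def total_bytes(stats_text):
    """(bytes_in, bytes_out) summed over all categories."""
    rows = parse_tmctl(stats_text)
    return sum(r["bytes_in"] for r in rows), sum(r["bytes_out"] for r in rows)


def connection_balance(client_text, server_text):
    """Per virtual server: (clientside.tot_conns, serverside.tot_conns).

    The two normally track each other for a full-proxy flow; a gap is worth a
    look, for example connections closed before a serverside flow was opened.
    """
    c = {r["name"]: r["clientside.tot_conns"] for r in parse_tmctl(client_text)}
    s = {r["name"]: r["serverside.tot_conns"] for r in parse_tmctl(server_text)}
    return {vs: (c.get(vs, 0), s.get(vs, 0)) for vs in sorted(c.keys() | s.keys())}
```

On the page's sample, active_categories reports Search_Engines, Social_Networking and Shopping with 10, 5 and 7 hits (all resolved by wrdb), source_mismatches is empty, total_bytes is (7820, 11150), and connection_balance shows 8 clientside and 8 serverside connections for the SecureContext virtual server. Feed it the captured output of the tmctl commands above instead of the constants to check a live deployment.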
Feedback
Provide feedback to improve this document by emailing cnfdocs@f5.com.