F5BigDownloaderPolicy

The F5BigDownloaderPolicy Custom Resource (CR) configures the Cloud-Native Network Functions (CNFs) Downloader Pod to download and manage installation packages (Intrusion Metadata (IM)) and supporting databases, to enable advanced traffic inspection, classification, and security features. Depending on the configuration, downloads can be scheduled at specified intervals (online mode) or be triggered manually by the user (offline mode).

For example, when processing Deep Packet Inspection (DPI) packages, the Downloader Pod performs the following:

  • Validation checks on the application and category lists.

  • Verification of the Certificate Authority (CA) bundle.

  • Confirmation of the digital signature of the IM package.

Once validated, the processed data is converted into a Binary Large Object (BLOB) and sent to the Downloader sidecar within the Traffic Management Microkernel (TMM) Proxy Pod. Similarly, for Intrusion Prevention System (IPS) packages, validated files are forwarded to both the Intrusion Prevention System Daemon (IPSD) and the TMM for enforcement.

Packages and Database Types

The Downloader Pod supports downloading the following package and database types. Each type may support either online or offline deployment modes:

Package and Database Type            Supported Deployment Modes
Deep Packet Inspection (DPI)         Offline
Intrusion Prevention System (IPS)    Offline
URL categorisation (wr-urldb)        Online
IP Intelligence (IPI)                Online
GeoIP Database                       Online

Deployment Modes

  • Online: In online mode, the Downloader Pod fetches packages and databases directly from the internet. Downloads occur automatically based on the interval specified in the pollInterval parameter.

  • Offline: In offline mode, packages and databases must be downloaded manually from MyF5 and placed in the Downloader Pod’s persistent volume at the following location:

    /var/downloader-localfile-upload/

    The Downloader Pod automatically identifies the latest file based on its timestamp, validates and extracts its contents, and then forwards the processed data to the TMM Pods using the f5ingress service.

    Note: If the Downloader Pod is deleted and recreated, the files must be manually copied back to the persistent volume.

Parameters

spec

Parameter                 Description
name                      Specifies the name of the proxy configuration.
kind                      Specifies the type of proxy. Currently, only the https proxy type is supported.
host                      Specifies the IP address or hostname of the proxy server.
port                      Specifies the port number used by the proxy. Valid values range from 1 to 65535.
components.type           Specifies the type of IM package. For example: dpi, ips, geoip.
components.downloadUrl    Specifies the URL to download the IM package.
components.pollInterval   Specifies the polling time interval for checking updates. For example: "5m".
components.proxy          Specifies the name of the proxy object to be used for downloading packages.
components.mode           Specifies the download mode for the component. Valid values: offline (default) and online.

CR Example

F5BigDownloaderPolicy

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDownloaderPolicy
metadata:
  name: "cnf-downloadpolicy"
  namespace: "cnf-gateway"
spec:
  components:
    - type: "dpi"
      pollInterval: "3m"
      mode: "offline"

CR ShortName

CR shortNames provide a convenient way to view installed CRs and their configuration parameters. They can also be used to delete CR instances more easily. The F5BigDownloaderPolicy CR shortName is downpol.

View CR instance:

oc get downpol -n <namespace>

View CR configuration:

oc get downpol -n <namespace> -o yaml

Enabling the Downloader and BLOBD Pods

By default, the Downloader Pod is disabled. To enable the Downloader feature, both the Downloader and BLOBD Pods must be enabled in the BIG-IP Controller Helm values file:

f5-downloader:
  enabled: true
  downloader:
    image:
      repository: "registry.com"

blobd:
  enabled: true
  image:
    repository: "registry.com"

Note: The BLOBD Pod is required for handling and sending data packages (such as the GeoIP and IP Intelligence databases) to the TMM Pods.

Configuring Fluentd Logging

The Fluentd Logging collector is enabled by default. To configure it, set the f5-toda-logging.fluentd.host parameter to the Fluentd service address, which includes the namespace the Fluentd Pod runs in.

Note: In this example, the host value includes cnf-gateway, the namespace of the Fluentd Pod.

f5-downloader:
  downloader:
    fluentbit_sidecar:
      enabled: true
      image:
        repository: "registry.com"
      fluentd:
        host: "f5-toda-fluentd.cnf-gateway.svc.cluster.local"

Requirements

Ensure you have the following:

Deployment

Follow these steps to install the example F5BigDownloaderPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. The example F5BigDownloaderPolicy CR is defined to handle the DPI package in offline mode. To use this configuration, copy the example into a YAML file and save it.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDownloaderPolicy
    metadata:
      name: "cnf-downloadpolicy"
      namespace: "cnf-gateway"
    spec:
      components:
        - type: "dpi"
          pollInterval: "3m"
          mode: "offline"
    
  2. Apply the F5BigDownloaderPolicy CR that you have created.

    oc apply -f cnf-download-dpi-cr.yaml
    
  3. The example F5BigDownloaderPolicy CR is defined to handle the GeoIP database in offline mode. To use this configuration, copy the example into a YAML file and save it.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDownloaderPolicy
    metadata:
      name: "cnf-downloader"
      namespace: "cnf-gateway"
    spec:
      components:
        - type: "geoip"
          pollInterval: "5m"
          mode: "offline"
    
  4. Apply the F5BigDownloaderPolicy CR that you have created.

    oc apply -f cnf-download-geoip-cr.yaml
    
  5. Optional: The example F5BigContextSecure CR defines a security context for traffic classification. To use this configuration, copy the example into a YAML file and save it.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigContextSecure
    metadata:
      name: "cnf-url-class-context"
      namespace: "cnf-gateway"
    spec:
      destinationAddress: "0.0.0.0/0"
      ipv6destinationAddress: "::/0"
      destinationPort: 80
      ipProtocol: "tcp"
      profile: "tcp"
    
  6. Apply the F5BigContextSecure CR that you have created.

    oc apply -f f5-cnf-context-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate that the F5BigContextSecure CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-url-class-context was added/updated
    

Verifying Connection Statistics with TMM Debug Sidecar

If the TMM Debug sidecar is enabled (default), follow these steps to verify F5BigContextSecure statistics.

  1. Log in to the TMM debug Pod.

    In this example, the TMM debug container is in the cnf-gateway namespace:

    oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the F5BigContextSecure statistics.

    Clientside connections:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
    
    name                                               clientside.tot_conns
    -------------------------------------------------- --------------------
    cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
    

    Serverside connections:

    tmctl -d blade virtual_server_stat -s name,serverside.tot_conns
    
    name                                               serverside.tot_conns
    -------------------------------------------------- --------------------
    cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.