F5BigDownloaderPolicy¶
Overview¶
The F5BigDownloaderPolicy Custom Resource (CR) configures the Cloud-Native Network Functions (CNFs) Downloader Pod to download the latest IM installation packages from specified locations and at specified intervals. The CNFs Downloader Pod performs sanity checks on the downloaded IM package’s lists of applications and catagories, verifies the received Certificate Authority (CA) bundle, and the digital signature of the IM Package. The relevant classification data is converted into a Binary Large OBject (BLOB), and sent to the Traffic Management Microkernel (TMM) Proxy Pod’s Downloader sidecar.
Currently, Downloader supports only offline mode. In offline mode, users are able to upload IPS updates (IM packages) to the downloader pod manually. Downloader will send the newest IM package to IPSD from uploaded files to the downloader POD.
Package type¶
The Downloader Pod can be configured to download the IPS (intrusion prevention system) signatures package type.
This document guides you through understanding, configuring and installing the F5BigDownloaderPolicy CR.
CR parameters¶
spec¶
| Parameter | Description |
|---|---|
name |
Specifies the name of the proxy that is getting configured.. |
kind |
Specifies the type of proxy used. Currently only https proxy type is supported. |
host |
Specifies the IP address of the proxy. |
port |
Specifies the port number of the proxy: 1 to 65535. |
components.type |
Specifies the type of IM for the F5BigDownloaderPolicy: ips. |
components.downloadUrl |
Specifies the URL to download the IM installed package. For ips, an empty field uses the default F5 download endpoint. |
components.pollInterval |
Specifies the polling time interval for downloading the latest IM Packages. |
components.proxy |
The name of the proxy object. |
components.mode |
Specifies the type of the mode. |
CR Examples¶
F5BigDownloaderPolicy
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDownloaderPolicy
metadata:
name: "cnf-downloadpolicy"
namespace: "cnf-gateway"
spec:
components:
- type: "ips"
downloadUrl: "https://api.f5networks.net/product/big-ip/downloads/big-ip_v17.x/17.0.0/mbip-cnf-ips"
pollInterval: "3m"
mode: "offline"
CR shortName¶
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDownloaderPolicy CR shortName is downpol.
View CR instance:
kubectl get downpol -n <namespace>
View CR configuration:
kubectl get downpol -n <namespace> -o yaml
By default, the Download Pod is disabled. To enable the Downloader Pod, add the following parameters to the BIG-IP Controller Helm values file:
f5-downloader:
enabled: true
downloader:
image:
repository: "registry.com"
blobd:
enabled: true
image:
repository: "registry.com"
The Fluentd Logging collector is enabled by default, and requires setting the f5-toda-logging.fluentd.host parameter. If you installed Fluentd, ensure the host parameter targets the Fluentd Pod’s namespace:
Note: In this example, the host value includes the Fluentd Pod’s cnf-gateway Namespace.
f5-downloader:
downloader:
fluentbit_sidecar:
enabled: true
image:
repository: registry.com"
fluentd:
host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local'
Installation¶
Use these steps to install the example F5BigDownloaderPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.
Tip: Open a second shell to view the CNFs Event Logs while installing.
Copy the example F5BigDownloaderPolicy CR into a YAML file:
apiVersion: "k8s.f5net.com/v1" kind: F5BigDownloaderPolicy metadata: name: "cnf-downloadpolicy" namespace: "cnf-gateway" spec: components: - type: "ips" downloadUrl: "https://api.f5networks.net/product/big-ip/downloads/big-ip_v17.x/17.0.0/mbip-cnf-ips" pollInterval: "3m" mode: "offline"
Install the F5BigDownloaderPolicy CR:
kubectl apply -f cnf-download-cr.yaml
User can upload the IM package files to downloader pod. Location:
/var/downloader-localfile-upload/. This is a persistent volume attached to the container; files uploaded will be persistent across container restarts.Example
kubectl cp pi_updates_17.0.0-20231110.0616.im f5-downloader-6498849466-6f9z8:/var/downloader-localfile-uploadI0624
Once the file is uploaded in the above directory, it will be picked up by the downloader, and an IM package update will be sent to IPSD.
The newest (with the latest timestamp file) is selected from the folder in case multiple files are uploaded to the folder.
Copy the example F5BigContextSecure CR into a YAML file:
apiVersion: k8s.f5net.com/v1 kind: F5BigContextSecure metadata: name: "cnf-url-class-context" namespace: "cnf-gateway" spec: destinationAddress: "0.0.0.0/0" ipv6destinationAddress: "::/0" destinationPort: 80 ipProtocol: "tcp" profile: "tcp"
Install the F5BigContextSecure CR:
kubectl apply -f f5-cnf-context-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-url-class-context was added/updated
Connection statistics¶
If the TMM Debug sidecar is enabled (default), use the steps below to verify F5BigContextSecure statistics.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the cnf-gateway namespace:
kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
Verify the URL categorization stats:
tmctl -d blade gpa_urlcat_stats
name count irule customdb wrdb cloud srdb bytes_in bytes_out ----------------- ----- ----- -------- ---- ----- ---- -------- --------- Unknown 0 0 0 0 0 0 0 0 Search_Engines 10 0 0 10 0 0 4220 7550 Social_Networking 5 0 0 5 0 0 1380 1380 Shopping 7 0 0 7 0 0 2220 2220
Verify the F5BigContextSecure statistics:
Clientside connections:
tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
name clientside.tot_conns -------------------------------------------------- -------------------- cnf-gateway-cnf-url-class-context-SecureContext_vs 8
Serverside connections:
tmctl -d blade virtual_server_stat -s name,serverside.tot_conns
name serverside.tot_conns -------------------------------------------------- -------------------- cnf-gateway-cnf-url-class-context-SecureContext_vs 8
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.