F5BigGlobalOptions

Overview

The F5BigGlobalOptions Custom Resource (CR) contains optional settings that allow users to enable non-standard behaviors or features. By default, these non-standard behaviors and features are disabled in the global settings, and some use cases may require enabling them. A user who changes any of these optional behaviors or features must understand and acknowledge the consequences before changing the global settings from their default values.

These settings affect the global operation of the system. Currently, there is no provision to selectively enable any of them on a per-object basis. Every configured entity that recognizes an F5BigGlobalOptions setting is affected.

CR Parameters

The following tables list the F5BigGlobalOptions CR parameters:

Metadata

Parameter Description
name Name of the F5BigGlobalOptions CR, by which Kubernetes identifies the CR.

spec.dnscache

Parameter Description
matchWildcardVip Controls whether the instances of the DNS cache match a catch-all (wildcard) listener, which is then used as the originator when sending out upstream DNS queries.

spec.ip

Parameter Description
acceptIpOptions Controls, at the global level, whether IPv4 packets that carry an Options field are accepted. The default value of the acceptIpOptions parameter is false, meaning that all IPv4 packets with an Options field are dropped, except for a few such as Router Alert with the IGMP option.
Note: Set this option only if you need custom control over allowing traffic with IPv4 Options at the global level.

matchWildcardVip setting

By default, queries from the DNS cache towards upstream DNS servers are sent out with the self-IP address of the Traffic Management Microkernel (TMM) pod. For more control over, and better security of, these queries, an optional feature is provided. The user can configure an F5BigContextSecure (listener), which is an endpoint whose destination matches all outgoing traffic, such as one targeting the 0.0.0.0/0 and/or ::/0 networks, and attach an F5BigCneSnatpool to it.

If such an endpoint is available when the cache attempts to connect to an external DNS server for recursive resolution, it is used as the originator of the query, and an IP address from the SNAT pool attached to the listener is used as the source address. This hides the internal network information of the user, specifically the self-IP of the system. If no wildcard listener is present, or one was configured without an SNAT pool, enabling this option has no effect. As with all global options, this setting affects every instance of the cache configured on the system.

Example CR

Following is an example configuration for the F5BigGlobalOptions CR:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigGlobalOptions
metadata:
  name: "globaloptions"
spec:
  ip:
    acceptIpOptions: true
  dnscache:
    matchWildcardVip: true

Installation

Following are the steps to install an example F5BigGlobalOptions CR:

  1. Before applying the F5BigGlobalOptions CR, check for an existing instance of the same resource, because the F5BigGlobalOptions CR must be a singleton. Creating an additional instance of the F5BigGlobalOptions CR causes an exceeded quota error.

  2. The example F5BigGlobalOptions CR modifies the acceptIpOptions parameter under the ip section and the matchWildcardVip parameter under the dnscache section, setting both values to true. Copy and paste the example above into a YAML file (for example, globaloptions-cr.yaml).

  3. Install the F5BigGlobalOptions CR by running the following command:

    kubectl apply -f globaloptions-cr.yaml
    
  4. Verify that the F5BigGlobalOptions CR was added or updated by checking the BIG-IP Controller logs, which show an event such as the following:

    I0822 12:00:00.123456      13 event.go:364] Event(v1.ObjectReference{Kind:"F5BigGlobalOptions", }): type: 'Normal' reason: 'Added/Updated' globalOptions default/globaloptions-cr was added/updated
    
  5. In the example setup, acceptIpOptions is enabled, which allows IPv4 packets that carry an Options field. If, for example, an F5BigDdosGlobal CR is also applied to rate-limit the ipv4OptFrame vector (a flood of too many IPv4 packets carrying an IP Options frame), then that traffic is rate-limited according to the ratelimit parameter specified in the F5BigDdosGlobal CR rather than being dropped outright.

  6. In the example setup, matchWildcardVip is also enabled, so the instances of the DNS cache match a catch-all listener for outgoing DNS queries.

  7. Whether or not an instance of the F5BigGlobalOptions CR exists, if the ip (or dnscache) section is not specified, the ip.acceptIpOptions (or dnscache.matchWildcardVip) parameter takes its default value of false.
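The following pre-flight check is an added example, not part of F5's documentation or tooling. It validates a candidate F5BigGlobalOptions CR, applies the singleton rule from step 1 and the default-to-false rule from step 7, and reports which non-default behaviors applying the CR would switch on. It assumes the existing-instance listing is the parsed JSON that kubectl get -o json returns (a List with items); the listings below are constructed inline.

```python
import json

# Sections and parameters this page documents; everything else is rejected.
KNOWN_SPEC = {"ip": {"acceptIpOptions"}, "dnscache": {"matchWildcardVip"}}


def effective_settings(cr):
    """Settings as the system will apply them: a missing section or parameter
    means the documented default, false (step 7 above)."""
    spec = (cr or {}).get("spec") or {}
    return {f"{section}.{param}": bool((spec.get(section) or {}).get(param, False))
            for section, params in KNOWN_SPEC.items() for param in sorted(params)}


def validate_cr(cr):
    """Return a list of problems: wrong kind, unknown keys, non-boolean values."""
    problems = []
    if cr.get("kind") != "F5BigGlobalOptions":
        problems.append(f"kind must be F5BigGlobalOptions, got {cr.get('kind')!r}")
    for section, body in (cr.get("spec") or {}).items():
        if section not in KNOWN_SPEC:
            problems.append(f"unknown section spec.{section}")
            continue
        for param, value in (body or {}).items():
            if param not in KNOWN_SPEC[section]:
                problems.append(f"unknown parameter spec.{section}.{param}")
            elif not isinstance(value, bool):  # "true" as a string is not a boolean
                problems.append(f"spec.{section}.{param} must be true/false, got {value!r}")
    return problems


def preflight(existing_listing, new_cr):
    """existing_listing: parsed `kubectl get ... -o json` output (assumed shape).
    Applying over an instance with the same name is an update; any other
    instance violates the singleton rule and would hit the quota error."""
    problems = validate_cr(new_cr)
    new_name = new_cr.get("metadata", {}).get("name")
    others = [i["metadata"]["name"] for i in existing_listing.get("items", [])
              if i["metadata"]["name"] != new_name]
    if others:
        problems.append(f"existing F5BigGlobalOptions instance(s) {others}; CR must be a singleton")
    enabled = [k for k, v in effective_settings(new_cr).items() if v]
    return {"ok": not problems, "problems": problems, "enabled_non_default": enabled}


# Constructed inputs: the page's example CR and two cluster listings.
EXAMPLE_CR = json.loads('{"apiVersion": "k8s.f5net.com/v1", "kind": "F5BigGlobalOptions",'
                        ' "metadata": {"name": "globaloptions"},'
                        ' "spec": {"ip": {"acceptIpOptions": true}, "dnscache": {"matchWildcardVip": true}}}')
EMPTY_LISTING = json.loads('{"items": []}')
OTHER_LISTING = json.loads('{"items": [{"metadata": {"name": "legacy-options"}}]}')

if __name__ == "__main__":
    print(json.dumps(preflight(EMPTY_LISTING, EXAMPLE_CR), indent=2))
    print(json.dumps(preflight(OTHER_LISTING, EXAMPLE_CR), indent=2))
```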

Feedback

Provide your feedback to improve this document by sending an email to cnfdocs@f5.com.