F5BigContextSecure

Overview

The F5BigContextSecure Custom Resource (CR) configures the Traffic Management Microkernel (TMM) to perform as an application layer gateway (ALG) for low-latency 5G workloads. The F5BigContextSecure CR provides granular connection management using the following F5 protocol profiles: TCP, UDP and FastL4, and is an integral part of the DNS44, DNS46, and DNS64 implementations.

This document guides you through understanding, configuring and installing a simple F5BigContextSecure CR.

CR parameters

The table below describes the F5BigContextSecure CR parameters used in this document; refer to the F5BigContextSecure Reference for the full list of parameters.

spec

Parameter Description
destinationAddress Creates an IPv4 virtual server address that listens for ingress connections: host "10.10.10.50", subnet "10.10.10.0/24".
ipv6destinationAddress Creates an IPv6 virtual server address that listens for ingress connections: host "4001::1", subnet "4001::/64".
destinationPort Defines the service port for ingress connections. any (default).
ipProtocol Specifies the virtual server IP protocol: tcp, udp, or any (default).
selfipAsDest Specifies whether to use the self IP as the destination IP address for the secure context. If selfipAsDest is set to true and no destination addresses are specified, the self IPs of the VLANs in vlans.vlanList are configured as destination IPs. The default is false.
profile Specifies the profile to be used by the virtual server: tcp, udp, fastl4(default), or ipother.
fastL4Settings.profileName Specifies how TMM handles connections using the F5BigFastl4Setting CR's metadata.name value.
tcpSettings.clientSide Specifies how TMM handles clientside TCP connections using the F5BigTcpSetting CR's metadata.name value.
tcpSettings.serverSide Specifies how TMM handles serverside TCP connections using the F5BigTcpSetting CR's metadata.name value.
udpSettings.clientSide Specifies how TMM handles clientside UDP connections using the F5BigUdpSetting CR's metadata.name value.
udpSettings.serverSide Specifies how TMM handles serverside UDP connections using the F5BigUdpSetting CR's metadata.name value.
snat.type Specifies the type of address translation: none (default), automap, or snat.
snat.pool When snat.type is snat, specifies the F5BigCneSnatpool CR to reference using the spec.name parameter.
vlans.vlanList Specifies one or more F5BigNetVlan CRs, using the metadata.name parameter, that listen for application traffic.

CR Example

apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
  name: "cnf-context"
  namespace: "cnf-gateway"
spec:
   ipv6destinationAddress: "2002::200:200:200:0/112"
   destinationPort: 0
   iRules: ["cnf-irule"]
   ipProtocol: "tcp"
   profile: "tcp"
   tcpSettings:
     clientSide: "tcp-high-bw-profile"
     serverSide: "tcp-high-bw-profile"
   vlans:
     vlanList:
       - "subscriber-vlan"
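The parameter constraints in the table above can be checked before a CR is applied. The following pre-apply lint is an added example, not F5 code: it encodes the documented rules (a destination or selfipAsDest, the allowed ipProtocol/profile/snat.type values, snat.pool when snat.type is snat) as errors, and adds two local conventions as warnings (an empty vlans.vlanList, and a listener that accepts any port and any IP protocol). The embedded spec is constructed to mirror the CR example above; with a real CR you would pass the "spec" mapping from yaml.safe_load().

```python
"""Pre-apply lint for an F5BigContextSecure spec (added example, not F5 code)."""

IP_PROTOCOLS = {"tcp", "udp", "any"}
PROFILES = {"tcp", "udp", "fastl4", "ipother"}
SNAT_TYPES = {"none", "automap", "snat"}


def validate_spec(spec):
    """Return a list of 'LEVEL: message' findings; an empty list means the spec passes."""
    findings = []
    has_dest = "destinationAddress" in spec or "ipv6destinationAddress" in spec
    vlan_list = spec.get("vlans", {}).get("vlanList") or []
    # A listener needs a destination unless selfipAsDest supplies one from the VLAN self IPs.
    if not has_dest:
        if not spec.get("selfipAsDest", False):
            findings.append("ERROR: no destinationAddress/ipv6destinationAddress and selfipAsDest is false")
        elif not vlan_list:
            findings.append("ERROR: selfipAsDest is true but vlans.vlanList names no VLAN to take self IPs from")
    ip_protocol = spec.get("ipProtocol", "any")
    if ip_protocol not in IP_PROTOCOLS:
        findings.append(f"ERROR: ipProtocol must be one of {sorted(IP_PROTOCOLS)}")
    profile = spec.get("profile", "fastl4")
    if profile not in PROFILES:
        findings.append(f"ERROR: profile must be one of {sorted(PROFILES)}")
    # tcpSettings/udpSettings reference F5BigTcpSetting/F5BigUdpSetting CRs by metadata.name.
    settings_key = {"tcp": "tcpSettings", "udp": "udpSettings"}.get(profile)
    if settings_key:
        for side in ("clientSide", "serverSide"):
            if not spec.get(settings_key, {}).get(side):
                findings.append(f"WARN: {settings_key}.{side} not set for profile {profile}")
    snat = spec.get("snat", {})
    snat_type = snat.get("type", "none")
    if snat_type not in SNAT_TYPES:
        findings.append(f"ERROR: snat.type must be one of {sorted(SNAT_TYPES)}")
    elif snat_type == "snat" and not snat.get("pool"):
        findings.append("ERROR: snat.type is snat but snat.pool names no F5BigCneSnatpool")
    # Local conventions (not product requirements): bind to VLANs, avoid a wide-open listener.
    if not vlan_list:
        findings.append("WARN: vlans.vlanList is empty; context is not bound to specific F5BigNetVlan CRs")
    # The table's default is "any" and the CR example uses 0; both are treated as a wildcard (assumption).
    if spec.get("destinationPort", "any") in ("any", 0) and ip_protocol == "any":
        findings.append("WARN: listener accepts any destination port and any IP protocol")
    return findings


# Constructed spec mirroring the CR example above (not taken from a live cluster).
EXAMPLE_SPEC = {
    "ipv6destinationAddress": "2002::200:200:200:0/112",
    "destinationPort": 0,
    "iRules": ["cnf-irule"],
    "ipProtocol": "tcp",
    "profile": "tcp",
    "tcpSettings": {"clientSide": "tcp-high-bw-profile", "serverSide": "tcp-high-bw-profile"},
    "vlans": {"vlanList": ["subscriber-vlan"]},
}

if __name__ == "__main__":
    for finding in validate_spec(EXAMPLE_SPEC) or ["OK: spec passes all checks"]:
        print(finding)
```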

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigContextSecure CR shortName is secctx.

View CR instance:

kubectl get secctx -n <namespace>

View CR configuration:

kubectl get secctx -n <namespace> -o yaml

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigContextSecure CR, and the optional CNFs F5BigTcpSetting CR. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: The example F5BigTcpSetting CR increases several packet buffer sizes to improve performance. Copy and paste the example into a YAML file:

    Note: The F5BigTcpSetting CR will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigTcpSetting
    metadata:
      name: "tcp-high-bw-profile"
      namespace: "cnf-gateway"
    spec:
      sendBufferSize: 150000
      receiveWindowSize: 70000
      proxyBufferHigh: 20000
      proxyBufferLow: 5000
      idleTimeout: 150
      resetOnTimeout: false
    
  2. Install the F5BigTcpSetting CR:

    kubectl apply -f cnf-tcp-high-bw-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigTcpSetting CRs were added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5TcpSetting",
    TcpSetting cnf-gateway/tcp-high-bw-profile was added/updated
    
  3. The example F5BigContextSecure CR listens for connections destined to IP addresses in the 2002::200:200:200:0/112 subnet, and only on the subscriber-vlan interface. The CR also references the F5BigTcpSetting profile. Copy and paste the example into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-context"
      namespace: "cnf-gateway"
    spec:
       ipv6destinationAddress: "2002::200:200:200:0/112"
       destinationPort: 0
       iRules: ["cnf-irule"]
       ipProtocol: "tcp"
       profile: "tcp"
       tcpSettings:
         clientSide: "tcp-high-bw-profile"
         serverSide: "tcp-high-bw-profile"
       vlans:
         vlanList:
           - "subscriber-vlan"
    
  4. Install the F5BigContextSecure CR:

    kubectl apply -f f5-cnf-context.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", 
    SecureContext cnf-gateway/cnf-context was added/updated
    
  5. Continue to the Additional CRs and ContextSecure statistics sections.

Additional CRs

The F5BigContextSecure CR can also reference these CNFs CRs:

  • F5BigFwPolicy - Granular network packet filtering using access control lists.
  • F5BigNatPolicy - Carrier-grade NAT (CG-NAT) functionality.
  • F5BigDnsApp - High-performance DNS resolution, caching, and DNS64 translations.
  • F5BigIpsPolicy - DNS packet inspection for protection against malicious network traffic.
  • F5BigCneSnatpool - Provides TMMs with additional IP addresses for source IP address translation.
  • F5BigLogProfile - Capture and send traffic processing events to remote logging servers.

ContextSecure statistics

If the TMM Debug sidecar is enabled (default), use the steps below to verify firewall filtering statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the F5BigContextSecure statistics:

    Clientside connections:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
    
    name                                       clientside.tot_conns
    ------------------------------------------ --------------------
    cnf-gateway-cnf-context-SecureContext_vs                    8
    

    Serverside connections:

    tmctl -d blade virtual_server_stat -s name,serverside.tot_conns
    
    name                                       serverside.tot_conns
    ------------------------------------------ --------------------
    cnf-gateway-cnf-context-SecureContext_vs                    8
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental

  • F5BigCneIrule - CNF supports iRules with Context Secure or any other use-case CRs (example: DNS Virtual Server and F5BigAlgFtp).