F5BigContextSecure¶
Overview¶
The F5BigContextSecure Custom Resource (CR) configures the Traffic Management Microkernel (TMM) to perform as an application layer gateway (ALG) for low-latency 5G workloads. The F5BigContextSecure CR provides granular connection management using the following F5 protocol profiles: TCP, UDP and FastL4, and is an integral part of the DNS44, DNS46, and DNS64 implementations.
This document guides you through understanding, configuring and installing a simple F5BigContextSecure CR.
CR parameters¶
The tables below describe the F5BigSecureContext CR parameters used in this document, refer to the F5BigContextSecure Reference for the full list of parameters.
spec¶
Parameter | Description |
---|---|
destinationAddress |
Creates an IPv4 virtual server address that listens for ingress connections: host 10.10.10.50, subnet 10.10.10.0/24". |
ipv6destinationAddress |
Creates an IPv6 virtual server address that listens for ingress connections: host "4001::1", subnet "4001::/64". |
destinationPort |
Defines the service port for ingress connections. any (default). |
ipProtocol |
Specifies the virtual server IP protocol: tcp, udp, or any (default). |
selfipAsDest |
Specify whether to use selfip as the destination IP address for the secure context. If selfipAsDest is set to true and destination addresses are not specified, then the selfIPs from the vlans.vlanList get configured as destination IPs. The default is false. |
profile |
Specifies the profile to be used by the virtual server: tcp, udp, fastl4(default), or ipother. |
fastL4Settings.profileName |
Specifies how TMM handles connections using the F5BigFastl4Setting CR's metadata.name value. |
tcpSettings.clientSide |
Specifies how TMM handles clientside TCP connections using the F5BigTcpSetting CR's metadata.name value. |
tcpSettings.serverSide |
Specifies how TMM handles serverside TCP connections using the F5BigTcpSetting CR's metadata.name value. |
udpSettings.clientSide |
Specifies how TMM handles clientside UDP connections using the F5BigUdpSetting CR's metadata.name value. |
udpSettings.serverSide |
Specifies how TMM handles serverside UDP connections using the F5BigUdpSetting CR's metadata.name value. |
snat.type |
Specifies the type of address translation: none (default), automap, or snat. |
snat.pool |
When snat.type is snat, specifies the F5BigCneSnatpool CR to reference using the spec.name parameter. |
vlans.vlanList |
Specifies one or more F5BigNetVlan CRs using the metadata.name parameter, that listen for application traffic. |
CR Example¶
apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
name: "cnf-context"
namespace: "cnf-gateway"
spec:
ipv6destinationAddress: "2002::200:200:200:0/112"
destinationPort: 0
iRules: ["cnf-irule"]
ipProtocol: "tcp"
profile: "tcp"
tcpSettings:
clientSide: "tcp-high-bw-profile"
serverSide: "tcp-high-bw-profile"
vlans:
vlanList:
- "subscriber-vlan"
CR shortName¶
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigContextSecure CR shortName is secctx.
View CR instance:
kubectl get secctx -n <namespace>
View CR configuration:
kubectl get secctx -n <namespace> -o yaml
Installation¶
Use these steps to install the example F5BigContextSecure CR, and the optional CNFs F5BigTcpSetting CR. Each step offers a brief description of the example CR.
Tip: Open a second shell to view the CNFs Event Logs while installing.
Optional: The example F5BigTcpSetting CR increases a number of packets buffers to increase performance. Copy and paste the example into a YAML file:
Note: The F5BigTcpSetting CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigTcpSetting metadata: name: "tcp-high-bw-profile" namespace: "cnf-gateway" spec: sendBufferSize: 150000 receiveWindowSize: 70000 proxyBufferHigh: 20000 proxyBufferLow: 5000 idleTimeout: 150 resetOnTimeout: false
Install the F5BigTcpSetting CR:
kubectl apply -f cnf-tcp-high-bw-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigTcpSetting CRs were added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5TcpSetting", TcpSetting cnf-gateway/tcp-high-bw-profile was added/updated
The example F5BigContextSecure CR listens for connections destined to IP addresses in the 2002::200:200:200:0/112 subnet, and only on the subscriber-vlan interface. The CR also references the F5BigTcpsettings profile. Copy and paste the example into a YAML file:
apiVersion: k8s.f5net.com/v1 kind: F5BigContextSecure metadata: name: "cnf-context" namespace: "cnf-gateway" spec: ipv6destinationAddress: "2002::200:200:200:0/112" destinationPort: 0 iRules: ["cnf-irule"] ipProtocol: "tcp" profile: "tcp" tcpSettings: clientSide: "tcp-high-bw-profile" serverSide: "tcp-high-bw-profile" vlans: vlanList: - "subscriber-vlan"
Install the F5BigContextSecure CR:
kubectl apply -f f5-cnf-context.yaml
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-context was added/updated
Continue to the Additional CRs and ContextSecure statistics sections.
Additional CRs¶
The F5BigContextSecure CR can also reference these CNFs CRs:
- F5BigFwPolicy - Granular network packet filtering using access control lists.
- F5BigNatPolicy - Carrier-grade NAT (CG-NAT) functionality.
- F5BigDnsApp - High-performance DNS resolution, caching, and DNS64 translations.
- F5BigIpsPolicy - DNS packet inspection for protection against malignant network traffic.
- F5BigCneSnatpool - Provides TMMs with additional IP addresses for source IP address translation.
- F5BigLogProfile - Capture and send traffic processing events to remote logging servers.
ContextSecure statistics¶
If the TMM Debug sidecar is enabled (default), use the steps below to verify firewall filtering statics.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the cnf-gateway namespace:
kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
Verify the F5BigContextSecure statistics:
Clientside connections:
tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
name clientside.tot_conns ------------------------------------------ -------------------- cnf-gateway-cnf-context-SecureContext_vs 8
Serverside connections:
tmctl -d blade virtual_server_stat -s name,serverside.tot_conns
name serverside.tot_conns ------------------------------------------ -------------------- cnf-gateway-cnf-context-SecureContext_vs 8
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.
Supplemental¶
- F5BigCneIrule - CNF supports iRules with Context Secure or any other usecase CRs (example: DNS Virtual Server and F5BigAlgFtp).