F5BigDownloaderPolicy

Overview

The F5BigDownloaderPolicy Custom Resource (CR) configures the Cloud-Native Network Functions (CNFs) Downloader Pod to download the latest IM installation packages from specified locations at specified intervals. The CNFs Downloader Pod performs sanity checks on the downloaded IM package's lists of applications and categories, verifies the received Certificate Authority (CA) bundle, and verifies the digital signature of the IM package. The relevant classification data is converted into a Binary Large OBject (BLOB) and sent to the Traffic Management Microkernel (TMM) Proxy Pod's Downloader sidecar. TMM uses the classification data when processing application traffic with the following traffic processing CRs: F5BigClassificationprofile, F5BigPePolicy and F5BigContextSecure.

Package types

The Downloader Pod can be configured to download the following package types:

  • IPS (intrusion prevention system) signatures.
  • IPI (IP reputation intelligence) databases.
  • CEC (classification engine core) signatures.
  • URLCAT (URL categorization) databases.

This document guides you through understanding, configuring and installing the F5BigDownloaderPolicy CR.

CR parameters

spec

Parameter                Description
name                     A unique name for the downloader policy.
kind
host
port
components.type          Specifies the type of IM package for the F5BigDownloaderPolicy: cec, wr-urldb or ips.
components.downloadUrl   Specifies the URL from which the IM package is downloaded. For cec and ips, an empty field uses the default F5 download endpoint.
components.pollInterval  Specifies the polling interval at which the latest IM packages are downloaded.
components.proxy         The name of the proxy object.

CR Examples

F5BigDownloaderPolicy

apiVersion: "k8s.f5net.com/v1"
kind: F5BigDownloaderPolicy
metadata:
  name: "cnf-downloadpolicy"
  namespace: "cnf-gateway"
spec:
  components:
    - type: "cec"
      downloadUrl: "https://api.f5networks.net/product/big-ip/downloads/big-ip_v17.x/17.0.0/mbip-cnf-cec"
      pollInterval: "3m"
    - type: "wr-urldb"
      downloadUrl: "api-dualstack.bcti.brightcloud.com"
      pollInterval: "2m"
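The following Python lint is an added example; it is not part of this page or of F5's tooling. It reads the spec.components list of a F5BigDownloaderPolicy manifest with a minimal line-based reader (it assumes the flat layout shown in the example above, not general YAML) and flags what an operator should confirm before applying the CR: an unknown components.type, a type listed twice, an empty downloadUrl for a type that has no documented default, a downloadUrl without an explicit https:// scheme, and a pollInterval that is not a duration such as "3m". The allowed types and the default-endpoint rule come from the parameter table; the duration format and the https check are assumptions made for this example.

```python
import re
from typing import Dict, List

# Types listed for components.type on this page.
ALLOWED_TYPES = {"cec", "wr-urldb", "ips"}
# Types for which an empty downloadUrl falls back to the default F5 endpoint (per the table).
DEFAULT_URL_TYPES = {"cec", "ips"}
# Assumed duration format, modelled on the "3m" / "2m" values in the example CR.
INTERVAL_RE = re.compile(r"^[1-9][0-9]*[smh]$")


def parse_components(manifest: str) -> List[Dict[str, str]]:
    """Read spec.components from a manifest laid out like the example CR.

    Deliberately not a YAML parser: it only understands the flat
    '- key: "value"' list used for components, which is enough for a lint.
    """
    components: List[Dict[str, str]] = []
    list_indent = None
    for raw in manifest.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if list_indent is None:
            if stripped == "components:":
                list_indent = indent
            continue
        if indent <= list_indent:
            break  # back at the indentation of 'components:' -> the list is over
        if stripped.startswith("- "):
            components.append({})
            stripped = stripped[2:].strip()
        if not components:
            continue
        key, _, value = stripped.partition(":")  # split on the first colon only (URLs contain ':')
        components[-1][key.strip()] = value.strip().strip("\"'")
    return components


def lint_downloader_policy(manifest: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to review."""
    findings: List[str] = []
    components = parse_components(manifest)
    if not components:
        return ["spec.components is empty: the Downloader Pod has nothing to fetch"]
    seen = set()
    for i, comp in enumerate(components):
        where = f"components[{i}]"
        ctype = comp.get("type", "")
        if ctype not in ALLOWED_TYPES:
            findings.append(f"{where}: unknown type {ctype!r}; expected one of {sorted(ALLOWED_TYPES)}")
        if ctype in seen:
            findings.append(f"{where}: type {ctype!r} is listed more than once")
        seen.add(ctype)

        url = comp.get("downloadUrl", "")
        if not url:
            if ctype not in DEFAULT_URL_TYPES:
                findings.append(f"{where}: downloadUrl is empty and no default endpoint is documented for {ctype!r}")
        elif not url.startswith("https://"):
            findings.append(f"{where}: downloadUrl {url!r} has no https:// scheme; confirm the package is fetched over TLS")

        interval = comp.get("pollInterval", "")
        if not INTERVAL_RE.match(interval):
            findings.append(f"{where}: pollInterval {interval!r} is not a duration such as '3m'")
    return findings


# Constructed input: the example CR from this page, verbatim.
EXAMPLE_POLICY = """\
apiVersion: "k8s.f5net.com/v1"
kind: F5BigDownloaderPolicy
metadata:
  name: "cnf-downloadpolicy"
  namespace: "cnf-gateway"
spec:
  components:
    - type: "cec"
      downloadUrl: "https://api.f5networks.net/product/big-ip/downloads/big-ip_v17.x/17.0.0/mbip-cnf-cec"
      pollInterval: "3m"
    - type: "wr-urldb"
      downloadUrl: "api-dualstack.bcti.brightcloud.com"
      pollInterval: "2m"
"""

# Constructed input: a deliberately broken policy that trips the remaining checks.
BROKEN_POLICY = """\
spec:
  components:
    - type: "urlcat"
      pollInterval: "3 minutes"
    - type: "cec"
      pollInterval: "5m"
    - type: "cec"
      pollInterval: "5m"
"""

if __name__ == "__main__":
    for label, text in (("example", EXAMPLE_POLICY), ("broken", BROKEN_POLICY)):
        print(f"== {label} ==")
        for finding in lint_downloader_policy(text) or ["no findings"]:
            print("  " + finding)
```

Run against the page's own example, the only finding is the wr-urldb downloadUrl, which is given as a bare hostname; whether that endpoint is reached over TLS is something to confirm with the operator rather than assume, which is why the lint reports it instead of rewriting it.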

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigDownloaderPolicy CR shortName is downpol.

View CR instance:

kubectl get downpol -n <namespace>

View CR configuration:

kubectl get downpol -n <namespace> -o yaml

By default, the Downloader Pod is disabled. To enable it, add the following parameters to the BIG-IP Controller Helm values file:

f5-downloader:
  enabled: true

  downloader:
    image:
      repository: "registry.com"

blobd:
  enabled: true
  image:
    repository: "registry.com"

The Fluentd Logging collector is enabled by default, and requires setting the f5-toda-logging.fluentd.host parameter. If you installed Fluentd, ensure the host parameter targets the Fluentd Pod’s namespace:

Note: In this example, the host value includes the Fluentd Pod’s cnf-gateway Namespace.

f5-downloader:
  downloader:

    fluentbit_sidecar:
      enabled: true
      image:
        repository: "registry.com"

      fluentd:
        host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local'

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigDownloaderPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Copy the example F5BigDownloaderPolicy CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDownloaderPolicy
    metadata:
      name: "cnf-downloadpolicy"
      namespace: "cnf-gateway"
    spec:
      components:
        - type: "cec"
          downloadUrl: "https://api.f5networks.net/product/big-ip/downloads/big-ip_v17.x/17.0.0/mbip-cnf-cec"
          pollInterval: "3m"
        - type: "wr-urldb"
          downloadUrl: "api-dualstack.bcti.brightcloud.com"
          pollInterval: "2m"
    
  2. Install the F5BigDownloaderPolicy CR:

    kubectl apply -f cnf-download-cr.yaml
    
  3. Copy the example F5BigClassificationprofile CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigClassificationprofile
    metadata:
      name: "cnf-url-class-profile"
      namespace: "cnf-gateway"
    spec:
      name: "url-class-profile"
      enableUrlCategorization: true
    
  4. Install the F5BigClassificationprofile CR:

    kubectl apply -f cnf-class-profile.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigClassificationprofile CR was added/updated:

    I0624 12:00:00.12347   1 event.go:282] Event(v1.ObjectReference{Kind:"F5ClassificationProfile",
    F5ClassificationProfile cnf-gateway/cnf-url-class-profile was added/updated
    
  5. Copy the example F5BigPePolicy CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigPePolicy
    metadata:
      name: "cnf-url-pe-policy"
      namespace: "cnf-gateway"
    spec:
      state: "Enabled"
      rule:
        - name: "url-rule-1"
          precedence: 1
          filter:
            url_categorization:
              - match: "match"
                category: "Search_Engines"
          action:
            gate: "Enabled"
    
  6. Install the F5BigPePolicy CR:

    kubectl apply -f cnf-pe-policy-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigPePolicy CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282] Event(v1.ObjectReference{Kind:"F5PemPolicy",
    PemPolicy cnf-gateway/cnf-url-pe-policy was added/updated
    
  7. Copy the example F5BigPeProfile CR into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigPeProfile
    metadata:
      name: "cnf-url-pe-profile"
      namespace: "cnf-gateway"
    spec:
      unknownSubscriberpolicy:
        - "cnf-url-pe-policy"
    
  8. Install the F5BigPeProfile CR:

    kubectl apply -f cnf-pe-profile-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigPeProfile CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282] Event(v1.ObjectReference{Kind:"F5PemProfile",
    PemProfile cnf-gateway/cnf-url-pe-profile was added/updated
    
  9. Copy the example F5BigContextSecure CR into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-url-class-context"
      namespace: "cnf-gateway"
    spec:
       destinationAddress: "0.0.0.0/0"
       ipv6destinationAddress: "::/0"
       destinationPort: 80
       ipProtocol: "tcp"
       profile: "tcp"
       classificationProfile: "cnf-url-class-profile"
       pemProfile: "cnf-url-pe-profile"
    
  10. Install the F5BigContextSecure CR:

    kubectl apply -f f5-cnf-context-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00.12350   1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext",
    SecureContext cnf-gateway/cnf-url-class-context was added/updated
    

Connection statistics

If the TMM Debug sidecar is enabled (the default), use the steps below to verify F5BigClassificationprofile, F5BigPePolicy, and F5BigContextSecure statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the URL categorization stats:

    tmctl -d blade gpa_urlcat_stats
    
    name              count irule customdb wrdb cloud srdb bytes_in bytes_out
    ----------------- ----- ----- -------- ---- ----- ---- -------- ---------
    Unknown               0     0        0    0     0    0        0         0
    Search_Engines       10     0        0   10     0    0     4220      7550
    Social_Networking     5     0        0    5     0    0     1380      1380
    Shopping              7     0        0    7     0    0     2220      2220
    
  3. Verify the F5BigClassificationprofile statistics:

    tmctl -d blade gpa_classification_stats -w 200
    
    result                  count cec flbl srdb custom bytes_in bytes_out pkts_in pkts_out
    ------                  ----- --- ---- ---- ------ -------- --------- ------- --------
    tcp                         0   0    0    0      0        0         0       0        0
    udp                         0   0    0    0      0        0         0       0        0
    tcp.http.google             2   2    0    0      0      952      1096       9        7
    tcp.ssl.goole               1   1    0    0      0      618       152       3        2
    tcp.ssl.facebook            4   4    0    0      0    10226    127795     102      126
    tcp.http.cnn                4   4    0    0      0     2226      4018      20       20
    tcp.ssl.cnn                 2   2    0    0      0    40332   2515790     540     1846
    tcp.ssl.yahoo.yahoo_search  1   1    0    0      0      620       152       3        2
    tcp.http.bing               1   1    0    0      0      359       152       3        2
    
  4. Verify the F5BigPePolicy statistics:

    tmctl -d blade pem_actions_stat -s pass,drop,tcpopt_to_net,tcpopt_to_sub
    

    In this example, optimization is applied to both uplink (tcpopt_to_net) and downlink (tcpopt_to_sub) traffic.

    pass drop tcpopt_to_net tcpopt_to_sub
    ---- ---- ------------- -------------
      6    0             6             6
    
  5. Verify the F5BigContextSecure statistics:

    Clientside connections:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
    
    name                                               clientside.tot_conns
    -------------------------------------------------- --------------------
    cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
    

    Serverside connections:

    tmctl -d blade virtual_server_stat -s name,serverside.tot_conns
    
    name                                               serverside.tot_conns
    -------------------------------------------------- --------------------
    cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
    
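To automate the verification steps above, here is an added Python example, not part of this page or of the tmctl tooling, that parses the whitespace-aligned tables tmctl prints and derives the checks a practitioner actually wants after installing the CRs: per-category hit counts, the share of URL lookups that landed in Unknown (a high share once traffic has flowed suggests the URLCAT database has not been loaded), and the connection totals for the SecureContext virtual server. The sample tables are constructed from the example output above; reading the wrdb column as hits resolved from the downloaded database is an assumption made for this example.

```python
from typing import Dict, List, Union

Row = Dict[str, Union[int, str]]


def parse_tmctl_table(text: str) -> List[Row]:
    """Parse the whitespace-aligned table that tmctl prints.

    The first non-empty line is the header, a line made only of dashes and
    spaces is the separator, and every other line is a data row. Integer
    columns are converted; anything else stays a string. Column names are
    taken verbatim, so "clientside.tot_conns" is a valid key.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows: List[Row] = []
    for line in lines[1:]:
        if set(line) <= {"-", " "}:
            continue  # separator row
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"expected {len(header)} columns, got {len(fields)}: {line!r}")
        rows.append({h: (int(v) if v.lstrip("-").isdigit() else v) for h, v in zip(header, fields)})
    return rows


def category_hits(rows: List[Row]) -> Dict[str, int]:
    """Per-category hit counts from gpa_urlcat_stats, excluding the Unknown bucket."""
    return {str(r["name"]): int(r["count"]) for r in rows if r["name"] != "Unknown"}


def unknown_ratio(rows: List[Row]) -> float:
    """Share of URL lookups that fell into Unknown; 1.0 means nothing was categorized."""
    total = sum(int(r["count"]) for r in rows)
    if total == 0:
        return 1.0  # no lookups yet: treat as "not categorizing" so the check stays conservative
    unknown = sum(int(r["count"]) for r in rows if r["name"] == "Unknown")
    return unknown / total


def resolved_by_wrdb(rows: List[Row]) -> bool:
    """True when every categorized hit is accounted for by the wrdb column (assumed to be
    the downloaded URLCAT database), i.e. no category was resolved some other way."""
    return all(int(r["count"]) == int(r["wrdb"]) for r in rows if r["name"] != "Unknown")


def total_conns(rows: List[Row], column: str) -> int:
    """Sum a virtual_server_stat column such as clientside.tot_conns across all rows."""
    return sum(int(r[column]) for r in rows)


# Constructed samples, copied from the example tmctl output on this page.
URLCAT_SAMPLE = """\
name              count irule customdb wrdb cloud srdb bytes_in bytes_out
----------------- ----- ----- -------- ---- ----- ---- -------- ---------
Unknown               0     0        0    0     0    0        0         0
Search_Engines       10     0        0   10     0    0     4220      7550
Social_Networking     5     0        0    5     0    0     1380      1380
Shopping              7     0        0    7     0    0     2220      2220
"""

PEM_SAMPLE = """\
pass drop tcpopt_to_net tcpopt_to_sub
---- ---- ------------- -------------
  6    0             6             6
"""

VS_SAMPLE = """\
name                                               clientside.tot_conns
-------------------------------------------------- --------------------
cnf-gateway-cnf-url-class-context-SecureContext_vs                    8
"""

if __name__ == "__main__":
    urlcat = parse_tmctl_table(URLCAT_SAMPLE)
    print("category hits:", category_hits(urlcat))
    print("unknown ratio:", unknown_ratio(urlcat))
    print("all hits from wrdb:", resolved_by_wrdb(urlcat))
    print("pem actions:", parse_tmctl_table(PEM_SAMPLE)[0])
    print("clientside conns:", total_conns(parse_tmctl_table(VS_SAMPLE), "clientside.tot_conns"))
```

In practice the input comes from `kubectl exec ... -- tmctl -d blade gpa_urlcat_stats` captured into a string; the parser is kept separate from the command so it can be run against saved output in a pipeline.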

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.