F5 Cloud-Native Network Functions (CNF) - 1.0.2 Policy Enforcement (PE)
This release represents the PE Production Ready (PR) release. PR releases are made available for testing in pre-production environments, and for F5 to obtain feedback on feature functionality and stability.
New Features and Improvements
- Classification signatures have been added to the F5BigPePolicy Custom Resource (CR), enabling subscriber policies based on application type, URL category, and other high-level packet flow information.
- The new F5BigClassificationprofile CR provides options to configure dynamic identification and classification of application traffic.
- A new f5-big-classification_mapping CRD template has been added to the CNFs CRD bundle. Review Install the CRDs in the CNFs Software guide for help installing the template.
- The new F5BigCecPeGlobaloptions CR is an early access (EA) feature, providing options to modify the default behavior of the installed F5BigPePolicy CRs.
This release contains no bug fixes.
The TMM Proxy Pod may restart when the F5BigContextSecure CR processes UDP packets. This issue occurs when the F5BigContextSecure CR profile value is set to fastL4, the ipProtocol value is set to any, and the CR references a F5BigPeProfile CR.
Workaround: When setting the F5BigContextSecure CR profile value to fastL4, ensure the ipProtocol value is set to tcp.
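A pre-apply check for the workaround above, added here as an example and not taken from F5's tooling: it flags any F5BigContextSecure document in a manifest whose profile is fastL4 while ipProtocol is anything other than tcp. It assumes the settings appear as `profile:` and `ipProtocol:` YAML keys (their nesting is not assumed), treats an absent ipProtocol as not tcp, and does not test for the F5BigPeProfile reference; the sample manifest is constructed.

```shell
#!/bin/sh
# Added example (not F5 code): pre-apply check for the fastL4 known issue.
# Assumption: the settings appear as "profile:" and "ipProtocol:" YAML keys;
# where they sit inside the CR is not assumed.

# lint_context_secure FILE... ; prints findings, returns 1 if any were found.
lint_context_secure() {
    awk -v q="'" '
    function strip(v) {   # value only: drop key, comment, quotes, spaces
        sub(/^[^:]*:[ \t]*/, "", v); sub(/[ \t]+#.*$/, "", v)
        gsub(/[" \t\r]/, "", v); gsub(q, "", v); return tolower(v)
    }
    function check() {    # evaluate the YAML document that just ended
        if (kind == "f5bigcontextsecure" && profile == "fastl4" && proto != "tcp") {
            printf "%s: document %d: profile fastL4, ipProtocol %s\n", fname, doc, (proto == "" ? "unset" : proto)
            bad = 1
        }
        kind = profile = proto = ""
    }
    FNR == 1 { if (NR > 1) check(); doc = 1; seen = 0; fname = FILENAME }
    /^---/   { check(); if (seen) doc++; seen = 0; next }
    /^[ \t]*[^# \t]/       { seen = 1 }
    /^kind:/               { kind = strip($0) }
    /^[ \t-]*profile:/     { profile = strip($0) }
    /^[ \t-]*ipProtocol:/  { proto = strip($0) }
    END { check(); exit bad + 0 }
    ' "$@"
}

# Constructed sample: document 1 matches the known issue, document 2 follows
# the workaround. apiVersion, names and the spec nesting are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
apiVersion: example.invalid/v1
kind: F5BigContextSecure
metadata:
  name: udp-any
spec:
  profile: fastL4
  ipProtocol: any
---
apiVersion: example.invalid/v1
kind: F5BigContextSecure
metadata:
  name: tcp-only
spec:
  profile: fastL4
  ipProtocol: tcp
EOF
}
```

Run `lint_context_secure` over the CR files before `kubectl apply`; a non-zero return means at least one document needs its ipProtocol changed to tcp.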
When trying to identify applications detected by the F5BigClassificationprofile CR, the tmctl -d blade gpa_classification_stats command output displays application IDs (205.5460) instead of application names (tcp.open_ssh).
Workaround: Perform the following steps to display the application names.
Helm uninstall the f5ingress deployment.
helm uninstall f5ingress -n cnf-gateway
Delete the mapping CR that was provided in the CRD bundle, and apply it again.
kubectl delete -f f5-cnf-crds-n6lan/templates/f5-big-classification_mapping.yaml
kubectl apply -f f5-cnf-crds-n6lan/templates/f5-big-classification_mapping.yaml
Delete the F5BigClassificationprofile CR.
kubectl delete -f cnf-class-profile.yaml
Helm install the f5ingress deployment.
helm install f5ingress tar/f5ingress-6.0.14.tgz -n cnf-gateway
Check the f5ingress logs for the Adding or Updating F5DynamicAppsCategories message.
Reapply the classification CR.
kubectl apply -f cnf-class-profile.yaml
When modifying the value of the F5BigPePolicy CR’s ratePacing.udp.maxRate parameter, the new value may not be applied to the TMM Proxy Pod.
Workaround: Delete and reapply the F5BigPePolicy CR after updating the
kubectl delete -f <policy-name>.yaml
kubectl apply -f <policy-name>.yaml
The F5BigNatPolicy configuration may appear missing after restarting the TMM Proxy Pod, causing subscriber NAT connections to fail.
Workaround: Delete the AFM Pod to spawn a new instance, and restore gRPC communication between the BIG-IP controller and PCCD.
kubectl delete pod <afm-pod-name> -n <namespace>
When multiple TMMs are running in a single Namespace, the IP addresses allocated by the F5BigNatPolicy are not reclaimed and reallocated after scaling the TMM deployment down and back up. Client connections may fail due to NAT IP address exhaustion.
Workaround: Delete and reinstall the F5BigNatPolicy CR.
TMM Proxy Pods may fail to receive a self-IP address when the F5BigNetVlan CR allocates the same number of self-IPs as running TMM Proxy Pods.
Workaround: Configure the F5BigNetVlan to allocate twice the number of self-IP addresses as running TMM Proxy Pods.
Use these steps to upgrade the CNFs software components:
Important: Steps 2 through 4 should be performed together, and during a planned maintenance window.
1. Review the New Features and Improvements section above, and integrate any updates into the existing configuration. Do not apply Custom Resource (CR) updates until after the BIG-IP Controller has been upgraded.
2. Follow Install the CRDs in the CNFs Software guide to upgrade the CRDs. Be aware that newly applied CRDs will replace existing CRDs of the same name.
3. Uninstall the previous version BIG-IP Controller, and follow the Installation procedure in the BIG-IP Controller guide to upgrade the Controller and TMM Proxy Pods. Upgrades have not yet been tested using Helm Upgrade.
4. Once the BIG-IP Controller and TMM Proxy Pods are available, apply any updated CR configurations (step 1) using the kubectl apply -f <file> command.
5. The dSSM Databases can be upgraded at any time using the Upgrading dSSM guide.
6. The Fluentd Logging collector can be upgraded at any time using Helm Upgrade. Review Extract the Images in the CNF Software guide for the new Fluentd Helm chart location.