F5SPKIngressUDP

Overview

This overview discusses the F5SPKIngressUDP Custom Resource (CR). For the full list of CRs, refer to the SPK CRs overview. The F5SPKIngressUDP CR configures the Service Proxy Traffic Management Microkernel (TMM) to proxy and load balance low-latency UDP application traffic between networks using a virtual server and load balancing pool. The F5SPKIngressUDP CR also provides options to tune how connections are processed, and to monitor the health of Service object Endpoints.

This document guides you through understanding, configuring and installing a simple F5SPKIngressUDP CR.

CR integration

SPK CRs should be integrated into the cluster after the Kubernetes application Deployment and application Service object have been installed. The SPK Controller uses the CR service.name to discover the application Endpoints, and use them to create TMM’s load balancing pool. The recommended method for installing SPK CRs is to include them in the application’s Helm release. Refer to the Helm CR Integration guide for more information.

CR parameters

The table below describes the CR parameters used in this document, refer to the F5SPKIngressUDP Reference for the full list of parameters.

service

The table below describes the CR service parameters.

Parameter Description
name Selects the Service object name for the internal applications (Pods), and creates a round-robin load balancing pool using the Service Endpoints.
port Selects the Service object port value.

spec

The table below describes the CR spec parameters.

Parameter Description
destinationAddress Creates an IPv4 virtual server address for ingress connections.
destinationPort Defines the service port for inbound connections. When the Kubernetes service being load balanced has multiple ports, install one CR per service, or use port 0 for all ports.
ipv6destinationAddress Creates an IPv6 virtual server address for ingress connections.
idleTimeout The UDP connection idle timeout period in seconds (1-4294967295). The default value is 60 seconds.
loadBalancingMethod Specifies the load balancing method used to distribute traffic across pool members: ROUND_ROBIN distributes connections evenly across all pool members (default), and RATIO_LEAST_CONN_MEMBER distributes connections first to members with the least number of active connections.
snat Enables translating the source IP address of ingress packets to TMM's self IP addresses: SRC_TRANS_AUTOMAP to enable, or SRC_TRANS_NONE to disable (default).
vlans.vlanList Specifies a list of F5SPKVlan CRs to listen for ingress traffic, using the CR's metadata.name. The list can also be disabled using disableListedVlans.
vlans.category Specifies an F5SPKVlan CR category to listen for ingress traffic. The category can also be disabled using disableListedVlans.

monitors

The table below describes the CR monitors parameters.

Parameter Description
icmp.interval Specifies in seconds the monitor check frequency: 1 to 86400. The default is 5.
icmp.timeout Specifies in seconds the time in which the target must respond: 1 to 86400. The default is 16.

CR example

apiVersion: "ingressudp.k8s.f5net.com/v1"
kind: F5SPKIngressUDP
metadata:
  name: "bind-dns-cr"
  namespace: "udp-apps"
service:
  name: "bind-dns"
  port: 53
spec:
  destinationAddress: "192.168.1.123"
  destinationPort: 53
  ipv6destinationAddress: "2001::100:100"
  idleTimeout: 30
  loadBalancingMethod: "RATIO_LEAST_CONN_MEMBER"
  snat: "SRC_TRANS_AUTOMAP"
  persist:
    mode: "PERSIST_TYPE_SRCADDR"
    timeout: 60
    ipv4PrefixLength: 24
  vlans:
    vlanList:
    - vlan-external
monitors:
  icmp:
  - interval: 3
    timeout: 10

Application Project

The SPK Controller and Service Proxy TMM Pods install to a different Project than the UDP application (Pods). When installing the SPK Controller, set the controller.watchNamespace parameter to the UDP Pod Project(s) in the Helm values file. For example:

Note: The watchNamespace parameter accepts multiple namespaces.

controller:
  watchNamespace: 
    - "udp-apps"
    - "udp-apps2"

Dual-Stack environments

Service Proxy TMM’s load balancing pool is created by discovering the Kubernetes Service Endpoints in the Project. In IPv4/IPv6 dual-stack environments, to populate the load balancing pool with IPv6 members, set the Service PreferDualStack parameter to IPv6. For example:

kind: Service
metadata:
  name: bind-dns
  namespace: udp-apps
  labels:
    app: bind-dns
spec:
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
  - IPv6
  - IPv4

_images/spk_warn.png Important: When enabling PreferDualStack, ensure TMM’s internal F5SPKVlan interface configuration includes both IPv4 and IPv6 addresses.

Ingress traffic

To enable ingress network traffic, the Service Proxy Pod must be configured to advertise virtual server IP addresses to remote networks, using the BGP dynamic routing protocol. Alternatively, you can configure appropriate routes on upstream devices. For BGP configuration assistance, refer to the BGP Overview.

Session persistence

Session persistence enables the Service Proxy TMM to direct session requests to the same endpoint based on the client’s source IP address. To enable Persistence, set the F5SPKIngressUDP CR’s spec.persist.mode parameter to PERSIST_TYPE_SRCADDR.

_images/spk_warn.png Important: The spec.persist parameters requires the dSSM Database to store session persistence records.

The table below describes the spec.persist parameters.

Parameter Description
spec.persist.mode Specifies the type of persistence: PERSIST_TYPE_NONE (default) or PERSIST_TYPE_SRCADDR - direct session requests to the same endpoint based on the client's source IP address. Requires the dSSM Database.
spec.persist.timeout Specifies the duration for the session persistence entries. The default value is 180 seconds.
spec.persist.hashAlg Specifies the algorithm the system uses for hash persistence load balancing: PERSIST_HASH_DEFAULT (default) - use an index of the pool members (endpoints) to determine the hash, or PERSIST_HASH_CARP - use the Cache Array Routing Protocol (CARP) to determine the hash.
spec.persist.ipv4PrefixLength Specifies the IPv4 prefix length that you want to use as the mask: 0-32. The default value is 32.
spec.persist.ipv6PrefixLength Specifies the IPv6 prefix length that you want to use as the mask: 0-128. The default value is 128.

Requirements

Ensure you have:

  • Installed a K8S Service object and application.
  • Installed the SPK Controller.
  • Have a Linux based workstation.
  • Installed the dSSM Database when enabling persistence.

Installation

Use the following steps to obtain the application’s Service object configuration, and configure and install the F5SPKIngressUDP CR.

  1. Switch to the application Project:

    oc project <project>
    

    In this example, the application is installed to the udp-apps Project:

    oc project udp-apps
    
  2. Obtain the Service object NAME and PORT to configure the CR service.name and service.port parameters:

    oc get service
    

    In this example, the Service object NAME** is bind-dns and the PORT is 53:

    NAME        TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)       
    bind-dns    NodePort   10.99.99.99   <none>        53:30714/UDP 
    
  3. Copy the example CR into a YAML file:

    apiVersion: "ingressudp.k8s.f5net.com/v1"
    kind: F5SPKIngressUDP
    metadata:
      namespace: "udp-apps"
      name: "bind-dns-cr"
    service:
      name: "bind-dns"
      port: 53
    spec:
      destinationAddress: "192.168.1.123"
      destinationPort: 53 
      ipv6destinationAddress: "2001::100:100"
      idleTimeout: 30
      loadBalancingMethod: "RATIO_LEAST_CONN_MEMBER"
      snat: "SRC_TRANS_AUTOMAP"
      persist:
        mode: "PERSIST_TYPE_SRCADDR"
        timeout: 60
        ipv4PrefixLength: 24
      vlans:
        vlanList:
        - vlan-external
    monitors:
      icmp:
      - interval: 3
        timeout: 10
    
  4. Install the F5SPKIngressUDP CR:

    oc apply -f spk-ingress-udp.yaml
    
  5. Verify the status of the installed CR:

    oc get f5-spk-ingressudp -n udp-apps
    

    In this example, the CR has installed successfully. Installation failures may indicate a missing CR dependancy such as a referenced VLAN.

    NAME          STATUS    MESSAGE
    bind-dns-cr   SUCCESS   CR config sent to all grpc endpoints
    
  6. DNS clients should now be able to connect to the application through the Service Proxy TMM.

Connectivity statistics

If you installed the SPK Controller with the Debug Sidecar enabled, connect to the sidecar to view virtual server and pool member connectivity statistics.

  1. Log in to the Service Proxy Debug container:

    oc exec -it deploy/f5-tmm -c debug -n spk-ingress -- bash
    
  2. View the virtual server connection statistics:

    tmctl -d blade virtual_server_stat -s name,clientside.tot_conns
    

    For example:

    name                                serverside.tot_conns
    ----------------------------------- --------------------
    udp-apps-bind-dns-crd-virtual-server                 31
    
  3. View the load balancing pool connection statistics:

    tmctl -d blade pool_member_stat -s pool_name,serverside.tot_conns
    

    For example:

    udp-apps-bind-dns-crd-pool                        15
    udp-apps-bind-dns-crd-pool                        16
    

Persistence records

If you installed the SPK Controller with the Debug Sidecar enabled, connect to the sidecar to view the persistence record entries.

  1. Obtain the IP address of the dSSM Sentinel:

    In this example, dSSM is installed in the spk-utilities Project.

    oc get svc -n spk-utilities
    

    In this example, the Sentinel IP address is 10.203.180.204.

    NAME               TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)
    f5-dssm-db         ClusterIP   10.108.254.57    <none>        6379/TCP
    f5-dssm-sentinel   ClusterIP   10.103.180.204   <none>        26379/TCP
    
  2. Login to the debug sidecar container:

    In this example, the debug sidecar is in the spk-ingress Project.

    oc exec -it deploy/f5-tmm -c debug -n spk-ingress -- bash
    
  3. View the persistent record statistics:

    mrfdb -ipport=10.103.180.204:26379 -serverName=server -display=all -type=tcp_udp_persist
    
    ClientAddress       PoolMemberAddress      ClientPort      PoolMemberPort  Timeout   PoolName
    ---------------------------------------------------------------------------------------------------------------
    192.168.43.128      192.168.238.109        45468           80              60        udp-apps-bind-dns-crd-pool
    

Feedback

Provide feedback to improve this document by emailing spkdocs@f5.com.

Supplemental