F5 Service Proxy for Kubernetes (SPK) - v1.6.0
- The Otel Collector’s Helm parameters have moved to their own stats_collector parameter section. Previously, the OTEL parameters were located under the controller parameter sections. To update your configuration, review the Procedures section of the Otel Collectors installation guide.
New Features and Improvements
- The maximum transmission unit (MTU) has been increased to 9000 bytes. SPK versions prior to 1.6 supported an MTU of 8000 bytes.
- The SPK Controller can now watch multiple namespaces, and namespaces can be created before or after installing the SPK Controller.
- Manual NAT64 entries can now be created using the dSSM Sentinel Service, instead of having to first determine the dSSM master DB. Refer to the Manual DNS46 entry section of the F5SPKEgress guide.
- The PERSIST_TYPE_SRCADDR parameter enables the TMM Pod to direct connections to the same service endpoint based on the client’s source IP address. Refer to the Session persistence section of the F5SPKIngressTCP and F5SPKIngressUDP CR overviews.
- The SPK CWC has been enhanced to support the debug API to run diagnostic commands on any of the targeted TMMs. Refer to the Debug API overview.
- The new F5SPKIngressDiameter internalWCSession parameter enables egress forwarding to external diameter peers using a wildcard egress virtual server.
- The Calico Egress GW integrates with the Calico Container Network Interface (CNI) to provide egress gateway (GW) services to internal application Pods.
- The F5SPKIngressTCP, F5SPKIngressUDP, F5SPKVlan, F5SPKSnatpool, and F5SPKStaticRoute SPK CRs now provide installation status messages using oc and kubectl.
- The new F5SPKIngressHTTP2 CR supports ingress HTTP/2 application traffic.
- The new F5SPKIngressGTP CR supports ingress GPRS Tunneling Protocol (GTP) traffic.
- The new F5SPKIngressEgressUDP CR supports ingress UDP application traffic, enabling response packets to use the virtual IP address as a source IP.
- Early access (EA) feature: An improved QKView utility can now be run on a local workstation, collecting diagnostic data that can be uploaded to F5’s iHealth website. Refer to the QKView and iHealth overview.
- Jumbo Frames - The maximum transmission unit (MTU) must be the same size on both ingress and egress interfaces. Packets over 9000 bytes are dropped.
All TMM Pods now receive the F5SPKEgress custom resource (CR) configuration when the DnsNat46Enabled parameter is set to false (disabled).
Bidirectional Forwarding Detection (BFD) sessions with OVN-Kubernetes no longer fail to establish after deleting and reapplying the internal F5SPKVlan CR.
In dual-stack configurations, application traffic SPK CRs no longer remain in the TMM configuration when the watched application is scaled to 0.
When TMM is configured to use the F5SPKEgress CR’s DNS46 feature, processing performance is lower compared to earlier SPK software releases.
The F5SPKIngressHTTP2 CR requires SSL/TLS for both server and client side traffic. The CR does not currently support non-SSL/TLS traffic toward the service object endpoints.
Ingress transactions per second (TPS) is lower when TMM is configured with the maximum MTU of 9000.
TMM may stop processing network packets after numerous DPDK buffer allocation or DPDK transmission errors.
Static routes created by the F5SPKIngressGTP CR remain in the TMM configuration after the CR is deleted, or the service object endpoints are scaled down.
Delete the F5SPKIngressGTP CR, scale the TMM Pod to 0, reinstall the F5SPKIngressGTP CR, then scale the TMM Pod back.
1. oc delete -f f5-spk-ingressgtp.yaml
2. oc scale deploy/f5-tmm --replicas 0
3. oc get pods (ensure the Pods are not running)
4. oc apply -f f5-spk-ingressgtp.yaml
5. oc scale deploy/f5-tmm --replicas 1
When the F5SPKEgress CR’s dnsNat46Enabled parameter is set to enabled, the SPK Controller does not validate that a required F5SPKDnscache CR is referenced using the
When TMM processes application traffic using an F5SPKIngressTCP CR, the virtual server used to process application traffic is not deleted from the configuration after the referenced service object is deleted.
Perform one of the following workarounds:
- Delete the F5SPKIngressTCP CR and re-apply it.
- Before deleting the service, scale the endpoints to zero.
TMM may send traffic to unavailable service endpoints (pool members) when the following conditions are met:
- TMM is processing application traffic using an F5SPKIngressTCP or F5SPKIngressUDP CR.
- The spec.persist.mode parameter is set to
- The serviceDownAction parameter is set to
- The application Pod experiences a scale down event.
When the F5SPKIngressTCP or F5SPKIngressUDP CR spec.persist.mode parameter is set to PERSIST_TYPE_SRCADDR, persistence records may be deleted from the dSSM database after the configured timeout period, even though the session is active. The database entry should reset to the timeout value when connection responses are received.
When the F5SPKIngressHTTP2 CR’s sslFileWatchMode parameter is set to SSL_FILE_WATCH_MODE_KUBERNETES_SECRET_STORE, TMM does not update the CR configuration after SSL/TLS key/certificate changes occur.
Set the sslFileWatchMode parameter to SSL_FILE_WATCH_MODE_FILES_IN_SHARED_VOLUME to update TMM’s running configuration when Kubernetes Secret values change. This is the default setting.
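A pre-deployment check for the sslFileWatchMode issue above, as an added example that is not F5's code: it scans multi-document manifest text for F5SPKIngressHTTP2 CRs pinned to the mode in which TMM misses key/certificate changes, so a rotated or replaced certificate is not silently left unserved. The sample manifests are constructed, the apiVersion is a placeholder, and the position of sslFileWatchMode under spec is an assumption.

```python
import re

STALE_MODE = "SSL_FILE_WATCH_MODE_KUBERNETES_SECRET_STORE"
DEFAULT_MODE = "SSL_FILE_WATCH_MODE_FILES_IN_SHARED_VOLUME"  # default per the release notes

# Constructed sample manifests. The apiVersion is a placeholder and the position
# of sslFileWatchMode under spec is an assumption; the scan matches it at any depth.
SAMPLE = """\
apiVersion: example.invalid/v1
kind: F5SPKIngressHTTP2
metadata:
  name: web-a
spec:
  sslFileWatchMode: SSL_FILE_WATCH_MODE_KUBERNETES_SECRET_STORE
---
apiVersion: example.invalid/v1
kind: F5SPKIngressHTTP2
metadata:
  name: web-b
spec:
  sslFileWatchMode: "SSL_FILE_WATCH_MODE_FILES_IN_SHARED_VOLUME"
---
apiVersion: example.invalid/v1
kind: F5SPKIngressHTTP2
metadata:
  name: web-c
spec: {}
---
apiVersion: example.invalid/v1
kind: F5SPKIngressTCP
metadata:
  name: tcp-a
spec: {}
"""

def _field(doc, key):
    """Return the first scalar value for `key:` in one YAML document, or None."""
    m = re.search(rf"^[ \t]*{re.escape(key)}:[ \t]*[\"']?([^\s\"'#]+)", doc, re.M)
    return m.group(1) if m else None

def find_stale_cert_crs(manifest_text):
    """Names of F5SPKIngressHTTP2 CRs whose watch mode misses key/cert changes."""
    stale = []
    for doc in re.split(r"^---[ \t]*$", manifest_text, flags=re.M):
        if _field(doc, "kind") != "F5SPKIngressHTTP2":
            continue
        mode = _field(doc, "sslFileWatchMode") or DEFAULT_MODE  # omitted means default
        if mode == STALE_MODE:
            stale.append(_field(doc, "name") or "<unnamed>")
    return stale

if __name__ == "__main__":
    print(find_stale_cert_crs(SAMPLE))
```

The scan is line-based and only reads simple `key: value` scalars, which is enough for a CI gate over CR files kept in version control.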
New OVN BFD sessions may fail to establish after scaling the TMM Pod, causing traffic to flow to a single TMM Pod. F5 has worked with RedHat, and determined this is not an SPK software issue. Refer to RedHat bug OCPBUGS-712.
Use these steps to upgrade the SPK software components:
Important: Steps 2 through 5 should be performed together, and during a planned maintenance window.
1. Review the New Features and Improvements section above, and integrate any updates into the existing configuration. Do not apply Custom Resource (CR) updates until after the SPK Controller has been upgraded (step 3).
2. Follow Install the CRDs in the SPK Software guide to upgrade the CRDs. Be aware that newly applied CRDs will replace existing CRDs of the same name.
3. Uninstall the previous version SPK Controller, and follow the Installation procedure in the SPK Controller guide to upgrade the Controller and TMM Pods. Upgrades have not yet been tested using Helm Upgrade.
4. Once the SPK Controller and TMM Pods are available, apply any updated CR configurations (step 1) using the oc apply -f <file> command.
5. Follow the Upgrading DNS46 entries section of the F5SPKEgress CR guide to upgrade any entries created in versions 1.4.9 and earlier.
6. Uninstall the previous version SPK CWC, and follow the Install the CWC procedure in the SPK CWC guide to upgrade the CWC Pod. Upgrades have not yet been tested using Helm Upgrade.
7. The dSSM Databases can be upgraded at any time using the Upgrading dSSM guide.
8. The Fluentd Logging collector can be upgraded at any time using Helm Upgrade. Review Extract the Images in the SPK Software guide for the new Fluentd Helm chart location.