
BNK Egress

This lab guide assumes two tenant workload namespaces, red and blue, whose egress/ingress is configured through a VXLAN overlay. The following diagram shows the tenant VXLAN configuration for the red tenant; the blue tenant is configured the same way.

[Diagram: bnk-lab-tnt-vxlan, tenant VXLAN configuration for the red tenant]

Configure VXLAN overlay

To configure this we use an F5SPKVxlan CR, which establishes the overlay configuration towards the host; an F5SPKSnatpool CR, which sets the IP addresses used for SNATing egress traffic towards the network infrastructure; and an F5SPKEgress CR, which binds a namespace's egress to a specific VXLAN.

The following F5SPKVxlan CRs configure two VXLANs: red with VNI 100 and blue with VNI 200.

NOTE: In this guide the virtual function created on the host on PF1 is assumed to be enp83s0f1v0. Replace every instance of enp83s0f1v0 with the actual configured host-side virtual function.

NOTE: The remote_nodes entries represent the host nodes only. Modify the list to reflect your cluster node names and configured IP addresses. DPU nodes are not listed here since workload is only expected on the host.

Apply bnk-vxlan.yaml to create VXLAN tunnels for red and blue namespaces.

bnk-vxlan.yaml:
---
apiVersion: "k8s.f5net.com/v1"
kind: F5SPKVxlan
metadata:
  name: "red"
spec:
  name: "red"
  port: 4789
  key: 100
  # Interface name on host nodes that is used for underlay.
  # This is the previously configured Virtual Function on PF1.
  remote_interface_name: "enp83s0f1v0"
  # Host nodes
  remote_nodes:
     # host node name in Kubernetes cluster.
   - node_name: "host-1"
     # Underlay IP address as configured on virtual function.
     # Change if different in your infrastructure.
     node_ip: "192.168.20.41"
     # Mac address and IP addresses that will be assigned to the
     # Host side VXLAN overlay interface.
     peer_mac: "00:f5:00:00:00:02"
     peerip_v4: "198.18.100.1"
     peerip_v6: "fd50::192:18:100:1"
   - node_name: "host-2"
     node_ip: "192.168.20.42"
     peer_mac: "00:f5:00:00:00:03"
     peerip_v4: "198.18.100.2"
     peerip_v6: "fd50::192:18:100:2"
   - node_name: "host-3"
     node_ip: "192.168.20.43"
     peer_mac: "00:f5:00:00:00:04"
     peerip_v4: "198.18.100.3"
     peerip_v6: "fd50::192:18:100:3"
  local_ips:
   - "192.168.20.201"
   - "192.168.20.202"
   - "192.168.20.203"
  selfip_v4s:
   - "198.18.100.201"
   - "198.18.100.202"
   - "198.18.100.203"
  prefixlen_v4: 24
  selfip_v6s:
   - "fd50::192:18:100:201"
   - "fd50::192:18:100:202"
   - "fd50::192:18:100:203"
  prefixlen_v6: 112
---
apiVersion: "k8s.f5net.com/v1"
kind: F5SPKVxlan
metadata:
  name: "blue"
spec:
  name: "blue"
  port: 4789
  key: 200
  remote_interface_name: "enp83s0f1v0"
  remote_nodes:
   - node_name: "host-1"
     node_ip: "192.168.10.41"
     peer_mac: "00:f5:01:00:00:02"
     peerip_v4: "198.18.200.1"
     peerip_v6: "fd50::192:18:200:1"
   - node_name: "host-2"
     node_ip: "192.168.10.42"
     peer_mac: "00:f5:01:00:00:03"
     peerip_v4: "198.18.200.2"
     peerip_v6: "fd50::192:18:200:2"
   - node_name: "host-3"
     node_ip: "192.168.10.43"
     peer_mac: "00:f5:01:00:00:04"
     peerip_v4: "198.18.200.3"
     peerip_v6: "fd50::192:18:200:3"
  local_ips:
   - "192.168.20.201"
   - "192.168.20.202"
   - "192.168.20.203"
  selfip_v4s:
   - "198.18.200.201"
   - "198.18.200.202"
   - "198.18.200.203"
  prefixlen_v4: 24
  selfip_v6s:
   - "fd50::192:18:200:201"
   - "fd50::192:18:200:202"
   - "fd50::192:18:200:203"
  prefixlen_v6: 112

Configure SNATPool

The addressList section is a list of lists of SNAT IP addresses, one inner list per TMM. Since there are 3 TMMs here, we create 3 lists, one for each TMM.

The SNAT addresses are unique per TMM. For a given destination, TMM picks the address closest to the next hop (gateway or directly connected network), which is why each per-TMM list carries an address on both the 192.168.10.x and 192.168.20.x networks.

Apply bnk-snatpool.yaml to create SNAT addresses for workloads in the red and blue namespaces.

bnk-snatpool.yaml:
---
apiVersion: "k8s.f5net.com/v1"
kind: F5SPKSnatpool
metadata:
  name: "red-snat"
spec:
  name: "red-snat"
  addressList:
    - - 192.168.10.221
      - 2001::192:168:10:221
      - 192.168.20.221
      - 2001::192:168:20:221
    - - 192.168.10.222
      - 2001::192:168:10:222
      - 192.168.20.222
      - 2001::192:168:20:222
    - - 192.168.10.223
      - 2001::192:168:10:223
      - 192.168.20.223
      - 2001::192:168:20:223
---
apiVersion: "k8s.f5net.com/v1"
kind: F5SPKSnatpool
metadata:
  name: "blue-snat"
spec:
  name: "blue-snat"
  addressList:
    - - 192.168.10.231
      - 2001::192:168:10:231
      - 192.168.20.231
      - 2001::192:168:20:231
    - - 192.168.10.232
      - 2001::192:168:10:232
      - 192.168.20.232
      - 2001::192:168:20:232
    - - 192.168.10.233
      - 2001::192:168:10:233
      - 192.168.20.233
      - 2001::192:168:20:233
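Added example (not part of this guide or of BNK itself): a small Python model of the per-TMM SNAT address selection described above, run against the red-snat addressList from bnk-snatpool.yaml, plus a check that the pool has one dual-stack list per TMM with no address reused. "Closest to the next hop" is modelled here as the longest common address prefix, which is an assumption about how TMM ranks candidates, not BNK's implementation.

```python
import ipaddress

# SNAT addresses copied from bnk-snatpool.yaml (red-snat): one inner list per TMM.
RED_SNAT_ADDRESS_LIST = [
    ["192.168.10.221", "2001::192:168:10:221", "192.168.20.221", "2001::192:168:20:221"],
    ["192.168.10.222", "2001::192:168:10:222", "192.168.20.222", "2001::192:168:20:222"],
    ["192.168.10.223", "2001::192:168:10:223", "192.168.20.223", "2001::192:168:20:223"],
]

def common_prefix_bits(a, b):
    """Number of leading bits shared by two addresses of the same family."""
    return a.max_prefixlen - (int(a) ^ int(b)).bit_length()

def select_snat(address_list, tmm_index, next_hop):
    """Return the SNAT address TMM `tmm_index` would use for a flow whose next hop
    (gateway or directly connected host) is `next_hop`.
    Assumption: 'closest' means longest common prefix with the next hop."""
    if not 0 <= tmm_index < len(address_list):
        raise IndexError(f"addressList has no entry for TMM {tmm_index}")
    hop = ipaddress.ip_address(next_hop)
    # Only addresses of the same family as the next hop are candidates.
    candidates = [ipaddress.ip_address(a) for a in address_list[tmm_index]]
    candidates = [a for a in candidates if a.version == hop.version]
    if not candidates:
        raise ValueError(f"TMM {tmm_index} has no IPv{hop.version} SNAT address")
    return str(max(candidates, key=lambda a: common_prefix_bits(a, hop)))

def check_snatpool(address_list, tmm_count):
    """Flag configuration problems: wrong number of lists, a TMM list that is
    not dual-stack, or an address that appears in more than one TMM list."""
    problems = []
    if len(address_list) != tmm_count:
        problems.append(f"expected {tmm_count} lists, found {len(address_list)}")
    seen = {}
    for i, addrs in enumerate(address_list):
        families = {ipaddress.ip_address(a).version for a in addrs}
        if families != {4, 6}:
            problems.append(f"TMM {i} is not dual-stack: IPv{sorted(families)}")
        for a in addrs:
            if a in seen:  # SNAT addresses must be unique per TMM
                problems.append(f"{a} used by TMM {seen[a]} and TMM {i}")
            seen[a] = i
    return problems

if __name__ == "__main__":
    print(select_snat(RED_SNAT_ADDRESS_LIST, 0, "192.168.20.1"))
    print(check_snatpool(RED_SNAT_ADDRESS_LIST, 3))
```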

Configure F5SPKEgress to assign each tenant's egress to its respective VXLAN

Now we can apply bnk-egress.yaml, which configures the egress path in TMM with reference to the VXLAN and SNAT pools we just created.

bnk-egress.yaml:
---
apiVersion: k8s.f5net.com/v3
kind: F5SPKEgress
metadata:
  name: red-egress
spec:
  dualStackEnabled: true
  snatType: SRC_TRANS_SNATPOOL
  egressSnatpool: red-snat
  pseudoCNIConfig:
    namespaces:
      - red
    # Routing default pod interface eth0.
    # Assumes pod does not have additional interfaces configured.
    appPodInterface: eth0
    # Name of VXLAN interface created on the host
    # This is basically the same name as the VXLAN name in CR.
    appNodeInterface: red
    # Name of VXLAN interface on TMM which is the VXLAN CR name.
    vlanName: red
---
apiVersion: k8s.f5net.com/v3
kind: F5SPKEgress
metadata:
  name: blue-egress
spec:
  dualStackEnabled: true
  snatType: SRC_TRANS_SNATPOOL
  egressSnatpool: blue-snat
  pseudoCNIConfig:
    namespaces:
      - blue
    appPodInterface: eth0
    appNodeInterface: blue
    vlanName: blue
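Added example (not part of this guide or of BNK itself): a Python check that the three CR kinds applied above reference each other consistently before they are applied. The CR summary is constructed by hand from bnk-vxlan.yaml, bnk-snatpool.yaml and bnk-egress.yaml rather than parsed; the rule that each VXLAN carries one self IP per TMM is an assumption drawn from the 3 TMMs and 3 self IPs used in this guide.

```python
# Constructed summary of the CRs in this guide (not parsed from the YAML files).
TMM_COUNT = 3
VXLANS = {"red": {"key": 100, "selfips": 3}, "blue": {"key": 200, "selfips": 3}}
SNATPOOLS = {"red-snat": 3, "blue-snat": 3}  # number of per-TMM address lists
EGRESSES = [
    {"name": "red-egress", "namespaces": ["red"], "egressSnatpool": "red-snat",
     "appNodeInterface": "red", "vlanName": "red"},
    {"name": "blue-egress", "namespaces": ["blue"], "egressSnatpool": "blue-snat",
     "appNodeInterface": "blue", "vlanName": "blue"},
]

def check_egress_wiring(vxlans, snatpools, egresses, tmm_count):
    """Return a list of wiring problems between F5SPKVxlan, F5SPKSnatpool and
    F5SPKEgress CRs; an empty list means every reference lines up."""
    problems = []
    vnis = {}
    for name, vx in vxlans.items():
        if vx["key"] in vnis:  # VNIs must be unique on the shared UDP port 4789
            problems.append(f"VNI {vx['key']} used by {vnis[vx['key']]} and {name}")
        vnis[vx["key"]] = name
        if vx["selfips"] != tmm_count:  # assumption: one self IP per TMM
            problems.append(f"{name}: {vx['selfips']} self IPs for {tmm_count} TMMs")
    for pool, lists in snatpools.items():
        if lists != tmm_count:  # addressList needs one inner list per TMM
            problems.append(f"{pool}: {lists} address lists for {tmm_count} TMMs")
    claimed = {}
    for eg in egresses:
        if eg["vlanName"] not in vxlans:
            problems.append(f"{eg['name']}: vlanName {eg['vlanName']} has no F5SPKVxlan")
        if eg["appNodeInterface"] != eg["vlanName"]:  # host interface is named after the CR
            problems.append(f"{eg['name']}: appNodeInterface differs from vlanName")
        if eg["egressSnatpool"] not in snatpools:
            problems.append(f"{eg['name']}: egressSnatpool {eg['egressSnatpool']} has no F5SPKSnatpool")
        for ns in eg["namespaces"]:
            if ns in claimed:  # a namespace can follow only one egress path
                problems.append(f"namespace {ns} claimed by {claimed[ns]} and {eg['name']}")
            claimed[ns] = eg["name"]
    return problems

if __name__ == "__main__":
    print(check_egress_wiring(VXLANS, SNATPOOLS, EGRESSES, TMM_COUNT))
```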