BIG-IP Next for Kubernetes, addressing today’s enterprise challenges

 

Enterprises have started adopting Kubernetes (K8s)—not just cloud service providers—as it offers strategic advantages in agility, cost efficiency, security, and future-proofing. 

• Cloud Native Functions account for around 60% TCO savings 
• Easier to deploy, manage, maintain, and scale.
• Easier to add and roll out new services.

 

Kubernetes complexities

With the move from traditional application deployments to microservices and containerized services, some complexities were introduced,

 Networking Challenges with Kubernetes Default Deployments

Kubernetes networking has some problems when using default settings. These problems can affect performance, security, and reliability in production environments.

 Core Networking Challenges

• • Flat Network Model
    • All pods can communicate with all other pods by default (east-west traffic)
    • No network segmentation between applications
    • Potential security risks from excessive inter-pod communication
  • Service Discovery Limitations
    • DNS-based service discovery has caching behaviors that can delay updates
    • No built-in load balancing awareness (can route to unhealthy pods during updates)
    • Limited traffic shaping capabilities (all requests treated equally)
  •  Ingress Challenges
    • No default ingress controller installed
    • Multiple ingress controllers can conflict if not properly configured
    • SSL/TLS termination requires manual certificate management
  • Network Policy Absence
    • No network policies applied by default (allow all traffic).
    • Difficult to implement zero-trust networking principles
    • No default segmentation between namespaces
  • DNS Issues
    • CoreDNS default cache settings may not be optimal.
    • Pod DNS policies may not match application requirements.
    • Nodelocal DNS cache not enabled by default
  • Load-Balancing Problems
    • Service `ClusterIP` is the default (no external access).
    • NodePort` services can conflict on port allocations.
    • Cloud provider load balancers can be expensive if overused
    • CNI (Container Network Interface) Considerations
    • Default CNI plugin may not support required features
    • Network performance varies significantly between CNI choices
    • IP address management challenges at scale 

Performance-Specific Issues

• • • • kube-proxy inefficiencies
        • Default iptables mode becomes slow with many services
        • IPVS (IP Virtual Server) mode requires explicit configuration
        • Service mesh sidecars can double latency
      • Pod Network Overhead
        • Additional hops for cross-node communication
        • Encapsulation overhead with some CNI plugins
        • No QoS guarantees for network traffic
      • Multicluster Communication
        • No default solution for cross-cluster networking
        • Complex to establish secure connections between clusters
        • Service discovery doesn’t span clusters by default

 Security Challenges

• • No default encryption between pods
    • No default authentication for service-to-service communication.
    • All namespaces are network-accessible to each other by default.
    • External traffic can bypass ingress controllers if misconfigured.

These challenges highlight why most production Kubernetes deployments require significant, complex customization beyond the default configuration.

Figure 1 shows those workarounds being implemented and how complicated our setup would be, with multiple add-ons required to overcome Kubernetes limitations.

In the following section, we are exploring how BIG-IP Next for Kubernetes simplifies and enhances application delivery and security within Kubernetes environment. 

 

BIG-IP Next for Kubernetes

Introducing BIG-IP Next for Kubernetes not only reduces complexity, but leverages the main networking components to the TMM pods rather than relying on the host server.

Think of where current network functions are applied, it’s the host kernel. Whether you are doing NAT or firewalling services, this requires intervention by the host side, which impacts the zero-trust architecture and traffic performance is limited by default kernel IP and routing capabilities. 

 

 

Deployment overview

Among the introduced features in 2.0.0 Release

• API GW CRs (Custom Resources). 

• F5 IPAM Controller to manage IP addresses for Gateway resource.

• Seamless firewall policy integration in Gateway API.

• Ingress DDoS protection in Gateway API.

• Enforced access control for Debug and QKView APIs with Admin Token.

In this section, we explore the steps to deploy BIG-IP Next for Kubernetes in your environment, 

• Infrastructure
  • Using different flavors depending on your needs and lab type (demo or production), for labs microk8s, k8s or kind, for example. 
• BIG-IP Next for Kubernetes
  • helm, docker are required packages for this installation. 
  • Follow the installation guide BIG-IP Next for Kubernetes  current 2.0.0 GA release is available. 
    
    • For the desired objective in this article, you may skip the Nvidia DOCA (that's the focus of the coming article) and go directly for BIG-IP Next for Kubernetes.
• Install additional CRDs 
  
  • Once the licensing and core pods are ready, you can move to adding additional CRDs (Customer Resources Definition). 
  • BIG-IP Next for Kubernetes CRDs BIG-IP Next for Kubernetes CRDs 
  • Custom CRDs Install F5 Use case Custom Resource Definitions 

 

Related Content

• BIG-IP Next for Kubernetes v2.0.0 Release Notes 
• System Requirements 
• BIG-IP Next for Kubernetes CRDs 
• BIG-IP Next for Kubernetes 
• BIG-IP Next SPK: a Kubernetes native ingress and egress gateway for Telco workloads 
• F5 BIG-IP Next for Kubernetes deployed on NVIDIA BlueField-3 DPUs 
• BIG-IP Next for Kubernetes running in Amazon EKS