F5 CES Solution Architecture and Capabilities for Kubernetes Egress Policy Management

CES is a solution that helps users manage Kubernetes egress policies more effectively, addressing the challenges of high‑dynamic IP environments by providing rich outbound control strategies and a hierarchical design that facilitates collaboration among security, network, platform, and application operations teams.

Solution Architecture

Component Composition

CES consists of the following components:

CES Controller: a container running inside Kubernetes that translates internal egress policies into configurations for external data‑plane components.

F5 BIG‑IP: the external data‑plane component that receives configurations from the CES controller and enforces access control lists, rate limiting, traffic programming, etc.

CNI: the user‑chosen container network interface, recommended to use kube-ovn . The kube-ovn CNI offers rich enterprise‑grade features and integrates well with F5 to enable the full set of egress policies.

Architecture Diagram

Policy Scopes and Roles

The solution provides three policy scopes— cluster global , namespace , and service —each mapped to specific user roles as shown in the table below.

Policy Scope

Meaning

Applicable Roles

Cluster global

Cluster‑wide policies controlling common services such as NTP and DNS for all workloads.

Cluster administrators, foundational security team

Namespace

Policies applied to a single namespace or project, isolating traffic per namespace.

Project teams, application operations

Service level

Policies targeting a specific Kubernetes Service and its endpoints.

Project teams, application operations, micro‑service owners

Tenant Isolation

CES supports strong isolation based on both network and namespace attributes, allowing overlapping CIDRs across namespaces while ensuring data‑plane configuration objects are isolated both logically and at the network layer. This feature requires specific CNI support .

Solution Value

Challenges Addressed

Frequent changes in egress policies due to dynamic container IPs.

Diverse role‑based requirements for policy scopes.

Dynamic bandwidth limitation needs for outbound traffic.

Deep protocol security inspection.

Advanced programmable traffic based on access events.

Outbound traffic visualization.

Provided Capabilities

Dynamic IP ACL control at Cluster/Pod/Namespace granularity.

FQDN ACL control at the same granularity.

Time‑based access control.

Event‑driven programmable traffic matching and redirection.

Protocol security and compliance detection.

IP intelligence database.

Traffic matching logs and visual reports.

Protocol detection visual reports.

TCP/IP error reporting.

NAT control and logging.

Data flow visualization and tracking.

Access rule simulation.

Transparent detection mode.

High‑speed log export.

For more details on installing F5 CES, refer to the provided GitHub link.