F5 Container Integrations v1.3

Current Page

Application Services Proxy

Cloud Foundry

Kubernetes / OpenShift

Mesos Marathon

Support

Troubleshooting

Tutorials

Cloud Docs Home > F5 Container Integrations Index

Install the BIG-IP Controller in Kubernetes

The BIG-IP Controller for Kubernetes installs via a Kubernetes Deployment. The Deployment creates a ReplicaSet that, in turn, launches a Pod running the BIG-IP Controller app.

Attention

These instructions are for a standard Kubernetes environment. If you are using OpenShift, see Install the BIG-IP Controller for Kubernetes in OpenShift Origin.

Initial Setup

Important

You should create all BIG-IP Controller resources in the kube-system namespace unless otherwise specified.

  1. Create a new partition on your BIG-IP system.

    Important

    The BIG-IP Controller can not manage objects in the /Common partition.

  2. Store your BIG-IP login credentials in a Secret.

  3. If you need to pull the k8s-bigip-ctlr image from a private Docker registry, store your Docker login credentials as a Secret.

Set up RBAC Authentication

Note

If your cluster doesn’t use Role Based Access Control , you can skip this step.

  1. Create a Service Account for the BIG-IP Controller.

    kubectl create serviceaccount bigip-ctlr -n kube-system
    serviceaccount "bigip-ctlr" created
    
  2. Create a Cluster Role and Cluster Role Binding.

    You can restrict the permissions granted in the cluster role as needed for your deployment. The table below shows the supported permission set (these are also provided in the Cluster Role example below).

    API groups Resources Actions
    “” endpoints get, list, watch
    namespaces
    nodes
    services
    secrets
    “extensions” ingresses get, list, watch
    “” configmaps get, list, watch, update, create, patch
      events
    “extensions” ingresses/status get, list, watch, update, create, patch

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    # for use in k8s clusters using RBAC
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: bigip-ctlr-clusterrole
    rules:
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - nodes
      - services
      - endpoints
      - namespaces
      - ingresses
      - secrets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - configmaps
      - events
      - ingresses/status
      verbs:
      - get
      - list
      - watch
      - update
      - create
      - patch
    
    ---
    
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: bigip-ctlr-clusterrole-binding
      namespace: kube-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: bigip-ctlr-clusterrole
    subjects:
    - kind: ServiceAccount
      name: bigip-ctlr-serviceaccount
      namespace: kube-system
    

    f5-k8s-sample-rbac.yaml

Create a Deployment

  1. Define the BIG-IP Controller configurations in a Kubernetes Deployment using valid JSON or YAML.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: k8s-bigip-ctlr-deployment
      namespace: kube-system
    spec:
      replicas: 1
      template:
        metadata:
          name: k8s-bigip-ctlr
          labels:
            app: k8s-bigip-ctlr
        spec:
          serviceAccountName: bigip-ctlr-serviceaccount
          containers:
            - name: k8s-bigip-ctlr
              # replace the version as needed
              image: "f5networks/k8s-bigip-ctlr:1.3.0"
              env:
                - name: BIGIP_USERNAME
                  valueFrom:
                    secretKeyRef:
                      name: bigip-login
                      key: username
                - name: BIGIP_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: bigip-login
                      key: password
              command: ["/app/bin/k8s-bigip-ctlr"]
              args: [
                "--bigip-username=$(BIGIP_USERNAME)",
                "--bigip-password=$(BIGIP_PASSWORD)",
                "--bigip-url=10.190.24.171",
                "--bigip-partition=kubernetes",
                # To manage a single namespace, enter it below
                # (required in v1.0.0), e.g.:
                #"--namespace=default",
                # To manage multiple namespaces, enter a separate flag for each
                # namespace below (as of v1.1.0), e.g.:
                #"--namespace=myNamespace1",
                #"--namespace=myNamespace2",
                # To manage all namespaces, omit the `namespace` entry or comment
                # it out
                # (default as of v1.1.0)
                # Tell the k8s-bigip-ctlr to load SSL profiles from Kubernetes
                # Secrets; set to "false" if you only want to use preconfigured
                # BIG-IP SSL profiles
                # (available as of v1.3.0)
                "--use-secrets=true",
                # Tells the k8s-bigip-ctlr to use local DNS to resolve hostnames
                # Can be replaced with custom DNS server IP or left blank
                # (available as of v1.3.0)
                "--resolve-ingress-names=LOOKUP"
                ]
          imagePullSecrets:
            - name: f5-docker-images
    

    f5-k8s-bigip-ctlr_image-secret.yaml

Upload the resources to the Kubernetes API server

Upload the Deployment, Cluster Role, and Cluster Role Binding to the Kubernetes API server using kubectl apply. Be sure to create all resources in the kube-system namespace.

kubectl apply -f f5-k8s-bigip-ctlr_image-secret.yaml --namespace=kube-system
kubectl apply -f f5-k8s-sample-rbac.yaml --namespace=kube-system
deployment "k8s-bigip-ctlr-deployment" created
cluster role "bigip-ctlr-clusterrole" created
cluster role binding "bigip-ctlr-clusterrole-binding" created

Verify creation

Use kubectl get to verify all of the objects launched successfully.

You should see one (1) Deployment, as well as one (1) k8s-bigip-ctlr Pod for each node in the cluster. The example below shows one (1) Pod running the k8s-bigip-ctlr in a test cluster with one worker node.

kubectl get deployments --namespace=kube-system
NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
k8s-bigip-ctlr   1         1         1            1           1h

kubectl get pods --namespace=kube-system
NAME                                  READY     STATUS    RESTARTS   AGE
k8s-bigip-ctlr-331478340-ke0h9        1/1       Running   0          1h
kube-apiserver-172.16.1.19            1/1       Running   0          2d
kube-controller-manager-172.16.1.19   1/1       Running   0          2d
kube-dns-v11-2a66j                    4/4       Running   0          2d
kube-proxy-172.16.1.19                1/1       Running   0          2d
kube-proxy-172.16.1.21                1/1       Running   0          2d
kube-scheduler-172.16.1.19            1/1       Running   0          2d
kubernetes-dashboard-172.16.1.19      1/1       Running   0          2d