F5 Container Integrations v1.1

Current Page

Application Services Proxy

Cloud Foundry

Kubernetes

Mesos Marathon

OpenShift

Support

Troubleshooting

Tutorials

Cloud Docs Home > F5 Container Integrations Index

Expose Kubernetes Services to External Traffic using an Ingress

As described in the Kubernetes documentation, the IP address assigned to a Kubernetes Pod is only accessible from within the cluster network.

You can use the BIG-IP Controller for Kubernetes as a Kubernetes Ingress controller to:

Attention

An Ingress resource corresponds to one (1) BIG-IP virtual server.

Allocate an external IP address for the virtual server before you set up the Ingress in Kubernetes.

Quick Start

You can add the F5 virtual server properties to any existing Ingress resource.

kubectl annotate ingress myIngress virtual-server.f5.com/ip="1.2.3.4"
                                   virtual-server.f5.com/partition="k8s"
                                   ingress.kubernetes.io/ssl-redirect="true"
                                   ingress.kubernetes.io/allow-http="false"
                                   kubernetes.io/ingress.class="f5"
                                   virtual-server.f5.com/balance="round-robin"
                                   virtual-server.f5.com/http-port="80"
                                   virtual-server.f5.com/health='[{"path": "svc1.bar.com/foo", "send": "HTTP GET /health/foo", "interval": 5, "timeout": 10}]'

At minimum, you should define the following properties:

  • virtual-server.f5.com/ip
  • virtual-server.f5.com/partition

Hint

The kubernetes.io/ingress.class property defaults to “f5”, so you don’t need to include it in your Ingress resource annotation. The BIG-IP Controller for Kubernetes ignores Ingress resources with any other ingress.class.

Create a Kubernetes Ingress Resource

Create a new Ingress Resource and annotate it with the desired F5 virtual server properties.

Single Service

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress1
  namespace: default
  annotations:
    # Provide an IP address from the external VLAN on your BIG-IP device
    virtual-server.f5.com/ip: "10.190.25.70"
    # Specify the BIG-IP partition containing the virtual server
    virtual-server.f5.com/partition: "k8s"
spec:
  backend:
    # The name of the Kubernetes Service you want to expose to external traffic
    serviceName: myService
    servicePort: 80

f5-k8s-single-ingress.yaml

Simple Fanout

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ing-fanout
  namespace: default
  annotations:
    # IP address of a BIG-IP pool member
    virtual-server.f5.com/ip: "1.2.3.4"
    # BIG-IP partition
    virtual-server.f5.com/partition: "k8s"
    # Load balancing algorithm
    virtual-server.f5.com/balance: "round-robin"
spec:
  rules:
  - host: mysite.example.com
    http:
      paths:
      - path: /mysite/app1
        backend:
          serviceName: myService1
          servicePort: 80
      - path: /mysite/app2
        backend:
          serviceName: myService2
          servicePort: 80

f5-k8s-ingress-fanout.yaml

Name-based virtual hosting

Specific hosts
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: ing-virtual-hosting
 namespace: default
 annotations:
  # BIG-IP pool member IP address
  virtual-server.f5.com/ip: "1.2.3.4"
  # BIG-IP partition
  virtual-server.f5.com/partition: "k8s"
  # Load balancing algorithm
  virtual-server.f5.com/balance: "round-robin"
  # Specify the port you want to handle requests
  virtual-server.f5.com/http-port: "80"
spec:
 rules:
 # URL
 - host: mysite.example.com
   http:
     # path to Service from URL
     paths:
       - path: /myApp1
         backend:
           serviceName: myService1
           servicePort: 80
 # URL
 - host: yoursite.example.com
   http:
     # path to Service from URL
     paths:
       - path: /myApp2
         backend:
           serviceName: myService2
           servicePort: 80

f5-k8s-ingress-virtual-hosting.yaml

All hosts
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: ing-virtual-hosting
 namespace: default
 annotations:
  # BIG-IP pool member IP address
  virtual-server.f5.com/ip: "1.2.3.4"
  # BIG-IP partition
  virtual-server.f5.com/partition: "k8s"
  # Load balancing algorithm
  virtual-server.f5.com/balance: "round-robin"
  # Specify the port you want to handle requests
  virtual-server.f5.com/http-port: "80"
spec:
 rules:
 # omit host name (URL) to match all hosts
 - http:
     # Provide path to each Service you want to proxy
     paths:
     - path: /myApp1
       backend:
         serviceName: myService1
         servicePort: 80
     - path: /myApp2
       backend:
         serviceName: myService2
         servicePort: 80

f5-k8s-ingress-virtual-hosting_all.yaml

Use BIG-IP SSL Profiles to secure an Ingress

To use an existing BIG-IP SSL profile to secure traffic for an Ingress:

Specify the SSL profile(s) you’d like to use in the spec.tls section of the Ingress resource.

Add the ingress.kubernetes.io/ssl-redirect annotation.

OPTIONAL; defaults to "true"

Add the ingress.kubernetes.io/allow-http annotation.

OPTIONAL; defaults to "false"

Note

This option replaces the Kubernetes’ native TLS Ingress, which requires you to store a key and certificate as a Kubernetes Secret.

You can specify one (1) or more SSL profiles in your Ingress resource.

TLS Example
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingressTLS
  namespace: default
  annotations:
    # Provide an IP address for the BIG-IP pool you want to handle traffic.
    virtual-server.f5.com/ip: "1.2.3.4"
    # Specify the BIG-IP partition containing the virtual server.
    virtual-server.f5.com/partition: "k8s"
    # Allow/deny TLS connections
    ingress.kubernetes.io/ssl-redirect: "true"
    # Allow/deny HTTP connections
    ingress.kubernetes.io/allow-http: "false"
spec:
  tls:
    # Provide the BIG-IP SSL Profile you want to use.
    # Follows the format "/partition/profile_name".
    - secretName: /Common/clientssl
  backend:
    # The name of a single Kubernetes Service you want to expose to external
    # traffic using TLS
    serviceName: myService
    servicePort: 443

f5-k8s-ingress-tls.yaml

Attention

If you specify a spec.tls section without providing the TLS Ingress properties,the BIG-IP device uses Local traffic policies to redirect HTTP requests to HTTPS.

Add a Health Monitor to an Ingress Resource

Use the virtual-server.f5.com/health annotation with a JSON blob to create a BIG-IP health monitor for any Kubernetes Ingress.

Health Monitor Example
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ing1
  namespace: default
  annotations:
    virtual-server.f5.com/ip:        "1.2.3.4"
    virtual-server.f5.com/partition: "k8s"
    virtual-server.f5.com/health: |
      [
        {
          "path":     "svc1.example.com/app1",
          "send":     "HTTP GET /health/app1",
          "interval": 5,
          "timeout":  10
        }, {
          "path":     "svc2.example.com/app2",
          "send":     "HTTP GET /health/app2",
          "interval": 5,
          "timeout":  5
        }
      ]
spec:
  rules:
  - host: svc1.example.com
    http:
      paths:
      - backend:
          serviceName: svc1
          servicePort: 8080
        path: /app1
  - host: svc2.example.com
    http:
      paths:
      - backend:
          serviceName: svc2
          servicePort: 9090
        path: /app2

Deploy the Ingress Resource

Use kubectl create to upload the Ingress Resource to the Kubernetes API server.

kubectl create ingress -f <filename>.yaml
Ingress myIngress created

Verify creation of BIG-IP objects

You can use TMOS or the BIG-IP configuration utility to verify that the BIG-IP Controller for Kubernetes created the requested BIG-IP objects for your Ingress.

To verify using the BIG-IP configuration utility:

  1. Log in to the configuration utility at the management IP address (for example: https://10.190.25.225/tmui/login.jsp?).
  2. Select the correct partition from the Partition drop-down menu.
  3. Go to Local Traffic ‣ Virtual Servers to view all virtual servers, pools, and pool members.
  4. Go to Local Traffic ‣ Policies to view any new policies.

See the TMSH Reference Guide (PDF) for the relevant tmsh ltm commands.

Learn More

The BIG-IP Controller for Kubernetes supports each type of Kubernetes Ingress Resource.

  • Single Service ingress lets you create a BIG-IP virtual server to proxy traffic for a single Service.

  • Simple fanout ingress uses a BIG-IP device as an edge load balancer to proxy requests to endpoints within the cluster.

  • Name-based virtual hosting lets you match host names and paths to a single IP address allocated to a BIG-IP pool.

    Tip

    If you don’t specify any hosts or paths, the BIG-IP device will proxy traffic for all hosts/paths for the Service specified under backend.

Ingress Resource to BIG-IP mapping
Ingress Type Description
Single Service Create a BIG-IP virtual server and server pool for a single Kubernetes Service.
Simple Fanout Create a BIG-IP virtual server and server pools for a group of Kubernetes Services (one server pool per Service).
Name-based virtual hosting

Create a BIG-IP virtual server and server pools for Kubernetes Services.

Creates BIG-IP Local Traffic Policies to route requests to specific pools according to host name and path.