F5 Container Integrations v1.2


F5 OpenShift Origin Container Integration


Red Hat’s OpenShift Origin is a containerized application platform with a native Kubernetes integration. The BIG-IP Controller for Kubernetes enables use of a BIG-IP device as an edge load balancer, proxying traffic from outside networks to pods inside an OpenShift cluster. OpenShift Origin uses a pod network defined by the OpenShift SDN.

The F5 Integration for Kubernetes overview describes how the BIG-IP Controller works with Kubernetes. Because OpenShift has a native Kubernetes integration, the BIG-IP Controller works essentially the same in both environments. It does have a few OpenShift-specific prerequisites, noted below.


The following are in addition to the F5 Integration for Kubernetes’ general prerequisites:

Required configuration parameters for OpenShift clusters

Define the following parameters in your Deployment when using BIG-IP Controller in an OpenShift cluster.

Parameter Description
pool-member-type Must be cluster.

TMOS path to the BIG-IP VXLAN tunnel providing access to the OpenShift SDN and Pod network; include the partition and VXLAN name.

Example: /Common/openshift_vxlan [1]

[1] The VXLAN tunnel does not need to reside in the same partition managed by the BIG-IP Controller for Kubernetes.
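A pre-deployment check for the two parameters above, as an added example that is not part of the F5 documentation or the controller's own code. It assumes the Deployment has already been loaded into a Python dict; the flag name `openshift-sdn-name` for the tunnel path comes from the controller's option list rather than from this page, and the path pattern, partition name and sample Deployments are constructed for illustration.

```python
import re

# Assumed shape of a TMOS path: /<partition>/<name>, e.g. /Common/openshift_vxlan
TMOS_PATH = re.compile(r"^/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")

def parse_args(args):
    """Map flags to values for both '--flag=value' and '--flag value'."""
    flags, i = {}, 0
    while i < len(args):
        if args[i].startswith("--"):
            name, sep, value = args[i][2:].partition("=")
            if not sep and i + 1 < len(args) and not args[i + 1].startswith("--"):
                i += 1
                value = args[i]
            flags[name] = value
        i += 1
    return flags

def check_openshift_params(deployment):
    """Return a list of problems with the OpenShift-specific parameters."""
    problems = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        flags = parse_args(c.get("args", []))
        mode = flags.get("pool-member-type")
        if mode != "cluster":
            problems.append(f"{c['name']}: pool-member-type is {mode!r}, must be 'cluster'")
        tunnel = flags.get("openshift-sdn-name")
        if not tunnel:
            problems.append(f"{c['name']}: openshift-sdn-name is not set")
        elif not TMOS_PATH.match(tunnel):
            problems.append(f"{c['name']}: {tunnel!r} lacks the /partition/name form")
        # Deliberately no comparison with --bigip-partition: per the footnote,
        # the tunnel may reside in a different partition than the managed one.
    return problems

def sample_deployment(args):
    # Constructed Deployment, trimmed to the fields the check reads.
    return {"spec": {"template": {"spec": {"containers": [
        {"name": "k8s-bigip-ctlr", "args": args}]}}}}

GOOD = sample_deployment(["--bigip-partition=openshift", "--pool-member-type=cluster",
                          "--openshift-sdn-name=/Common/openshift_vxlan"])
BAD = sample_deployment(["--bigip-partition=openshift", "--pool-member-type", "nodeport",
                         "--openshift-sdn-name=openshift_vxlan"])

if __name__ == "__main__":
    for label, dep in (("good", GOOD), ("bad", BAD)):
        print(label, check_openshift_params(dep) or "ok")
```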

OpenShift Node Health

In OpenShift clusters, the Kubernetes NodeList records status for all nodes registered with the master.

When the BIG-IP Controller runs with pool-member-type set to cluster – which integrates the BIG-IP device into the OpenShift cluster network – it watches the NodeList in OpenShift’s underlying Kubernetes API server. The BIG-IP Controller creates/updates FDB (Forwarding DataBase) entries for the configured VXLAN tunnel according to the NodeList. This ensures the BIG-IP Controller only makes VXLAN requests to reported nodes.

As a function of the BIG-IP VXLAN, the BIG-IP device only communicates with healthy cluster nodes. The BIG-IP device does not attempt to route traffic to an unresponsive node, even if the node remains in the NodeList.

OpenShift Routes

In OpenShift, the BIG-IP Controller can manage BIG-IP objects for routes, in addition to managing virtual servers for Services or Ingress resources.

The BIG-IP Controller operates as follows when configured with OpenShift route resources:

  • runs as a unique, non-root user;
  • listens for HTTP route events in OpenShift and can create/delete/expire routes on BIG-IP devices (including L7 config policies such as wildcard routes, prefixes, etc.);
  • can apply client SSL certificates from Kubernetes/OpenShift Secrets to BIG-IP LTM objects;
  • can apply existing BIG-IP SSL certificates to BIG-IP LTM objects;
  • provides edge, passthrough, and re-encryption modes of SSL termination.

The BIG-IP Controller OpenShift route integration follows what the OpenShift Origin documentation refers to as an F5 Native Integration. See Add your BIG-IP device to an OpenShift Cluster for deployment instructions.

The BIG-IP Controller integration for OpenShift Routes works as follows:

  • User creates a route in OpenShift –> The BIG-IP Controller creates corresponding virtual servers (one HTTP and one HTTPS), pools, and pool members on the BIG-IP system with the policies defined for OpenShift.
  • User adds/removes endpoints in OpenShift –> The BIG-IP Controller adds/removes pool members from the route’s pool on the BIG-IP system.
  • User deletes all routes (and associated endpoints) in OpenShift –> The BIG-IP Controller deletes the associated virtual servers, pools, and pool members from the BIG-IP system.