F5 Container Integrations v1.1


Add BIG-IP device to an OpenShift Cluster

Summary

Complete the following tasks to set up a BIG-IP device and BIG-IP Controller for use in an OpenShift cluster:

  1. Create a host subnet in your OpenShift cluster.
  2. Create a VXLAN tunnel on the BIG-IP device.
  3. Assign an overlay address from the subnet to a BIG-IP Self IP address.
  4. Create an OpenShift service account for the BIG-IP Controller with permission to manage the following:
    • nodes
    • endpoints
    • services
    • configmaps
    • namespaces
    • ingresses
    • ingresses/status
    • events

Tip

The examples deploy the BIG-IP Controller to the namespace ‘default’ and create a service account (the serviceAccountName) named ‘bigip-ctlr’.

Create a new OpenShift HostSubnet

  1. Define a HostSubnet using valid JSON or YAML.

    user@openshift:~$ oc create -f f5-kctlr-openshift-hostsubnet.yaml
    

    Important

    You must include the “annotation” section shown in the example below.

    apiVersion: v1
    kind: HostSubnet
    metadata:
      name: f5-server
      annotations:
        pod.network.openshift.io/fixed-vnid-host: "0"
        pod.network.openshift.io/assign-subnet: "true"
    # provide a name for the node that will serve as BIG-IP's entry into the cluster
    host: f5-server
    # The hostIP address will be the BIG-IP interface address routable to the
    # OpenShift Origin nodes.
    # This address is the BIG-IP VTEP in the SDN's VXLAN.
    hostIP: 172.16.1.28
    

    f5-kctlr-openshift-hostsubnet.yaml

  2. Verify creation of the HostSubnet.

    $ oc get hostsubnet
    NAME                  HOST                  HOST IP         SUBNET
    f5-server             f5-server             172.16.1.28     10.129.2.0/23
    master.internal.net   master.internal.net   172.16.1.10     10.129.0.0/23
    node1.internal.net    node1.internal.net    172.16.1.24     10.130.0.0/23
    node2.internal.net    node2.internal.net    172.16.1.25     10.128.0.0/23
    

Create a BIG-IP VXLAN

  1. Create a new VXLAN profile on the BIG-IP device using multi-point flooding.

    admin@BIG-IP(cfg-sync Standalone)(Active)(/Common)(tmos)$ create net \
    tunnels vxlan vxlan-mp flooding-type multipoint
    
  2. Verify creation of the profile.

    admin@BIG-IP(cfg-sync Standalone)(Active)(/Common)(tmos)$ list net \
    tunnels vxlan vxlan-mp
    
  3. Create a BIG-IP VXLAN using the new vxlan-mp profile.

    admin@BIG-IP(cfg-sync Standalone)(Active)(/Common)(tmos)$ create net \
    tunnels tunnel openshift_vxlan key 0 profile vxlan-mp local-address 172.16.1.28
    
    • The hostIP address defined in the OpenShift HostSubnet is the local-address (the VTEP).
    • The key must be 0 if you want to give the BIG-IP access to all OpenShift subnets.
  4. Verify creation of the VXLAN tunnel.

    admin@BIG-IP(cfg-sync Standalone)(Active)(/Common)(tmos)$ list net \
    tunnels tunnel openshift_vxlan
    

Assign an OpenShift overlay address to the BIG-IP device

  1. Create a Self IP address on the BIG-IP device. Use an address in the range you defined in the HostSubnet subnet field.

    admin@BIG-IP(cfg-sync Standalone)(Active)(/Common)(tmos)$ create net self \
    10.129.2.10/14 allow-service all vlan openshift_vxlan
    

    Note

    • Specify a subnet mask of /14 when creating the Self IP; this is the subnet range of the default OpenShift cluster network. [1] This ensures that all VXLAN traffic is correctly routed via the openshift_vxlan tunnel.
    • If you don’t specify a traffic group when creating the Self IP, it will use the default traffic group.
  2. Verify creation of the Self IP.

    admin@BIG-IP(cfg-sync Standalone)(Active)(/Common)(tmos)$ list net self 10.129.2.10/14
    
[1]https://docs.openshift.org/latest/architecture/additional_concepts/sdn.html#sdn-design-on-masters
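The three preceding sections only work together if the HostSubnet, the VXLAN tunnel and the Self IP agree with each other: the Self IP host address must come from the subnet OpenShift assigned, its /14 mask must match the cluster network so every node's pod subnet is routed through the tunnel, and the tunnel's local-address must be the HostSubnet hostIP. The following Python check, added here as an example and not part of the F5 documentation or product, encodes those rules over the values shown on this page. The inputs are constructed copies of the page's values; the cluster network 10.128.0.0/14 is assumed from the /14 note above and reference [1]. In practice you would feed it the output of `oc get hostsubnet` and the BIG-IP `list net self` / `list net tunnels tunnel` output.

```python
import ipaddress

# Constructed inputs, copied from the examples on this page.
HOSTSUBNET = {
    "name": "f5-server",
    "hostIP": "172.16.1.28",      # BIG-IP VTEP, routable to the OpenShift nodes
    "subnet": "10.129.2.0/23",    # pod subnet OpenShift assigned (oc get hostsubnet)
}
NODE_SUBNETS = ["10.129.0.0/23", "10.130.0.0/23", "10.128.0.0/23"]  # other nodes
SELF_IP = "10.129.2.10/14"                # argument given to `create net self`
TUNNEL_LOCAL_ADDRESS = "172.16.1.28"      # local-address of openshift_vxlan
CLUSTER_NETWORK = "10.128.0.0/14"         # assumed default cluster network, see [1]


def check_overlay_config(hostsubnet, node_subnets, self_ip,
                         tunnel_local_address, cluster_network):
    """Return a list of inconsistencies; an empty list means the pieces agree."""
    problems = []
    iface = ipaddress.ip_interface(self_ip)
    assigned = ipaddress.ip_network(hostsubnet["subnet"])
    cluster = ipaddress.ip_network(cluster_network)

    # The Self IP host address must come from the subnet assigned to the BIG-IP.
    if iface.ip not in assigned:
        problems.append(f"self IP {iface.ip} is not in assigned HostSubnet {assigned}")

    # Its mask must make the Self IP's network equal the whole cluster network;
    # otherwise pod subnets on other nodes are not routed via the tunnel.
    if iface.network != cluster:
        problems.append(f"self IP network {iface.network} != cluster network {cluster}")

    # Every node's pod subnet (and the BIG-IP's own) must sit inside that network.
    for s in [hostsubnet["subnet"]] + list(node_subnets):
        if not ipaddress.ip_network(s).subnet_of(cluster):
            problems.append(f"node subnet {s} is outside cluster network {cluster}")

    # The tunnel's local-address (VTEP) must be the HostSubnet hostIP.
    if ipaddress.ip_address(tunnel_local_address) != ipaddress.ip_address(hostsubnet["hostIP"]):
        problems.append(f"tunnel local-address {tunnel_local_address} "
                        f"!= hostIP {hostsubnet['hostIP']}")
    return problems


if __name__ == "__main__":
    result = check_overlay_config(HOSTSUBNET, NODE_SUBNETS, SELF_IP,
                                  TUNNEL_LOCAL_ADDRESS, CLUSTER_NETWORK)
    for line in result or ["overlay configuration is consistent"]:
        print(line)
```

Run against the page's values the check reports no problems; giving the Self IP a /23 mask instead of /14, or a tunnel local-address that differs from the HostSubnet hostIP, each produces one finding, which is the kind of mismatch that otherwise shows up only as pods on some nodes being unreachable from the BIG-IP.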

Create an OpenShift service account and policy

  1. Create a serviceaccount for the BIG-IP Controller.

    user@openshift:~$ oc create serviceaccount bigip-ctlr -n default
    serviceaccount "bigip-ctlr" created
    
  2. Create a valid clusterrole.

    user@openshift:~$ oc create -f f5-kctlr-openshift-clusterrole.yaml
    clusterrole "system:bigip-ctlr" created
    
    apiVersion: v1
    kind: ClusterRole
    metadata:
      annotations:
        authorization.openshift.io/system-only: "true"
      name: system:bigip-ctlr
    rules:
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - nodes
      - services
      - endpoints
      - namespaces
      - ingresses
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - configmaps
      - events
      - ingresses/status
      verbs:
      - get
      - list
      - watch
      - update
      - create
      - patch
    

    f5-kctlr-openshift-clusterrole.yaml

  3. Create a valid clusterrolebinding that binds the clusterrole to the service account.

    user@openshift:~$ oc create -f f5-kctlr-openshift-clusterrole-binding.yaml
    clusterrolebinding "bigip-ctlr-role" created
    
    apiVersion: v1
    kind: ClusterRoleBinding
    metadata:
        name: bigip-ctlr-role
    userNames:
    - system:serviceaccount:default:bigip-ctlr
    subjects:
    - kind: ServiceAccount
      namespace: default
      name: bigip-ctlr
    roleRef:
      name: system:bigip-ctlr
    

    f5-kctlr-openshift-clusterrole-binding.yaml
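The Summary lists exactly which resources the controller needs, and the clusterrole above grants read-only access to most of them and write access only to configmaps, events and ingresses/status. Because a ClusterRoleBinding makes those grants cluster-wide, it is worth re-checking the role against that baseline whenever it is edited. The Python audit below is an added example, not part of the F5 documentation or the BIG-IP Controller; it takes a ClusterRole in the JSON form `oc get clusterrole system:bigip-ctlr -o json` returns (here a constructed JSON copy of the page's YAML), flattens the rules into per-resource verb sets, and reports wildcards, resources outside the Summary list, verbs beyond what the page grants, and verbs the controller needs but the role lacks. The expected-permission table is derived from this page, not from any F5 source.

```python
import json

# Constructed JSON equivalent of f5-kctlr-openshift-clusterrole.yaml from this page,
# in the shape `oc get clusterrole system:bigip-ctlr -o json` produces.
CLUSTERROLE_JSON = """
{
  "apiVersion": "v1",
  "kind": "ClusterRole",
  "metadata": {"name": "system:bigip-ctlr",
               "annotations": {"authorization.openshift.io/system-only": "true"}},
  "rules": [
    {"apiGroups": ["", "extensions"],
     "resources": ["nodes", "services", "endpoints", "namespaces", "ingresses"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["", "extensions"],
     "resources": ["configmaps", "events", "ingresses/status"],
     "verbs": ["get", "list", "watch", "update", "create", "patch"]}
  ]
}
"""

# Baseline taken from the Summary and the clusterrole on this page (assumed, not an F5 spec).
READ = {"get", "list", "watch"}
WRITE = READ | {"update", "create", "patch"}
EXPECTED = {
    "nodes": READ, "services": READ, "endpoints": READ, "namespaces": READ,
    "ingresses": READ,
    "configmaps": WRITE, "events": WRITE, "ingresses/status": WRITE,
}


def load_role(text):
    """Parse a ClusterRole from JSON text (e.g. the output of oc get -o json)."""
    return json.loads(text)


def effective_permissions(role):
    """Flatten rules into {resource: set(verbs)}; '*' entries are kept literally."""
    perms = {}
    for rule in role.get("rules", []):
        for res in rule.get("resources", []):
            perms.setdefault(res, set()).update(rule.get("verbs", []))
    return perms


def audit_clusterrole(role, expected):
    """Return findings where the role deviates from the expected baseline."""
    findings = []
    perms = effective_permissions(role)
    for res, verbs in perms.items():
        if res == "*" or "*" in verbs:
            findings.append(f"wildcard grant on {res}: {sorted(verbs)}")
        elif res not in expected:
            findings.append(f"unexpected resource {res}: {sorted(verbs)}")
        elif verbs - expected[res]:
            findings.append(f"excess verbs on {res}: {sorted(verbs - expected[res])}")
    # Also report verbs the controller needs but the role does not grant.
    for res, verbs in expected.items():
        missing = verbs - perms.get(res, set())
        if missing:
            findings.append(f"missing verbs on {res}: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for line in audit_clusterrole(load_role(CLUSTERROLE_JSON), EXPECTED) or ["role matches baseline"]:
        print(line)
```

The page's role audits clean. Adding a rule for `secrets`, or adding `delete` to the read-only rule, produces one finding per affected resource, so a drift from the documented least-privilege set is caught before it is bound cluster-wide.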