Install the BIG-IP Controller in Kubernetes

The BIG-IP Controller for Kubernetes installs via a Kubernetes Deployment. The Deployment creates a ReplicaSet that, in turn, launches a Pod running the BIG-IP Controller app.

Attention

These instructions are for a standard Kubernetes environment. If you are using OpenShift, see Install the BIG-IP Controller for Kubernetes in OpenShift Origin.

Initial Setup

Important

The steps in this section require either Administrator or Resource Administrator permissions on the BIG-IP system.

  1. If you want to use BIG-IP HA, set up two or more F5 BIG-IPs in a Device Service Cluster (DSC).

  2. Create a new partition on your BIG-IP system.

    Note

    • The BIG-IP Controller can not manage objects in the /Common partition.
    • [Optional] The Controller can decorate the IP addresses it configures on the BIG-IP with a Route Domain identifier. You may want to use route domains if you have many applications using the same IP address space that need isolation from one another. After you create the partition on your BIG-IP system, you can 1) create a route domain and 2) assign the route domain as the partition’s default. See create and set a non-zero default Route Domain for a partition for setup instructions.
    • [Optional] If you’re using a BIG-IP HA pair or cluster, sync your changes across the group.
  3. Store your BIG-IP login credentials in a Secret.

  4. If you need to pull the k8s-bigip-ctlr image from a private Docker registry, store your Docker login credentials as a Secret.

Set up RBAC Authentication

  1. Create a Service Account for the BIG-IP Controller.

    kubectl create serviceaccount bigip-ctlr -n kube-system
    serviceaccount "bigip-ctlr" created
    
  2. Create a Cluster Role and Cluster Role Binding.

    You can restrict the permissions granted in the cluster role as needed for your deployment. The table below shows the supported permission set (these are also provided in the Cluster Role example below).

    API groups Resources Actions
    “” endpoints get, list, watch
    namespaces
    nodes
    pods
    services
    secrets
    “extensions” ingresses get, list, watch
    “” configmaps get, list, watch, update, create, patch
      events
    “extensions” ingresses/status get, list, watch, update, create, patch

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    # for use in k8s clusters using RBAC
    # for Openshift use the openshift specific examples
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: bigip-ctlr-clusterrole
    rules:
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - nodes
      - services
      - endpoints
      - namespaces
      - ingresses
      - secrets
      - pods
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - configmaps
      - events
      - ingresses/status
      verbs:
      - get
      - list
      - watch
      - update
      - create
      - patch
    
    ---
    
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: bigip-ctlr-clusterrole-binding
      namespace: kube-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: bigip-ctlr-clusterrole
    subjects:
    - kind: ServiceAccount
      name: bigip-ctlr
      namespace: kube-system
    

    f5-k8s-sample-rbac.yaml

Create a Deployment

Define the BIG-IP Controller configurations in a Kubernetes Deployment using valid JSON or YAML.

Important

If your BIG-IP device connects to the Cluster network via flannel VXLAN, be sure to define the following k8s-bigip-ctlr configuration parameters in your Deployment:

  • --pool-member-type=cluster (See Cluster mode for more information.)
  • --flannel-name=[bigip_tunnel_name]
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr-deployment
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          # replace the version as needed
          image: "f5networks/k8s-bigip-ctlr:1.4.2"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            "--bigip-url=10.11.12.13",
            "--bigip-partition=k8s",
            # The Controller watches all namespaces by default.
            # To manage a single namespace, or multiple namespaces, provide a
            # single entry for each. For example:
            # "--namespace=test",
            # "--namespace=prod"
            # The Controller can access Secrets by default;
            # set to "false" if you only want to use SSL profiles that are
            # already set up on your BIG-IP device, e.g.
            # "--use-secrets=false",
            # The Controller can use local DNS to resolve hostnames;
            # defaults to LOOKUP; can be replaced with custom DNS server IP
            # or left blank (introduced in v1.3.0)
            "--resolve-ingress-names=<DNS_SERVER_IP_ADDRESS>",
            # The Controller can assign an IP address to Ingress resources
            # using the "controller-default" annotation;
            # provide the IP address to use as the default below
            # (introduced in v1.4.0)
            "--default-ingress-ip=1.2.3.4",
            # Runs the BIG-IP Controller in cluster mode (see docs for info:
            # http://clouddocs.f5.com/containers/latest/kubernetes/kctlr-modes.html)
            "--pool-member-type=cluster",
            # If the BIG-IP is connected to a flannel network, provide the
            # BIG-IP tunnel name (introduced in v1.4.0):
            "--flannel-name=<bigip_tunnel_name>"
            ]
      imagePullSecrets:
        - name: f5-docker-images
        - name: bigip-login

f5-k8s-bigip-ctlr_image-secret.yaml

Upload the resources to the Kubernetes API server

Upload the Deployment, Cluster Role, and Cluster Role Binding to the Kubernetes API server using kubectl apply. Be sure to create all resources in the kube-system namespace.

kubectl apply -f f5-k8s-bigip-ctlr_image-secret.yaml --namespace=kube-system
kubectl apply -f f5-k8s-sample-rbac.yaml --namespace=kube-system
deployment "k8s-bigip-ctlr-deployment" created
cluster role "bigip-ctlr-clusterrole" created
cluster role binding "bigip-ctlr-clusterrole-binding" created

Verify creation

Use kubectl get to verify all of the objects launched successfully.

You should see one (1) Deployment, as well as one (1) k8s-bigip-ctlr Pod for each node in the cluster. The example below shows one (1) Pod running the k8s-bigip-ctlr in a test cluster with one worker node.

kubectl get deployments --namespace=kube-system
NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
k8s-bigip-ctlr   1         1         1            1           1h

kubectl get pods --namespace=kube-system
NAME                                  READY     STATUS    RESTARTS   AGE
k8s-bigip-ctlr-331478340-ke0h9        1/1       Running   0          1h
kube-apiserver-172.16.1.19            1/1       Running   0          2d
kube-controller-manager-172.16.1.19   1/1       Running   0          2d
kube-dns-v11-2a66j                    4/4       Running   0          2d
kube-proxy-172.16.1.19                1/1       Running   0          2d
kube-proxy-172.16.1.21                1/1       Running   0          2d
kube-scheduler-172.16.1.19            1/1       Running   0          2d
kubernetes-dashboard-172.16.1.19      1/1       Running   0          2d