F5 Container Integrations

Current Page

Cloud Foundry

Kubernetes / OpenShift

Mesos Marathon

Support

Troubleshooting

Tutorials


View related articles on DevCentral

Cloud Docs Home > F5 Container Integrations Index

Install the BIG-IP Controller in Kubernetes

The BIG-IP Controller for Kubernetes installs via a Kubernetes Deployment. The Deployment creates a ReplicaSet that, in turn, launches a Pod running the BIG-IP Controller app.

Attention

These instructions are for a standard Kubernetes environment. If you are using OpenShift, see Install the BIG-IP Controller for Kubernetes in OpenShift Origin.

Initial Setup

Important

You should create all BIG-IP Controller resources in the kube-system namespace unless otherwise specified.

  1. Create a new partition on your BIG-IP system.

    Important

    The BIG-IP Controller can not manage objects in the /Common partition.

  2. Store your BIG-IP login credentials in a Secret.

  3. If you need to pull the k8s-bigip-ctlr image from a private Docker registry, store your Docker login credentials as a Secret.

Set up RBAC Authentication

Note

If your cluster doesn’t use Role Based Access Control , you can skip this step.

  1. Create a Service Account for the BIG-IP Controller.

    kubectl create serviceaccount bigip-ctlr -n kube-system
    serviceaccount "bigip-ctlr" created
    
  2. Create a Cluster Role and Cluster Role Binding.

    You can restrict the permissions granted in the cluster role as needed for your deployment. The table below shows the supported permission set (these are also provided in the Cluster Role example below).

    API groups Resources Actions
    “” endpoints get, list, watch
    namespaces
    nodes
    pods
    services
    secrets
    “extensions” ingresses get, list, watch
    “” configmaps get, list, watch, update, create, patch
      events
    “extensions” ingresses/status get, list, watch, update, create, patch

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    # for use in k8s clusters using RBAC
    # for Openshift use the openshift specific examples
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: bigip-ctlr-clusterrole
    rules:
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - nodes
      - services
      - endpoints
      - namespaces
      - ingresses
      - secrets
      - pods
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - configmaps
      - events
      - ingresses/status
      verbs:
      - get
      - list
      - watch
      - update
      - create
      - patch
    
    ---
    
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: bigip-ctlr-clusterrole-binding
      namespace: kube-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: bigip-ctlr-clusterrole
    subjects:
    - kind: ServiceAccount
      name: bigip-ctlr
      namespace: kube-system
    

    f5-k8s-sample-rbac.yaml

Create a Deployment

Define the BIG-IP Controller configurations in a Kubernetes Deployment using valid JSON or YAML.

Important

If your BIG-IP device connects to the Cluster network via flannel VXLAN, be sure to define the following k8s-bigip-ctlr configuration parameters in your Deployment:

  • --pool-member-type=cluster (See Cluster mode for more information.)
  • --flannel-name=[bigip_tunnel_name]
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr-deployment
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          # replace the version as needed
          image: "f5networks/k8s-bigip-ctlr:1.4.0"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            "--bigip-url=10.11.12.13",
            "--bigip-partition=k8s",
            # The Controller watches all namespaces by default.
            # To manage a single namespace, or multiple namespaces, provide a
            # single entry for each. For example:
            # "--namespace=test",
            # "--namespace=prod"
            # The Controller can access Secrets by default;
            # set to "false" if you only want to use SSL profiles that are
            # already set up on your BIG-IP device, e.g.
            # "--use-secrets=false",
            # The Controller can use local DNS to resolve hostnames;
            # defaults to LOOKUP; can be replaced with custom DNS server IP
            # or left blank (introduced in v1.3.0)
            "--resolve-ingress-names=<DNS_SERVER_IP_ADDRESS>",
            # The Controller can assign an IP address to Ingress resources
            # using the "controller-default" annotation;
            # provide the IP address to use as the default below
            # (introduced in v1.4.0)
            "--default-ingress-ip=1.2.3.4",
            # Runs the BIG-IP Controller in cluster mode (see docs for info:
            # http://clouddocs.f5.com/containers/latest/kubernetes/kctlr-modes.html)
            "--pool-member-type=cluster",
            # If the BIG-IP is connected to a flannel network, provide the
            # BIG-IP tunnel name (introduced in v1.4.0):
            "--flannel-name=<bigip_tunnel_name>"
            ]
      imagePullSecrets:
        - name: f5-docker-images
        - name: bigip-login

f5-k8s-bigip-ctlr_image-secret.yaml

Upload the resources to the Kubernetes API server

Upload the Deployment, Cluster Role, and Cluster Role Binding to the Kubernetes API server using kubectl apply. Be sure to create all resources in the kube-system namespace.

kubectl apply -f f5-k8s-bigip-ctlr_image-secret.yaml --namespace=kube-system
kubectl apply -f f5-k8s-sample-rbac.yaml --namespace=kube-system
deployment "k8s-bigip-ctlr-deployment" created
cluster role "bigip-ctlr-clusterrole" created
cluster role binding "bigip-ctlr-clusterrole-binding" created

Verify creation

Use kubectl get to verify all of the objects launched successfully.

You should see one (1) Deployment, as well as one (1) k8s-bigip-ctlr Pod for each node in the cluster. The example below shows one (1) Pod running the k8s-bigip-ctlr in a test cluster with one worker node.

kubectl get deployments --namespace=kube-system
NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
k8s-bigip-ctlr   1         1         1            1           1h

kubectl get pods --namespace=kube-system
NAME                                  READY     STATUS    RESTARTS   AGE
k8s-bigip-ctlr-331478340-ke0h9        1/1       Running   0          1h
kube-apiserver-172.16.1.19            1/1       Running   0          2d
kube-controller-manager-172.16.1.19   1/1       Running   0          2d
kube-dns-v11-2a66j                    4/4       Running   0          2d
kube-proxy-172.16.1.19                1/1       Running   0          2d
kube-proxy-172.16.1.21                1/1       Running   0          2d
kube-scheduler-172.16.1.19            1/1       Running   0          2d
kubernetes-dashboard-172.16.1.19      1/1       Running   0          2d