F5 Container Integrations v2.0


Expose Services to External Traffic using Ingresses

You can use the BIG-IP Controller for Kubernetes and OpenShift to expose Services to external traffic on BIG-IP virtual servers. The BIG-IP Controller has a set of supported Ingress annotations that allow you to define the objects to create on the BIG-IP system.

The BIG-IP Controller supports four (4) types of Kubernetes Ingress Resource:

  • Single Service
  • Simple Fanout
  • Name-based virtual hosting
  • TLS

Attention

The BIG-IP Controller creates one (1) BIG-IP virtual server per Ingress resource. If the Ingress resource incorporates multiple Services, the BIG-IP Controller creates a pool for each Service.

If you set allowHttp or sslRedirect to “True”, the Controller creates two (2) virtual servers.

Tasks

  1. Create a BIG-IP Self IP address for the virtual server.
  2. Create an Ingress Resource with the F5 virtual-server annotation.
  3. Create a BIG-IP Health Monitor for an Ingress.
  4. Upload the Ingress to the API server.
  5. Verify creation of BIG-IP objects.

Initial Setup

  1. Create a BIG-IP Self IP address.

    Allocate a Self IP address from the external network on the BIG-IP system. This is the IP address you should assign to the Ingress’ virtual server.

Quick Start

You can add the supported Ingress annotations to any existing Ingress resource using kubectl annotate or oc annotate. At minimum, define the following properties:

  • virtual-server.f5.com/ip
  • virtual-server.f5.com/partition

Hint

In Kubernetes/OpenShift, the default for the ingress.class property is unset. The BIG-IP Controller automatically manages any Ingress resources for which this property is unset.

To avoid conflicts with other Ingress controllers, set the ingress.class property to “f5”, as shown below:

kubernetes.io/ingress.class="f5"

Specify a different value for Ingress resources that other controllers should manage. The BIG-IP Controller ignores Ingress resources with any ingress.class other than “f5”.

Kubernetes

kubectl annotate ingress myIngress virtual-server.f5.com/ip="1.2.3.4"
kubectl annotate ingress myIngress virtual-server.f5.com/partition="k8s" \
                                   virtual-server.f5.com/balance="round-robin" \
                                   virtual-server.f5.com/http-port="80" \
                                   virtual-server.f5.com/health='[{"path": "svc1.bar.com/foo", "send": "HTTP GET /health/foo", "interval": 5, "timeout": 10}]' \
                                   ingress.kubernetes.io/ssl-redirect="true" \
                                   ingress.kubernetes.io/allow-http="false" \
                                   kubernetes.io/ingress.class="f5"

OpenShift

oc annotate ingress myIngress virtual-server.f5.com/ip="1.2.3.4"
oc annotate ingress myIngress virtual-server.f5.com/partition="openshift" \
                              virtual-server.f5.com/balance="round-robin" \
                              virtual-server.f5.com/http-port="80" \
                              virtual-server.f5.com/health='[{"path": "svc1.bar.com/foo", "send": "HTTP GET /health/foo", "interval": 5, "timeout": 10}]' \
                              ingress.kubernetes.io/ssl-redirect="true" \
                              ingress.kubernetes.io/allow-http="false" \
                              kubernetes.io/ingress.class="f5"

Create an Ingress Resource with the F5 virtual-server annotation

Define the supported Ingress annotations in a Kubernetes Ingress Resource using valid JSON.

Single Service

A Single Service Ingress creates a BIG-IP virtual server and server pool for a single Kubernetes Service.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress1
  namespace: default
  annotations:
    # Provide an IP address from the external VLAN on your BIG-IP device
    virtual-server.f5.com/ip: "10.190.25.70"
    # Specify the BIG-IP partition containing the virtual server
    virtual-server.f5.com/partition: "kubernetes"
spec:
  backend:
    # The name of the Service you want to expose to external traffic
    serviceName: myService
    servicePort: 80

f5-k8s-single-ingress.yaml

Simple Fanout

A Simple Fanout Ingress creates a BIG-IP virtual server and pools for a group of Kubernetes Services (one pool per Service).

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ing-fanout
  namespace: default
  annotations:
    # BIG-IP Self IP address to assign to the virtual server
    virtual-server.f5.com/ip: "1.2.3.4"
    # BIG-IP partition
    virtual-server.f5.com/partition: "kubernetes"
    # Load balancing algorithm
    virtual-server.f5.com/balance: "least-connections-node"
spec:
  rules:
  - host: mysite.example.com
    http:
      paths:
      - path: /mysite/app1
        backend:
          serviceName: myService1
          servicePort: 80
      - path: /mysite/app2
        backend:
          serviceName: myService2
          servicePort: 80

f5-k8s-ingress-fanout.yaml

Name-based virtual hosting

A Name-based virtual hosting ingress creates the following BIG-IP objects:

  • One (1) virtual server with one (1) pool for each Service.
  • Local traffic policies that route requests to specific pools based on host name and path.

Tip

If you don’t specify any hosts or paths, the BIG-IP device will proxy traffic for all hosts/paths for the Service specified in the backend section of the virtual-server annotation.

Specific hosts
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: ing-virtual-hosting
 namespace: default
 annotations:
  # BIG-IP Self IP address to assign to the virtual server
  virtual-server.f5.com/ip: "1.2.3.4"
  # BIG-IP partition
  virtual-server.f5.com/partition: "kubernetes"
  # Load balancing algorithm
  virtual-server.f5.com/balance: "least-connections-node"
  # Specify the port you want to handle requests
  virtual-server.f5.com/http-port: "80"
spec:
 rules:
 # URL
 - host: mysite.example.com
   http:
     # path to Service from URL
     paths:
       - path: /myApp1
         backend:
           serviceName: myService1
           servicePort: 80
 # URL
 - host: yoursite.example.com
   http:
     # path to Service from URL
     paths:
       - path: /myApp2
         backend:
           serviceName: myService2
           servicePort: 80

f5-k8s-ingress-virtual-hosting.yaml

All hosts
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: ing-virtual-hosting
 namespace: default
 annotations:
  # BIG-IP Self IP address to assign to the virtual server
  virtual-server.f5.com/ip: "1.2.3.4"
  # BIG-IP partition
  virtual-server.f5.com/partition: "kubernetes"
  # Load balancing algorithm
  virtual-server.f5.com/balance: "least-connections-node"
  # Specify the port you want to handle requests
  virtual-server.f5.com/http-port: "80"
spec:
 rules:
 # omit host name (URL) to match all hosts
 - http:
     # Provide path to each Service you want to proxy
     paths:
     - path: /myApp1
       backend:
         serviceName: myService1
         servicePort: 80
     - path: /myApp2
       backend:
         serviceName: myService2
         servicePort: 80

f5-k8s-ingress-virtual-hosting_all.yaml

TLS

You can secure an Ingress using Secrets or BIG-IP SSL profiles.

  1. Specify the SSL profile(s) or the Secret containing the cert and key in the spec.tls section of the Ingress resource.
  2. Add the ingress.kubernetes.io/ssl-redirect annotation (OPTIONAL; defaults to "true").
  3. Add the ingress.kubernetes.io/allow-http annotation (OPTIONAL; defaults to "false").

Note

  • You can specify one (1) or more SSL profiles in your Ingress resource.
  • If you specify a spec.tls section without providing the TLS Ingress properties, the BIG-IP device uses local traffic policies to redirect HTTP requests to HTTPS.

See also

Refer to the Kubernetes TLS Ingress documentation for details regarding supported port(s) and termination.

BIG-IP SSL profiles

TLS Example
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingressTLS
  namespace: default
  annotations:
    # Provide a BIG-IP Self IP address to assign to the virtual server.
    virtual-server.f5.com/ip: "1.2.3.4"
    # Specify the BIG-IP partition where the Controller should create the virtual server.
    virtual-server.f5.com/partition: "kubernetes"
    # Redirect HTTP requests to HTTPS
    ingress.kubernetes.io/ssl-redirect: "true"
    # Allow/deny HTTP connections
    ingress.kubernetes.io/allow-http: "false"
spec:
  tls:
    # Provide the BIG-IP SSL Profile you want to use.
    # Follows the format "/partition/profile_name".
    - secretName: /Common/clientssl
  backend:
    # The name of a single Kubernetes Service you want to expose to external
    # traffic using TLS
    serviceName: myService
    servicePort: 443

f5-k8s-ingress-tls.yaml

Kubernetes Secrets

TLS Example
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingressTLS
  namespace: default
  annotations:
    # Provide a BIG-IP Self IP address to assign to the virtual server.
    virtual-server.f5.com/ip: "1.2.3.4"
    # Specify the BIG-IP partition where the Controller should create the virtual server.
    virtual-server.f5.com/partition: "kubernetes"
    # Redirect HTTP requests to HTTPS
    ingress.kubernetes.io/ssl-redirect: "true"
    # Allow/deny HTTP connections
    ingress.kubernetes.io/allow-http: "false"
spec:
  tls:
    # Provide the name of the Secret containing the cert and key you want to use.
    - secretName: myTLSSecret
  backend:
    # The name of a single Kubernetes Service you want to expose to external
    # traffic using TLS
    serviceName: myService
    servicePort: 443

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: no-rules-map
spec:
  tls:
  - secretName: testsecret
  backend:
    serviceName: s1
    servicePort: 80

f5-k8s-ingress-tls-secret.yaml
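
The checks implied by the Quick Start, the ingress.class hint and the TLS annotations above, as an added Python example (not F5's code). It audits an Ingress parsed from JSON, such as kubectl get ingress -o json output; the function names, the sample object and the rule that a secretName beginning with "/" denotes a BIG-IP SSL profile are assumptions made here.

```python
import json

REQUIRED = ("virtual-server.f5.com/ip", "virtual-server.f5.com/partition")
ALLOW_HTTP = "ingress.kubernetes.io/allow-http"   # page default: "false"
INGRESS_CLASS = "kubernetes.io/ingress.class"

def tls_source(secret_name):
    """Assumption: '/partition/profile_name' is an SSL profile, anything else a Secret."""
    return "bigip-ssl-profile" if secret_name.startswith("/") else "k8s-secret"

def audit_ingress(ingress):
    """Return a list of findings for one Ingress object parsed from JSON."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    findings = [f"missing required annotation {k}" for k in REQUIRED if not ann.get(k)]
    cls = ann.get(INGRESS_CLASS)
    if cls is None:
        findings.append("ingress.class unset: managed by the BIG-IP Controller by default")
    elif cls != "f5":
        findings.append(f"ingress.class {cls!r}: ignored by the BIG-IP Controller")
    tls = ingress.get("spec", {}).get("tls") or []
    if not tls:
        findings.append("no spec.tls: not secured with a Secret or SSL profile")
    elif str(ann.get(ALLOW_HTTP, "false")).lower() == "true":
        findings.append("allow-http is true: HTTP connections allowed on a TLS Ingress")
    return findings

# Constructed sample (not from the page): a TLS Ingress that still allows HTTP
# and leaves ingress.class and the partition unset.
SAMPLE = json.loads("""
{"apiVersion": "extensions/v1beta1", "kind": "Ingress",
 "metadata": {"name": "demo", "annotations": {
   "virtual-server.f5.com/ip": "1.2.3.4",
   "ingress.kubernetes.io/allow-http": "true"}},
 "spec": {"tls": [{"secretName": "/Common/clientssl"}],
          "backend": {"serviceName": "svc1", "servicePort": 443}}}
""")

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE):
        print("FINDING:", finding)
    for entry in SAMPLE["spec"]["tls"]:
        print(entry["secretName"], "->", tls_source(entry["secretName"]))
```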

Create a BIG-IP Health Monitor for an Ingress

  1. Add the virtual-server.f5.com/health annotation to your Ingress resource.

    Health Monitor Example
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ing1
      namespace: default
      annotations:
        virtual-server.f5.com/ip:        "1.2.3.4"
        virtual-server.f5.com/partition: "kubernetes"
        virtual-server.f5.com/health: |
          [
            {
              "path":     "svc1.example.com/app1",
              "send":     "HTTP GET /health/app1",
              "interval": 5,
              "timeout":  10
            }, {
              "path":     "svc2.example.com/app2",
              "send":     "HTTP GET /health/app2",
              "interval": 5,
              "timeout":  5
            }
          ]
    spec:
      rules:
      - host: svc1.example.com
        http:
          paths:
          - backend:
              serviceName: svc1
              servicePort: 8080
            path: /app1
      - host: svc2.example.com
        http:
          paths:
          - backend:
              serviceName: svc2
              servicePort: 9090
            path: /app2
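
An added example (not part of the F5 documentation) that validates the virtual-server.f5.com/health annotation before upload: it parses the JSON, checks the four fields used above, and confirms that each monitor path corresponds to a host and path in spec.rules. The function names, the sample object and the path-matching rule, which is inferred from the example above, are assumptions.

```python
import json

HEALTH = "virtual-server.f5.com/health"
FIELDS = {"path": str, "send": str, "interval": int, "timeout": int}

def rule_paths(ingress):
    """Collect 'host/path' strings from spec.rules (the form the health 'path' takes)."""
    found = set()
    for rule in ingress.get("spec", {}).get("rules") or []:
        for entry in rule.get("http", {}).get("paths") or []:
            found.add(rule.get("host", "") + entry.get("path", ""))
    return found

def check_health(ingress):
    """Return the problems found in the health annotation; empty list if clean."""
    raw = (ingress.get("metadata", {}).get("annotations") or {}).get(HEALTH)
    if raw is None:
        return ["health annotation not set"]
    try:
        monitors = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(monitors, list):
        return ["expected a JSON array of monitor objects"]
    problems, known = [], rule_paths(ingress)
    for i, mon in enumerate(monitors):
        if not isinstance(mon, dict):
            problems.append(f"monitor {i}: not a JSON object")
            continue
        for field, kind in FIELDS.items():
            value = mon.get(field)
            if not isinstance(value, kind) or isinstance(value, bool):
                problems.append(f"monitor {i}: '{field}' missing or not {kind.__name__}")
        if isinstance(mon.get("path"), str) and mon["path"] not in known:
            problems.append(f"monitor {i}: path {mon['path']!r} matches no rule")
    return problems

# Constructed sample: monitor 1 has a string interval and a path no rule serves.
SAMPLE = {
    "metadata": {"annotations": {HEALTH: json.dumps([
        {"path": "svc1.example.com/app1", "send": "HTTP GET /health/app1",
         "interval": 5, "timeout": 10},
        {"path": "svc2.example.com/app3", "send": "HTTP GET /health/app2",
         "interval": "5", "timeout": 5}])}},
    "spec": {"rules": [
        {"host": "svc1.example.com", "http": {"paths": [{"path": "/app1"}]}},
        {"host": "svc2.example.com", "http": {"paths": [{"path": "/app2"}]}}]},
}
print("\n".join(check_health(SAMPLE)))
```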
    

Upload the Ingress to the API server

Use kubectl create to upload the Ingress Resource to the Kubernetes API server.

kubectl create -f <filename>.yaml
Ingress "myIngress" created

Verify creation of BIG-IP objects

You can use TMOS or the BIG-IP configuration utility to verify that the BIG-IP Controller created the requested BIG-IP objects for your Ingress.

To verify using the BIG-IP configuration utility:

  1. Log in to the configuration utility at the management IP address (for example: https://10.190.25.225/tmui/login.jsp?).
  2. Select the correct partition from the Partition drop-down menu.
  3. Go to Local Traffic ‣ Virtual Servers to view all virtual servers, pools, and pool members.
  4. Go to Local Traffic ‣ Policies to view any new policies.

See the TMSH Reference Guide (PDF) for the relevant tmsh ltm commands.