Use the BIG-IP Controller as a Kubernetes Ingress Controller

This document provides an overview of how you can use the BIG-IP Controller for Kubernetes as an Ingress Controller in Kubernetes. For set-up instructions, see Attach a Virtual Server to a Kubernetes Ingress.

Overview

You can use the BIG-IP Controller as a Kubernetes Ingress Controller. The BIG-IP Controller supports the following Kubernetes Ingress resource types:

Using Multiple Ingress Controllers

Important

The BIG-IP Controller automatically manages all Ingress resources that don’t have an ingress.class defined.

Because the Ingress resource’s ingress.class property is empty by default, the BIG-IP Controller will automatically try to manage all Ingress resources residing in the namespace(s) it watches. The BIG-IP Controller ignores Ingress resources that have any ingress.class other than “f5”.

If you’re using another Ingress Controller to manage Kubernetes Ingress resources:

  1. Set ingress.class to “f5” in all Ingress resources you want the BIG-IP Controller to manage.

    kubernetes.io/ingress.class="f5"

  2. Define the ingress.class as appropriate in Ingress resources managed by other Ingress Controllers.

IP address assignment

The Controller creates one virtual server for each unique IP address listed in an Ingress resource. You can manage IP address assignment using the options below.

See the k8s-bigip-ctlr configuration parameters table for more information about the required settings.

Use BIG-IP SNAT Pools and SNAT automap

Note

By default, the BIG-IP Controller uses BIG-IP Automap SNAT for all of the virtual servers it creates. From k8s-bigip-ctlr v1.5.0 forward, you can designate a specific SNAT pool in the Controller Deployment instead of using SNAT automap.

In environments where the BIG-IP connects to the Cluster network, the self IP used as the BIG-IP VTEP serves as the SNAT pool for all origin addresses within the Cluster. The subnet mask you provide when you create the self IP defines the addresses available to the SNAT pool.

See BIG-IP SNATs and SNAT automap for more information.

Set a Default, Shared IP address

When you set the BIG-IP Controller to use a default IP address, you can share that IP address across Ingress resources. When you share the default IP address across Ingress resources, the BIG-IP Controller

  • creates a shared virtual server with one pool for each Ingress resource, and
  • attaches a unique local traffic policy for each Ingress resource to the virtual server to ensure correct traffic routing.

Important

You can only define one default-ingress-ip per BIG-IP Controller instance.

If you’re using multiple Controllers to monitor separate namespaces, you can define a default IP address for each Controller. This type of deployment allows you to isolate the VIPs in each namespace from each other.

To share the default IP address across Ingress resources:

  1. Define the default-ingress-ip setting in your k8s-bigip-ctlr Deployment using the desired IP address.
  2. Add the virtual-server.f5.com/ip="controller-default" annotation to each Ingress resource for which you want to share the IP address.

When the BIG-IP Controller creates the virtual server on the BIG-IP system, it replaces “controller-default” with the default IP address.

Warning

Use caution when setting the --default-ingress-ip and specifying a BIG-IP SNAT pool.

If you choose to set both options, make sure the IP address defined for the virtual server falls within the range of the selected SNAT pool.

Use DNS lookup

The BIG-IP Controller uses DNS lookup to resolve hostnames by default. The BIG-IP Controller attempts to resolve the first hostname provided in the spec.rules.host section of the Ingress resource. It then assigns the resolved host’s IP address to the Ingress’ virtual server.

Use an IPAM system

If you want to assign IP addresses using an IPAM system, use the BIG-IP Controller to create unattached pools. To do so, just omit the virtual-server.f5.com/ip= annotation from your Ingress resource.

You can then add the virtual-server annotation to the Ingress using the IP address selected by the IPAM system. The BIG-IP Controller will create a new virtual server with the selected IP address and attach the previously-created pool(s) to it.

Beta feature

The F5 IPAM Controller can write the virtual-server.f5.com/ip annotation for you. See the f5-ipam-ctlr docs for more information.

URL Rewrite

The BIG-IP Controller has Annotations that provide Rewrite functionality for Ingress resources. See Rewrite URLs for more information.