F5 Container Connector - OpenShift

This document provides general information regarding the F5 Integration for OpenShift. For deployment and usage instructions, please refer to the guides below.

Overview

The BIG-IP Controller for OpenShift enables use of a BIG-IP device in OpenShift. Because OpenShift has a native Kubernetes integration, the F5 Integration for OpenShift utilizes the same controller as the F5 Container Connector - Kubernetes (k8s-bigip-ctlr). The BIG-IP Controller configures BIG-IP objects for applications in an OpenShift cluster, serving North-South traffic.

Solution design: The Container Connector runs as an App within the cluster; it configures the BIG-IP device as needed to handle traffic for Apps in the cluster

In OpenShift, you can use the BIG-IP Controller to use a BIG-IP device(s) to:

Note

Integration with OpenShift SDN requires a BIG-IP Better or Best license with SDN services.

Installation

Important

The BIG-IP Controller requires Administrator permissions in order to provide full functionality.

OpenShift Node Health

In OpenShift clusters, the Kubernetes NodeList records status for all nodes registered with the master. Because the BIG-IP Controller integrates with the cluster network, it can access the NodeList in OpenShift’s underlying Kubernetes API server and watch it for changes. The BIG-IP Controller creates/updates FDB (Forwarding DataBase) entries for the configured VXLAN tunnel according to the NodeList. This ensures the BIG-IP Controller only makes VXLAN requests to reported nodes.

As a function of the BIG-IP VXLAN, the BIG-IP device only communicates with healthy cluster nodes. The BIG-IP device does not attempt to route traffic to an unresponsive node, even if the node remains in the NodeList.
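The NodeList-to-FDB bookkeeping described above, sketched as an added example (not the controller's own code) that can also be used to audit a tunnel for stale entries. It assumes each node's InternalIP is its VXLAN endpoint address and models the FDB as a plain set of IPs; the NodeList and FDB contents are constructed samples.

```python
import json

# Constructed sample: a trimmed NodeList as returned by GET /api/v1/nodes.
SAMPLE_NODELIST = json.loads("""
{"kind": "NodeList", "items": [
 {"metadata": {"name": "node-a"}, "status": {
   "addresses": [{"type": "InternalIP", "address": "10.0.0.11"}],
   "conditions": [{"type": "Ready", "status": "True"}]}},
 {"metadata": {"name": "node-b"}, "status": {
   "addresses": [{"type": "InternalIP", "address": "10.0.0.12"}],
   "conditions": [{"type": "Ready", "status": "Unknown"}]}},
 {"metadata": {"name": "node-c"}, "status": {
   "addresses": [{"type": "Hostname", "address": "node-c"}],
   "conditions": [{"type": "Ready", "status": "True"}]}}
]}""")

# Constructed sample: endpoint IPs currently present in the tunnel's FDB.
SAMPLE_FDB = {"10.0.0.11", "10.0.0.99"}


def scan_nodes(nodelist):
    """Return ({vtep_ip: node}, nodes without an InternalIP, nodes not Ready)."""
    endpoints, no_addr, unready = {}, [], []
    for node in nodelist.get("items", []):
        name = node["metadata"]["name"]
        status = node.get("status", {})
        ip = next((a["address"] for a in status.get("addresses", [])
                   if a["type"] == "InternalIP"), None)  # assumed VTEP address
        ready = next((c["status"] for c in status.get("conditions", [])
                      if c["type"] == "Ready"), "Unknown")
        if ip is None:
            no_addr.append(name)  # cannot build an FDB record for this node
            continue
        endpoints[ip] = name
        if ready != "True":
            unready.append(name)  # stays in the FDB; BIG-IP skips it on its own
    return endpoints, no_addr, unready


def reconcile(nodelist, fdb_ips):
    """Diff the FDB against the NodeList: listed nodes stay, unlisted IPs go."""
    endpoints, no_addr, unready = scan_nodes(nodelist)
    return {
        "add": sorted(set(endpoints) - set(fdb_ips)),
        "remove": sorted(set(fdb_ips) - set(endpoints)),
        "no_address": no_addr,
        "listed_not_ready": unready,
    }
```

An FDB address in `remove` no longer belongs to any registered node and is the entry worth investigating first; a node in `listed_not_ready` keeps its FDB record because it is still in the NodeList.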

Tip

You can also set up BIG-IP health monitors for OpenShift Services.

OpenShift Routes

In OpenShift, the BIG-IP Controller can manage BIG-IP objects for routes.

Tip

See manage OpenShift Routes with the BIG-IP Controller for configuration instructions.

Setting up OpenShift Route resources provides the following functionality:

  • listen for HTTP route events in OpenShift and create/delete/expire routes on BIG-IP devices (including L7 config policies such as wildcard routes, prefixes, etc.);
  • apply client SSL certificates from Kubernetes/OpenShift Secrets to BIG-IP LTM objects;
  • apply existing BIG-IP SSL certificates to BIG-IP LTM objects;
  • SSL termination using edge, passthrough, or re-encryption mode.

The table below shows what BIG-IP configurations the BIG-IP Controller applies for common admin tasks in OpenShift.

User action: Create OpenShift Route
Controller action:
  • Create two virtual servers:
    • one (1) HTTP
    • one (1) HTTPS
  • Create pools and pool members with policies attached.
  • Attach defined policies to virtual servers.

User action: Add/remove endpoint(s)
Controller action:
  • Add/remove the pool member(s) that correspond to the endpoint(s) from the Route’s pool.

User action: Delete all Routes
Controller action:
  • Remove all objects associated with the Routes (virtual servers, pools, and pool members) from the BIG-IP system.

Advanced Deployments

The BIG-IP Controller for OpenShift supports the following OpenShift Advanced Deployment Strategies:

Follow the instructions provided in the OpenShift documentation to use these deployment strategies with your BIG-IP Controller and BIG-IP device(s).

Important

The BIG-IP Controller for OpenShift provides the following advantages over the native HAProxy when working with alternate backends:

  • You can use any of the BIG-IP load balancing algorithms the Controller supports (not just round robin). [1]
  • When you assign a weight to a Service in an OpenShift Route, the BIG-IP Controller assigns that weight to the Service’s pool on the BIG-IP device. The weight isn’t split across the Service’s endpoints and there are no per-endpoint weight restrictions.

What’s Next

Refer to the docs below for setup and configuration instructions.

Footnotes

[1] The BIG-IP Controller supports BIG-IP load balancing algorithms that do not require additional configuration parameters. You can view the full list of supported algorithms in the f5-cccl schema. See the BIG-IP Local Traffic Management Basics user guide for information about each load balancing mode.