Install the BIG-IP Controller in OpenShift

Task table
Step Task
Initial Set-up

Deploy the BIG-IP Controller

Attention

These instructions are for the OpenShift Kubernetes distribution. If you are using standard Kubernetes, see Install the BIG-IP Controller in Kubernetes.

Initial Set-up

Follow the steps in the guides linked to below to set up your BIG-IP device(s) and OpenShift cluster for use with the BIG-IP Controller.

Important

The steps in this section require either Administrator or Resource Administrator permissions on the BIG-IP system.

  1. If you want to use BIG-IP HA, set up two or more F5 BIG-IPs in a Device Service Cluster (DSC).

  2. Create a new partition on your BIG-IP system.

    Note

    • The BIG-IP Controller cannot manage objects in the /Common partition.
    • [Optional] The Controller can decorate the IP addresses it configures on the BIG-IP with a Route Domain identifier. You may want to use route domains if you have many applications using the same IP address space that need isolation from one another. After you create the partition on your BIG-IP system, you can 1) create a route domain and 2) assign the route domain as the partition’s default. See create and set a non-zero default Route Domain for a partition for setup instructions.
    • [Optional] If you’re using a BIG-IP HA pair or cluster, sync your changes across the group.
  3. Store your BIG-IP login credentials in a Secret.

  4. If you need to pull the k8s-bigip-ctlr image from a private Docker registry, store your Docker login credentials as a Secret.

Set up RBAC Authentication

You can create RBAC resources in the project in which you will run your BIG-IP Controller. Each Controller that manages a device in a cluster or active-standby pair can use the same Service Account, Cluster Role, and Cluster Role Binding.

Required RBAC Permissions
API groups     Resources                                                 Actions
""             endpoints, namespaces, nodes, routes, services, secrets   get, list, watch
"extensions"   ingresses                                                 get, list, watch
""             configmaps, events                                        get, list, watch, update, create, patch
"extensions"   ingresses/status                                          get, list, watch, update, create, patch

Tip

Create the RBAC resources in the same Project (or namespace) as the BIG-IP Controller, or in a Project the BIG-IP Controller can access.

If you need to be able to access the RBAC resources from all Projects, an OpenShift administrator should create them in the kube-system namespace (-n kube-system).

In these cases, you can either:

  • use the Controller’s default “watch all namespaces” setting (requires no additional configuration); or
  • set the Controller to watch both the kube-system namespace and the Project’s namespace.

  1. Create a Service Account for the BIG-IP Controller.

    oc create serviceaccount bigip-ctlr [-n kube-system]
    serviceaccount "bigip-ctlr" created
    
  2. Create a Cluster Role and Cluster Role Binding with the required permissions.

    # For use in OpenShift clusters
    apiVersion: v1
    kind: ClusterRole
    metadata:
      annotations:
        authorization.openshift.io/system-only: "true"
      name: system:bigip-ctlr
    rules:
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - nodes
      - services
      - endpoints
      - namespaces
      - ingresses
      - routes
      - secrets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - configmaps
      - events
      - ingresses/status
      verbs:
      - get
      - list
      - watch
      - update
      - create
      - patch
    
    ---
    
    apiVersion: v1
    kind: ClusterRoleBinding
    metadata:
      name: bigip-ctlr-role
    userNames:
    - system:serviceaccount:kube-system:bigip-ctlr
    subjects:
    - kind: ServiceAccount
      name: bigip-ctlr
    roleRef:
      name: system:bigip-ctlr
    

    f5-kctlr-openshift-clusterrole.yaml

  3. Upload the Cluster Role and Cluster Role Binding to the API server.

    oc create -f f5-kctlr-openshift-clusterrole.yaml [-n kube-system]
    clusterrole "system:bigip-ctlr" created
    clusterrolebinding "bigip-ctlr-role" created
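
The following added example (not part of the F5 documentation or the Controller's code) compares the rules of the ClusterRole above with the Required RBAC Permissions table, to show what the role grants beyond the table and what a trimmed role would be missing. The names `expand`, `audit` and `PAGE_ROLE_JSON` are hypothetical, and the JSON is a hand transcription of the YAML rules.

```python
import json

READ = {"get", "list", "watch"}
WRITE = READ | {"update", "create", "patch"}
# (apiGroup, resource) -> verbs, transcribed from the Required RBAC Permissions table.
REQUIRED = {("", r): READ for r in
            ("endpoints", "namespaces", "nodes", "routes", "services", "secrets")}
REQUIRED.update({("extensions", "ingresses"): READ, ("", "configmaps"): WRITE,
                 ("", "events"): WRITE, ("extensions", "ingresses/status"): WRITE})

# Rules of the ClusterRole shown above, transcribed to JSON by hand (constructed input).
PAGE_ROLE_JSON = """
{"rules": [
  {"apiGroups": ["", "extensions"],
   "resources": ["nodes", "services", "endpoints", "namespaces",
                 "ingresses", "routes", "secrets"],
   "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["", "extensions"],
   "resources": ["configmaps", "events", "ingresses/status"],
   "verbs": ["get", "list", "watch", "update", "create", "patch"]}
]}
"""


def expand(role):
    """Map (apiGroup, resource) -> verbs; a rule grants every combination it lists."""
    granted = {}
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups") or [""]:
            for res in rule.get("resources", []):
                granted.setdefault((group, res), set()).update(rule.get("verbs", []))
    return granted


def audit(role):
    """Return (missing, extra) relative to the table; a '*' verb covers all verbs."""
    granted = expand(role)
    missing = {k: need - granted.get(k, set()) for k, need in REQUIRED.items()
               if "*" not in granted.get(k, set()) and need - granted.get(k, set())}
    extra = {k: have - REQUIRED.get(k, set()) for k, have in granted.items()
             if have - REQUIRED.get(k, set())}
    return missing, extra


if __name__ == "__main__":
    missing, extra = audit(json.loads(PAGE_ROLE_JSON))
    print("missing:", missing)
    for pair, verbs in sorted(extra.items()):
        print("beyond table:", pair, sorted(verbs))
```

For the page's role nothing is missing; the pairs reported as beyond the table come from listing both API groups in each rule, so writing one rule per API group makes the role match the table exactly.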
    

Deploy the BIG-IP Controller

The BIG-IP Controller has a subset of configuration parameters specific to OpenShift. Include the following required config parameters in all OpenShift Deployments:

  • --openshift-sdn-name=/path/to/bigip_openshift_vxlan
  • --pool-member-type=cluster

Define an OpenShift Deployment config using valid YAML or JSON.

Create a Deployment

Basic Deployment

The example below shows a Deployment with the basic config parameters required to run the BIG-IP Controller in OpenShift. With this configuration, you can Create BIG-IP virtual servers for Services and Deploy Application Services (iApps).

Example OpenShift Deployment
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      # Name of the Service Account bound to a Cluster Role with the required
      # permissions
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:1.4.2"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            # Replace with the IP address or hostname of your BIG-IP device
            "--bigip-url=10.190.24.171",
            # Replace with the name of the BIG-IP partition you want to manage
            "--bigip-partition=openshift",
            "--pool-member-type=cluster",
            # Replace with the path to the BIG-IP VXLAN connected to the
            # OpenShift HostSubnet
            "--openshift-sdn-name=/Common/openshift_vxlan"
            ]
      imagePullSecrets:
        - name: f5-docker-images
        - name: bigip-login

f5-k8s-bigip-ctlr_openshift-sdn.yaml
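
A pre-upload check for the Deployment above, as an added example that is not F5's code: it confirms the two required OpenShift parameters, rejects the /Common partition, and verifies that the BIG-IP credentials come from a Secret instead of literal values. It assumes the manifest is available as parsed JSON (the page allows JSON manifests); `lint_deployment`, `sample` and the sample data names are hypothetical.

```python
import re

REQUIRED_ARGS = {"--openshift-sdn-name": None, "--pool-member-type": "cluster"}
CRED_ARGS = ("--bigip-username", "--bigip-password")
ENV_REF = re.compile(r"^\$\((\w+)\)$")  # matches "$(BIGIP_PASSWORD)"


def lint_deployment(dep):
    """Return findings for a parsed Deployment, checked against the page's requirements."""
    findings = []
    pod = dep["spec"]["template"]["spec"]
    if not pod.get("serviceAccountName"):
        findings.append("serviceAccountName is not set")
    for c in pod.get("containers", []):
        args = dict(a.split("=", 1) for a in c.get("args", []) if "=" in a)
        env = {e["name"]: e for e in c.get("env", [])}
        for flag, want in REQUIRED_ARGS.items():
            if not args.get(flag):
                findings.append(f"{flag} is missing")
            elif want and args[flag] != want:
                findings.append(f"{flag} must be {want}, found {args[flag]}")
        if args.get("--bigip-partition", "").strip("/").lower() in ("", "common"):
            findings.append("--bigip-partition must name a partition other than /Common")
        for flag in CRED_ARGS:
            ref = ENV_REF.match(args.get(flag, ""))
            src = env.get(ref.group(1), {}) if ref else {}
            if "secretKeyRef" not in src.get("valueFrom", {}):
                findings.append(f"{flag} is not read from a Secret")
    return findings


def sample(args, env):  # constructed skeleton with only the fields the lint reads
    return {"spec": {"template": {"spec": {
        "serviceAccountName": "bigip-ctlr",
        "containers": [{"name": "k8s-bigip-ctlr", "args": args, "env": env}]}}}}


# Args and env from the page's example Deployment.
SECRET_ENV = [{"name": n, "valueFrom": {"secretKeyRef": {"name": "bigip-login", "key": k}}}
              for n, k in (("BIGIP_USERNAME", "username"), ("BIGIP_PASSWORD", "password"))]
PAGE_ARGS = ["--bigip-username=$(BIGIP_USERNAME)", "--bigip-password=$(BIGIP_PASSWORD)",
             "--bigip-url=10.190.24.171", "--bigip-partition=openshift",
             "--pool-member-type=cluster", "--openshift-sdn-name=/Common/openshift_vxlan"]
# Constructed misconfiguration: literal credentials, /Common, no VXLAN path.
BAD_ARGS = ["--bigip-username=admin", "--bigip-password=example-password",
            "--bigip-partition=Common", "--pool-member-type=nodeport"]

if __name__ == "__main__":
    print(lint_deployment(sample(BAD_ARGS, [])))
```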

Deployments for Managing Routes

The BIG-IP Controller has a set of Route configuration parameters. See Manage Routes with the BIG-IP Controller for examples and set-up instructions.

Deployments for BIG-IP HA

If you want to manage a BIG-IP HA pair or group, you’ll need to deploy a BIG-IP Controller instance for each device. See BIG-IP High Availability in OpenShift for more information.

Upload the Deployment

Use the oc create command to upload the Deployment to the OpenShift API server.

oc create -f f5-k8s-bigip-ctlr_openshift-sdn.yaml
deployment "k8s-bigip-ctlr" created

Verify Pod(s)

You can verify that the Controller(s) were created successfully using the oc get command.

You should see one k8s-bigip-ctlr Pod for each Node in the Cluster. The example below shows one k8s-bigip-ctlr Pod running in a test cluster with one worker node.

oc get pods
NAME                              READY     STATUS    RESTARTS   AGE
k8s-bigip-ctlr-1962020886-s31l4   1/1       Running   0          1m