F5 Container Integrations v2.0


Install the BIG-IP Controller in OpenShift

Use a Deployment to install the BIG-IP Controller for Kubernetes in OpenShift. The Deployment creates a ReplicaSet that, in turn, launches the BIG-IP Controller app in Pods.

Attention

These instructions are for the OpenShift Kubernetes distribution. If you are using standard Kubernetes, see Install the BIG-IP Controller in Kubernetes.

Task table

Step  Task
1     Complete Initial Setup.
2     Set up RBAC Authentication
3     Create an OpenShift Deployment
4     Upload the Deployment to OpenShift

Initial Setup

Important

You should create all BIG-IP Controller resources in the kube-system namespace unless otherwise specified.

  1. Add your BIG-IP device to the OpenShift Cluster.

  2. Create a new partition on your BIG-IP system.

    Important

    The BIG-IP Controller cannot manage objects in the /Common partition.

  3. Store your BIG-IP login credentials in a Secret.

  4. If you need to pull the k8s-bigip-ctlr image from a private Docker registry, store your Docker login credentials as a Secret.

Set up RBAC Authentication

  1. Create a Service Account for the BIG-IP Controller.

    oc create serviceaccount bigip-ctlr -n kube-system
    serviceaccount "bigip-ctlr" created
    
  2. Create a Cluster Role and Cluster Role Binding. The BIG-IP Controller for OpenShift requires the permissions shown in the table below.

    API groups     Resources                       Actions
    ""             endpoints, namespaces, nodes,   get, list, watch
                   routes, services, secrets
    "extensions"   ingresses                       get, list, watch
    ""             configmaps, events              get, list, watch, update, create, patch
    "extensions"   ingresses/status                get, list, watch, update, create, patch

    # For use in OpenShift clusters
    apiVersion: v1
    kind: ClusterRole
    metadata:
      annotations:
        authorization.openshift.io/system-only: "true"
      name: system:bigip-ctlr
    rules:
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - nodes
      - services
      - endpoints
      - namespaces
      - ingresses
      - routes
      - secrets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - configmaps
      - events
      - ingresses/status
      verbs:
      - get
      - list
      - watch
      - update
      - create
      - patch
    
    ---
    
    apiVersion: v1
    kind: ClusterRoleBinding
    metadata:
      name: bigip-ctlr-role
    userNames:
    - system:serviceaccount:kube-system:bigip-ctlr
    subjects:
    - kind: ServiceAccount
      namespace: kube-system
      name: bigip-ctlr
    roleRef:
      name: system:bigip-ctlr
    

    f5-kctlr-openshift-clusterrole.yaml

  3. Upload the Cluster Role and Cluster Role Binding to the API server.

    oc create -f f5-kctlr-openshift-clusterrole.yaml
    clusterrole "system:bigip-ctlr" created
    clusterrolebinding "bigip-ctlr-role" created
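
The Cluster Role above lists both API groups in each rule, and a rule grants every listed verb on every listed resource in every listed API group. The following check is an added example, not F5's code: it expands the page's rules into (API group, resource) grants, compares them with the permissions table, and builds a rule set that matches the table exactly. The function names are hypothetical and the rules are transcribed from the YAML as Python data.

```python
# Added example: compare a ClusterRole's effective grants with the table above.
READ = {"get", "list", "watch"}
WRITE = READ | {"update", "create", "patch"}
# Permissions table from this page, keyed by (API group, resource).
REQUIRED = {("", r): READ for r in
            ("endpoints", "namespaces", "nodes", "routes", "services", "secrets")}
REQUIRED[("extensions", "ingresses")] = READ
REQUIRED.update({("", "configmaps"): WRITE, ("", "events"): WRITE,
                 ("extensions", "ingresses/status"): WRITE})

# `rules` from f5-kctlr-openshift-clusterrole.yaml, transcribed as Python data.
PAGE_RULES = [
    {"apiGroups": ["", "extensions"],
     "resources": ["nodes", "services", "endpoints", "namespaces",
                   "ingresses", "routes", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["", "extensions"],
     "resources": ["configmaps", "events", "ingresses/status"],
     "verbs": ["get", "list", "watch", "update", "create", "patch"]},
]

def expand(rules):
    """A rule grants every verb on every resource in every listed API group."""
    grants = {}
    for rule in rules:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                grants.setdefault((group, resource), set()).update(rule["verbs"])
    return grants

def audit(rules, required=REQUIRED):
    """Return (missing, extra) verb sets keyed by (API group, resource)."""
    granted = expand(rules)
    missing = {k: v - granted.get(k, set()) for k, v in required.items()}
    extra = {k: v - required.get(k, set()) for k, v in granted.items()}
    return ({k: v for k, v in missing.items() if v},
            {k: v for k, v in extra.items() if v})

def tight_rules(required=REQUIRED):
    """One rule per (API group, verb set), so nothing outside the table is granted."""
    buckets = {}
    for (group, resource), verbs in required.items():
        buckets.setdefault((group, frozenset(verbs)), []).append(resource)
    return [{"apiGroups": [g], "resources": sorted(rs), "verbs": sorted(vs)}
            for (g, vs), rs in buckets.items()]

if __name__ == "__main__":
    missing, extra = audit(PAGE_RULES)
    print("missing:", missing, "| pairs granted beyond the table:", sorted(extra))
```

For the page's rules the audit reports nothing missing and ten (API group, resource) pairs beyond the table, such as ("extensions", "secrets"); `tight_rules()` returns four rules that match the table exactly.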
    

Deploy the BIG-IP Controller

Create an OpenShift Deployment

The BIG-IP Controller has a subset of configuration parameters specific to OpenShift. At minimum, you must include the following configuration parameters in your Deployment:

  • --openshift-sdn-name=/path/to/bigip_openshift_vxlan
  • --pool-member-type=cluster

If using the BIG-IP Controller to manage OpenShift Routes, include the desired Route configuration parameters.

The Deployment must consist of valid JSON or YAML.
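
A preflight check for these requirements, as an added example that is not part of the F5 documentation: it reads a Deployment in JSON form and reports a missing `--openshift-sdn-name`, a `--pool-member-type` other than `cluster`, a managed partition of /Common, and BIG-IP credentials that are not passed as `$(VAR)` references to Secret-backed environment variables. The function name `lint_deployment` and the sample manifest are constructed for illustration, and the check assumes the controller is the first container in the Pod template.

```python
import json

# Added example. Constructed sample: a Deployment in JSON form with three
# deliberate mistakes (literal password, Common partition, no SDN flag).
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {"containers": [{
  "name": "k8s-bigip-ctlr",
  "env": [{"name": "BIGIP_USERNAME", "valueFrom": {"secretKeyRef":
           {"name": "bigip-login", "key": "username"}}}],
  "args": ["--bigip-username=$(BIGIP_USERNAME)",
           "--bigip-password=example-password",
           "--bigip-url=10.190.24.171",
           "--bigip-partition=Common",
           "--pool-member-type=cluster"]}]}}}}
""")

def lint_deployment(deployment):
    """Return findings for the controller container; an empty list means pass."""
    findings = []
    container = deployment["spec"]["template"]["spec"]["containers"][0]
    # Turn ["--flag=value", ...] into {"flag": "value", ...}.
    args = dict(a.lstrip("-").split("=", 1)
                for a in container.get("args", []) if "=" in a)
    # Environment variables whose value comes from a Secret, not a literal.
    secret_env = {e["name"] for e in container.get("env", [])
                  if "secretKeyRef" in e.get("valueFrom", {})}

    if not args.get("openshift-sdn-name"):
        findings.append("missing --openshift-sdn-name")
    if args.get("pool-member-type") != "cluster":
        findings.append("--pool-member-type must be cluster")
    if args.get("bigip-partition", "").strip("/") == "Common":
        findings.append("--bigip-partition must not be /Common")
    for flag in ("bigip-username", "bigip-password"):
        value = args.get(flag, "")
        # Expect the $(VAR) form, with VAR populated from a Secret.
        var = value[2:-1] if value.startswith("$(") and value.endswith(")") else None
        if var not in secret_env:
            findings.append(f"--{flag} is not sourced from a Secret")
    return findings

if __name__ == "__main__":
    for finding in lint_deployment(SAMPLE):
        print("FAIL:", finding)
```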

Ingress Deployment

The example below shows the BIG-IP Controller configurations required if you want to expose OpenShift Services to external traffic using an Ingress.

Example OpenShift Ingress Deployment
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      # Name of the Service Account bound to a Cluster Role with the required
      # permissions
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:1.3.0"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            # Replace with the IP address or hostname of your BIG-IP device
            "--bigip-url=10.190.24.171",
            # Replace with the name of the BIG-IP partition you want to manage
            "--bigip-partition=openshift",
            # To manage a single namespace, enter it below
            # (required in v1.0.0), e.g.:
            #"--namespace=default",
            # To manage multiple namespaces, enter a separate flag for each
            # namespace below (as of v1.1.0)
            # To manage all namespaces, omit the `namespace` entry
            # (default as of v1.1.0)
            "--pool-member-type=cluster",
            # Replace with the path to the BIG-IP VXLAN connected to the
            # OpenShift HostSubnet
            "--openshift-sdn-name=/Common/openshift_vxlan"
            ]
      imagePullSecrets:
        - name: f5-docker-images

f5-k8s-bigip-ctlr_openshift-sdn.yaml

Routes Deployment

The example below shows the BIG-IP Controller configurations required if you want to expose OpenShift Services to external traffic using Routes.

Example OpenShift Route Deployment
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      # Name of the Service Account bound to a Cluster Role with the required
      # permissions
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:1.3.0"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            # Replace with the IP address or hostname of your BIG-IP device
            "--bigip-url=10.190.24.171",
            # Replace with the name of the BIG-IP partition you want to manage
            "--bigip-partition=openshift",
            # To manage a single namespace, enter it below
            # (required in v1.0.0), e.g.:
            #"--namespace=default",
            # To manage multiple namespaces, enter a separate flag for each
            # namespace below (as of v1.1.0)
            # To manage all namespaces, omit the `namespace` entry
            # (default as of v1.1.0)
            "--pool-member-type=cluster",
            # Replace with the path to the BIG-IP VXLAN connected to the
            # OpenShift HostSubnet
            "--openshift-sdn-name=/Common/openshift_vxlan"
            ]
      imagePullSecrets:
        - name: f5-docker-images

Upload the Deployment

  1. Upload the Deployment to the OpenShift API server using oc create.

    oc create -f f5-k8s-bigip-ctlr_openshift-sdn.yaml --namespace=kube-system
    deployment "k8s-bigip-ctlr" created
    
  2. Verify creation using oc get.

    You should see one (1) ReplicaSet, as well as one (1) k8s-bigip-ctlr Pod for each Node in the Cluster. The example below shows one (1) Pod running the k8s-bigip-ctlr in a test cluster with one worker node.

    oc get deployments --namespace=kube-system
    NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
    k8s-bigip-ctlr   1         1         1            1           1h
    
    oc get replicasets --namespace=kube-system
    NAME                       DESIRED   CURRENT   AGE
    k8s-bigip-ctlr-331478340   1         1         1h
    
    oc get pods --namespace=kube-system
    NAME                              READY     STATUS    RESTARTS   AGE
    k8s-bigip-ctlr-1962020886-s31l4   1/1       Running   0          1m