
Install the BIG-IP Controller in OpenShift

Use a Deployment to install the BIG-IP Controller for OpenShift.

Attention

These instructions are for the OpenShift Kubernetes distribution. If you are using standard Kubernetes, see Install the BIG-IP Controller in Kubernetes.

Task table
Step   Task
1      Complete Initial Setup.
2      Set up RBAC Authentication
3      Create an OpenShift Deployment
4      Upload the Deployment to OpenShift

Initial Setup

Important

You should create all BIG-IP Controller resources in the kube-system namespace unless otherwise specified.

  1. Add your BIG-IP device to the OpenShift Cluster.

  2. Create a new partition on your BIG-IP system.

    Important

    The BIG-IP Controller cannot manage objects in the /Common partition.

  3. Store your BIG-IP login credentials in a Secret.

  4. If you need to pull the k8s-bigip-ctlr image from a private Docker registry, store your Docker login credentials as a Secret.

Set up RBAC Authentication

  1. Create a Service Account for the BIG-IP Controller.

    oc create serviceaccount bigip-ctlr -n kube-system
    serviceaccount "bigip-ctlr" created
    
  2. Create a Cluster Role and Cluster Role Binding. The BIG-IP Controller for OpenShift requires the permissions shown in the table below.

    API groups     Resources          Actions
    ""             endpoints          get, list, watch
                   namespaces
                   nodes
                   routes
                   services
                   secrets
    "extensions"   ingresses          get, list, watch
    ""             configmaps         get, list, watch, update, create, patch
                   events
    "extensions"   ingresses/status   get, list, watch, update, create, patch

    # For use in OpenShift clusters
    apiVersion: v1
    kind: ClusterRole
    metadata:
      annotations:
        authorization.openshift.io/system-only: "true"
      name: system:bigip-ctlr
    rules:
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - nodes
      - services
      - endpoints
      - namespaces
      - ingresses
      - routes
      - secrets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      - "extensions"
      resources:
      - configmaps
      - events
      - ingresses/status
      verbs:
      - get
      - list
      - watch
      - update
      - create
      - patch
    
    ---
    
    apiVersion: v1
    kind: ClusterRoleBinding
    metadata:
        name: bigip-ctlr-role
    userNames:
    - system:serviceaccount:kube-system:bigip-ctlr
    subjects:
    - kind: ServiceAccount
      namespace: kube-system
      name: bigip-ctlr
    roleRef:
      name: system:bigip-ctlr
    

    f5-kctlr-openshift-clusterrole.yaml

  3. Upload the Cluster Role and Cluster Role Binding to the API server.

    oc create -f f5-kctlr-openshift-clusterrole.yaml
    clusterrole "system:bigip-ctlr" created
    clusterrolebinding "bigip-ctlr-role" created
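
One way to confirm the binding took effect and grants no more than the table lists, as an added example that is not part of the F5 documentation: it impersonates the Service Account with `oc auth can-i`. It assumes your own login may impersonate service accounts; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not F5's code). Impersonation with --as requires that the
# caller may impersonate service accounts, e.g. a cluster-admin session.
SA="system:serviceaccount:kube-system:bigip-ctlr"
RBAC_MISMATCHES=0

# can_i VERB RESOURCE [oc flags...] prints "yes" or "no".
can_i() {
  oc auth can-i "$@" --as="$SA" --all-namespaces 2>/dev/null || true
}

# expect_answer ANSWER VERB RESOURCE [oc flags...] records a mismatch.
expect_answer() {
  want=$1; shift
  if [ "$(can_i "$@")" != "$want" ]; then
    echo "MISMATCH (expected $want): $*"
    RBAC_MISMATCHES=$((RBAC_MISMATCHES + 1))
  fi
}

verify_bigip_ctlr_rbac() {
  RBAC_MISMATCHES=0
  # Table rows 1-2: read-only access, so every write verb must be denied.
  for res in endpoints namespaces nodes routes services secrets ingresses.extensions; do
    for verb in get list watch; do expect_answer yes "$verb" "$res"; done
    for verb in create update patch delete; do expect_answer no "$verb" "$res"; done
  done
  # Table row 3: configmaps and events are read/write, but not deletable.
  for res in configmaps events; do
    for verb in get list watch update create patch; do expect_answer yes "$verb" "$res"; done
    expect_answer no delete "$res"
  done
  # Table row 4: the status subresource of Ingresses is read/write.
  for verb in get list watch update create patch; do
    expect_answer yes "$verb" ingresses.extensions --subresource=status
  done
  [ "$RBAC_MISMATCHES" -eq 0 ]
}

# Run only where the oc client is installed and logged in.
if command -v oc >/dev/null 2>&1; then
  verify_bigip_ctlr_rbac && echo "RBAC matches the table"
fi
```

A "MISMATCH (expected no)" line for `secrets` deserves the most attention, because the role already reads Secrets in every namespace.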
    

Deploy the BIG-IP Controller

Create an OpenShift Deployment

The BIG-IP Controller has a subset of configuration parameters specific to OpenShift. At minimum, you must include the following configuration parameters in your Deployment:

  • --openshift-sdn-name=/path/to/bigip_openshift_vxlan
  • --pool-member-type=cluster

The Deployment must consist of valid JSON or YAML. The example below shows the basic BIG-IP Controller configurations. You can customize this for your environment using the k8s-bigip-ctlr configuration parameters.

Example OpenShift Deployment
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      # Name of the Service Account bound to a Cluster Role with the required
      # permissions
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:1.4.0"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            # Replace with the IP address or hostname of your BIG-IP device
            "--bigip-url=10.190.24.171",
            # Replace with the name of the BIG-IP partition you want to manage
            "--bigip-partition=openshift",
            "--pool-member-type=cluster",
            # Replace with the path to the BIG-IP VXLAN connected to the
            # OpenShift HostSubnet
            "--openshift-sdn-name=/Common/openshift_vxlan"
            ]
      imagePullSecrets:
        - name: f5-docker-images
        - name: bigip-login

f5-k8s-bigip-ctlr_openshift-sdn.yaml

The example below shows the basic BIG-IP Controller Route configuration parameters needed to manage Routes. See Use Route Resources to Expose OpenShift Services to External Traffic for additional information.

Example OpenShift Route Deployment
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      # Name of the Service Account bound to a Cluster Role with the required
      # permissions
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:1.4.0"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            # Replace with the IP address or hostname of your BIG-IP device
            "--bigip-url=10.190.24.171",
            # Replace with the name of the BIG-IP partition you want to manage
            "--bigip-partition=openshift",
            "--pool-member-type=cluster",
            # Replace with the path to the BIG-IP VXLAN connected to the
            # OpenShift HostSubnet
            "--openshift-sdn-name=/Common/openshift_vxlan",
            # Enables use of a BIG-IP device as an OpenShift Router
            "--manage-routes=true",
            # Assign an IP address to the BIG-IP virtual server
            # Be sure to use an IP address from the HostSubnet to which the
            # BIG-IP device connects
            "--route-vserver-addr=1.2.3.4",
            # OPTIONAL: Provide an "f5type" label you want the BIG-IP Controller
            # to watch for. This information should be defined in a Route
            # Resource (for example, "f5type: App1")
            "--route-label=App1"
            ]
      imagePullSecrets:
        - name: f5-docker-images
        - name: bigip-login
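
A pre-upload check for either manifest above, added here as an example rather than taken from F5: it confirms the two required OpenShift parameters, rejects the /Common partition, and verifies that the credentials arrive through a Secret reference instead of a literal. The function names are hypothetical, and the script reads the manifest as text, so it accepts YAML or JSON.

```shell
#!/bin/sh
# Added example (not F5's code): static checks on a BIG-IP Controller
# Deployment manifest before it is uploaded with oc create.

# arg_value FILE FLAG prints the value of --FLAG=... (first match,
# comment lines skipped).
arg_value() {
  grep -v '^[[:space:]]*#' "$1" |
    sed -n "s/.*--$2=\([^\"',[:space:]]*\).*/\1/p" | head -n 1
}

# Prints one FAIL line per problem; returns 0 only if the manifest is clean.
lint_bigip_ctlr_manifest() {
  f=$1; rc=0
  # Minimum parameters for OpenShift named on this page.
  [ -n "$(arg_value "$f" openshift-sdn-name)" ] ||
    { echo "FAIL: --openshift-sdn-name is missing"; rc=1; }
  [ "$(arg_value "$f" pool-member-type)" = "cluster" ] ||
    { echo "FAIL: --pool-member-type must be cluster"; rc=1; }
  # The controller cannot manage objects in the /Common partition.
  case "$(arg_value "$f" bigip-partition)" in
    Common|/Common) echo "FAIL: --bigip-partition points at /Common"; rc=1 ;;
  esac
  # Credentials must be env references such as $(BIGIP_PASSWORD) that a
  # secretKeyRef fills in, never literals stored with the manifest.
  for flag in bigip-username bigip-password; do
    case "$(arg_value "$f" "$flag")" in
      '$('*')') ;;
      *) echo "FAIL: --$flag is not an environment reference"; rc=1 ;;
    esac
  done
  grep -v '^[[:space:]]*#' "$f" | grep -q 'secretKeyRef' ||
    { echo "FAIL: no secretKeyRef found for the credentials"; rc=1; }
  return "$rc"
}

# Usage: sh lint.sh f5-k8s-bigip-ctlr_openshift-sdn.yaml
if [ -n "${1:-}" ]; then lint_bigip_ctlr_manifest "$1"; fi
```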

Upload the Deployment

  1. Upload the Deployment to the OpenShift API server using oc create.

    oc create -f f5-k8s-bigip-ctlr_openshift-sdn.yaml
    deployment "k8s-bigip-ctlr" created
    
  2. Verify creation using oc get.

    You should see one (1) ReplicaSet, as well as one (1) k8s-bigip-ctlr Pod for each Node in the Cluster. The example below shows one (1) Pod running the k8s-bigip-ctlr in a test cluster with one worker node.

    oc get deployments
    NAME             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
    k8s-bigip-ctlr   1         1         1            1           1h
    
    oc get replicasets
    NAME                       DESIRED   CURRENT   AGE
    k8s-bigip-ctlr-331478340   1         1         1h
    
    oc get pods
    NAME                              READY     STATUS    RESTARTS   AGE
    k8s-bigip-ctlr-1962020886-s31l4   1/1       Running   0          1m
    

What’s next

Now that you have the BIG-IP Controller up and running, here are a few things you can do with it: