F5 IPAM Controller for Gateway API
Overview
About F5 IPAM Controller (FIC)
The F5 IPAM Controller (FIC) in BIG-IP Next for Kubernetes manages the dual-stack IP addresses (IPv4 and IPv6) for the Gateway resource. The FIC ensures that the allocated IP address is within the defined range in the BNKGateway (bnkgateway.yaml). This allows the CNE controller to dynamically allocate IP addresses to the various Gateway API resources.
FIC can manage both dynamic and static IP addresses.
FIC implementation
Using F5 Lifecycle Operator (FLO), the FIC component is installed and enabled by default as part of the BIG-IP Next for Kubernetes configuration. FLO uses the FIC operator to manage the F5 IPAM controller (FIC). To allow IP address management by FIC, the BNKGateway CR must be applied to the namespace of the pod in which the CNE controller is implemented. You must also ensure that IP address ranges are defined in BNKGateway for the specified default network.
For more details about FLO, see F5 Lifecycle Operator.
You can access all the FIC logs and diagnostic reports for the deployed FIC controller by running the following command:
kubectl -n <namespace-where-FIC-operator-is-running> logs deploy/f5-ipam-operator
Note:
You cannot access reports for the FIC operator using Coremond, FluentBit, or Qkview.
CNE controller is implemented using FLO.
Refer to FLO documentation and BNKGateway for details.
Sample report
This section shows sample code and output.
Code
kubectl -n default logs deployment/f5-ipam-operator
Output
{"level":"info","ts":"2025-03-19T11:20:13Z","logger":"cmd","msg":"Version","Go Version":"go1.23.4","GOOS":"linux","GOARCH":"arm64","helm-operator":"v0.8.0","commit":"xxxxxx"}
{"level":"info","ts":"2025-03-19T11:20:13Z","logger":"cmd","msg":"Setting manager options","Options":{"HealthProbeAddress":":8081","LeaderElection":true,"LeaderElectionId":"f5-ipam-operator","MetricsBindAddress":"127.0.0.1:8080"}}
{"level":"info","ts":"2025-03-19T11:20:13Z","logger":"cmd","msg":"watching all namespaces"}
{"level":"info","ts":"2025-03-19T11:20:13Z","logger":"controllers.Helm","msg":"Watching resource","group":"fic.f5.com","version":"v1","kind":"F5IpamCtlr"}
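An added example, not part of the F5 documentation: a small Python triage pass over the operator's JSON log lines that flags non-info records, the cluster-wide watch scope, and a metrics listener that is not bound to loopback. The function names are hypothetical; the field names and the three sample lines come from the output above.

```python
import ipaddress
import json

# Three lines copied from the sample output on this page (the "Version" line is left out).
SAMPLE_LOG = '''\
{"level":"info","ts":"2025-03-19T11:20:13Z","logger":"cmd","msg":"Setting manager options","Options":{"HealthProbeAddress":":8081","LeaderElection":true,"LeaderElectionId":"f5-ipam-operator","MetricsBindAddress":"127.0.0.1:8080"}}
{"level":"info","ts":"2025-03-19T11:20:13Z","logger":"cmd","msg":"watching all namespaces"}
{"level":"info","ts":"2025-03-19T11:20:13Z","logger":"controllers.Helm","msg":"Watching resource","group":"fic.f5.com","version":"v1","kind":"F5IpamCtlr"}
'''


def metrics_exposed(bind):
    """True when a MetricsBindAddress value listens beyond loopback."""
    if bind == "0":  # controller-runtime convention: "0" disables metrics
        return False
    host = bind.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:  # empty host (":8080") or a hostname: treat as exposed
        return True


def review_operator_log(text):
    """Return findings worth a second look from f5-ipam-operator JSON log lines."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            findings.append(f"line {n}: not a JSON log record")
            continue
        if rec.get("level") not in ("info", "debug"):
            findings.append(f"line {n}: {rec.get('level')}: {rec.get('msg')}")
        if rec.get("msg") == "watching all namespaces":
            findings.append(f"line {n}: operator scope is cluster-wide")
        opts = rec.get("Options")
        bind = opts.get("MetricsBindAddress") if isinstance(opts, dict) else None
        if isinstance(bind, str) and metrics_exposed(bind):
            findings.append(f"line {n}: metrics listen on {bind}, not loopback")
    return findings


if __name__ == "__main__":
    print("\n".join(review_operator_log(SAMPLE_LOG)))
```

Pipe the real output in by replacing SAMPLE_LOG with the text returned by the kubectl logs command shown above.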
Use cases of FIC
This section describes how FIC behaves in two different scenarios when BNKGateway is configured with a CIDR range. For details about BNKGateway, see BNKGateway.
Use case 1: IP address is defined in the Gateway
Use case 2: IP address is not defined in the Gateway
Use case 1: IP address is defined in the Gateway
The FIC verifies whether the IP address configured in the Gateway resource is within the CIDR range defined in the BNKGateway resource.
When the IP address is within the range, the TMM is configured and the Gateway CR status shows a success message. When the IP address is not within the range, the TMM is not configured and the Gateway CR status shows an error message.
Sample Gateway CR with static IP address
This example CR shows a static IP address (192.168.17.170) defined using the addresses.value parameter for the IPv4 network.
Sample CR when static IP address is defined
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: app-ns-2
spec:
  gatewayClassName: my-gatewayclass
  addresses:
  - type: IPAddress
    value: 192.168.17.170
  infrastructure:
    parametersRef:
      group: k8s.f5net.com
      kind: F5BnkGateway
      name: test-bnkgateway
  listeners:
  - allowedRoutes:
      kinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute
      namespaces:
        from: Same
    name: http
    port: 8000
    protocol: HTTP
Use case 2: IP address is not defined in the Gateway
When the IP address is not configured in the Gateway resource, FIC allocates a static IP address based on the defined CIDR range. The Gateway CR status shows the relevant message.
Sample Gateway CR without static IP address
In this example, the CR does not have the IP address defined. The infrastructure.parametersRef parameter refers to the BNKGateway in which the range is defined.
Gateway CR without IP address
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: app-ns-2
spec:
  gatewayClassName: my-gatewayclass
  infrastructure:
    parametersRef:
      group: k8s.f5net.com
      kind: F5BnkGateway
      name: test-bnkgateway
  listeners:
  - allowedRoutes:
      kinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute
      namespaces:
        from: Same
    name: http
    port: 8000
    protocol: HTTP
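The check described in use cases 1 and 2, as an added example that is not F5's code: given a Gateway in the JSON form returned by kubectl get gateway -o json and the allowed CIDR ranges, it reports whether an address would be allocated, the static one accepted, or the request rejected. The ranges, the IPv6 prefix and the function name are assumptions, because the page does not show the BNKGateway contents; the example also covers IPv6 and malformed values, which the page's samples do not.

```python
import ipaddress
import json

# Constructed sample: the static-IP Gateway from this page, trimmed, in JSON form.
GATEWAY_JSON = """
{"kind": "Gateway",
 "metadata": {"name": "my-gateway", "namespace": "app-ns-2"},
 "spec": {"gatewayClassName": "my-gatewayclass",
          "addresses": [{"type": "IPAddress", "value": "192.168.17.170"}]}}
"""

# Assumed ranges: the BNKGateway contents are not shown on the page.
ASSUMED_RANGES = ["192.168.17.0/24", "2001:db8:17::/64"]


def check_gateway_addresses(gateway, cidrs):
    """Return (verdict, problems); verdict is "allocate", "in-range" or "rejected"."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    requested = (gateway.get("spec") or {}).get("addresses") or []
    if not requested:
        return "allocate", []  # use case 2: no static address, FIC picks one
    problems = []
    for entry in requested:
        kind = entry.get("type", "IPAddress")  # Gateway API default type
        value = entry.get("value", "")
        if kind != "IPAddress":
            problems.append(f"{value!r}: type {kind} cannot be range-checked")
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{value!r}: not a valid IPv4 or IPv6 address")
            continue
        # Dual stack: an address only matches a range of its own family.
        if not any(ip.version == net.version and ip in net for net in networks):
            problems.append(f"{ip}: outside {', '.join(cidrs)}")
    return ("rejected", problems) if problems else ("in-range", [])


if __name__ == "__main__":
    print(check_gateway_addresses(json.loads(GATEWAY_JSON), ASSUMED_RANGES))
```

Run as a pre-apply step, this catches an out-of-range static address before the Gateway CR status reports the error.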
Status CR
This sample CR shows the status of the Gateway.
Name: my-gateway
Namespace: app-ns-2
Labels: <none>
Annotations: <none>
API Version: gateway.networking.k8s.io/v1
Kind: Gateway
Metadata:
  Creation Timestamp: 2025-03-14T04:32:25Z
  Generation: 1
  Resource Version: 8846315
  UID: 99fcdc81-177e-4b14-afb5-cbd5474a07e5
Spec:
  Gateway Class Name: my-gatewayclass
  Infrastructure:
    Parameters Ref:
      Group: k8s.f5net.com
      Kind: F5BnkGateway
      Name: test-bnkgateway
  Listeners:
    Allowed Routes:
      Kinds:
        Group: gateway.networking.k8s.io
        Kind: HTTPRoute
      Namespaces:
        From: Same
    Name: http
    Port: 8000
    Protocol: HTTP
Status:
  Addresses:
    Type: IPAddress
    Value: 192.168.17.170
  Conditions:
    Last Transition Time: 2025-03-14T04:32:25Z
    Message: Gateway is accepted
    Observed Generation: 1
    Reason: Accepted
    Status: True
    Type: Accepted
    Last Transition Time: 2025-03-14T04:32:25Z
    Message: Gateway is programmed
    Observed Generation: 1
    Reason: Programmed
    Status: True
    Type: Programmed
  Listeners:
    Attached Routes: 1
    Conditions:
      Last Transition Time: 2025-03-14T04:32:25Z
      Message: Listener is accepted
      Observed Generation: 1
      Reason: Accepted
      Status: True
      Type: Accepted
      Last Transition Time: 2025-03-14T04:32:25Z
      Message: Listener is programmed
      Observed Generation: 1
      Reason: Programmed
      Status: True
      Type: Programmed
      Last Transition Time: 2025-03-14T04:32:25Z
      Message: All references are resolved
      Observed Generation: 1
      Reason: ResolvedRefs
      Status: True
      Type: ResolvedRefs
    Name: http
    Supported Kinds:
      Group: gateway.networking.k8s.io
      Kind: HTTPRoute
Events:
  Type    Reason         Age   From            Message
  ----    ------         ----  ----            -------
  Normal  Added/Updated  25m   spk-controller  Gateway app-ns-2/my-gateway was added/updated