BIG-IP Next CIS Configuration Overview
Deployment Options
These options are configured using the pool-member-type parameter in the BIG-IP Next CIS deployment.
NodePort
This section documents the integration of CIS and BIG-IP Next with Kubernetes using the NodePort configuration. The benefits of NodePort are:
- It works in any environment (no requirement for SDN).
- No persistence/visibility to backend Pod.
Similar to Docker, BIG-IP Next communicates with an ephemeral port, but in this case the kube-proxy keeps track of the backend Pod (container). This works well, but you will have an additional layer of load balancing with the kube-proxy.
When using NodePort, pool members represent the kube-proxy service on the node. BIG-IP Next needs a local route to the nodes. There is no need for VXLAN tunnels or Calico. BIG-IP Next can dynamically perform ARP resolution for the kube-proxy running on the node.
ClusterIP
This section documents the integration of CIS and BIG-IP Next with Kubernetes using the ClusterIP configuration. BIG-IP Next CIS also supports a cluster mode where Ingress traffic bypasses the kube-proxy and is routed directly to the pod. This requires that the BIG-IP have the ability to route to the pod. This is achieved by the Static Routing Mode, where CIS adds the static routes for Kubernetes nodes on BIG-IP Next and manages them as nodes are updated. Currently, this is supported with the ovn-k8s and flannel CNIs.
It leaves the kube-proxy intact (no changes to underlying Kubernetes infrastructure).
The benefits of ClusterIP are:
- Ability to directly route the traffic to the Pod.
- No Flannel VXLAN or OpenShift VXLAN configuration is required.
- No kube-proxy is needed.
- Alternatively, pods can be routable through the network, for example:
  - Calico BGP
  - Public cloud network
Auto
This section documents the integration of CIS and BIG-IP Next with Kubernetes using the auto configuration.
Auto mode is a combination of the clusterip and nodeport modes. In auto mode, CIS learns the service type and populates BIG-IP Next with the respective pool members.
- If the service type is ClusterIP, then the pod IPs are populated on BIG-IP Next for the respective pool.
- If the service type is NodePort, then the node IPs are populated on BIG-IP Next for the respective pool.
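The following added example (a simplified model, not CIS source code) shows which pool members each of the three modes above produces and why pod members need a route on BIG-IP Next. The sample nodes and services are constructed, and the mode names, the empty result for a Service without a NodePort, and the route shape (pod subnet via node IP) are assumptions.

```python
import ipaddress

# Constructed sample data, simplified from Kubernetes Node/Service/Endpoints objects.
NODES = [
    {"ip": "10.0.0.11", "pod_cidr": "10.244.1.0/24"},
    {"ip": "10.0.0.12", "pod_cidr": "10.244.2.0/24"},
]
SERVICES = {
    "web": {"type": "NodePort", "node_port": 30080, "target_port": 8080,
            "pod_ips": ["10.244.1.5", "10.244.2.7"]},
    "api": {"type": "ClusterIP", "node_port": None, "target_port": 9000,
            "pod_ips": ["10.244.1.9"]},
}

def node_members(svc, nodes):
    """NodePort style: one member per node; kube-proxy then picks the Pod."""
    if svc["node_port"] is None:  # assumption: no NodePort means nothing to target
        return []
    return [f'{n["ip"]}:{svc["node_port"]}' for n in nodes]

def pod_members(svc):
    """ClusterIP style: one member per Pod; kube-proxy is bypassed."""
    return [f'{ip}:{svc["target_port"]}' for ip in svc["pod_ips"]]

def pool_members(mode, svc, nodes):
    """mode uses this page's names; the exact flag values are an assumption."""
    if mode == "nodeport":
        return node_members(svc, nodes)
    if mode == "clusterip":
        return pod_members(svc)
    if mode == "auto":  # follow the Service type
        return node_members(svc, nodes) if svc["type"] == "NodePort" else pod_members(svc)
    raise ValueError(f"unknown pool-member-type: {mode}")

def static_routes(nodes):
    """Assumed route shape: each node's Pod subnet via that node's IP."""
    return [(n["pod_cidr"], n["ip"]) for n in nodes]

def unreachable(members, nodes, routes):
    """Members that are neither a node IP nor covered by a static route."""
    node_ips = {n["ip"] for n in nodes}
    nets = [ipaddress.ip_network(cidr) for cidr, _ in routes]
    return [m for m in members
            if m.rsplit(":", 1)[0] not in node_ips
            and not any(ipaddress.ip_address(m.rsplit(":", 1)[0]) in net for net in nets)]

if __name__ == "__main__":
    for name, svc in SERVICES.items():
        for mode in ("nodeport", "clusterip", "auto"):
            print(name, mode, pool_members(mode, svc, NODES))
```

Calling `unreachable()` on pod members with an empty route list returns every member, which is the condition the static routes in cluster mode exist to prevent.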
Note
To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.