BIG-IP Next CIS Configuration Overview

Deployment Options

These options are selected with the pool-member-type parameter in the BIG-IP Next CIS deployment.

NodePort

This section documents the integration of CIS and BIG-IP Next with Kubernetes using the NodePort configuration. The benefits of NodePort are:

  • It works in any environment (no requirement for SDN).
  • No persistence/visibility to backend Pod.

Similar to Docker, BIG-IP Next communicates with an ephemeral port, but in this case the kube-proxy keeps track of the backend Pod (container). This works well, but it adds an extra layer of load balancing in the kube-proxy.

[Figure: NodePort configuration overview (CIS-Config-overvw.png)]

When using NodePort, the pool members represent the kube-proxy service on each node. BIG-IP Next needs a local route to the nodes; no VXLAN tunnels or Calico are required. BIG-IP Next can dynamically resolve the ARP entries for the kube-proxy running on each node.

ClusterIP

This section documents the integration of CIS and BIG-IP Next with Kubernetes using the ClusterIP configuration. BIG-IP Next CIS also supports a cluster mode in which ingress traffic bypasses the kube-proxy and is routed directly to the Pod. This requires that BIG-IP Next be able to route to the Pod, which is achieved with Static Routing Mode: CIS adds static routes for the Kubernetes nodes on BIG-IP Next and maintains them as nodes are updated. Currently this is supported with the ovn-k8s and flannel CNIs.

It leaves the kube-proxy intact (no changes to underlying Kubernetes infrastructure).

The benefits of ClusterIP are:

  • Ability to directly route the traffic to the Pod.
  • No Flannel VXLAN, OpenShift VXLAN config is required.
  • No kube-proxy is needed.
  • Alternatively, the Pods can be made routable through the network, for example with:
    • Calico BGP
    • Public Cloud networking

[Figure: ClusterIP configuration overview (CIS-Config-ClstIP.png)]

Auto

This section documents the integration of CIS and BIG-IP Next with Kubernetes using the Auto configuration.

Auto mode is a combination of the ClusterIP and NodePort modes. In Auto mode, CIS learns the service type and populates BIG-IP Next with the corresponding pool members:

  • If the service type is ClusterIP, the Pod IPs are populated on BIG-IP Next for the respective pool.
  • If the service type is NodePort, the node IPs are populated on BIG-IP Next for the respective pool.
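The following is an added illustration, not CIS's own code: it models the three pool-member-type behaviours described above (node IP plus nodePort for NodePort, Pod IP plus target port for ClusterIP, and the service-type switch for Auto) on constructed, trimmed-down Kubernetes Service, Endpoints and Node objects. The error handling for unsupported combinations is an assumption of this model.

```python
"""Model of how the pool-member-type setting selects BIG-IP Next pool members.

Added example; not CIS code. The input objects below are constructed samples
shaped like the parts of the Kubernetes API the decision depends on.
"""

# Constructed sample objects (only the fields the logic needs).
SERVICE_NODEPORT = {"metadata": {"name": "web"}, "spec": {"type": "NodePort",
    "ports": [{"port": 80, "targetPort": 8080, "nodePort": 30080}]}}
SERVICE_CLUSTERIP = {"metadata": {"name": "web"}, "spec": {"type": "ClusterIP",
    "ports": [{"port": 80, "targetPort": 8080}]}}
# Endpoints: the Pod IPs and container ports behind the service.
ENDPOINTS = {"subsets": [{"addresses": [{"ip": "10.244.1.5"}, {"ip": "10.244.2.7"}],
                          "ports": [{"port": 8080}]}]}
# Nodes: kube-proxy listens on the nodePort at each node's InternalIP.
NODES = [{"status": {"addresses": [{"type": "InternalIP", "address": "192.0.2.11"}]}},
         {"status": {"addresses": [{"type": "InternalIP", "address": "192.0.2.12"}]}}]


def node_internal_ips(nodes):
    """Collect the InternalIP address of every node."""
    return [a["address"] for n in nodes for a in n["status"]["addresses"]
            if a["type"] == "InternalIP"]


def pool_members(mode, service, endpoints, nodes):
    """Return the sorted (ip, port) pairs the pool would receive for this mode."""
    svc_type = service["spec"]["type"]
    if mode == "auto":
        # Auto: choose the concrete mode from the service type.
        mode = {"ClusterIP": "clusterip", "NodePort": "nodeport"}.get(svc_type)
        if mode is None:  # assumption: other service types are rejected here
            raise ValueError(f"auto mode: unsupported service type {svc_type}")
    if mode == "nodeport":
        if svc_type != "NodePort":  # assumption: no nodePort to target
            raise ValueError("nodeport mode requires a NodePort service")
        node_port = service["spec"]["ports"][0]["nodePort"]
        return sorted((ip, node_port) for ip in node_internal_ips(nodes))
    if mode == "clusterip":
        # Bypass kube-proxy: members are the Pods themselves on the target port.
        return sorted((addr["ip"], p["port"])
                      for subset in endpoints["subsets"]
                      for p in subset["ports"]
                      for addr in subset["addresses"])
    raise ValueError(f"unknown pool-member-type {mode!r}")
```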

Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.