CIS Installation¶

Overview¶

CIS can be configured for Kubernetes and OpenShift, varying by resources (ConfigMap, Ingress, Routes, CRD, serviceTypeLB), BIG-IP deployment (stand alone, HA), and cluster networking (Flannel/Calico/Cilium/Antrea/OVNKuberentes).

Prerequisites¶

Installing CIS Using Helm Charts¶

Chart parameters¶

Parameter	Required	Default	Description
bigip_login_secret	Optional	f5-bigip-ctlr-login	Secret that contains BIG-IP login credentials.
bigip_secret.create	Optional	false	Create Kubernetes secret using username and password.
bigip_secret.username	Optional	N/A	BIG-IP username to create the Kubernetes secret.
bigip_secret.password	Optional	N/A	BIG-IP password to create the Kubernetes secret.
args.bigip_url	Required	N/A	The management IP for your BIG-IP device.
args.bigip_partition	Required	f5-bigip-ctlr	BIG-IP partition the CIS Controller will manage.
args.namespaces	Optional	N/A	List of Kubernetes namespaces which CIS will monitor.
rbac.create	Optional	true	Create ClusterRole and ClusterRoleBinding.
serviceAccount.name	Optional	f5-bigip-ctlr- serviceaccount	Name of the ServiceAccount for CIS controller.
serviceAccount.create	Optional	true	Create service account for the CIS controller.
namespace	Optional	kube-system	Name of namespace CIS will use to create deployment and other resources.
image.user	Optional	f5networks	CIS Controller image repository username.
image.repo	Optional	k8s-bigip-ctlr	CIS Controller image repository name.
image.pullPolicy	Optional	Always	CIS Controller image pull policy.
image.pullSecrets	Optional	N/A	List of secrets of container registry to pull image.
version	Optional	latest	CIS Controller image tag.
nodeSelector	Optional	N/A	Dictionary of Node selector labels.
tolerations	Optional	N/A	Array of labels.
limits_cpu	Optional	100m	CPU limits for the pod.
limits_memory	Optional	512Mi	Memory limits for the pod.
requests_cpu	Optional	100m	CPU request for the pod.
requests_memory	Optional	512Mi	Memory request for the pod.
affinity	Optional	N/A	Dictionary of affinity.
securityContext	Optional	N/A	Dictionary of deployment securityContext.
podSecurityContext	Optional	N/A	Dictionary of pod securityContext.
ingressClass.ingressClassName	Optional	f5	Name of ingress class.
ingressClass.isDefaultIngressController	Optional	false	CIS will monitor all the ingress resources if set true.
ingressClass.create	Optional	true	Create ingress class.

Note:- The parameters bigip_login_secret and bigip_secret are mutually exclusive. If both are defined in the values.yaml file, bigip_secret will be given priority.

Uninstalling Helm Chart¶

Run the command to uninstall the chart.

helm delete <new-chart>
helm repo remove f5-stable

Optionally, Run the command to delete the secrets created.

For Kubernetes, use the following command:

kubectl delete secret f5-bigip-ctlr-login -n kube-system

For Openshift, use the following command:

oc delete secret f5-bigip-ctlr-login -n kube-system

Mandatory with nextGen Routes, Run the command to delete the extended cm.

oc delete -f ./docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml

Delete the trusted certs configMap

For Kubernetes, use the following command:

kubectl delete configmap trusted-certs -n kube-system rm -rf server_cert.pem

For OpenShift, use the following command:

oc delete configmap trusted-certs -n kube-system rm -rf server_cert.pem

Installing CIS Manually¶

Clone the GitHub repository

git clone https://github.com/F5Networks/k8s-bigip-ctlr.git

Download the CA/BIG IP certificate and use it with CIS controller.

For Kubernetes, use the following command:

echo | openssl s_client -showcerts -servername <server-hostname>  -connect <server-ip-address>:<server-port> 2>/dev/null | openssl x509 -outform PEM > server_cert.pem kubectl create configmap trusted-certs --from-file=./server_cert.pem -n kube-system

For Openshift, use the following command:

echo | openssl s_client -showcerts -servername <server-hostname>  -connect <server-ip-address>:<server-port> 2>/dev/null | openssl x509 -outform PEM > server_cert.pem oc create configmap trusted-certs --from-file=./server_cert.pem -n kube-system

Alternatively, for non-prod environment you can use ``–insecure=true``parameter.

Note:- If you are updating the BIGIP/CA Certificates, don’t miss to rotate them on k8s cluster and restart the CIS.

Create a Cluster Role, Cluster Role Binding and Service account for CIS Controller

For Kubernetes, use the following command:

kubectl create -f ./docs/config_examples/rbac/k8s_rbac.yml

For Openshift, use the following command:

oc create -f ./docs/config_examples/rbac/openshift_rbac.yaml

Note:- The command has the broadest supported permission set. You can narrow the permissions down to specific resources, namespaces, etc. to suit your needs. See the Kubernetes RBAC documentation for more information.

Important: You can substitute a Role and RoleBinding if your Controller does not need access to the entire Cluster.

Optionally, Install Custom Resource Definitions for CIS Controller if you are using custom resources or nextGen Routes or multi-cluster

For Kubernetes, use the following command:

        export CIS_VERSION=<cis-version>
        # For example
        # export CIS_VERSION=v2.20.0
        # or
        # export CIS_VERSION=master
        # the latter if using a CIS image with :latest label
        kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/${CIS_VERSION}/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml

-  For Openshift, use the following command:

   .. code:: shell

      export CIS_VERSION=<cis-version>
      # For example
      # export CIS_VERSION=v2.20.0
      # or
      # export CIS_VERSION=master
      # the latter if using a CIS image with :latest label
      oc create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/${CIS_VERSION}/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml

Mandatory with nextGen Routes, Modify the extended ConfigMap file as required and deploy it

oc create -f ./docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml

Create the kubernetes secret with BIG IP credentials

For Kubernetes, use the following command:

kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=<password> --from-literal=url=<bigip-uri>``

For Openshift, use the following command:

oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=<password> --from-literal=url=<bigip-uri>

Update the CIS deployment file with required image and config parameters and install the CIS Controller.

For Kubernetes, use following cmd:

kubectl create -f ./docs/config_examples/Install/k8s/sample-k8s-bigip-ctlr.yaml

For Openshift, use following cmd:

oc create -f ./docs/config_examples/Install/openshift/f5-k8s-bigip-ctlr-openshift.yaml

Uninstalling CIS¶

To uninstall CIS, run the following commands:

For Kubernetes, use following cmd:

kubectl delete -f ./docs/config_examples/Install/k8s/sample-k8s-bigip-ctlr.yaml
kubectl delete -f ./docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml
kubectl delete -f ./docs/config_examples/rbac/k8s_rbac.yml

For Openshift, use following cmd:

oc delete -f ./docs/config_examples/Install/openshift/f5-k8s-bigip-ctlr-openshift.yaml
oc delete -f ./docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml
oc delete -f ./docs/config_examples/rbac/openshift_rbac.yaml

Optionally, Run the command to delete the secrets created.

For Kubernetes, use the following command:

kubectl delete secret f5-bigip-ctlr-login -n kube-system

For Openshift, use the following command:

oc delete secret f5-bigip-ctlr-login -n kube-system

Mandatory with nextGen Routes,Run the command to delete the extended cm.

oc delete -f ./docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml

Delete the trusted certs configMap

For Kubernetes, use the following command:

kubectl delete configmap trusted-certs -n kube-system rm -rf server_cert.pem

For OpenShift, use the following command:

oc delete configmap trusted-certs -n kube-system rm -rf server_cert.pem

Installing CIS using Operators on OpenShift Cluster¶

An Operator is a method of packaging, deploying, and managing a Kubernetes application. A Kubernetes application is an application that is both deployed on Kubernetes and managed using the Kubernetes APIs and kubectl/oc tooling. You can think of Operators as the runtime that manages this type of application on Kubernetes. Conceptually, an Operator takes human operational knowledge and encodes it into software that is more easily packaged and shared with consumers.

The F5 BIG-IP CIS (k8s-bigip-ctlr) is a cloud-native connector that can use either Kubernetes or OpenShift as a BIG-IP orchestration platform. F5 BIG-IP CIS Operator is a Service Operator which installs F5 BIG-IP CIS on OpenShift platforms 4.x.

Before you install CIS using Operators on OpenShift, you must create BIG-IP login credentials to use with Operator Helm Charts:

oc create secret generic <SECRET-NAME> -n kube-system
--from-literal=username=<USERNAME> --from-literal=password=<PASSWORD>

Access the OCP web console: From CLI, login as admin using CRC given credentials. In the example below, the username is kubeadmin and the password is db9Dr-J2csc-8oP78-9sbmf.
```
$ eval $(crc  oc-env)
$ oc login -u kubeadmin -p db9Dr-J2csc-8oP78-9sbmf https://api.crc.testing:6443
```
Within the OCP web console, in the left Menu bar, click Operator Hub and search for “f5” to see the Certified F5 BIG-IP CIS Operator.
Click Install to go through the guided installation process.

When Operator is Subscribed, Operator is installed based on approval strategy. The default approval strategy is Automatic.
- Manual: Requires administrator approval to install new updates.
- Automatic: When a new release is available, updated automatic.

Creating VXLAN Tunnels¶

This section is required only if you plan to use CIS in a ClusterIP Deployment. See BIG IP Networking with CIS for more information.

Creating VXLAN Tunnels on Kubernetes Cluster¶

This configuration is for Standalone BIG-IP.

Create a VXLAN profile.

tmsh create net tunnels vxlan fl-vxlan port 8472 flooding-type none

Create a VXLAN tunnel.

tmsh create net tunnels tunnel fl-vxlan key 1 profile fl-vxlan local-address 10.1.1.4

Create the VXLAN tunnel self IP.

tmsh create net self 10.1.1.4 address 10.244.20.4/255.255.0.0 allow-service none vlan fl-vxlan

Save the configuration.
```
tmsh save sys config
```
Before deploying CIS in ClusterIP mode, you need to configure BIG-IP as a node in the Kubernetes cluster. To do so you will need to modify ./docs/config_examples/Install/k8s/bigip-node.yaml with the MAC address auto-created from the previous steps. From the jumpbox terminal, run the following command at bigip1. Copy the displayed MAC Address.
```
tmsh show net tunnels tunnel k8s-tunnel all-properties
```
Update the MAC address obtained in ./docs/config_examples/Install/k8s/bigip-node.yaml

Create the BIG-IP node:

kubectl create -f ./docs/config_examples/Install/k8s/bigip-node.yaml

Verify “bigip1” node is created:
```
kubectl get nodes
```

Creating VXLAN Tunnels on Openshift Cluster for OpenshiftSDN CNI¶

This configuration is for Standalone BIG-IP.

create net tunnels vxlan vxlan-mp flooding-type multipoint
create net tunnels tunnel openshift_vxlan key 0 profile vxlan-mp local-address 10.1.1.4

Add the BIG-IP device to the OpenShift overlay network.

create net self 10.131.0.83/14 allow-service all vlan openshift_vxlan

Create a new HostSubnet for BIG-IP on the OpenShift/Kubernetes cluster. This will provide the subnet for creating the tunnel self IP.
```
oc create -f .docs/config_examples/Install/openshift/StandAlone/f5-kctlr-openshift-hostsubnet.yaml
```
Verify “bigip1” node is created:
```
oc get nodes
```

Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.

Previous Next