This section documents K8S with integration of CIS and BIG-IP using NodePort configuration. Benefits of NodePort are:
- It works in any environment (no requirement for SDN)
- No persistence/visibility to backend Pod
- Can be deployed for “static” workloads (not ideal)
Similar to Docker, BIG-IP is communicating with an ephemeral port, but in this case the kube-proxy is keeping track of the backend Pod (container). This works well, but the downside is that you have an additional layer of load balancing with the kube-proxy.
When using nodeport, pool members represent the kube-proxy service on the node. BIG-IP needs a local route to the nodes. There is no need for VXLAN tunnels, or Calico. BIG-IP can dynamically ARP for the Kube-proxy running on node.
This section documents K8S with integration of CIS and BIG-IP using clusterIP configuration. Benefits of clusterIP are:
- Requires ability to route to Pod
- Flannel VXLAN, OpenShift VXLAN
- Alternately Pod routable through network, for example:
- Calico BGP
- Public Cloud network
VXLAN and Kubernetes are not supported today when using a BIG-IP cluster, but it works with standalone. OpenShift and VXLAN are supported, see the OpenShift section for more information.
The BIG-IP CIS also supports a cluster mode where Ingress traffic by-passes the Kube-proxy and route traffic directly to the pod. This requires that the BIG-IP have the ability to route to the pod. This could be by using an overlay network that we support (Flannel VXLAN, or OpenShift VXLAN). Leave the kube-proxy intact (no changes to underlying kubernetes infrastructure).
To provide feedback on Container Ingress Services or this documentation, you can file a GitHub Issue.