Deployment Options

These options are configured using pool-member-type parameter in CIS deployment.

NodePort

This section documents K8S with integration of CIS and BIG-IP using NodePort configuration. Benefits of NodePort are:

  • It works in any environment (no requirement for SDN)
  • No persistence/visibility to backend Pod
  • Can be deployed for “static” workloads (not ideal)

Similar to Docker, BIG-IP communicates with an ephemeral port, but in this case the kube-proxy keeps track of the backend Pod (container). This works well, but the downside is that you have an additional layer of load balancing with the kube-proxy.

../_images/nodeport-diagram.png

When using NodePort, pool members represent the kube-proxy service on the node. BIG-IP needs a local route to the nodes. There is no need for VXLAN tunnels or Calico. BIG-IP can dynamically ARP for the Kube-proxy running on node.


ClusterIP

This section documents K8S with integration of CIS and BIG-IP using clusterIP configuration. Benefits of clusterIP are:

  • Requires ability to route to Pod
  • Flannel VXLAN, OpenShift VXLAN
  • Alternately Pod routable through network, for example:
    • Calico BGP
    • Public Cloud network

The BIG-IP CIS also supports a cluster mode where Ingress traffic bypasses the Kube-proxy and routes traffic directly to the pod. This requires that the BIG-IP have the ability to route to the pod. This could be by using an overlay network that F5 supports (Flannel VXLAN, or OpenShift VXLAN). Leave the kube-proxy intact (no changes to underlying Kubernetes infrastructure).

../_images/clusterip-diagram.png


Note

To provide feedback on Container Ingress Services or this documentation, you can file a GitHub Issue.