Configuration Parameters¶
All of the configuration parameters below are global.
General¶
| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| http-listen-address | string | Optional | “0.0.0.0:8080” | Address at which to serve HTTP-based
information (for example, /metrics,
health) to Prometheus |
Both AS3 and CCCL | |
| log-level | string | Optional | INFO | Log level | INFO, DEBUG, CRITICAL, WARNING, ERROR | Both AS3 and CCCL |
| node-poll-interval | integer | Optional | 30 | In seconds, the interval at which the CIS polls the cluster to find all node members. | Both AS3 and CCCL | |
| python-basedir | string | Optional | /app/python | Path to the python utilities directory | CCCL | |
| schema-db-base-dir | string | Optional | file:///app/vendor/src/f5/schemas | Path to the directory containing the F5 schema db | CCCL | |
| verify-interval | integer | n/a | 30 | In seconds, the interval at which the CIS verifies that the BIG-IP configuration matches the state of the orchestration system. This value is not currently configurable |
For CCCL, LTM and NET For AS3, only NET |
|
| vs-snat-pool-name | string | Optional | n/a | Name of the SNAT pool that all virtual servers will reference. If it is not set, virtual servers use automap SNAT. | CCCL | |
| –agent | string | Optional | AS3 | You can also change the value to CCCL
for CCCL mode. |
AS3, CCCL | Both AS3 and CCCL |
| version | boolean | Optional | false | Print CIS version | Both AS3 and CCCL |
Note
- The
python-basedirsetting lets you specify the path to an alternate python agent that can bridge between the CIS and F5 CCCL. - The time it takes for the CIS to reapply the system configurations to the BIG-IP device is normally low (a few ms) and won’t cause service disruption.
- Use
vs-snat-pool-nameif you want virtual servers to reference a SNAT pool that already exists in the/Commonpartition on the BIG-IP device. See Overview of SNAT features on AskF5 for more information.
BIG-IP system¶
| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| bigip-partition | string | Required | n/a | The BIG-IP partition in which to configure objects. | Both AS3 and CCCL | |
| bigip-password | string | Required | n/a | BIG-IP iControl REST password You can secure your BIG-IP credentials using a Kubernetes Secret. |
Both AS3 and CCCL | |
| bigip-url | string | Required | n/a | BIG-IP admin IP address | Both AS3 and CCCL | |
| bigip-username | string | Required | n/a | BIG-IP iControl REST username The BIG-IP user account must have the appropriate role defined: For For |
Both AS3 and CCCL | |
| credentials-directory | string | Optional | n/a | Directory that contains the BIG-IP username, password, or url files | Both AS3 and CCCL |
Important
The credentials-directory option is an alternative to using the bigip-username, bigip-password, or
bigip-url arguments.
When you use this argument, the controller looks for three files in the specified directory:
- “username”, “password”, and “url”
If any of these files do not exist, the controller falls back to using the CLI arguments as parameters.
Each file should contain only the username, password, and url, respectively. You can create and mount the files as Kubernetes Secrets.
It is important to not project the Secret keys to specific paths, as the controller looks for the “username”, “password”, and “url” files directly within the credentials directory.
See example-bigip-credentials-directory.yaml
for a deployment example.
VXLAN¶
| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| openshift-sdn-name | string | Optional | n/a | Name of the VXLAN tunnel on the BIG-IP system that corresponds to an Openshift SDN HostSubnet. Only applicable in OpenShift. |
Both AS3 and CCCL | |
| flannel-name | string | Optional | n/a | Name of the VXLAN tunnel on the BIG-IP system that corresponds to a Flannel subnet. | CCCL |
Kubernetes¶
| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| default-ingress-ip | string | Optional | n/a | The controller configures a virtual
server at this IP address for all
Ingresses with the annotation:
virtual-server.f5.com/ip:
'controller-default' |
Both AS3 and CCCL | |
| kubeconfig | string | Optional | ./config | Path to the kubeconfig file | Both AS3 and CCCL | |
| manage-configmaps | boolean | Optional | true | Tells the controller whether or not to watch Kubernetes ConfigMaps and apply their configuration. If false, the controller will ignore ConfigMap events. | true, false | Both AS3 and CCCL |
| namespace | string | Optional | All | Kubernetes namespace(s) to watch
|
Both AS3 and CCCL | |
| namespace-label | string | Optional | n/a | Tells the k8s-bigip-ctlr to watch
any namespace with this label |
Both AS3 and CCCL | |
| node-label-selector | string | Optional | n/a | Tells the k8s-bigip-ctlr to watch
only nodes with this label |
Both AS3 and CCCL | |
| pool-member-type | string | Optional | nodeport | The type of BIG-IP pool members you want to create. Use Use |
cluster, nodeport | Both AS3 and CCCL |
| resolve-ingress-names | string | Optional | n/a | Tells the controller to resolve the first Host in an Ingress resource to an IP address. This IP address will be used as the virtual server address for the Ingress resource. A value of “LOOKUP” will use local DNS to resolve the Host. Any other value is a custom DNS server and the controller sends resolution queries through that server instead. Specifying the flag with no argument will default to LOOKUP. |
Not Supported | |
| running-in-cluster | boolean | Optional | true | Indicates whether or not a
kubernetes cluster started
k8s-bigip-ctlr |
true, false | Both AS3 and CCCL |
| use-node-internal | boolean | Optional | true | filter Kubernetes InternalIP addresses for pool members | true, false | Both AS3 and CCCL |
| use-secrets | boolean | Optional | true | Tells the controller whether or not to load SSL profiles from Kubernetes Secrets for Ingresses and ConfigMaps. If false, the controller will only use profiles from the BIG-IP system. | true, false | Both AS3 and CCCL |
| manage-ingress | boolean | Optional | true | Tells the controller whether or not to watch Kubernetes ingress and apply their configuration. If false, the controller will ignore ingress events. | true, false | Both AS3 and CCCL |
| manage-ingress-class- only | boolean | Optional | true | Process all ingress resources without
kubernetes.io/ingress.class +
“annotation and ingresses with
annotation
kubernetes.io/ingress.class=f5”. |
true, false | AS3 |
| ingress-class | string | Optional | F5 | A class of the Ingress controller. The
Ingress controller only processes
Ingress resources that belong to its
class–i.e. have the annotation
kubernetes.io/ingress.class equal
to the class. Additionally, the Ingress
controller processes Ingress resources
that do not have that annotation, which
can be disabled by setting the
-manage-ingress-class-only flag. |
true, false | AS3 |
Note
Use the node-label-selector parameter if you only want the controller to manage specific nodes from the cluster.
For example, the BIG-IP device may not be able to reach certain nodes, or the BIG-IP device already manages certain
nodes. Therefore, the controller should only watch the nodes that match the environmental constraints (by using a label).
OpenShift Routes¶
The following configuration parameters only apply to OpenShift.
| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| custom-client-ssl | string | Optional | n/a | Specifies the name of a custom client SSL profile attached to the route HTTPS virtual server and used as default for SNI. This profile must have the Default for SNI field enabled. | CCCL | |
| custom-server-ssl | string | Optional | n/a | Specifies the name of a custom server SSL profile attached to the route HTTPS virtual server and used as default for SNI. This profile must have the Default for SNI field enabled. | CCCL | |
| manage-routes | boolean | Optional | false | Indicates if k8s-bigip-ctlr should
handle OpenShift Route objects. |
true, false | Both AS3 and CCCL |
| route-http-vserver | string | Optional | ose-vserver | The name of the http virtual server for OpenShift Routes. | Both AS3 and CCCL | |
| route-https-vserver | string | Optional | https-ose-vserver | The name of the https virtual server for OpenShift Routes. | Both AS3 and CCCL | |
| route-label | string | Optional | n/a | Tells the k8s-bigip-ctlr to only
watch for OpenShift Route objects with
the f5type label set to this value. |
Both AS3 and CCCL | |
| route-vserver-addr | string | Optional | n/a | Bind address for virtual server for OpenShift Route objects. | Both AS3 and CCCL | |
| default-client-ssl | string | Optional | n/a | Name of the default client ssl profile. | Both AS3 and CCCL | |
| default-server-ssl | string | Optional | n/a | Name of the default server ssl profile. | Both AS3 and CCCL | |
| tls-version | string | Optional | 1.2 | Configures TLS version to be enabled on BIG-IP. TLS 1.3 is only supported on TMOS version 14.0+. | Only AS3 | |
| cipher-group | string | Optional | n/a | Configures a cipher group in BIG-IP and reference it here. Cipher group and ciphers are mutually exclusive, only use one. | Only AS3 | |
| ciphers | string | Optional | n/a | Configures a ciphersuite selection string. Cipher-group and ciphers are mutually exclusive, only use one. | Only AS3 |
Note
If the custom-client-ssl or custom-server-ssl parameters are not provided, then the controller creates default
clientssl and serverssl profiles for the OpenShift Route HTTPS virtual server. The controller sets these profiles as
Default for SNI.
AS3 Parameters¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| as3-validation | boolean | Optional | true | When set to false, this disables AS3 template validation on the controller. |
| insecure | boolean | Optional | false | When set to true, this enables insecure SSL communication to the BIG-IP system. |
| trusted-certs-cfgmap | string | Required | n/a | When certificates are provided, adds them to controller’s trusted certificate store. |
| as3-post-delay | int | Optional | n/a | Specifies the time, in seconds, that CIS waits to post the available AS3 declaration. |
| log-as3-response | boolean | Optional | false | When set to true, adds the body of AS3 API response in Controller logs. |
| override-as3- declaration | string | Optional | n/a | Provide Namespace and Name of the ConfigMap as <namespace>/<configmap-name>. The JSON key/values from this ConfigMap will oerride key/values from internally generated AS3 declaration. |
| filter-tenants | boolean | Optional | false | Specifies whether or not the use tenant filtering API for AS3 declaration. |
CIS Health Checks¶
Kubernetes has two types of health checks:
- Readiness Probes: To determine when a pod is ready
- Liveness Probes: To determine when a pod is healthy or unhealthy after it has become ready
Readiness Probes Kubernetes uses readiness probes to decide when the container is available for accepting traffic. The readiness probe controls which pods to use as the backend for a service. A pod is considered ready when all of its containers are ready. If a pod is not ready, it is removed from service load balancers. For example, if a container loads a large cache at start-up and takes minutes to start, you should not send requests to this container until it is ready, or the requests will fail. Instead, route requests to other pods, which are capable of servicing requests.
Liveness Probes Kubernetes uses liveness probes to know when to restart a container. If a container is unresponsive, the application could be deadlocked due to a multi-threading defect. Restarting the container can make the application more available.
These are the methods you can use to check container status:
- HTTP request to the pod
- Command execution to the pod
- TCP request to the pod
Probes are defined on a container in a deployment.
Here is an example of the deployment using HTTP method:
| Parameter | Description |
|---|---|
| periodSeconds | specifies that the kubelet should perform a liveness probe every 3 seconds. |
| initialDelaySeconds | tells the kubelet that it should wait 3 seconds before performing the first probe |
| timeOutSeconds | how long to wait for the probe to finish. If this time is exceeded, OpenShift Container Platform considers the probe to have failed. |
The kubelet uses a web hook to determine the healthiness of the container. The check is successful if the HTTP response code is between 200 and 399.
To perform a probe, the kubelet sends an HTTP GET request to the server that is running in the Container and listening on port 8080. The handler for the server’s /health path returns a success code. For example:
livenessProbe:
failureThreshold: 3
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 15
readinessProbe:
failureThreshold: 3
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 15
To view the liveness and readiness of the deployed pod, run the command Kubectl describe pod <pod_name> -n kube-system. Here is the example output:
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
- --log-level=debug
terminationMessagePolicy: Fileermination-log
--log-level=debug
--namespace=default
--route-label=systest
--insecure=true
--agent=cccl
Liveness: http-get http://:8080/health delay=15s timeout=15s period=15s #success=1 #failure=3
Readiness: http-get http://:8080/health delay=30s timeout=15s period=30s #success=1 #failure=3
Environment: <none>
Mounts: <none>
Volumes: <none>
curl http://<self-ip>:<port no>/health shows a response of OK.