Configuration Parameters¶
All of the configuration parameters below are global.
General¶
Parameter | Type | Required | Default | Description | Allowed Values | Agent |
---|---|---|---|---|---|---|
http-listen-address | String | Optional | “0.0.0.0:8080” | Address at which to serve HTTP-based
information (for example, /metrics ,
health ) to Prometheus. |
Both AS3 and CCCL | |
log-level | String | Optional | INFO | Log level | INFO, DEBUG, CRITICAL, WARNING, ERROR | Both AS3 and CCCL |
node-poll-interval | Integer | Optional | 30 | In seconds, the interval at which the CIS polls the cluster to find all node members. | Both AS3 and CCCL | |
python-basedir | String | Optional | /app/python | Path to the python utilities directory. | CCCL | |
schema-db-base-dir | String | Optional | file:///app/vendor/src/f5/schemas | Path to the directory containing the F5 schema db. | CCCL | |
verify-interval | Integer | N/A | 30 | In seconds, the interval at which the CIS verifies that the BIG-IP configuration matches the state of the orchestration system. | For CCCL, LTM and NET For AS3, only NET |
|
vs-snat-pool-name | String | Optional | N/A | Name of the SNAT pool that all virtual servers will reference. If it is not set, virtual servers use automap SNAT. | CCCL | |
agent | String | Optional | AS3 | You can also change the value to CCCL
for CCCL mode. |
AS3, CCCL | Both AS3 and CCCL |
version | Boolean | Optional | false | Print CIS version | Both AS3 and CCCL |
Note
- The
python-basedir
setting lets you specify the path to an alternate python agent that can bridge between the CIS and F5 CCCL. - The time it takes for the CIS to reapply the system configurations to the BIG-IP device is normally low (a few ms) and won’t cause service disruption.
- Use
vs-snat-pool-name
if you want virtual servers to reference a SNAT pool that already exists in the/Common
partition on the BIG-IP device. See Overview of SNAT features on AskF5 for more information.
BIG-IP system¶
Parameter | Type | Required | Default | Description | Allowed Values | Agent |
---|---|---|---|---|---|---|
bigip-partition | String | Required | N/A | The BIG-IP partition in which to configure objects. | Both AS3 and CCCL | |
bigip-password | String | Required | N/A | BIG-IP iControl REST password You can secure your BIG-IP credentials using a Kubernetes Secret. |
Both AS3 and CCCL | |
bigip-url | String | Required | N/A | BIG-IP admin IP address | Both AS3 and CCCL | |
bigip-username | String | Required | N/A | BIG-IP iControl REST username The BIG-IP user account must have the appropriate role defined: For For |
Both AS3 and CCCL | |
credentials-directory | String | Optional | N/A | Directory that contains the BIG-IP username, password, or url files | Both AS3 and CCCL |
Important
The credentials-directory
option is an alternative to using the bigip-username
, bigip-password
, or
bigip-url
arguments.
When you use this argument, the controller looks for three files in the specified directory:
- “username”, “password”, and “url”
If any of these files do not exist, the controller falls back to using the CLI arguments as parameters.
Each file should contain only the username, password, and url, respectively. You can create and mount the files as Kubernetes Secrets.
It is important to not project the Secret keys to specific paths, as the controller looks for the “username”, “password”, and “url” files directly within the credentials directory.
See example-bigip-credentials-directory.yaml
for a deployment example.
GTM BIG-IP system¶
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
gtm-bigip-password | String | Required | N/A | Password for the GMT BIG-IP user account. You can secure your GTM BIG-IP credentials using a Kubernetes Secret. |
gtm-bigip-url | String | Required | N/A | URL for the GTM BIG-IP |
gtm-bigip-username | String | Required | N/A | Username for the GTM BIG-IP user account. |
gtm-credentials-directory | String | Optional | N/A | The directory that contains the GTM BIG-IP username, password, and/or URL files. To be used instead of username, password, and/or URL arguments. |
Important
The credentials-directory
option is an alternative to using the gtm-bigip-username
, gtm-bigip-password
, or
gtm-bigip-url
arguments.
When you use this argument, the controller looks for three files in the specified directory:
- “username”, “password”, and “url”
If any of these files do not exist, the controller falls back to using the CLI arguments as parameters.
Each file should contain only the username, password, and url, respectively. You can create and mount the files as Kubernetes Secrets.
It is important to not project the Secret keys to specific paths, as the controller looks for the “username”, “password”, and “url” files directly within the credentials directory.
See example-gtm-bigip-credentials-directory.yaml
for a deployment example.
VXLAN¶
Parameter | Type | Required | Default | Description | Allowed Values | Agent |
---|---|---|---|---|---|---|
openshift-sdn-name | String | Optional | N/A | Name of the VXLAN tunnel on the BIG-IP system that corresponds to an OpenShift SDN HostSubnet. Only applicable in OpenShift. |
Both AS3 and CCCL | |
flannel-name | String | Optional | N/A | Name of the VXLAN tunnel on the BIG-IP system that corresponds to a Flannel subnet. | CCCL |
Kubernetes¶
Parameter | Type | Required | Default | Description | Allowed Values | Agent |
---|---|---|---|---|---|---|
default-ingress-ip | String | Optional | N/A | The controller configures a virtual
server at this IP address for all
Ingresses with the annotation:
virtual-server.f5.com/ip:
'controller-default' |
Both AS3 and CCCL | |
kubeconfig | String | Optional | ./config | Path to the kubeconfig file | Both AS3 and CCCL | |
manage-configmaps | Boolean | Optional | true | Tells the controller whether or not to watch Kubernetes ConfigMaps and apply their configuration. If false, the controller will ignore ConfigMap events. | true, false | Both AS3 and CCCL |
namespace | String | Optional | All | Kubernetes namespace(s) to watch
|
Both AS3 and CCCL | |
namespace-label | String | Optional | N/A | Tells the k8s-bigip-ctlr to watch
any namespace with this label |
Both AS3 and CCCL | |
node-label-selector | String | Optional | N/A | Tells the k8s-bigip-ctlr to watch
only nodes with this label |
Both AS3 and CCCL | |
pool-member-type | String | Optional | nodeport | The type of BIG-IP pool members you want to create. Use Use |
cluster, nodeport | Both AS3 and CCCL |
resolve-ingress-names | String | Optional | N/A | Tells the controller to resolve the first Host in an Ingress resource to an IP address. This IP address will be used as the virtual server address for the Ingress resource. A value of “LOOKUP” will use local DNS to resolve the Host. Any other value is a custom DNS server and the controller sends resolution queries through that server instead. Specifying the flag with no argument will default to LOOKUP. |
Not Supported | |
running-in-cluster | Boolean | Optional | true | Indicates whether or not a
kubernetes cluster started
k8s-bigip-ctlr |
true, false | Both AS3 and CCCL |
use-node-internal | Boolean | Optional | true | filter Kubernetes InternalIP addresses for pool members | true, false | Both AS3 and CCCL |
use-secrets | Boolean | Optional | true | Tells the controller whether or not to load SSL profiles from Kubernetes Secrets for Ingresses and ConfigMaps. If false, the controller will only use profiles from the BIG-IP system. | true, false | Both AS3 and CCCL |
manage-ingress | Boolean | Optional | true | Tells the controller whether or not to watch Kubernetes ingress and apply their configuration. If false, the controller will ignore ingress events. | true, false | Both AS3 and CCCL |
manage-ingress-class- only | Boolean | Optional | true | Process all ingress resources without
kubernetes.io/ingress.class +
“annotation and ingresses with
annotation
kubernetes.io/ingress.class=f5 ”. |
true, false | AS3 |
ingress-class | String | Optional | F5 | A class of the Ingress controller. The
Ingress controller only processes
Ingress resources that belong to its
class–i.e. have the annotation
kubernetes.io/ingress.class equal
to the class. Additionally, the Ingress
controller processes Ingress resources
that do not have that annotation, which
can be disabled by setting the
-manage-ingress-class-only flag. |
true, false | AS3 |
Note
Use the node-label-selector
parameter if you only want the controller to manage specific nodes from the cluster.
For example, the BIG-IP device may not be able to reach certain nodes, or the BIG-IP device already manages certain
nodes. Therefore, the controller should only watch the nodes that match the environmental constraints (by using a label).
OpenShift Routes¶
The following configuration parameters only apply to OpenShift.
Parameter | Type | Required | Default | Description | Allowed Values | Agent |
---|---|---|---|---|---|---|
custom-client-ssl | String | Optional | N/A | Specifies the name of a custom client SSL profile attached to the route HTTPS virtual server and used as default for SNI. This profile must have the Default for SNI field enabled. | CCCL | |
custom-server-ssl | String | Optional | N/A | Specifies the name of a custom server SSL profile attached to the route HTTPS virtual server and used as default for SNI. This profile must have the Default for SNI field enabled. | CCCL | |
manage-routes | Boolean | Optional | false | Indicates if k8s-bigip-ctlr should
handle OpenShift Route objects. |
true, false | Both AS3 and CCCL |
route-http-vserver | String | Optional | ose-vserver | The name of the http virtual server for OpenShift Routes. | Both AS3 and CCCL | |
route-https-vserver | String | Optional | https-ose-vserver | The name of the https virtual server for OpenShift Routes. | Both AS3 and CCCL | |
route-label | String | Optional | N/A | Tells the k8s-bigip-ctlr to only
watch for OpenShift Route objects with
the f5type label set to this value. |
Both AS3 and CCCL | |
route-vserver-addr | String | Optional | N/A | Bind address for virtual server for OpenShift Route objects. | Both AS3 and CCCL | |
default-client-ssl | String | Optional | N/A | Name of the default client ssl profile. | Both AS3 and CCCL | |
default-server-ssl | String | Optional | N/A | Name of the default server ssl profile. | Both AS3 and CCCL | |
tls-version | String | Optional | 1.2 | Configures TLS version to be enabled on BIG-IP. TLS 1.3 is only supported on TMOS version 14.0+. | Only AS3 | |
cipher-group | String | Optional | N/A | Configures a cipher group in BIG-IP and reference it here. Cipher group and ciphers are mutually exclusive, only use one. | Only AS3 | |
ciphers | String | Optional | N/A | Configures a ciphersuite selection string. Cipher-group and ciphers are mutually exclusive, only use one. | Only AS3 |
Note
If the custom-client-ssl
or custom-server-ssl
parameters are not provided, then the controller creates default
clientssl and serverssl profiles for the OpenShift Route HTTPS virtual server. The controller sets these profiles as
Default for SNI.
AS3 Parameters¶
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
as3-validation | Boolean | Optional | true | When set to false, this disables AS3 template validation on the controller. |
insecure | Boolean | Optional | false | When set to true, this enables insecure SSL communication to the BIG-IP system. |
trusted-certs-cfgmap | String | Required | N/A | When certificates are provided, adds them to controller’s trusted certificate store. |
as3-post-delay | int | Optional | N/A | Specifies the time, in seconds, that CIS waits to post the available AS3 declaration. |
log-as3-response | Boolean | Optional | false | When set to true, adds the body of AS3 API response in Controller logs. |
override-as3- declaration | String | Optional | N/A | Provide Namespace and Name of the ConfigMap as <namespace>/<configmap-name>. The JSON key/values from this ConfigMap will oerride key/values from internally generated AS3 declaration. |
filter-tenants | Boolean | Optional | false | Specifies whether or not the use tenant filtering API for AS3 declaration. |
share-nodes | Boolean | Optional | false | When set to true, the pool member node
is created on /Common partition,
which can be shared among multiple
tenants. |
CIS Health Checks¶
Kubernetes has two types of health checks:
- Readiness Probes: To determine when a pod is ready
- Liveness Probes: To determine when a pod is healthy or unhealthy after it has become ready
Readiness Probes Kubernetes uses readiness probes to decide when the container is available for accepting traffic. The readiness probe controls which pods to use as the backend for a service. A pod is considered ready when all of its containers are ready. If a pod is not ready, it is removed from service load balancers. For example, if a container loads a large cache at start-up and takes minutes to start, you should not send requests to this container until it is ready, or the requests will fail. Instead, route requests to other pods, which are capable of servicing requests.
Liveness Probes Kubernetes uses liveness probes to know when to restart a container. If a container is unresponsive, the application could be deadlocked due to a multi-threading defect. Restarting the container can make the application more available.
These are the methods you can use to check container status:
- HTTP request to the pod
- Command execution to the pod
- TCP request to the pod
Probes are defined on a container in a deployment.
Here is an example of the deployment using HTTP method:
Parameter | Description |
---|---|
periodSeconds | specifies that the kubelet should perform a liveness probe every 3 seconds. |
initialDelaySeconds | tells the kubelet that it should wait 3 seconds before performing the first probe |
timeOutSeconds | how long to wait for the probe to finish. If this time is exceeded, OpenShift Container Platform considers the probe to have failed. |
The kubelet uses a web hook to determine the healthiness of the container. The check is successful if the HTTP response code is between 200
and 399
.
To perform a probe, the kubelet sends an HTTP GET request to the server that is running in the Container and listening on port 8080. The handler for the server’s /health path returns a success code. For example:
livenessProbe:
failureThreshold: 3
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 15
readinessProbe:
failureThreshold: 3
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 15
To view the liveness and readiness of the deployed pod, run the command Kubectl describe pod <pod_name> -n kube-system
. Here is the example output:
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
- --log-level=debug
terminationMessagePolicy: Fileermination-log
--log-level=debug
--namespace=default
--route-label=systest
--insecure=true
--agent=cccl
Liveness: http-get http://:8080/health delay=15s timeout=15s period=15s #success=1 #failure=3
Readiness: http-get http://:8080/health delay=30s timeout=15s period=30s #success=1 #failure=3
Environment: <none>
Mounts: <none>
Volumes: <none>
curl http://<self-ip>:<port no>/health
shows a response of OK.