Configuration Parameters

All of the configuration parameters below are global.

General

| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| http-listen-address | string | Optional | "0.0.0.0:8080" | Address at which to serve HTTP-based information (for example, /metrics, health) to Prometheus | | Both AS3 and CCCL |
| log-level | string | Optional | INFO | Log level | INFO, DEBUG, CRITICAL, WARNING, ERROR | Both AS3 and CCCL |
| node-poll-interval | integer | Optional | 30 | In seconds, the interval at which the CIS polls the cluster to find all node members. | | Both AS3 and CCCL |
| python-basedir | string | Optional | /app/python | Path to the python utilities directory | | CCCL |
| schema-db-base-dir | string | Optional | file:///app/vendor/src/f5/schemas | Path to the directory containing the F5 schema db | | CCCL |
| verify-interval | integer | n/a | 30 | In seconds, the interval at which the CIS verifies that the BIG-IP configuration matches the state of the orchestration system. This value is not currently configurable. | | For CCCL: LTM and NET. For AS3: only NET |
| vs-snat-pool-name | string | Optional | n/a | Name of the SNAT pool that all virtual servers will reference. If it is not set, virtual servers use automap SNAT. | | CCCL |
| agent | string | Optional | AS3 | Selects the agent. Change the value to CCCL for CCCL mode. | AS3, CCCL | Both AS3 and CCCL |
| version | boolean | Optional | false | Print CIS version | | Both AS3 and CCCL |

Note

  • The python-basedir setting lets you specify the path to an alternate python agent that can bridge between the CIS and F5 CCCL.
  • The time it takes for the CIS to reapply the system configurations to the BIG-IP device is normally low (a few ms) and won’t cause service disruption.
  • Use vs-snat-pool-name if you want virtual servers to reference a SNAT pool that already exists in the /Common partition on the BIG-IP device. See Overview of SNAT features on AskF5 for more information.

BIG-IP system

| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| bigip-partition | string | Required | n/a | The BIG-IP partition in which to configure objects. | | Both AS3 and CCCL |
| bigip-password | string | Required | n/a | BIG-IP iControl REST password. You can secure your BIG-IP credentials using a Kubernetes Secret. | | Both AS3 and CCCL |
| bigip-url | string | Required | n/a | BIG-IP admin IP address | | Both AS3 and CCCL |
| bigip-username | string | Required | n/a | BIG-IP iControl REST username. The BIG-IP user account must have the appropriate role defined: for nodeport type pool members, the role must be Administrator; for cluster type pool members, the role must be Administrator. | | Both AS3 and CCCL |
| credentials-directory | string | Optional | n/a | Directory that contains the BIG-IP username, password, or url files | | Both AS3 and CCCL |

Important

The credentials-directory option is an alternative to using the bigip-username, bigip-password, or bigip-url arguments.

When you use this argument, the controller looks for three files in the specified directory: "username", "password", and "url".

If any of these files do not exist, the controller falls back to using the CLI arguments as parameters.

Each file should contain only the username, password, and url, respectively. You can create and mount the files as Kubernetes Secrets.

It is important to not project the Secret keys to specific paths, as the controller looks for the “username”, “password”, and “url” files directly within the credentials directory.

See example-bigip-credentials-directory.yaml for a deployment example.
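The lookup rule described above (all three files directly in the directory, otherwise the CLI arguments are used) is easy to get wrong when a Secret is projected to a sub-path. The following Python is an added example, not the controller's own code, that models that rule and demonstrates the failure mode: a correctly mounted directory is used, while files projected one level down are silently ignored and the controller falls back to the command-line values. The file contents and the `demo()` scenarios are constructed.

```python
"""Model of the credentials-directory lookup (example code, not part of CIS).

The controller reads "username", "password" and "url" directly from the
directory; if any one of them is absent it uses the --bigip-* CLI arguments
instead, for all three values.
"""
import os
import tempfile

CRED_FILES = ("username", "password", "url")


def resolve_bigip_credentials(directory, cli_args):
    """Return ("directory", creds) or ("cli", creds).

    cli_args maps username/password/url to the values given as
    --bigip-username, --bigip-password and --bigip-url (any may be None).
    """
    if directory:
        paths = {name: os.path.join(directory, name) for name in CRED_FILES}
        # All three must exist; a partial directory is not used at all.
        if all(os.path.isfile(p) for p in paths.values()):
            creds = {}
            for name, path in paths.items():
                with open(path, encoding="utf-8") as fh:
                    creds[name] = fh.read().strip()  # each file holds only the value
            return "directory", creds
    # Fallback: the CLI arguments, which may be missing or empty.
    return "cli", {name: cli_args.get(name) for name in CRED_FILES}


def demo():
    """Constructed scenarios: a correct mount and a mis-projected one."""
    cli = {"username": "admin", "password": "from-cli", "url": "https://192.0.2.10"}
    results = {}
    with tempfile.TemporaryDirectory() as good:
        secret = {"username": "svc-cis", "password": "from-secret", "url": "https://192.0.2.10"}
        for name, value in secret.items():
            with open(os.path.join(good, name), "w", encoding="utf-8") as fh:
                fh.write(value + "\n")
        results["correct"] = resolve_bigip_credentials(good, cli)
    with tempfile.TemporaryDirectory() as bad:
        # Keys projected to "<dir>/secrets/<key>": not where the controller looks.
        sub = os.path.join(bad, "secrets")
        os.mkdir(sub)
        for name in CRED_FILES:
            with open(os.path.join(sub, name), "w", encoding="utf-8") as fh:
                fh.write("unused")
        results["projected"] = resolve_bigip_credentials(bad, cli)
    return results


if __name__ == "__main__":
    for scenario, (source, creds) in demo().items():
        print(scenario, "->", source, creds["username"])
```

Because the fallback is all-or-nothing and silent, a deployment that mounts the Secret with an `items`/`path` projection ends up authenticating with whatever `--bigip-*` values are in the pod spec, which is worth checking before the first rollout.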

VXLAN

| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| openshift-sdn-name | string | Optional | n/a | Name of the VXLAN tunnel on the BIG-IP system that corresponds to an OpenShift SDN HostSubnet. Only applicable in OpenShift. | | Both AS3 and CCCL |
| flannel-name | string | Optional | n/a | Name of the VXLAN tunnel on the BIG-IP system that corresponds to a Flannel subnet. | | CCCL |

Kubernetes

| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| default-ingress-ip | string | Optional | n/a | The controller configures a virtual server at this IP address for all Ingresses with the annotation virtual-server.f5.com/ip: 'controller-default' | | Both AS3 and CCCL |
| kubeconfig | string | Optional | ./config | Path to the kubeconfig file | | Both AS3 and CCCL |
| manage-configmaps | boolean | Optional | true | Tells the controller whether or not to watch Kubernetes ConfigMaps and apply their configuration. If false, the controller will ignore ConfigMap events. | true, false | Both AS3 and CCCL |
| namespace | string | Optional | All | Kubernetes namespace(s) to watch. May be a comma-separated list; watches all namespaces by default. | | Both AS3 and CCCL |
| namespace-label | string | Optional | n/a | Tells the k8s-bigip-ctlr to watch any namespace with this label | | Both AS3 and CCCL |
| node-label-selector | string | Optional | n/a | Tells the k8s-bigip-ctlr to watch only nodes with this label | | Both AS3 and CCCL |
| pool-member-type | string | Optional | nodeport | The type of BIG-IP pool members you want to create. Use cluster to create pool members for each of the endpoints for the Service (the pod's InternalIP). Use nodeport to create pool members for each schedulable node using the Service's NodePort. | cluster, nodeport | Both AS3 and CCCL |
| resolve-ingress-names | string | Optional | n/a | Tells the controller to resolve the first Host in an Ingress resource to an IP address, which is then used as the virtual server address for the Ingress resource. A value of "LOOKUP" uses local DNS to resolve the Host; any other value is treated as a custom DNS server, and the controller sends resolution queries through that server instead. Specifying the flag with no argument defaults to LOOKUP. | | Not Supported |
| running-in-cluster | boolean | Optional | true | Indicates whether k8s-bigip-ctlr was started by (is running inside) a Kubernetes cluster | true, false | Both AS3 and CCCL |
| use-node-internal | boolean | Optional | true | Filter Kubernetes InternalIP addresses for pool members | true, false | Both AS3 and CCCL |
| use-secrets | boolean | Optional | true | Tells the controller whether or not to load SSL profiles from Kubernetes Secrets for Ingresses and ConfigMaps. If false, the controller will only use profiles from the BIG-IP system. | true, false | Both AS3 and CCCL |
| manage-ingress | boolean | Optional | true | Tells the controller whether or not to watch Kubernetes Ingresses and apply their configuration. If false, the controller will ignore Ingress events. | true, false | Both AS3 and CCCL |
| manage-ingress-class-only | boolean | Optional | true | Process all Ingress resources without the kubernetes.io/ingress.class annotation and Ingresses with the annotation kubernetes.io/ingress.class=f5. | true, false | AS3 |
| ingress-class | string | Optional | F5 | A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its class, i.e. have the annotation kubernetes.io/ingress.class equal to the class. Additionally, the Ingress controller processes Ingress resources that do not have that annotation, which can be disabled by setting the -manage-ingress-class-only flag. | true, false | AS3 |

Note

Use the node-label-selector parameter if you only want the controller to manage specific nodes from the cluster. For example, the BIG-IP device may not be able to reach certain nodes, or the BIG-IP device already manages certain nodes. Therefore, the controller should only watch the nodes that match the environmental constraints (by using a label).
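The namespace and Ingress-class rows above together decide which Ingress objects the controller acts on. The following Python is an added example, not the controller's code, that models those two rules as stated in the table: `--namespace` as a comma-separated list (empty meaning all namespaces), and an Ingress processed when its kubernetes.io/ingress.class annotation equals the configured class, or when it has no annotation and manage-ingress-class-only is not set. The case-insensitive class comparison and the sample Ingress objects are this example's own assumptions.

```python
"""Which Ingresses does CIS pick up? (example code, not part of CIS)"""

INGRESS_CLASS_ANNOTATION = "kubernetes.io/ingress.class"


def parse_namespaces(flag_value):
    """--namespace accepts a comma-separated list; unset or empty means all."""
    if not flag_value:
        return set()  # empty set == watch every namespace
    return {ns.strip() for ns in flag_value.split(",") if ns.strip()}


def namespace_watched(namespace, watched):
    return not watched or namespace in watched


def ingress_class_matches(annotations, ingress_class, manage_ingress_class_only):
    """Rule from the ingress-class row: annotation equal to the class is
    processed; no annotation is processed unless manage-ingress-class-only."""
    value = annotations.get(INGRESS_CLASS_ANNOTATION)
    if value is None:
        return not manage_ingress_class_only
    # Assumption: the class name is compared case-insensitively (default "F5",
    # annotation value "f5" in the table).
    return value.lower() == ingress_class.lower()


def select_ingresses(ingresses, namespace_flag, ingress_class="F5",
                     manage_ingress_class_only=False):
    """Return "<namespace>/<name>" for every Ingress the controller would process."""
    watched = parse_namespaces(namespace_flag)
    return [
        f"{ing['namespace']}/{ing['name']}"
        for ing in ingresses
        if namespace_watched(ing["namespace"], watched)
        and ingress_class_matches(ing.get("annotations", {}),
                                  ingress_class, manage_ingress_class_only)
    ]


# Constructed sample Ingresses (not taken from a real cluster).
SAMPLE_INGRESSES = [
    {"namespace": "default", "name": "web",
     "annotations": {INGRESS_CLASS_ANNOTATION: "f5"}},
    {"namespace": "default", "name": "legacy", "annotations": {}},
    {"namespace": "default", "name": "nginx-app",
     "annotations": {INGRESS_CLASS_ANNOTATION: "nginx"}},
    {"namespace": "team-a", "name": "api",
     "annotations": {INGRESS_CLASS_ANNOTATION: "f5"}},
]

if __name__ == "__main__":
    print(select_ingresses(SAMPLE_INGRESSES, ""))
    print(select_ingresses(SAMPLE_INGRESSES, "", manage_ingress_class_only=True))
```

The unannotated "legacy" Ingress is the one to watch in a shared cluster: with manage-ingress-class-only unset it is claimed by CIS even though nobody labelled it for F5, so the flag is the right way to keep an F5 controller from absorbing Ingresses meant for another controller.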

OpenShift Routes

The following configuration parameters only apply to OpenShift.

| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| custom-client-ssl | string | Optional | n/a | Specifies the name of a custom client SSL profile attached to the route HTTPS virtual server and used as default for SNI. This profile must have the Default for SNI field enabled. | | CCCL |
| custom-server-ssl | string | Optional | n/a | Specifies the name of a custom server SSL profile attached to the route HTTPS virtual server and used as default for SNI. This profile must have the Default for SNI field enabled. | | CCCL |
| manage-routes | boolean | Optional | false | Indicates if k8s-bigip-ctlr should handle OpenShift Route objects. | true, false | Both AS3 and CCCL |
| route-http-vserver | string | Optional | ose-vserver | The name of the HTTP virtual server for OpenShift Routes. | | Both AS3 and CCCL |
| route-https-vserver | string | Optional | https-ose-vserver | The name of the HTTPS virtual server for OpenShift Routes. | | Both AS3 and CCCL |
| route-label | string | Optional | n/a | Tells the k8s-bigip-ctlr to only watch for OpenShift Route objects with the f5type label set to this value. | | Both AS3 and CCCL |
| route-vserver-addr | string | Optional | n/a | Bind address for the virtual server for OpenShift Route objects. | | Both AS3 and CCCL |
| default-client-ssl | string | Optional | n/a | Name of the default client SSL profile. | | Both AS3 and CCCL |
| default-server-ssl | string | Optional | n/a | Name of the default server SSL profile. | | Both AS3 and CCCL |
| tls-version | string | Optional | 1.2 | Configures the TLS version to be enabled on BIG-IP. TLS 1.3 is only supported on TMOS version 14.0+. | | Only AS3 |
| cipher-group | string | Optional | n/a | References a cipher group configured on the BIG-IP. Cipher group and ciphers are mutually exclusive; use only one. | | Only AS3 |
| ciphers | string | Optional | n/a | Configures a ciphersuite selection string. Cipher-group and ciphers are mutually exclusive; use only one. | | Only AS3 |

Note

If the custom-client-ssl or custom-server-ssl parameters are not provided, then the controller creates default clientssl and serverssl profiles for the OpenShift Route HTTPS virtual server. The controller sets these profiles as Default for SNI.

AS3 Parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| as3-validation | boolean | Optional | true | When set to false, this disables AS3 template validation on the controller. |
| insecure | boolean | Optional | false | When set to true, this enables insecure SSL communication to the BIG-IP system. |
| trusted-certs-cfgmap | string | Required | n/a | When certificates are provided, adds them to the controller's trusted certificate store. |
| as3-post-delay | int | Optional | n/a | Specifies the time, in seconds, that CIS waits to post the available AS3 declaration. |
| log-as3-response | boolean | Optional | false | When set to true, adds the body of the AS3 API response to the controller logs. |
| override-as3-declaration | string | Optional | n/a | Provide the namespace and name of the ConfigMap as <namespace>/<configmap-name>. The JSON key/values from this ConfigMap override key/values from the internally generated AS3 declaration. |
| filter-tenants | boolean | Optional | false | Specifies whether or not to use the tenant filtering API for the AS3 declaration. |
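Several of the flags in the tables above trade safety for convenience (insecure, as3-validation, log-as3-response) or put a secret on the command line (bigip-password). The following Python is an added preflight check, not part of CIS, that reads a container's args list and reports those settings, so the review can happen before the Deployment is applied. Flag names are the ones documented on this page; the severities, the `$(ENV_VAR)` convention for a password taken from a Secret, the argument values in the two sample lists (including the assumed `<namespace>/<name>` form of the trusted-certs-cfgmap value) are this example's own.

```python
"""Preflight lint for k8s-bigip-ctlr container args (example code, not part of CIS)."""
import re

FLAG_RE = re.compile(r"^--?([A-Za-z0-9-]+)(?:=(.*))?$")
ENV_REF_RE = re.compile(r"^\$\([A-Za-z_][A-Za-z0-9_]*\)$")  # e.g. $(BIGIP_PASSWORD)
LOG_LEVELS = {"INFO", "DEBUG", "CRITICAL", "WARNING", "ERROR"}  # from the General table


def parse_args(args):
    """Turn ["--insecure=true", "--log-level=debug"] into a dict.
    A flag given without a value is recorded as "true"."""
    parsed = {}
    for arg in args:
        m = FLAG_RE.match(arg)
        if m:
            parsed[m.group(1)] = m.group(2) if m.group(2) is not None else "true"
    return parsed


def lint_cis_args(args):
    """Return a list of (severity, flag, message); an empty list means no findings."""
    flags = parse_args(args)
    findings = []

    def is_true(name, default="false"):
        return flags.get(name, default).lower() == "true"

    if is_true("insecure"):
        findings.append(("high", "insecure",
                         "SSL verification of the BIG-IP is disabled; add the CA via "
                         "--trusted-certs-cfgmap and set insecure=false"))
    if not is_true("as3-validation", default="true"):
        findings.append(("medium", "as3-validation",
                         "AS3 template validation is disabled on the controller"))
    if is_true("log-as3-response"):
        findings.append(("medium", "log-as3-response",
                         "AS3 API response bodies will be written to controller logs"))
    password = flags.get("bigip-password")
    if password is not None and not ENV_REF_RE.match(password):
        findings.append(("high", "bigip-password",
                         "password is a literal in the pod spec; take it from a Secret "
                         "via $(ENV_VAR) or use --credentials-directory"))
    level = flags.get("log-level", "INFO").upper()
    if level not in LOG_LEVELS:
        findings.append(("low", "log-level", f"unknown log level {level!r}"))
    return findings


# Constructed sample: modelled on the describe output later on this page,
# plus a literal password and response logging.
WEAK_ARGS = [
    "--log-level=debug", "--namespace=default", "--route-label=systest",
    "--insecure=true", "--agent=cccl",
    "--bigip-password=example-literal-pw", "--log-as3-response=true",
]
# Constructed hardened variant (trusted-certs-cfgmap value format assumed).
HARDENED_ARGS = [
    "--log-level=info", "--namespace=default", "--agent=as3",
    "--insecure=false", "--trusted-certs-cfgmap=kube-system/bigip-ca",
    "--credentials-directory=/tmp/creds",
]

if __name__ == "__main__":
    for severity, flag, message in lint_cis_args(WEAK_ARGS):
        print(f"[{severity}] {flag}: {message}")
    print("hardened:", lint_cis_args(HARDENED_ARGS))
```

Run it against the `args:` list of the controller container in your Deployment manifest; `kubectl describe pod` (shown further down) prints the same list, so the check also works on a running pod.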

CIS Health Checks

Kubernetes has two types of health checks:

  • Readiness Probes: To determine when a pod is ready
  • Liveness Probes: To determine when a pod is healthy or unhealthy after it has become ready

Readiness Probes

Kubernetes uses readiness probes to decide when the container is available for accepting traffic. The readiness probe controls which pods to use as the backend for a service. A pod is considered ready when all of its containers are ready. If a pod is not ready, it is removed from service load balancers. For example, if a container loads a large cache at start-up and takes minutes to start, you should not send requests to this container until it is ready, or the requests will fail. Instead, route requests to other pods, which are capable of servicing requests.

Liveness Probes

Kubernetes uses liveness probes to know when to restart a container. If a container is unresponsive, the application could be deadlocked due to a multi-threading defect. Restarting the container can make the application more available.

These are the methods you can use to check container status:

  • HTTP request to the pod
  • Command execution to the pod
  • TCP request to the pod

Probes are defined on a container in a deployment.

Here is an example of the deployment using HTTP method:

| Parameter | Description |
|---|---|
| periodSeconds | Specifies that the kubelet should perform a liveness probe every 3 seconds. |
| initialDelaySeconds | Tells the kubelet that it should wait 3 seconds before performing the first probe. |
| timeoutSeconds | How long to wait for the probe to finish. If this time is exceeded, OpenShift Container Platform considers the probe to have failed. |

The kubelet uses a web hook to determine the healthiness of the container. The check is successful if the HTTP response code is between 200 and 399.

To perform a probe, the kubelet sends an HTTP GET request to the server that is running in the Container and listening on port 8080. The handler for the server’s /health path returns a success code. For example:

livenessProbe:
   failureThreshold: 3
   httpGet:
      path: /health
      port: 8080
      scheme: HTTP
   initialDelaySeconds: 15
   periodSeconds: 15
   successThreshold: 1
   timeoutSeconds: 15
readinessProbe:
   failureThreshold: 3
   httpGet:
      path: /health
      port: 8080
      scheme: HTTP
   initialDelaySeconds: 30
   periodSeconds: 30
   successThreshold: 1
   timeoutSeconds: 15

To view the liveness and readiness of the deployed pod, run kubectl describe pod <pod_name> -n kube-system. Here is example output:

    Args:
      --log-level=debug
      --namespace=default
      --route-label=systest
      --insecure=true
      --agent=cccl
    Liveness:      http-get http://:8080/health delay=15s timeout=15s period=15s #success=1 #failure=3
    Readiness:     http-get http://:8080/health delay=30s timeout=15s period=30s #success=1 #failure=3
    Environment:   <none>
    Mounts:        <none>
Volumes:          <none>

curl http://<self-ip>:<port no>/health shows a response of OK.
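To see the probe semantics from this section in action (an HTTP GET to /health on port 8080, success for any response code from 200 to 399, failure when timeoutSeconds is exceeded), the following Python is an added example that is not part of CIS: a constructed stand-in server that answers "OK" on /health like the curl check above, and a probe function that applies the kubelet's success rule. The server, its port, and the slow-response scenario are this example's own.

```python
"""kubelet-style httpGet probe against a stand-in for the CIS /health endpoint
(example code, not part of CIS)."""
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


class _FakeCisHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: 200 "OK" on /health, 404 elsewhere."""
    slow_paths = set()  # paths made to respond slower than the probe timeout

    def do_GET(self):
        if self.path in self.slow_paths:
            time.sleep(1.0)  # simulate a wedged controller
        if self.path == "/health":
            body = b"OK"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def http_get_probe(host, port, path="/health", timeout=0.3):
    """Mimic the kubelet httpGet probe: success iff the status code is in
    200..399 and the response arrives within the timeout. Returns
    (success, status); status is None when no response was received."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException):  # refused, reset, timed out
        return False, None
    return 200 <= status <= 399, status


def start_fake_cis():
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeCisHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Healthy endpoint, wrong path, and a response slower than timeoutSeconds."""
    server, port = start_fake_cis()
    try:
        healthy = http_get_probe("127.0.0.1", port, "/health")
        missing = http_get_probe("127.0.0.1", port, "/nope")
        _FakeCisHandler.slow_paths.add("/health")
        timed_out = http_get_probe("127.0.0.1", port, "/health", timeout=0.2)
    finally:
        _FakeCisHandler.slow_paths.clear()
        server.shutdown()
        server.server_close()
    return {"healthy": healthy, "missing": missing, "timed_out": timed_out}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: success={result[0]} status={result[1]}")
```

The third scenario is the one the probe settings above are tuned for: with failureThreshold 3 and periodSeconds 15, a controller that stops answering /health within timeoutSeconds is restarted after roughly 45 seconds of consecutive failures.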