Custom Resource Definitions¶
Overview of CRDs¶
This page describes CIS in CRD Mode.
What are CRDs?
- Custom resources are extensions of the Kubernetes API.
- A resource is an endpoint in the Kubernetes API that stores a collection of API objects. For example, the built-in pods resource contains a collection of Pod objects.
- A custom resource is an extension of the Kubernetes API that is not necessarily available in a default Kubernetes installation. It represents a customization of a particular Kubernetes installation. However, many core Kubernetes functions are now built using custom resources, making Kubernetes more modular.
- Custom resources can appear and disappear in a running cluster through dynamic registration, and cluster admins can update custom resources independently of the cluster itself. Once a custom resource is installed, users can create and access its objects using kubectl, just as they do for built-in resources like Pods.
- CIS supports the following Custom Resources:
How CIS works with CRDs
- CIS registers to the Kubernetes client-go using informers to retrieve Virtual Server, TLSProfile, Service, Endpoint and Node create, update and delete events. Resources identified from such events will be pushed to a Resource Queue maintained by CIS.
- The Resource Queue holds the resources to be processed.
- Virtual Server is the Primary citizen. Any changes in TLSProfile, Service, Endpoint, or Node will process their affected Virtual Servers. For example, If svc-a is part of foo-VirtualServer and bar-VirtualServer, any changes in svc-a will put foo-VirtualServer and bar-VirtualServer in the resource queue.
- Worker fetches the affected Virtual Servers from Resource Queue to populate a common structure which holds the configuration of all the Virtual Servers such as TLSProfile, Virtual Server IP, Pool Members and L7 LTM policy actions.
- VXLAN Manager prepares the BIG-IP NET configuration as AS3 cannot process FDB and ARP entries.
- LTM Configuration (using AS3) and NET Configuration (using CCCL) is created in CIS Managed Partition defined by the user.
- Migrating from AS3 ConfigMaps to CRDs
Important
- You must configure the CRD schema before creating CIS. Run the command
kubectl create -f customresourcedefinitions.yml [-n kube-system]after you install F5 CRDs. The customresourcefinitions file is available on GitHub. --custom-resource-mode=truedeploys CIS in Custom Resource Mode.- CIS does not watch for Ingress/Routes/ConfigMaps when deployed in CRD Mode.
- CIS does not support combination of CRDs with any of Ingress/Routes and ConfigMaps.
- CRDs are supported in Kubernetes from versions 1.16+.
Valid Configuration Parameters for CRDs¶
AS3 Parameters¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| as3-validation | Boolean | Optional | true | When set to false, this disables AS3 template validation on the controller. |
| insecure | Boolean | Optional | false | When set to true, this enables insecure SSL communication to the BIG-IP system. |
| trusted-certs-cfgmap | String | Required | N/A | When certificates are provided, adds them to controller’s trusted certificate store. |
| log-as3-response | Boolean | Optional | false | When set to true, adds the body of AS3 API response in Controller logs. |
| enable-ipv6 | Boolean | Optional | false | When set to true, it enables IPv6 network support. Available with CIS version 2.7.0+. |
Kubernetes Parameters¶
| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| kubeconfig | String | Optional | ./config | Path to the kubeconfig file | Both AS3 and CCCL | |
| namespace | String | Optional | All | Kubernetes namespace(s) to watch
|
Both AS3 and CCCL | |
| namespace-label | String | Optional | N/A | Tells the k8s-bigip-ctlr to watch
any namespace with this label |
Both AS3 and CCCL | |
| node-label-selector | String | Optional | N/A | Tells the k8s-bigip-ctlr to watch
only nodes with this label |
Both AS3 and CCCL | |
| pool-member-type | String | Optional | nodeport | The type of BIG-IP pool members you want to create. Use Use |
cluster, nodeport | Both AS3 and CCCL |
| running-in-cluster | Boolean | Optional | true | Indicates whether or not a
Kubernetes cluster started
k8s-bigip-ctlr |
true, false | Both AS3 and CCCL |
| use-node-internal | Boolean | Optional | true | filter Kubernetes InternalIP addresses for pool members | true, false | Both AS3 and CCCL |
General Parameters¶
| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| http-listen-address | String | Optional | “0.0.0.0:8080” | Address at which to serve HTTP-based
information (for example, /metrics,
health) to Prometheus. |
Both AS3 and CCCL | |
| log-level | String | Optional | INFO | Log level | INFO, DEBUG, CRITICAL, WARNING, ERROR | Both AS3 and CCCL |
| node-poll-interval | Integer | Optional | 30 | In seconds, the interval at which the CIS polls the cluster to find all node members. | Both AS3 and CCCL | |
| python-basedir | String | Optional | /app/python | Path to the python utilities directory. | CCCL | |
| schema-db-base-dir | String | Optional | file:///app/vendor/src/f5/schemas | Path to the directory containing the F5 schema db. | CCCL | |
| verify-interval | Integer | N/A | 30 | In seconds, the interval at which the CIS verifies that the BIG-IP configuration matches the state of the orchestration system. | For CCCL, LTM and NET For AS3, only NET |
|
| agent | String | Optional | AS3 | You can also change the value to CCCL
for CCCL mode. |
AS3, CCCL | Both AS3 and CCCL |
| version | Boolean | Optional | false | Print CIS version | Both AS3 and CCCL |
BIG-IP system Parameters¶
| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| bigip-partition | String | Required | N/A | The BIG-IP partition in which to configure objects. | Both AS3 and CCCL | |
| bigip-password | String | Required | N/A | BIG-IP iControl REST password You can secure your BIG-IP credentials using a Kubernetes Secret. |
Both AS3 and CCCL | |
| bigip-url | String | Required | N/A | BIG-IP admin IP address | Both AS3 and CCCL | |
| bigip-username | String | Required | N/A | BIG-IP iControl REST username The BIG-IP user account must have the appropriate role defined: For For |
Both AS3 and CCCL | |
| credentials-directory | String | Optional | N/A | Directory that contains the BIG-IP username, password, or url files | Both AS3 and CCCL |
VXLAN Parameters¶
| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| openshift-sdn-name | String | Optional | N/A | Name of the VXLAN tunnel on the BIG-IP system that corresponds to an OpenShift SDN HostSubnet. Only applicable in OpenShift. |
Both AS3 and CCCL | |
| flannel-name | String | Optional | N/A | Name of the VXLAN tunnel on the BIG-IP system that corresponds to a Flannel subnet. | CCCL |
Examples Repository¶
Note
To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.