Custom Resource Definitions

This page describes CIS in CRD Mode.

What are CRDs?

  • Custom resources are extensions of the Kubernetes API.
  • A resource is an endpoint in the Kubernetes API that stores a collection of API objects. For example, the built-in pods resource contains a collection of Pod objects.
  • A custom resource is an extension of the Kubernetes API that is not necessarily available in a default Kubernetes installation. It represents a customization of a particular Kubernetes installation. However, many core Kubernetes functions are now built using custom resources, making Kubernetes more modular.
  • Custom resources can appear and disappear in a running cluster through dynamic registration, and cluster admins can update custom resources independently of the cluster itself. Once a custom resource is installed, users can create and access its objects using kubectl, just as they do for built-in resources like Pods.
  • CIS supports the following Custom Resources:

How CIS works with CRDs

  • CIS registers with the Kubernetes client-go library using informers to receive create, update and delete events for Virtual Server, TLSProfile, Service, Endpoint and Node resources. Resources identified from such events are pushed to a Resource Queue maintained by CIS.
  • The Resource Queue holds the resources that are waiting to be processed.
  • The Virtual Server is the primary resource. Any change to a TLSProfile, Service, Endpoint or Node causes the Virtual Servers that depend on it to be reprocessed. For example, if svc-a is part of foo-VirtualServer and bar-VirtualServer, any change to svc-a places both foo-VirtualServer and bar-VirtualServer in the Resource Queue.
  • A worker fetches the affected Virtual Servers from the Resource Queue and populates a common structure that holds the configuration of all Virtual Servers, such as the TLSProfile, Virtual Server IP, pool members and L7 LTM policy actions.
  • The VXLAN Manager prepares the BIG-IP NET configuration, because AS3 cannot process FDB and ARP entries.
  • The LTM configuration (using AS3) and the NET configuration (using CCCL) are created in the CIS-managed partition defined by the user.
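The event fan-out described above (a Service, Endpoint, TLSProfile or Node event re-queues every Virtual Server that references it, and the queue processes each Virtual Server once) can be modelled in a few lines. The following is an added example written for this page, not CIS source code: the VirtualServer specs, Service names and TLSProfile names are constructed, and the dependency structure (which Services and TLSProfile a VirtualServer references) is a simplification of the real CRD.

```python
from collections import deque

# Constructed sample of the relationships CIS tracks: which Services each
# VirtualServer references and which TLSProfile it uses. The names are
# illustrative and the spec shape is simplified (assumption, not the real CRD).
VIRTUAL_SERVERS = {
    "foo-VirtualServer": {"services": {"svc-a", "svc-b"}, "tlsprofile": "tls-foo"},
    "bar-VirtualServer": {"services": {"svc-a"}, "tlsprofile": "tls-bar"},
    "baz-VirtualServer": {"services": {"svc-c"}, "tlsprofile": "tls-foo"},
}


def build_index(virtual_servers):
    """Invert the VirtualServer specs into dependency -> VirtualServers maps."""
    by_service, by_tls = {}, {}
    for vs_name, spec in virtual_servers.items():
        for svc in spec["services"]:
            by_service.setdefault(svc, set()).add(vs_name)
        by_tls.setdefault(spec["tlsprofile"], set()).add(vs_name)
    return by_service, by_tls


class ResourceQueue:
    """FIFO of VirtualServers awaiting processing; a name is queued at most once."""

    def __init__(self):
        self._queue = deque()
        self._pending = set()

    def push(self, vs_name):
        if vs_name not in self._pending:
            self._pending.add(vs_name)
            self._queue.append(vs_name)

    def pop(self):
        vs_name = self._queue.popleft()
        self._pending.discard(vs_name)
        return vs_name

    def __len__(self):
        return len(self._queue)


def affected_virtual_servers(kind, name, virtual_servers):
    """Map one informer event (kind, object name) to the VirtualServers to reprocess."""
    by_service, by_tls = build_index(virtual_servers)
    if kind == "VirtualServer":
        # A VirtualServer event (including delete) always reprocesses itself.
        return {name}
    if kind in ("Service", "Endpoint"):
        # Endpoints objects carry the same name as their Service.
        return by_service.get(name, set())
    if kind == "TLSProfile":
        return by_tls.get(name, set())
    if kind == "Node":
        # Node changes can alter pool members for every VirtualServer.
        return set(virtual_servers)
    raise ValueError(f"unwatched resource kind: {kind}")


def process_events(events, virtual_servers=VIRTUAL_SERVERS):
    """Queue the VirtualServers affected by a batch of events, then drain the queue.

    Returns the order in which the worker would process them; duplicates
    collapse because the queue tracks what is already pending.
    """
    queue = ResourceQueue()
    for kind, name in events:
        for vs_name in sorted(affected_virtual_servers(kind, name, virtual_servers)):
            queue.push(vs_name)
    processed = []
    while len(queue):
        processed.append(queue.pop())
    return processed


if __name__ == "__main__":
    # svc-a touches foo and bar; the Endpoint event for svc-a is a duplicate;
    # tls-foo adds baz (foo is already pending).
    print(process_events([("Service", "svc-a"), ("Endpoint", "svc-a"), ("TLSProfile", "tls-foo")]))
```

The point of the `_pending` set is that a burst of Endpoint updates for one Service does not rebuild the same Virtual Server many times; the worker only ever sees each Virtual Server once per drain of the queue.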

Important

  • You must configure the CRD schema before deploying CIS. Run the command kubectl create -f customresourcedefinitions.yml [-n kube-system] after you install the F5 CRDs. The customresourcedefinitions file is available on GitHub.
  • --custom-resource-mode=true deploys CIS in Custom Resource Mode.
  • CIS does not watch Ingress, Routes or ConfigMaps when deployed in CRD Mode.
  • CIS does not support combining CRDs with Ingress, Routes or ConfigMaps.
  • CRDs are supported in Kubernetes versions 1.16 and later.

Examples Repository

View more examples on GitHub.

Valid Configuration Parameters for CRDs

AS3 Parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| as3-validation | Boolean | Optional | true | When set to false, this disables AS3 template validation on the controller. |
| insecure | Boolean | Optional | false | When set to true, this enables insecure SSL communication to the BIG-IP system. |
| trusted-certs-cfgmap | String | Required | N/A | When certificates are provided, adds them to the controller's trusted certificate store. |
| log-as3-response | Boolean | Optional | false | When set to true, adds the body of the AS3 API response to the controller logs. |

Kubernetes Parameters

| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| kubeconfig | String | Optional | ./config | Path to the kubeconfig file | | Both AS3 and CCCL |
| namespace | String | Optional | All | Kubernetes namespace(s) to watch. To specify multiple namespaces, use multiple --namespace flags. Watches all namespaces by default. | | Both AS3 and CCCL |
| namespace-label | String | Optional | N/A | Tells the k8s-bigip-ctlr to watch any namespace with this label | | Both AS3 and CCCL |
| node-label-selector | String | Optional | N/A | Tells the k8s-bigip-ctlr to watch only nodes with this label | | Both AS3 and CCCL |
| pool-member-type | String | Optional | nodeport | The type of BIG-IP pool members you want to create. Use cluster to create pool members for each of the endpoints of the Service (the pod's InternalIP). Use nodeport to create pool members for each schedulable node using the Service's NodePort. | cluster, nodeport | Both AS3 and CCCL |
| running-in-cluster | Boolean | Optional | true | Indicates whether or not a Kubernetes cluster started k8s-bigip-ctlr | true, false | Both AS3 and CCCL |
| use-node-internal | Boolean | Optional | true | Filter Kubernetes InternalIP addresses for pool members | true, false | Both AS3 and CCCL |

General Parameters

| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| http-listen-address | String | Optional | "0.0.0.0:8080" | Address at which to serve HTTP-based information (for example, /metrics, health) to Prometheus. | | Both AS3 and CCCL |
| log-level | String | Optional | INFO | Log level | INFO, DEBUG, CRITICAL, WARNING, ERROR | Both AS3 and CCCL |
| node-poll-interval | Integer | Optional | 30 | In seconds, the interval at which CIS polls the cluster to find all node members. | | Both AS3 and CCCL |
| python-basedir | String | Optional | /app/python | Path to the python utilities directory. | | CCCL |
| schema-db-base-dir | String | Optional | file:///app/vendor/src/f5/schemas | Path to the directory containing the F5 schema db. | | CCCL |
| verify-interval | Integer | N/A | 30 | In seconds, the interval at which CIS verifies that the BIG-IP configuration matches the state of the orchestration system. | | For CCCL, LTM and NET; for AS3, only NET |
| agent | String | Optional | AS3 | You can also change the value to CCCL for CCCL mode. | AS3, CCCL | Both AS3 and CCCL |
| version | Boolean | Optional | false | Print CIS version | | Both AS3 and CCCL |

BIG-IP system Parameters

| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| bigip-partition | String | Required | N/A | The BIG-IP partition in which to configure objects. | | Both AS3 and CCCL |
| bigip-password | String | Required | N/A | BIG-IP iControl REST password. You can secure your BIG-IP credentials using a Kubernetes Secret. | | Both AS3 and CCCL |
| bigip-url | String | Required | N/A | BIG-IP admin IP address | | Both AS3 and CCCL |
| bigip-username | String | Required | N/A | BIG-IP iControl REST username. The BIG-IP user account must have the appropriate role defined: for nodeport type pool members, the role must be Administrator; for cluster type pool members, the role must be Administrator. | | Both AS3 and CCCL |
| credentials-directory | String | Optional | N/A | Directory that contains the BIG-IP username, password, or url files | | Both AS3 and CCCL |

VXLAN Parameters

| Parameter | Type | Required | Default | Description | Allowed Values | Agent |
|---|---|---|---|---|---|---|
| openshift-sdn-name | String | Optional | N/A | Name of the VXLAN tunnel on the BIG-IP system that corresponds to an OpenShift SDN HostSubnet. Only applicable in OpenShift. | | Both AS3 and CCCL |
| flannel-name | String | Optional | N/A | Name of the VXLAN tunnel on the BIG-IP system that corresponds to a Flannel subnet. | | CCCL |
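The parameter tables above define a small contract for the CIS container's arguments: required flags, allowed values, which flags apply only to the CCCL agent, and a few settings (insecure, as3-validation, an inline bigip-password) that weaken the deployment if set carelessly. The following linter, an added example written for this page and not part of CIS or its deployment manifests, checks an argument list against that contract before it is applied. Two assumptions are labelled in the code: that --credentials-directory can stand in for the three bigip-* flags (the table describes it as holding the username, password or url files), and that a value of the form $(NAME) is a reference to a container environment variable, which is how a Kubernetes Secret is normally injected into args. The sample argument lists and the 192.0.2.10 address are constructed.

```python
import re

# Allowed values and agent scoping as given in the parameter tables on this page.
ALLOWED = {
    "pool-member-type": {"cluster", "nodeport"},
    "log-level": {"INFO", "DEBUG", "CRITICAL", "WARNING", "ERROR"},
    "agent": {"AS3", "CCCL"},
}
BOOLEAN = {"as3-validation", "insecure", "log-as3-response", "running-in-cluster",
           "use-node-internal", "version", "custom-resource-mode"}
INTEGER = {"node-poll-interval", "verify-interval"}
CCCL_ONLY = {"python-basedir", "schema-db-base-dir", "flannel-name"}
REQUIRED = {"bigip-partition", "bigip-url"}
# Assumption: the username/password flags may be replaced by --credentials-directory.
CREDENTIAL_FLAGS = {"bigip-username", "bigip-password"}

FLAG_RE = re.compile(r"^--([a-z0-9-]+)(?:=(.*))?$")
# Assumption: $(NAME) in a container arg is expanded by Kubernetes from an env var,
# which is how a Secret-backed value reaches the flag without a literal on the line.
ENV_REF_RE = re.compile(r"^\$\([A-Za-z_][A-Za-z0-9_]*\)$")


def parse_args(args):
    """Turn ['--key=value', '--flag', ...] into a dict; repeated --namespace collects a list."""
    parsed = {}
    for arg in args:
        m = FLAG_RE.match(arg)
        if not m:
            raise ValueError(f"unrecognised argument: {arg!r}")
        key, value = m.group(1), m.group(2)
        if value is None:
            value = "true"  # bare boolean flag
        if key == "namespace":
            parsed.setdefault(key, []).append(value)
        else:
            parsed[key] = value
    return parsed


def lint_cis_args(args):
    """Return a list of (severity, message) findings; an empty list means clean."""
    p = parse_args(args)
    present = set(p)
    findings = []
    for key in sorted(REQUIRED - present):
        findings.append(("error", f"missing required flag --{key}"))
    if "credentials-directory" not in present:
        for key in sorted(CREDENTIAL_FLAGS - present):
            findings.append(("error", f"missing --{key} (or supply --credentials-directory)"))
    for key, allowed in ALLOWED.items():
        if key in present and p[key] not in allowed:
            findings.append(("error", f"--{key}={p[key]} not in {sorted(allowed)}"))
    for key in sorted(BOOLEAN & present):
        if p[key] not in ("true", "false"):
            findings.append(("error", f"--{key} must be true or false"))
    for key in sorted(INTEGER & present):
        if not p[key].isdigit():
            findings.append(("error", f"--{key} must be an integer number of seconds"))
    if p.get("agent", "AS3") == "AS3":
        for key in sorted(CCCL_ONLY & present):
            findings.append(("warning", f"--{key} applies only to the CCCL agent and is ignored"))
    # Settings that weaken the deployment's security posture.
    if p.get("insecure") == "true":
        findings.append(("warning", "--insecure=true allows insecure SSL to BIG-IP; use --trusted-certs-cfgmap instead"))
    if p.get("as3-validation") == "false":
        findings.append(("warning", "--as3-validation=false disables AS3 template validation"))
    if "bigip-password" in present and not ENV_REF_RE.match(p["bigip-password"]):
        findings.append(("warning", "--bigip-password is a literal on the command line; inject it from a Kubernetes Secret"))
    if p.get("custom-resource-mode") != "true":
        findings.append(("warning", "--custom-resource-mode=true is not set; CIS will not run in CRD mode"))
    return findings


# Constructed sample argument lists (192.0.2.10 is a documentation address).
GOOD_ARGS = [
    "--custom-resource-mode=true", "--bigip-url=192.0.2.10", "--bigip-partition=kubernetes",
    "--bigip-username=$(BIGIP_USERNAME)", "--bigip-password=$(BIGIP_PASSWORD)",
    "--pool-member-type=cluster", "--log-level=INFO", "--namespace=default", "--namespace=team-a",
]
BAD_ARGS = [
    "--bigip-url=192.0.2.10", "--bigip-partition=kubernetes",
    "--bigip-username=admin", "--bigip-password=hunter2",
    "--insecure=true", "--as3-validation=false",
    "--pool-member-type=node", "--flannel-name=fl-vxlan",
]

if __name__ == "__main__":
    for name, args in (("good", GOOD_ARGS), ("bad", BAD_ARGS)):
        print(name)
        for severity, message in lint_cis_args(args):
            print(f"  [{severity}] {message}")
```

Errors are contract violations the controller itself would reject or misread; warnings are valid settings that a reviewer should still see, because a literal password in a Deployment spec ends up in the API server, in etcd and in every `kubectl get deploy -o yaml`, and `--insecure=true` means CIS cannot tell a genuine BIG-IP from anything else answering on that address.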

Note

To provide feedback on Container Ingress Services or this documentation, you can file a GitHub Issue.