VirtualServer¶
VirtualServer resource defines the load balancing configuration for a domain name.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: coffee-virtual-server labels: f5cr: "true" spec: host: coffee.example.com virtualServerAddress: "172.16.3.4" pools: - path: /coffee service: svc-2 servicePort: 80 serviceAddress: - icmpEcho: "enable" arpEnabled: true routeAdvertisement: "all" |
Important
- CIS will only process custom resources with
f5crlabel set astrue. See lines 5-6 above. - The above VirtualServer is insecure. Attach a TLSProfile to make it secure.
Open API Schema Validation for VirtualServer
Components¶
VirtualServer Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| host | String | Optional | N/A | Virtual Host. |
| pools | List of pools | Required | N/A | List of BIG-IP Pools. |
| virtualServerAddress | String | Optional | N/A | IP4/IP6 Address of BIG-IP Virtual Server. IP address can also be replaced by a reference to a Service_Address. |
| serviceAddress | List of service addresses | Optional | N/A | Service address definition allows you to add a number of properties to your (virtual) server address. |
| ipamLabel | String | Optional | N/A | IPAM label name for IP address management which is map to ip-range in IPAM controller deployment. |
| virtualServerName | String | Optional | N/A | Custom name of BIG-IP Virtual Server. |
| virtualServerHTTPPort | Integer | Optional | 80 | Custom HTTP port for the Virutal Server. |
| virtualServerHTTPSPort | Integer | Optional | 443 | Custom HTTPS port for the Virtual Server. |
| tlsProfileName | String | Optional | N/A | Describes the TLS configuration for BIG-IP Virtual Server. |
| rewriteAppRoot | String | Optional | N/A | Rewrites the path in the HTTP Header (and Redirects) from “/” (root path) to specifed path. |
| waf | String | Optional | N/A | Reference to WAF policy on BIG-IP. |
| snat | String | Optional | auto | Reference to SNAT pool on BIG-IP. The other allowed value is: none. |
| allowVlans | List of VLANs | Optional | N/A | List of VLAN objects from which to allow traffic. |
| httpTraffic | String | Optional | allow | Configure behavior of HTTP Virtual Server. The allowed values are: allow: allow HTTP (default), none: only HTTPs, redirect: redirect HTTP to HTTPS. |
| hostGroup | String | Optional | N/A | Associated VirutalServers are grouped based on “hostGroup” parameter. MultiHost support for VS CRD is achieved using this parameter. See the section below on MultiHost support using hostGroup Parameter. |
| persistenceProfile | String | Optional | cookie | CIS uses the AS3 default persistence profile. VirtualServer CRD resource takes precedence over Policy CRD. Allowed values are existing BIG-IP Persistence profiles. |
| dos | String | Optional | N/A | Pathname of existing BIG-IP DoS policy. |
| botDefense | String | Optional | N/A | Pathname of existing BIG-IP botDefense policy. |
| profileMultiplex | String | Optional | N/A | CIS uses the AS3 default profileMultiplex profile. Allowed values are existing BIG-IP profileMultiplex profiles.. |
| profiles | Object | Optional | N/A | BIG-IP TCP Profiles. |
| tcp | Object | Optional | N/A | BIG-IP TCP client and server profiles. |
| policyName | String | Optional | N/A | Name of Policy CRD to attach profiles/policies defined in it. |
| iRules | Array of strings | Optional | N/A | iRules to be attached to the VirtualServer. |
| allowSourceRange | String | Optional | N/A | Comma-separated list of CIDR addresses to allow inbound to services corresponding to VirtualServer CRD. Allowed values are comma-separated, CIDR formatted, IP addresses. For example: 1.2.3.4/32,2.2.2.0/24 |
| httpMrfRoutingEnabled | Boolean | Optional | false | Specifies whether to use the HTTP message routing framework (MRF) functionality. This property is available on BIG-IP 14.1 and above. |
| additionalVirtualServerAddresses | String | Optional | N/A | List of virtual addresses additional to virtualServerAddress to which virtual will be listening. Uses AS3 virtualAddresses parameter to expose Virtual server which will listen to each IP address in the list. |
| partition | String | Optional | N/A | BIG-IP Partition. |
Pool Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| path | String | Required | N/A | Path to access the service. |
| service | String | Required | N/A | Service deployed in Kubernetes cluster. |
| waf | String | Optional | N/A | Reference to WAF policy on BIG-IP |
| loadBalancingMethod | String | Optional | N/A | Allowed values are existing BIG-IP Load Balancing methods for pools. |
| nodeMemberLabel | String | Optional | N/A | List of Nodes to consider in NodePort mode as BIG-IP pool members. This option is only applicable for NodePort mode. |
| servicePort | String | Required | N/A | targetPort to access service. |
| monitor | Monitor | Optional | N/A | Health Monitor to check the health of Pool Members. |
| monitors | Monitor | Optional | N/A | Specifies multiple monitors for VS Pool. |
| rewrite | String | Optional | N/A | Rewrites the path in the HTTP Header while submitting the request to Server in the pool. |
| serviceNamespace | String | Optional | N/A | Namespace of service. Define it if service is present in a namespace other than the one where Virtual Server Custom Resource is present. |
| serviceDownAction | String | Optional | N/A | Specifies connection handling when member is non-responsive. Examples: drop, none, reselect, reset |
| reselectTries | Integer | Optional | 0 | Maximum number of attempts to find a responsive member for a connection. |
| hostRewrite | String | Optional | N/A | Rewrites the hostname http header while submitting the request to pool members. |
| weight | Integer | Optional | N/A | weight allocated to service A in AB deployment |
| alternateBackends | List of string | Optional | N/A | List of alternate backends for AB deployment |
Note
The parameter monitors takes priority over monitor if both are provided in the VirtualServer spec.
alternateBackends Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| service | String | Required | N/A | service name for alternate backend |
| serviceNamespace | String | Required | N/A | namespace of the backend service if its present in namespace different than virtual server CR |
| weight | Integer | Required | N/A | weight allocated for the alternate backend service |
Monitor Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| type | String | Required | N/A | HTTP, HTTPS, or TCP. |
| send | String | Required | GET /rn |
HTTP request string to send. |
| recv | String | Optional | N/A | String or RegEx pattern to match in first 5,120 bytes of backend response. |
| interval | Int | Required | 5 | Seconds between health queries. |
| timeout | Int | Optional | 16 | Seconds before query fails. |
| targetPort | Int | Optional | 0 | The port (if any) that the monitor should probe. If 0 (default) then pool member port is used. Translates to “Alias Server Port” on BIG-IP pool. |
| name | String | Required | N/A | Reference to health monitor name existing on BIG-IP. |
| reference | String | Required | N/A | Value should be bigip for referencing custom monitor on the BIG-IP. |
Note
- Health Monitor associated with the first path will be considered if multiple paths have the same backend.
- The monitor can be a reference to an existing healthmonitor on the BIG-IP system, in which case
nameandreferenceare required parameters. - For creating a health monitor object on the BIG-IP with UserInput,
type,send, andintervalare required parameters.
TCP Profile Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| client | String | Required | Custom_TCP | CIS uses the AS3 default TCP client profile. Allowed values are existing BIG-IP TCP Client profiles. |
| server | String | Optional | N/A | Allowed values are existing BIG-IP TCP Server profiles. Note: Server TCP Profile can only be used along with Client profile. |
Service Address Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| arpEnabled | Boolean | Optional | true | If true (default), the system services ARP requests on this address. |
| icmpEcho | String | Optional | enable | If enabled (default), the system answers ICMP echo requests on this address. Values: enable, disable, and selective. |
| routeAdvertisement | String | Optional | disable | If enabled, the route is advertised. Values: enable, disable, selective, always, any, and all. |
| spanningEnabled | Boolean | Optional | false | If true, this enables all BIG-IP systems in the device group to listen for and process traffic on the same virtual address. |
| trafficGroup | String | Optional | default | Specifies the traffic group to which the Service_Address belongs. |
Custom Virtual Server Name¶
CRD allows the user to create a custom name for the virtual servers on BIG-IP using the virtualServerName parameter.
By deploying this yaml file in your cluster, CIS will create a Virtual Server on BIG-IP as “<virtual server name>_<virtual server port>”. For example: cafe_virtual_server_80.
This is optional to use. The default name for a virtual server created on BIG-IP is “crd_<virtual IP address>_<virtual server port>”. For example: crd_172_16_3_4_80.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: my-new-virtual-server labels: f5cr: "true" spec: # This is an insecure virtual, Please use TLSProfile to secure the virtual # check out tls examples to understand more. host: cafe.example.com virtualServerAddress: "172.16.3.4" virtualServerName: "cafe-virtual-server" pools: - path: /coffee service: svc-2 servicePort: 80 |
Custom Virtual Port in CRD¶
You can configure the virtual address port number in CRD. This is required if you want to use the same VIP with different port numbers for different domains. There are two options for configuring:
virtualServerHTTPPort¶
By deploying this yaml file in your cluster, CIS will create a Virtual Server on BIG-IP with VIP custom http port as 500. It will load balance the traffic for domain cafe.example.com.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: my-new-virtual-server labels: f5cr: "true" spec: host: cafe.example.com virtualServerAddress: "172.16.3.4" virtualServerHTTPPort: 8080 pools: - path: /coffee service: svc-2 servicePort: 80 |
virtualServerHTTPSPort¶
By deploying this yaml file in your cluster, CIS will create a Virtual Server on BIG-IP with VIP custom https port as 500. It will load balance the traffic for domain cafe.example.com.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: my-new-virtual-server labels: f5cr: "true" spec: host: cafe.example.com virtualServerAddress: "172.16.3.4" virtualServerHTTPSPort: 8443 pools: - path: /coffee service: svc-2 servicePort: 80 |
Virtual Server Custom Resource without Host Parameter¶
You can create a simple HTTP Virtual Server without the Host parameter. By deploying the following YAML file in your cluster, CIS will create a Virtual Server on BIG-IP with VIP 172.16.3.4 and attach a policy that forwards the traffic to pool svc-1 when the URI path segment is /coffee.
Important
This is an insecure virtual server, please use TLSProfile to secure the virtual.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: hoHost-single-pool labels: f5cr: "true" spec: # This is an insecure virtual, Please use TLSProfile to secure the virtual # check out tls examples to understand more. virtualServerAddress: "172.16.3.4" pools: - path: /coffee service: svc-1 servicePort: 80 |
MultiHost support using hostGroup Parameter¶
The Multi-host feature allows CIS to support a single HTTP VirtualServer on BIG-IP for different hostnames. This is similar to how OpenShift routes work today. The benefit of using the multi-host feature is the ability to reuse the public IP Address on BIG-IP, which helps when Public IP addresses are limited.
You can configure VirtualServer CRD using the hostGroup parameter to club virtual servers with different hostnames into one in BIG-IP.
By deploying the following YAML file in your cluster, CIS will create a single HTTP Virtual Server on the BIG-IP system with different hostnames (in this example, coffee.example.com and tea.example.com) having the same hostGroup “cafe” and same ipamLabel “Dev”.
Important
- This is an insecure virtual server, please use TLSProfile to secure the virtual.
- You must use either
virtualServerAddressoripamLabelparameters with the same value in all VirtualServer CRDs.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: coffee-virtual-server labels: f5cr: "true" spec: # This is an insecure virtual, Please use TLSProfile to secure the virtual # check out tls examples to understand more. host: coffee.example.com hostGroup: cafe ipamLabel: Dev pools: - path: /mocha service: svc-2 servicePort: 80 --- apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: tea-virtual-server labels: f5cr: "true" spec: # This is an insecure virtual, Please use TLSProfile to secure the virtual # check out tls examples to understand more. host: tea.example.com hostGroup: cafe ipamLabel: Dev pools: - path: /greentea service: svc-2 servicePort: 80 |
MultiPartition Support using partition spec parameter¶
CRD supports the MultiPartition feature for VirtualServer CR, where the user can provision BIG-IP in multiple partitions. This helps to easily manage the bigipConfig among the partitions. The MultiPartition feature also improves performance, as CIS processes only the partition when there is a change, instead of sending a unified AS3 declaration to all of the partitions on the BIG-IP every time a change/event is detected.
CIS processes multiple tenant information and still sends the single unified declaration to BIG-IP to avoid multiple posts to BIG-IP for the first time.
Note
AS3 post call is formed as mgmt/shared/appsvcs/declare/tenant1,tenant2.
Multiple VirtualServers do not share the same virtual server address across multiple partitions. F5 does not currently support VS sharing the same host group or host with the same address in multiple partitions. The following rules apply for all VS resources. - Virtual servers with the same host group should be in one partition. - Virtual servers with the same host should be in one partition. - Virtual servers with the same VS address should be in one partition. - Virtual servers cannot share the same VIP across multiple partitions, irrespective of port.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | apiVersion: cis.f5.com/v1 kind: VirtualServer metadata: labels: f5cr: "true" name: cr-foo1 namespace: default spec: # This is an insecure virtual, Please use TLSProfile to secure the virtual # check out tls examples to understand more. host: foo.example.com partition: dev pools: - monitor: interval: 20 recv: a send: / timeout: 10 type: http path: /foo service: pytest-svc-1 servicePort: 80 snat: auto virtualServerAddress: 10.8.3.11 |
Virtual Server Custom Resource with IPv6 Address¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: cafe-virtual-server labels: f5cr: "true" spec: # This is an insecure virtual, Please use TLSProfile to secure the virtual # check out TLS examples to understand more. host: cafe.example.com virtualServerAddress: "2001:0db8:85a3:0000:0000:8a2e:0370:7335" virtualServerName: "cafe-virtual-server" pools: - path: /coffee service: svc-2 servicePort: 80 |
Examples Repository¶
Note
To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.