F5 IPAM Controller

Overview of F5 IPAM Controller

The F5 IPAM Controller (FIC) is a Docker container that runs in a container environment. It allocates IP addresses from an IPAM system’s address pool for hostnames in an orchestration environment. The F5 IPAM Controller watches orchestration-specific resources and consumes the hostnames within each resource.

IPAM Compatibility Matrix

| Resource | Minimum CIS Version Supported |
|---|---|
| Virtual Server CRD | v2.3 |
| Transport Server CRD | v2.4 |
| Service type: LoadBalancer | v2.4 |
| IngressLink CRD | v2.4 |

For information on the upgrade process for CIS and IPAM releases, see the GitHub documentation.

Diagrams

This is an architectural diagram of how F5-IPAM-Controller (FIC) fits in the environment:

../../_images/ipam-1.png



Flow Chart for CIS-FIC:

../../_images/ipam-2.png

Note

You must run BIG-IP Container Ingress Services with the options below to interface with FIC.

  • Use --custom-resource-mode=true in your CIS deployment to enable Custom Resource Mode.
  • Use --ipam=true in your CIS deployment to interface with FIC. With this parameter set to true, CIS decides whether it needs to retrieve an IP address from the IPAM Controller.
    • If a Virtual Server address is specified in the Kubernetes resource, CIS will not use the IPAM Controller to obtain an IP address, even if a CIDR parameter is specified.
    • If no Virtual Server address is specified in the Kubernetes resource and the ipamLabel parameter is specified, CIS will use the IPAM Controller to allocate an IP address.
  • Limitations when CIS is deployed in CRD mode:
    • CIS does not watch for Ingress/Routes/ConfigMaps when deployed in CRD Mode.
    • CIS does not support the combination of CRDs with any of Ingress/Routes and ConfigMaps.

How to Deploy FIC

Configuration Parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| orchestration | String | Required | N/A | Holds the orchestration environment. Example: --orchestration=kubernetes |
| ipam-provider | String | Required | f5-ip-provider | The IP provider responsible for supplying IP addresses, such as Infoblox or f5-ip-provider. |
| log-level | String | Optional | N/A | The logging level, such as DEBUG, INFO, WARNING, ERROR, or CRITICAL. |

Deployment options for Provider f5-ip-provider

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| ip-range | String | Required | N/A | The IP address ranges from which FIC creates its address pools; addresses are allocated from these pools for the requested resources. |

Example: --ip-range='{"Dev":"172.16.3.21-172.16.3.30","Test":"172.16.3.31-172.16.3.40", "Production":"172.16.3.41-172.16.3.50","Default":"172.16.3.51-172.16.3.60"}'

Example: --ip-range='{"Dev":"2001:db8:3::7-2001:db8:3::9","Test":"2001:db8:4::7-2001:db8:4::9", "Production":"2001:db8:5::ffff-2001:db8:6::9","Default":"2001:0db8:85a3:0000:0000:8a2e:0370:7334-2001:0db8:85a3:0000:0000:8a2e:0370:7340"}'
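
A pre-deployment check for the --ip-range value, added here as an example (it is not part of FIC or the F5 documentation). It parses the label-to-range JSON, rejects malformed or reversed ranges, and reports label pairs whose ranges overlap. Treating overlap as a misconfiguration is an assumption, since the page does not say how FIC handles it, and the function names are hypothetical.

```python
import ipaddress
import json


def parse_ip_ranges(raw):
    """Parse an --ip-range JSON value into {label: (first, last)} address pairs."""
    pools = {}
    for label, span in json.loads(raw).items():
        # Neither IPv4 nor IPv6 literals contain "-", so one split is safe.
        start_text, sep, end_text = span.partition("-")
        if not sep:
            raise ValueError(f"{label}: expected 'start-end', got {span!r}")
        first = ipaddress.ip_address(start_text.strip())
        last = ipaddress.ip_address(end_text.strip())
        if first.version != last.version:
            raise ValueError(f"{label}: range mixes IPv4 and IPv6")
        if int(first) > int(last):
            raise ValueError(f"{label}: start {first} is after end {last}")
        pools[label] = (first, last)
    return pools


def pool_size(pool):
    """Size of an inclusive range, computed without enumerating it."""
    return int(pool[1]) - int(pool[0]) + 1


def find_overlaps(pools):
    """Return sorted label pairs whose ranges share at least one address."""
    overlaps = []
    labels = sorted(pools)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            (a_first, a_last), (b_first, b_last) = pools[a], pools[b]
            if a_first.version != b_first.version:
                continue  # IPv4 and IPv6 ranges can never collide
            if int(a_first) <= int(b_last) and int(b_first) <= int(a_last):
                overlaps.append((a, b))
    return overlaps


# The page's IPv4 example, plus a constructed value where Test overlaps Dev.
PAGE_EXAMPLE = ('{"Dev":"172.16.3.21-172.16.3.30","Test":"172.16.3.31-172.16.3.40", '
                '"Production":"172.16.3.41-172.16.3.50","Default":"172.16.3.51-172.16.3.60"}')
CONSTRUCTED_BAD = '{"Dev":"172.16.3.21-172.16.3.30","Test":"172.16.3.28-172.16.3.40"}'

if __name__ == "__main__":
    for raw in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        pools = parse_ip_ranges(raw)
        print({k: pool_size(v) for k, v in pools.items()}, find_overlaps(pools))
```

Running the check in CI against the deployment manifest catches a reversed or overlapping range before FIC starts allocating from it.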


RBAC for F5 IPAM Controller

f5-ipam-rbac.yaml
   # ClusterRole: access to the f5ipams custom resource (API group fic.f5.com)
   # and its status subresource.
   kind: ClusterRole
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: ipam-ctlr-clusterrole
   rules:
     - apiGroups: ["fic.f5.com"]
       resources: ["f5ipams", "f5ipams/status"]
       verbs: ["get", "list", "watch", "update", "patch", "create", "delete"]

   ---

   # ClusterRoleBinding: grants the role above to the ipam-ctlr service account
   # in kube-system.
   kind: ClusterRoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: ipam-ctlr-clusterrole-binding
     namespace: kube-system
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: ipam-ctlr-clusterrole
   subjects:
     - apiGroup: ""
       kind: ServiceAccount
       name: ipam-ctlr
       namespace: kube-system
   ---
   # ServiceAccount: the account referenced by the binding above.
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: ipam-ctlr
     namespace: kube-system


Apply this configuration with the following command:

kubectl create -f f5-ipam-rbac.yaml

