Deploying F5 IPAM Controller

F5 IPAM Controller Deployment

f5-ipam-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: f5-ipam-controller
  name: f5-ipam-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: f5-ipam-controller
  template:
    metadata:
      labels:
        app: f5-ipam-controller
    spec:
      containers:
      - args:
        - --orchestration=kubernetes
        - --ip-range='{"Dev":"172.16.3.21-172.16.3.30","Test":"172.16.3.31-172.16.3.40", "Production":"172.16.3.41-172.16.3.50",
          "Default":"172.16.3.51-172.16.3.60"}'
        command:
        - /app/bin/f5-ipam-controller
        image: f5networks/f5-ipam-controller:latest
        imagePullPolicy: IfNotPresent
        name: f5-ipam-controller
      serviceAccount: ipam-ctlr
      serviceAccountName: ipam-ctlr


ipam-deployment-with-ipv6-range.yaml
# Sample configuration for f5-ipam-controller with default provider. For persistent IP addresses upon restarts,
# volume mounts are used. securityContext is used to change mount permissions to controller user.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: f5-ipam-controller
  name: f5-ipam-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: f5-ipam-controller
  template:
    metadata:
      labels:
        app: f5-ipam-controller
    spec:
      containers:
        - args:
            - --orchestration
            - kubernetes
            - --ip-range
            - '{"Dev":"2001:db8:3::7-2001:db8:3::9","Test":"2001:db8:4::7-2001:db8:4::9",
                 "Production":"2001:db8:5::ffff-2001:db8:6::9","Default":"2001:0db8:85a3:0000:0000:8a2e:0370:7334-2001:0db8:85a3:0000:0000:8a2e:0370:7340"}'
            - --log-level
            - DEBUG
          command:
            - /app/bin/f5-ipam-controller
          image: f5networks/f5-ipam-controller:latest
          imagePullPolicy: IfNotPresent
          name: f5-ipam-controller
          terminationMessagePath: /dev/termination-log
          volumeMounts:
            - mountPath: /app/ipamdb
              name: samplevol
      securityContext:
        fsGroup: 1200
        runAsGroup: 1200
        runAsUser: 1200
      serviceAccount: ipam-ctlr
      serviceAccountName: ipam-ctlr
      volumes:
        - name: samplevol
          persistentVolumeClaim:
            claimName: pvc-local

Apply the configuration with the following command:

kubectl create -f f5-ipam-deployment.yaml

Apply the F5 IPAM Controller schema with the following command:

kubectl create -f https://raw.githubusercontent.com/F5Networks/f5-ipam-controller/main/docs/_static/schemas/ipam_schema.yaml

Using IPAM

To configure CIS to work with the F5 IPAM Controller, pass the --ipam=true parameter in the CIS deployment and set the ipamLabel parameter in the Kubernetes resource (VirtualServer or TransportServer).

Note

ipamLabel must be one of the keys defined in the --ip-range parameter of the IPAM Controller deployment, for example ipamLabel: "Dev".

Configure ipamLabel in VirtualServer CRD:

virtual-server-crd.yaml
apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: coffee-virtual-server
  labels:
    f5cr: "true"
spec:
  host: coffee.example.com
  ipamLabel: Dev
  pools:
  - path: /coffee
    service: svc-2
    servicePort: 80

Configure ipamLabel in TransportServer CRD:

transport-server-crd.yaml
apiVersion: cis.f5.com/v1
kind: TransportServer
metadata:
  # name and namespace correspond to the key default/test-cr-ts_ts shown in the
  # F5IPAM status example further down; server-managed fields such as
  # creationTimestamp and generation are not part of the manifest you apply
  name: test-cr-ts
  namespace: default
  labels:
    f5cr: "true"
spec:
  ipamLabel: Test
  mode: standard
  pool:
    monitor:
      interval: 20
      timeout: 10
      type: tcp
    service: test-svc
    servicePort: 1344
  snat: auto
  type: tcp
  virtualServerPort: 1344
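The checks below are an added example and are not code from the F5 IPAM Controller or CIS projects. They parse the --ip-range value from a container args list in either of the two forms shown on this page (a single --ip-range=<json> element, or --ip-range followed by the JSON as a separate element, tolerating single quotes that were part of a YAML plain scalar), reject malformed or inverted ranges and mixed address families, flag labels whose ranges overlap (two labels could then hand out the same address), and list ipamLabel values that no range defines. Only the standard library is used; the args lists are taken from this page's deployments, and OVERLAPPING_RANGES is a constructed sample.

```python
"""Validate an F5 IPAM Controller --ip-range setting and the ipamLabel values that
depend on it. Added example; not part of the F5 IPAM Controller project."""
import ipaddress
import json


def parse_ip_range_arg(args):
    """Return the JSON text of --ip-range from a container args list.

    Handles both '--ip-range=<json>' and the two-element '--ip-range', '<json>'
    form. Surrounding single quotes (a YAML plain scalar keeps them) are stripped.
    """
    for i, arg in enumerate(args):
        if arg.startswith("--ip-range="):
            value = arg[len("--ip-range="):]
            break
        if arg == "--ip-range" and i + 1 < len(args):
            value = args[i + 1]
            break
    else:
        raise ValueError("--ip-range not found in args")
    return value.strip().strip("'")


def parse_ranges(ip_range_json):
    """Parse {"label": "start-end", ...} into {"label": (start, end)} addresses."""
    ranges = {}
    for label, text in json.loads(ip_range_json).items():
        start_text, sep, end_text = text.partition("-")
        if not sep:
            raise ValueError(f"{label}: expected 'start-end', got {text!r}")
        start = ipaddress.ip_address(start_text.strip())
        end = ipaddress.ip_address(end_text.strip())
        if start.version != end.version:
            raise ValueError(f"{label}: mixed address families in {text!r}")
        if start > end:
            raise ValueError(f"{label}: start {start} is after end {end}")
        ranges[label] = (start, end)
    return ranges


def find_overlaps(ranges):
    """Return [(label_a, label_b), ...] for every pair of labels whose ranges
    overlap. Overlapping pools would let two labels allocate the same address."""
    overlaps = []
    labels = sorted(ranges)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            a_start, a_end = ranges[a]
            b_start, b_end = ranges[b]
            if a_start.version == b_start.version and a_start <= b_end and b_start <= a_end:
                overlaps.append((a, b))
    return overlaps


def pool_size(ranges, label):
    """Number of addresses a label can hand out before it is exhausted."""
    start, end = ranges[label]
    return int(end) - int(start) + 1


def check_labels(ranges, requested_labels):
    """ipamLabel values that no range defines; CIS cannot obtain an IP for them."""
    return sorted(set(requested_labels) - set(ranges))


# Args as the page's first deployment passes them ('--ip-range=' form, quotes kept).
IPV4_ARGS = [
    "--orchestration=kubernetes",
    "--ip-range='{\"Dev\":\"172.16.3.21-172.16.3.30\",\"Test\":\"172.16.3.31-172.16.3.40\", "
    "\"Production\":\"172.16.3.41-172.16.3.50\", \"Default\":\"172.16.3.51-172.16.3.60\"}'",
]
# Args as the page's IPv6 deployment passes them (two-element form).
IPV6_ARGS = [
    "--orchestration", "kubernetes",
    "--ip-range",
    '{"Dev":"2001:db8:3::7-2001:db8:3::9","Test":"2001:db8:4::7-2001:db8:4::9", '
    '"Production":"2001:db8:5::ffff-2001:db8:6::9",'
    '"Default":"2001:0db8:85a3:0000:0000:8a2e:0370:7334-2001:0db8:85a3:0000:0000:8a2e:0370:7340"}',
    "--log-level", "DEBUG",
]
# Constructed misconfiguration: the two pools share 10.0.0.10-10.0.0.20.
OVERLAPPING_RANGES = '{"Dev":"10.0.0.1-10.0.0.20","Test":"10.0.0.10-10.0.0.30"}'

if __name__ == "__main__":
    for name, args in (("IPv4 deployment", IPV4_ARGS), ("IPv6 deployment", IPV6_ARGS)):
        ranges = parse_ranges(parse_ip_range_arg(args))
        print(name)
        for label in ranges:
            print(f"  {label}: {pool_size(ranges, label)} addresses")
        print("  overlaps:", find_overlaps(ranges) or "none")
        print("  undefined labels:", check_labels(ranges, ["Dev", "Staging"]))
    print("constructed overlap:", find_overlaps(parse_ranges(OVERLAPPING_RANGES)))
```

Run it against the args list of the deployment you intend to apply, and against the ipamLabel values collected from your VirtualServer and TransportServer manifests, before rolling the controller out; a label that is missing from --ip-range or two labels that overlap are easier to fix in the manifest than to untangle after addresses have been handed out.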

volumeMount for IPAM DB

When the IPAM Controller is configured to use the default ipam-provider, it uses a lightweight SQLite database for IP address management.

Use Kubernetes volume mounts to maintain persistent IP addresses during a restart or replacement of the F5 IPAM Controller container.

You can use any of the persistent storage options supported by Kubernetes.

The examples below showcase local persistent storage. Ensure that the mount directory (/tmp/localstorage in the example below) exists on the node.

Note

  • Users must review security aspects and limitations with each of the storage options as per their requirements.
  • Local storage ties your application to a specific node as mentioned in nodeAffinity of persistentVolume.
persistent-volume-claim.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: local-pv
spec:
  capacity:
    storage: 1Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  storageClassName: local-storage
  local:
    path: /tmp/localstorage
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - <node-name>
---

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-local
  namespace: kube-system
spec:
  storageClassName: local-storage
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 0.1Gi

Note

  • Use securityContext to modify the mount directory permissions.
  • Do not change 1200; it is the UID of the IPAM Controller user inside the container.
  • Update the IPAM deployment with the volumeMount and securityContext.
ipam-deployment-with-pvc-seccontext.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: f5-ipam-controller
  name: f5-ipam-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: f5-ipam-controller
  template:
    metadata:
      labels:
        app: f5-ipam-controller
    spec:
      containers:
      - args:
        - --orchestration
        - kubernetes
        - --ip-range
        - '{"Dev":"172.16.3.21-172.16.3.30","Test":"172.16.3.31-172.16.3.40","Production":"172.16.3.41-172.16.3.50",
          "Default":"172.16.3.51-172.16.3.60" } '
        command:
        - /app/bin/f5-ipam-controller
        image: f5networks/f5-ipam-controller:latest
        imagePullPolicy: IfNotPresent
        name: f5-ipam-controller
        terminationMessagePath: /dev/termination-log
        volumeMounts:
        - mountPath: /app/ipamdb
          name: samplevol
      securityContext:
        fsGroup: 1200
        runAsGroup: 1200
        runAsUser: 1200
      serviceAccount: bigip-controller
      serviceAccountName: bigip-controller
      volumes:
      - name: samplevol
        persistentVolumeClaim:
          claimName: pvc-local

Updating the Status in Virtual Server CRD

The main aim of IPAM is to provide an IP address corresponding to each hostname provided in the VS CRD.

You must provide the host and ipamLabel in the hostSpecs section of the F5-CR. The F5 IPAM Controller (FIC) reads the hostSpecs of the CR, processes them, and adds an IPStatus entry for each host in hostSpecs, containing the host, the IP (allocated by FIC from the range configured for that label), and the corresponding ipamLabel.

Below is an example of F5-CR for Virtual Server:

f5-ipam-cr-vs.yaml
apiVersion: "fic.f5.com/v1"
kind: F5IPAM
metadata:
  name: f5ipam.sample
  namespace: kube-system
spec:
  hostSpecs:
  - host: cafe.example.com
    ipamLabel: Dev
status:
  IPStatus:
  - host: cafe.example.com
    ip: 172.16.3.16
    ipamLabel: Dev

Updating the Status in Transport Server CRD

You must provide ipamLabel and key in the hostSpecs section of the F5-CR, where key is the combination <namespace>/<ts_crd_name>_ts. The F5 IPAM Controller (FIC) reads the hostSpecs of the CR, processes them, and adds an IPStatus entry for each item in hostSpecs, containing the IP (allocated by FIC from the range configured for that label), the corresponding ipamLabel, and the key.

Below is an example of F5-CR for Transport Server:

f5-ipam-cr-ts.yaml
apiVersion: "fic.f5.com/v1"
kind: F5IPAM
metadata:
  name: f5ipam.sample
  namespace: kube-system
spec:
  hostSpecs:
  - ipamLabel: Production
    key: default/test-cr-ts1_ts
  - ipamLabel: Test
    key: default/test-cr-ts_ts
status:
  IPStatus:
  - ip: 172.16.3.16
    ipamLabel: Production
    key: default/test-cr-ts1_ts
  - ip: 10.192.75.114
    ipamLabel: Test
    key: default/test-cr-ts_ts
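As an added example (not the F5 IPAM Controller's own code), the following Python models the reconciliation described in the two status sections above: hostSpecs entries for VirtualServers (host) and TransportServers (key of the form <namespace>/<ts_crd_name>_ts) become IPStatus entries with an address allocated from the label's range; a repeated request for the same host or key returns the same address; an undefined or exhausted label is reported instead of being allocated; and an audit function lists IPStatus entries whose address lies outside the range configured for their ipamLabel. The ranges, hostSpecs and status entries in the demo are constructed sample input, and the real controller's allocation order and persistence are not reproduced.

```python
"""Model of how hostSpecs become IPStatus entries, plus an audit of an existing
status. Added example and a simplification; not the F5 IPAM Controller's code."""
import ipaddress


def parse_ranges(ip_ranges):
    """{"Dev": "172.16.3.21-172.16.3.30"} -> {"Dev": (start, end)} as address objects."""
    out = {}
    for label, text in ip_ranges.items():
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        out[label] = (start, end)
    return out


def ts_key(namespace, ts_name):
    """Key a TransportServer is tracked under in hostSpecs and IPStatus."""
    return f"{namespace}/{ts_name}_ts"


class IpamAllocator:
    """Hands out addresses per label and remembers them per host or key, so that a
    repeated request for the same spec gets the same address (the property that
    persisting the IPAM DB across restarts is meant to preserve)."""

    def __init__(self, ip_ranges):
        self.ranges = parse_ranges(ip_ranges)
        self.leases = {}  # (label, host_or_key) -> address

    def _next_free(self, label):
        start, end = self.ranges[label]
        in_use = {ip for (lbl, _), ip in self.leases.items() if lbl == label}
        addr = start
        while addr <= end:
            if addr not in in_use:
                return addr
            addr += 1
        raise RuntimeError(f"ipamLabel {label!r}: range {start}-{end} is exhausted")

    def reconcile(self, host_specs):
        """Turn spec.hostSpecs into status.IPStatus. Returns (status, errors);
        specs with an unknown or exhausted label land in errors, not in status."""
        status, errors = [], []
        for spec in host_specs:
            label = spec["ipamLabel"]
            ident = spec.get("host") or spec.get("key")
            if label not in self.ranges:
                errors.append(f"{ident}: no range configured for ipamLabel {label!r}")
                continue
            lease = (label, ident)
            if lease not in self.leases:
                try:
                    self.leases[lease] = self._next_free(label)
                except RuntimeError as exc:
                    errors.append(f"{ident}: {exc}")
                    continue
            entry = {"ip": str(self.leases[lease]), "ipamLabel": label}
            entry["host" if "host" in spec else "key"] = ident
            status.append(entry)
        return status, errors


def audit_status(ip_ranges, ip_status):
    """Return IPStatus entries whose ip is outside the range of their ipamLabel or
    whose label is unknown: such an entry cannot have come from this --ip-range
    configuration and is worth investigating as drift or a hand-edited status."""
    ranges = parse_ranges(ip_ranges)
    bad = []
    for entry in ip_status:
        rng = ranges.get(entry["ipamLabel"])
        ip = ipaddress.ip_address(entry["ip"])
        if rng is None or ip.version != rng[0].version or not (rng[0] <= ip <= rng[1]):
            bad.append(entry)
    return bad


if __name__ == "__main__":
    # Constructed sample: the page's Dev/Test IPv4 pools and three requests.
    alloc = IpamAllocator({"Dev": "172.16.3.21-172.16.3.30", "Test": "172.16.3.31-172.16.3.40"})
    status, errors = alloc.reconcile([
        {"host": "cafe.example.com", "ipamLabel": "Dev"},
        {"key": ts_key("default", "test-cr-ts"), "ipamLabel": "Test"},
        {"host": "shop.example.com", "ipamLabel": "Staging"},
    ])
    print("IPStatus:", status)
    print("errors:", errors)
    # Constructed status with one address that no Dev pool could have produced.
    print("audit:", audit_status({"Dev": "172.16.3.21-172.16.3.30"}, [
        {"host": "cafe.example.com", "ip": "172.16.3.25", "ipamLabel": "Dev"},
        {"host": "rogue.example.com", "ip": "172.16.3.99", "ipamLabel": "Dev"},
    ]))
```

The audit is the part worth keeping around operationally: feeding it the F5IPAM CR's current IPStatus together with the deployment's --ip-range turns a silent mismatch between the two into an explicit finding.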

Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.