Deploying F5 IPAM Controller
F5 IPAM Controller Deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: f5-ipam-controller
  name: f5-ipam-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: f5-ipam-controller
  template:
    metadata:
      labels:
        app: f5-ipam-controller
    spec:
      containers:
      - args:
        - --orchestration=kubernetes
        # --ip-range is a JSON object mapping each ipamLabel to an address range.
        # Kubernetes passes args verbatim (no shell), so the value is quoted for YAML only.
        - '--ip-range={"Dev":"172.16.3.21-172.16.3.30","Test":"172.16.3.31-172.16.3.40","Production":"172.16.3.41-172.16.3.50","Default":"172.16.3.51-172.16.3.60"}'
        command:
        - /app/bin/f5-ipam-controller
        image: f5networks/f5-ipam-controller:latest
        imagePullPolicy: IfNotPresent
        name: f5-ipam-controller
      serviceAccount: ipam-ctlr
      serviceAccountName: ipam-ctlr
```
```yaml
# Sample configuration for f5-ipam-controller with the default provider. For persistent IP addresses
# across restarts, volume mounts are used. securityContext changes mount permissions to the controller user.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: f5-ipam-controller
  name: f5-ipam-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: f5-ipam-controller
  template:
    metadata:
      labels:
        app: f5-ipam-controller
    spec:
      containers:
      - args:
        - --orchestration
        - kubernetes
        - --ip-range
        - '{"Dev":"2001:db8:3::7-2001:db8:3::9","Test":"2001:db8:4::7-2001:db8:4::9","Production":"2001:db8:5::ffff-2001:db8:6::9","Default":"2001:0db8:85a3:0000:0000:8a2e:0370:7334-2001:0db8:85a3:0000:0000:8a2e:0370:7340"}'
        - --log-level
        - DEBUG
        command:
        - /app/bin/f5-ipam-controller
        image: f5networks/f5-ipam-controller:latest
        imagePullPolicy: IfNotPresent
        name: f5-ipam-controller
        terminationMessagePath: /dev/termination-log
        volumeMounts:
        - mountPath: /app/ipamdb
          name: samplevol
      securityContext:
        fsGroup: 1200
        runAsGroup: 1200
        runAsUser: 1200
      serviceAccount: ipam-ctlr
      serviceAccountName: ipam-ctlr
      volumes:
      - name: samplevol
        persistentVolumeClaim:
          claimName: pvc-local
```
Deploy the RBAC resources and the F5 IPAM Controller deployment:

```shell
kubectl create -f https://raw.githubusercontent.com/F5Networks/f5-ipam-controller/main/docs/config_examples/rbac.yaml
kubectl create -f f5-ipam-deployment.yaml
```
Using IPAM
To configure CIS to work with the F5 IPAM Controller, add the parameter --ipam=true to the CIS deployment and set the ipamLabel parameter in the Kubernetes resource (VirtualServer or TransportServer CR).
Note
ipamLabel must be one of the labels (the JSON keys) defined in the --ip-range parameter of the IPAM Controller deployment. For example: ipamLabel: "Dev"
Configure ipamLabel in the VirtualServer CRD:
```yaml
apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: coffee-virtual-server
  labels:
    f5cr: "true"
spec:
  host: coffee.example.com
  ipamLabel: Dev
  pools:
  - path: /coffee
    service: svc-2
    servicePort: 80
```
Configure ipamLabel in the TransportServer CRD:
```yaml
apiVersion: cis.f5.com/v1
kind: TransportServer
metadata:
  # The original example omits metadata.name; a name is required to create the resource.
  name: <transport-server-name>
  creationTimestamp: "2021-03-18T14:12:32Z"
  generation: 2
  labels:
    f5cr: "true"
spec:
  ipamLabel: Test
  mode: standard
  pool:
    monitor:
      interval: 20
      timeout: 10
      type: tcp
    service: test-svc
    servicePort: 1344
  snat: auto
  type: tcp
  virtualServerPort: 1344
```
volumeMount for IPAM DB
When the IPAM Controller is configured to use the default ipam-provider, it uses a lightweight SQLite DB for IP address management.
Use Kubernetes volume mounts to keep IP address assignments persistent across a restart or replacement of the F5 IPAM Controller container.
You can use any of the persistent storage options supported by Kubernetes.
The examples below use local persistent storage. Ensure the mount directory (/tmp/localstorage in the example below) is present on the node.
Note
- Users must review security aspects and limitations with each of the storage options as per their requirements.
- Local storage ties your application to a specific node as mentioned in nodeAffinity of persistentVolume.
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: local-pv
spec:
  capacity:
    storage: 1Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  storageClassName: local-storage
  local:
    path: /tmp/localstorage
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - <node-name>
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-local
  namespace: kube-system
spec:
  storageClassName: local-storage
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 0.1Gi
```
Note
- Use securityContext to modify the mount directory permissions.
- Do not modify 1200, as it is the UID of the IPAM Controller user.
- Update the IPAM deployment with the volumeMount and securityContext.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: f5-ipam-controller
  name: f5-ipam-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: f5-ipam-controller
  template:
    metadata:
      labels:
        app: f5-ipam-controller
    spec:
      containers:
      - args:
        - --orchestration
        - kubernetes
        - --ip-range
        - '{"Dev":"172.16.3.21-172.16.3.30","Test":"172.16.3.31-172.16.3.40","Production":"172.16.3.41-172.16.3.50","Default":"172.16.3.51-172.16.3.60"}'
        command:
        - /app/bin/f5-ipam-controller
        image: f5networks/f5-ipam-controller:latest
        imagePullPolicy: IfNotPresent
        name: f5-ipam-controller
        terminationMessagePath: /dev/termination-log
        volumeMounts:
        - mountPath: /app/ipamdb
          name: samplevol
      securityContext:
        fsGroup: 1200
        runAsGroup: 1200
        runAsUser: 1200
      serviceAccount: bigip-controller
      serviceAccountName: bigip-controller
      volumes:
      - name: samplevol
        persistentVolumeClaim:
          claimName: pvc-local
```
Updating the Status in Virtual Server CRD
The main aim of IPAM is to provide an IP address for each hostname given in the VirtualServer CRD.
You must provide the host and ipamLabel in the hostSpecs section of the F5IPAM CR. The F5 IPAM Controller (FIC), in turn, reads the hostSpecs of the CR, processes them, and updates IPStatus with an entry for each host in hostSpecs containing the host, the IP (allocated by FIC from the range configured for that label), and the corresponding ipamLabel.
Below is an example of F5-CR for Virtual Server:
```yaml
apiVersion: "fic.f5.com/v1"
kind: F5IPAM
metadata:
  name: f5ipam.sample
  namespace: kube-system
spec:
  hostSpecs:
  - host: cafe.example.com
    ipamLabel: Dev
status:
  IPStatus:
  - host: cafe.example.com
    ip: 172.16.3.16
    ipamLabel: Dev
```
Updating the Status in Transport Server CRD
You must provide ipamLabel in the hostSpecs section of the F5IPAM CR. The F5 IPAM Controller (FIC), in turn, reads the hostSpecs of the CR, processes them, and updates IPStatus with an entry for each ipamLabel in hostSpecs containing the IP (allocated by FIC from the range configured for that label), the corresponding ipamLabel, and a key, which is the combination <namespace>/<ts_crd_name>_ts.
Below is an example of F5-CR for Transport Server:
```yaml
apiVersion: "fic.f5.com/v1"
kind: F5IPAM
metadata:
  name: f5ipam.sample
  namespace: kube-system
spec:
  hostSpecs:
  - ipamLabel: Production
    key: default/test-cr-ts1_ts
  - ipamLabel: Test
    key: default/test-cr-ts_ts
status:
  IPStatus:
  - ip: 172.16.3.16
    ipamLabel: Production
    key: default/test-cr-ts1_ts
  - ip: 10.192.75.114
    ipamLabel: Test
    key: default/test-cr-ts_ts
```
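A preflight check for the pieces configured on this page, as an added Python example (not code from the F5 IPAM Controller project): it parses the --ip-range JSON into per-label pools, flags labels whose pools overlap (two resources could then be handed the same VIP), builds the <namespace>/<ts_crd_name>_ts key used for TransportServer entries, and reports IPStatus entries whose ipamLabel is unknown or whose ip lies outside that label's pool. The function names and the sample values are assumptions constructed for this example.

```python
"""Preflight checks for the F5 IPAM Controller settings shown on this page.
Added example, not part of the controller; assumes the --ip-range JSON,
ipamLabel and F5IPAM IPStatus layouts exactly as documented above."""
import ipaddress
import itertools
import json

# Constructed sample: the IPv4 --ip-range value from the deployment above.
IP_RANGE = ('{"Dev":"172.16.3.21-172.16.3.30","Test":"172.16.3.31-172.16.3.40",'
            '"Production":"172.16.3.41-172.16.3.50","Default":"172.16.3.51-172.16.3.60"}')


def parse_ip_range(arg):
    """Parse --ip-range into {label: (first, last)}; reject reversed or mixed-family ranges."""
    ranges = {}
    for label, span in json.loads(arg).items():
        first, last = (ipaddress.ip_address(p.strip()) for p in span.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad range for ipamLabel {label!r}: {span}")
        ranges[label] = (first, last)
    return ranges


def overlapping_labels(ranges):
    """Label pairs whose pools share addresses: two labels would hand out the same IP."""
    clashes = []
    for (a, (a1, a2)), (b, (b1, b2)) in itertools.combinations(ranges.items(), 2):
        if a1.version == b1.version and a1 <= b2 and b1 <= a2:
            clashes.append((a, b))
    return clashes


def transport_server_key(namespace, name):
    """Key FIC records for a TransportServer CR: <namespace>/<ts_crd_name>_ts."""
    return f"{namespace}/{name}_ts"


def check_ip_status(ranges, ip_status):
    """Find IPStatus entries with an unknown ipamLabel or an ip outside that label's pool."""
    problems = []
    for entry in ip_status:
        first, last = ranges.get(entry["ipamLabel"], (None, None))
        if first is None:
            problems.append((entry["ip"], "unknown ipamLabel"))
            continue
        ip = ipaddress.ip_address(entry["ip"])
        if ip.version != first.version or not first <= ip <= last:
            problems.append((entry["ip"], "ip outside pool"))
    return problems
```

Run it against the --ip-range value of your own deployment and the IPStatus of the F5IPAM CR (kubectl get f5ipam -n kube-system -o json) to catch a status that drifted from the configured pools.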