Kubernetes

CIS Installation

Overview

CIS can be configured in multiple ways depending on the customer scenario. CIS can be deployed on Kubernetes platform. CIS installation may differ based on the resources (for example: ConfigMap, Ingress, Routes, and CRD) used by the customer to expose the Kubernetes services. CIS installation also depends on BIG-IP deployment (Standalone and High Availability configuration) and Kubernetes cluster networking (Flannel/Calico).

Prerequisites

These are the mandatory requirements for deploying CIS:

  • Kubernetes Cluster must be up and running.

  • AS3: 3.18+ must be installed on your BIG-IP system.

  • Create a BIG-IP partition to manage Kubernetes objects. This partition can be created either via the GUI (System > Users > Partition List) or via our TMOS CLI:

    create auth partition <cis_managed_partition>
    
  • You need a user with administrative access to this partition.

  • If you need to pull the k8s-bigip-ctlr image from a private Docker registry, store your Docker login credentials as a Secret.

Additionally, if you are deploying CIS in Cluster Mode you need to have the following prerequisites. For more information, see Deployment Options.

Installing CIS Manually

  1. Add BIG-IP credentials as K8S secrets.

    kubectl create secret generic bigip-login -n kube-system --from-literal=username=admin --from-literal=password=<password>
    
  2. Create a service account for deploying CIS. In the example below, the Service Account is named bigip-ctlr.

    kubectl create serviceaccount bigip-ctlr -n kube-system
    
  3. Create a Cluster Role and Cluster Role Binding on the Kubernetes Cluster using the examples below.

    The example below shows the broadest supported permission set. You can narrow the permissions down to specific resources, namespaces, etc. to suit your needs. See the Kubernetes RBAC documentation for more information.

    Important

    If you change the name of the secret (bigip-login), you need to update rbac_k8S.yaml file accordingly.

    k8s_rbac.yaml
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
     # for use in k8s clusters only
     kind: ClusterRole
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       name: bigip-ctlr-clusterrole
     rules:
     - apiGroups: ["", "extensions"]
       resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "pods"]
       verbs: ["get", "list", "watch"]
     - apiGroups: ["", "extensions"]
       resources: ["configmaps", "events", "ingresses/status"]
       verbs: ["get", "list", "watch", "update", "create", "patch"]
     - apiGroups: ["", "extensions"]
       resources: ["secrets"]
       resourceNames: ["bigip-login"]
       verbs: ["get", "list", "watch"]
     - apiGroups: ["cis.f5.com"]
       resources: ["virtualservers", "tlsprofiles", "transportservers", "ingresslinks", "externaldnss"]
       verbs: ["get", "list", "watch", "update"]
    
     ---
    
     kind: ClusterRoleBinding
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       name: bigip-ctlr-clusterrole-binding
       namespace: kube-system
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: bigip-ctlr-clusterrole
     subjects:
     - apiGroup: ""
       kind: ServiceAccount
       name: bigip-ctlr
       namespace: kube-system
    

    k8s-rbac.yaml

    Push this configuration with the command:

    kubectl apply -f  k8s_rbac.yaml
    

    Important

    You can substitute a Role and RoleBinding if your Controller does not need access to the entire Cluster.

  4. Optionally, if you plan to use CIS in CRD mode, install Custom Resource Definitions. To install F5 CRDs, download this file and run the following command:

    kubectl create -f customresourcedefinitions.yml [-n kube-system]
    
  5. Create a CIS deployment using cis_deploy.yaml as shown below. You need to update the example file with the correct information, for example: the name of your BIG-IP secret, BIG-IP IP, BIG-IP partion, etc.

    cis_deploy.yaml
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: k8s-bigip-ctlr-deployment
      namespace: kube-system
    spec:
    # DO NOT INCREASE REPLICA COUNT
      replicas: 1
      selector:
        matchLabels:
          app: k8s-bigip-ctlr-deployment
      template:
        metadata:
          labels:
            app: k8s-bigip-ctlr-deployment
        spec:
          # Name of the Service Account bound to a Cluster Role with the required
          # permissions
          containers:
            - name: k8s-bigip-ctlr
              image: "f5networks/k8s-bigip-ctlr"
              env:
                - name: BIGIP_USERNAME
                  valueFrom:
                    secretKeyRef:
                    # Replace with the name of the Secret containing your login
                    # credentials
                      name: bigip-login
                      key: username
                - name: BIGIP_PASSWORD
                  valueFrom:
                    secretKeyRef:
                    # Replace with the name of the Secret containing your login
                    # credentials
                      name: bigip-login
                      key: password
              command: ["/app/bin/k8s-bigip-ctlr"]
              args: [
                # See the k8s-bigip-ctlr documentation for information about
                # all config options
                # https://clouddocs.f5.com/containers/latest/
                "--bigip-username=$(BIGIP_USERNAME)",
                "--bigip-password=$(BIGIP_PASSWORD)",
                "--bigip-url=<ip_address-or-hostname>",
                "--bigip-partition=<name_of_partition>",
                "--pool-member-type=nodeport",
                "--insecure",
                # for secure communication provide the internal ca certificates using config-map with below option and remove insecure parameter
                #"--trusted-certs-cfgmap=<namespace/configmap>",
                ]
          serviceAccount: bigip-ctlr
          serviceAccountName: bigip-ctlr
        imagePullSecrets:
            # Secret that gives access to a private docker registry
            #- name: f5-docker-images
            # Secret containing the BIG-IP system login credentials
            - name: bigip-login
    

    Push this configuration with the following command:

    kubectl apply -f  cis_deploy.yaml
    

Creating VXLAN Tunnels on Kubernetes Cluster (Optional)

This section is required only if you plan to use CIS in a ClusterIP Deployment. See Deployment Options for more information.

  1. Create a VXLAN tunnel. In the example below, the tunnel name is fl-vxlan.

    tmsh create net tunnels vxlan fl-vxlan port 8472 flooding-type none
    
    ../../_images/kubernetes-vxlan-1.png
  2. Create a VXLAN profile.

    tmsh create net tunnels tunnel fl-vxlan key 1 profile fl-vxlan local-address 192.168.200.91
    
    ../../_images/kubernetes-vxlan-2.png
  3. Create the VXLAN tunnel self-IP.

    tmsh create net self 10.244.20.91 address 10.244.20.91/255.255.0.0 allow-service none vlan fl-vxlan
    
    ../../_images/kubernetes-vxlan-3.png

Installing CIS Using Helm Charts

This is the simplest way to install CIS on a Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of YUM or APT. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit.

  1. Add BIG-IP credentials as K8S secrets.

    For Kubernetes, use the following command:

    kubectl create secret generic bigip-login -n kube-system --from-literal=username=admin --from-literal=password=<password>
    
  2. Add the CIS chart repository in Helm using following command:

    helm repo add f5-stable https://f5networks.github.io/charts/stable
    
  3. Create values.yaml as shown below:

    values.yaml
     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
     bigip_login_secret: bigip-login
     rbac:
       create: true
     serviceAccount:
       # Specifies whether a service account should be created
       create: true
       # The name of the service account to use.
       # If not set and create is true, a name is generated using the fullname template
       name: k8s-bigip-ctlr
     # This namespace is where the Controller lives;
     namespace: kube-system
     args:
       # See https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html
       # NOTE: helm has difficulty with values using `-`; `_` are used for naming
       # and are replaced with `-` during rendering.
       # REQUIRED Params
       bigip_url: <ip_address-or-hostname>
       bigip_partition: <name_of_partition>
       # OPTIONAL PARAMS -- uncomment and provide values for those you wish to use.
       # verify_interval:
       # node-poll_interval:
       # log_level:
       # python_basedir: ~
       # VXLAN
       # openshift_sdn_name:
       # flannel_name:
       # KUBERNETES
       # default_ingress_ip:
       # kubeconfig:
       # namespace:
       # namespace_label:
       # node_label_selector:
       pool_member_type: nodeport
       insecure: true
       # resolve_ingress_names:
       # running_in_cluster:
       # use_node_internal:
       # use_secrets:
       # custom-resource-mode: true
       # log-as3-response: true
     image:
       # Use the tag to target a specific version of the Controller
       user: f5networks
       repo: k8s-bigip-ctlr
       pullPolicy: Always
     resources: {}
       # If you want to specify resources, uncomment the following
       # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
       # limits:
       #  cpu: 100m
       #  memory: 128Mi
       # requests:
       #  cpu: 100m
       #  memory: 128Mi
     version: latest
    

  1. Install the Helm chart using the following command:

    helm install -f values.yaml  --name <new-chart> f5-stable/f5-bigip-ctlr
    

Uninstalling Helm Chart

Run the following command to uninstall the chart.

helm del --purge  <new-chart>

Examples Repository

View more examples on GitHub.


Note

To provide feedback on Container Ingress Services or this documentation, you can file a GitHub Issue.