OpenShift 4.12 and F5 BIG-IP Container Ingress Services (CIS) User-Guide for Standalone BIG-IP using OVN-Kubernetes iCNI with NO Tunnels
This document demonstrates how to use OVN-Kubernetes with F5 BIG-IP Routes to ingress traffic without using an overlay. Using OVN-Kubernetes with F5 BIG-IP Routes removes the complexity of creating VXLAN tunnels or using Calico. This document demonstrates Standalone BIG-IP working with OVN-Kubernetes. The diagram below demonstrates an OpenShift Cluster with three master and three worker nodes. Three applications (tea, coffee and mocha) are deployed in the cafe namespace.

Configuration Steps
Note
The configuration below has been validated on OCP versions 4.11 and 4.12.
Step 1: Deploy OpenShift using OVNKubernetes
Deploy the OpenShift Cluster with networkType set to OVNKubernetes. Change the default to OVNKubernetes in the install-config.yaml before creating the cluster.
Step 2: Deploy Global ConfigMap
Using Global ConfigMap
- Global ConfigMap provides control to the admin to create and maintain the resource configuration centrally.
- namespace: cafe, vserverAddr: 10.192.125.65
apiVersion: v1
kind: ConfigMap
metadata:
  name: global-cm
  namespace: kube-system
  labels:
    f5nr: "true"
data:
  extendedSpec: |
    extendedRouteSpec:
    - namespace: cafe
      vserverAddr: 10.192.125.65
      vserverName: cafe
      allowOverride: true
Deploy global ConfigMap
oc create -f global-cm.yaml
Step 3: Deploy CIS
F5 BIG-IP Container Ingress Services (CIS) is called the Next Generation Route Controller. The Next Generation Route Controller extended F5 CIS to use multiple Virtual IP addresses. Previously, F5 BIG-IP CIS could only manage one Virtual IP address per CIS instance.
Add the following parameters to the CIS deployment:
- Routegroup-specific config for each namespace is provided as part of extendedSpec through the ConfigMap.
- ConfigMap info is passed to CIS with the argument --route-spec-configmap="namespace/configmap-name"
- Controller mode should be set to openshift, enabling multiple VIP support: --controller-mode="openshift"
See also
The k8s-bigip-ctlr documentation for information about all config options https://clouddocs.f5.com/containers/latest/
args: [
  "--bigip-username=$(BIGIP_USERNAME)",
  "--bigip-password=$(BIGIP_PASSWORD)",
  "--bigip-url=10.192.125.60",
  "--bigip-partition=OpenShift",
  "--namespace=cafe",
  "--pool-member-type=cluster",
  "--insecure=true",
  "--route-spec-configmap=kube-system/global-cm",
  "--controller-mode=openshift",
  "--static-routing-mode=true",
  "--orchestration-cni=ovn-k8s",
  "--as3-validation=true",
  "--log-as3-response=true",
]
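The check below is an added example, not part of the original guide or of F5's code: it audits a CIS args list against the values this guide uses and reports entries that weaken or break the deployment. The function names and the sample list (including its literal password) are constructed for illustration.

```python
import re

# Values this guide passes to CIS for OVN-Kubernetes without tunnels.
EXPECTED = {
    "--controller-mode": "openshift",
    "--static-routing-mode": "true",
    "--orchestration-cni": "ovn-k8s",
    "--pool-member-type": "cluster",
}

def parse_args(args):
    """Split "--flag=value" entries; collect entries not written in that form."""
    flags, other = {}, []
    for arg in args:
        m = re.fullmatch(r"(--[a-z0-9-]+)=(.*)", arg)
        if m:
            flags[m.group(1)] = m.group(2)
        else:
            other.append(arg)
    return flags, other

def audit(args, configmap="kube-system/global-cm"):
    """Return a list of findings for a CIS args list (empty list means clean)."""
    flags, other = parse_args(args)
    findings = [f"not in --flag=value form: {a!r}" for a in other]
    for flag, want in EXPECTED.items():
        if flags.get(flag) != want:
            findings.append(f"{flag} should be {want!r}, got {flags.get(flag)!r}")
    if flags.get("--route-spec-configmap") != configmap:
        findings.append(f"--route-spec-configmap should be {configmap!r}")
    # The guide passes credentials as $(ENV_VAR) references, never as literals.
    for flag in ("--bigip-username", "--bigip-password"):
        if not re.fullmatch(r"\$\([A-Z0-9_]+\)", flags.get(flag, "")):
            findings.append(f"{flag} is not a $(ENV_VAR) reference")
    if flags.get("--insecure") == "true":
        findings.append("--insecure=true: BIG-IP TLS certificate is not verified")
    return findings

# Constructed sample: the guide's flags with a literal password and a split flag.
SAMPLE = [
    "--bigip-username=$(BIGIP_USERNAME)", "--bigip-password=hunter2",
    "--bigip-url=10.192.125.60", "--bigip-partition=OpenShift",
    "--namespace", "--cafe", "--pool-member-type=cluster", "--insecure=true",
    "--route-spec-configmap=kube-system/global-cm", "--controller-mode=openshift",
    "--static-routing-mode=true", "--orchestration-cni=ovn-k8s",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against the args extracted from f5-bigip-ctlr-deployment.yaml before `oc create`; an empty result means the list matches the values shown in this guide.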
Deploy CIS in OpenShift
oc create secret generic bigip-login -n kube-system --from-literal=username=admin --from-literal=password=<secret>
oc create -f bigip-ctlr-clusterrole.yaml
oc create -f f5-bigip-ctlr-deployment.yaml
Step 4: Verify BIG-IP Static Routes
CIS provisions static routes on BIG-IP when the deployment parameter --static-routing-mode=true is set.
View static routes created on BIG-IP with node subnets assigned for the three worker nodes in the OpenShift cluster.

Setup complete! Deploy CIS and create OpenShift Routes
Step 5: Creating OpenShift Routes for cafe.example.com
Use case for the OpenShift Routes:
- Edge Termination
- Backend listening on PORT 8080
Create OpenShift Routes:
oc create -f route-tea-edge.yaml
oc create -f route-coffee-edge.yaml
oc create -f route-mocha-edge.yaml
Validation
Step 1: Validate OpenShift Routes using the BIG-IP

Step 2: Validate OpenShift Virtual IP using the BIG-IP

Step 3: Validate OpenShift Routes policies on the BIG-IP

Step 4: Validate OpenShift Routes policies by connecting to the Public IP

Note
To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.