The F5 BIG-IP Controller for Kubernetes manages F5 BIG-IP Local Traffic Manager (LTM) objects from Kubernetes.
See the F5 Container Connector for Kubernetes user documentation.
The F5 BIG-IP Controller for Kubernetes is a Docker container that runs in a Kubernetes Pod. It uses an F5 Resource to determine:
The F5 BIG-IP Controller for Kubernetes watches the Kubernetes API for the creation, modification or deletion of Kubernetes objects. For some objects, it responds to these events by creating, modifying or deleting objects in the configuration of a BIG-IP. It handles these objects: - A ConfigMap that is the F5-specific VirtualServer type, used to create per-service virtual servers and/or pools on BIG-IP. - The standard Kubernetes Ingress object, used to create a single virtual server on BIG-IP with L7 policies to route to individual services. This object can have some F5-specific annotations documented below to control F5-specific behavior.
One controller can handle a mix of these objects simultaneously. See below for the specifics regarding the handling of these objects.
For example:
virtualServer resource.The BIG-IP handles traffic for the Service the specified virtual address and load-balances to all nodes in the cluster. Within the cluster, the allocated NodePort load balances traffic to all pods.
These configuration parameters are global to the controller.
| Parameter | Type | Required | Default | Description | Allowed Values |
|---|---|---|---|---|---|
| bigip-username | string | Required | n/a | BIG-IP iControl REST username | |
| bigip-password | string | Required | n/a | BIG-IP iControl REST password [3] | |
| bigip-url | string | Required | n/a | BIG-IP admin IP address | |
| bigip-partition | string | Required | n/a | The BIG-IP partition in which to configure objects. | |
| namespace | string | Optional | All | Kubernetes namespace(s) to watch, if not provided will watch all namespaces | |
| namespace-label | string | Optional | n/a | Tells the k8s-bigip-ctlr to watch
any namespace with this label |
|
| kubeconfig | string | Optional | ./config | Path to the kubeconfig file | |
| python-basedir | string | Optional | /app/python | Path to python utilities directory | |
| running-in-cluster | boolean | Optional | true | Indicates whether or not a
kubernetes cluster started
k8s-bigip-ctlr |
true, false |
| use-node-internal | boolean | Optional | true | filter Kubernetes InternalIP addresses for pool members | true, false |
| verify-interval | integer | Optional | 30 | In seconds, interval at which to verify the BIG-IP configuration. | |
| node-poll-interval | integer | Optional | 30 | In seconds, interval at which to poll the cluster for its node members. | |
| log-level | string | Optional | INFO | Log level | INFO, DEBUG, CRITICAL, WARNING, ERROR |
| pool-member-type | string | Optional | nodeport | Create this type of BIG-IP pool members Use Use |
cluster, nodeport |
| openshift-sdn-name | string | Optional | n/a | BigIP configured VxLAN name for access into the Openshift SDN and Pod network |
The F5 BIG-IP Controller for Kubernetes supports VirtualServer ConfigMap objects.
| Property | Description | Allowed Values |
|---|---|---|
| f5type | Defines the type of object
k8s-bigip-ctlr creates on the BIG-IP |
virtual-server |
| schema | Verifies the data blob |
f5schemadb://bigip-virtual-server_v0.1.3.json |
| data | Defines the F5 resource | |
| frontend | Defines object(s) created on the BIG-IP | See frontend |
| backend | Identifes the Kubernets Service acting as the server pool | See backend |
| Property | Type | Required | Default | Description | Allowed Values |
|---|---|---|---|---|---|
| partition | string | Required | Define the BIG-IP partition to manage | ||
| virtualAddress | JSON object | Optional | Allocate a virtual address from the BIG-IP | ||
|
string | Required | Virtual IP address | ||
|
integer | Required | Port number | ||
| mode | string | Optional | tcp | Set the proxy mode | http, tcp |
| balance | string | Optional | round-robin | Set the load balancing mode | round-robin |
| sslProfile | JSON object | Optional | BIG-IP SSL profile to apply to the virtual server. | ||
|
string | Optional | Name of the BIG-IP SSL profile you want to use. Uses format Example: |
||
|
array of strings | Optional | Array of BIG-IP SSL profile names. Each SSL profile name uses the format
Example: [
'Common/testcert1',
'Common/testcert2'
]
|
If bindAddr is not provided in the Frontend configuration, then you must supply it via a Kubernetes Annotation for the ConfigMap. The controller watches for the annotation key virtual-server.f5.com/ip.
This annotation must contain the IP address that the virtual server will use. You can configure an IPAM system to write out this annotation containing the IP address that it chose.
A user of the Kubernetes API can check the status.virtual-server.f5.com/ip annotation, set by the controller, to see the bindAddr that the virtual server is using.
If virtualAddress or bindAddr are not provided in the Frontend configuration, then the controller will configure and manage pools, pool members, and healthchecks for the service without a virtual server on the BIG-IP.
Instead you should already have a BIG-IP virtual server that handles client connections and has an irule or traffic policy to forward the request to the correct pool. The stable name of the pool will be the namespace
of the Kubernetes service followed by an underscore followed by the name of the service ConfigMap.
To configure multiple SSL profiles, use f5ProfileNames, not f5ProfileName. f5ProfileName and f5ProfileNames are mutually exclusive.
| Property | Type | Required | Default | Description | Allowed Values |
|---|---|---|---|---|---|
| partition | string | Required | Define the BIG-IP partition to manage. | ||
| iapp | string | Required | BIG-IP iApp template to use to create the application service. | Any iApp template already configured on the BIG-IP. | |
| iappPoolMemberTable | JSON object | Required | Define the name and layout of the pool-member table in the iApp. See the iApp Pool Member Table section below. | ||
| iappTables | JSON object array | Optional | Define iApp tables to apply to the Application Service Example:
|
||
| iappOptions | key-value object | Required | Define the App configurations | See configuration parameters above. | |
| iappVariables | key-value object | Required | Define the iApp variables needed for service creation. |
You can use the iappPoolMemberTable option to describe the layout of the pool-member table that the controller should configure. It is a JSON object with these properties:
name (required): A string that specifies the name of the table that contains the pool members.columns (required): An array that specifies the columns that the controller will configure in the pool-member table, in order.Each entry in columns is an object that has a name property and either a kind or value property:
name (required): A string that specifies the column name.kind: A string that tells the controller what property from the node to substitute. The controller supports "IPAddress" and "Port".value: A string that specifies a value. The controller will not perform any substitution, it uses the value as specified.For instance, if you configure an application with two pods at 1.2.3.4:20123 and 1.2.3.5:20321, and you specify:
"iappPoolMemberTable" = {
"name": "pool__members",
"columns": [
{"name": "Port", "kind": "Port"},
{"name": "IPAddress", "kind": "IPAddress"},
{"name": "ConnectionLimit", "value": "0"}
]
}
This would configure the following table on BIG-IP:
{
"name": "pool__members",
"columnNames": [
"Port",
"IPAddress",
"ConnectionLimit",
],
"rows": [
{
"row": [
"20123",
"1.2.3.4",
"0",
]
},
{
"row": [
"20321",
"1.2.3.5",
"0",
]
},
]
}
You will need to adjust this for the particular iApp template that you are using. One way to discover the format is to configure an iApp manually from a template, and then check its configuration using tmsh list sys app service <appname>.
| Property | Type | Required | Default | Description | Allowed Values |
|---|---|---|---|---|---|
| serviceName | string | Required | none | The Kubernetes Service representing the server pool. | |
| servicePort | integer | Required | none | Kubernetes Service port number | |
| healthMonitors | JSON object array | Optional | none | Array of TCP or HTTP Health Monitors. |
The F5 BIG-IP Controller for Kubernetes supports Kubernetes Ingress resources as an alternative to F5 Resource ConfigMaps.
| Annotation | Type | Required | Description | Default |
|---|---|---|---|---|
| virtual-server.f5.com/ip | string | Required | Contains the IP address that the virtual server will use. | |
| virtual-server.f5.com/partition | string | Required | Specifies which partition on the Big-IP the controller should create/update/delete objects in for this Ingress. | |
| kubernetes.io/ingress.class | string | Optional | If specified, it must contain the value f5. | f5 |
| virtual-server.f5.com/balance | string | Optional | Specifies the load balancing mode. | round-robin |
| virtual-server.f5.com/http-port | integer | Optional | Specifies the HTTP port. | 80 |
| virtual-server.f5.com/https-port | integer | Optional | Specifies the HTTPS port. | 443 |
| virtual-server.f5.com/health | JSON object | Optional | Health monitor configuration to use for the Ingress resource. | |
| ingress.kubernetes.io/allow-http | boolean | Optional | For HTTPS Ingress resources, specifies to also allow HTTP traffic. | false |
| ingress.kubernetes.io/ssl-redirect | boolean | Optional | For HTTPS Ingress resources, specifies to redirect HTTP traffic to the HTTPS port (see below). | true |
If the Ingress resource contains a tls section, the allow-http and ssl-redirect annotations provide a method of controlling HTTP traffic. In this case, the controller uses the value set in the allow-http annotation to enable or disable HTTP traffic. Use the ssl-redirect annotation to redirect all HTTP traffic to the HTTPS Virtual Server.
One or more SSL profiles may exist in the Ingress resource, and must already exist on the BIG-IP. The SSL profiles referenced in the Ingress resource must use the full path used on the BIG-IP, such as /Common/clientssl.
To configure health monitors on your Ingress resource, you need to use the appropriate annotation with a JSON object containing an array of health monitor JSON object for each path specified in the Ingress resource. Each health monitor JSON object must have the following 4 fields:
{
"path": "serviceName/path",
"send": "<send string to set in the health monitor>",
"interval": <health check interval>,
"timeout": <number of seconds before the check has timed out>
}
Please see the example configuration files for more details.
| [1] | The F5 BIG-IP Controller for Kubernetes creates and manages objects in the BIG-IP partition defined in the F5 resource ConfigMap. |
| [2] | The F5 BIG-IP Controller for Kubernetes forwards traffic to the NodePort assigned to the service by Kubernetes; see the Kubernetes Services documentation for more information. |
| [3] | You can store sensitive information as a Kubernetes Secret. See the user documentation for instructions. |