F5 IPAM Controller
Overview
The F5 IPAM Controller is a Docker container that runs in an orchestration environment and interfaces with an IPAM system. It lets you allocate IP addresses from an IPAM system’s address pool for host names in an orchestration environment. The Controller watches orchestration-specific resources and consumes the host names within each resource.
The Controller can:
- Create A and CNAME DNS records in the IPAM system for the supplied host names, using the next available address in the specified subnet.
- Write an annotation or label with the selected IP address back to orchestration resources.
- Update A or CNAME records if a resource’s host names get updated.
- Delete any A or CNAME records and release reserved IP addresses from deleted resources.
Features
- Interfaces with an orchestration environment to receive lists of host names.
- Interfaces with an IPAM system to allocate IP addresses for the requested host names.
- Creates A records and CNAME records for the host names and chosen IP addresses.
- Annotates the orchestration resources with the chosen IP addresses to enable integration with an F5 Container Connector.
Configuration Parameters
Tip
See the example configuration files for usage examples.
General
All configuration parameters below are global to the f5-ipam-ctlr.
Parameter | Type | Required | Default | Description | Allowed Values |
---|---|---|---|---|---|
log-level | string | Optional | INFO | Log level | INFO, DEBUG, CRITICAL, WARNING, ERROR |
ip-manager | string | Required | n/a | The IPAM system that the controller will interface with. | infoblox |
orchestration | string | Required | n/a | The orchestration that the controller is running in. | kubernetes, k8s, openshift |
verify-interval | integer | Optional | 30 | In seconds, the interval at which to verify the IPAM configuration. Set to | |
version | string | Optional | n/a | Print the controller version and exit. | |
IPAM Systems
Infoblox
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
credentials-directory | string | Optional | n/a | Directory that contains the infoblox username and password files. |
infoblox-grid-host | string | Required | n/a | The grid manager host IP address. |
infoblox-password | string | Required | n/a | The login password. |
infoblox-port | integer | Optional | 443 | The Web API port. |
infoblox-username | string | Required | n/a | The login username. |
infoblox-wapi-version | string | Required | n/a | The Web API version. |
Important
The credentials-directory option is an alternative to using the infoblox-username and infoblox-password arguments.
When you use this argument, the controller expects to find two files:
- “infoblox-username” and
- “infoblox-password”
Each file should contain only the username and the password, respectively. You can create the files as Kubernetes Secrets.
Orchestration
Kubernetes
Parameter | Type | Required | Default | Description | Allowed Values |
---|---|---|---|---|---|
kubeconfig | string | Optional | ./config | Path to the kubeconfig file | |
namespace | string | Optional | All | Kubernetes namespace(s) to watch | |
namespace-label | string | Optional | n/a | Tells the f5-ipam-ctlr to watch any namespace with this label. | |
running-in-cluster | boolean | Optional | true | Indicates whether or not a Kubernetes cluster started f5-ipam-ctlr. | true, false |
Installation
Take the steps below to install the f5-ipam-ctlr in Kubernetes or OpenShift.

1. Set up RBAC as appropriate for your Cluster. The f5-ipam-ctlr requires the following permissions:

       - apiGroups:
         - ""
         - "extensions"
         resources:
         - configmaps
         - ingresses
         verbs:
         - get
         - list
         - watch
         - update
         - patch
       - apiGroups:
         - ""
         resources:
         - namespaces
         verbs:
         - get
         - list
         - watch

   Example:
   To give the f5-ipam-ctlr cluster-wide access to resources, define a ServiceAccount, ClusterRole, and ClusterRoleBinding.
   View or download example RBAC resources
   Tip
   Do not grant the f5-ipam-ctlr more access than needed for your specific use case. If the f5-ipam-ctlr will watch a specific namespace(s), consider using a Role and RoleBinding instead.
2. Define the Configuration Parameters in a Kubernetes Deployment using YAML or JSON.
   View or download a basic Deployment
   View or download a Deployment that uses the credentials-directory
3. Upload the resources to the Kubernetes or OpenShift API server.

       kubectl create -f f5-ipam-ctlr-rbac.yaml -f f5-ipam-ctlr.yaml [-n <desired_namespace>]

       oc create -f f5-ipam-ctlr-rbac.yaml -f f5-ipam-ctlr.yaml [-n <desired_namespace>]
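
The following check is an added example, not part of the F5 documentation or the controller's code. It compares the rules of a Role or ClusterRole with the permissions listed in the Installation steps and reports anything granted beyond them; `SAMPLE_RULES` is a constructed, deliberately over-broad role, and the function names are this example's own.

```python
# Added example (not F5 code): compare RBAC rules with the permissions
# this page says the f5-ipam-ctlr requires.
REQUIRED_RULES = [  # copied from the permissions listed in the Installation steps
    {"apiGroups": ["", "extensions"],
     "resources": ["configmaps", "ingresses"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
    {"apiGroups": [""], "resources": ["namespaces"],
     "verbs": ["get", "list", "watch"]},
]

SAMPLE_RULES = [  # constructed, deliberately over-broad role
    {"apiGroups": ["", "extensions"],
     "resources": ["configmaps", "ingresses"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["namespaces", "secrets"],
     "verbs": ["get", "list", "watch"]},
]


def expand(rules):
    """Flatten rules into a set of (apiGroup, resource, verb) triples."""
    return {(g, r, v)
            for rule in rules
            for g in rule.get("apiGroups", [])
            for r in rule.get("resources", [])
            for v in rule.get("verbs", [])}


def covered(needed, granted):
    """True if some granted triple matches, treating "*" as a wildcard."""
    return any(all(g in ("*", n) for g, n in zip(triple, needed))
               for triple in granted)


def audit(rules, baseline=REQUIRED_RULES):
    """Report grants beyond the baseline and baseline grants not covered."""
    granted, needed = expand(rules), expand(baseline)
    return {
        "excess": sorted(granted - needed),  # wildcard grants always land here
        "missing": sorted(t for t in needed if not covered(t, granted)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    for group, resource, verb in report["excess"]:
        print(f"excess: {verb} on {resource} (apiGroup {group!r})")
    for group, resource, verb in report["missing"]:
        print(f"missing: {verb} on {resource} (apiGroup {group!r})")
```

To audit a real role, load its `rules` list (for example from `kubectl get clusterrole <name> -o json`) and pass it to `audit`.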
Usage
To use the F5 IPAM Controller in Kubernetes or OpenShift, add the resource annotations to a ConfigMap or Ingress resource.
Important
Use of the resource annotations with OpenShift Routes is not supported.
Example
kubectl annotate ingress <ingress_name> ipam.f5.com/infoblox-netview=default ipam.f5.com/ip-allocation=dynamic ipam.f5.com/network-cidr=1.2.3.0/24
Note
The f5-ipam-ctlr writes the chosen IP address to each resource using the following annotation:
virtual-server.f5.com/ip
Important
If changing the network view, network CIDR, or group, we recommend deleting the Ingress or ConfigMap first, then performing the edits and recreating the resource. Changing these fields “live” may cause unwanted behavior.
Kubernetes Resource Annotations
In Kubernetes, the F5 IPAM Controller watches for ConfigMap and Ingress resources with the required annotations.
When using the F5 IPAM Controller with the F5 BIG-IP Controller for Kubernetes, the f5-ipam-ctlr can watch for F5 Resource ConfigMaps.
Add the Annotations shown in the table below to Kubernetes resources to manage IP address assignment with the f5-ipam-ctlr.
Annotation | Type | Required | Description | Supported Resource(s) |
---|---|---|---|---|
ipam.f5.com/group | string | Optional | Assign a single IP address to a group of multi-service Ingress resources. Ungrouped multi-service Ingress resources receive unique (non-shared) IP addresses. | multi-service Ingress |
ipam.f5.com/infoblox-netview | string | Required | Specifies the Infoblox network view in which to allocate the IP address. | ConfigMap, Ingress |
ipam.f5.com/ip-allocation=dynamic | string | Required | Tells the f5-ipam-ctlr to watch this resource and allocate IP addresses for its hosts. | ConfigMap, Ingress |
ipam.f5.com/network-cidr | string | Required | Specifies the subnet in which to allocate the IP address. | ConfigMap, Ingress |
ipam.f5.com/hostname | string | Required | Specifies the hostname for which to create a DNS record. | ConfigMap, single-service Ingress |
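
The annotation table can be turned into a pre-deployment check. The validator below is an added example, not the controller's own logic: it applies the Required and Supported Resource(s) columns as written, rejects resource kinds other than ConfigMap and Ingress, and additionally requires `network-cidr` to parse as a subnet. The `multi_service` flag, the function name, and the sample values are assumptions of this example.

```python
import ipaddress

PREFIX = "ipam.f5.com/"
ALWAYS_REQUIRED = ("infoblox-netview", "ip-allocation", "network-cidr")


def validate(kind, annotations, multi_service=False):
    """Return problems found in a resource's IPAM annotations ([] if none).

    multi_service is supplied by the caller (an assumption of this example):
    True for an Ingress that routes to more than one Service.
    """
    if kind not in ("ConfigMap", "Ingress"):
        return [f"{kind}: IPAM annotations apply only to ConfigMap and Ingress"]
    a = {k[len(PREFIX):]: v for k, v in annotations.items()
         if k.startswith(PREFIX)}
    problems = [f"missing {PREFIX}{name}"
                for name in ALWAYS_REQUIRED if not a.get(name)]
    if a.get("ip-allocation") and a["ip-allocation"] != "dynamic":
        problems.append("ip-allocation must be 'dynamic'")
    if a.get("network-cidr"):
        try:
            # strict=True also rejects host bits, e.g. 1.2.3.4/24
            ipaddress.ip_network(a["network-cidr"], strict=True)
        except ValueError as exc:
            problems.append(f"network-cidr is not a valid subnet: {exc}")
    single_service = kind == "Ingress" and not multi_service
    if (kind == "ConfigMap" or single_service) and not a.get("hostname"):
        problems.append(f"missing {PREFIX}hostname")
    if "group" in a and not (kind == "Ingress" and multi_service):
        problems.append("group applies only to multi-service Ingress")
    return problems


# Constructed sample: the annotation values from the kubectl example above.
SAMPLE = {
    "ipam.f5.com/infoblox-netview": "default",
    "ipam.f5.com/ip-allocation": "dynamic",
    "ipam.f5.com/network-cidr": "1.2.3.0/24",
}

if __name__ == "__main__":
    print(validate("Ingress", SAMPLE, multi_service=True))  # no problems
    print(validate("ConfigMap", SAMPLE))                     # hostname missing
    bad = {**SAMPLE, "ipam.f5.com/network-cidr": "1.2.3.4/24"}
    print(validate("Ingress", bad, multi_service=True))      # host bits set
```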