F5 IPAM Controller

WARNING! This is a beta release. Functionality and testing may be incomplete or under development.

Overview

The F5 IPAM Controller is a Docker container that runs in an orchestration environment and interfaces with an IPAM system. It lets you allocate IP addresses from an IPAM system’s address pool for host names in an orchestration environment. The Controller watches orchestration-specific resources and consumes the host names within each resource.

The Controller can:

  • Create A and CNAME DNS records in the IPAM system for the supplied host names, using the next available address in the specified subnet.
  • Write an annotation or label with the selected IP address back to orchestration resources.
  • Update A or CNAME records if a resource’s host names get updated.
  • Delete any A or CNAME records and release reserved IP addresses from deleted resources.

Release Notes

Attributions

Attributions.md

Features

  • Interfaces with an orchestration environment to receive lists of host names.
  • Interfaces with an IPAM system to allocate IP addresses for the requested host names.
  • Creates A records and CNAME records for the host names and chosen IP addresses.
  • Annotates the orchestration resources with the chosen IP addresses to enable integration with an F5 Container Connector.

Supported Environments

Orchestrations

IPAM systems

Configuration Parameters

Tip

See the example configuration files for usage examples.

General

All configuration parameters below are global to the f5-ipam-ctlr.

| Parameter | Type | Required | Default | Description | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| log-level | string | Optional | INFO | Log level | INFO, DEBUG, CRITICAL, WARNING, ERROR |
| ip-manager | string | Required | n/a | The IPAM system that the controller will interface with. | infoblox |
| orchestration | string | Required | n/a | The orchestration that the controller is running in. | kubernetes, k8s, openshift |
| verify-interval | integer | Optional | 30 | In seconds, the interval at which to verify the IPAM configuration. Set to 0 to disable. | |
| version | string | Optional | n/a | Print the controller version and exit. | |

IPAM Systems

Infoblox

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| credentials-directory | string | Optional | n/a | Directory that contains the infoblox username and password files. |
| infoblox-grid-host | string | Required | n/a | The grid manager host IP address. |
| infoblox-password | string | Required | n/a | The login password. |
| infoblox-port | integer | Optional | 443 | The Web API port. |
| infoblox-username | string | Required | n/a | The login username. |
| infoblox-wapi-version | string | Required | n/a | The Web API version. |

Important

The credentials-directory option is an alternative to using the infoblox-username and infoblox-password arguments.

When you use this argument, the controller expects to find two files:

  • “infoblox-username” and
  • “infoblox-password”

Each file should contain only the username and the password, respectively. You can create the files as Kubernetes Secrets.
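
The credentials-directory setup described above, written out as an added example (not F5's published Deployment). The image, resource names, namespace, mount path and the `--name=value` argument form are assumptions; replace the placeholders with your own values.

```yaml
# Added example. Placeholders in <angle brackets> are not real values.
# Assumption: parameters are passed as "--name=value" container arguments.
apiVersion: v1
kind: Secret
metadata:
  name: infoblox-credentials
  namespace: kube-system
type: Opaque
stringData:
  # Each key becomes a file of the same name; no trailing newline is added.
  infoblox-username: "<infoblox_username>"
  infoblox-password: "<infoblox_password>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: f5-ipam-ctlr
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: f5-ipam-ctlr
  template:
    metadata:
      labels:
        app: f5-ipam-ctlr
    spec:
      serviceAccountName: f5-ipam-ctlr
      containers:
      - name: f5-ipam-ctlr
        image: "<f5-ipam-ctlr_image>"
        args:
        - "--orchestration=kubernetes"
        - "--ip-manager=infoblox"
        - "--infoblox-grid-host=<grid_manager_ip>"
        - "--infoblox-wapi-version=<wapi_version>"
        # Used instead of --infoblox-username / --infoblox-password, whose
        # values would be readable by anyone who can view the pod spec.
        - "--credentials-directory=/etc/infoblox-credentials"
        volumeMounts:
        - name: infoblox-credentials
          mountPath: /etc/infoblox-credentials
          readOnly: true
      volumes:
      - name: infoblox-credentials
        secret:
          secretName: infoblox-credentials
```

Access to the Secret itself is governed by RBAC on `secrets` in its namespace, so restrict that separately from the controller's own permissions.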

Orchestration

Kubernetes

| Parameter | Type | Required | Default | Description | Allowed Values |
| --- | --- | --- | --- | --- | --- |
| kubeconfig | string | Optional | ./config | Path to the kubeconfig file | |
| namespace | string | Optional | All | Kubernetes namespace(s) to watch. May be a comma-separated list. Watches all namespaces by default. | |
| namespace-label | string | Optional | n/a | Tells the f5-ipam-ctlr to watch any namespace with this label. | |
| running-in-cluster | boolean | Optional | true | Indicates whether or not a kubernetes cluster started f5-ipam-ctlr. | true, false |

Installation

Take the steps below to install the f5-ipam-ctlr in Kubernetes or OpenShift.

  1. Set up RBAC as appropriate for your Cluster. The f5-ipam-ctlr requires the following permissions:

    - apiGroups:
      - ""
      - "extensions"
      resources:
      - configmaps
      - ingresses
      verbs:
      - get
      - list
      - watch
      - update
      - patch
    - apiGroups:
      - ""
      resources:
      - namespaces
      verbs:
      - get
      - list
      - watch
    

    Example:

    To give the f5-ipam-ctlr cluster-wide access to resources, define a ServiceAccount, ClusterRole, and ClusterRoleBinding.

    View or download example RBAC resources

    Tip

    Do not grant the f5-ipam-ctlr more access than needed for your specific use case. If the f5-ipam-ctlr will watch only specific namespaces, consider using a Role and RoleBinding instead.

  2. Define the Configuration Parameters in a Kubernetes Deployment using YAML or JSON.

    View or download a basic Deployment

    View or download a Deployment that uses the credentials-directory

  3. Upload the resources to the Kubernetes or OpenShift API server.

    kubectl create -f f5-ipam-ctlr-rbac.yaml -f f5-ipam-ctlr.yaml [-n <desired_namespace>]
    
    oc create -f f5-ipam-ctlr-rbac.yaml -f f5-ipam-ctlr.yaml [-n <desired_namespace>]
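
Following the tip in step 1, this added example (not F5's published RBAC file) confines the `update` and `patch` verbs to one watched namespace with a Role and RoleBinding, and keeps only the read-only `namespaces` rule cluster-scoped. The `ingress-apps` and `kube-system` namespaces and all resource names are placeholders; it assumes the ServiceAccount already exists and that the controller runs with `namespace` set to the watched namespace.

```yaml
# Added example. Namespaces and names are placeholders.
# Write verbs (update/patch) apply only inside the watched namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: f5-ipam-ctlr
  namespace: ingress-apps
rules:
- apiGroups: ["", "extensions"]
  resources: ["configmaps", "ingresses"]
  verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: f5-ipam-ctlr
  namespace: ingress-apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: f5-ipam-ctlr
subjects:
- kind: ServiceAccount
  name: f5-ipam-ctlr
  namespace: kube-system
---
# Namespaces are cluster-scoped, so this read-only rule stays in a ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: f5-ipam-ctlr-namespaces
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: f5-ipam-ctlr-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: f5-ipam-ctlr-namespaces
subjects:
- kind: ServiceAccount
  name: f5-ipam-ctlr
  namespace: kube-system
```

To watch more than one namespace, repeat the Role and RoleBinding in each namespace listed in the `namespace` parameter.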
    

Usage

To use the F5 IPAM Controller in Kubernetes or OpenShift, add the resource annotations to a ConfigMap or Ingress resource.

Important

Use of the resource annotations with OpenShift Routes is not supported.

Example

kubectl annotate ingress <ingress_name> ipam.f5.com/infoblox-netview=default ipam.f5.com/ip-allocation=dynamic ipam.f5.com/network-cidr=1.2.3.0/24

Note

The f5-ipam-ctlr writes the chosen IP address to each resource using the following annotation:

virtual-server.f5.com/ip

Important

To change the network view, network CIDR, or group, we recommend deleting the Ingress or ConfigMap first, then making the edits and recreating the resource. Changing these fields “live” may cause unwanted behavior.

Kubernetes Resource Annotations

In Kubernetes, the F5 IPAM Controller watches for ConfigMap and Ingress resources with the required annotations. When using the F5 IPAM Controller with the F5 BIG-IP Controller for Kubernetes, the f5-ipam-ctlr can watch for F5 Resource ConfigMaps.

Add the Annotations shown in the table below to Kubernetes resources to manage IP address assignment with the f5-ipam-ctlr.

| Annotation | Type | Required | Description | Supported Resource(s) |
| --- | --- | --- | --- | --- |
| ipam.f5.com/group | string | Optional | Assign a single IP address to a group of multi-service Ingress resources. Ungrouped multi-service Ingress resources receive unique (non-shared) IP addresses. | multi-service Ingress |
| ipam.f5.com/infoblox-netview | string | Required | Specifies the Infoblox network view in which to allocate the IP address. | ConfigMap, Ingress |
| ipam.f5.com/ip-allocation=dynamic | string | Required | Tells the f5-ipam-ctlr to watch this resource and allocate IP addresses for its hosts. | ConfigMap, Ingress |
| ipam.f5.com/network-cidr | string | Required | Specifies the subnet in which to allocate the IP address. | ConfigMap, Ingress |
| ipam.f5.com/hostname | string | Required | Specifies the hostname for which to create a DNS record. | ConfigMap, single-service Ingress |