Lab 1.3 - F5 Container Connector Setup
Take the steps below to deploy a controller for each BIG-IP device in the cluster.
Set up RBAC
The F5 BIG-IP Controller requires permission to monitor the status of the OpenShift cluster. The following will create a "role" that allows it to access specific resources.
You can create RBAC resources in the project in which you will run your BIG-IP Controller. Each Controller that manages a device in a cluster or active-standby pair can use the same Service Account, Cluster Role, and Cluster Role Binding.
Create the BIG-IP login secret.
oc create secret generic bigip-login -n kube-system --from-literal=username=admin --from-literal=password=admin
Create a Service Account for the BIG-IP Controller.
oc create serviceaccount bigip-ctlr -n kube-system
Create a Cluster Role and Cluster Role Binding with the required permissions.
Note
The following file has already been created as f5-kctlr-openshift-clusterrole.yaml, located in /home/centos/agilitydocs/openshift/advanced/ocp on ose-master1.

```yaml
# For use in OpenShift clusters
apiVersion: v1
kind: ClusterRole
metadata:
  annotations:
    authorization.openshift.io/system-only: "true"
  name: system:bigip-ctlr
rules:
- apiGroups: ["", "extensions"]
  resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "routes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["", "extensions"]
  resources: ["configmaps", "events", "ingresses/status"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: ["", "extensions"]
  resources: ["secrets"]
  resourceNames: ["<secret-containing-bigip-login>"]
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ClusterRoleBinding
metadata:
  name: bigip-ctlr-role
userNames:
- system:serviceaccount:kube-system:bigip-ctlr
subjects:
- kind: ServiceAccount
  name: bigip-ctlr
roleRef:
  name: system:bigip-ctlr
```
oc create -f f5-kctlr-openshift-clusterrole.yaml
Create & Verify CC Deployment
Create an OpenShift Deployment for each Controller (one per BIG-IP device). You need to deploy a controller for both f5-bigip-node1 and f5-bigip-node2.
- Provide a unique metadata.name for each Controller.
- Provide a unique --bigip-url in each Deployment (each Controller manages a separate BIG-IP device).
- Use the same --bigip-partition in all Deployments.
bigip1-cc.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: bigip1-ctlr
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr1
      labels:
        app: k8s-bigip-ctlr1
    spec:
      serviceAccountName: bigip-ctlr
      containers:
      - name: k8s-bigip-ctlr
        image: "f5networks/k8s-bigip-ctlr:latest"
        command: ["/app/bin/k8s-bigip-ctlr"]
        args: [
          "--credentials-directory=/tmp/creds",
          "--bigip-url=10.3.10.60",
          "--bigip-partition=ocp",
          "--pool-member-type=cluster",
          "--manage-routes=true",
          "--node-poll-interval=5",
          "--verify-interval=5",
          "--namespace=demoproj",
          "--namespace=yelb",
          "--namespace=guestbook",
          "--namespace=f5demo",
          "--route-vserver-addr=10.3.10.120",
          "--route-http-vserver=ocp-vserver",
          "--route-https-vserver=ocp-https-vserver",
          "--openshift-sdn-name=/Common/ocp-tunnel"
        ]
        volumeMounts:
        - name: bigip-creds
          mountPath: "/tmp/creds"
          readOnly: true
      volumes:
      - name: bigip-creds
        secret:
          secretName: bigip-login
      imagePullSecrets:
      - name: f5-docker-images
```
bigip2-cc.yaml
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: bigip2-ctlr
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      # Pod name and label made unique to this Deployment so the two
      # controllers in kube-system do not share an overlapping selector.
      name: k8s-bigip-ctlr2
      labels:
        app: k8s-bigip-ctlr2
    spec:
      serviceAccountName: bigip-ctlr
      containers:
      - name: k8s-bigip-ctlr
        image: "f5networks/k8s-bigip-ctlr:latest"
        command: ["/app/bin/k8s-bigip-ctlr"]
        args: [
          "--credentials-directory=/tmp/creds",
          "--bigip-url=10.3.10.61",
          "--bigip-partition=ocp",
          "--pool-member-type=cluster",
          "--manage-routes=true",
          "--node-poll-interval=5",
          "--verify-interval=5",
          "--namespace=demoproj",
          "--namespace=yelb",
          "--namespace=guestbook",
          "--namespace=f5demo",
          "--route-vserver-addr=10.3.10.120",
          "--route-http-vserver=ocp-vserver",
          "--route-https-vserver=ocp-https-vserver",
          "--openshift-sdn-name=/Common/ocp-tunnel"
        ]
        volumeMounts:
        - name: bigip-creds
          mountPath: "/tmp/creds"
          readOnly: true
      volumes:
      - name: bigip-creds
        secret:
          secretName: bigip-login
      imagePullSecrets:
      - name: f5-docker-images
```
oc create -f bigip1-cc.yaml
oc create -f bigip2-cc.yaml
Verify the deployment and pods that are created.
oc get deployment -n kube-system
Note
Check in your lab that both controllers show as AVAILABLE. If not, you won't be able to do the lab. It may take up to 10 minutes for them to become available.
oc get pods -n kube-system
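As an added check, not part of the lab files or the k8s-bigip-ctlr project, the POSIX shell helpers below verify the three rules given for the two Deployments (unique metadata.name, unique --bigip-url, identical --bigip-partition) and read an `oc get deployment -n kube-system` listing to confirm that every named controller reports AVAILABLE. The manifests and listing embedded in the script are constructed samples that mirror the lab values, so it runs without a cluster; the helper names (manifest_arg, manifest_name, check_controller_pair, controllers_available) are ours, not the lab's.

```shell
#!/bin/sh
# Added verification helpers for this lab; not part of the F5 lab files or the
# k8s-bigip-ctlr project. The sample manifests and listing below are constructed
# (trimmed copies of the lab values) so the checks run offline.

# Value of one "--flag=value" entry in a manifest's args list (first match).
manifest_arg() {
  grep -o "\"--$2=[^\"]*\"" "$1" | head -n 1 | sed "s/^\"--$2=//; s/\"\$//"
}

# metadata.name of the Deployment: the first "name:" after the kind line.
manifest_name() {
  awk '/^kind: Deployment/ { k = 1 } k && /^ *name:/ { print $2; exit }' "$1"
}

# 0 when the pair satisfies all three lab constraints, 1 otherwise (reasons on stdout).
check_controller_pair() {
  rc=0
  [ "$(manifest_name "$1")" != "$(manifest_name "$2")" ] \
    || { echo "metadata.name must differ"; rc=1; }
  [ "$(manifest_arg "$1" bigip-url)" != "$(manifest_arg "$2" bigip-url)" ] \
    || { echo "--bigip-url must differ (one BIG-IP per controller)"; rc=1; }
  [ "$(manifest_arg "$1" bigip-partition)" = "$(manifest_arg "$2" bigip-partition)" ] \
    || { echo "--bigip-partition must match"; rc=1; }
  return $rc
}

# Reads `oc get deployment` output on stdin; 0 when every named deployment
# reports AVAILABLE >= 1. The column index is taken from the header row.
controllers_available() {
  awk -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "AVAILABLE") col = i; next }
    { for (i = 1; i <= n; i++) if ($1 == names[i]) avail[$1] = ($col + 0 >= 1) }
    END { for (i = 1; i <= n; i++) if (!avail[names[i]]) exit 1 }'
}

# ---- constructed sample input (abbreviated copies of the lab manifests) ----
SAMPLE_DIR=$(mktemp -d)
write_sample() {  # $1 file, $2 deployment name, $3 bigip-url
  cat > "$1" <<EOF
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: $2
  namespace: kube-system
spec:
  template:
    spec:
      containers:
      - name: k8s-bigip-ctlr
        args: [
          "--credentials-directory=/tmp/creds",
          "--bigip-url=$3",
          "--bigip-partition=ocp"
        ]
EOF
}
write_sample "$SAMPLE_DIR/bigip1-cc.yaml" bigip1-ctlr 10.3.10.60
write_sample "$SAMPLE_DIR/bigip2-cc.yaml" bigip2-ctlr 10.3.10.61

# Constructed `oc get deployment -n kube-system` listings: one with both
# controllers available, one where the second is still coming up.
LISTING_OK='NAME          DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
bigip1-ctlr   1         1         1            1           6m
bigip2-ctlr   1         1         1            1           6m'
LISTING_PENDING='NAME          DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
bigip1-ctlr   1         1         1            1           1m
bigip2-ctlr   1         1         1            0           1m'

# Usage against a real cluster:
#   check_controller_pair bigip1-cc.yaml bigip2-cc.yaml
#   oc get deployment -n kube-system | controllers_available bigip1-ctlr bigip2-ctlr
```

The pair check is worth running before `oc create`, since two Deployments that point at the same --bigip-url would both try to manage one device while the other device receives nothing; the availability check is the scripted form of the note above and exits non-zero until both controllers are up.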
You can also use the OpenShift web console (https://ose-master1:8443/) to view the BIG-IP Controller pods (login: centos, password: centos); go to the kube-system project.