Lab 1.3 - F5 Container Connector Setup

Take the steps below to deploy a controller for each BIG-IP device in the cluster.

Set up RBAC

The F5 BIG-IP Controller requires permission to monitor the status of the OpenShift cluster. The following steps create a “role” that allows it to access specific resources.

You can create RBAC resources in the project in which you will run your BIG-IP Controller. Each Controller that manages a device in a cluster or active-standby pair can use the same Service Account, Cluster Role, and Cluster Role Binding.

  1. Create bigip login secret

    oc create secret generic bigip-login -n kube-system --from-literal=username=admin --from-literal=password=admin
    
  2. Create a Service Account for the BIG-IP Controller.

    oc create serviceaccount bigip-ctlr -n kube-system
    
  3. Create a Cluster Role and Cluster Role Binding with the required permissions.

    Note

    The following file has already been created: f5-kctlr-openshift-clusterrole.yaml, located in /home/centos/agilitydocs/openshift/advanced/ocp on ose-master1.

    # For use in OpenShift clusters
    apiVersion: v1
    kind: ClusterRole
    metadata:
      annotations:
        authorization.openshift.io/system-only: "true"
      name: system:bigip-ctlr
    rules:
    - apiGroups: ["", "extensions"]
      resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "routes" ]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["", "extensions"]
      resources: ["configmaps", "events", "ingresses/status"]
      verbs: ["get", "list", "watch", "update", "create", "patch" ]
    - apiGroups: ["", "extensions"]
      resources: ["secrets"]
      resourceNames: ["<secret-containing-bigip-login>"]
      verbs: ["get", "list", "watch"]
    
    ---
    
    apiVersion: v1
    kind: ClusterRoleBinding
    metadata:
        name: bigip-ctlr-role
    userNames:
    - system:serviceaccount:kube-system:bigip-ctlr
    subjects:
    - kind: ServiceAccount
      name: bigip-ctlr
    roleRef:
      name: system:bigip-ctlr
    
    oc create -f f5-kctlr-openshift-clusterrole.yaml
    

Create & Verify CC Deployment

  1. Create an OpenShift Deployment for each Controller (one per BIG-IP device). You need to deploy a controller for both f5-bigip-node1 and f5-bigip-node2.

    • Provide a unique metadata.name for each Controller.
    • Provide a unique --bigip-url in each Deployment (each Controller manages a separate BIG-IP device).
    • Use the same --bigip-partition in all Deployments.

    bigip1-cc.yaml

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: bigip1-ctlr
      namespace: kube-system
    spec:
      replicas: 1
      template:
        metadata:
          name: k8s-bigip-ctlr1
          labels:
            app: k8s-bigip-ctlr1
        spec:
          serviceAccountName: bigip-ctlr
          containers:
            - name: k8s-bigip-ctlr
              image: "f5networks/k8s-bigip-ctlr:latest"
              command: ["/app/bin/k8s-bigip-ctlr"]
              args: [
                "--credentials-directory=/tmp/creds",
                "--bigip-url=10.3.10.60",
                "--bigip-partition=ocp",
                "--pool-member-type=cluster",
                "--manage-routes=true",
                "--node-poll-interval=5",
                "--verify-interval=5",
                "--namespace=demoproj",
                "--namespace=yelb",
                "--namespace=guestbook",
                "--namespace=f5demo",
                "--route-vserver-addr=10.3.10.120",
                "--route-http-vserver=ocp-vserver",
                "--route-https-vserver=ocp-https-vserver",
                "--openshift-sdn-name=/Common/ocp-tunnel"
              ]
              volumeMounts:
              - name: bigip-creds
                mountPath: "/tmp/creds"
                readOnly: true
          volumes:
          - name: bigip-creds
            secret:
              secretName: bigip-login
          imagePullSecrets:
            - name: f5-docker-images
    

    bigip2-cc.yaml

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: bigip2-ctlr
      namespace: kube-system
    spec:
      replicas: 1
      template:
        metadata:
          name: k8s-bigip-ctlr1
          labels:
            app: k8s-bigip-ctlr1
        spec:
          serviceAccountName: bigip-ctlr
          containers:
            - name: k8s-bigip-ctlr
              image: "f5networks/k8s-bigip-ctlr:latest"
              command: ["/app/bin/k8s-bigip-ctlr"]
              args: [
                "--credentials-directory=/tmp/creds",
                "--bigip-url=10.3.10.61",
                "--bigip-partition=ocp",
                "--pool-member-type=cluster",
                "--manage-routes=true",
                "--node-poll-interval=5",
                "--verify-interval=5",
                "--namespace=demoproj",
                "--namespace=yelb",
                "--namespace=guestbook",
                "--namespace=f5demo",
                "--route-vserver-addr=10.3.10.120",
                "--route-http-vserver=ocp-vserver",
                "--route-https-vserver=ocp-https-vserver",
                "--openshift-sdn-name=/Common/ocp-tunnel"
              ]
              volumeMounts:
              - name: bigip-creds
                mountPath: "/tmp/creds"
                readOnly: true
          volumes:
          - name: bigip-creds
            secret:
              secretName: bigip-login
          imagePullSecrets:
            - name: f5-docker-images
    
    oc create -f bigip1-cc.yaml
    oc create -f bigip2-cc.yaml
    
  2. Verify the deployment and pods that are created

    oc get deployment -n kube-system
    

    Note

    Check in your lab that both controllers show as AVAILABLE. If not, you won’t be able to do the lab. It may take up to 10 minutes for them to become available.

    oc get pods -n kube-system
    

    You can also use the web console in OpenShift (https://ose-master1:8443/) to view the BIG-IP Controller (login: centos, password: centos). Go to the kube-system project.

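A pre-flight check for the three requirements listed in step 1 of "Create & Verify CC Deployment", as an added example that is not part of the lab's files: it reads the manifests before `oc create` and fails on a duplicate metadata.name, a duplicate --bigip-url, or a differing --bigip-partition. The function names and the sample manifests are constructed for illustration, and the text matching assumes the layout used in bigip1-cc.yaml (one quoted flag per line in the args list).

```shell
# Added example (not from the lab): consistency check for the Controller manifests.
# Deployment metadata.name: the first "name:" key at two-space indent.
cc_name() { sed -n 's/^  name:[[:space:]]*//p' "$1" | head -n 1; }

# Value of one "--flag=value" entry in the container args list.
cc_arg() {
    sed -n "s/^[[:space:]]*\"--$2=\([^\"]*\)\",\{0,1\}[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Returns 0 only if every name and --bigip-url is unique and --bigip-partition is shared.
check_cc_manifests() {
    rc=0; names=; urls=; parts=
    for f in "$@"; do
        n=$(cc_name "$f"); u=$(cc_arg "$f" bigip-url); p=$(cc_arg "$f" bigip-partition)
        [ -n "$n" ] && [ -n "$u" ] && [ -n "$p" ] ||
            { echo "FAIL: $f lacks metadata.name, --bigip-url or --bigip-partition"; rc=1; }
        names="$names $n"; urls="$urls $u"; parts="$parts $p"
    done
    # The lists are left unquoted on purpose: one value per word.
    dup=$(printf '%s\n' $names | sort | uniq -d)
    [ -z "$dup" ] || { echo "FAIL: duplicate metadata.name: $dup"; rc=1; }
    dup=$(printf '%s\n' $urls | sort | uniq -d)
    [ -z "$dup" ] || { echo "FAIL: duplicate --bigip-url: $dup"; rc=1; }
    distinct=$(printf '%s\n' $parts | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -eq 1 ] || { echo "FAIL: --bigip-partition differs between files"; rc=1; }
    return $rc
}

# Constructed sample: only the manifest fields the check reads.
write_sample() {  # write_sample FILE NAME BIGIP_URL PARTITION
    cat > "$1" <<EOF
metadata:
  name: $2
spec:
  template:
    spec:
      containers:
        - name: k8s-bigip-ctlr
          args: [
            "--bigip-url=$3",
            "--bigip-partition=$4"
          ]
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/bigip1-cc.yaml" bigip1-ctlr 10.3.10.60 ocp
write_sample "$tmp/bigip2-cc.yaml" bigip2-ctlr 10.3.10.61 ocp
check_cc_manifests "$tmp/bigip1-cc.yaml" "$tmp/bigip2-cc.yaml" && echo "OK: manifests are consistent"
rm -rf "$tmp"
```

In the lab, the same function can be pointed at the real bigip1-cc.yaml and bigip2-cc.yaml before running `oc create -f`.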