F5 Solutions for Containers


Lab 4.1 - Configure F5 IngressLink with Kubernetes

BIG-IP Setup

When we configure CIS below, NGINX needs the PROXY protocol in order to provide the application pod with the original client IP. BIG-IP passes the original client IP to NGINX via the PROXY protocol, and NGINX passes the client IP to the application pod in the X-Real-IP HTTP header. The following iRule provides the necessary PROXY protocol header with the IP information.

  1. Log in to the BIG-IP GUI.

  2. On the Main tab go to Local Traffic ‣ iRules

  3. Click Create.

  4. In the Name field, type “Proxy_Protocol_iRule”.

    Important

    Be sure to use the name as shown. The IngressLink Resource will reference that specific name.

  5. In the Definition field, copy the following definition:

    Proxy_Protocol_iRule
    # PROXY Protocol Receiver iRule
    # iRule used for F5 IngressLink
    # Layer 4 irule since BIG-IP is passthrough
    
    when CLIENT_ACCEPTED {
        set proxyheader "PROXY "
        if {[IP::version] eq 4} {
            append proxyheader "TCP4 "
        } else {
            append proxyheader "TCP6 "
        }
        append proxyheader "[IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
    }
    
    when SERVER_CONNECTED {
        TCP::respond $proxyheader
    }
    
  6. Click Finished

Configure CIS

On the jumphost open a terminal and start an SSH session with kube-master1.

Note

You should already have an open SSH session with kube-master1 from the previous module. If not, follow the instructions below.

  1. Change to the default working directory with all the yaml files

    cd ~/agilitydocs/docs/class1/kubernetes/
    
  2. Ensure the previously deployed “CIS ClusterIP deployment” is deleted

    kubectl delete -f cluster-deployment.yaml
    

    Attention

    This was most likely done in a previous step but we need to ensure the previous deployment is removed. It does not hurt to run the command again so do so now.

  3. Create the CIS IngressLink custom resource definition. The schema is used to validate the JSON data during creation and updates, which helps prevent invalid data and, moreover, malicious attacks.

    kubectl create -f ingresslink/ingresslink-customresourcedefinition.yaml
    
  4. Create a service for the Ingress Controller pods for ports 80 and 443

    kubectl create -f ingresslink/nginx-service.yaml
    
  5. Verify the service

    kubectl describe svc nginx-ingress-ingresslink -n nginx-ingress
    
  6. The default NGINX config needs to be updated with proxy-protocol. This is necessary for IngressLink to operate properly.

    Note

    BIG-IP will pass the original client IP to NGINX via the PROXY protocol, and NGINX will pass the client IP to the application pod via the X-Real-IP HTTP header.

    nginx-config.yaml
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: nginx-config
      namespace: nginx-ingress
    data:
      proxy-protocol: "True"
      real-ip-header: "proxy_protocol"
      set-real-ip-from: "0.0.0.0/0"
    
  7. Apply the config changes to nginx ingress

    kubectl apply -f ingresslink/nginx-config.yaml
    

    Hint

    The use of “apply” allows us to modify an already running object.

  8. Inspect the deployment yaml

    Note

    To enable IngressLink you’ll notice two additional “args”

    "--custom-resource-mode=true",
    "--ingress-link-mode=true",
    

    You’ll see this difference in the deployment file

    ingresslink-deployment.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: k8s-bigip-ctlr
      namespace: kube-system
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: k8s-bigip-ctlr
      template:
        metadata:
          name: k8s-bigip-ctlr
          labels:
            app: k8s-bigip-ctlr
        spec:
          serviceAccountName: k8s-bigip-ctlr
          containers:
            - name: k8s-bigip-ctlr
              image: "f5networks/k8s-bigip-ctlr:2.4.1"
              imagePullPolicy: IfNotPresent
              env:
                - name: BIGIP_USERNAME
                  valueFrom:
                    secretKeyRef:
                      name: bigip-login
                      key: username
                - name: BIGIP_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: bigip-login
                      key: password
              command: ["/app/bin/k8s-bigip-ctlr"]
              args: [
                "--bigip-username=$(BIGIP_USERNAME)",
                "--bigip-password=$(BIGIP_PASSWORD)",
                "--bigip-url=https://10.1.1.4:8443",
                "--insecure=true",
                "--custom-resource-mode=true",
                "--bigip-partition=kubernetes",
                "--pool-member-type=cluster",
                "--flannel-name=/Common/fl-tunnel"
              ]
    
  9. Create the CIS deployment

    kubectl create -f ingresslink/ingresslink-deployment.yaml
    
  10. Verify the new CIS pod is “Running”

    kubectl get pods -A
    

    You should see something similar to the following. Verify that a new pod named “k8s-bigip-ctlr…” has started.

    ../../_images/k8s-ingresslink.png

    Hint

    Note the use of “-A” for all namespaces in the kubectl command.
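
The PROXY protocol hand-off configured in this section, as an added example that is not part of the lab files or F5's code: it builds the v1 header the way Proxy_Protocol_iRule does, parses it as a receiver would, and models why the lab's set-real-ip-from value of "0.0.0.0/0" accepts a claimed client address from any peer while a range limited to BIG-IP does not. Every address except 10.1.1.4 is constructed, and effective_client_ip is a simplified model of NGINX's real-IP handling, not its implementation.

```python
import ipaddress

def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Build the v1 header the iRule sends: PROXY TCP4|TCP6 src dst sport dport CRLF."""
    family = "TCP4" if ipaddress.ip_address(src_ip).version == 4 else "TCP6"
    return f"PROXY {family} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")

def parse_proxy_v1(data):
    """Return (client_ip, client_port, payload); raise ValueError if malformed."""
    end = data.find(b"\r\n", 0, 107)  # a v1 header is at most 107 bytes with CRLF
    if end == -1:
        raise ValueError("missing PROXY v1 header terminator")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match header")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, data[end + 2:]

def effective_client_ip(peer_ip, data, trusted_cidrs):
    """Simplified model of set-real-ip-from: accept the claimed address only
    when the TCP peer that sent the header is inside a trusted range."""
    claimed, _, _ = parse_proxy_v1(data)
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(c) for c in trusted_cidrs)
    return claimed if trusted else peer_ip

# Constructed sample values; only the 10.1.1.4 virtual address is from the lab.
BIGIP_SELF_IP = "192.0.2.10"      # assumed BIG-IP source address toward NGINX
OTHER_PEER = "10.244.1.23"        # assumed in-cluster peer that is not BIG-IP
FROM_BIGIP = build_proxy_v1("203.0.113.7", "10.1.1.4", 51234, 443)
FROM_OTHER = build_proxy_v1("198.51.100.99", "10.1.1.4", 40000, 443)

if __name__ == "__main__":
    for cidrs in (["0.0.0.0/0"], [BIGIP_SELF_IP + "/32"]):
        print(cidrs,
              effective_client_ip(BIGIP_SELF_IP, FROM_BIGIP, cidrs),
              effective_client_ip(OTHER_PEER, FROM_OTHER, cidrs))
```

With the lab's 0.0.0.0/0 the second peer's claimed address is accepted as the client IP; with the /32 range the result falls back to that peer's own address.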

Create an IngressLink Resource

  1. Inspect the IngressLink resource

    Attention

    Ensure the IP address in the IngressLink resource matches the required IP. In this lab we’re using 10.1.1.4 as the virtual IP. This IP address will be used to configure the BIG-IP device to load balance the Ingress Controller resources.

    vs-ingresslink.yaml
    apiVersion: "cis.f5.com/v1"
    kind: IngressLink
    metadata:
      name: vs-ingresslink
      namespace: nginx-ingress
    spec:
      virtualServerAddress: "10.1.1.4"
      iRules:
        - /Common/Proxy_Protocol_iRule
      selector:
        matchLabels:
          app: nginx-ingress
    

    Important

    The name of the app label selector in the IngressLink resource should match the labels of the nginx-ingress service created in module 3 where we deployed NGINX.

  2. Create the IngressLink

    kubectl create -f ingresslink/vs-ingresslink.yaml
    
  3. To validate the IngressLink deployment, we’ll verify that the pool member created on BIG-IP consists of one IP and that it matches the NGINX ingress controller. To find the IP, run the following command and take note of the Endpoint IP.

    kubectl describe svc nginx-ingress-ingresslink -n nginx-ingress
    
    ../../_images/nginx-ingresslink-svc.png

    Note

    Your Endpoint/IP will most likely be different.

  4. Switch back to the jumpbox and start Firefox. Open the BIG-IP management console.

    Warning

    Don’t forget to select the “kubernetes” partition or you’ll see nothing.

    Go to: Local Traffic ‣ Virtual Servers

    Here you can see that two new Virtual Servers, “ingress_link_crd_10.1.1.4_80” and “ingress_link_crd_10.1.1.4_443”, were created in partition “kubernetes”.

    ../../_images/ingress-link-vs.png
  5. Check the Pools to see a new pool and the associated pool members.

    Go to: Local Traffic ‣ Pools and select either of the “nginx_ingress_nginx_ingress_ingresslink” pool objects. Both have the same pool member but are running on different ports. Click the Members tab.

    ../../_images/ingress-link-pool.png

    Note

    You can see that the pool member listed is the same Endpoint/IP discovered in the earlier step above.
