F5 Solutions for Containers > Class 1: Kubernetes with F5 Container Ingress Service > Module 4: Using F5 IngressLink
Lab 4.1 - Configure F5 IngressLink with Kubernetes
BIG-IP Setup
When we configure CIS below, NGINX requires PROXY protocol to learn the original client IP for the application pod. BIG-IP passes the original client IP to NGINX via PROXY protocol, and NGINX passes it on to the application pod in the X-Real-IP HTTP header. The following iRule builds the PROXY protocol header from the connection's addressing information.
Log in to the BIG-IP GUI
On the Main tab go to
Click Create.
In the Name field, type “Proxy_Protocol_iRule”.
Important
Be sure to use the name as shown. The IngressLink Resource will reference that specific name.
In the Definition field, paste the following definition:
Proxy_Protocol_iRule

```tcl
# PROXY Protocol Receiver iRule
# iRule used for F5 IngressLink
# Layer 4 iRule since BIG-IP is passthrough
when CLIENT_ACCEPTED {
    set proxyheader "PROXY "
    if {[IP::version] eq 4} {
        append proxyheader "TCP4 "
    } else {
        append proxyheader "TCP6 "
    }
    append proxyheader "[IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}
```
Click Finished
Configure CIS
On the jumphost open a terminal and start an SSH session with kube-master1.
Note
You should already have an open SSH session with kube-master1 from the previous module. If not, follow the instructions below.
Change to the default working directory with all the yaml files
cd ~/agilitydocs/docs/class1/kubernetes/
Ensure the previously deployed “CIS ClusterIP deployment” is deleted
kubectl delete -f cluster-deployment.yaml
Attention
This was most likely done in a previous step but we need to ensure the previous deployment is removed. It does not hurt to run the command again so do so now.
Create the CIS IngressLink custom resource definition. Its schema validates the resource's JSON data on creation and on every update, so the API server rejects invalid data and, more importantly, malicious input before CIS ever sees it.
kubectl create -f ingresslink/ingresslink-customresourcedefinition.yaml
Create a service for the Ingress Controller pods for ports 80 and 443
kubectl create -f ingresslink/nginx-service.yaml
Verify the service
kubectl describe svc nginx-ingress-ingresslink -n nginx-ingress
The default NGINX config needs to be updated with proxy-protocol. This is necessary for IngressLink to operate properly.
Note
BIG-IP will pass the original client IP to NGINX via PROXY protocol, and NGINX will pass the client IP to the application pod via the X-Real-IP HTTP header.
nginx-config.yaml

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  proxy-protocol: "True"
  real-ip-header: "proxy_protocol"
  set-real-ip-from: "0.0.0.0/0"
```
Apply the config changes to nginx ingress
kubectl apply -f ingresslink/nginx-config.yaml
Hint
The use of “apply” allows us to modify an already running object.
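What the iRule above emits and what NGINX has to do with it, shown as an added example in Python (this is not lab, F5 or NGINX code): a PROXY protocol v1 builder that mirrors the iRule, a validating parser of the kind a receiver needs, and the trust decision that `set-real-ip-from` controls. The ConfigMap's `0.0.0.0/0` makes NGINX honour a PROXY header from any peer that can reach its listener, so anything that can open a TCP connection to NGINX can assert an arbitrary client IP; the `TRUSTED_PROXIES` range (10.1.1.0/24) below is an assumption standing in for the BIG-IP self IPs that actually front NGINX.

```python
"""Build, parse and trust-check PROXY protocol v1 headers (added example, not lab code)."""
import ipaddress

# Assumption for this example: BIG-IP reaches NGINX from this range. The lab's ConfigMap
# uses set-real-ip-from: "0.0.0.0/0", which would make every peer trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.0/24")]
MAX_V1_HEADER = 107  # longest legal v1 line including CRLF, per the PROXY protocol spec


def build_proxy_v1(client_ip, proxy_ip, client_port, proxy_port):
    """Assemble the same line the iRule sends: 'PROXY TCP4 <src> <dst> <sport> <dport>' + CRLF."""
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(proxy_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {client_port} {proxy_port}\r\n".encode("ascii")


def parse_proxy_v1(data):
    """Parse a v1 header from the start of a stream.

    Returns (fields, remaining_bytes). Raises ValueError for anything that is not a
    well-formed header, so a receiver never guesses on malformed input.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a v1 header")
    line, rest = data[:end], data[end + 2:]
    try:
        tokens = line.decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII byte in header") from exc
    if tokens[0] != "PROXY" or len(tokens) < 2:
        raise ValueError("missing PROXY signature")
    if tokens[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, rest  # proxy could not determine the client
    if len(tokens) != 6 or "" in tokens:
        raise ValueError("expected exactly six single-space separated fields")
    _, family, src, dst, sport, dport = tokens
    want_version = {"TCP4": 4, "TCP6": 6}.get(family)
    if want_version is None:
        raise ValueError(f"unsupported family {family!r}")
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError as exc:
        raise ValueError("malformed address") from exc
    if src_ip.version != want_version or dst_ip.version != want_version:
        raise ValueError("address family does not match declared protocol")
    ports = []
    for p in (sport, dport):
        # decimal, 0..65535, no leading zeros
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ValueError(f"bad port {p!r}")
        ports.append(int(p))
    fields = {"family": family, "src": str(src_ip), "dst": str(dst_ip),
              "src_port": ports[0], "dst_port": ports[1]}
    return fields, rest


def is_malformed(data):
    """True when parse_proxy_v1 rejects the input (helper for checks and tests)."""
    try:
        parse_proxy_v1(data)
    except ValueError:
        return True
    return False


def effective_client_ip(peer_ip, data):
    """The client IP NGINX should report: the header's source only if the peer is trusted.

    Mirrors the real-ip logic: the header is always consumed on a proxy_protocol listener,
    but it only overrides the TCP peer address when the peer is inside set-real-ip-from.
    """
    fields, rest = parse_proxy_v1(data)
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in net for net in TRUSTED_PROXIES)
    if trusted and fields["family"] != "UNKNOWN":
        return fields["src"], rest
    return str(peer), rest


if __name__ == "__main__":
    header = build_proxy_v1("203.0.113.7", "10.1.1.4", 51234, 80)
    payload = header + b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    print(effective_client_ip("10.1.1.4", payload)[0])   # trusted peer -> 203.0.113.7
    print(effective_client_ip("192.0.2.9", payload)[0])  # untrusted peer -> 192.0.2.9
```

The second `print` is the case `0.0.0.0/0` removes: with an untrusted peer the asserted source is ignored and the real TCP peer address is logged instead. Narrowing `set-real-ip-from` to the BIG-IP self IPs gives the same effect in the real deployment.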
Inspect the deployment yaml
Note
To enable IngressLink you’ll notice two additional “args”:

```
"--custom-resource-mode=true", "--ingress-link-mode=true",
```

You’ll see this difference in the deployment file
ingresslink-deployment.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: k8s-bigip-ctlr
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      serviceAccountName: k8s-bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:2.4.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            "--bigip-url=https://10.1.1.4:8443",
            "--insecure=true",
            "--custom-resource-mode=true",
            "--bigip-partition=kubernetes",
            "--pool-member-type=cluster",
            "--flannel-name=/Common/fl-tunnel"
          ]
```
Create the CIS deployment
kubectl create -f ingresslink/ingresslink-deployment.yaml
Verify the new CIS pod is “Running”
kubectl get pods -A
You should see something similar to the following. Verify a new pod named “k8s-bigip-ctlr…” has started.
Hint
Note the use of “-A” for all namespaces in the kubectl command.
Create an IngressLink Resource
Inspect the IngressLink resource
Attention
Ensure the IP ADDR in the IngressLink resource matches the required IP. In this lab we’re using 10.1.1.4 as the virtual IP. This IP ADDR will be used to configure the BIG-IP device to load balance the Ingress Controller resources.
vs-ingresslink.yaml

```yaml
apiVersion: "cis.f5.com/v1"
kind: IngressLink
metadata:
  name: vs-ingresslink
  namespace: nginx-ingress
spec:
  virtualServerAddress: "10.1.1.4"
  iRules:
    - /Common/Proxy_Protocol_iRule
  selector:
    matchLabels:
      app: nginx-ingress
```
Important
The name of the app label selector in the IngressLink resource should match the labels of the nginx-ingress service created in module 3 where we deployed NGINX.
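The two warnings above (the VIP must be the intended address, the selector must match the service's labels) are easy to get wrong silently, because a mismatch just yields a virtual server with no pool members. The following added example (not lab or CIS code) is a pre-flight check in Python that takes the IngressLink and Service manifests as already-parsed dictionaries, constructed here in the shape of the lab's vs-ingresslink.yaml and nginx-service.yaml, and reports every inconsistency it finds. The namespace rule (CIS matches the selector against services in the IngressLink's own namespace) and the `BAD_INGRESSLINK` variant are assumptions made for the example.

```python
"""Pre-flight consistency check for an IngressLink and the NGINX service it selects (added example)."""
import ipaddress

# Constructed: the lab's vs-ingresslink.yaml as a parsed dictionary.
INGRESSLINK = {
    "apiVersion": "cis.f5.com/v1", "kind": "IngressLink",
    "metadata": {"name": "vs-ingresslink", "namespace": "nginx-ingress"},
    "spec": {"virtualServerAddress": "10.1.1.4",
             "iRules": ["/Common/Proxy_Protocol_iRule"],
             "selector": {"matchLabels": {"app": "nginx-ingress"}}},
}

# Constructed: a service shaped like the lab's nginx-service.yaml (ports 80 and 443).
NGINX_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "nginx-ingress-ingresslink", "namespace": "nginx-ingress",
                 "labels": {"app": "nginx-ingress"}},
    "spec": {"selector": {"app": "nginx-ingress"},
             "ports": [{"name": "http", "port": 80, "targetPort": 80},
                       {"name": "https", "port": 443, "targetPort": 443}]},
}

# Constructed "bad" variant: wrong VIP and a typo in the selector label value.
BAD_INGRESSLINK = {
    "apiVersion": "cis.f5.com/v1", "kind": "IngressLink",
    "metadata": {"name": "vs-ingresslink", "namespace": "nginx-ingress"},
    "spec": {"virtualServerAddress": "10.1.1.40",
             "iRules": ["/Common/Proxy_Protocol_iRule"],
             "selector": {"matchLabels": {"app": "nginx-ingres"}}},
}


def check_ingresslink(link, service, expected_vip,
                      required_irules=("/Common/Proxy_Protocol_iRule",)):
    """Return a list of human-readable problems; an empty list means the pair is consistent."""
    problems = []
    spec = link.get("spec", {})

    # 1. The VIP must be a real, usable address and the one we intend BIG-IP to listen on.
    vip = spec.get("virtualServerAddress")
    try:
        addr = ipaddress.ip_address(vip)
    except ValueError:
        problems.append(f"virtualServerAddress {vip!r} is not an IP address")
    else:
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
            problems.append(f"virtualServerAddress {vip} cannot be a virtual server address")
        if str(addr) != expected_vip:
            problems.append(f"virtualServerAddress {vip} != expected VIP {expected_vip}")

    # 2. Assumption: the selector is only evaluated against services in the same namespace.
    if link["metadata"].get("namespace") != service["metadata"].get("namespace"):
        problems.append("IngressLink and service are in different namespaces")

    # 3. Every matchLabels pair must be present on the service with the same value.
    match = spec.get("selector", {}).get("matchLabels", {})
    if not match:
        problems.append("selector.matchLabels is empty")
    labels = service["metadata"].get("labels", {})
    for key, value in match.items():
        if labels.get(key) != value:
            problems.append(f"matchLabels {key}={value!r} does not match "
                            f"service label {key}={labels.get(key)!r}")

    # 4. The PROXY protocol iRule must be attached by its full partition path.
    for rule in required_irules:
        if rule not in spec.get("iRules", []):
            problems.append(f"iRule {rule} not referenced")

    # 5. IngressLink builds virtual servers on 80 and 443, so the service must expose both.
    ports = {p.get("port") for p in service.get("spec", {}).get("ports", [])}
    for want in (80, 443):
        if want not in ports:
            problems.append(f"service does not expose port {want}")
    return problems


if __name__ == "__main__":
    for name, link in (("good", INGRESSLINK), ("bad", BAD_INGRESSLINK)):
        print(name, check_ingresslink(link, NGINX_SERVICE, "10.1.1.4") or "OK")
```

In a real cluster the two dictionaries come from `kubectl get ingresslink vs-ingresslink -n nginx-ingress -o json` and `kubectl get svc nginx-ingress-ingresslink -n nginx-ingress -o json`; the check itself does not change.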
Create the IngressLink
kubectl create -f ingresslink/vs-ingresslink.yaml
To validate the IngressLink deployment we’ll verify that the pool created on BIG-IP consists of one member and that it matches the NGINX Ingress Controller endpoint. To find the IP, run the following command and take note of the Endpoint IP.
kubectl describe svc nginx-ingress-ingresslink -n nginx-ingress
Note
Your Endpoint/IP will most likely be different.
Switch back to the jumpbox and start Firefox. Open the BIGIP mgmt console.
Warning
Don’t forget to select the “kubernetes” partition or you’ll see nothing.
GoTo:
Here you can see that two new Virtual Servers, “ingress_link_crd_10.1.1.4_80” and “ingress_link_crd_10.1.1.4_443”, were created in partition “kubernetes”.
Check the Pools to see a new pool and the associated pool members.
GoTo:
and select either of the “nginx_ingress_nginx_ingress_ingresslink” pool objects. Both have the same pool member but are running on different ports. Click the Members tab.
Note
You can see that the pool member listed is the same Endpoint/IP discovered in the earlier step above.
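The same endpoint-versus-pool-member comparison, done programmatically as an added example (not lab, CIS or F5 code) so it can run as a post-deployment check instead of a GUI inspection. Both inputs are constructed samples: an Endpoints object in the shape `kubectl get endpoints nginx-ingress-ingresslink -n nginx-ingress -o json` prints, and a pool members collection in the shape iControl REST returns from `GET /mgmt/tm/ltm/pool/~kubernetes~<pool>/members`. The endpoint IP 10.244.1.5, the pool name suffix and the member `state` field are assumptions for the example.

```python
"""Compare Kubernetes endpoints with BIG-IP pool members (added example, not lab code)."""
import json

# Constructed sample of `kubectl get endpoints nginx-ingress-ingresslink -n nginx-ingress -o json`.
ENDPOINTS_JSON = """{
  "kind": "Endpoints",
  "metadata": {"name": "nginx-ingress-ingresslink", "namespace": "nginx-ingress"},
  "subsets": [{
    "addresses": [{"ip": "10.244.1.5"}],
    "ports": [{"name": "http", "port": 80}, {"name": "https", "port": 443}]
  }]
}"""

# Constructed sample of an iControl REST members collection for the port-80 pool.
POOL_80_JSON = """{
  "kind": "tm:ltm:pool:members:memberscollectionstate",
  "items": [{"name": "10.244.1.5:80", "address": "10.244.1.5", "state": "up"}]
}"""

# Constructed: a pool still pointing at a pod IP that no longer backs the service.
STALE_POOL_80_JSON = """{
  "kind": "tm:ltm:pool:members:memberscollectionstate",
  "items": [{"name": "10.244.1.9:80", "address": "10.244.1.9", "state": "up"}]
}"""

# Assumption: the exact per-port suffix CIS appends to the pool name.
POOL_80_NAME = "nginx_ingress_nginx_ingress_ingresslink_80"


def pool_members_url(bigip_url, partition, pool):
    """iControl REST path for a pool's members; '/' in the object path is written as '~'."""
    return f"{bigip_url}/mgmt/tm/ltm/pool/~{partition}~{pool}/members"


def endpoint_targets(endpoints_json):
    """Every (ip, port) pair Kubernetes currently lists as ready for the service."""
    doc = json.loads(endpoints_json)
    targets = set()
    for subset in doc.get("subsets", []):
        for addr in subset.get("addresses", []):
            for port in subset.get("ports", []):
                targets.add((addr["ip"], port["port"]))
    return targets


def pool_member_targets(pool_json):
    """Every (ip, port) pair in the pool.

    BIG-IP names IPv4 members 'ip:port' and IPv6 members 'ip.port'; a route-domain
    suffix ('%n') may follow the address and is dropped here.
    """
    doc = json.loads(pool_json)
    targets = set()
    for item in doc.get("items", []):
        address = item["address"].split("%")[0]
        sep = "." if ":" in address else ":"
        port = int(item["name"].rsplit(sep, 1)[1])
        targets.add((address, port))
    return targets


def compare_pool(endpoints_json, pool_json, port):
    """Diff the endpoints for one service port against the pool that should carry them."""
    expected = {t for t in endpoint_targets(endpoints_json) if t[1] == port}
    actual = pool_member_targets(pool_json)
    return {"missing_on_bigip": expected - actual, "stale_on_bigip": actual - expected}


if __name__ == "__main__":
    # Live use: fetch POOL_80_JSON from pool_members_url("https://10.1.1.4:8443", "kubernetes", POOL_80_NAME)
    # with the bigip-login credentials, and ENDPOINTS_JSON from kubectl; then:
    print(compare_pool(ENDPOINTS_JSON, POOL_80_JSON, 80))        # both sets empty: in sync
    print(compare_pool(ENDPOINTS_JSON, STALE_POOL_80_JSON, 80))  # missing 10.244.1.5, stale 10.244.1.9
```

A non-empty `stale_on_bigip` set is the condition worth alerting on: BIG-IP would still forward client traffic to an address that Kubernetes no longer associates with the Ingress Controller.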