Lab 1.3 - F5 Container Connector Setup

Take the steps below to deploy a controller for each BIG-IP device in the cluster.

Set up RBAC

The F5 BIG-IP Controller requires permission to monitor the status of the OpenShift cluster. The following steps create a “role” that allows it to access specific resources.

You can create RBAC resources in the project in which you will run your BIG-IP Controller. Each Controller that manages a device in a cluster or active-standby pair can use the same Service Account, Cluster Role, and Cluster Role Binding.

  1. Create bigip login secret

    oc create secret generic bigip-login -n kube-system --from-literal=username=admin --from-literal=password=admin
    
  2. Create a Service Account for the BIG-IP Controller.

    oc create serviceaccount bigip-ctlr -n kube-system
    
  3. Create a Cluster Role and Cluster Role Binding with the required permissions.

    Note

    The following file, f5-kctlr-openshift-clusterrole.yaml, has already been created. It is located in /home/centos/agilitydocs/openshift/advanced/ocp on ose-master1.

    # For use in OpenShift clusters
    apiVersion: v1
    kind: ClusterRole
    metadata:
      annotations:
        authorization.openshift.io/system-only: "true"
      name: system:bigip-ctlr
    rules:
    - apiGroups: ["", "extensions"]
      resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "routes" ]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["", "extensions"]
      resources: ["configmaps", "events", "ingresses/status"]
      verbs: ["get", "list", "watch", "update", "create", "patch" ]
    - apiGroups: ["", "extensions"]
      resources: ["secrets"]
      resourceNames: ["<secret-containing-bigip-login>"]
      verbs: ["get", "list", "watch"]

    ---

    apiVersion: v1
    kind: ClusterRoleBinding
    metadata:
        name: bigip-ctlr-role
    userNames:
    - system:serviceaccount:kube-system:bigip-ctlr
    subjects:
    - kind: ServiceAccount
      name: bigip-ctlr
    roleRef:
      name: system:bigip-ctlr
    
    oc create -f f5-kctlr-openshift-clusterrole.yaml
    

Create & Verify CC Deployment

  1. Create an OpenShift Deployment for each Controller (one per BIG-IP device). You need to deploy a controller for both f5-bigip-node1 and f5-bigip-node2.

    • Provide a unique metadata.name for each Controller.
    • Provide a unique --bigip-url in each Deployment (each Controller manages a separate BIG-IP device).
    • Use the same --bigip-partition in all Deployments.

    bigip1-cc.yaml

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: bigip1-ctlr
      namespace: kube-system
    spec:
      replicas: 1
      template:
        metadata:
          name: k8s-bigip-ctlr1
          labels:
            app: k8s-bigip-ctlr1
        spec:
          serviceAccountName: bigip-ctlr
          containers:
            - name: k8s-bigip-ctlr
              image: "f5networks/k8s-bigip-ctlr:latest"
              command: ["/app/bin/k8s-bigip-ctlr"]
              args: [
                "--credentials-directory=/tmp/creds",
                "--bigip-url=10.3.10.60",
                "--bigip-partition=ocp",
                "--pool-member-type=cluster",
                "--manage-routes=true",
                "--node-poll-interval=5",
                "--verify-interval=5",
                "--namespace=demoproj",
                "--namespace=yelb",
                "--namespace=guestbook",
                "--namespace=f5demo",
                "--route-vserver-addr=10.3.10.120",
                "--route-http-vserver=ocp-vserver",
                "--route-https-vserver=ocp-https-vserver",
                "--openshift-sdn-name=/Common/ocp-tunnel"
              ]
              volumeMounts:
              - name: bigip-creds
                mountPath: "/tmp/creds"
                readOnly: true
          volumes:
          - name: bigip-creds
            secret:
              secretName: bigip-login
          imagePullSecrets:
            - name: f5-docker-images
    

    bigip2-cc.yaml

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: bigip2-ctlr
      namespace: kube-system
    spec:
      replicas: 1
      template:
        metadata:
          name: k8s-bigip-ctlr1
          labels:
            app: k8s-bigip-ctlr1
        spec:
          serviceAccountName: bigip-ctlr
          containers:
            - name: k8s-bigip-ctlr
              image: "f5networks/k8s-bigip-ctlr:latest"
              command: ["/app/bin/k8s-bigip-ctlr"]
              args: [
                "--credentials-directory=/tmp/creds",
                "--bigip-url=10.3.10.61",
                "--bigip-partition=ocp",
                "--pool-member-type=cluster",
                "--manage-routes=true",
                "--node-poll-interval=5",
                "--verify-interval=5",
                "--namespace=demoproj",
                "--namespace=yelb",
                "--namespace=guestbook",
                "--namespace=f5demo",
                "--route-vserver-addr=10.3.10.120",
                "--route-http-vserver=ocp-vserver",
                "--route-https-vserver=ocp-https-vserver",
                "--openshift-sdn-name=/Common/ocp-tunnel"
              ]
              volumeMounts:
              - name: bigip-creds
                mountPath: "/tmp/creds"
                readOnly: true
          volumes:
          - name: bigip-creds
            secret:
              secretName: bigip-login
          imagePullSecrets:
            - name: f5-docker-images
    
    oc create -f bigip1-cc.yaml
    oc create -f bigip2-cc.yaml
    
  2. Verify the deployment and pods that are created

    oc get deployment -n kube-system
    

    Note

    Check in your lab that both of your controllers show as AVAILABLE. If not, you won’t be able to do the lab. It may take up to 10 minutes for them to become available.

    oc get pods -n kube-system
    

    You can also use the web console in OpenShift (https://ose-master1:8443/) to view the bigip controller (login: centos, password: centos). Go to the kube-system project.
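
The three rules from step 1 (unique metadata.name, unique --bigip-url, shared --bigip-partition) can be checked on the manifest files before running oc create. This is an added example, not part of the original lab or of F5's tooling. The function names (cc_arg, cc_name, cc_count, check_cc_manifests, write_sample) are hypothetical, and the sample manifests are constructed, trimmed copies of the ones above.

```shell
# Text-based lint; assumes this page's layout: one Deployment per file, one quoted arg per line.
# Print the value of a "--flag=value" controller argument from a manifest.
cc_arg() {  # usage: cc_arg <flag> <file>
  sed -n "s/^[[:space:]]*\"--$1=\([^\"]*\)\".*/\1/p" "$2"
}

# Print the Deployment's metadata.name (the only two-space-indented name: key).
cc_name() { sed -n 's/^  name:[[:space:]]*//p' "$1" | head -n 1; }
cc_count() { printf '%s\n' "$1" | grep -c . ; }  # count non-empty lines

# Return 0 only if names and --bigip-url values are unique across all files and
# every file carries the same --bigip-partition. Prints one line per problem.
check_cc_manifests() {
  cc_rc=0
  cc_names=$(for f in "$@"; do cc_name "$f"; done)
  cc_urls=$(for f in "$@"; do cc_arg bigip-url "$f"; done)
  cc_parts=$(for f in "$@"; do cc_arg bigip-partition "$f"; done)
  [ -z "$(printf '%s\n' "$cc_names" | sort | uniq -d)" ] || { echo "duplicate metadata.name"; cc_rc=1; }
  [ -z "$(printf '%s\n' "$cc_urls" | sort | uniq -d)" ] || { echo "duplicate --bigip-url"; cc_rc=1; }
  [ "$(cc_count "$cc_urls")" -eq "$#" ] || { echo "missing --bigip-url"; cc_rc=1; }
  [ "$(cc_count "$cc_parts")" -eq "$#" ] || { echo "missing --bigip-partition"; cc_rc=1; }
  [ "$(printf '%s\n' "$cc_parts" | sort -u | grep -c .)" -le 1 ] || { echo "--bigip-partition differs"; cc_rc=1; }
  return "$cc_rc"
}

# Constructed sample: a trimmed manifest holding only the fields being checked.
write_sample() {  # usage: write_sample <file> <name> <bigip-url> <partition>
  cat > "$1" <<EOF
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: $2
spec:
  template:
    spec:
      containers:
        - name: k8s-bigip-ctlr
          args: [
            "--bigip-url=$3",
            "--bigip-partition=$4"
          ]
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir/bigip1-cc.yaml" bigip1-ctlr 10.3.10.60 ocp
write_sample "$demo_dir/bigip2-cc.yaml" bigip2-ctlr 10.3.10.61 ocp
check_cc_manifests "$demo_dir"/bigip*-cc.yaml && echo "manifests OK"
rm -rf "$demo_dir"
```

In the lab, run check_cc_manifests bigip1-cc.yaml bigip2-cc.yaml in the directory holding the two files; a non-zero exit status means at least one rule is violated.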
