Lab 1.3 - F5 Container Connector Setup
Take the steps below to deploy a controller for each BIG-IP device in the cluster.
Set up RBAC
The F5 BIG-IP Controller requires permission to monitor the status of the OpenShift cluster. The following steps create a "role" that allows it to access specific resources.
You can create RBAC resources in the project in which you will run your BIG-IP Controller. Each Controller that manages a device in a cluster or active-standby pair can use the same Service Account, Cluster Role, and Cluster Role Binding.
Create the BIG-IP login secret.
oc create secret generic bigip-login -n kube-system --from-literal=username=admin --from-literal=password=admin
Create a Service Account for the BIG-IP Controller.
oc create serviceaccount bigip-ctlr -n kube-system
Create a Cluster Role and Cluster Role Binding with the required permissions.
Note
The file f5-kctlr-openshift-clusterrole.yaml has already been created. It is located in /home/centos/agilitydocs/openshift/advanced/ocp on ose-master1.
# For use in OpenShift clusters
apiVersion: v1
kind: ClusterRole
metadata:
  annotations:
    authorization.openshift.io/system-only: "true"
  name: system:bigip-ctlr
rules:
- apiGroups: ["", "extensions"]
  resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "routes" ]
  verbs: ["get", "list", "watch"]
- apiGroups: ["", "extensions"]
  resources: ["configmaps", "events", "ingresses/status"]
  verbs: ["get", "list", "watch", "update", "create", "patch" ]
- apiGroups: ["", "extensions"]
  resources: ["secrets"]
  resourceNames: ["<secret-containing-bigip-login>"]
  verbs: ["get", "list", "watch"]

---

apiVersion: v1
kind: ClusterRoleBinding
metadata:
  name: bigip-ctlr-role
userNames:
- system:serviceaccount:kube-system:bigip-ctlr
subjects:
- kind: ServiceAccount
  name: bigip-ctlr
roleRef:
  name: system:bigip-ctlr
oc create -f f5-kctlr-openshift-clusterrole.yaml
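To see what the role above grants before binding it to the service account, the following added example (not part of the F5 lab files) evaluates requests against its rules with a simplified model of Kubernetes RBAC rule matching. It assumes the placeholder <secret-containing-bigip-login> is replaced by bigip-login; the function names are hypothetical.

```python
# Added example: simplified model of Kubernetes RBAC rule matching, not the API server's code.
# RULES is transcribed from the ClusterRole above.
SECRET = "bigip-login"  # assumption: substituted for <secret-containing-bigip-login>

RULES = [
    {"apiGroups": ["", "extensions"],
     "resources": ["nodes", "services", "endpoints", "namespaces", "ingresses", "routes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["", "extensions"],
     "resources": ["configmaps", "events", "ingresses/status"],
     "verbs": ["get", "list", "watch", "update", "create", "patch"]},
    {"apiGroups": ["", "extensions"],
     "resources": ["secrets"],
     "resourceNames": [SECRET],
     "verbs": ["get", "list", "watch"]},
]


def allowed(verb, resource, name=None, group="", rules=RULES):
    """Return True if any rule grants `verb` on `resource` (optionally a named object)."""
    for rule in rules:
        if group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
            continue
        if resource not in rule["resources"] and "*" not in rule["resources"]:
            continue
        if verb not in rule["verbs"] and "*" not in rule["verbs"]:
            continue
        names = rule.get("resourceNames")
        # A rule with resourceNames only matches requests that name a listed object.
        if names and name not in names:
            continue
        return True
    return False


def write_surface(rules=RULES):
    """Resources on which the role grants any mutating verb."""
    mutating = {"create", "update", "patch", "delete", "deletecollection", "*"}
    return sorted({r for rule in rules if mutating & set(rule["verbs"])
                   for r in rule["resources"]})


if __name__ == "__main__":
    for req in [("get", "secrets", SECRET), ("get", "secrets", "other-secret"),
                ("update", "configmaps", None), ("delete", "services", None)]:
        print(req, "->", "allow" if allowed(*req) else "deny")
    print("writable:", write_surface())
```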
Create & Verify CC Deployment
Create an OpenShift Deployment for each Controller (one per BIG-IP device). You need to deploy a controller for both f5-bigip-node1 and f5-bigip-node2.
- Provide a unique metadata.name for each Controller.
- Provide a unique --bigip-url in each Deployment (each Controller manages a separate BIG-IP device).
- Use the same --bigip-partition in all Deployments.
bigip1-cc.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: bigip1-ctlr
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr1
      labels:
        app: k8s-bigip-ctlr1
    spec:
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:latest"
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--credentials-directory=/tmp/creds",
            "--bigip-url=10.3.10.60",
            "--bigip-partition=ocp",
            "--pool-member-type=cluster",
            "--manage-routes=true",
            "--node-poll-interval=5",
            "--verify-interval=5",
            "--namespace=demoproj",
            "--namespace=yelb",
            "--namespace=guestbook",
            "--namespace=f5demo",
            "--route-vserver-addr=10.3.10.120",
            "--route-http-vserver=ocp-vserver",
            "--route-https-vserver=ocp-https-vserver",
            "--openshift-sdn-name=/Common/ocp-tunnel"
            ]
          volumeMounts:
          - name: bigip-creds
            mountPath: "/tmp/creds"
            readOnly: true
      volumes:
      - name: bigip-creds
        secret:
          secretName: bigip-login
      imagePullSecrets:
        - name: f5-docker-images
bigip2-cc.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: bigip2-ctlr
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr1
      labels:
        app: k8s-bigip-ctlr1
    spec:
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:latest"
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--credentials-directory=/tmp/creds",
            "--bigip-url=10.3.10.61",
            "--bigip-partition=ocp",
            "--pool-member-type=cluster",
            "--manage-routes=true",
            "--node-poll-interval=5",
            "--verify-interval=5",
            "--namespace=demoproj",
            "--namespace=yelb",
            "--namespace=guestbook",
            "--namespace=f5demo",
            "--route-vserver-addr=10.3.10.120",
            "--route-http-vserver=ocp-vserver",
            "--route-https-vserver=ocp-https-vserver",
            "--openshift-sdn-name=/Common/ocp-tunnel"
            ]
          volumeMounts:
          - name: bigip-creds
            mountPath: "/tmp/creds"
            readOnly: true
      volumes:
      - name: bigip-creds
        secret:
          secretName: bigip-login
      imagePullSecrets:
        - name: f5-docker-images
oc create -f bigip1-cc.yaml
oc create -f bigip2-cc.yaml
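The three rules for HA-pair Deployments (unique metadata.name, unique --bigip-url, shared --bigip-partition) can be checked on the manifest text before it is applied. This is an added example, not part of the F5 lab; the embedded manifests are abbreviated copies built from the values above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Abbreviated copies of the two manifests above (only the fields the rules mention).
BIGIP1 = """
kind: Deployment
metadata:
  name: bigip1-ctlr
  namespace: kube-system
spec:
  template:
    spec:
      containers:
        - args: [
            "--bigip-url=10.3.10.60",
            "--bigip-partition=ocp",
            ]
"""
BIGIP2 = BIGIP1.replace("bigip1-ctlr", "bigip2-ctlr").replace("10.3.10.60", "10.3.10.61")


def summarize(manifest):
    """Extract the Deployment name and the two controller flags from manifest text.

    Assumes `name:` is the first key under the top-level `metadata:`, as in the lab files.
    """
    name = re.search(r"^metadata:\s*\n\s+name:\s*(\S+)", manifest, re.M)
    flags = dict(re.findall(r"--(bigip-url|bigip-partition)=([^\"'\s,\]]+)", manifest))
    return {"name": name.group(1) if name else None,
            "url": flags.get("bigip-url"), "partition": flags.get("bigip-partition")}


def check_ha_pair(manifests):
    """Return a list of violations of the three rules; empty means consistent."""
    items = [summarize(m) for m in manifests]
    problems = []
    for field, label in (("name", "metadata.name"), ("url", "--bigip-url")):
        counts = Counter(i[field] for i in items)
        problems += [f"missing {label}" for v in counts if v is None]
        problems += [f"duplicate {label}: {v}" for v, n in counts.items() if v and n > 1]
    partitions = {i["partition"] for i in items}
    if len(partitions) != 1 or None in partitions:
        problems.append(f"--bigip-partition differs or is missing: {sorted(map(str, partitions))}")
    return problems


if __name__ == "__main__":
    print(check_ha_pair([BIGIP1, BIGIP2]) or "consistent")
```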
Verify the deployments and the pods that were created.
oc get deployment -n kube-system
Note
Check that both controllers in your lab show as AVAILABLE. If not, you won't be able to do the lab. It may take up to 10 minutes for them to become available.
oc get pods -n kube-system
You can also use the web console in OpenShift (https://ose-master1:8443/) to view the BIG-IP Controller (login: centos, password: centos). Go to the kube-system project.