F5 Solutions for Containers > Class 1: Kubernetes with F5 Container Ingress Service > Module 2: CIS Using ClusterIP Mode Source | Edit on

Lab 2.1 - Install & Configure CIS in ClusterIP Mode¶

In the previous moudule we learned about Nodeport Mode. Here we’ll learn about ClusterIP Mode.

BIG-IP Setup¶

With ClusterIP we’re utilizing VXLAN to communicate with the application pods. To do so we’ll need to configure BIG-IP first.

If not already connected, RDP to the UDF lab “jumpbox” host. Otherwise resume previous session.

Open firefox and connect to bigip1. For your convenience there’s a shortcut on the toolbar. Username and password are: admin/admin

Attention

Be sure to be in the Common partition before creating the following objects.

First we need to setup a partition that will be used by F5 Container Ingress Service.

Note

This step was performed in the previous module. Verify the “kubernetes” partion exists and if not follow the instructions below.
- GoTo: System ‣ Users ‣ Partition List
- Create a new partition called “kubernetes” (use default settings)
- Click Finished
```
# From the CLI:
ssh admin@10.1.1.4 tmsh create auth partition kubernetes
```
Install AS3 via the management console

Attention

This has been done to save time. If needed see Module1 / Lab 1.1 / Install AS3 Steps
Create a vxlan tunnel profile.
- GoTo: Network ‣ Tunnels ‣ Profiles ‣ VXLAN
- Create a new profile called “fl-vxlan”
- Set Port = 8472
- Set the Flooding Type = none
- Click Finished
```
# From the CLI:
ssh admin@10.1.1.4 tmsh create net tunnels vxlan fl-vxlan { app-service none port 8472 flooding-type none }
```
Create a vxlan tunnel.
- GoTo: Network ‣ Tunnels ‣ Tunnel List
- Create a new tunnel called “fl-tunnel”
- Set the Profile to the one previously created called “fl-vxlan”
- set the Key = 1
- Set the Local Address to 10.1.1.4
- Click Finished
```
# From the CLI:
ssh admin@10.1.1.4 tmsh create net tunnels tunnel fl-tunnel { app-service none key 1 local-address 10.1.1.4 profile fl-vxlan }
```
Create the vxlan tunnel self-ip

Tip

For your SELF-IP subnet, remember it is a /16 and not a /24.

Why? The Self-IP has to know all other /24 subnets are local to this namespace, which includes Master1, Node1, Node2, etc. Each of which have their own /24.

Many students accidently use /24, doing so would limit the self-ip to only communicate with that subnet. When trying to ping services on other /24 subnets from the BIG-IP for instance, communication will fail as your self-ip doesn’t have the proper subnet mask to know the other subnets are local.
- GoTo: Network ‣ Self IPs
- Create a new Self-IP called “fl-vxlan-selfip”
- Set the IP Address to “10.244.20.1”
- Set the Netmask to “255.255.0.0”
- Set the VLAN / Tunnel to “fl-tunnel” (Created earlier)
- Set Port Lockdown to “Allow All”
- Click Finished
```
# From the CLI:
ssh admin@10.1.1.4 tmsh create net self fl-vxlan-selfip { address 10.244.20.1/16 vlan fl-tunnel allow-service all }
```

CIS Deployment¶

Note

For your convenience the file can be found in /home/ubuntu/agilitydocs/docs/class1/kubernetes (downloaded earlier in the git clone repo step).
Or you can cut and paste the file below and create your own file.
If you have issues with your yaml and syntax (indentation MATTERS), you can try to use an online parser to help you : Yaml parser

Before deploying CIS in ClusterIP mode we need to configure Big-IP as a node in the kubernetes cluster. To do so you’ll need to modify “bigip-node.yaml” with the MAC address auto created from the previous steps. From the jumpbox terminal run the following command at bigip1. You’ll want to copy the displayed “MAC Address”.
```
# If directed to, accept the authenticity of the host by typing "yes" and hitting Enter to continue.
# The password is "admin"

ssh admin@10.1.1.4 tmsh show net tunnels tunnel fl-tunnel all-properties
```

On kube-master1 edit bigip-node.yaml and change the highlighted MAC address with the MAC address copied from the previous step.

Note

If your unfamiliar with VI ask for help.

vim ~/agilitydocs/docs/class1/kubernetes/bigip-node.yaml

i           # To enable insert mode and start editing
            # Replace the current MAC addr with the one previously copied
<ESC>       # To exit insert mode
:wq <ENTER> # To write and exit file

bigip-node.yaml¶

apiVersion: v1
kind: Node
metadata:
  name: bigip1
  annotations:
    #Replace IP with Self-IP for your deployment
    flannel.alpha.coreos.com/public-ip: "10.1.1.4"
    #Replace MAC with your BIGIP Flannel VXLAN Tunnel MAC
    flannel.alpha.coreos.com/backend-data: '{"VtepMAC":"02:20:ae:2f:e0:60"}'
    flannel.alpha.coreos.com/backend-type: "vxlan"
    flannel.alpha.coreos.com/kube-subnet-manager: "true"
spec:
  #Replace Subnet with your BIGIP Flannel Subnet
  podCIDR: "10.244.20.0/24"

Create the bigip node:
```
kubectl create -f bigip-node.yaml
```
Verify “bigip1” node is created:
```
kubectl get nodes
```
Note

It’s normal for bigip1 to show up as “Unknown” or “NotReady”. This status can be ignored.

Just like the previous module where we deployed CIS in NodePort mode we need to create a “secret”, “serviceaccount”, and “clusterrolebinding”.

Important

This step can be skipped if previously done in module1(NodePort). Some classes may choose to skip module1.

kubectl create secret generic bigip-login -n kube-system --from-literal=username=admin --from-literal=password=admin
kubectl create serviceaccount k8s-bigip-ctlr -n kube-system
kubectl create clusterrolebinding k8s-bigip-ctlr-clusteradmin --clusterrole=cluster-admin --serviceaccount=kube-system:k8s-bigip-ctlr

Now that we have bigip1 added as a Node we can launch the CIS deployment. It will start the f5-k8s-controller container on one of the worker nodes.

Attention

This may take around 30sec to get to a running state.

cd ~/agilitydocs/docs/class1/kubernetes

cat cluster-deployment.yaml

You’ll see a config file similar to this:

cluster-deployment.yaml¶

apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: k8s-bigip-ctlr
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      serviceAccountName: k8s-bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:2.4.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            "--bigip-url=https://10.1.1.4:8443",
            "--insecure=true",
            "--bigip-partition=kubernetes",
            "--pool-member-type=cluster",
            "--flannel-name=/Common/fl-tunnel"
          ]

Create the CIS deployment with the following command
```
kubectl create -f cluster-deployment.yaml
```

Verify the deployment “deployed”

kubectl get deployment k8s-bigip-ctlr --namespace kube-system

../../_images/f5-container-connector-launch-deployment-controller2.png

To locate on which node CIS is running, you can use the following command:
```
kubectl get pods -o wide -n kube-system
```
We can see that our container, in this example, is running on kube-node1 below.

Troubleshooting¶

Check the container/pod logs via kubectl command. You also have the option of checking the Docker container as described in the previos module.

Using the full name of your pod as showed in the previous image run the following command:
```
# For example:
kubectl logs k8s-bigip-ctlr-846dcb5958-zzvc8 -n kube-system
```
Attention

You will see ERROR in this log output. These errors can be ignored. The lab will work as expected.

Previous Next