Better together - F5 Container Ingress Services and NGINX Plus Ingress Controller Integration

Introduction

The F5 Container Ingress Services (CIS) can be integrated with the NGINX Plus Ingress Controllers (NIC) within a Kubernetes (k8s) environment.

The benefits are getting the best of both worlds, with the BIG-IP providing comprehensive L4 ~ L7 security services, while leveraging NGINX Plus as the de facto standard for micro services solution.

This architecture is depicted below.

The integration is made fluid via the CIS, a k8s pod that listens to events in the cluster and dynamically populates the BIG-IP pool pointing to the NIC's as they scale.

There are a few components need to be stitched together to support this integration, each of which is discussed in detail over the proceeding sections.

NGINX Plus Ingress Controller

Follow this (https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/) to build the NIC image.

The NIC can be deployed using the Manifests either as a Daemon-Set or a Service. See this ( https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/ ).

A sample Deployment file deploying NIC as a Service is shown below,

apiVersion: apps/v1
kind: Deployment
metadata:
 name: nginx-ingress
 namespace: nginx-ingress
spec:
 replicas: 3
 selector:
   matchLabels:
     app: nginx-ingress
 template:
   metadata:
     labels:
       app: nginx-ingress
    #annotations:
      #prometheus.io/scrape: "true"
      #prometheus.io/port: "9113"
   spec:
     serviceAccountName: nginx-ingress
     imagePullSecrets:
     - name: abgmbh.azurecr.io
     containers:
     - image: abgmbh.azurecr.io/nginx-plus-ingress:edge
       name: nginx-plus-ingress
       ports:
       - name: http
         containerPort: 80
       - name: https
         containerPort: 443
      #- name: prometheus
        #containerPort: 9113
       securityContext:
         allowPrivilegeEscalation: true
         runAsUser: 101 #nginx
         capabilities:
           drop:
           - ALL
           add:
           - NET_BIND_SERVICE
       env:
       - name: POD_NAMESPACE
         valueFrom:
           fieldRef:
             fieldPath: metadata.namespace
       - name: POD_NAME
         valueFrom:
           fieldRef:
             fieldPath: metadata.name
       args:
         - -nginx-plus
         - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
         - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
         - -ingress-class=sock-shop
        #- -v=3 # Enables extensive logging. Useful for troubleshooting.
        #- -report-ingress-status
        #- -external-service=nginx-ingress
        #- -enable-leader-election
        #- -enable-prometheus-metrics

Notice the ‘- -ingress-class=sock-shop’ argument, it means that the NIC will only work with an Ingress that is annotated with ‘sock-shop’. The absence of this annotation makes NIC the default for all Ingress created.

Below shows the counterpart Ingress with the ‘sock-shop’ annotation.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: sock-shop-ingress
 annotations:
   kubernetes.io/ingress.class: "sock-shop"
spec:
 tls:
 - hosts:
   - socks.ab.gmbh
   secretName: wildcard.ab.gmbh
 rules:
 - host: socks.ab.gmbh
   http:
     paths:
     - path: /
       backend:
         serviceName: front-end
         servicePort: 80

This Ingress says if hostname is socks.ab.gmbh and path is ‘/’, send traffic to a service named ‘front-end’, which is part of the socks application itself.

The above concludes Ingress configuration with the NIC.

F5 Container Ingress Services

The next step is to leverage the CIS to dynamically populate the BIG-IP pool with the NIC addresses.

Follow this ( https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-app-install.html ) to deploy the CIS.

A sample Deployment file is shown below,

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
 name: k8s-bigip-ctlr-deployment
 namespace: kube-system
spec:
 # DO NOT INCREASE REPLICA COUNT
 replicas: 1
 template:
   metadata:
     name: k8s-bigip-ctlr
     labels:
       app: k8s-bigip-ctlr
   spec:
     # Name of the Service Account bound to a Cluster Role with the required
     # permissions
     serviceAccountName: bigip-ctlr
     containers:
       - name: k8s-bigip-ctlr
         image: "f5networks/k8s-bigip-ctlr"
         env:
           - name: BIGIP_USERNAME
             valueFrom:
               secretKeyRef:
                 # Replace with the name of the Secret containing your login
                 # credentials
                 name: bigip-login
                 key: username
           - name: BIGIP_PASSWORD
             valueFrom:
               secretKeyRef:
                 # Replace with the name of the Secret containing your login
                 # credentials
                 name: bigip-login
                 key: password
         command: ["/app/bin/k8s-bigip-ctlr"]
         args: [
           # See the k8s-bigip-ctlr documentation for information about
           # all config options
           # https://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest
           "--bigip-username=$(BIGIP_USERNAME)",
           "--bigip-password=$(BIGIP_PASSWORD)",
           "--bigip-url=https://x.x.x.x:8443",
           "--bigip-partition=k8s",
           "--pool-member-type=cluster",
           "--agent=as3",
           "--manage-ingress=false",
           "--insecure=true",
           "--as3-validation=true",
           "--node-poll-interval=30",
           "--verify-interval=30",
           "--log-level=INFO"
           ]
     imagePullSecrets:
       # Secret that gives access to a private docker registry
       - name: f5-docker-images
       # Secret containing the BIG-IP system login credentials
       - name: bigip-login

Notice the following arguments below. They tell the CIS to consume AS3 declaration to configure the BIG-IP. According to PM, CCCL (Common Controller Core Library) – used to orchestrate F5 BIG-IP, is getting removed this sprint for the CIS 2.0 release.

'--manage-ingress=false' means CIS is not doing anything for Ingress resources defined within the k8s, this is because that CIS is not the Ingress Controller, NGINX Plus is, as far as k8s is concerned.

The CIS will create a partition named k8s_AS3 on the BIG-IP, this is used to hold L4~7 configuration relating to the AS3 declaration.

The best practice is also to manually create a partition named 'k8s' (in our example), where networking info will be stored (e.g., ARP, FDB).

           "--bigip-url=https://x.x.x.x:8443",
           "--bigip-partition=k8s",
           "--pool-member-type=cluster",
           "--agent=as3",
           "--manage-ingress=false",
           "--insecure=true",
           "--as3-validation=true",

To apply AS3, the declaration is embedded within a ConfigMap applied to the CIS pod.

kind: ConfigMap
apiVersion: v1
metadata:
 name: as3-template
 namespace: kube-system
 labels:
   f5type: virtual-server
   as3: "true"
data:
 template: |
   {
      "class": "AS3",
      "action": "deploy",
      "persist": true,
      "declaration": {
        "class": "ADC",
        "id":"1847a369-5a25-4d1b-8cad-5740988d4423",
        "schemaVersion": "3.16.0",
        "Nginx_IC": {
                "class": "Tenant",
                "Nginx_IC_vs": {
                    "class": "Application",
                    "template": "https",
                    "serviceMain": {
                        "class": "Service_HTTPS",
                        "virtualAddresses": [
                            "10.1.0.14"
                        ],
                        "virtualPort": 443,
                        "redirect80": false,
                        "serverTLS": {
                            "bigip": "/Common/clientssl"
                        },
                        "clientTLS": {
                            "bigip": "/Common/serverssl"
                        },
                        "pool": "Nginx_IC_pool"
                    },
                    "Nginx_IC_pool": {
                        "class": "Pool",
                        "monitors": [
                            "https"
                        ],
                        "members": [
                            {
                                "servicePort": 443,
                                "shareNodes": true,
                                "serverAddresses": []
                            }
                        ]
                    }
                }
            }
        } 
    }

They are telling the BIG-IP to create a tenant called ‘Nginx_IC’, a virtual named ‘Nginx_IC_vs’ and a pool named ‘Nginx_IC_pool’. The CIS will update the serverAddresses with the NIC addresses dynamically.

Now, create a Service to expose the NIC’s.

apiVersion: v1
kind: Service
metadata:
 name: nginx-ingress
 namespace: nginx-ingress
 labels:
   cis.f5.com/as3-tenant: Nginx_IC
   cis.f5.com/as3-app: Nginx_IC_vs
   cis.f5.com/as3-pool: Nginx_IC_pool
spec:
 type: ClusterIP
 ports:
   - port: 443
     targetPort: 443
     protocol: TCP
     name: https
 selector:
   app: nginx-ingress

Notice the labels, they match with the AS3 declaration and this allows the CIS to populate the NIC’s addresses to the correct pool. Also notice the kind of the manifest ‘Service’, this means only a Service is created, not an Ingress, as far as k8s is concerned.

On the BIG-IP, the following should be created.

The end product is below.

Please note that this article is focused solely on control plane, that is, how to get the CIS to populate the BIG-IP with NIC's addresses.

The specific mechanisms to deliver packets from the BIG-IP to the NIC's on the data plane is not discussed, as it is decoupled from control plane. For data plane specifics, please take a look here ( https://clouddocs.f5.com/containers/v2/ ).

Hope this article helps to lift the veil on some integration mysteries.

Published Mar 05, 2020

Version 1.0

Ret. Employee

Joined May 16, 2019

View Profile

Chris_Zhang

Ret. Employee

Joined May 16, 2019

View Profile

27 Comments

kunalpuriii
Altocumulus
Mar 17, 2020
Hello Lief Zimmerman

Thanks for posting this document,

I am working on same topology, however did not get this working as of now.

Would it be possible for you to help.

Thanks
Kunal
LiefZimmerman
Admin
Mar 17, 2020
- I recommend posting your specific question in our questions section. That is the most likely way to get the most eyes on your problem.
You might consider adding the URL to this article as a reference of your question and then you may even @mention the author of this article () in your question. Often, someone in the community (either Chris or another) will step in and offer guidance. Failing that, please reach out to your account management team.

Hope that helps.
Chris_Zhang
Ret. Employee
Mar 18, 2020
Hey Kunal,

Regarding user/pass, you need to create a secret within k8s and reference that secret in the form of variables in the yaml file. - the references are already in place, so please create a secret per this article ( https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-app-install.html#kctlr-initial-setup-bigip ), step 3.

For "--bigip-url=<ip_address-or-hostname>", if your BIG-IP has a single interface, the management by default is on port 8443. Use the address that you use to administer the appliance.

You do not need to add anything to the ConfigMap as related to your question. If you follow the referenced article, all the prerequisites should be setup and ready to go.

--insecure=true means CIS will not validate certificate presented by the BIG-IP. All traffic is still SSL encrypted.

Install a recent version of f5-appsvcs on the BIG-IP, otherwise it won't understand AS3 embedded within the ConfigMap.

Once the CIS is able to communicate with the BIG-IP, the AS3 within the ConfigMap will set up everything in the BIG-IP. You do not have to configure anything manually inside the BIG-IP.

The integration is meant for NGINX Plus Ingress Controller, the Open Source Nginx might work as well, but I have not tested it at all.

Thanks,
Chris
chongwp
Nimbostratus
Mar 20, 2020
My "k8s-bigip-ctlr" is having this error in its log.
> 2020-03-20T11:40:39.934958194Z 2020/03/20 11:40:39 [ERROR] Error parsing ConfigMap kube-system_as3-template
Need a recent version of f5-appsvcs on the BIG-IP?
Chris_Zhang
Ret. Employee
Mar 20, 2020
This message is likely cosmetic, I have those messages as well. I will ask internally and see what is causing them.
kunalpuriii
Altocumulus
Mar 23, 2020
I have setup and working now, issue is with AS3-template. I am only able to create VIP with name"serviceMain".
If i have multiple cluster connected to F5, how i will be able to create multiple VIP's.

I have tried changing name of VIP but its not working.

Can you suggest me what would be correct config for AS3 for flexible VIP name
Chris_Zhang
Ret. Employee
Mar 27, 2020
With AS3, the name of the virtual server is fixed to 'ServiceMain', but you can put the name in 'Description'.
kunalpuriii
Altocumulus
Apr 06, 2020
Hello Chris... thanks for responding to the queries... In above example clusterip is used which advertised nginx ingress controller IP to the F5. can you please confirm what would be the data plane forwarding, is it like below
F5-->k8'sNode-->Services-->POD where NGINX is running or is it different?

Thanks again for your help
Chris_Zhang
Ret. Employee
Apr 07, 2020
When you use ClusterIP, the BIG-IP needs to be able to deliver traffic to that IP space. If you use Calico (BGP), that traffic is routed. If you use Flannel (VXLAN), that traffic is sent inside the VXLAN tunnel.

With BGP, the route table will have the next-hop set to the k8s nodes. Traffic is routed to k8s nodes and those nodes further route traffic to the NGINX IC pods.

With VXLAN, the BIG-IP establishes a tunnel with the k8s nodes at the other end. Traffic is sent inside the tunnel and arrives at the k8s nodes, and traffic is taken out from the tunnel and delivered to the NGINX IC pods.
kunalpuriii
Altocumulus
Jun 08, 2020
Hello

I hope you are doing well.

Just wanted to check if this solution still works. I am trying to recreate the environment but its not working, its giving me below error

2020/06/08 20:47:18 [ERROR] [AS3] Response from BIG-IP: code: ERR_REQUEST_FAILED --- tenant:Nginx_IC --- message: declaration failed
2020/06/08 20:47:18 [ERROR] [AS3] Response from BIG-IP: code: 200 --- tenant:k8s-AS3_AS3 --- message: no change

I have tried this setup with CIS 2.0.0 and f5appsvc 3.20.0 and also CIS 1.14.0 and f5appsvc 3.17.1, i am using same working configuration from march. but getting below error

nginx SVC config
root@master-1:~# kubectl describe svc nginx-ingress2 -n nginx-ingress
Name:       nginx-ingress2
Namespace:     nginx-ingress
Labels:      cis.f5.com/as3-app=Nginx_vs
          cis.f5.com/as3-pool=Nginx_IC_pool
          cis.f5.com/as3-tenant=Nginx_IC
Annotations:    <none>
Selector:     app=nginx-ingress
Type:       ClusterIP
IP:        10.111.160.103
Port:       https 443/TCP
TargetPort:    443/TCP
Endpoints:     10.1.2.191:443
Session Affinity: None
Events:      <none>

Configmap for CIS and F5 integration
root@master-1:~# kubectl describe configmap nginx-as3 -n kube-system
Name:     nginx-as3
Namespace:  kube-system
Labels:    as3=true
       f5type=virtual-server
Annotations: <none>

Data
====
template:
----
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
   "class": "ADC",
   "schemaVersion": "3.13.0",
   "id": "1847a369-5a25-4d1b-8cad-5740988d4423",
   "label": "APP Template",
   "remark": "HTTP application",
   "Nginx_IC": {
       "class": "Tenant",
       "Nginx_IC_vs": {
         "class": "Application",
         "template": "generic",
         "app_80_vs": {
          "class": "Service_HTTP",
          "remark": "app",
          "virtualAddresses": [
           "10.165.36.141"
           ],
          "virtualPort": 80,
          "profileTCP": {
          "bigip": "/Common/f5-tcp-lan"
          },
       "pool": "Nginx_IC_pool"
          },
          "Nginx_IC_pool": {
          "class": "Pool",
          "members": [
          {
           "servicePort": 80,
           "shareNodes": true,
           "serverAddresses": []
          }
         ]
        }
       }
      }
    }
}
Events: <none>

CIS:
root@master-1:~# kubectl describe pod k8s-bigip-ctlr-deployment-6759c46587-tdk79 -n kube-system
Name:     k8s-bigip-ctlr-deployment-6759c46587-tdk79
Namespace:  kube-system
Priority:   0
Node:     worker-2/192.168.5.22
Start Time:  Mon, 08 Jun 2020 20:40:16 +0000
Labels:    app=k8s-bigip-ctlr
       pod-template-hash=6759c46587
Annotations: <none>
Status:    Running
IP:      10.1.2.192
IPs:
IP:      10.1.2.192
Controlled By: ReplicaSet/k8s-bigip-ctlr-deployment-6759c46587
Containers:
k8s-bigip-ctlr:
  Container ID: docker://4f4bfd89700af786bfa3920e5287160003a4500370c4e133c159cc33c62ed984
  Image:     f5networks/k8s-bigip-ctlr:1.14.0
  Image ID:   docker-pullable://f5networks/k8s-bigip-ctlr@sha256:25bdfc947ed4cdd172a68e37c51dbaa8ca87fcbc4d894622b42a260755a2bf68
  Port:     <none>
  Host Port:   <none>
  Command:
   /app/bin/k8s-bigip-ctlr
  Args:
   --bigip-username=$(BIGIP_USERNAME)
   --bigip-password=$(BIGIP_PASSWORD)
   --bigip-url=https://192.168.5.210
   --bigip-partition=k8s-AS3
   --pool-member-type=cluster
   --agent=as3
   --manage-ingress=false
   --insecure=true
   --as3-validation=true
   --node-poll-interval=30
   --verify-interval=30
   --log-level=INFO
  State:     Running
   Started:   Mon, 08 Jun 2020 20:40:20 +0000
  Ready:     True
  Restart Count: 0
  Environment:
   BIGIP_USERNAME: <set to the key 'username' in secret 'bigip-login'> Optional: false
   BIGIP_PASSWORD: <set to the key 'password' in secret 'bigip-login'> Optional: false
  Mounts:
   /var/run/secrets/kubernetes.io/serviceaccount from bigip-ctlr-token-r6rvn (ro)
Conditions:
Type       Status
Initialized    True
Ready       True
ContainersReady  True
PodScheduled   True
Volumes:
bigip-ctlr-token-r6rvn:
  Type:    Secret (a volume populated by a Secret)
  SecretName: bigip-ctlr-token-r6rvn
  Optional:  false
QoS Class:    BestEffort
Node-Selectors: <none>
Tolerations:   node.kubernetes.io/not-ready:NoExecute for 300s
         node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type  Reason   Age    From        Message
----  ------   ----    ----        -------
Normal Scheduled <unknown> default-scheduler Successfully assigned kube-system/k8s-bigip-ctlr-deployment-6759c46587-tdk79 to worker-2
Normal Pulling  17m    kubelet, worker-2 Pulling image "f5networks/k8s-bigip-ctlr:1.14.0"
Normal Pulled   17m    kubelet, worker-2 Successfully pulled image "f5networks/k8s-bigip-ctlr:1.14.0"
Normal Created  17m    kubelet, worker-2 Created container k8s-bigip-ctlr
Normal Started  17m    kubelet, worker-2 Started container k8s-bigip-ctlr

Any help is greatly appreciated.

Thanks
Kunal