ABOUT DEVCENTRAL

DevCentral News Technical Forum Technical Articles Technical CrowdSRC Community Guidelines DevCentral EULA Get a Developer Lab License Become a DevCentral MVP

RESOURCES

Product Documentation White Papers Glossary Customer Stories Webinars Free Online Courses F5 Certification LearnF5 Training

SUPPORT

Manage Subscriptions Professional Services Professional Services Create a Service Request Software Downloads Support Portal

PARTNERS

Find a Reseller Partner Technology Alliances Become an F5 Partner Login to Partner Central

---

©2024 F5, Inc. All rights reserved.

In our previous article, we have setup Kubernetes and calico with our BIG-IPs. Now we will setup F5 Container Ingress Services (F5 CIS) and deploy an ingress service.

\n\n

Note: in this deployment, we will setup F5 CIS in the namespace kube-system

\n\n

BIG-IPs Setup

\n\n

Setup our Kubernetes partition

\n\n

Before deploying F5 Container Ingress Services, we need to setup our BIG-IPs:

\n\n

• Setup a partition that CIS will use.
• Install AS3

\n\n

\n\n

On EACH BIG-IP, you need to do the following:

\n\n

In the GUI, go to System > User > Partitions List and click on the Create button

\n\n

\n\n

\n\n

Create a partition called \"kubernetes\" and click Finished

\n\n

\n\n

Next we need to download the AS3 extension and install it on each BIG-IP. 

\n\n

\n\n

Install AS3

\n\n

Go to GitHub . Select the release with the \"latest\" tag and download the rpm.

\n\n

\n\n

\n\n

Once you have the rpm, go to iApps > Package Management LX and click the Import button (you need to run BIG-IP v12.1 or later) on EACH BIG-IP

\n\n

\n\n

\n\n

Chose your rpm and click Upload. Once the rpm has been uploaded and loaded, you should see this: 

\n\n

\n\n

\n\n

Our BIG-IPs are setup properly now.

\n\n

Next, we will deploy F5 CIS

\n\n

\n\n

CIS Deployment

\n\n

Connect to your Kubernetes cluster. We will need to setup the following:

\n\n

• Create a Kubernetes secret to store our BIG-IPs credentials
• Setup a service account for CIS and setup RBAC
• Setup our CIS configuration. We will need 1xCIS per BIG-IP (even when BIG-IP is setup as a cluster - we don't recommend automatic sync between BIG-IPs)
• Deploy one CIS per BIG-IP

\n\n

\n\n

Store our BIG-IP credentials in a kubernetes secret

\n\n

To store your credentials (login/password) in a kubernetes secret, you can run the following command (https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-secrets.html#secret-bigip-login):

\n\n

kubectl create secret generic bigip-login --namespace kube-system --from-literal=username=<your_login> --from-literal=password=<your_password>

\n\n

\n\n

In my setup, my credentials are the following:

\n\n

• Login: admin
• Password: D3f4ult123

\n\n

So we'll run the following command:

\n\n

kubectl create secret generic bigip-login --namespace kube-system --from-literal=username=admin --from-literal=password=D3f4ult123

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl create secret generic bigip-login --namespace kube-system --from-literal=username=admin --from-literal=password=D3f4ult123\nsecret/bigip-login created\n

\n\n

\n\n

Create a Service Account /RBAC for CIS

\n\n

Now we need to create our service account (https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-app-install.html#set-up-rbac-authentication):

\n\n

Run the following command: :

\n\n

kubectl create serviceaccount bigip-ctlr -n kube-system

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl create serviceaccount bigip-ctlr -n kube-system\nserviceaccount/bigip-ctlr created\n

\n\n

\n\n

Use your favorite editor to create this file:

\n\n

f5-k8s-sample-rbac.yaml:

\n\n

# for use in k8s clusters only\n # for OpenShift, use the OpenShift-specific examples\n kind: ClusterRole\n apiVersion: rbac.authorization.k8s.io/v1\n metadata:\n  name: bigip-ctlr-clusterrole\n rules:\n - apiGroups: [\"\", \"extensions\"]\n  resources: [\"nodes\", \"services\", \"endpoints\", \"namespaces\", \"ingresses\", \"pods\"]\n  verbs: [\"get\", \"list\", \"watch\"]\n - apiGroups: [\"\", \"extensions\"]\n  resources: [\"configmaps\", \"events\", \"ingresses/status\"]\n  verbs: [\"get\", \"list\", \"watch\", \"update\", \"create\", \"patch\"]\n - apiGroups: [\"\", \"extensions\"]\n  resources: [\"secrets\"]\n  resourceNames: [\"<secret-containing-bigip-login>\"]\n  verbs: [\"get\", \"list\", \"watch\"]\n---\nkind: ClusterRoleBinding\n apiVersion: rbac.authorization.k8s.io/v1\n metadata:\n  name: bigip-ctlr-clusterrole-binding\n  namespace: kube-system\n roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: bigip-ctlr-clusterrole\n subjects:\n - apiGroup: \"\"\n  kind: ServiceAccount\n  name: bigip-ctlr\n  namespace: kube-system\n

\n\n

\n\n

Deploy this config by running the following command:

\n\n

kubectl apply -f f5-k8s-sample-rbac.yaml

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl apply -f f5-k8s-sample-rbac.yaml\nclusterrole.rbac.authorization.k8s.io/bigip-ctlr-clusterrole created\nclusterrolebinding.rbac.authorization.k8s.io/bigip-ctlr-clusterrole-binding created\n

\n\n

\n\n

Next step is to setup our CIS deployment files

\n\n

\n\n

Create our CIS deployment configurations

\n\n

Use your favorite editor to create the following files:

\n\n

\n\n

setup_cis_bigip1.yaml:

\n\n

apiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: k8s-bigip1-ctlr-deployment\n namespace: kube-system\nspec:\n selector:\n   matchLabels:\n     app: k8s-bigip1-ctlr\n # DO NOT INCREASE REPLICA COUNT\n replicas: 1\n template:\n   metadata:\n     labels:\n       app: k8s-bigip1-ctlr\n   spec:\n     # Name of the Service Account bound to a Cluster Role with the required\n     # permissions\n     serviceAccountName: bigip-ctlr\n     containers:\n       - name: k8s-bigip-ctlr\n         image: \"f5networks/k8s-bigip-ctlr\"\n         env:\n           - name: BIGIP_USERNAME\n             valueFrom:\n               secretKeyRef:\n                 # Replace with the name of the Secret containing your login\n                 # credentials\n                 name: bigip-login\n                 key: username\n           - name: BIGIP_PASSWORD\n             valueFrom:\n               secretKeyRef:\n                 # Replace with the name of the Secret containing your login\n                 # credentials\n                 name: bigip-login\n                 key: password\n         command: [\"/app/bin/k8s-bigip-ctlr\"]\n         args: [\n           # See the k8s-bigip-ctlr documentation for information about\n           # all config options\n           # https://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest\n           \"--bigip-username=$(BIGIP_USERNAME)\",\n           \"--bigip-password=$(BIGIP_PASSWORD)\",\n           \"--bigip-url=10.1.20.11\",\n           \"--bigip-partition=kubernetes\",\n           \"--insecure=true\",\n           \"--pool-member-type=cluster\",\n           \"--agent=as3\"\n           ]\n     imagePullSecrets:\n       # Secret that gives access to a private docker registry\n       - name: f5-docker-images\n       # Secret containing the BIG-IP system login credentials\n       - name: bigip-login\n

\n\n

\n\n

setup_cis_bigip2.yaml:

\n\n

apiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: k8s-bigip2-ctlr-deployment\n namespace: kube-system\nspec:\n selector:\n   matchLabels:\n     app: k8s-bigip2-ctlr\n # DO NOT INCREASE REPLICA COUNT\n replicas: 1\n template:\n   metadata:\n     labels:\n       app: k8s-bigip2-ctlr\n   spec:\n     # Name of the Service Account bound to a Cluster Role with the required\n     # permissions\n     serviceAccountName: bigip-ctlr\n     containers:\n       - name: k8s-bigip-ctlr\n         image: \"f5networks/k8s-bigip-ctlr\"\n         env:\n           - name: BIGIP_USERNAME\n             valueFrom:\n               secretKeyRef:\n                 # Replace with the name of the Secret containing your login\n                 # credentials\n                 name: bigip-login\n                 key: username\n           - name: BIGIP_PASSWORD\n             valueFrom:\n               secretKeyRef:\n                 # Replace with the name of the Secret containing your login\n                 # credentials\n                 name: bigip-login\n                 key: password\n         command: [\"/app/bin/k8s-bigip-ctlr\"]\n         args: [\n           # See the k8s-bigip-ctlr documentation for information about\n           # all config options\n           # https://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest\n           \"--bigip-username=$(BIGIP_USERNAME)\",\n           \"--bigip-password=$(BIGIP_PASSWORD)\",\n           \"--bigip-url=10.1.20.12\",\n           \"--bigip-partition=kubernetes\",\n           \"--insecure=true\",\n           \"--pool-member-type=cluster\",\n           \"--agent=as3\"\n           ]\n     imagePullSecrets:\n       # Secret that gives access to a private docker registry\n       - name: f5-docker-images\n       # Secret containing the BIG-IP system login credentials\n       - name: bigip-login\n

\n\n

\n\n

To deploy our CIS, run the following commands:

\n\n

kubectl apply -f setup_cis_bigip1.yaml

\n\n

kubectl apply -f setup_cis_bigip2.yaml

\n\n

\n\n

You can make sure that they got deployed successfully:

\n\n

kubectl get pods -n kube-system

\n\n

\n\n

\n\n

You can review if it launched successfully with the commands:

\n\n

kubectl logs <pod_name> -n kube system

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl logs k8s-bigip2-ctlr-deployment-6f674c8d58-bbzqv -n kube-system\n2020/01/03 12:04:06 [INFO] Starting: Version: 1.12.0, BuildInfo: n2050-623590021\n2020/01/03 12:04:06 [INFO] ConfigWriter started: 0xc0002bb950\n2020/01/03 12:04:06 [INFO] Started config driver sub-process at pid: 14\n2020/01/03 12:04:07 [INFO] NodePoller (0xc000b7c090) registering new listener: 0x11bfea0\n2020/01/03 12:04:07 [INFO] NodePoller started: (0xc000b7c090)\n2020/01/03 12:04:07 [INFO] Watching Ingress resources.\n2020/01/03 12:04:07 [INFO] Watching ConfigMap resources.\n2020/01/03 12:04:07 [INFO] Handling ConfigMap resource events.\n2020/01/03 12:04:07 [INFO] Handling Ingress resource events.\n2020/01/03 12:04:07 [INFO] Registered BigIP Metrics\n2020/01/03 12:04:07 [INFO] [2020-01-03 12:04:07,663 __main__ INFO] entering inotify loop to watch /tmp/k8s-bigip-ctlr.config563475778/config.json\n2020/01/03 12:04:08 [INFO] Successfully Sent the FDB Records\n

\n\n

\n\n

You may also check your BIG-IPs configuration: if CIS has been able to connect successfully, it will have created *another* partition called \"kubernetes_AS3\".This is explained here: https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-use-as3-backend.html

\n\n

\n\n

CIS will create partition kubernetes_AS3 to store LTM objects such as pools, and virtual servers. FDB, and Static ARP entries are stored in kubernetes. These partitions should not be managed manually. 

\n\n

\n\n

\n\n

Application Deployment

\n\n

In this section, we will do the following:

\n\n

• Deploy an application with 2 replicas (ie 2 instances of our app)
• Setup an ingress service to connect to your application

\n\n

Deploy our application and service

\n\n

Create the following service and deployment configuration files:

\n\n

f5-hello-world-app-http-deployment.yaml

\n\n

apiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: f5-hello-world\n namespace: default\nspec:\n replicas: 2\n selector:\n   matchLabels:\n     app: f5-hello-world\n template:\n   metadata:\n     labels:\n       app: f5-hello-world\n   spec:\n     containers:\n     - env:\n       - name: service_name\n         value: f5-hello-world\n       image: f5devcentral/f5-hello-world:latest\n       imagePullPolicy: Always\n       name: f5-hello-world\n       ports:\n       - containerPort: 8080\n         protocol: TCP\n

\n\n

\n\n

f5-hello-world-app-http-service.yaml

\n\n

apiVersion: v1\nkind: Service\nmetadata:\n name: f5-hello-world\n namespace: default\n labels:\n   app: f5-hello-world\nspec:\n ports:\n - name: f5-hello-world\n   port: 8080\n   protocol: TCP\n   targetPort: 8080\n type: NodePort\n selector:\n   app: f5-hello-world\n

\n\n

\n\n

Apply your deployment and service:

\n\n

kubectl apply -f f5-hello-world-app-http-deployment.yaml

\n\n

kubectl apply -f f5-hello-world-app-http-service.yaml

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl apply -f f5-hello-world-app-http-deployment.yaml\ndeployment.apps/f5-hello-world created\nubuntu@ip-10-1-1-4:~$ kubectl apply -f f5-hello-world-app-http-service.yaml\nservice/f5-hello-world created\n

\n\n

\n\n

You can review your deployment and service with kubectl get :

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl get pods\nNAME                             READY  STATUS   RESTARTS  AGE\nf5-hello-world-847698f5c6-59mmn  1/1    Running  0         2m3s\nf5-hello-world-847698f5c6-pcz9v  1/1    Running  0         2m3s\nubuntu@ip-10-1-1-4:~$ kubectl get svc\nNAME            TYPE       CLUSTER-IP    EXTERNAL-IP  PORT(S)         AGE\nf5-hello-world  NodePort   10.97.83.208  <none>       8080:31380/TCP  2m\nkubernetes      ClusterIP  10.96.0.1     <none>       443/TCP         63d\n

\n\n

\n\n

Define our ingress service

\n\n

CIS ingress annotations can be reviewed here: https://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/v1.11/#ingress-resources

\n\n

\n\n

Create the following file:

\n\n

f5-as3-ingress.yaml:

\n\n

apiVersion: extensions/v1beta1\nkind: Ingress\nmetadata:\n name: singleingress1\n namespace: default\n annotations:\n # See the k8s-bigip-ctlr documentation for information about\n # all Ingress Annotations\n # https://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest/#supported-ingress-annotations\n   virtual-server.f5.com/ip: \"10.1.10.80\"\n   virtual-server.f5.com/http-port: \"443\"\n   virtual-server.f5.com/partition: \"kubernetes_AS3\"\n   virtual-server.f5.com/health: '[{\"path\": \"/\", \"send\": \"HTTP GET /\", \"interval\": 5, \"timeout\": 10}]'\nspec:\n backend:\n   # The name of the Service you want to expose to external traffic\n   serviceName: f5-hello-world\n   servicePort: 8080\n

\n\n

\n\n

you can review the BIG-IP configuration by going into the kubernetes_AS3 partition

\n\n

\n\n

\n\n

Summary

\n\n

In this article we saw how to deploy CIS with AS3 to handle ingress services.

\n\n

CIS has more capabilities than ingress that you may review here: https://clouddocs.f5.com/containers/v2/kubernetes/ (configmap, routes, …)

\n\n

----

\n\n

Relevant links to this article:

\n\n

• https://www.f5.com/products/automation-and-orchestration/container-ingress-services
• https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-use-as3-backend.html
• https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-k8s-as3.html
• https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-app-install.html

In our previous article, we have setup Kubernetes and calico with our BIG-IPs. Now we will setup F5 Container Ingress Services (F5 CIS) and deploy an ingress service.

\n\n

Note: in this deployment, we will setup F5 CIS in the namespace kube-system

\n\n

BIG-IPs Setup

\n\n

Setup our Kubernetes partition

\n\n

Before deploying F5 Container Ingress Services, we need to setup our BIG-IPs:

\n\n

• Setup a partition that CIS will use.
• Install AS3

\n\n

\n\n

On EACH BIG-IP, you need to do the following:

\n\n

In the GUI, go to System > User > Partitions List and click on the Create button

\n\n

\n\n

\n\n

Create a partition called \"kubernetes\" and click Finished

\n\n

\n\n

Next we need to download the AS3 extension and install it on each BIG-IP. 

\n\n

\n\n

Install AS3

\n\n

Go to GitHub . Select the release with the \"latest\" tag and download the rpm.

\n\n

\n\n

\n\n

Once you have the rpm, go to iApps > Package Management LX and click the Import button (you need to run BIG-IP v12.1 or later) on EACH BIG-IP

\n\n

\n\n

\n\n

Chose your rpm and click Upload. Once the rpm has been uploaded and loaded, you should see this: 

\n\n

\n\n

\n\n

Our BIG-IPs are setup properly now.

\n\n

Next, we will deploy F5 CIS

\n\n

\n\n

CIS Deployment

\n\n

Connect to your Kubernetes cluster. We will need to setup the following:

\n\n

• Create a Kubernetes secret to store our BIG-IPs credentials
• Setup a service account for CIS and setup RBAC
• Setup our CIS configuration. We will need 1xCIS per BIG-IP (even when BIG-IP is setup as a cluster - we don't recommend automatic sync between BIG-IPs)
• Deploy one CIS per BIG-IP

\n\n

\n\n

Store our BIG-IP credentials in a kubernetes secret

\n\n

To store your credentials (login/password) in a kubernetes secret, you can run the following command (https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-secrets.html#secret-bigip-login):

\n\n

kubectl create secret generic bigip-login --namespace kube-system --from-literal=username=<your_login> --from-literal=password=<your_password>

\n\n

\n\n

In my setup, my credentials are the following:

\n\n

• Login: admin
• Password: D3f4ult123

\n\n

So we'll run the following command:

\n\n

kubectl create secret generic bigip-login --namespace kube-system --from-literal=username=admin --from-literal=password=D3f4ult123

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl create secret generic bigip-login --namespace kube-system --from-literal=username=admin --from-literal=password=D3f4ult123\nsecret/bigip-login created\n

\n\n

\n\n

Create a Service Account /RBAC for CIS

\n\n

Now we need to create our service account (https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-app-install.html#set-up-rbac-authentication):

\n\n

Run the following command: :

\n\n

kubectl create serviceaccount bigip-ctlr -n kube-system

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl create serviceaccount bigip-ctlr -n kube-system\nserviceaccount/bigip-ctlr created\n

\n\n

\n\n

Use your favorite editor to create this file:

\n\n

f5-k8s-sample-rbac.yaml:

\n\n

# for use in k8s clusters only\n # for OpenShift, use the OpenShift-specific examples\n kind: ClusterRole\n apiVersion: rbac.authorization.k8s.io/v1\n metadata:\n  name: bigip-ctlr-clusterrole\n rules:\n - apiGroups: [\"\", \"extensions\"]\n  resources: [\"nodes\", \"services\", \"endpoints\", \"namespaces\", \"ingresses\", \"pods\"]\n  verbs: [\"get\", \"list\", \"watch\"]\n - apiGroups: [\"\", \"extensions\"]\n  resources: [\"configmaps\", \"events\", \"ingresses/status\"]\n  verbs: [\"get\", \"list\", \"watch\", \"update\", \"create\", \"patch\"]\n - apiGroups: [\"\", \"extensions\"]\n  resources: [\"secrets\"]\n  resourceNames: [\"<secret-containing-bigip-login>\"]\n  verbs: [\"get\", \"list\", \"watch\"]\n---\nkind: ClusterRoleBinding\n apiVersion: rbac.authorization.k8s.io/v1\n metadata:\n  name: bigip-ctlr-clusterrole-binding\n  namespace: kube-system\n roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: bigip-ctlr-clusterrole\n subjects:\n - apiGroup: \"\"\n  kind: ServiceAccount\n  name: bigip-ctlr\n  namespace: kube-system\n

\n\n

\n\n

Deploy this config by running the following command:

\n\n

kubectl apply -f f5-k8s-sample-rbac.yaml

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl apply -f f5-k8s-sample-rbac.yaml\nclusterrole.rbac.authorization.k8s.io/bigip-ctlr-clusterrole created\nclusterrolebinding.rbac.authorization.k8s.io/bigip-ctlr-clusterrole-binding created\n

\n\n

\n\n

Next step is to setup our CIS deployment files

\n\n

\n\n

Create our CIS deployment configurations

\n\n

Use your favorite editor to create the following files:

\n\n

\n\n

setup_cis_bigip1.yaml:

\n\n

apiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: k8s-bigip1-ctlr-deployment\n namespace: kube-system\nspec:\n selector:\n   matchLabels:\n     app: k8s-bigip1-ctlr\n # DO NOT INCREASE REPLICA COUNT\n replicas: 1\n template:\n   metadata:\n     labels:\n       app: k8s-bigip1-ctlr\n   spec:\n     # Name of the Service Account bound to a Cluster Role with the required\n     # permissions\n     serviceAccountName: bigip-ctlr\n     containers:\n       - name: k8s-bigip-ctlr\n         image: \"f5networks/k8s-bigip-ctlr\"\n         env:\n           - name: BIGIP_USERNAME\n             valueFrom:\n               secretKeyRef:\n                 # Replace with the name of the Secret containing your login\n                 # credentials\n                 name: bigip-login\n                 key: username\n           - name: BIGIP_PASSWORD\n             valueFrom:\n               secretKeyRef:\n                 # Replace with the name of the Secret containing your login\n                 # credentials\n                 name: bigip-login\n                 key: password\n         command: [\"/app/bin/k8s-bigip-ctlr\"]\n         args: [\n           # See the k8s-bigip-ctlr documentation for information about\n           # all config options\n           # https://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest\n           \"--bigip-username=$(BIGIP_USERNAME)\",\n           \"--bigip-password=$(BIGIP_PASSWORD)\",\n           \"--bigip-url=10.1.20.11\",\n           \"--bigip-partition=kubernetes\",\n           \"--insecure=true\",\n           \"--pool-member-type=cluster\",\n           \"--agent=as3\"\n           ]\n     imagePullSecrets:\n       # Secret that gives access to a private docker registry\n       - name: f5-docker-images\n       # Secret containing the BIG-IP system login credentials\n       - name: bigip-login\n

\n\n

\n\n

setup_cis_bigip2.yaml:

\n\n

apiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: k8s-bigip2-ctlr-deployment\n namespace: kube-system\nspec:\n selector:\n   matchLabels:\n     app: k8s-bigip2-ctlr\n # DO NOT INCREASE REPLICA COUNT\n replicas: 1\n template:\n   metadata:\n     labels:\n       app: k8s-bigip2-ctlr\n   spec:\n     # Name of the Service Account bound to a Cluster Role with the required\n     # permissions\n     serviceAccountName: bigip-ctlr\n     containers:\n       - name: k8s-bigip-ctlr\n         image: \"f5networks/k8s-bigip-ctlr\"\n         env:\n           - name: BIGIP_USERNAME\n             valueFrom:\n               secretKeyRef:\n                 # Replace with the name of the Secret containing your login\n                 # credentials\n                 name: bigip-login\n                 key: username\n           - name: BIGIP_PASSWORD\n             valueFrom:\n               secretKeyRef:\n                 # Replace with the name of the Secret containing your login\n                 # credentials\n                 name: bigip-login\n                 key: password\n         command: [\"/app/bin/k8s-bigip-ctlr\"]\n         args: [\n           # See the k8s-bigip-ctlr documentation for information about\n           # all config options\n           # https://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest\n           \"--bigip-username=$(BIGIP_USERNAME)\",\n           \"--bigip-password=$(BIGIP_PASSWORD)\",\n           \"--bigip-url=10.1.20.12\",\n           \"--bigip-partition=kubernetes\",\n           \"--insecure=true\",\n           \"--pool-member-type=cluster\",\n           \"--agent=as3\"\n           ]\n     imagePullSecrets:\n       # Secret that gives access to a private docker registry\n       - name: f5-docker-images\n       # Secret containing the BIG-IP system login credentials\n       - name: bigip-login\n

\n\n

\n\n

To deploy our CIS, run the following commands:

\n\n

kubectl apply -f setup_cis_bigip1.yaml

\n\n

kubectl apply -f setup_cis_bigip2.yaml

\n\n

\n\n

You can make sure that they got deployed successfully:

\n\n

kubectl get pods -n kube-system

\n\n

\n\n

\n\n

You can review if it launched successfully with the commands:

\n\n

kubectl logs <pod_name> -n kube system

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl logs k8s-bigip2-ctlr-deployment-6f674c8d58-bbzqv -n kube-system\n2020/01/03 12:04:06 [INFO] Starting: Version: 1.12.0, BuildInfo: n2050-623590021\n2020/01/03 12:04:06 [INFO] ConfigWriter started: 0xc0002bb950\n2020/01/03 12:04:06 [INFO] Started config driver sub-process at pid: 14\n2020/01/03 12:04:07 [INFO] NodePoller (0xc000b7c090) registering new listener: 0x11bfea0\n2020/01/03 12:04:07 [INFO] NodePoller started: (0xc000b7c090)\n2020/01/03 12:04:07 [INFO] Watching Ingress resources.\n2020/01/03 12:04:07 [INFO] Watching ConfigMap resources.\n2020/01/03 12:04:07 [INFO] Handling ConfigMap resource events.\n2020/01/03 12:04:07 [INFO] Handling Ingress resource events.\n2020/01/03 12:04:07 [INFO] Registered BigIP Metrics\n2020/01/03 12:04:07 [INFO] [2020-01-03 12:04:07,663 __main__ INFO] entering inotify loop to watch /tmp/k8s-bigip-ctlr.config563475778/config.json\n2020/01/03 12:04:08 [INFO] Successfully Sent the FDB Records\n

\n\n

\n\n

You may also check your BIG-IPs configuration: if CIS has been able to connect successfully, it will have created *another* partition called \"kubernetes_AS3\".This is explained here: https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-use-as3-backend.html

\n\n

\n\n

CIS will create partition kubernetes_AS3 to store LTM objects such as pools, and virtual servers. FDB, and Static ARP entries are stored in kubernetes. These partitions should not be managed manually. 

\n\n

\n\n

\n\n

Application Deployment

\n\n

In this section, we will do the following:

\n\n

• Deploy an application with 2 replicas (ie 2 instances of our app)
• Setup an ingress service to connect to your application

\n\n

Deploy our application and service

\n\n

Create the following service and deployment configuration files:

\n\n

f5-hello-world-app-http-deployment.yaml

\n\n

apiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: f5-hello-world\n namespace: default\nspec:\n replicas: 2\n selector:\n   matchLabels:\n     app: f5-hello-world\n template:\n   metadata:\n     labels:\n       app: f5-hello-world\n   spec:\n     containers:\n     - env:\n       - name: service_name\n         value: f5-hello-world\n       image: f5devcentral/f5-hello-world:latest\n       imagePullPolicy: Always\n       name: f5-hello-world\n       ports:\n       - containerPort: 8080\n         protocol: TCP\n

\n\n

\n\n

f5-hello-world-app-http-service.yaml

\n\n

apiVersion: v1\nkind: Service\nmetadata:\n name: f5-hello-world\n namespace: default\n labels:\n   app: f5-hello-world\nspec:\n ports:\n - name: f5-hello-world\n   port: 8080\n   protocol: TCP\n   targetPort: 8080\n type: NodePort\n selector:\n   app: f5-hello-world\n

\n\n

\n\n

Apply your deployment and service:

\n\n

kubectl apply -f f5-hello-world-app-http-deployment.yaml

\n\n

kubectl apply -f f5-hello-world-app-http-service.yaml

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl apply -f f5-hello-world-app-http-deployment.yaml\ndeployment.apps/f5-hello-world created\nubuntu@ip-10-1-1-4:~$ kubectl apply -f f5-hello-world-app-http-service.yaml\nservice/f5-hello-world created\n

\n\n

\n\n

You can review your deployment and service with kubectl get :

\n\n

ubuntu@ip-10-1-1-4:~$ kubectl get pods\nNAME                             READY  STATUS   RESTARTS  AGE\nf5-hello-world-847698f5c6-59mmn  1/1    Running  0         2m3s\nf5-hello-world-847698f5c6-pcz9v  1/1    Running  0         2m3s\nubuntu@ip-10-1-1-4:~$ kubectl get svc\nNAME            TYPE       CLUSTER-IP    EXTERNAL-IP  PORT(S)         AGE\nf5-hello-world  NodePort   10.97.83.208  <none>       8080:31380/TCP  2m\nkubernetes      ClusterIP  10.96.0.1     <none>       443/TCP         63d\n

\n\n

\n\n

Define our ingress service

\n\n

CIS ingress annotations can be reviewed here: https://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/v1.11/#ingress-resources

\n\n

\n\n

Create the following file:

\n\n

f5-as3-ingress.yaml:

\n\n

apiVersion: extensions/v1beta1\nkind: Ingress\nmetadata:\n name: singleingress1\n namespace: default\n annotations:\n # See the k8s-bigip-ctlr documentation for information about\n # all Ingress Annotations\n # https://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest/#supported-ingress-annotations\n   virtual-server.f5.com/ip: \"10.1.10.80\"\n   virtual-server.f5.com/http-port: \"443\"\n   virtual-server.f5.com/partition: \"kubernetes_AS3\"\n   virtual-server.f5.com/health: '[{\"path\": \"/\", \"send\": \"HTTP GET /\", \"interval\": 5, \"timeout\": 10}]'\nspec:\n backend:\n   # The name of the Service you want to expose to external traffic\n   serviceName: f5-hello-world\n   servicePort: 8080\n

\n\n

\n\n

you can review the BIG-IP configuration by going into the kubernetes_AS3 partition

\n\n

\n\n

\n\n

Summary

\n\n

In this article we saw how to deploy CIS with AS3 to handle ingress services.

\n\n

CIS has more capabilities than ingress that you may review here: https://clouddocs.f5.com/containers/v2/kubernetes/ (configmap, routes, …)

\n\n

----

\n\n

Relevant links to this article:

\n\n

• https://www.f5.com/products/automation-and-orchestration/container-ingress-services
• https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-use-as3-backend.html
• https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-k8s-as3.html
• https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-app-install.html