For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

F5 BIG-IP deployment with OpenShift - platform and networking options

Introduction This article is an architectural overview on how F5 BIG-IP can be used with Red Hat OpenShift. Several topics are covered, including: 1-tier or 2-tier arrangements, where the BIG-I...
Screenshot 2023-09-29 at 09.06.41.png
Updated Feb 22, 2024
Version 2.0
application delivery
cloud
devops
Ulises_Alonso's avatar
Icon for Employee rankEmployee
Solutions architect in Business Development with focus in automation and integration with partner's technologies. Prior to this role I was consultant in Professional Services and escalations engineer in Technical Support. Outside F5, I worked in mobile and wired network operators as network engineer. I started my career in academic research. In all these years, no matter what I've been doing Linux has been always the best tool. Not the one in the picture :-)
View Profile
thanhpnt's avatar
thanhpnt
Icon for Nimbostratus rankNimbostratus
Nov 12, 2025

Thanks for the article,
I have a question about multi-cluster architecture:
Would you recommend an approach where each OpenShift cluster has its own CIS instance, and each CIS connects to a separate BIG-IP tenant (rather than using partitions within a single tenant)?
In other words, is it viable (or better) to use one CIS + one tenant per cluster instead of splitting clusters via partitions in the same tenant?
I’d appreciate your thoughts on the pros/cons of each method

  • Ulises_Alonso's avatar
    Ulises_Alonso
    Icon for Employee rankEmployee
    Nov 14, 2025

    I like having different CIS instances for the different tenants. Note that each tenant which can represent a set of namespaces, and write in different partitions in the BIG-IP. How to define the scope of a tenant is something that should be adapted to each enterprise, it could be by department, functional unit, end-customer service... 

    This is specially useful in medium to large environments.

    Overall this separation is good because it limits the scope of any possible problem and it is easier to check logs. 

    Each of these CIS instances could work in multi-cluster mode for the same tenant in different clusters for OpenShift cluster resiliency. 

    Did I answer your question?

     

    • thanhpnt's avatar
      thanhpnt
      Icon for Nimbostratus rankNimbostratus
      Nov 17, 2025

      Hi,
      Thank you for your answer. I understand now that having separate CIS instances per tenant (and per OpenShift cluster) is generally better for isolation.
      I will proceed to implement multiple F5 tenants for my multi-cluster OpenShift deployment and explore running CIS instances per tenant for resiliency