F5 Distributed Cloud Kubernetes Integration: Securing Services with Direct Pod Connectivity
Basically, the F5 XC Customer Edge can connect to the k8s API like the F5 BIG-IP CIS, and with BGP that advertises the pods with a /24, for example, the XC CE can send traffic directly to the pod IP addresses. Basically, like NGINX Ingress or CIS, the CE uses the service to discover its endpoints ("kubectl get endpoints").
As a note, k8s LB services with /32 can be advertised by BGP, as Calico, Cilium or MetalLB support "externalTrafficPolicy: Local" (so that the service is advertised only from nodes that have application pods), and maybe by selecting "Kubernetes POD is isolated" the F5 XC CE can discover the nodes and not the pods and, with a health monitor, see which nodes have active user pods, as in the routing table of the CE only those nodes will advertise the service /32 with BGP, so any health monitor will work to mark the other nodes as down. This will be similar to F5 BIG-IP CIS in node-ip mode. I think this is also a good idea for direct access to isolated pods through an LB service, what do you think Philippe_Veys?
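To make the two modes in the post concrete, here is an added example (not code from the post, from F5 or from any CNI project) that takes a Service's Endpoints object, as `kubectl get endpoints -o json` returns it, and works out what a BGP-fed load balancer would see: in direct-pod mode, the ready pod IP:port pairs; in node mode with `externalTrafficPolicy: Local`, only the nodes that host a ready pod announce the LoadBalancer /32, while with the default `Cluster` policy every node does. The Endpoints document, the node InternalIPs and the LoadBalancer VIP are constructed placeholder values.

```python
"""Added example, not code from the post or from F5: given a Service's Endpoints
object, work out which targets a BGP-fed load balancer would see in the two modes
discussed above (direct pod IPs, or node IPs with externalTrafficPolicy: Local).
Sample data is constructed; node IPs and the LB VIP are placeholders."""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample shaped like `kubectl get endpoints web -o json` (abridged).
SAMPLE_ENDPOINTS_JSON = json.dumps({
    "kind": "Endpoints",
    "metadata": {"name": "web", "namespace": "shop"},
    "subsets": [{
        "addresses": [  # pods that passed their readiness probe
            {"ip": "10.244.1.5", "nodeName": "node-a", "targetRef": {"kind": "Pod", "name": "web-1"}},
            {"ip": "10.244.1.9", "nodeName": "node-a", "targetRef": {"kind": "Pod", "name": "web-2"}},
            {"ip": "10.244.2.7", "nodeName": "node-b", "targetRef": {"kind": "Pod", "name": "web-3"}},
        ],
        "notReadyAddresses": [  # scheduled but not ready: never a valid target
            {"ip": "10.244.3.4", "nodeName": "node-c", "targetRef": {"kind": "Pod", "name": "web-4"}},
        ],
        "ports": [{"name": "http", "port": 8080, "protocol": "TCP"}],
    }],
})

# Constructed node InternalIPs (placeholder values, as `kubectl get nodes -o wide` would list).
NODE_IPS: Dict[str, str] = {
    "node-a": "192.168.10.11", "node-b": "192.168.10.12", "node-c": "192.168.10.13",
}


def load_endpoints(json_text: str) -> dict:
    """Parse an Endpoints object and reject anything that is not one."""
    obj = json.loads(json_text)
    if obj.get("kind") != "Endpoints":
        raise ValueError("expected an Endpoints object, got %r" % obj.get("kind"))
    return obj


def pod_targets(endpoints: dict) -> List[Tuple[str, int]]:
    """Direct-pod mode: the CE load-balances straight to ready pod IP:port pairs,
    so the pod CIDR (e.g. a /24 per node) must be routable from the CE via BGP."""
    targets = []
    for subset in endpoints.get("subsets", []):
        for addr in subset.get("addresses", []):  # notReadyAddresses are skipped
            for port in subset.get("ports", []):
                targets.append((addr["ip"], port["port"]))
    return targets


def nodes_with_ready_pods(endpoints: dict) -> Set[str]:
    """Nodes hosting at least one ready pod of the service."""
    return {
        addr["nodeName"]
        for subset in endpoints.get("subsets", [])
        for addr in subset.get("addresses", [])
        if "nodeName" in addr
    }


def local_policy_routes(endpoints: dict, lb_ip: str, node_ips: Dict[str, str]) -> Dict[str, str]:
    """externalTrafficPolicy: Local -- only nodes with ready pods announce the
    LoadBalancer IP as a /32, so the route table itself acts as the health signal:
    a node missing from this map is 'down' for the service. Keys are next-hop
    node IPs, values the announced prefix."""
    return {node_ips[n]: lb_ip + "/32"
            for n in sorted(nodes_with_ready_pods(endpoints)) if n in node_ips}


def cluster_policy_routes(lb_ip: str, node_ips: Dict[str, str]) -> Dict[str, str]:
    """externalTrafficPolicy: Cluster (the default) -- every node announces the /32
    and forwards internally, so a node with no pods still looks healthy to BGP."""
    return {ip: lb_ip + "/32" for ip in node_ips.values()}


if __name__ == "__main__":
    ep = load_endpoints(SAMPLE_ENDPOINTS_JSON)
    print("direct pod targets:", pod_targets(ep))
    print("Local policy next-hops:", local_policy_routes(ep, "203.0.113.10", NODE_IPS))
    print("Cluster policy next-hops:", cluster_policy_routes("203.0.113.10", NODE_IPS))
```

With the sample data, node-c appears only in `notReadyAddresses`, so under the `Local` policy it never announces the /32 and the CE's routing table already excludes it; under the `Cluster` policy it would still announce the VIP and an external health monitor is the only thing that keeps traffic away from it.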