Integrating F5 BIG-IP with Kubernetes SIG Gateway API

The Trend of Gateway API in Kubernetes Community

Kubernetes has become one of the most popular open-source container orchestration platforms used by developers and IT operations teams worldwide. It provides an efficient, automatic, scalable, and self-healing way of deploying and managing containerized applications with resource optimized. It’s an essential tool for any organization that wants to use containers to enhance their IT operations. By the way, it is widely community supported.

As organizations continue to adopt Kubernetes for their containerized applications, the reliable and secure ingress control becomes to a great topic.

The SIG Gateway API(https://gateway-api.sigs.k8s.io/, shortly ‘Gateway API’) is a Kubernetes-native solution that enables administrators to configure and manage network infrastructure in a scalable and automated way.

The Gateway API is a Kubernetes enhancement proposal that introduces a declarative and extensible way to manage network infrastructure, including load balancers, firewalls, and proxies. It offers a unified way to manage these resources across different cloud providers and Kubernetes distributions, simplifying configuration and reducing operational overhead.

In a word, the Gateway API becomes an integral part of the Kubernetes ecosystem. It is supported by major vendors such as Google, AWS, and Microsoft.

BIG-IP Scenarios in ADC

As a market leader, F5 BIG-IP, provides a large range of advanced application delivery functionalities, such as advanced traffic management, security, and acceleration features. It enables organizations to scale their applications, improve availability, and enhance security posture that help enterprises deliver fast, secure, and highly available applications to their users.

F5 BIG-IP is good at loadbalancing, SSL/TLS offloading, application acceleration, secrity and HA and, as to networking scenarios, F5 BIG-IP is suitable for network environments of medium to large enterprises, supports multi-clouds and multi-protocols. It can run in public clouds, private clouds, or physical data centers.

Significance of Integrating BIG-IP with Kubernetes Gateway API

Unleash the powerful ADC capabilities of BIG-IP in Kubernetes Environments.

Based on the above understanding of the Gateway API trends in the kubernetes community, and the assessment of the powerful capabilities of BIG-IP, we incubated the project “BIG-IP Kubernetes Gateway API Controller”: https://github.com/f5devcentral/bigip-kubernetes-gateway.

BIG-IP Kubernetes Gateway API Controller is an open-source project from F5 Networks with community support, provides an automated, powerful and customizable Gateway API implementation. It utilizes powerful BIG-IP LTM instance as the Gateway API networking provider.

With BIG-IP Kubernetes Gateway API Controller, users can deploy business-related Gateway API configuration on the Kubernetes side in YAML format. Then, the controller automatically converts the relevant configuration into BIG-IP's corresponding LTM/Network configuration, enables various Gateway capabilities such as TLS offloading, load balancing etc. through BIG-IP. Thus, the powerful ADC capabilities of BIG-IP can be leveraged in a Kubernetes networking environment with a standard specification.

BIG-IP Integrating Gateway API Basic Design

BIG-IP Kubernetes Gateway API Controller is an opensource implementation of the golang language that runs as a standalone program in a pod.

Resource Monitoring

Like all other CRD implementations, BIG-IP Kubernetes Gateway API Controller monitors Kubernetes Gateway API CRD resources (gateway.networking.k8s.io/v1beta1) and converts them to BIG-IP-related configurations for deploying to BIG-IP devices.

In order to access various necessary resources of Kubernetes, we need to use specific ServiceAccount and ClusterRole that have specific permissions. Please refer to https://github.com/f5devcentral/bigip-kubernetes-gateway/blob/master/deploy/1.clusterrole-and-binding.yaml for permission details.

At to the implementation level, on the one hand, BIG-IP Kubernetes Gateway API Controller connects to the upstream Kubernetes, monitors Gateway API updating events from the cluster through the list-watch mechanism. The mechanism was encapsulated in client-go(k8s.io/client-go) and controller-runtime (sigs.k8s.io/controller-runtime).

On the other hand, BIG-IP Kubernetes Gateway API Controller connects to the downstream BIG-IP to parse, convert and deploy the Gateway API configuration to BIG-IP ADC resources. Here, we need to consider 2 problems,

• Network connectivity setup between Kubernetes CNI and BIG-IP traffic network.
• Automatic conversion and deployment of Gateway API resources.

Networking Enablement

In term of network connectivity, as we know, Kubernetes has different CNI types, like flannel(overlay), calico(underlay), etc.

For overlay network, we need to setup the tunnel between BIG-IP traffic network and Kubernetes network, so that the North-south traffic can go through. We need to setup the fdb/arp discovery ability when the service is deployed.

For underlay network, we need to setup the BGP protocol to do the neighbor discovery for any service deployment.

Notes that, all the networking setup should be automatic. The controller is responsible for network enablement along with BIG-IP resources’ deployment.

Resource Mapping

As to automatic deployment of Gateway API resources, in order to implement the ADC ability, we leverage BIG-IP LTM including Virtual, iRule, Pool, etc. To be simply describing, basically, we can map the concept of K8S Gateway API resources to BIG-IP resources as following:

K8S Resources	BIG-IP Resources
Controller	BIG-IP Device
GatewayClass	Partition
Gateway	Virtual
HTTPRoute	iRule/l7policy
Service	Pool
Deployment(pods)	Member

Along with more Gateway API functionalities, we may use more BIG-IP resource types.

There may be more details during the resource mapping. For example, HTTPRoute can be implemented on the BIG-IP side using iRule or l7policy. iRule is program-level flexibility, and it can handle not only Layer 7 traffic but also Layer 4 traffic, so both Filter and Matches in the HTTPRute definition can be implemented by converting to iRule codes.

Deploying Methods

BIG-IP provides a variety of Configuration Utilities, such as AS3, iControl Rest, tmsh.

In Controller, we currently use iControl Rest to assemble the list of deployed resources through transactions, and use incremental way to achieve the deployments, this process is encapsulated as BIG-IP iControl Rest golang module. It is characterized by incremental, fast, self-discovery of BIG-IP resource status, see .

Of course, another possibility is through AS3, which is F5 recommended. In the future BIG-IP Next product, AS3 as the only external configuration utility. We will continuously check its performance and integrate into the controller at the right time and in the right way.

Looking Forward

Along with more customers involved, we will be compatible with more/necessary .Spec functionalities such as those defined in ‘Experimental’ channel(https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels-eg-experimental-standard).

As we mentioned earlier that in the future we will be compatible with AS3 implementations.

We will keep this project updated to be compatible with and support newer versions of BIG-IPs.

What's More

For more information, see https://gateway-api.f5se.io/. You may find all update-to-day information about installation, usage and design documents there.