
Can an F5 VIP and Pool have a container member?

DaisyT-G
Nimbostratus

I have a container running on a Server with port 80 (TCP) exposed. The container is up and running when you test it on the serverIP and container port for example 172.27.27.2:80.

I would now like to point an F5 VIP at a pool containing the member 172.27.27.2:80. I don't want to set up anything fancy using the F5 K8s setup, but configure it through the F5 as if it were a basic IIS site or Windows service. I cannot think of one, but is there a reason this is not possible? And is there a specific health monitor that should be used? At the moment the F5 keeps marking the member as offline.

3 REPLIES

Since you mentioned Kubernetes, I'm assuming you're talking about Pods. Pods behind a Kubernetes cluster are not directly reachable and they're ephemeral, i.e. they can "die" and be replaced by another pod using a different IP address.
If you want to make your Pods reachable, you need to create an object called Service. The function of a Service is similar to a Load Balancer. You add a bunch of pods to a service and it load balances the requests to them. Services have a unique FQDN and IP address and this will solve the issue where pods are ephemeral. Up to now, this is all within your Kubernetes cluster. So you've got Service pointing to pods.

After that, you need to "expose" your service. Exposing just means "making it reachable" externally. There are a couple of options, but you'd normally use the "NodePort" option, where each node in your Kubernetes cluster will be reachable via its EXTERNAL_IP:PORT.
You now add EXTERNAL_IP:PORT as pool members of your virtual server on BIG-IP and BIG-IP handles traffic for the Service at the specified virtual address and load balances to all nodes in the cluster. Within the cluster, the allocated NodePort load balances traffic to all pods.

However, this is not ideal because it doesn't track changes within your Kubernetes cluster, and for that reason I'd recommend using kctlr-k8s-ingress-ctlr (https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-k8s-ingress-ctlr.html).

If you're using just a container on a bare metal server, not behind Kubernetes, you just need to expose your container externally, i.e. make it reachable, and BIG-IP should be able to monitor it.
Hope it helps.
Rodrigo

Thanks Rodrigo, this confirms what I thought, I must just be missing a setting somewhere 🙂

DaisyT-G
Nimbostratus

The resolution to this turned out to be quite simple. The firewall setup to allow the F5 to access our servers was for a specific port range only. The Traefik ports (80, 443, 8080) were not included in this range. Once the rules were added, the pool member was able to pass the health monitor checks.
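Added example, not from this thread or from F5: a small Python probe that checks each pool member the way a BIG-IP TCP monitor does (one TCP connect per member, as Rodrigo's "BIG-IP should be able to monitor it" relies on) and classifies the failure, so the case from the resolution above (a firewall that only allows a port range, so the connect times out) is told apart from a host with nothing listening on the port. The member addresses are constructed, and `simulate` is a hypothetical dry-run helper, not an F5 feature.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample pool: the container host from the question plus one
# Kubernetes NodePort member (EXTERNAL_IP:PORT) as described in the answer.
SAMPLE_MEMBERS: List[Tuple[str, int]] = [("172.27.27.2", 80), ("172.27.27.3", 30080)]

def tcp_connect(host: str, port: int, timeout: float = 3.0) -> None:
    """Default connector: open and close a TCP connection as a BIG-IP TCP
    monitor does; raises OSError (timeout, refused, unreachable) on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass

def classify(exc: Optional[BaseException]) -> str:
    """Translate the connect outcome into a status that says where to look."""
    if exc is None:
        return "up"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # Packets silently dropped: typical of a firewall that only permits a
        # port range, which is what the resolution above found.
        return "down: timeout (filtered; check firewall port range and routing)"
    if isinstance(exc, ConnectionRefusedError):
        # Host answered with a RST: reachable, but nothing listens on that port.
        return "down: refused (host reachable, nothing listening on port)"
    return f"down: {type(exc).__name__}"

def probe_members(members: List[Tuple[str, int]],
                  connector: Callable[[str, int], None] = tcp_connect) -> Dict[str, str]:
    """Probe every member once and return {'host:port': status}."""
    results: Dict[str, str] = {}
    for host, port in members:
        try:
            connector(host, port)
            results[f"{host}:{port}"] = classify(None)
        except OSError as exc:
            results[f"{host}:{port}"] = classify(exc)
    return results

def simulate(outcomes: Dict[str, Optional[OSError]]) -> Callable[[str, int], None]:
    """Hypothetical dry-run connector: raises the configured error per member,
    so the classification can be exercised without network access."""
    def connector(host: str, port: int) -> None:
        exc = outcomes.get(f"{host}:{port}")
        if exc is not None:
            raise exc
    return connector

if __name__ == "__main__":
    for member, status in probe_members(SAMPLE_MEMBERS).items():
        print(member, status)
```

Run it from a host in the same network position as the BIG-IP self IP; a "timeout" result on a member the BIG-IP marks offline points at the firewall rules before any monitor settings.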