k8s
4 Topics

F5 CIS IngressLink attaching WAF policy on the big-ip through the CRD?
Hey Everyone,

I did a lot of lab testing for F5 CIS. One interesting thing I saw is that the IngressLink integration between F5 BIG-IP and Nginx Ingress does not have the policy option where you create a policy CRD with WAF, APM Access and F5 profiles and attach it to the VirtualServer or Service of type load balancer.

Maybe the option is there, but at https://clouddocs.f5.com/containers/latest/userguide/ingresslink/ or https://github.com/F5Networks/k8s-bigip-ctlr I just don't see it, and I have no F5 Nginx Ingress to test, as in my lab I have F5 BIG-IP and the Community Nginx.

I may open a git case, but in the future, as I still don't have a use case for this; I just saw it and became interested in whether the policy option is there but just not documented.

Solved, 54 Views, 0 likes, 1 Comment

How can k8s CIS CRD VirtualServer reference existing APM Access profile?
Hey Everyone,

How can k8s Container Ingress Services (CIS) CRD VirtualServer reference an existing APM Access profile? I know that this is in AS3 ( https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3.32/declarations/access-related.html ) but I don't see such options in the virtualserver ( https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html ) or policy ( https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html ) CRD, and I don't want to use the old way with config maps.

Edit: A not great workaround I found is attaching an access profile by using an iRule (APM access-profile can be assigned from iRule only), as the F5 CRD supports attaching configured existing iRules.

apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: vs-test
  namespace: xxxx
  labels:
    f5cr: "true"
spec:
  virtualServerAddress: "xxxx"
  virtualServerHTTPPort: xxx
  snat: auto
  iRules:
  - "/Common/test-irule"
  pools:
  - monitor:
      interval: 10
      recv: ""
      send: "GET /"
      timeout: 31
      type: http
    path: /
    service: XXX
    servicePort: 80

Solved, 68 Views, 0 likes, 3 Comments

F5 kubernetes f5 controller failing to compose 'poolMemberAddrs' and failing to generate F5 objects
Hi - I set this up: http://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/v1.0/ and getting errors after uploading my configmap and an applicable service:

2017/04/28 23:43:30 [INFO] File "/app/python/_f5.py", line 393, in _create_ltm_config_kubernetes
2017/04/28 23:43:30 [INFO] for node in backend['poolMemberAddrs']:
2017/04/28 23:43:30 [INFO] TypeError: 'NoneType' object is not iterable

The config file generated by /app/bin/k8s-bigip-ctlr does not populate "poolMemberAddrs" so the python f5 handler /app/python/bigipconfigdriver.py is crashing since it cannot figure out the nodeport targets:

/app cat /tmp/k8s-bigip-ctlr.config281602422/config.json
{"bigip":{"username":"xxxxxxxxx","password":"yyyyyyyy","url":";:["k8s"]},"global":{"log-level":"INFO","verify-interval":30},"services":[{"virtualServer":{"backend":{"serviceName":"av-service","servicePort":30000,"poolMemberPort":0,"poolMemberAddrs":null},"frontend":{"virtualServerName":"default_av-service","partition":"k8s","balance":"round-robin","mode":"http","virtualAddress":{"bindAddr":"1.2.3.4","port":80},"iappPoolMemberTable":{"name":"","columns":null}}}}]}
/app

I ran out of anything helpful with debug statements or documentation about the closed source go binary...

io:$ kubectl get services/av-service -o wide
NAME         CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE   SELECTOR
av-service   10.25.104.158                 80:30000/TCP   2h    app=av

io:$ kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}'
10.25.82.193 10.25.82.65 10.25.83.54

Is this the right place to ask about what possible reasons the controller is crashing here?

417 Views, 0 likes, 3 Comments

An example of an AS3 Rest API call to create a GSLB configuration on BIG-IP.
Hi everyone,

Below you can find an example of an AS3 Rest API call that creates a simple GSLB configuration on BIG-IP devices. The main purpose of this article is to share this configuration with others. Of course, on different sites (github, etc) you can find different bits of data, but I think this example will be useful, because it contains all the necessary information about how to create different GSLB objects at the same time, such as: Data Centers (DCs), Servers, Virtual Servers (VSs), Wide IPs, pools, and more.

{
  "class": "AS3",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.21.0",
    "id": "GSLB_test",
    "Common": {
      "class": "Tenant",
      "Shared": {
        "class": "Application",
        "template": "shared",
        "DC1": { "class": "GSLB_Data_Center" },
        "DC2": { "class": "GSLB_Data_Center" },
        "device01": {
          "class": "GSLB_Server",
          "dataCenter": { "use": "DC1" },
          "virtualServers": [
            {
              "name": "/ocp/Shared/ingress_vs_1_443",
              "address": "A.B.C.D",
              "port": 443,
              "monitors": [ { "bigip": "/Common/custom_icmp_2" } ]
            }
          ],
          "devices": [ { "address": "A.B.C.D" } ]
        },
        "device02": {
          "class": "GSLB_Server",
          "dataCenter": { "use": "DC2" },
          "virtualServers": [
            {
              "name": "/ocp2/Shared/ingress_vs_2_443",
              "address": "A.B.C.D",
              "port": 443,
              "monitors": [ { "bigip": "/Common/custom_icmp_2" } ]
            }
          ],
          "devices": [ { "address": "A.B.C.D" } ]
        },
        "dns_listener": {
          "class": "Service_UDP",
          "virtualPort": 53,
          "virtualAddresses": [ "A.B.C.D" ],
          "profileUDP": { "use": "custom_udp" },
          "profileDNS": { "use": "custom_dns" }
        },
        "custom_dns": {
          "class": "DNS_Profile",
          "remark": "DNS Profile test",
          "parentProfile": { "bigip": "/Common/dns" }
        },
        "custom_udp": {
          "class": "UDP_Profile",
          "datagramLoadBalancing": true
        },
        "testpage_local": {
          "class": "GSLB_Domain",
          "domainName": "testpage.local",
          "resourceRecordType": "A",
          "pools": [ { "use": "testpage_pool" } ]
        },
        "testpage_pool": {
          "class": "GSLB_Pool",
          "resourceRecordType": "A",
          "members": [
            {
              "server": { "use": "/Common/Shared/device01" },
              "virtualServer": "/ocp/Shared/ingress_vs_1_443"
            },
            {
              "server": { "use": "/Common/Shared/device02" },
              "virtualServer": "/ocp2/Shared/ingress_vs_2_443"
            }
          ]
        }
      }
    }
  }
}

P.S. The AS3 schema guide was very helpful: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html

881 Views, 1 like, 2 Comments