f5-ipam-controller

module
v0.1.11 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 3, 2024 License: Apache-2.0

README

Build Status Coverage Status

F5 IPAM Controller

The F5 IPAM Controller is a Docker container that runs in an orchestration environment and interfaces with an IPAM system. It allocates IP addresses from an IPAM system’s address pool for hostnames in an orchestration environment. The F5 IPAM Controller watches orchestration-specific resources and consumes the hostnames within each resource.

In this IPAM

The F5 IPAM Controller can allocate IP address from static IP address pool based on the CIDR mentioned in a Kubernetes resource The idea here is that we will support CRD, Type LB and probably also in the future route/ingress. We should make it more generic so that we don't have to update this later, F5 IPAM Controller decides to allocate the IP from the respective IP address pool for the hostname specified in the virtualserver custom resource.

Supported kubernetes resource :

RESOURCES MINIMUM VERSION SUPPORTED
VS CRD CIS v2.2.2

Setup Diagram and Details

Architectural diagram of how F5-IPAM-Controller(FIC) fits in the environment

alt text The F5 IPAM Controller acts as an interface to CIS to provide an IP address from a pool of IP's to each hostname provided in the virtual server CRD.

Flow Chart for CIS-FIC working

alt text

F5 IPAM Deploy Configuration Options

Deployment Options

PARAMETER TYPE REQUIRED DESCRIPTION
orchestration String Required The orchestration parameter holds the orchestration environment i.e. Kubernetes.
ipam-provider String Required ipam-provider parameter holds the IP provider that holds the ownership of providing IP addresses such as infoblox, f5-ip-provider. Default is f5-ip-provider.
log-level String Optional Log level parameter specify various logging level such as DEBUG, INFO, WARNING, ERROR, CRITICAL.
namespace String Optional Kubernetes namespace(s) to watch. By default controller will watch only kube-system namespace. To specify multiple namespace, use multiple --namespace flags.

Deployment Options of Provider (f5-ip-provider)

PARAMETER TYPE REQUIRED DESCRIPTION
ip-range String Required ip-range parameter holds the IP address ranges and from this range, it creates a pool of IP address range which gets allocated to the corresponding hostname in the virtual server CRD

Deployment Options of Provider (infoblox)

PARAMETER TYPE REQUIRED DESCRIPTION
infoblox-labels String Required infoblox labels holds the mappings for infoblox's CIDR
infoblox-grid-host String Required URL (or IP Address) of Infoblox Grid Host
infoblox-wapi-port String Optional Port that the Infoblox Server listens on. Default is 443
infoblox-wapi-version String Required Web API version of Infoblox
infoblox-username String Required Username of Infoblox User
infoblox-password String Required Password of the given Infoblox User
infoblox-netview String Required Netview from which IP addresses needs to be allocated
credentials-directory String Optional Credentials can be mounted from k8s secrets

Note: On how to configure these Configuration Options, please refer to IPAM Deployment YAML example in below.

Installation
RBAC - ServiceAccount, ClusterRole and ClusterRoleBindings for F5 IPAM Controller
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ipam-ctlr-clusterrole
rules:
  - apiGroups: ["fic.f5.com"]
    resources: ["ipams","ipams/status"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ipam-ctlr-clusterrole-binding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ipam-ctlr-clusterrole
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: ipam-ctlr
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ipam-ctlr
  namespace: kube-system

Kubernetes supports a wide variety of storage options. Refer link for more details.

Note: Below example is just for demo purpose and is not suitable for production environment. Read through the limitations with each of the storage options and choose as per your production need. Please refer cloudodcs for more details.
Note: Local storage ties your application to a specific node as mentioned in nodeAffinity of PV yaml deployment.

Pre-requisite: Ensure mount directory (In below example, /tmp/cis_ipam) to be present on node.

Example: F5 IPAM Controller Deployment YAML with Default Provider and localstorage PV mount using securityContext
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: f5-ipam-controller
  name: f5-ipam-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: f5-ipam-controller
  template:
    metadata:
      labels:
        app: f5-ipam-controller
    spec:
      containers:
      - args:
        - --orchestration
        - kubernetes
        - --ip-range
        - '{"Dev":"172.16.3.21-172.16.3.30","Test":"172.16.3.31-172.16.3.40","Production":"172.16.3.41-172.16.3.50",
          "Default":"172.16.3.51-172.16.3.60,172.16.3.81-172.16.3.90" } '
        - --log-level
        - DEBUG
        command:
        - /app/bin/f5-ipam-controller
        image: f5networks/f5-ipam-controller:latest
        imagePullPolicy: IfNotPresent
        name: f5-ipam-controller
        terminationMessagePath: /dev/termination-log
        volumeMounts:
        - mountPath: /app/ipamdb
          name: samplevol
      securityContext:
        fsGroup: 1200
        runAsGroup: 1200
        runAsUser: 1200
      serviceAccount: bigip-controller
      serviceAccountName: bigip-controller
      volumes:
      - name: samplevol
        persistentVolumeClaim:
          claimName: pvc-local
Example: Persistent Volume using localstorage for IPAM controller deployment with default provider
apiVersion: v1
kind: PersistentVolume
metadata:
  name: local-pv
spec:
  capacity:
    storage: 1Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  storageClassName: local-storage
  local:
    path: /tmp/cis_ipam
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - <node-name>
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-local
  namespace: kube-system
spec:
  storageClassName: local-storage
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 0.1Gi
Example: F5 IPAM Controller Deployment YAML with Infoblox Provider
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: f5-ipam-controller
  name: f5-ipam-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: f5-ipam-controller
  template:
    metadata:
      labels:
        app: f5-ipam-controller
    spec:
      containers:
      - args:
        - --orchestration=kubernetes
        - --log-level=DEBUG
        - --ipam-provider
        - infoblox
        - --infoblox-labels
        - '{"Dev" :{"cidr": "172.16.4.0/24"},"Test" :{"cidr": "172.16.5.0/24"}}'
        - --infoblox-grid-host
        - 10.144.75.2
        - --infoblox-wapi-port=443
        - --infoblox-wapi-version
        - 2.11.2
        - --infoblox-username
        - user
        - --infoblox-password
        - paswd
        - --infoblox-netview
        - default

        command:
        - /app/bin/f5-ipam-controller
        image: f5networks/f5-ipam-controller
        imagePullPolicy: IfNotPresent
        name: f5-ipam-controller
      serviceAccount: ipam-ctlr
      serviceAccountName: ipam-ctlr
Deploying RBAC and F5 IPAM Controller

Using kubectl let's apply the above defined RBAC and Deployment definitions.

kubectl create -f f5-ipam-rbac.yaml
kubectl create -f f5-ipam-deployment.yaml
Configuring CIS to work with F5 IPAM Controller

To configure CIS to work with the F5 IPAM controller, the user needs to provide a parameter --ipam=true in the CIS deployment and also provide a parameter ipamLabel in the Kubernetes resource.

Note: ipamLabel can have values as mentioned in the ip-range parameter in the deployment.
Examples

Virtual Server CR

apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
 name: coffee-virtual-server
 labels:
   f5cr: "true"
spec:
 host: coffee.example.com
 ipamLabel: Dev
 pools:
 - path: /coffee
   service: svc-2
   servicePort: 80

Tansport Server CR

  apiVersion: cis.f5.com/v1
  kind: TransportServer
  metadata:
    generation: 2
    labels:
      f5cr: "true"
  spec:
    ipamLabel: Test
    mode: standard
    pool:
      monitor:
        interval: 20
        timeout: 10
        type: tcp
      service: test-svc
      servicePort: 1344
    snat: auto
    type: tcp
    virtualServerPort: 1344

CIS Deployment with ipam enabled

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr-deployment
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr"
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            "--bigip-url=<ip_address-or-hostname>",
            "--bigip-partition=<name_of_partition>",
            "--pool-member-type=nodeport",
            "--agent=as3",
            "--ipam=true", //Enable IPAM 
            ]
      imagePullSecrets:
        - name: f5-docker-images
        - name: bigip-login
NOTE:
  • If the user provides the parameter --ipam=true in the CIS deployment, then CIS decides if it needs to retrieve an IP Address from the IPAM Controller or not

  • If a VirtualServer Address is specified in the Kubernetes resource, CIS will not leverage the IPAM Controller for IP address even if a ipamLabel parameter is specified.

  • If No VirtualServer Address is specified in the Kubernetes resource and ipamLabel parameter is specified, CIS will leverage the IPAM Controller for allocation of IP address.

  • While using IPAM controller with default provider,

    • Regardless of storage option used, IPAM controller expects read and write permission for IPAM controller user (UID 1200) to mounted directory volume. To achieve this, localstorage PV example deployment uses securityContext.
    • Be aware of limitations with each of storage options before choosing one for your production environment.
Known Issues
  • FIC does not allocate the last IP address specified in the ip range.
  • Updating the --ip-range in FIC deployment is an issue.
  • Restarting FIC with infoblox ipam provider holds/allocate more ip addresses in infoblox.

Directories

Path Synopsis
cmd
pkg
ipamapis/apis/fic/v1
Package v1 is the v1 version of the API.
Package v1 is the v1 version of the API.
ipamapis/client/clientset/versioned
This package has the automatically generated clientset.
This package has the automatically generated clientset.
ipamapis/client/clientset/versioned/fake
This package has the automatically generated fake clientset.
This package has the automatically generated fake clientset.
ipamapis/client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
This package contains the scheme of the automatically generated clientset.
ipamapis/client/clientset/versioned/typed/fic/v1
This package has the automatically generated typed clients.
This package has the automatically generated typed clients.
ipamapis/client/clientset/versioned/typed/fic/v1/fake
Package fake has the automatically generated clients.
Package fake has the automatically generated clients.
vlogger
Package vlogger implements an interface around basic logging features so that end-user and library writers can code to the interface without worrying about the specific type of logging package that is being used.
Package vlogger implements an interface around basic logging features so that end-user and library writers can code to the interface without worrying about the specific type of logging package that is being used.
vlogger/console
log_console.go:
log_console.go:

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL