|
1 | | -# f5-ipam-controller |
| 1 | +# f5-ipam-controller for CIS 2.2.2 |
| 2 | + |
| 3 | +The F5 IPAM Controller is a Docker container that runs in an orchestration environment and interfaces with an IPAM system. It allocates IP addresses from an IPAM system’s address pool for hostnames in an orchestration environment. The F5 IPAM Controller watches orchestration-specific resources and consumes the hostnames within each resource. |
| 4 | + |
| 5 | +### The Controller can |
| 6 | + |
| 7 | +Allocate IP address from static IP address pool based on the CIDR mentioned in a Kubernetes resource The idea here is that we will support CRD, Type LB and probably also in the future route/ingress. We should make it more generic so that we don't have to update this later, F5 IPAM Controller decides to allocate the IP from the respective IP address pool for the hostname specified in the virtualserver custom resource. |
| 8 | + |
| 9 | + |
| 10 | +### F5 IPAM Deploy Configuration Options |
| 11 | + ``` |
| 12 | + - --orchestration=kubernetes |
| 13 | + ``` |
| 14 | +The orchestration parameter holds the orchestration environment i.e. Kubernetes. |
| 15 | +``` |
| 16 | +- --ip-range=" 172.16.3.17/28-172.16.3.30/28,172.16.3.33/28-172.16.3.46/28" |
| 17 | +``` |
| 18 | +ip-range parameter holds the IP address ranges and from this range, it creates a pool of IP address range which gets allocated to the corresponding hostname in the virtual server CRD. |
| 19 | +``` |
| 20 | +- --log-level=debug |
| 21 | +``` |
| 22 | +Log level parameter specify various logging level such as DEBUG, INFO, WARNING, ERROR, CRITICAL. |
| 23 | + |
| 24 | +#### Below is the RBAC for F5 IPAM Controller: |
| 25 | +``` |
| 26 | +kind: ClusterRole |
| 27 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 28 | +metadata: |
| 29 | + name: ipam-ctlr-clusterrole |
| 30 | +rules: |
| 31 | + - apiGroups: ["fic.f5.com"] |
| 32 | + resources: ["f5ipams"] |
| 33 | + verbs: ["get", "list", "watch", "update", "patch"] |
| 34 | +--- |
| 35 | +kind: ClusterRoleBinding |
| 36 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 37 | +metadata: |
| 38 | + name: ipam-ctlr-clusterrole-binding |
| 39 | + namespace: kube-system |
| 40 | +roleRef: |
| 41 | + apiGroup: rbac.authorization.k8s.io |
| 42 | + kind: ClusterRole |
| 43 | + name: ipam-ctlr-clusterrole |
| 44 | +subjects: |
| 45 | + - apiGroup: "" |
| 46 | + kind: ServiceAccount |
| 47 | + name: ipam-ctlr |
| 48 | + namespace: kube-system |
| 49 | +--- |
| 50 | +apiVersion: v1 |
| 51 | +kind: ServiceAccount |
| 52 | +metadata: |
| 53 | + name: ipam-ctlr |
| 54 | + namespace: kube-system |
| 55 | +``` |
| 56 | + |
| 57 | +#### Deployment example: |
| 58 | + |
| 59 | +``` |
| 60 | +apiVersion: apps/v1 |
| 61 | +kind: Deployment |
| 62 | +metadata: |
| 63 | + labels: |
| 64 | + name: f5-ipam-controller |
| 65 | + name: f5-ipam-controller |
| 66 | + namespace: kube-system |
| 67 | +spec: |
| 68 | + replicas: 1 |
| 69 | + selector: |
| 70 | + matchLabels: |
| 71 | + app: f5-ipam-controller |
| 72 | + template: |
| 73 | + metadata: |
| 74 | + labels: |
| 75 | + app: f5-ipam-controller |
| 76 | + spec: |
| 77 | + containers: |
| 78 | + - args: |
| 79 | + - --orchestration=kubernetes |
| 80 | + - --ip-range="172.16.3.17/28-172.16.3.30/28,172.16.3.33/28-172.16.3.46/28" |
| 81 | + - --log-level=DEBUG |
| 82 | + command: |
| 83 | + - /app/bin/f5-ipam-controller |
| 84 | + image: f5Networks/f5-ipam-controller |
| 85 | + imagePullPolicy: IfNotPresent |
| 86 | + name: f5-ipam-controller |
| 87 | + serviceAccount: ipam-ctlr |
| 88 | + serviceAccountName: ipam-ctlr |
| 89 | +``` |
| 90 | +#### Deploy RBAC and F5 IPAM Controller deployment |
| 91 | +``` |
| 92 | +kubectl create -f f5-ipam-rbac.yaml |
| 93 | +kubectl create -f f5-ipam-deployment.yaml |
| 94 | +``` |
| 95 | + |
| 96 | + |
| 97 | +### Configuring CIS to work with F5 IPAM Controller |
| 98 | + |
| 99 | + |
| 100 | +To configure CIS to work with the F5 IPAM controller, the user needs to give a parameter ```--ipam=true``` in the CIS deployment and also provide a parameter CIDR: "10.10.10.10/24" in the virtual server CRD. |
| 101 | + |
| 102 | +- NOTE: If the user provides the parameter ```--ipam=true``` in the CIS deployment then it is mandatory to provide the CIDR parameter in virtualserver CRD and also the virtualserver CRD should not have virtualServerAddress parameter. |
| 103 | + |
| 104 | +### Updating the Status in Virtual Server CRD |
| 105 | + |
| 106 | + |
| 107 | +The main aim of IPAM is to provide an IP address corresponding to each hostname provided in the VS CRD. |
| 108 | + |
| 109 | +The user needs to mandatorily provide the host and CIDR in the hostSpecs section of F5-CR. The F5 IPAM Controller, in turn, reads the hostSpecs of CR, processes it, and updates the IPStatus with each host provided in the hostSpecs with host, IP(which is generated from the range of IP address by FIC), and corresponding CIDR. |
| 110 | + |
| 111 | +- F5-ipam-controller (FIC) acts as a communication channel for updating the host, IP, and CIDR in VS CRD. |
| 112 | + |
| 113 | + ### Limitations |
| 114 | + |
| 115 | +- F5-ipam-controller cannot update and delete the hostname in the F5-IPAM custom resource hence update and deletion of IP address for virtual server custom may not work as expected. In case if the user wants to reflect the changes, the user can delete the F5-IPAM custom resource from kube-system named "f5ipam" and restart both the controller. |
| 116 | +- Currently, F5 IPAM Controller does not support the update of CIDR and hostname. |
| 117 | +- If F5-IPAM Controller is misconfigured after it allocates few IPs for VS CR. It will remove all its entry from the IPStatus. After the user reconfigured with the correct one, FIC may not get the previous same IPs for the hostname |
| 118 | + |
| 119 | + |
| 120 | + |
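Review bot: the deployment example's `image: f5Networks/f5-ipam-controller` will not pull as written, because image repository names must be lowercase (`f5networks/...`), and it carries no tag, so with `imagePullPolicy: IfNotPresent` it silently resolves to `latest`; pin a version (or digest) in a README example that users will copy. The `--ip-range` argument is also inconsistent between the options section and the deployment: the first shows a leading space inside the quotes (`" 172.16.3.17/28-...`) and the second none, and in both the double quotes are part of a YAML plain scalar, so they reach the binary literally; either drop them or quote the whole list item. Likewise `--log-level=debug` in the options text versus `--log-level=DEBUG` in the deployment should agree with whatever the flag actually accepts. In the RBAC block, `ClusterRoleBinding` is cluster-scoped, so `namespace: kube-system` under its metadata is meaningless and should be removed; and the pod spec sets both `serviceAccount` and `serviceAccountName`, of which the former is deprecated, so keep only `serviceAccountName`. Two smaller doc points: the CIDR example `"10.10.10.10/24"` has host bits set and would read better as a network address such as `10.10.10.0/24`, and the Limitations section has grammar slips ("restart both the controller", "virtual server custom may not work") and a stray leading space before `### Limitations`.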