Tanzu Kubernetes Grid Multi-Cloud and F5 BIG-IP Series Load Balancer Integration
F5 BIG-IP is a widely deployed platform for application delivery, security, and monitoring, and yes, it still includes load balancers. In response to broad customer demand to integrate F5 BIG-IP with Tanzu Kubernetes Grid, VMware and F5 worked together to validate the integration and verify common use cases.
The F5 BIG-IP Local Traffic Manager (LTM) series of load balancers is available as programmable, cloud-ready virtual appliances with Layer 4 and Layer 7 throughput. Because the product is so widely deployed, IT departments can reuse their existing appliances, licenses and throughput for the Tanzu Kubernetes platform.
F5 BIG-IP Container Ingress Services (CIS) for Tanzu is now Partner Ready for VMware Tanzu, and F5 and VMware have developed a joint integration between the two products. VMware Tanzu Kubernetes Grid supports replacing or augmenting its ingress solution with a third-party option, which makes it possible for vendors such as F5 to build a seamless integration with Tanzu Kubernetes Grid. In this blog, we cover how customers can start using the two products together.
The Integration
VMware Tanzu Kubernetes Grid Multi-Cloud (TKGm) integrates with F5 BIG-IP CIS to bring F5's L4 and L7 features to the TKGm platform and the applications running on it. F5 BIG-IP Container Ingress Services (CIS) lets you manage your F5 BIG-IP device from Kubernetes using either environment's native CLI or API. For more information, see Overview of F5 BIG-IP Container Ingress Services.
Configuration:
1. Deploy F5 BIG-IP VE on vSphere and configure the AS3 package, a BIG-IP partition for CIS, and the VIP network.
2. Deploy the Tanzu Kubernetes cluster with Antrea as the CNI and Kube-VIP as the control plane endpoint provider. Enable the Antrea NodePortLocal feature on the workload cluster by setting ANTREA_NODEPORTLOCAL: "true" in the cluster configuration.
3. Create a Kubernetes secret with the BIG-IP credentials that CIS uses to reach the BIG-IP VM, and a service account for the controller:
# kubectl create secret generic bigip-login -n kube-system --from-literal=username=admin --from-literal=password='VMware123!'
# kubectl create serviceaccount bigip-ctlr -n kube-system
Passing the password with --from-literal leaves it in your shell history; outside a lab, read it from a file (--from-file) and prefer a dedicated BIG-IP account with only the rights CIS needs over the admin account.
4. Deploy the F5 custom resource definitions and the ClusterRole and ClusterRoleBinding required by the CIS controller by applying the F5-supplied RBAC manifest.
5. Install the F5 CIS controller on the Tanzu Kubernetes cluster. Deploy it with --pool-member-type set to nodeport or nodeportlocal and --custom-resource-mode set to true or false, depending on whether you need L4 (service type LoadBalancer), L7 (VirtualServer) or Kubernetes Ingress; see the supported combinations below.
For more information on configuring F5 CIS controller, see F5 documentation.
6. Create an F5 IngressClass by applying an IngressClass manifest whose controller is the F5 CIS controller.
7. Once the CIS controller and the F5 IngressClass are installed, deploy a sample Ingress application.
Add the annotation nodeportlocal.antrea.io/enabled: "true" to the Service so that Antrea allocates NodePortLocal ports for the pods the Service selects.
8. To have F5 IPAM assign the VIP addresses for LoadBalancer services and VirtualServers, configure the required RBAC and install the F5 IPAM controller. For more information, see Overview of F5 IPAM Controller.
9. F5 CIS supports the VirtualServer custom resource (L7) and Kubernetes services of type LoadBalancer (L4) for load balancing Kubernetes applications. For more information on configuring VirtualServer or LoadBalancer services, see the F5 GitHub documentation.
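Pulling steps 5 through 7 together, the following is an added example (not from the original post or from F5's repository) of the Ingress path: a CIS Deployment in NodePortLocal mode with custom resource mode off, the F5 IngressClass, a ClusterIP Service annotated for Antrea NodePortLocal, and an Ingress that pins its VIP by annotation because IPAM does not cover Ingress objects. The BIG-IP address, partition name, VIP, hostname and image tag are placeholders; the flag names, the controller name f5.com/cntr-ingress-svcs and the virtual-server.f5.com/ip annotation are taken from the F5 CIS documentation and should be checked against the CIS release you deploy.

```yaml
# Added example: CIS instance serving Kubernetes Ingress (NodePortLocal + CRD mode false).
# Placeholders: BIG-IP address, partition, VIP, hostname, image tag.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr-ingress
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels: {app: k8s-bigip-ctlr-ingress}
  template:
    metadata:
      labels: {app: k8s-bigip-ctlr-ingress}
    spec:
      serviceAccountName: bigip-ctlr              # bound by the F5-supplied RBAC manifest
      containers:
      - name: k8s-bigip-ctlr
        image: f5networks/k8s-bigip-ctlr:2.11.1   # placeholder tag; pin the release you validated
        env:
        - name: BIGIP_USERNAME
          valueFrom: {secretKeyRef: {name: bigip-login, key: username}}
        - name: BIGIP_PASSWORD
          valueFrom: {secretKeyRef: {name: bigip-login, key: password}}
        command: ["/app/bin/k8s-bigip-ctlr"]
        args:
        - --bigip-username=$(BIGIP_USERNAME)
        - --bigip-password=$(BIGIP_PASSWORD)
        - --bigip-url=192.0.2.10                  # BIG-IP management address (placeholder)
        - --bigip-partition=tkg-ingress           # partition owned by this CIS instance only
        - --pool-member-type=nodeportlocal        # pool members are <node>:<NPL port>
        - --custom-resource-mode=false            # Ingress mode; F5 CRDs are not watched
        - --share-nodes=true                      # lets a second CIS instance reuse the nodes
        - --insecure=true                         # lab only: skips BIG-IP TLS verification;
                                                  # in production use --trusted-certs-cfgmap instead
        - --as3-validation=true
        - --log-level=INFO
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: f5
spec:
  controller: f5.com/cntr-ingress-svcs            # controller name used by F5 CIS
---
apiVersion: v1
kind: Service
metadata:
  name: web
  annotations:
    nodeportlocal.antrea.io/enabled: "true"       # Antrea allocates one node port per pod
spec:
  type: ClusterIP                                 # NodePortLocal mode requires ClusterIP
  selector: {app: web}
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  annotations:
    virtual-server.f5.com/ip: "198.51.100.20"     # VIP set by hand: IPAM is CRD-mode only
spec:
  ingressClassName: f5
  rules:
  - host: web.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: {name: web, port: {number: 80}}
```

Apply it with kubectl apply -f and confirm on the BIG-IP that a virtual server with address 198.51.100.20 appears in the tkg-ingress partition, with pool members whose ports are the per-pod NodePortLocal ports rather than a single NodePort.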
Supported CIS combinations:
- F5 CIS controller custom resource mode (--custom-resource-mode):
  - TRUE supports Kubernetes service type LoadBalancer (L4), VirtualServer (L7), IPAM and some other F5 CRDs. For more information, see F5 GitHub.
  - FALSE supports Kubernetes Ingress.
- F5 CIS controller pool member type (--pool-member-type):
  - nodeport: CIS deployed in Nodeport mode with CRD mode TRUE supports Kubernetes service type LoadBalancer (L4) and the F5 VirtualServer CRD (L7).
  - nodeportlocal: CIS deployed in Nodeportlocal mode with CRD mode TRUE supports only the F5 VirtualServer CRD (L7), and CIS deployed in Nodeportlocal mode with CRD mode FALSE supports only Kubernetes Ingress.
Note: If you want to run both L4 and Ingress together in a single Kubernetes cluster, you need to deploy two CIS instances, one in Nodeport mode and another in Nodeportlocal mode. You can run multiple CIS instances in the same cluster by adding the parameter --share-nodes=true to each CIS configuration, but each instance must use its own BIG-IP partition and its own VIP network.
Design Considerations:
- Because F5 IPAM requires CRD mode TRUE, it only supports service type LoadBalancer (L4) and VirtualServer (L7). IP addresses for Kubernetes Ingress objects must be assigned and maintained manually.
- IP assignment for LoadBalancer (L4) services is specified explicitly through IPAM.
- CIS in Nodeportlocal mode requires the backend Kubernetes application to be deployed as service type ClusterIP, whereas CIS in Nodeport mode requires service type NodePort.
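To make the two-instance note and the service type requirements concrete, the following added example (again not from the original post or F5's repository) shows the second CIS instance that runs alongside the Ingress instance: NodePort mode with custom resource mode on, in its own BIG-IP partition, with --share-nodes=true so both controllers can register the same nodes. It is followed by the two object kinds this instance serves: a VirtualServer (L7) whose backend is a NodePort service and whose VIP comes from IPAM via ipamLabel, and a type LoadBalancer Service (L4) carrying the cis.f5.com/ipamLabel annotation. The partition, IPAM label, addresses and image tag are placeholders, and the IPAM label must match a range configured on the F5 IPAM controller.

```yaml
# Added example: second CIS instance for L4/L7 via F5 CRDs (NodePort + CRD mode true).
# Shares nodes with the Ingress instance but owns a different partition and VIP network.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr-crd
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels: {app: k8s-bigip-ctlr-crd}
  template:
    metadata:
      labels: {app: k8s-bigip-ctlr-crd}
    spec:
      serviceAccountName: bigip-ctlr
      containers:
      - name: k8s-bigip-ctlr
        image: f5networks/k8s-bigip-ctlr:2.11.1   # placeholder tag; same release as instance one
        env:
        - name: BIGIP_USERNAME
          valueFrom: {secretKeyRef: {name: bigip-login, key: username}}
        - name: BIGIP_PASSWORD
          valueFrom: {secretKeyRef: {name: bigip-login, key: password}}
        command: ["/app/bin/k8s-bigip-ctlr"]
        args:
        - --bigip-username=$(BIGIP_USERNAME)
        - --bigip-password=$(BIGIP_PASSWORD)
        - --bigip-url=192.0.2.10
        - --bigip-partition=tkg-crd               # must differ from the Ingress instance's partition
        - --pool-member-type=nodeport             # pool members are <node>:<NodePort>
        - --custom-resource-mode=true             # watch VirtualServer and other F5 CRDs
        - --share-nodes=true                      # required when two CIS instances share nodes
        - --ipam=true                             # delegate VIP allocation to the F5 IPAM controller
        - --insecure=true                         # lab only, as in the Ingress instance
        - --log-level=INFO
---
apiVersion: v1
kind: Service
metadata:
  name: api
spec:
  type: NodePort                                  # NodePort mode: backends must be NodePort
  selector: {app: api}
  ports:
  - port: 8080
    targetPort: 8080
---
apiVersion: cis.f5.com/v1
kind: VirtualServer
metadata:
  name: api-vs
  labels:
    f5cr: "true"                                  # label CIS uses to select its CRs
spec:
  host: api.example.com
  ipamLabel: "tkg-vip"                            # VIP allocated from the matching IPAM range
  pools:
  - path: /
    service: api
    servicePort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: tcp-app
  annotations:
    cis.f5.com/ipamLabel: "tkg-vip"               # L4 VIP also comes from IPAM
spec:
  type: LoadBalancer                              # type LoadBalancer also allocates a NodePort
  selector: {app: tcp-app}
  ports:
  - port: 5432
    targetPort: 5432
```

After applying, kubectl get virtualserver api-vs and kubectl get svc tcp-app should both show an address from the tkg-vip range once the IPAM controller has allocated it, and the BIG-IP should show those virtual servers in the tkg-crd partition while the Ingress virtual server stays in tkg-ingress.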