F5Networks / f5-ipam-controller

The F5 IPAM Controller runs in an orchestration environment like Kubernetes to allocate IP addresses from an IPAM system to BIG-IP Virtual Servers. The purpose is to abstract the complexity related to setting up BIG-IP from a networking perspective.
Apache License 2.0
10 stars, 17 forks

Fail to get IP from IPAM #38

Closed JoshanFan closed 3 years ago

JoshanFan commented 3 years ago

FIC Version: 0.1.3
CIS Version: 2.4.1
FIC Build: f5networks/f5-ipam-controller:latest
CIS Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: BIG-IP 15.1.2.1
AS3 Version: 3.28.0
Orchestration: K8S
Orchestration Version:
Additional Setup details: CNI: Cilium + FRRouting

When creating a TransportServer CRD (including ipamLabel in the YAML file), the CIS pod logs "[ipam] error while retrieving IPAM custom resource" and fails to create the VS in BIG-IP.

CIS Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: bigip-ctlr
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bigip-ctlr
  template:
    metadata:
      name: bigip-ctlr
      labels:
        app: bigip-ctlr
    spec:
      serviceAccountName: bigip-ctlr
      containers:
        - name: bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:latest"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            "--bigip-url=x.x.x.x",
            "--bigip-partition=CIS",
            "--custom-resource-mode=true",
            "--ipam=true",
            "--insecure",   # disables TLS certificate verification toward the BIG-IP management interface
            "--log-level=DEBUG"
            ]
      imagePullSecrets:
        - name: bigip-login   # the same secret that holds the BIG-IP credentials; an imagePullSecret is expected to be of type kubernetes.io/dockerconfigjson

CIS RBAC

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bigip-ctlr-clusterrole
rules:
  - apiGroups: ["", "extensions", "networking.k8s.io"]
    resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "pods", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["", "extensions", "networking.k8s.io"]
    resources: ["configmaps", "events", "ingresses/status", "services/status"]
    verbs: ["get", "list", "watch", "update", "create", "patch"]
  - apiGroups: ["cis.f5.com"]
    resources: ["virtualservers","virtualservers/status", "tlsprofiles", "transportservers", "ingresslinks", "externaldnss"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["fic.f5.com"]
    resources: ["f5ipams", "f5ipams/status"]
    verbs: ["get", "list", "watch", "update", "create", "patch", "delete"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update", "create", "patch"]
  - apiGroups: ["", "extensions"]
    resources: ["secrets"]
    resourceNames: ["<secret-containing-bigip-login>"]
    verbs: ["get", "list", "watch"]

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bigip-ctlr-clusterrole-binding
  namespace: <controller_namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bigip-ctlr-clusterrole
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: bigip-ctlr
    namespace: kube-system

IPAM Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: f5-ipam-controller
  name: f5-ipam-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: f5-ipam-controller
  template:
    metadata:
      labels:
        app: f5-ipam-controller
    spec:
      containers:
      - args:
        - --orchestration=kubernetes
        - --ip-range={"CAD":"x.x.x.x-x.x.x.x"}'   # as posted: a trailing ' with no opening quote; YAML passes the whole value through literally
        - --log-level=DEBUG
        command:
        - /app/bin/f5-ipam-controller
        image: f5networks/f5-ipam-controller:latest
        imagePullPolicy: IfNotPresent
        name: f5-ipam-controller
      serviceAccount: ipam-ctlr
      serviceAccountName: ipam-ctlr

IPAM RBAC

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ipam-ctlr-clusterrole
rules:
  - apiGroups: ["fic.f5.com"]
    resources: ["f5ipams","f5ipams/status"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ipam-ctlr-clusterrole-binding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ipam-ctlr-clusterrole
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: ipam-ctlr
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ipam-ctlr
  namespace: kube-system

TransportServer

apiVersion: cis.f5.com/v1
kind: TransportServer
metadata:
  name: vs-l4
  namespace: test
  labels:
    f5cr: "true"
spec:
  ipamLabel: CAD
  virtualServerPort: 80
  mode: performance
  pool:
    monitor:
      interval: 10
      timeout: 31
      type: tcp
    service: nginx
    servicePort: 80
  snat: auto
  type: tcp

CIS Log: [image]

IPAM Log: [image]
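The FIC deployment's `--ip-range` value and the TransportServer's `ipamLabel` are the two ends of the lookup that has to succeed before any VIP is handed out. The Go program below is an added, stand-alone validator written for this page; it is not the f5-ipam-controller's own parser, and whether that parser tolerates stray quoting is not something this issue establishes. It parses the flag value as the documented JSON label-to-range object, rejects malformed or reversed ranges, and checks that a given ipamLabel has an entry. The 192.0.2.x addresses are constructed stand-ins for the redacted x.x.x.x ranges. The third input reproduces the trailing quote in the posted YAML line, which YAML hands to the controller as part of the value.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net"
	"sort"
	"strings"
)

// IPRange is one inclusive "start-end" IPv4 span from the --ip-range map.
type IPRange struct{ Start, End net.IP }

// Size returns the number of addresses the range can hand out.
func (r IPRange) Size() uint32 {
	return binary.BigEndian.Uint32(r.End) - binary.BigEndian.Uint32(r.Start) + 1
}

// ParseIPRangeFlag parses the value given to --ip-range, expected to be a
// JSON object mapping an ipamLabel to "a.b.c.d-e.f.g.h". A matching pair of
// single quotes around the whole value is stripped (shell style); any other
// deviation from JSON is an error. This is an added validator written for
// this page, not the controller's parser, so it may be stricter than the
// real thing.
func ParseIPRangeFlag(raw string) (map[string]IPRange, error) {
	s := strings.TrimSpace(raw)
	if len(s) >= 2 && s[0] == '\'' && s[len(s)-1] == '\'' {
		s = s[1 : len(s)-1]
	}
	var m map[string]string
	if err := json.Unmarshal([]byte(s), &m); err != nil {
		return nil, fmt.Errorf("ip-range is not a JSON label->range object: %w", err)
	}
	out := make(map[string]IPRange, len(m))
	for label, spec := range m {
		ends := strings.SplitN(spec, "-", 2)
		if len(ends) != 2 {
			return nil, fmt.Errorf("label %q: %q is not start-end", label, spec)
		}
		start := net.ParseIP(strings.TrimSpace(ends[0])).To4()
		end := net.ParseIP(strings.TrimSpace(ends[1])).To4()
		if start == nil || end == nil {
			return nil, fmt.Errorf("label %q: %q has a non-IPv4 endpoint", label, spec)
		}
		if bytes.Compare(start, end) > 0 {
			return nil, fmt.Errorf("label %q: start %s is after end %s", label, start, end)
		}
		out[label] = IPRange{Start: start, End: end}
	}
	return out, nil
}

// CheckLabel reports whether a TransportServer's ipamLabel can ever be served
// by the parsed map. Matching is exact and case-sensitive.
func CheckLabel(ranges map[string]IPRange, label string) error {
	if _, ok := ranges[label]; !ok {
		return fmt.Errorf("ipamLabel %q has no entry in --ip-range (have %v)", label, keys(ranges))
	}
	return nil
}

func keys(m map[string]IPRange) []string {
	ks := make([]string, 0, len(m))
	for k := range m {
		ks = append(ks, k)
	}
	sort.Strings(ks)
	return ks
}

func main() {
	// Constructed stand-ins for the redacted x.x.x.x-x.x.x.x on the page.
	inputs := []string{
		`'{"CAD":"192.0.2.10-192.0.2.20"}'`, // shell-quoted form
		`{"CAD":"192.0.2.10-192.0.2.20"}`,   // bare JSON
		`{"CAD":"192.0.2.10-192.0.2.20"}'`,  // trailing quote only, as in the posted YAML
	}
	for _, v := range inputs {
		ranges, err := ParseIPRangeFlag(v)
		if err != nil {
			fmt.Printf("%-38s rejected: %v\n", v, err)
			continue
		}
		fmt.Printf("%-38s ok: CAD has %d addresses, label check: %v\n",
			v, ranges["CAD"].Size(), CheckLabel(ranges, "CAD"))
	}
}
```

The shell-quoted and bare forms parse and report 11 addresses for CAD, matching the `ipamLabel: CAD` in the TransportServer; the trailing-quote-only form is rejected as invalid JSON. Which of these the real controller saw is something the posted FIC log, not this snippet, settles.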

trinaths commented 3 years ago

@JoshanFan - unable to reproduce the same issue. Using the same TS CRD, IPAM is able to allocate the VIP. Can you restart both controllers and verify? May be an environment issue.
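An "environment issue" behind a message like `[ipam] error while retrieving IPAM custom resource` often comes down to whether the controller's ServiceAccount may read the `f5ipams` resource at all. The Go program below is an added check written for this page, not code from either controller: it encodes the `fic.f5.com` rules of the two ClusterRoles posted in the issue and evaluates them the way RBAC does (exact resource match, `*` wildcard, `*/subresource`; a bare `f5ipams` does not cover `f5ipams/status`). The verb sets are assumptions about what each controller does with the CR (CIS creates and watches it, FIC watches it and writes status), since the page does not state a minimum.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule mirrors one entry of a ClusterRole's rules list.
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Request is one API call a controller makes: group, resource (with an
// optional /subresource) and verb.
type Request struct {
	Group, Resource, Verb string
}

// matchOne is the wildcard-aware membership test RBAC uses for groups and verbs.
func matchOne(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// resourceMatches: "*" matches everything, an exact string matches, and
// "*/sub" matches any resource's "sub" subresource. A bare "f5ipams" does
// NOT cover "f5ipams/status", which is why the posted roles list both.
func resourceMatches(ruleResources []string, requested string) bool {
	sub := ""
	if i := strings.Index(requested, "/"); i >= 0 {
		sub = requested[i+1:]
	}
	for _, r := range ruleResources {
		if r == "*" || r == requested || (sub != "" && r == "*/"+sub) {
			return true
		}
	}
	return false
}

// Allows reports whether any rule in the role grants the request.
func Allows(rules []Rule, req Request) bool {
	for _, r := range rules {
		if matchOne(r.APIGroups, req.Group) &&
			resourceMatches(r.Resources, req.Resource) &&
			matchOne(r.Verbs, req.Verb) {
			return true
		}
	}
	return false
}

// Missing lists the verbs in need that the role does not grant on group/resource.
func Missing(rules []Rule, group, resource string, need []string) []string {
	var out []string
	for _, v := range need {
		if !Allows(rules, Request{group, resource, v}) {
			out = append(out, v)
		}
	}
	return out
}

// The fic.f5.com rule from bigip-ctlr-clusterrole and ipam-ctlr-clusterrole as posted above.
var cisRules = []Rule{{
	APIGroups: []string{"fic.f5.com"},
	Resources: []string{"f5ipams", "f5ipams/status"},
	Verbs:     []string{"get", "list", "watch", "update", "create", "patch", "delete"},
}}

var ficRules = []Rule{{
	APIGroups: []string{"fic.f5.com"},
	Resources: []string{"f5ipams", "f5ipams/status"},
	Verbs:     []string{"get", "list", "watch", "update", "patch"},
}}

// Assumed verb sets (not stated on the page): CIS creates and watches the
// CR, FIC watches it and updates its status.
var cisNeeds = []string{"get", "list", "watch", "create", "update", "patch"}
var ficNeeds = []string{"get", "list", "watch", "update", "patch"}

func main() {
	fmt.Println("bigip-ctlr missing on f5ipams:       ", Missing(cisRules, "fic.f5.com", "f5ipams", cisNeeds))
	fmt.Println("ipam-ctlr missing on f5ipams:        ", Missing(ficRules, "fic.f5.com", "f5ipams", ficNeeds))
	fmt.Println("ipam-ctlr missing on f5ipams/status: ", Missing(ficRules, "fic.f5.com", "f5ipams/status", ficNeeds))
	// What a role that lists only the parent resource would miss on the subresource:
	bare := []Rule{{APIGroups: []string{"fic.f5.com"}, Resources: []string{"f5ipams"}, Verbs: []string{"*"}}}
	fmt.Println("bare f5ipams rule missing on /status:", Missing(bare, "fic.f5.com", "f5ipams/status", ficNeeds))
}
```

The posted roles come out clean under these assumptions, which is consistent with the maintainer not reproducing the problem. Against the live cluster the equivalent question is `kubectl auth can-i get f5ipams.fic.f5.com --as=system:serviceaccount:kube-system:bigip-ctlr` (repeated for `list`, `watch` and `create`), together with `kubectl get crd f5ipams.fic.f5.com` to confirm the CRD itself is installed; a role that evaluates as correct here still fails if the CRD is absent or the ClusterRoleBinding names a different ServiceAccount or namespace than the one the pod runs as.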

JoshanFan commented 3 years ago

> @JoshanFan - unable to reproduce the same issue. Using the same TS CRD, IPAM is able to allocate the VIP. Can you restart both controllers and verify? May be an environment issue.

After restarting both controllers, still the same @@

trinaths commented 3 years ago

@JY-Ven, please try FIC 0.1.5.