Multiple Clusters in Single F5 Tenant - Potential IP Conflicts
Description
If using a single F5 tenant for multiple Kubernetes clusters, there is presently not a way to prevent tenants from within that cluster from using the cis.f5.com/ip on their Service with type: LoadBalancer from provisioning VIPs that may be in IP pools of another cluster. Moreover, there is nothing preventing a user even within the same cluster from statically assigning an IP that is within the appropriate subnet for that cluster, but is within the range of IPs that is handed out by the IPAM controller.
Actual Problem
When using multiple Kubernetes clusters within a single F5 tenant, it is not possible to restrict what IPs can be provisioned with CIS, which can cause conflicts between clusters.
Solution Proposed
Option to prevent statically assigning IP addresses
Option of having static IP annotation interact w/ IPAM controller to ensure IPs can't get handed out twice
Option of making IPAM controller be able to send external webhooks so external service can negotiate IPs appropriately so conflicts can't occur (see here).
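Until CIS offers one of these options, the same check can be enforced outside it, for example in a validating admission webhook. The following is an added example, not part of the issue and not CIS or IPAM controller code: it rejects a cis.f5.com/ip value that is outside the cluster's own subnet or inside a range the IPAM controller hands out. The subnet, the IPAM range and the helper names are constructed assumptions.

```python
import ipaddress

ANNOTATION = "cis.f5.com/ip"  # static-IP annotation named in the issue

# Constructed sample values for one cluster (assumptions, not from the issue).
CLUSTER_SUBNET = "10.10.1.0/24"
IPAM_RANGES = [("10.10.1.100", "10.10.1.200")]  # inclusive, owned by IPAM

def check_static_vip(service, cluster_subnet=CLUSTER_SUBNET, ipam_ranges=IPAM_RANGES):
    """Return (allowed, reason) for a Service manifest given as a dict."""
    annotations = service.get("metadata", {}).get("annotations") or {}
    if service.get("spec", {}).get("type") != "LoadBalancer" or ANNOTATION not in annotations:
        return True, "no static VIP requested"
    raw = str(annotations[ANNOTATION]).strip()
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return False, f"{raw!r} is not a valid IP address"
    # A VIP outside this cluster's subnet may sit in another cluster's pool.
    if ip not in ipaddress.ip_network(cluster_subnet):
        return False, f"{ip} is outside cluster subnet {cluster_subnet}"
    # A VIP inside an IPAM range could later be handed out a second time.
    for first, last in ipam_ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if ip.version == lo.version and lo <= ip <= hi:
            return False, f"{ip} is inside IPAM-managed range {first}-{last}"
    return True, f"{ip} accepted as static VIP"

def make_service(name, ip=None, svc_type="LoadBalancer"):
    """Build a minimal constructed Service manifest for the demo."""
    meta = {"name": name}
    if ip is not None:
        meta["annotations"] = {ANNOTATION: ip}
    return {"kind": "Service", "metadata": meta, "spec": {"type": svc_type}}

if __name__ == "__main__":
    samples = [
        make_service("other-cluster-pool", "10.10.2.5"),
        make_service("collides-with-ipam", "10.10.1.150"),
        make_service("reserved-static", "10.10.1.20"),
        make_service("not-an-ip", "10.10.1.999"),
        make_service("ipam-assigned"),
    ]
    for svc in samples:
        allowed, reason = check_static_vip(svc)
        print(f"{svc['metadata']['name']:<20} {'ALLOW' if allowed else 'DENY':<5} {reason}")
```

Each cluster would run the check with its own subnet and IPAM ranges, so a static VIP is only admitted from the part of that cluster's subnet that IPAM does not manage.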