使用 F5 和 Google 提供的舊版控制器進行負載平衡

在 1.29 以下版本中,使用 loadBalancer.f5BigIP 設定建立的使用者叢集,會部署 Google 提供的 F5 控制器。由於這些控制器有限制,在 1.30 以上版本中,Google Distributed Cloud 會禁止使用 loadBalancer.f5BigIP 設定建立叢集。您必須為新叢集設定手動平衡負載,並自行部署 F5 控制器。

本頁說明如何為使用 Google Distributed Cloud 建立的使用者叢集,部署 Google 提供的舊版 F5 控制器。雖然系統支援部署這些控制器,但我們建議您安裝 F5 的最新 CIS 控制器。

需求條件:

  • 您有一個使用者叢集,且採用 manualLB 設定。

  • 您擁有使用者叢集的 F5 伺服器,且知道登入資訊。

  • 您想自動化程序,在 F5 中為使用者叢集內 LoadBalancer 類型的 Kubernetes 服務設定虛擬伺服器。

步驟 1:準備控制器的範本

取得 F5 資訊並產生範本。

取得 F5 資訊

  1. 使用 F5 伺服器的登入資訊,設定下列預留位置變數:

    • F5 使用者名稱:USERNAME

    • F5 密碼:PASSWORD

    • F5 地址:ADDRESS

    • F5 分割區:PARTITION

  2. 設定 SnatPoolName。如果未使用 SNAT,請將預留位置變數留空:

    SnatPoolName: SNAT_POOL_NAME

取得登錄檔和版本資訊

  1. 取得 onpremusercluster 自訂資源:

    kubectl --kubeconfig USER_CLUSTER_KUBECONFIG get onpremusercluster -oyaml -n kube-system

  2. onpremusercluster 自訂資源複製下列欄位:

    Registry: REGISTRY (onpremusercluster.spec.registry.address)
ImageTag: IMAGE_TAG (onpremusercluster.spec.gkeOnPremVersion)

產生範本

cat > templates.yaml << EOF
apiVersion: v1
kind: Secret
metadata:
  name: bigip-login
  namespace: kube-system
stringData:
  password: "PASSWORD"
  username: "USERNAME"
  url: "ADDRESS"
  partition: "PARTITION"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bigip-ctlr
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: load-balancer-f5
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr-deployment
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: k8s-bigip-ctlr
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      serviceAccountName: bigip-ctlr
      volumes:
        - name: bigip-login
          secret:
            secretName: bigip-login
      containers:
        - name: k8s-bigip-ctlr
          image: "REGISTRY/k8s-bigip-ctlr:v1.14.0-gke.28"
          resources:
            requests:
              cpu: 60m
              memory: 90Mi
          volumeMounts:
            - name: bigip-login
              readOnly: true
              mountPath: "/etc/bigip-login"
          env:
            - name: BIGIP_PARTITION
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: partition
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            # See the k8s-bigip-ctlr documentation for information about
            # all config options
            # http://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest
            "--http-listen-address=:9097",
            "--credentials-directory=/etc/bigip-login",
            "--bigip-partition=\$(BIGIP_PARTITION)",
            "--log-level=ERROR",
            "--pool-member-type=nodeport",
            "--manage-ingress=false",
            "--vs-snat-pool-name=SNAT_POOL_NAME"
          ]
      dnsPolicy: Default
      imagePullSecrets:
        - name: private-registry-creds
      nodeSelector:
        kubernetes.io/os: linux
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: load-balancer-f5
  namespace: kube-system
  labels:
    app: load-balancer-f5
spec:
  replicas: 1
  selector:
    matchLabels:
      app: load-balancer-f5
  template:
    metadata:
      name: load-balancer-f5
      labels:
        app: load-balancer-f5
    spec:
      serviceAccountName: load-balancer-f5
      containers:
        - name: load-balancer-f5
          image: "REGISTRY/load-balancer-f5:IMAGE_TAG"
          env:
            - name: BIGIP_PARTITION
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: partition
          command:
            - ./load-balancer-f5
          args:
            - "--bigip-partition=\$(BIGIP_PARTITION)"
          resources:
            requests:
              cpu: 2m
              memory: 13Mi
      imagePullSecrets:
        - name: private-registry-creds
      nodeSelector:
        kubernetes.io/os: linux
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bigip-ctlr-clusterrole-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bigip-ctlr-clusterrole
subjects:
  - kind: ServiceAccount
    name: bigip-ctlr
    namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: load-balancer-f5-clusterrole-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: load-balancer-f5-clusterrole
subjects:
  - kind: ServiceAccount
    name: load-balancer-f5
    namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name:
    bigip-ctlr-clusterrole
rules:
  - apiGroups: ["", "extensions"]
    resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["", "extensions"]
    resources: ["configmaps", "events", "ingresses/status"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["", "extensions"]
    resources: ["secrets"]
    resourceNames: ["bigip-login"]
    verbs: ["get", "list", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name:
    load-balancer-f5-clusterrole
rules:
  - apiGroups: [""]
    resources: ["events", "nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services", "services/status"]
    verbs: ["get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch",  "create", "patch", "delete"]
EOF

步驟 2:將範本套用至使用者叢集

kubectl --kubeconfig USER_CLUSTER_KUBECONFIG apply -f templates.yaml