OpenShift-F5 Integration (North-South Traffic Through F5)
Purpose of integrating F5 with OpenShift
When external traffic reaches an application, the F5 BIG-IP hardware appliance proxies it directly to the Pods in the cluster.
The benefits are obvious:
- A hardware load balancer replaces the software load balancer, improving performance.
- F5 offers more flexible configuration, allowing more complex traffic control.
OpenShift operations
OpenShift controls the BIG-IP appliance through the BIG-IP Controller. Since OpenShift is based on Kubernetes, both use the same controller (k8s-bigip-ctlr). The BIG-IP Controller configures BIG-IP objects for the applications in the cluster and serves their north-south traffic.
The BIG-IP Controller can use the F5 BIG-IP appliance in two ways:
- Proxying traffic for Services in OpenShift
- Proxying traffic for Routes in OpenShift
Proxying traffic for Services in OpenShift (deployment steps not covered here)
In our testing, this approach requires each externally exposed Service to be bound to a different port on the F5, and external clients must include the port when accessing the application, e.g. app1.openshift.example.com:8000, app2.openshift.example.com:8001, app3.openshift.example.com:8002, where no port number may be reused.
- In real use this cannot meet business requirements unless another proxy layer is placed in front of the F5, which adds architectural complexity.
- The ideal state is that all HTTP requests for every application go to port 80 on the F5 and all HTTPS requests go to port 443, with the F5 routing each request to the matching Pool based on the requested hostname (each Pool being the list of all Pods behind one Service).
- The good news is that the second approach satisfies this requirement.
Proxying traffic for Routes in OpenShift
Using BIG-IP as the OpenShift Router provides the following functions:
- Creating BIG-IP local traffic rules for Services
- Providing HTTP/HTTPS routing
- Adding BIG-IP health checks for Route resources
This article only covers how to use F5 to provide HTTP/HTTPS routing, which is the core part.
Deployment environment versions:
2 F5 appliances: v13, 192.168.200.82 and 192.168.200.83
OpenShift cluster: v3.9.1
Create new HostSubnets
OpenShift
# hostsubnet.yml
apiVersion: v1
kind: HostSubnet
metadata:
  name: f5-bigip-node01
  annotations:
    pod.network.openshift.io/fixed-vnid-host: "0"
    pod.network.openshift.io/assign-subnet: "true"
# provide a name for the node that will serve as BIG-IP's entry into the cluster
host: f5-bigip-node01
# The hostIP address will be the BIG-IP interface address routable to the
# OpenShift Origin nodes.
# This address is the BIG-IP VTEP in the SDN's VXLAN.
hostIP: 192.168.200.82
---
apiVersion: v1
kind: HostSubnet
metadata:
  name: f5-bigip-node02
  annotations:
    pod.network.openshift.io/fixed-vnid-host: "0"
    pod.network.openshift.io/assign-subnet: "true"
# provide a name for the node that will serve as BIG-IP's entry into the cluster
host: f5-bigip-node02
# The hostIP address will be the BIG-IP interface address routable to the
# OpenShift Origin nodes.
# This address is the BIG-IP VTEP in the SDN's VXLAN.
hostIP: 192.168.200.83
---
apiVersion: v1
kind: HostSubnet
metadata:
  name: f5-bigip-float
  annotations:
    pod.network.openshift.io/fixed-vnid-host: "0"
    pod.network.openshift.io/assign-subnet: "true"
# provide a name for the node that will serve as BIG-IP's entry into the cluster
host: f5-bigip-float
# The hostIP address will be the BIG-IP interface address routable to the
# OpenShift Origin nodes.
# This address is the BIG-IP VTEP in the SDN's VXLAN.
hostIP: 192.168.200.84
oc create -f hostsubnet.yml
View the result
[root@master01 ~]# oc get hostsubnet
NAME HOST HOST IP SUBNET EGRESS IPS
f5-bigip-float f5-bigip-float 192.168.200.84 10.128.6.0/23 []
f5-bigip-node01 f5-bigip-node01 192.168.200.82 10.129.6.0/23 []
f5-bigip-node02 f5-bigip-node02 192.168.200.83 10.130.4.0/23 []
master01.example.com master01.example.com 192.168.200.1 10.130.0.0/23 []
master02.example.com master02.example.com 192.168.200.2 10.128.0.0/23 []
master03.example.com master03.example.com 192.168.200.3 10.128.2.0/23 []
node01.example.com node01.example.com 192.168.200.21 10.129.0.0/23 []
node02.example.com node02.example.com 192.168.200.22 10.131.0.0/23 []
router01.example.com router01.example.com 192.168.200.11 10.129.2.0/23 []
router02.example.com router02.example.com 192.168.200.12 10.130.2.0/23 []
Create a VXLAN profile
F5
In the F5 TMOS shell, create a multipoint VXLAN profile:
create /net tunnels vxlan openshift_vxlan flooding-type multipoint
Create a VXLAN tunnel
F5
Local Address uses the VIP: 192.168.200.84
Secondary Address uses the appliance's own IP: node1 192.168.200.82, node2 192.168.200.83
Create the tunnel in TMOS on F5 node1:
create /net tunnels tunnel <float_tun_name> key 0 profile openshift_vxlan local-address 192.168.200.84 secondary-address 192.168.200.82 traffic-group traffic-group-1
Create the tunnel in TMOS on F5 node2:
create /net tunnels tunnel <float_tun_name> key 0 profile openshift_vxlan local-address 192.168.200.84 secondary-address 192.168.200.83 traffic-group traffic-group-1
Create a Self IP in the VXLAN on each F5 appliance
F5
The IP is an address within the HostSubnet assigned to that appliance in OpenShift (any address inside the matching HostSubnet works).
Create the Self IP on F5 node1:
create /net self 10.129.6.82/14 allow-service none vlan openshift_vxlan
Create the Self IP on F5 node2:
create /net self 10.130.4.83/14 allow-service none vlan openshift_vxlan
Create a Floating IP in the VXLAN on the currently active F5 appliance
F5
For example, if node1 is currently the active appliance, the Floating IP is taken from the HostSubnet of the active appliance.
create /net self 10.128.6.84/14 allow-service none traffic-group traffic-group-1 vlan openshift_vxlan
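As an added pre-flight check (not part of the original post or of F5's tooling), the following Python script verifies the requirement stated above before the tmsh commands are run: each BIG-IP self IP must lie inside the HostSubnet the SDN assigned to that appliance, and its mask must cover the whole cluster network. The HostSubnet table and self IPs are copied from this post; `PLANNED_SELF_IPS`, `check_self_ip` and `check_all` are names chosen here.

```python
import ipaddress

# Constructed sample: the `oc get hostsubnet` output shown earlier, trimmed to the F5 rows.
HOSTSUBNET_TABLE = """\
NAME HOST HOST IP SUBNET EGRESS IPS
f5-bigip-float f5-bigip-float 192.168.200.84 10.128.6.0/23 []
f5-bigip-node01 f5-bigip-node01 192.168.200.82 10.129.6.0/23 []
f5-bigip-node02 f5-bigip-node02 192.168.200.83 10.130.4.0/23 []
"""

# Self IPs from the tmsh commands above, keyed by the HostSubnet each BIG-IP VTEP uses.
PLANNED_SELF_IPS = {
    "f5-bigip-node01": "10.129.6.82/14",
    "f5-bigip-node02": "10.130.4.83/14",
    "f5-bigip-float": "10.128.6.84/14",
}


def parse_hostsubnets(table):
    """Return {name: subnet} from `oc get hostsubnet` output (header row skipped)."""
    subnets = {}
    for line in table.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            subnets[fields[0]] = ipaddress.ip_network(fields[3])
    return subnets


def check_self_ip(name, self_ip, subnets):
    """Return a list of findings for one planned self IP; empty means consistent."""
    if name not in subnets:
        return [f"{name}: no HostSubnet object exists; create it first"]
    iface = ipaddress.ip_interface(self_ip)
    findings = []
    # The address must sit inside the /23 the SDN assigned to this HostSubnet,
    # otherwise the nodes never route pod return traffic back to this VTEP.
    if iface.ip not in subnets[name]:
        findings.append(f"{name}: {iface.ip} is outside its HostSubnet {subnets[name]}")
    # The mask must span the whole cluster network so every pod subnet is
    # reachable on-link through the VXLAN tunnel.
    for other, subnet in subnets.items():
        if not subnet.subnet_of(iface.network):
            findings.append(f"{name}: /{iface.network.prefixlen} does not cover {other} {subnet}")
            break
    return findings


def check_all(table=HOSTSUBNET_TABLE, planned=PLANNED_SELF_IPS):
    subnets = parse_hostsubnets(table)
    return {name: check_self_ip(name, ip, subnets) for name, ip in planned.items()}
```

Feed `check_all` the real `oc get hostsubnet` output; any non-empty finding list names a self IP that the tmsh command would place where the SDN cannot route to it.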
Create a new Partition
F5
create auth partition OpenShift
Create the Secret holding the login credentials for F5 BIG-IP
OpenShift
oc create secret generic bigip-login --from-literal=username=admin --from-literal=password=admin -n kube-system
Create the RBAC authorization
OpenShift
# cluster-role.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bigip-ctlr
  namespace: kube-system
---
# For use in OpenShift clusters
apiVersion: v1
kind: ClusterRole
metadata:
  annotations:
    authorization.openshift.io/system-only: "true"
  name: system:bigip-ctlr
  namespace: kube-system
rules:
- apiGroups: ["", "extensions"]
  resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "routes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["", "extensions"]
  resources: ["configmaps", "events", "ingresses/status"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: ["", "extensions"]
  resources: ["secrets"]
  resourceNames: ["bigip-login"]
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ClusterRoleBinding
metadata:
  name: bigip-ctlr-role
  namespace: kube-system
userNames:
- system:serviceaccount:kube-system:bigip-ctlr
subjects:
- kind: ServiceAccount
  name: bigip-ctlr
roleRef:
  name: system:bigip-ctlr
oc create -f cluster-role.yml
Deploy the BIG-IP Controller
OpenShift
- Create one Deployment per F5 appliance
- --bigip-url in the Deployment is the appliance's IP
- --bigip-partition in the Deployment is the Partition created earlier on the F5, OpenShift
- --route-vserver-addr in the Deployment is the IP on which the F5 serves external traffic
# deployment.yml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: f5-bigip-ctlr-01
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      # Name of the Service Account bound to a Cluster Role with the required
      # permissions
      serviceAccountName: bigip-ctlr
      containers:
      - name: k8s-bigip-ctlr
        # replace the version as needed
        image: "f5networks/k8s-bigip-ctlr:1.5.1"
        env:
        - name: BIGIP_USERNAME
          valueFrom:
            secretKeyRef:
              # Replace with the name of the Secret containing your login
              # credentials
              name: bigip-login
              key: username
        - name: BIGIP_PASSWORD
          valueFrom:
            secretKeyRef:
              # Replace with the name of the Secret containing your login
              # credentials
              name: bigip-login
              key: password
        command: ["/app/bin/k8s-bigip-ctlr"]
        args: [
          # See the k8s-bigip-ctlr documentation for information about
          # all config options
          # http://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest
          "--bigip-username=$(BIGIP_USERNAME)",
          "--bigip-password=$(BIGIP_PASSWORD)",
          "--bigip-url=192.168.200.82",
          "--bigip-partition=OpenShift",
          "--pool-member-type=cluster",
          "--openshift-sdn-name=/Common/openshift_vxlan",
          "--manage-routes=true",
          "--route-vserver-addr=99.248.82.220"
        ]
      imagePullSecrets:
        # Secret containing the BIG-IP system login credentials
        - name: bigip-login
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: f5-bigip-ctlr-02
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      # Name of the Service Account bound to a Cluster Role with the required
      # permissions
      serviceAccountName: bigip-ctlr
      containers:
      - name: k8s-bigip-ctlr
        # replace the version as needed
        image: "f5networks/k8s-bigip-ctlr:1.5.1"
        env:
        - name: BIGIP_USERNAME
          valueFrom:
            secretKeyRef:
              # Replace with the name of the Secret containing your login
              # credentials
              name: bigip-login
              key: username
        - name: BIGIP_PASSWORD
          valueFrom:
            secretKeyRef:
              # Replace with the name of the Secret containing your login
              # credentials
              name: bigip-login
              key: password
        command: ["/app/bin/k8s-bigip-ctlr"]
        args: [
          # See the k8s-bigip-ctlr documentation for information about
          # all config options
          # http://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest
          "--bigip-username=$(BIGIP_USERNAME)",
          "--bigip-password=$(BIGIP_PASSWORD)",
          "--bigip-url=192.168.200.83",
          "--bigip-partition=OpenShift",
          "--pool-member-type=cluster",
          "--openshift-sdn-name=/Common/openshift_vxlan",
          "--manage-routes=true",
          "--route-vserver-addr=192.168.200.80"
        ]
      imagePullSecrets:
        - name: bigip-login
oc create -f deployment.yml
Check the BIG-IP Controller deployment progress
[root@master01 ~]# oc get pod
NAME READY STATUS RESTARTS AGE
f5-bigip-ctlr-01-7f44695b97-lmwdh 1/1 Running 0 17h
f5-bigip-ctlr-02-54df674f58-j2x26 1/1 Running 0 17h
Once the BIG-IP Controller Pods are running, two virtual servers are created automatically on the F5:
- "ose-vserver" for HTTP requests
- "https-ose-vserver" for HTTPS requests
These two virtual servers are shared by all Routes in OpenShift.
Create a new application F5-Test and create an HTTP Route
OpenShift
- Use an image from our own registry: harbor.example.com/public/nginx:1.14
- For how this image is built, see: Customizing Nginx configuration on OpenShift with a ConfigMap
oc new-project f5-test
oc new-app harbor.example.com/public/nginx:1.14 --name=f5-test --allow-missing-images
oc expose dc/f5-test --port=8080
Create the Route
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  labels:
    name: f5-test
  name: f5-test
  annotations:
    virtual-server.f5.com/balance: least-connections-node
spec:
  host: f5-test.example.com
  port:
    targetPort: 8080
  to:
    kind: Service
    name: f5-test
Bind the hostname in the local hosts file:
192.168.200.80 f5-test.example.com
Open http://f5-test.example.com in a browser and the application page appears.
Create an HTTPS Route (still using the application above)
OpenShift
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    virtual-server.f5.com/balance: least-connections-node
  labels:
    app: f5-test
  name: f5-test-2
spec:
  host: f5-test-2.example.com
  tls:
    insecureEdgeTerminationPolicy: Allow
    termination: edge
  to:
    kind: Service
    name: f5-test
Bind the hostname in the local hosts file:
192.168.200.80 f5-test-2.example.com
Open https://f5-test-2.example.com in a browser and the application page appears.
Notes
- After a Service is created on OpenShift, the F5 automatically creates a new Pool whose members are the Pods behind that Service.
- When a request reaches the F5, it looks up the Pool matching the requested hostname and forwards the request directly to the Pod; the Router inside the cluster is not involved.