• CIS Using ClusterIP Mode
• CIS and AS3 Extension integration
• Routes
• Install F5 Container ingress services

Based on the UDF Demo -> ASE CC K8s Exercise

# Check the system status
$ systemctl status kubelet
$ kubectl get node

• CIS documentation

1. Find the name of the k8s-bigip-ctlr Pod.

   kubectl get pod --namespace=kube-system

2. Check the status of the Pod.

   kubectl get pod k8s-bigip-ctlr-687734628-7fdds -o yaml --namespace=kube-system

3. View the Controller logs.

   kubectl logs k8s-bigip-ctlr-687734628-7fdds --namespace=kube-system
   # tail -f  
   kubectl logs -f k8s-bigip-ctlr-687734628-7fdds --namespace=kube-system

   View logs for a container that isn’t responding:

   kubectl logs --previous k8s-bigip-ctlr-687734628-7fdds --namespace=kube-system

4. To change the log level for the BIG-IP Controller:

• Edit the Deployment yaml and add the following to the args section: "--log-level=DEBUG"
• Replace the BIG-IP Controller deployment: kubectl replace -f f5-k8s-bigip-ctlr.yaml
• Verify the Deployment updated successfully: kubectl describe deployment k8s-bigip-ctlr -o wide --namespace=kube-system

1. Open the Kubernetes dashboard
2. Navigate to the deployments menu option
3. Click the +Create button in the upper right hand corner of the dashboard
4. Click on the tab labelled Create an App. Fill out the fields in the following manner:
   • App Name: exercise1
   • Container Image: f5devcentral/f5-demo-httpd
   • Number of Pods: 2
   • Service: None
5. Using the dashboard investigate the deployment you just made
   • Look at the pods menu item. Which nodes were the pods deployed on?
   • Look at the deployments menu item again. Notice there is now a deployment.
   • Click on the three dots to the right of your deployment. From the flyout menu select View/edit YAML.
6. Delete the existing deployment by choosing Delete from the previous flyout menu
7. Recreate the same deployment using YAML (./f5-cis/1-exercise1.yml). Click the + Create button. Verify the Create from Text Input tab is selected. Paste the following YAML and then click Upload

1. Create/expose a service with the following command

   $ kubectl expose deployment/exercise1 --name exercise1-svc --port=80

2. Investigate the service you just created in the dashboard. Under the services section click on the “exercise1-svc” name. By default Kubernetes has created a service of serviceType ClusterIP

3. Verify the DNS entry that kubedns created for your service. When pods are created they are able to resolve against kubedns by default.

   $ kubectl get pod
   $ kubectl exec -it [name of pod] -- nslookup exercise1-svc

1. Create a new deployment (so we can more easily differentiate our test applications):

   $ kubectl create -f ./f5-cis/2-exercise2.yml

2. Create a new service using NodePort

   $ kubectl expose deployment/exercise2 --name exercise2-svc --type=NodePort

3. Determine what port(s) the service is exposed on:

   $ kubectl get service exercise2-svc

1. Under Systems -> Users -> Partitions create partition kubernetes

2. Create a Secret for BIG-IP. The user credentials for the BIG-IP need to be stored in a Kubernetes secret. Run the commands in the following section from the bash prompt on kmaster.

   $ kubectl create secret generic bigip-login --namespace kube-system --from-literal=username=admin --from-literal=password=admin

3. Service Account. You will also need a Service Account that the controller will run as.

   $ kubectl apply -f ./f5-cis/cis-sa.yaml -n kube-system

4. RBAC Permissions. Grant appropriate permissions to the Service Account.

   $ kubectl apply -f ./f5-cis/cis-rbac.yaml -n kube-system

5. Deploy the Controller. The following command will deploy the controller.

   $ kubectl apply -f ./f5-cis/f5-cc-deployment.yaml -n kube-system

6. You can verify the controller is running from the dashboard or using kubectl from bash on kmaster. Note this pod is running in the “kube-system” namespace (include -n kube-system if using kubectl).

   $ kubectl -n kube-system get pods

7. Create a new Deployment/Application

   $ kubectl create -f ./f5-cis/3-exercise3.yml

8. Create a Service

   $ kubectl create -f ./f5-cis/3-exercise3-svc.yml

9. Basic L4 Services

   $ kubectl create -f ./f5-cis/4-as3-basic-configmap.yml

10. Deploying a WAF Policy:

• show that there is preconfigured security policy in ASM, which we are referring to

  $ kubectl apply -f ./f5-cis/5-waf-configmap.yml

11. Execute the following command from kmaster:

    $ curl http://app.example.com/ -v -H "X-Hacker: cat /etc/paswd"

12. On the BIG-IP go to Security -> Event Logs and you should see the blocked request

13. Scale the deployment

• change the replicas parameter to 6 and redeploy
• check the LTM Pool chnages after each modification and deployment

  $ kubectl apply -f ./f5-cis/6-scale.yml