Відео

looking into that. Maybe something new with UA-cam

thank you John!!

I would use CIS 2.18.1 with any version of BIG-IP. You will need AS3 plug AS-52

WAF policy is referenced on BIG-IP using a pointer. We could support a url download in the Policy CRD. Please submit a Github issue for this enhancement

Backend? Please can you elaborate

Flannel is VXLAN based which requires tunnels between BIGIP and K8S. HA doesn’t work!! Recommend using Calico with static routing mode.. I have a video coming on how to set this up. It’s super simple. Calico using static routes on BIGIP was added in 2.17. Let me know how I can help

Thanks for the answer and the reason, I will try it first

I have single control plane with two worker at my existing cluster with CNI Falnnel. If i want to update to multiple control plane with load balancer F5, what i do and try? Detail k8s-cplane1 10.61.6.10 (existing) k8s-worker1 10.61.6.11 (existing) k8s-worker2 10.62.4.11 (existing) k8s-cplane2 10.62.4.10 (new) k8s-lb 10.0.32.41 (new)

CIS is perfect for what you want todo. Deploy CIS and point to service in the cluster. You could use node port and node port labels to only service the 3 workers. Or clusterIP will work good to

I believe you can use static routes with flannel. Email me at m.dittmer@f5.com and I will share the setup docs

Working on a Video today and tomorrow. Here is the declarations etc. github.com/mdditt2000/f5-appsvcs-extension/tree/master/demos/gslb -- Watch out for a video coming soon to UA-cam

Please email me at m.dittmer@f5.com so we can setup a call

Thank you!

No, i wasn't aware of any Ansible Tower requirements. I will ask PM.

@@MarkDittmer looks like it’s bad information from an old doc.

let me know if you want to setup a meeting with the PM from OpenShift side.

thanks for the recommendation. I will work on this tomorrow. You ok with Generic Host instead of Virtual Server Discovery?

@@MarkDittmer that should be fine! Thanks!

AS3 can create a WAF policy from an external REPO as shown in the document. You could then add that policy to the LTM Virtual via the UI etc clouddocs.f5.com/training/fas-ansible-workshop-101/3.3-as3-asm.html --- This what you had in mind?

⁠I am only looking to maintain the WAF policy, regardless of its Virtual Server assignment. I looked at the link and that creates the policy, but also assigns it to the Virtual Server. I don’t want that to happen. Can I use the “new_asm_policy” alone in an AS3 declaration?

lol no AS3 is F5 BIG-IP Application Services 3 and has nothing todo with ActionScript 3.

Can we schedule a meeting? I can demo the networking etc.

@@MarkDittmer Sure Mark.. Let me know your availability we can sync up. I can explain my use case..

yes, for Service Type LoadBalancer the CRD will require iPAM or a static IP to be populated for the public IP. Let me know if you need help setting this up. Contact me at m.dittmer@f5.com

Glad you liked it

Looking into this on Monday. Will message my team. Great question btw!!

Just like with classic we don't actually use schema version other than to ensure a user doesn't send a declaration with a schema version newer than the latest supported on the given device. So just a matter of updating our examples which i will get posted in Clouddocs

@@MarkDittmer Many thanks, I ask it in other way with an example. How do we know what version of AS3 we use in NEXT? Real example from last couple days.. We used 3.43 globally, but I started using Policy Endpoint with a new option "hostHeader" which was introduced in 3.47. In Classic I just need to roll out new rpm. How this work in NEXT and how do I know what AS3 version is installed?

Any time!

Yes published here ua-cam.com/video/EoWeMYhNTFY/v-deo.html -- Look at the weight in the route or CRD

Appreciate that

Try browser from the same next where you installed Journeys. I think this is a limitation of the OS. I will review emails to see if i can find a solution. I believe somebody figured it out

CIS is F5 BIG-IP Ingress Controller clouddocs.f5.com/containers/latest/

Enabled by default. Let me know your feedback and any improvements

thank you!

Thank you!!

@@MarkDittmer what happened to v3.50? How about relasing binary, or giving us build instructions from source :)

thank you. No Per-app declaration must contain at least one application Declare one app in tenant123 and then you can POST to /declare/tenant123/applications/ with updates

Currently DELETE is not their. Something that could be added. Use POST Declare to remove any apps

Good point. Because its only got added in AS3-50 coming next week.

Declarative. Declare the changes. Best to use via GitHub or Bitbucket

Wide-IPs are different when using AS3. I think generic-host for Wide-IPs is the way to go. Maybe common. I need to post a Best practice AS3 video for GSLB.

@@MarkDittmerYes please we are migrating DNS module from on-prem to azure and want to use AS3 and frontend with terraform. About 500 wide-ip's

Yes, absolutely, OpenShift 4.12 is perfectly fine!!

@@MarkDittmer Hi Mark, Can we configure Service Type LoadBalancer with OpenShift OVN-Kubernetes using F5 BIG-IP with NO Tunnels?

use share-nodes=true in the CIS deployment. This will create the pools members in the common partition. Example clouddocs.f5.com/containers/latest/userguide/config-parameters.html

@@MarkDittmer as I mentioned, we use partitions with own routing domain, so placing pool member to Common will not make it work

@@MarkDittmer I know this is not official communication channel, but I would appreciate answer to my question. Thanks

Journey's can consume the UCS file and represent the configuration as a per-app. But Journey's wont POST the the App back to BIG-IP using Per-APP. However this could be better implemented in the VScode extenetion. I am working with that team to get the Per-App API added to VScode

definitely. Lots of new content coming.

CIS will automate the routing table if you using OpenShift and some other CNIs.

This is a change i want to get into CIS. We are waiting for AS3 Per APP API to go GA in AS3.50. This is planned in the upcoming months.

@@MarkDittmer thank you

Cant because the BIG-IP API doesnt provide the permission. This will be possible on BIG-IP Next using Per APP API.

AS3 has no RBAC on Classic. API user permissions to limit POSTS for AS3 is coming in BIG-IP Next. Please subscribe. I will create a demo for this in a month once the code is complete.

Thank you!!

yes this is possible. i have seen some Istio. CIS just needs to monitor the Istio service. Calico or Cilium CNIs are both good options. Ping me if you need help

@@MarkDittmer I’ve sent you an email for this. As I’m planning to use F5 BIG-IP, CIS for OpenShift Active Active Multi data centre deployment. Need to create an architecture and plan for this setup. Is there a way I can have a word with you?

We are about to publish a document "F5 BIG-IP deployment with OpenShift - multi-cluster architectures" for your solution. Please contact me at m.dittmer@f5.com so we can schedule a zoom call

using ServiceType LB? We are working on service type multicluster design this week and code available soon. Istio uses a HELM chart and has no CRD. Theirfore all needs to be specified in the service. Message me to get test image and docs.

CIS can create the routes for BIG-IP. Then BIG-IP simple route to the POD via the next hop "Node IP"

Thanks for your feedback. Definitely a sweet solution been able to use the best of both technology.

ASM policy should be modified in the ASM module or ASM API. AS3 will pull the latest policy and apply. AS3 simply references the profile/policy on the virtual for that tenant.

@@MarkDittmer thanks for the reply, please can you make a video to demonstrate this setting or configuration thanks 🙏

Will do. Per App Api will be GA in AS3 50. I will create another video for the release

Let me know if you need help with your GTM AS3 declaration

Informer configuration is coming in the new two days with a new video using A/B deployment across the two clusters.

F5 CIS is focused on getting traffic into the K8S clusters. CIS configures BIG-IP to steer interesting to the correct Service in a specific cluster. CIS also requires BIG-IP where SPK is independent. SPK is mostly focused on the Service Provider use-case while CIS is traditionally enterprises