GitHub - cloudadc/cis-scripts · GitHub
Skip to content

cloudadc/cis-scripts

BranchesTags

Folders and files

Repository files navigation

F5 CIS 101

Table of Contents

LoadBalancer Type Service

1. Install both CIS and IPAM Controller
kubectl apply -f loadbalancer/install/ns.yaml

kubectl apply -f loadbalancer/install/ipam/rbac.yaml
kubectl apply -f loadbalancer/install/ipam/localstorage-pv-pvc.yaml
kubectl apply -f loadbalancer/install/ipam/ipam_schema.yaml
kubectl apply -f loadbalancer/install/ipam/fic.yaml

kubectl create secret generic bigip-login --from-literal=username=admin --from-literal=password=admin -n bigip-ctlr
kubectl apply -f loadbalancer/install/rbac.yaml
kubectl apply -f loadbalancer/install/customresourcedefinitions.yaml
kubectl apply -f loadbalancer/install/cis.yaml

Execute kubectl get pods -n bigip-ctlr to verify the installation.

2. Deploy App
kubectl apply -f loadbalancer/ttcp.yaml
kubectl apply -f loadbalancer/cafe.yaml

CRD

1. Install CIS Controller
kubectl apply -f crd/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=admin --from-literal=password=admin -n bigip-ctlr
kubectl apply -f crd/install/rbac.yaml
kubectl apply -f crd/install/customresourcedefinitions.yaml
kubectl apply -f crd/install/cis.yaml
2. Deploy app
kubectl apply -f crd/cafe.yaml
kubectl apply -f crd/ttcp.yaml
3. App delivery
kubectl apply -f crd/vs.yaml
kubectl apply -f crd/transport.yaml

CRD Arcadia

1. Deploy
kubectl apply -f arcadia/arcadia.yaml
2. App delivery
kubectl apply -f arcadia/vs.yaml

Configmap Hub Mode

1. Install CIS Controller
kubectl apply -f configmap-hub/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=admin --from-literal=password=admin -n bigip-ctlr
kubectl apply -f configmap-hub/install/rbac.yaml
kubectl apply -f configmap-hub/install/cis.yaml
2. Deploy App
kubectl apply -f configmap-hub/apps.yaml
3. Deploy Configmap
kubectl apply -f configmap-hub/cm-hub-1.yaml
kubectl apply -f configmap-hub/cm-hub-2.yaml

The above configmap will demostrate:

  • Hub mode with 2 hub configmap in 2 namespace

  • AS3 pool member’s servicePort is optional, container exposed port is 8080, but AS3 pool member port is 8088

              "members": [
              {
                "servicePort": 8088,

  • Immediate Action On Service Down reset mode

              "serviceDownImmediateAction": "reset",
4. Verify deployment via tmsh
~ # tmsh list auth partition | grep cistest | awk '{print $3}'
cistest1
cistest2
cistest3
cistest4
cistest5

~ # tmsh list ltm virtual /cistest3/app-1/app_svc_vs | grep reset
    service-down-immediate-action reset
5. #1387 duplicated label verification
kubectl apply -f configmap-hub/duplicated-label.yaml

Check from cis pod log, the following logs

2022/05/16 08:44:11 [WARNING] [CORE] Multiple Services are tagged for this pool. Using oldest service endpoints.
Service: app-svc-1, Namespace: cistest1,Timestamp: 2022-05-16 08:07:30 +0000 UTC

2022/05/16 08:44:12 [WARNING] [CORE] Multiple Services are tagged for this pool. Using oldest service endpoints.
Service: app-svc-1, Namespace: cistest1,Timestamp: 2022-05-16 08:07:30 +0000 UTC
6. Tear down
kubectl delete -f configmap-hub/duplicated-label.yaml
kubectl delete -f configmap-hub/cm-hub-1.yaml
kubectl delete -f configmap-hub/cm-hub-2.yaml
kubectl delete -f configmap-hub/apps.yaml

kubectl delete -f configmap-hub/install/rbac.yaml
kubectl delete -f configmap-hub/install/cis.yaml
kubectl delete -f configmap-hub/install/ns.yaml

Configmap Hub Mode Debug

1. Install CIS Controller
kubectl apply -f configmap-debug/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=admin --from-literal=password=admin -n bigip-ctlr
kubectl apply -f configmap-debug/install/rbac.yaml
kubectl apply -f configmap-debug/install/cis.yaml

Configmap Hub Mode Per Tenants Update

1. Install CIS Controller
kubectl apply -f configmap-filter-tenants/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=admin --from-literal=password=admin -n bigip-ctlr
kubectl apply -f configmap-filter-tenants/install/rbac.yaml
kubectl apply -f configmap-filter-tenants/install/cis.yaml
2. Use the following script to test CIS control plane performance
kubectl apply -f configmap-filter-tenants/deploy-10.yaml
kubectl apply -f configmap-filter-tenants/cm-10.yaml
3. Delete 1 service’s pods 10 times
ns=cistest010 ; for j in {1..10} ; do for i in $(kubectl get pods -n $ns --no-headers | awk '{print $1}') ; do kubectl delete pod  $i -n $ns ; done ; done
4. Delete and create all 30 services 3 times
for i in {1..3} ; do  kubectl delete -f configmap-debug/deploy.yaml ; kubectl apply -f configmap-debug/deploy.yaml  ; echo;  done ;
5. Clean up
kubectl delete -f configmap-debug/cm.yaml
kubectl delete -f configmap-debug/deploy.yaml
kubectl delete -f configmap-debug/install/cis.yaml
kubectl delete -f configmap-debug/install/rbac.yaml
kubectl delete -f configmap-debug/install/ns.yaml

Installation - Limited CIS RBAC

1. Install CIS Controller
kubectl apply -f configmap-limited-rbac/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=admin --from-literal=password=admin -n bigip-ctlr
kubectl apply -f configmap-limited-rbac/install/rbac-small.yaml
kubectl apply -f configmap-limited-rbac/install/cis.yaml
2. Clean up
kubectl delete -f configmap-debug/install/cis.yaml
kubectl delete -f configmap-debug/install/rbac.yaml
kubectl delete -f configmap-debug/install/ns.yaml

Installation - Limited BIG-IP User Account

1. Install
kubectl apply -f configmap-limited-bigip-account/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=cis_user --from-literal=password=default -n bigip-ctlr
kubectl apply -f configmap-limited-bigip-account/install/rbac.yaml
kubectl apply -f configmap-limited-bigip-account/install/cis.yaml
2. Deploy App
kubectl apply -f configmap-limited-bigip-account/deploy.yaml
kubectl apply -f configmap-limited-bigip-account/cm.yaml
3. Create a customized BIG-IP User
create auth user cis_user password default partition-access add { all-partitions { role admin } }
Note
 The admin role is necessary for CIS to work.

Configmap Isolation with L4/l7 Application ADC

1. Install
kubectl apply -f configmap-advanced-adc/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=cis_user --from-literal=password=default -n bigip-ctlr
kubectl apply -f configmap-advanced-adc/install/rbac.yaml
kubectl apply -f configmap-advanced-adc/install/cis.yaml
2. Deploy APP
kubectl apply -f configmap-advanced-adc/cafe.yaml
kubectl apply -f configmap-advanced-adc/ttcp.yaml
3. Deliver APP
kubectl apply -f configmap-advanced-adc/cm-cafe.yaml
kubectl apply -f configmap-advanced-adc/cm-ttcp.yaml

The L7 ADC will demostrate:

  • Cookie persistence with insert method

  • Cookie encription with random cipher text

  • Service down immediate action with drop

  • Health monitor with path and response pattern mapping

  • XFF via iRule

  • Least connections member load balancer algorithm

  • Customized snat address

  • Customized TCP attributes

The L4 ADC will demostrate:

  • Source address persistence

  • Customized snat address

  • Enabled Connection mirroring

  • TCP half open health monitoring

  • Least connections member load balancer algorithm

Configmap Management isolation

1. Install
kubectl apply -f configmap-management-isolation/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=cis_user --from-literal=password=default -n bigip-ctlr
kubectl apply -f configmap-management-isolation/install/rbac.yaml
kubectl apply -f configmap-management-isolation/install/cis.yaml
2. Deploy APP
kubectl apply -f configmap-management-isolation/deploy.yaml
3. Deliver APP 1(this will failed due to configmap syntax err)
kubectl apply -f configmap-management-isolation/cm-cistest001.yaml

Check from the cis log, the following errors show up:

2022/06/06 09:19:42 [ERROR] [AS3] Big-IP Responded with error code: 422
4. Deliver APP 2
kubectl apply -f configmap-management-isolation/cm-cistest002.yaml

Check from BIG-IP VE, the test002 be delivered successfully even the app 1 delivered failed.

[root@bigip1:Active:Standalone] config # tmsh list ltm virtual /cistest002/app-svc-1-app/app-svc-1-app-vs
ltm virtual /cistest002/app-svc-1-app/app-svc-1-app-vs {
    creation-time 2022-06-06:16:57:13
    description app-svc-1-app
    destination /cistest002/10.10.10.2:http
    ip-protocol tcp
    last-modified-time 2022-06-06:16:57:13
    mask 255.255.255.255
    partition cistest002
    persist {
        cookie {
            default yes
        }
    }
    pool /cistest002/app-svc-1-app/app-svc-1-app-pool
    profiles {
        f5-tcp-progressive { }
        http { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool /cistest002/app-svc-1-app/app-svc-1-app-vs-self
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 1947
}

Configmap Canary

1. Install
kubectl apply -f configmap-canary/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=cis_user --from-literal=password=default -n bigip-ctlr
kubectl apply -f configmap-canary/install/rbac.yaml
kubectl apply -f configmap-canary/install/cis.yaml
2. Deploy APP(Deploy 2 version of app, 1.0 version on test001, 1.1 version on test002)
kubectl apply -f configmap-canary/backend-canary.yaml
Methods Steps

URL

Deliver

kubectl apply -f configmap-canary/cm-canary-v1.yaml
kubectl apply -f configmap-canary/cm-canary-v2.yaml
kubectl apply -f configmap-canary/cm-canary-url.yaml

Test

curl 192.168.200.13/foo

URL Parameter

Deliver

kubectl apply -f configmap-canary/cm-canary-v1.yaml
kubectl apply -f configmap-canary/cm-canary-v2.yaml
kubectl apply -f configmap-canary/cm-canary-parametes.yaml

Test

curl 192.168.200.13/foo?name=1010

Source Address

Deliver

kubectl apply -f configmap-canary/cm-canary-v1.yaml
kubectl apply -f configmap-canary/cm-canary-v2.yaml
kubectl apply -f configmap-canary/cm-canary-sourceaddr.yaml

Test

curl 192.168.200.13/foo

Http Header

Deliver

kubectl apply -f configmap-canary/cm-canary-v1.yaml
kubectl apply -f configmap-canary/cm-canary-v2.yaml
kubectl apply -f configmap-canary/cm-canary-headers.yaml

Test

curl 192.168.200.13/foo --header "Canary: true"

Cookie

Deliver

kubectl apply -f configmap-canary/cm-canary-v1.yaml
kubectl apply -f configmap-canary/cm-canary-v2.yaml
kubectl apply -f configmap-canary/cm-canary-cookie.yaml

Test

curl 192.168.200.13/foo --cookie "Canary=true"

Ratio

Deliver

kubectl apply -f configmap-canary/cm-canary-v1.yaml
kubectl apply -f configmap-canary/cm-canary-v2.yaml
kubectl apply -f configmap-canary/cm-canary-ratio.yaml

Test

curl 192.168.200.13/foo

Configmap Arcadia

1. Install
kubectl apply -f configmap-arcadia/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=cis_user --from-literal=password=default -n bigip-ctlr
kubectl apply -f configmap-arcadia/install/rbac.yaml
kubectl apply -f configmap-arcadia/install/cis.yaml
2. Deploy APP
kubectl apply -f configmap-arcadia/arcadia.yaml
3. Deliver APP
kubectl apply -f configmap-arcadia/cm-v1.yaml
kubectl apply -f configmap-arcadia/cm.yaml

Routing Rules

when HTTP_REQUEST {
  if { [HTTP::uri] starts_with "/api" } {
    pool /arcadia/api/api-svc-pool
  } elseif { [HTTP::uri] starts_with "/files" } {
    pool /arcadia/backend/backend-svc-pool
  } elseif { [HTTP::uri] starts_with "/app3" } {
    pool /arcadia/refer/refer-svc-pool
  } else {
    pool /arcadia/main/main-svc-pool
  }
}

Configmap Arcadia Across Namespace Routing

1. Install
kubectl apply -f configmap-arcadia/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=cis_user --from-literal=password=default -n bigip-ctlr
kubectl apply -f configmap-arcadia/install/rbac.yaml
kubectl apply -f configmap-arcadia/install/cis.yaml
2. Deploy APP
kubectl apply -f configmap-arcadia/arcadia-backend.yaml
kubectl apply -f configmap-arcadia/arcadia-api.yaml
kubectl apply -f configmap-arcadia/arcadia-refer.yaml
kubectl apply -f configmap-arcadia/arcadia-main.yaml
3. Deliver APP
kubectl apply -f configmap-arcadia/cm-backend.yaml
kubectl apply -f configmap-arcadia/cm-api.yaml
kubectl apply -f configmap-arcadia/cm-refer.yaml
kubectl apply -f configmap-arcadia/cm-main.yaml

Routing Rules

when HTTP_REQUEST {
  if { [HTTP::uri] starts_with "/api" } {
    pool /arcadia-api/api/api-svc-pool
  } elseif { [HTTP::uri] starts_with "/files" } {
    pool /arcadia-backend/backend/backend-svc-pool
  } elseif { [HTTP::uri] starts_with "/app3" } {
    pool /arcadia-refer/refer/refer-svc-pool
  } else {
    pool /arcadia-main/main/main-svc-pool
  }
}

Configmap Path Based Route

1. Install
kubectl apply -f configmap-routing/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=cis_user --from-literal=password=default -n bigip-ctlr
kubectl apply -f configmap-routing/install/rbac.yaml
kubectl apply -f configmap-routing/install/cis.yaml
3. Deploy APP
kubectl apply -f deploy.yaml
3. Depliver APP
kubectl apply -f configmap-routing/cm.yaml

Configmap FastL4 Vs Standard

1. Install
kubectl apply -f configmap-fastl4-standard/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=cis_user --from-literal=password=default -n bigip-ctlr
kubectl apply -f configmap-fastl4-standard/install/rbac.yaml
kubectl apply -f configmap-fastl4-standard/install/cis.yaml
2. Deploy APP
kubectl apply -f  configmap-fastl4-standard/deploy.yaml
3. Deliver APP
kubectl apply -f configmap-fastl4-standard/cm-l4.yaml
kubectl apply -f configmap-fastl4-standard/cm-http.yaml

Configmap AS3 Performance

1. Install
kubectl apply -f configmap-as3/install/ns.yaml
kubectl create secret generic bigip-login --from-literal=username=cis_user --from-literal=password=default -n bigip-ctlr
kubectl apply -f configmap-as3/install/rbac.yaml
kubectl apply -f configmap-as3/install/cis.yaml
2. Deploy APP
kubectl apply -f  configmap-as3/deploy.yaml
**












  

    

      

  
About


      

        No description, website, or topics provided.
      



    
Resources

    

      
        
        Readme
    


  
    
License

  

    
      
     Apache-2.0 license
    
  







  
  

  

    

      
        Activity    


    

      
        Custom properties    


    
Stars

    

        
          4
          stars    


    
Watchers

    

        
          2
          watching    


    
Forks

    

      
        0
        forks    



    

      
          Report repository
    




    

  


  
      

        

          

  Releases


    
No releases published


        

      


  
  
  
      

        

          

  
  

  Packages
      



      

        

        

      

      

        

        

      

      

        

        

      




  

        

      


  
  
    

      

        
  
  

    Contributors  


  
    
      
  • 
        
    
      
    • 
      
  • 
        
    
      
    • 
      
  • 
        
    
      
    •