F5 and NGINX: Going Forward with Kubernetes
As F5 Networks works to integrate its acquisition of NGINX, it has pledged commitment to Kubernetes, not just to integrate with the orchestrator, but to fully participate in the open source project.
A Cloud Native Computing Foundation survey published in the second half of 2018 found NGINX to be the most widely used ingress provider for Kubernetes.
For the Seattle-based application controller delivery software provider, a $670 million acquisition provides an established user base and mature technology that puts it at the center of microservice architectures.
Earlier this year, when it purchased NGINX, F5 said it planned to augment the open source web server/load balancer and reverse proxy software with F5’s own security technologies as well as with a set of “cloud native innovations” to enhance load balancing.
At NGINX Conf 2019 in September, François Locoh-Donou, president and CEO of F5 Networks pointed out that the technology acquisitions that have paid off for customers have been those in which the acquired company’s technology was core to the strategy of the acquiring company.
“NGINX is core to the strategy of F5 Networks,” he said. “Combined with the reach and breadth of the F5 application security portfolio, we believe can deliver, code to customer, across all environments and simplify the complexity customers are dealing with.”
He also reiterated its commitment to open source.
“Unlike NGINX, we didn’t get our start in open source, but we have seen over time our customers increase their use of open source,” he said. “We firmly believe that open source, or community-led disruption, is going to continue to be a powerful source of innovation, to either disrupt existing markets or create new markets.”
He pledged the same level of access to NGINX code and increased contributions to NGINX.org.
NGINX is a new unit within the company with 128 engineers added to that team. F5 also has trained more than 1,000 of its engineers on NGINX technology, he said.
Owen Garrett, senior director of product management also outlined what’s coming up, including:
- Support for QUIC/HTTP/3, citing the Google search engine’s speed as an example of QUIC performance: “The challenge for us is to build a general-purpose QUIC implementation on NGINX when we don’t have control of both ends of the connection — one that works well with Chrome and other third-party QUIC implementations,” Garrett said.
- Port statistics framework from NGINX Plus into open source: “We won’t be moving the stats themselves, the things unique to NGINX Plus. But if you’re using tools to monitor NGINX, you’ll be able to use a consistent API. If you’re building your own modules, you’ll be able to instrument those in with the API.”
- Continued investment in nJS: “JavaScript is where the innovation happens. It’s the platform we’re using to ship new product features.”
In May, the NGINX Ingress Controller for Kubernetes release 1.5.0 was launched It’s a daemon that monitors Ingress resources and NGINX custom resources to discover requests for services that require ingress load balancing and does that automatically. There will be future integrations with F5’s Big-IP capabilities, he said.
The Ingress Controller uses a Kubernetes object called an ingress resource that’s limited to basic SSL, TLS, some HTTP load balancing configurations, and extending them is hard, he said. There’s no type safety, they’re global scope, they’re not fine-grained and difficult to work with.
F5 has a project to add an incremental way to configure Ingress Controller in a Kubernetes-native fashion using customer resource definitions (CRDs) to provide richer load-balancing configurations: control over the precise parameters for how NGINX proxies traffic of upstream services in Kubernetes; to provide traffic splitting for blue/green deployments; and more sophisticated conditional routing so, for example, you can pull out a debug request and send that to a different service than your regular traffic service.
NGINX has worked the past two years with Trustwave on ModSecurity open source firewall and will continue to do so, Garrett said. However, F5 has a richer suite of web application security capabilities. It plans to take a lot of that technology out of the Big-IP framework and make it available to NGINX over the next year, Garrett said.
As for the NGINX Unit application server, it supports seven languages and the company does not plan to support more. It will add support for the static file server, more sophisticated routing rules and proxying.
“Since we closed the deal this past May, we have done a tremendous amount of work to integrate NGINX into our core business, said Hitesh Patel, director of product management for F5, citing the staffing up the NGINX Business Unit as evidence of its commitment to open source and ways to help customers bridge the legacy data center and modern application worlds.
They’re working on:
- Analytics and management capabilities based on application-centric, not infrastructure-centric, design.
- Self-service capabilities that integrate with CI/CD toolchains and drive increased agility.
- Accelerated module development, with the availability of a service mesh and advanced security modules that push intelligence and behavioral analysis even closer to the app.
“Those investments will soon begin to be available to users through direct offerings such as NGINX Controller and complementary offerings such as F5 Beacon. Additionally, the convergence of BIG-IP Container Ingress Services and NGINX Kubernetes Ingress Controller is an example of how we plan to continue looking for ways to bring our technology together,” Patel said.
