Release Notes¶
This page contains the release notes for F5 BIG-IP Container Ingress Services. To see the changes in this documentation, see Document Revision History.
2.13¶
Added Functionality¶
- Next generation routes. See GitHub for more details.
  - Support for separate policy CR for HTTP VS in NextGen Routes.
  - NextGen Route controller takes precedence over Legacy Route deployment parameters.
- CRD
  - Added support for webSocket Profile in Policy CR. See example.
  - Added support for server-side HTTP2 Profile using Policy CR. See example.
  - Added support for setting Auto-LastHop option from Policy CR. See example.
  - Added support for setting HTTP MRF router option from Policy CR (applied for HTTPS virtual server only). See example.
  - Added support for setting HTTP Analytics Profile from Policy CR. See example.
  - Added support for configuring multiple iRules with Policy CR. See example.
  - Added support for setting Client and Server SSL Profiles from Policy CR, for NextGen Routes only. See example.
  - Added support for A/B deployment with VS CR. See example.
  - Added support for ServerSide HTTP2 Profile for VS CR. See example.
  - Added support for HTTP Monitor for Transport Server CR. See example.
- Added static route support for ovn-k8s, flannel, Cilium and Antrea CNI.
- Added new parameter `--cilium-name` to specify the BIG-IP tunnel name for Cilium VXLAN integration.
- Added support for operator in OpenShift v4.12.
- Added support for AS3 v3.45.0.
- CIS is now compatible with Kubernetes v1.27.
Bug Fixes¶
- Issue 2632: Fixed HubMode support with NodePortLocal.
- Issue 2821: Fix for additional VirtualAddresses with serviceAddress configuration.
- Issue 2550: Ability to specify additional monitor details for TransportServer CR.
- Fix for recreating the LTM objects when CIS restarts in IPAM mode.
- Improved error handling for GTM objects with cccl-gtm-agent.
- Fixed crash issue with liveness probe in NextGen Routes.
- Fixed issue for improper ARP updates in NextGen Routes.
- Skip processing OSCP system services to enhance performance in NextGen Routes.
Upgrade Notes¶
- Extended support for the server-side HTTP2 Profile modifies the existing Policy CRD (see example).
- Upgrade the CRD schema using the CRD Update Guide if you are using custom resources.
- When multiple client SSL certificates are specified for a VS using Kubernetes secrets with AS3 >= v3.44 and CIS >= 2.13.0, CIS sets the first SSL profile (sorted alphabetically by name) as the default profile for SNI. In earlier versions it was set by AS3.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.12.1¶
Added Functionality¶
- Next generation routes. See GitHub for more details.
  - Support for WAF with A/B deployments in routes.
- CRD
  - Support for ExternalIP update of associated services of Type LB in Transport Server CR.
  - Support for new GTM partition in AS3 mode. CIS will create a new partition for GTM with partition name `{defaultpartition_gtm}` in AS3 mode.
Bug Fixes¶
- Issue 2725: AS3 label not working with AS3 ConfigMap when filter-tenants set to true.
- Issue 2793: TLSProfile CRD not working when the SSL profile is from Shared location.
- Issue 2797: TLSProfile deletes a referenced SSL Profile when making changes or deleting a VS.
- Issue 2799: VirtualServer deletes a referenced iRule when making changes or deleting a VS.
- Issue 2789: AS3 Post delay - Not working as expected.
- Issue 2816: Fix Error Not found cis.f5.com/ipamLabel.
- Issue 2796: EDNS not working when deployed before TS.
- Issue 2790: CIS sends multiple AS3 requests for a single VS.
Upgrade Notes¶
- CIS supports a new partition for GTM in AS3 mode for CRDs. In CCCL mode, there are no partition changes for GTM; the common partition remains the same.
- In AS3 mode, CIS will clear existing GTM objects in the default partition and recreate them in the new GTM partition.
- Format of the new GTM partition name: `{defaultpartition_gtm}`
- With EDNS and VS/TS/IngressLink resource partition change, sometimes CIS might come across a 422 error.
  - The root cause can be that the VS list is not refreshed in the GSLB server.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.12.0¶
Added Functionality¶
- Next generation routes. See GitHub for more details.
  - Support for rewrite-app-root annotation in routes.
  - Support for WAF annotation in routes.
  - Support for allow-source-range annotation in routes.
  - Support for targetPort in route’s health monitors.
- Ingress
  - Support for partition annotation in Ingress.
  - Added wildcard character (*) validation for ingress path.
- CRD
  - Support for ipIntelligencePolicy with Policy CR. See GitHub for examples.
  - Support for configuring ratio on GSLBDomainPool with ExternalDNS CR. See GitHub for examples.
  - Support for BIG-IP partition with VirtualServer, TransportServer, and IngressLink CR. See GitHub for examples.
  - Support for `none` as value for iRules in Policy CR and VirtualServer CR to disable adding the default CIS iRule on BIG-IP. See GitHub for more details.
  - Support for path/pool based WAF for VirtualServer CR. See GitHub for examples.
  - Issue 2737: Support for serviceNamespace field in transport server spec that allows you to define a pool service from another namespace for TransportServer CR. See GitHub for examples.
  - Issue 2682: Support to enable “HTTP MRF Router” on VirtualServer CRD, required for the HTTP2 Full Proxy feature. See GitHub for examples.
  - Issue 2666: Support for multiple virtual addresses on VirtualServer CR. See GitHub for examples.
  - Issue 2729: Support for named port with servicePort. See GitHub for examples.
  - Issue 2744: Support for Host header rewrite in VirtualServer CR. See GitHub for examples.
- Helm Chart Enhancements
  - Support for podSecurityContext.
  - Support for bigip-login secret creation.
  - Support for latest CRD schema.
  - Fix for nesting of ingressClass definitions.
- Support for `--http-client-metrics` deployment parameter to export the AS3 HTTP client Prometheus metrics.
Bug Fixes¶
- Issue 2703: Fix host group having multiple hosts with EDNS.
- Issue 2726: Fix Prometheus metrics broken in v2.11.1.
- Issue 2767: Fix wrong pool member port configured.
- Issue 2764: Remove unwanted TLS iRule deployed on reencrypt when passing XFF.
- Issue 2677: Remove NotReady state nodes from BIG-IP pool members in NodePort mode.
- Issue 2686: Validate insecure VirtualServer CR.
- LTM policy fix for default http and https ports.
Known Issues¶
- Partition annotation change for ingress intermittently causes AS3 422 error. When you receive an error, delete the old ingress and recreate the ingress with a new partition.
- Partition change for custom resources (VS/TS/IngressLink) may cause AS3 422 error for default partition. When you receive an error, restart the CIS controller.
Upgrade Notes¶
- Refer to the guide to migrate to next generation routes.
- The extensions/v1beta1 Ingress API is deprecated and is no longer processed by CIS versions newer than v2.12. Use the networking.k8s.io/v1 API for Ingress.
- CommonName support for host certificate verification in secrets is deprecated. Use the subject alternative name (SAN) in certificates instead.
F5 IPAM Controller v0.1.9 Release Notes¶
Added Functionality:
- Base image upgraded to RedHat UBI-9 for FIC Container image.
Bug Fixes:
- Issue 2747: Fix to persist IP addresses after CIS restart.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.11.1¶
Added Functionality¶
- Next generation routes preview.
- Support for default routeGroup (Migration Only).
- Base image upgraded to RedHat UBI-9 for CIS Container image.
- Support for AS3 3.41.0.
Bug Fixes¶
- Added pattern definition in CR schema to align with F5 BIG-IP Object Naming convention.
- Issue 2153: Updated go.mod to v2 eTraveli.
- Issue 2657: WAF policy name does not allow hyphen (-) OrangeCyberDefense.
Documentation¶
- Added additional user guides to GitHub.
- Issue 2606: Applying setup files from Clouddocs fails.
CIS Helm Chart Fixes¶
- Updated CRD Schema
- Updated RBAC
FIC Helm Chart Fixes¶
- Added support for Infoblox credentials using k8s secrets in helm charts.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
1.14.2¶
Added Functionality¶
- Upgraded base image to RedHat UBI-9 for CIS Container image.
Bug Fixes¶
- Fixed Teems Data Crash issue.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.11.0¶
Added Functionality¶
- Next generation routes preview. See documentation and examples.
  - Policy CR integration with extended ConfigMap.
  - EDNS CR integration with extended ConfigMap.
  - Support for default SSL profiles from baseRouteSpec in extended ConfigMap.
  - Support for path based A/B deployment for re-encrypt termination.
  - Support for TLS profiles as K8S secrets in route annotations.
  - Support for TLS profiles as route annotations.
  - Support for health monitors using route annotations.
  - Support to create a Health Monitor from the pod liveness probe for routes. Refer to the documentation for more details.
- CRD
  - CIS configures GTM configuration in the default partition.
  - Pool reselect support for VirtualServer and TransportServer.
  - Support for allowVlans with Policy CR.
  - Support for the `--cccl-gtm-agent` deployment parameter to set the GTM agent.
  - Support to provide the same VIP for TS and VS CRs using hostGroup.
  - Issue 2420: Support for nodeMemberLabel in Transport Server pool.
  - Issue 2469: Support for virtual server grouping by hostGroup across namespaces. From 2.11, hostGroup should be unique across namespaces.
  - Issue 2585: Support for multiple clientssl & serverssl profiles in TLS Profiles.
  - Issue 2637: Support for custom persistence profile.
- Ingress
  - Support for Translate Address annotation in Ingress.
  - Support for sslProfile in HTTPS health monitors for Ingress. See Examples.
Bug Fixes¶
- Issue 2581: IPAM to provide the same IP for different TS.
- Issue 2586: Update ExternalIP of associated services of Type LB for VS and IngressLink CR.
- Issue 2609: TargetPort support for string with NPL.
- Issue 2626: Process IngressLink on K8S node update.
- Fix to remove old Ingress monitor when type gets modified.
- Fix to send AS3 declaration for the recreated domain after IPAM controller restart.
- FIC Helm Chart Fixes: Fixed Issue 130: IPAM Helm Deployment strategy should be recreated.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.10.1¶
Bug Fixes¶
- Fix to monitor NGINX+ service changes.
- Issue 2582: Fixed issue with inconsistent pool names for VS.
- Issue 2596: Fixed invalid property name with serviceAddress.
- Issue 2570: Fixed issue where TLSProfile doesn’t get updated when the K8s secret changes.
- Issue 2394: Fixed to set ingress https monitor send string.
- Issue 2549: Fixed trafficGroup regex.
- Issue 2492: Fixed for shared pool not working in nodePort mode.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.10.0¶
Added Functionality¶
- Next Generation Routes:
  - Added new base config block for TLSCiphers in global extended ConfigMap. See Examples.
  - Support for namespaceLabel in global extended ConfigMap. See Examples.
  - Support for BIG-IP ClientSSL/ServerSSL profile reference in global extended ConfigMap. See Examples.
  - Support for allowSourceRange in global and local extended ConfigMap. See Examples.
  - rewrite-target-url support via route annotations.
  - Load Balancing support via route annotation. See Examples.
  - Support for AB Deployment in routes.
- CRD:
  - allowSourceRange support for VirtualServer CRs and Policy CR. See Examples.
  - Added support for TCP Health Monitor in VirtualServer CRs. See Examples.
  - Added support for multiple monitors in VirtualServer and TransportServer CRs. See Examples.
  - SCTP support for TransportServer Custom Resource. See Examples.
  - Issue 2201: Support for linking existing health monitor on BIG-IP with VirtualServer and TransportServer CRs. See Examples.
  - Issue 2361: Allow monitoring of an alias port in VirtualServer and TransportServer. See Examples.
  - Issue 1933: Added serviceNamespace field in Pools for VirtualServer CR that allows you to define a pool service from another namespace in a VirtualServer CR. See Examples.
- Ingress:
  - Added support to configure netmask for Virtual Server for Ingress. See Example.
- Support for Cilium CNI versions 1.12.0 and above in Kubernetes cluster.
- Support for `--log-file` deployment parameter to store the CIS logs in a file.
- Support for AS3 3.38.0.
- Support for operator in OpenShift versions 4.10 and 4.11.
Bug Fixes¶
- Fixed CIS continuous processing of ingress belonging to unmanaged ingress class.
- Issue 2325: Supporting Prometheus service in CRDs.
- Issue 2158: CIS send logs to file from container.
- Issue 2345: CIS crash due to Route Profiles.
- Issue 2507: Monitor name by accident includes health check command.
- Issue 2413: Hyphens/dashes not allowed in VirtualServer pool path.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.9.1¶
Enhancements¶
- CIS is now compatible with:
  - Kubernetes 1.23
  - OCP 4.10 with OVN & SDN CNI
Bug Fixes¶
- Issue 2336: Fixed confusing EDNS Pool name.
- Issue 2337: Fixed EDNS pool deletion with invalid server config.
- Issue 2484: Fixed scalability issue of LB services with IPAM processing.
- Issue 2464: CIS sends empty members declaration to BIG-IP while using HubMode.
- Issue 2308: Fixed ARP deletion in filter-tenant mode.
- Fixed Invalid traffic allow in Ingress with Custom HTTP Port.
CIS Helm Chart Fixes¶
- Issue 2422: Fixed wrong indentation for securityContext.
- Issue 2434: Helm install values.yaml results in a bad image format.
- Updated links in Helm values.yaml documentation.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
1.14.1¶
Added Functionality¶
- Added CIS deployment configuration option `--disable-teems`, which you can configure to send anonymous analytics data to F5.
Vulnerability Fixes¶
| CVE | Package |
|---|---|
| CVE-2022-29155 openldap | libldap-2.4-2 |
| DSA-5140-1 openldap | libldap-2.4-2 |
| CVE-2022-1586 pcre2 | libpcre2-8-0 |
| CVE-2022-1587 pcre2 | libpcre2-8-0 |
| CVE-2022-2068 openssl | openssl |
| CVE-2022-1292 openssl | openssl |
| DSA-5139-1 openssl | openssl |
| CVE-2021-3711 openssl | openssl |
| DSA-4963-1 openssl | openssl |
| CVE-2022-2068 openssl | openssl |
| CVE-2020-13776 systemd | libudev1 |
| pyup.io-38100 (CVE-2020-1747) | pyyaml |
| pyup.io-39611 (CVE-2020-14343) | pyyaml |
| CVE-2019-1010022 glibc | libc6 |
| CVE-2021-33574 glibc | libc6 |
| CVE-2021-35942 glibc | libc6 |
| CVE-2022-23218 glibc | libc6 |
| CVE-2022-23219 glibc | libc6 |
| CVE-2021-3520 lz4 | liblz4-1 |
| DSA-4919-1 lz4 | liblz4-1 |
| pyup.io-39606 (CVE-2020-36242) | cryptography |
| CVE-2022-1664 dpkg | dpkg |
| DSA-5147-1 dpkg | dpkg |
| CVE-2019-8457 db5.3 | libdb5.3 |
| CVE-2021-20231 gnutls28 | libgnutls30 |
| CVE-2021-20232 gnutls28 | libgnutls30 |
| CVE-2022-29155 openldap | libldap-common |
| DSA-5140-1 openldap | libldap-common |
| CVE-2020-13776 systemd | libsystemd0 |
| CVE-2019-1010022 glibc | libc-bin |
| CVE-2021-33574 glibc | libc-bin |
| CVE-2021-35942 glibc | libc-bin |
| CVE-2022-23218 glibc | libc-bin |
| CVE-2022-23219 glibc | libc-bin |
| CVE-2019-9893 libseccomp | libseccomp2 |
| CVE-2021-3711 openssl | libssl1 |
| CVE-2022-2068 openssl | libssl1.1 |
| CVE-2022-1292 openssl | libssl1.1 |
| DSA-5139-1 openssl | libssl1.1 |
| DSA-4963-1 openssl | libssl1.1 |
| CVE-2022-2068 openssl | libssl1.1 |
| CVE-2020-11656 sqlite3 | libsqlite3-0 |
| CVE-2022-22823 expat | libexpat1 |
| CVE-2022-22824 expat | libexpat1 |
| CVE-2022-25235 expat | libexpat1 |
| CVE-2022-25236 expat | libexpat1 |
| CVE-2022-25315 expat | libexpat1 |
| DSA-5085-1 expat | libexpat1 |
| CVE-2022-22822 expat | libexpat1 |
| CVE-2022-23852 expat | libexpat1 |
| CVE-2022-23990 expat | libexpat1 |
| DSA-5073-1 expat | libexpat1 |
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.9.0¶
Added Functionality¶
- Next generation routes preview. See the documentation for more details.
  - Multiple VIP and partition support for routes.
- Custom Resource Definition (CRD):
  - LoadBalancingMethod support for VirtualServer and TransportServer CRs. See Examples.
  - DoS Protection Profile support for VirtualServer, TransportServer, and Policy CRs. See Examples.
  - Bot Defence Profile support for VirtualServer and Policy CRs. See Examples.
  - Protocol profile (client) support for TransportServer and Policy CRs. See Examples.
  - OneConnect profile support added for VirtualServer CRs. See Examples.
  - Custom TCP Client and Server profile support added for VirtualServer, TransportServer, and Policy CRs. See Examples.
  - SNAT pool name support in Policy CR for VirtualServer and TransportServer CRs. See Example.
  - Custom pool name support in VirtualServer and TransportServer CRs. See Example.
  - GTM global-availability LB method and order precedence support with EDNS CRs. See Examples.
- Service Type LoadBalancer:
  - SCTP protocol support in Services of type LoadBalancer. See Kubernetes documentation for more information.
  - Added support for attaching Policy CRD as an annotation. SNAT profile can be specified in Policy CR. See Examples.
- ConfigMap:
  - Issue 2326: Support for ConfigMap resource with NodePortLocal mode.
- Routes:
  - Added support for route admit status for rejected legacy and next gen routes.
- Added support for AS3 3.36 and OCP 4.9.
- Helm Chart Enhancements:
  - Support for latest CRD schema.
  - Issue 2387: Inconsistent use of value in f5-bigip-ctlr helm chart.
Bug Fixes¶
- Issue 2224: Selecting Load Balancing method on VirtualServer CRD.
- Issue 2323: File and example links updated in IngressLink document.
- Issue 2151: Fix for adding unique pool members only to AS3 declaration with AS3 ConfigMap.
- Added fix for CIS crash with routes.
- Fix for different service port and target port with CRs.
Upgrade Note¶
Some of the new features require you to update the Custom Resource Definition file.
F5 IPAM Controller Release Notes¶
Added Functionality:
- Support for label with multiple IP ranges with comma-separated values. See the documentation for more information.
Bug Fixes:
- Issue 115: Reference handled properly in Database table.
Known Issues¶
- Appending a new pool to an existing range using the comma operator triggers FIC to reassign a new IP from the new IP pool for the corresponding ipamLabel domains/keys.
- Issue 2251: MultiHost VS and policy CRD profiles attached via LTM policy and not assigned globally. Please see this document for more information.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.8.1¶
Bug Fixes¶
- Issue 2030: Changes to Ingress resource ServicePort are now reflected on BIG-IP.
- Issue 2205: Bulk deletion of EDNS is handled properly.
- Issue 2255: ServicePort is now optional and multi-port service is handled properly in ConfigMaps.
- Issue 2164: CIS properly updates configuration in BIG-IP when configured with agent CCCL and log-level DEBUG.
- Issue 2191: CIS properly logs iApps when configured with agent CCCL.
- Issue 2220: CRD VirtualServer status is reported correctly when using hostGroup.
- Issue 2209: ConfigMap errors logs now contain ConfigMap name and namespace.
- CIS configured in CCCL agent mode properly updates BIG-IP when there are no backend pods to iApps ConfigMaps.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.8.0¶
Added Functionality¶
- CRD:
  - Persistence Profile support for VirtualServer, TransportServer and Policy CRs. See Examples.
  - Added support for host in TransportServer and IngressLink CR. See Examples.
  - NodePortLocal (NPL) Antrea CNI feature support added to Ingress and Virtual Server Custom Resource. See VMware Tanzu and GitHub for more information.
  - NodePortLocal (NPL) Antrea CNI feature support added to Ingress and CRD Resources.
- Helm Chart Enhancements:
  - Support for latest CRD schema.
Bug Fixes¶
- Added fix for processing oldest route when same host and path in routes.
- Added fix for CIS crash with routes.
- Issue 2212: Fix for ExternalDNS adding both VSs to a Wide IP pool when using “httpTraffic: allow” with VS CR.
- Issue 2221: Fixed Error in CIS logs while deleting multiple VS CRD.
- Issue 2222: Fix deleting VirtualServer using hostGroup.
- Issue 2233: TS and VS CRD don’t detect the pool members for grafana service.
- Issue 2234: Fix for CIS crash with subsequent creation and deletion of wrong ConfigMap.
- Issue 2077: CIS deletes all existing ARP on restart and recreates it, which affects traffic.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.7.1¶
Added Functionality¶
- Optimized processing of ConfigMaps with FilterTenants enabled.
- Added support for multihost VS policy rules for same path and service backend combination.
- Improved error handling with EDNS Custom resource.
Bug Fixes¶
- Issue 1872: Support protocol UDP in Services of type LoadBalancer.
- Issue 1918: ExternalDNS adds both virtual servers to a Wide IP pool.
- Issue 2051: Fix AS3 Postdelay issue when error occurs.
- Issue 2077: Fix recreating ARPs when CIS restarts.
- Issue 2172: Fix Endpoint NodeName validation issue.
- Helm Chart Enhancements: Issue 2184: Helm Chart ClusterRole does not have correct permissions.
F5 IPAM Controller Release Notes¶
FIC Enhancements:
- Added support for FIC installation using Helm Charts. See the documentation for more information.
- Added support for FIC installation using OpenShift Operator.
Known Issues¶
- CIS does not delete the ARP entries immediately from BIG-IP when you remove all the endpoints for a service in cccl mode.
- Unable to pass multiple Infoblox labels to FIC Helm charts and OpenShift Operator.
- Deleting an EDNS resource does not remove Wide IP config from BIG-IP intermittently.
- CIS sends the failed tenant declaration every 30 seconds with filter-tenant parameter when a 422 error occurs in AS3 response.
Upgrade Notes¶
- When moving from CIS > 2.6 with IPAM, see the troubleshooting guide for the IPAM issue “ipams.fic.f5.com not found”. See Troubleshooting Section.
- Moving to CIS > 2.4.1 requires an update to RBAC and the CR schema definition before upgrade. See RBAC and CR schema.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.7.0¶
Added Functionality¶
- What’s new:
  - CRD:
    - Policy CR support for VirtualServer and TransportServer CRD. Support for L3 WAF, L7 Firewall policy and various profiles. Examples
    - IPv6 address support for VirtualServer, TransportServer CRD and ServiceTypeLB service. Examples
    - Wildcard domain name support with TLSProfile and VirtualServer. Examples
    - Multi-host support in VirtualServer CRD using the `hostgroup` parameter. Examples
    - New Status column for VirtualServer and TransportServer CRD. GitHub issue
  - ConfigMap:
    - Tenant-based AS3 declarations support for ConfigMaps using the `--filter-tenants` deployment option. `--filter-tenants` becomes the default behaviour in CIS 2.9, with a possible name change.
  - Ingress:
    - Named service port reference for ingresses. GitHub issue
  - EDNS:
    - TCP type monitor support for EDNS.
    - EDNS resource name is modified from externaldnss to externaldns. CRD definition.
- CIS now compatible with:
  - Kubernetes 1.22
  - OCP 4.9 with OVN
  - AS3 3.30
Bug Fixes¶
- Issue 1659: Report “status” of TransportServer CRD.
- Issue 1684: [EDNS] CIS tries to remove non-existing monitor from GTM pool.
- Issue 1873: Enable `/metrics` endpoint with CRD mode.
- Issue 1916: Display IPAM provided IP address for TransportServer.
- Issue 2006: Add support for Wildcard domain name with TLSProfile and VirtualServer.
- Issue 2014: Allow type LoadBalancer with different TargetPort and Port values.
- Issue 2025: Support ‘sni-server-name’ for GTM HTTPS Monitor.
- Issue 2031: Add support for named service port reference for ingresses.
- Issue 2032: EDNS will not work if both Virtual Server CRD and EDNS CRD are applied at the same time.
- Issue 2087: Enable nodeMemberLabel regex to support common node labels.
- Issue 2102 and Issue 2016: Fix for crash while validating secrets.
- Restructured docs examples directory.
- Improved performance while processing VS, services, and endpoint resources.
Notes¶
- EDNS resource name is modified from `externaldnss` to `externaldns`. Refer to the latest EDNS CRD definition here.
- IPv6 is validated with Calico CNI on a k8s 1.22 setup.
- Log4j vulnerability does not impact CIS and FIC code base.
Known Issues¶
- Policy CRD integration with TS CRD has a few issues.
- Wildcard hostname in VS CRD doesn’t match the parent domain.
- When root domain and wildcard domain refer to same VSAddress, CIS is not working as expected.
F5 IPAM Controller v0.1.5 Release Notes¶
Added Functionality
- IPv6 address range configuration support with default f5-ip-provider. Example.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.6.1¶
Bug Fixes¶
- Added the complete path for datagroups in http redirect iRule.
- Added RouteDomain support for AS3 resources.
- Issue 2032: EDNS will not work if both Virtual Server CRD and EDNS CRD applied at the same time.
- Issue 2012: Invalid Pool Name passed to AS3.
- Issue 1931: Cannot disable IngressClass in HelmChart.
- Issue 1911: CIS deletes all existing VSs when the CIS pod restarts.
- Issue 1792: EDNS fails to link WIP to Pool, error says “last-resort-pool” needs value in bipctrl log.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.6.0¶
Added Functionality¶
- CIS is now compatible with OpenShift 4.8.12. It is validated with OpenShift SDN and OVN-Kubernetes with hybridOverlay.
- CIS supports IP address assignment to IngressLink Custom Resources using F5 IPAM Controller (See documentation).
- CIS validates IPv6 addresses in the `bigip-url` and `gtm-bigip-url` parameters.
Bug Fixes¶
- Issue 1679: CIS requires GTM parameter in CIS declaration even if GTM runs on the same BIG-IP.
- Issue 1888: Unable to upgrade from 2.2.0 (or below) to 2.2.1 (or above).
- Issue 1941: CIS 2.5 outputs DEBUG logs even with `--log-level=INFO` configured.
- Fixed issue with deletion of monitor on EDNS custom resource deletion.
Performance Improvements¶
- Improved EDNS Performance: new VirtualServer creation triggers processing of only associated EDNS resources.
- Improved Ingress performance.
Known Issues¶
- EDNS with https monitor is not properly supported.
F5 IPAM Controller v0.1.5 Release Notes¶
Added Functionality
- F5 IPAM Controller supports InfoBlox (see the documentation for more information).
- Persistent support added for F5 IPAM Controller default provider. FIC now requires a PVC with volume mounted in the deployment for the default provider (see the documentation for more information).
- Added support for Single NetView via the deployment parameter `infoblox-netview`. It does not need to be provided via an IPAM label (see the documentation for more information).
- Added support for standalone IP in Infoblox Provider.
- Added support for the `credentials-directory` configuration option for mounting Infoblox credentials and self-signed certificate from Kubernetes secrets.
- Disabled DNSView for Infoblox Provider.
Bug Fixes
- Stale status entries are cleared from IPAM custom resource.
- FIC restart allocates multiple IP addresses on InfoBlox.
Known Issues
- With InfoBlox integration, `update ip-range` is not working as expected.
Migration from 0.1.4
- With this release, the `f5ipam` CRD is renamed to `ipam`.
- The resource in the clusterrole should be updated to IPAM before upgrading to the latest IPAM (see the latest clusterrole in the documentation).
- For the F5 IPAM Controller default provider, update the deployment with a PVC and volume for persistence of the DB. A volume mount is a prerequisite for FIC v0.1.5 (see the documentation for FIC deployment with volume).
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.5.1¶
Added Functionality¶
- CIS now supports:
- Deletion of old F5IPAM CR when it is not in use.
- Skipping certificate validation for passthrough routes.
- The ability to update or delete Ingress V1 annotation with shared IP.
Bug Fixes¶
- Issue 1921: Plain text login and password in process status on node that is running controller.
- Issue 1849: Fix VirtualServer CRD processing which share same IP and different port.
- OpenShift operator no longer fails to install multiple CIS instances due to existing CRDs.
Vulnerability Fixes¶
| CVE | Comments |
|---|---|
| CVE-2019-19794 | Upgraded the miekg Go DNS package in CIS repository |
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.5.0¶
Added Functionality¶
- CIS is now compatible with:
- Kubernetes v1.21
- OpenShift 4.7.13 with OpenShift SDN
- AS3 3.28
- Added support for:
- Multiport Service and Health Monitor for Service type LoadBalancer in CRD mode. See examples.
- Issue 1824: Kubernetes networking.k8s.io/v1 Ingress and IngressClass. See examples.
- For networking.k8s.io/v1 Ingress, add multiple BIG-IP SSL client profiles with annotation `virtual-server.f5.com/clientssl`. See examples.
- OpenShift route annotations `virtual-server.f5.com/rewrite-app-root` (examples) and `virtual-server.f5.com/rewrite-target-url` (examples) with agent AS3.
- Issue 1570: iRule reference in TransportServer CRD. See examples.
- CIS deployment configuration options:
- `--periodic-sync-interval` - Configure the periodic sync of Kubernetes resources.
- `--hubmode` - Enable support for ConfigMaps to monitor services in same and different namespaces.
- `--disable-teems` - Configure to send anonymous analytics data to F5.
- CIS now monitors changes to Kubernetes Secret resource.
- Improved performance while processing Ingress resources.
- CIS in AS3 agent mode now adds default cipher groups to SSL profiles for TLS v1.3.
- CIS now supports F5 IPAM Controller 0.1.4.
- Helm Chart Enhancements:
- Latest CRD schemas.
- Added support to install Ingress and IngressClass objects in networking.k8s.io/v1.
Bug Fixes¶
- CIS now properly adds nodes as pool members (in NodePort mode).
Known Issues¶
- To improve performance, F5 recommends increasing the resync periodic interval to more than 300 seconds except for passthrough routes. Configure CIS deployment with `--periodic-sync-interval` to more than 300 seconds. OpenShift Routes with termination Passthrough are processed post this interval.
Upgrading to 2.5.0¶
- CIS 2.5.0 supports Kubernetes networking.k8s.io/v1 Ingress and IngressClass. With Kubernetes version 1.18+:
- Update CIS ClusterRole. We removed resourceName to monitor all secrets.
- Create IngressClass before upgrading to version 2.5.0.
- To upgrade CIS using operator in OpenShift:
- Install IngressClass manually.
- Install CRDs manually if using CIS CustomResources (VirtualServer/TransportServer/IngressLink).
F5 IPAM Controller v0.1.4 Release Notes:¶
Added Functionality
- F5 IPAM Controller supports Infoblox (Preview available for VirtualServer CRD only). Refer to documentation for more details.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.4.1¶
Added Functionality¶
- CIS supports F5 IPAM Controller 0.1.3.
- Helm Chart Enhancements:
- Added support for multiple namespace configuration parameter with CIS operator.
Bug Fixes¶
- Issue 1737: Inconsistent ordering of policy rules when adding an Ingress path.
- Issue 1808: K8S BIG-IP Controller uploads old certificate to BIG-IP.
- Stale IPAM CR configuration is deleted when CIS restarts.
- IPAM allocated IP address now populates for VirtualServer under VSAddress column.
- CIS supports endpoints created without nodeNames in cluster mode for Headless Service.
- Updated Helm charts to support IBM platform certification.
Vulnerability Fixes¶
| CVE | Comments |
|---|---|
| CVE-2020-36242 | Upgraded the cryptography package in f5-common-python repository |
| CVE-2020-25659 | Upgraded the cryptography package in f5-cccl repository |
| CVE-2020-14343 | Upgraded the PyYAML package in f5-cccl repository |
Limitations¶
Due to changes in the BIG-IP Python API, CIS EDNS no longer functions correctly. EDNS will be moving to the AS3 API in the upcoming release.
F5 IPAM Controller 0.1.3 Release Notes:¶
Added Functionality
- Old entries in IPAM CR spec/status are now removed when CIS is restarted versus during an update.
- FIC does not allocate the last IP address specified in the IP range.
- Deleting resources releases IP address along with clearing corresponding spec entries.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.4.0¶
Added Functionality¶
- Improved data group handling for virtual server custom resource.
- CIS is now compatible with: Kubernetes 1.20
- CIS supports IP address assignment to Kubernetes service type LoadBalancer using F5 IPAM Controller. Refer for Examples.
- CIS supports IP address assignment to Transport Server CR using F5 IPAM Controller. Refer for Examples.
- Added support for defaultRouteDomain in custom resource mode.
- CIS supports service address reference in virtual server and transport server Custom Resources.
- Integrated the IngressLink mode with CRD mode.
- CIS supports implicit Health Monitor for ingress link resource
- Improved data group handling for virtual server custom resource
- Helm Chart Enhancements:
- Updated the Custom Resource Definitions for Virtual Server and Transport Server resources.
- Added the IngressLink Custom Resource installation using Helm charts.
- Updated the RBAC to support service type LoadBalancer.
Bug Fixes¶
- SR - Fix continuous overwrites with iApp in cccl mode.
- Issue 1573: Added support for type UDP Transport Server CRD.
- Issue 1723: BIG-IP selects wrong certificate with ECDSA-signed certificate.
- Issue 1645: Certificate-check added in CISv2.2.2 logs too often.
- Issue 1730: Partition default_route_domain is being reset while creating VirtualServer via CRD to 0.
Vulnerability Fixes¶
| CVE | Comments |
|---|---|
| CVE-2020-1747 | Upgraded the PyYAML package in f5-cccl repository |
| CVE-2020-25659 | Removed unused package cryptography in f5-cccl repository |
Limitations¶
VXLAN tunnel name starting with prefix “k8s” is not supported. CIS uses prefix “k8s” to differentiate managed and user-created resources. See Issue 1508 for more information.
FIC 0.1.2 Release Notes¶
Added Functionality
- FIC supports label-based IP address allocation.
- FIC supports multiple CIS deployments.
- FIC is now compatible with k8s 1.20.
- FIC now creates the IPAM custom resource schema for validation.
- Earlier way of specifying `--ip-range` format is deprecated.
Known Issues
- FIC does not allocate the last IP address specified in the ip range.
- CIS deletes IPAM custom resource intermittently.
- Updating the `--ip-range` in FIC deployment is not working properly.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.3.0¶
Added Functionality¶
- CIS supports IP address assignment to Virtual Server CRD using F5 IPAM Controller.
- CIS allows user to leverage Virtual IP address using either F5 IPAM Controller or virtualServerAddress field in VirtualServer CRD.
- Support Passthrough termination for TLS CRD.
- Added support for AS3 schema minor versions.
- Issue 1631: Support caCertificate for OpenShift Routes.
- Issue 1571: iRule reference for CRD for VirtualServer.
- Issue 1592, Issue 1621: Enabling VLANS on CRD for VirtualServer and TransportServer.
- Updated CR Kind from NginxCisConnector to IngressLink.
- Helm Chart Enhancements:
- Added Support for livenessProbe, ReadinessProbe, nodeSelectors, tolerations.
- Issue 1632: Added Support for skipping CRDs.
Bug Fixes¶
- Issue 1457: Each Client request will be logged on BIG-IP when http2-profile is associated to Virtual Server.
- Issue 1458: CIS v2.1.0 does not delete LTM-Policy reset-rule when OpenShift-annotation for whitelist-source-range will be removed.
- Issue 1498: In iRule openshift_passthrough_irule the variable “$dflt_pool” could not be set correctly when http/2-profile is linked to Virtual Server.
- Issue 1565: Logs should distinguish ConfigMap and Ingress errors.
- Issue 1641: Debug log sKey.ServiceName in syncVirtualServer.
- Issue 1671: TransportServer assigns wrong pool/service.
- CIS fails to update pod ARP on BIG-IP, "Attempted to mutate read-only attribute(s)".
Limitations¶
- For AB routes, HTTP2 traffic does not distribute properly when http2-profile is associated to VS.
- Workaround for CIS in IPAM mode.
- Removing virtualServerAddress field from VSCRD in non-IPAM mode may flush corresponding BIG-IP configuration.
- CIS works with dedicated F5 IPAM Controller only.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.2.3¶
2.2.2¶
Added Functionality¶
- CIS is now compatible with:
- OpenShift 4.6.4.
- Kubernetes 1.19
- BIG-IP v16
- AS3 3.25.
- CIS now verifies whether the BIG-IP clientssl/serverssl is valid or not valid.
- Support for error handling in CRDs.
Bug Fixes¶
- Issue 1557: iRule openshift_passthrough_irule logs various TCL errors.
- Issue 1584: iRule openshift_passthrough_irule logs TCL errors - can’t read “tls_extensions_len”.
- Issue 1602: ConfigMap not working for 2.2.1 but works for 2.2.0.
- CIS now properly handles incorrect configMap with syntax errors.
- CIS now logs crash message when processing multiple EDNS.
- CIS now handles deletion of GTM configuration when there is no EDNS configuration after CIS restarts/starts.
- CIS now handles the duplicate and invalid routes properly.
- CIS now updates global parameters SNAT by every Virtual server pointing to the same hostname.
- CIS handles duplicate path issue with virtual server pointing to same host or virtual address.
- CIS handles MAC address parsing issue with new flannel versions.
- CIS now processes TLS profiles correctly when VirtualServer and TLS profiles are added at a time.
- CIS now processes configMap updates properly.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.2.1¶
Added Functionality¶
- CIS is now compatible with:
- OpenShift 4.6.4.
- AS3 3.24.X
- CIS supports OVN-Kubernetes CNI for Standalone and HA with OSCP 4.5.X
- External DNS CRD – Preview available in CRD mode:
- Supports single CIS to configure both LTM and GTM configuration.
- Supports external DNS for GTM configuration.
- Create Wide-IP on BIG-IP using Virtual server CRD’s domain name.
- Multi-cluster support for the same domain.
- Health monitor support for monitoring GSLB pools.
- CIS deployment parameters added: `--gtm-bigip-url`, `--gtm-bigip-username`, `--gtm-bigip-password` and `--gtm-credentials-directory` for External DNS.
- CRD schema definition for External DNS.
- CRD examples.
Bug Fixes¶
- Issue 1464: CIS AS3 does not support k8s services with multiple ports.
- Issue 1391: Expose Kubernetes API services via F5 ingress crashes CIS.
- Issue 1527: Service Discovery logs not being output.
- SR: Fix for concurrent map read and write with configmap processing.
- SR: Improved performance by skipping the processing of endpoints for unassociated services.
Limitations¶
- CIS does not update the GSLB pool members when virtual server CRD’s virtualServerAddress is updated or virtual server CRD is deleted for a domain.
- CIS is unable to delete the Wide-IP without Health Monitor.
- CIS is unable to delete the Health Monitor when there are no virtual server CRD available for a domain name.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.2.0¶
Added Functionality¶
- Custom Resource Definition (CRD):
- Multiple ports in a single service.
- TransportServer Custom Resource.
- VirtualServer Custom Resource without Host Parameter.
- Share Nodes implementation for CRD, Ingress, and Routes.
- WAF integration.
- SNAT in VirtualServer CRD.
- Option to configure Virtual address port.
- App-Root Rewrite and URL Rewrite.
- Health monitor for each pool member.
- Option to configure VirtualServer name.
- NGINX CIS connector.
- Namespace label.
- CRD TEEMs Integration.
- Support for AS3 3.23.
- Upgraded AS3 Schema validation version from v3.11.0-3 to v3.18.0-4.
- Schema
- Examples
Bug Fixes¶
- Custom Resource Definition (CRD):
- Verified the AS3 installation on BIG-IP in CRD Mode.
- Streamlined logs.
- Fixed unnecessary creation of HTTP VirtualServer when httpTraffic is set to 'None'.
- Routes:
- Fixed FlipFlop of Policy with AB deployment Routes.
- Removed unwanted logs from iRule.
Limitations¶
- Modifying VirtualServer address leads to traffic loss intermittently. Delete and re-create the VirtualServer as an alternative.
- VirtualServers with same host and virtualServerAddress should maintain same parameters except pool, tlsProfileName and monitors.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.1.1¶
Added Functionality¶
- CIS is now compatible with:
- OpenShift 4.5
- AS3 3.21.0
- Custom Resource Definition (CRD) Preview version available with virtual-server and TLSProfile custom resources. See the Custom Resource Definitions section for more information and examples.
- Added Support for k8s Secrets with TLSProfile Custom Resource.
- Improved the strategy of processing virtual-server and TLSProfile custom resources.
- Added support for installation using Helm and Operator.
- Streamlined logs to provide insightful information in INFO and remove unwanted information in DEBUG mode.
Bug Fixes¶
- Issue 1467: AS3 ERROR declaration.schemaVersion must be one of the following with Controller version 2.1.0.
- Issue 1433: Template is not valid. When using CIS 2.1 with AS3 version: 3.21.0.
- Issue 1440: Optional health check parameters don’t appear to be optional.
- Fixed issues with processing multiple services with same annotations in AS3 ConfigMap mode. When there are multiple services with same annotations, CIS updates the oldest service endpoints in BIG-IP.
- Fixed issues with continuous AS3 declarations in CRD mode.
- Fixed issues with re-encrypt termination on multiple domains in CRD mode.
- Fixed issues with CIS crashing in CRD mode in the following situations: when the user removes `f5cr` label from VirtualServer or TLSProfile custom resources; when the user deletes TLSProfile custom resource. This behavior is intermittent.
- Fixed issues with processing of unwanted endpoint and service changes in CRD mode.
Limitations¶
- During restarts, CIS fails to read TLSProfile custom resource. This behavior is intermittent.
- CIS does not update the endpoint changes on BIG-IP in CRD mode. This behavior is intermittent.
- CIS does not validate secrets and BIG-IP profiles provided in TLSProfile custom resource.
- CIS supports only port 80 and 443 for BIG-IP Virtual servers in CRD mode.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.1¶
Added Functionality¶
- CIS will not create _AS3 partition anymore.
- CIS uses single partition (i.e. `--bigip-partition`) to configure both LTM and NET configuration.
- Additional AS3 managed partition _AS3 will be removed if it exists.
- Enhanced performance for lower CPU Utilization with optimized CCCL calls.
- CIS validates AS3 declarations against AS3 v3.20 schema.
- CIS supports AS3 versions installed on BIG-IP from v3.18 to latest (v3.20).
- Added support for:
- Multiple AS3 ConfigMaps.
- AS3 label switching in AS3 ConfigMap resource:
- When set to False, CIS deletes the existing configuration (or) CIS ignores AS3 ConfigMap.
- When set to True, CIS reads the corresponding AS3 ConfigMap.
- Added Whitelist feature support for agent AS3 using policy endpoint condition.
- New annotation “allow-source-range” added parallel to “whitelist-source-range”.
- Deprecated `--userdefined-as3-declaration` CIS deployment option as CIS now supports Multiple AS3 ConfigMaps.
- Custom Resource Definition (CRD) – Alpha available with TLS support.
- Highlights of this Alpha CRD version:
- Supports single partition to configure both LTM and NET configuration.
- Supports both unsecured and TLS CRD.
- Supports single domain per Virtual server.
- Supports merging multiple virtual servers into single BIG-IP VIP referring to a single domain.
- Added Health monitor support.
- Supports nodelabel in Virtual server CRD.
- Supports TLSProfile CRD with BIG-IP reference client and server SSL profiles.
- Supports TLSProfile CRD with K8S secrets reference for client SSL profiles.
- CRD schema definition for both Virtual server and TLSProfile.
- CRD examples.
- The following GitHub repositories have been archived and are now read-only. These projects are no longer actively maintained:
Bug Fixes¶
- Issue 1420: Enhanced performance for lower CPU Utilization with optimized CCCL calls.
- Issue 1362: CIS supports HTTP Header with iv-groups.
- Issue 1388, 1311: CIS properly manages AS3 ConfigMaps when configured with namespace-labels.
- Issue 1337: CIS supports multiple AS3 Configmaps.
- Issue 1171: CIS will not create _AS3 partition anymore.
Vulnerability Fixes¶
| CVE | Comments |
|---|---|
| CVE-2018-5543 | CIS Operator uses `--credentials-directory` by default for BIG-IP credentials |
Guidelines for upgrading to CIS 2.1¶
- Those migrating from agent CCCL to agent AS3:
- User should clean up LTM resources in the BIG-IP partition created by CCCL before migrating to CIS 2.1. Steps to clean up LTM resources in the BIG-IP partition using AS3:
- Use this POST call: `https://<bigip-ip>/mgmt/shared/appsvcs/declare?async=true` along with this AS3 declaration.
- Note: Please modify `<bigip-ip>` in the above POST call and the `<bigip-partition>` name in the AS3 configuration.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
2.0¶
Added Functionality¶
- AS3 is the default agent. Use deployment argument `--agent` to configure CCCL agent.
- Custom Resource Definition (CRD) – Alpha available with Custom resource virtual-server.
- Added new optional deployment arguments:
- `--custom-resource-mode` (default `false`) when set `true` processes custom resources only.
- `--userdefined-as3-declaration` for processing user defined AS3 ConfigMap in CIS watched namespaces.
- AS3 versions newer than 3.18 are required for 2.X releases.
- CIS is now compatible with:
- OpenShift 4.3
- BIG-IP 15.1
- K8S 1.18
- Base image upgraded to UBI for CIS Container images.
- Added Support for:
- Multiple BIG-IP ClientSSL profiles for a Virtual Server
- Informer based Override AS3 ConfigMap
- UserAgent in AS3 Controls object
- New Attributions Generator - Licensee
- GO Modules for dependency management
- HTTPS health monitoring for passthrough and re-encrypt routes
- New RH container registry: registry.connect.redhat.com/f5networks/cntr-ingress-svcs
Bug Fixes¶
- CIS handles requests sent to unknown hosts for Routes using debug messages.
- CIS handles frequent posting of the 'Overwriting existing entry for backend' log message when different routes are configured in different namespaces.
- Issue 1233: CIS handles ClientSSL annotation and cert/key logging issues.
- Issue 1145, 1185, 1295: CIS handles namespace isolation for AS3 ConfigMaps.
- Issue 1241, 1229: CIS fetches 3.18 AS3 schema locally.
- Issue 1191: CIS cleans AS3 managed partition when moved to CCCL as agent.
- Issue 1162: CIS properly handles OpenShift Route admit status.
- Issue 1160: CIS handles https redirection for ingress which accepts all common names.
Vulnerability Fixes¶
| CVE | Comments |
|---|---|
| CVE-2009-3555 | CIS disables renegotiation for all Custom ClientSSL |
Limitations¶
- CIS with CCCL as agent, OpenShift A/B route cannot be updated in BIG-IP versions newer than 14.1.X due to data group changes.
Next Upgrade Notes¶
- From CIS 2.1, additional AS3 managed partition `_AS3` will be removed.
Security Vulnerabilities¶
Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.
To see older versions of the release notes, see this page.