Release Notes

This page contains the release notes for F5 BIG-IP Container Ingress Services. To see the changes in this documentation, see Document Revision History.

2.19.1

Bug Fixes

• Issue 3679: Certificate, CA chain, and private key shown in debug logs.
• Issue 3726: VS in default multi cluster mode not working.
• Issue 3655: Calico static routes not updated when nodes added/removed from cluster.
• Issue 3717: Static Route CNI calico doesn’t detect multiple block affinities.
• Issue 3719: Fix shared static routes override each other.
• Issue 3723: Configuration errors reset VS Address to None for all Virtual Servers, Transport Servers, and Ingress Links.
• Issue 3727: F5-cis needs a restart to use updated kubeconfig secret.
• Resolved Kubernetes Client API throttling errors.
• Improved monitor creation efficiency in default mode by utilizing a shared monitor for pools.

Upgrade notes

• When using Calico CNI with staticRoutingMode, update RBAC permissions to allow monitoring of Calico block affinities resources. Refer to the RBAC documentation for the details.
• Upgrade AS3 to version 3.52 to support shared monitor creation for pools in Multi-Cluster default mode.

Known Issues

• When shared static routes are enabled, changes in the CIS partition may require manual cleanup of routes from the Common partition.

2.19.0

Added Functionality

What’s new:

• Multi Cluster

  • local-cluster-name parameter is a new and mandatory parameter for multi-cluster mode.
  • Introducing the new default mode for MultiCluster topologies which supports the ServiceType LoadBalancer, VirtualServer CR, and Transport Server CR. See Default Mode.
  • CIS now supports the serviceType Load balancer discovery in remote clusters as well using the default mode. See Default Mode.
  • Support for the MultiCluster serviceType load balancer in the default mode. See Example.

  • Issue 3494: make service discovery equal for all clusters by eliminating the extendedServiceReferences attribute.

    • CIS now does the service discovery for VS/TS CR from all the clusters implicitly in Active-Active or Ratio mode.
    • extendedServiceReferences property is not supported for VS/TS CR in the Active-Active and Ratio mode any more.
    • Active-standby mode is not supported any more.

• CRD

  • Issue 3523: Support for HTTP Compression profile in VS CR. See Example
  • Issue 3637: Support for TLS in transport server. See Example
  • Issue 3574: OpenShift operator: needs to run oc adm policy add-cluster-role-to-user cluster-admin -z f5-bigip-ctlr-serviceaccount -n <spec.namespace>
  • Issue 3528: Cross Site Multi-Cluster GTM Support with ccclGTMAgent
  • Support for empty node label selector.

Bug Fixes

• Issue 3615: Fix service type LoadBalancer IPs re-assigned on service update.
• Issue 3561: Controller stops posting changes at runtime when some ingress path has the + character.
• Issue 3570: tls irule fails if pool has no active members.
• Issue 3654: Persistent connection issue with SSL and HTTP pools in a VirtualServer Hostgroup.
• Issue 3599: typo in CIS Operator arguments.
• Issue 3574: Fix the adm policy for service account in OpenShift operator.
• Support dots and dashes in object names aligned to AS3

Upgrade notes

• serviceAddress property for VS and TS CR is not allowed to add/delete once the CR is created.
• –local-cluster-name parameter is a new and mandatory parameter for multi-cluster mode, It is required for all the modes(default, active-active, and ratio).
• Default mode is the default mode for multi-cluster, if no mode is specified in the extended configMap.
• CIS now does the service discovery for VS/TS CR in all the clusters defined via extended configMap when active-active or ratio mode is configured.
• Active-standby mode is deprecated and not supported anymore.
• extendedServiceReferences have been deprecated for VS/TS CR in the active-active and ratio mode.

2.18.1

Added Functionality

What’s new:

• CRD
  • Issue 3536 Added CRD status support for VS, TS, and IngressLink.
  • Added support for custom partition and pool settings for ServiceTypeLB service. See example.

Bug Fixes

• Issue 3518 CIS is reposting the declaration because of re-ordering of the pool-members.
• Issue 3520 [LOGS] improve log message Finished syncing virtual servers xxx in namespace yyy(199.218µs).
• Issue 3507 Controller stops posting changes at runtime when multiple ingress use the same backend service.
• Issue 3501 CIS with oneconnect and TLS breaks some connections.
• Remove pool members of GTM when host removed or updated on Transport Server, IngressLink, and, Service Type LB.
• Issue 3535 CIS with namespace-label is not working correctly in MultiCluster mode.
• Issue 3508 Fix to disable default UID in F5 BIG-IP Controller Operator.
• Fix for handling resource deletion incase of multiple VS/TS sharing the service.

Upgrade notes

• Improved the resource status for Virtual Server, Transport Server, and Ingresslink, To upgrade the CRD schema, see Updating Custom Resource Definitions.

2.18.0

Added Functionality

What’s new:

• CRD
  • Issue 3471 Support for loadBalancerClass for service type lb. See example.
  • Issue 3438 Support for FTP Profile in Policy CR. See example.
  • Issue 3418 Support to append route domain to the virtual addresses of the BIG-IP in Virtual Server, Transport Server, and IngressLink. See examples with virtual server, transport server, and ingressLink.
  • Issue 3511 Support for Request and Response Adapt Profiles in VirtualServer CRD or Policy CRD. See Virtual Server CR, and Policy CR.
  • Issue 3442 Support for multiple LTM monitors with multiple virtual servers referring to same backend.
• Issue 3430 Support for CIS deployment parameter ipam-namespace to configure the namespace for IPAM CR.
• Issue 3373 Support to disable members based on deployments for AS3 Configmaps. See example.
• Add support for AS3 3.52.0.
• CIS is now compatible with OpenShift 4.16.
• CIS and IPAM operator support for OpenShift 4.16
• Support for Passthrough Virtual Server/route without default ssl profile (Minimum AS3 version required is 3.52).
• Add support to disable specific version of tls in tls profile.

Bug Fixes

• Issue 3401 Fix for invalid iRule generation for HTTP/2 full proxy mode.
• Issue 3466 Fix for scaling issue in NodeportLocal mode.
• Issue 3432 Shows meaningful logs for exceptions occured from controller agent.
• Issue 3396 Fix for adding pool members from external clusters in nodeportLocal mc mode.
• Issue 3351 Improved message handling when getting HTTP/401 from AS3.
• Fix pool members not getting updated for VS/TS on re-deployment of application with different servicePort and targetPort.

Known Issues

• Support for multiple LTM monitors with single virtual server referring to same backend on different paths does not work.

Upgrade notes

Starting with CIS version 2.18.0:

• By default, CIS will automatically process all the services that do not have the loadBalancerClass field set in the service specification. However, it will not process the services that have the loadBalancerClass field set in the service specification. The Load Balancer Class supports all the Custom Resources (such as VirtualServer, TransportServer, and IngressLink) and the loadBalancer service. This feature cannot be disabled. You need to either remove the loadBalancerClass field from the service or set the CIS deployment parameter load-balancer-class to the same value as the loadBalancerClass field in the service. Additionally, see the deployment parameter manage-load-balancer-class-only, to control the behavior of CIS for services with the loadBalancerClass field set in the service specification.
• If you are using CIS with AS3 version 3.52 or higher, the passthrough Virtual Server on BIG-IP will not have default ssl profile.

F5 IPAM Controller v0.1.11 Release Notes

Added Functionality

What’s new:

• Support for namespace to watch the multiple namespaces for IPAM CRD.

2.17.1

Added Functionality

What’s new:

• CRD
  • Issue 3378 Support to control ciphers groups and ssl options in TLSProfile CRD, see example.
  • Improved performance for Hub Mode using the isTenantNameServiceNamespace label in the AS3 configmap, see example.
  • Pod Graceful Shutdown support for AS3 ConfigMap using CIS deployment parameter pod-graceful-shutdown, see Configuration Parameters.

Bug Fixes

• Issue 3395 BIG-IP controller 2.16.0 removes F5 configuration when removing Kubernetes resources in namespace.
• Issue 3424 Static routes are not added if a label is not added to a namespace when the --namespace-label flag is used.
• Issue 3443 Addressed the problem with IPAM IP allocation on resource recreation.
• Issue 3406 Upon deletion of all CRD resources, the default route domain of the CIS-managed Partition resets to 0.
• Issue 3405 Resolved the issue where Helm Chart does not enable ingressClass after creating it.
• Resolved the issue where LB Services remain stuck in a Pending state when using IPAM.

Upgrade notes

Starting with CIS version 2.17.1:

• Re-sync period for the service in hub mode is the same as the periodic sync interval configured in the CIS deployment parameter periodic-sync-interval, for which the default value is 30 seconds..

• If the --ipam-cluster-label is already enabled in previous versions, it is recommended to remove the ipam CR created by the previous version of CIS and recreate it. For example, you can use the command:

  kubectl -n kube-system delete ipam <CIS_deployment_name>.<CIS_managed_bigip_partition>.ipam

  • If you wish to enable --ipam-cluster-label in CIS or modify the --ipam-cluster-label configuration, it is still recommended to remove the ipam CR created by the previous version of CIS.

2.17.0

Added Functionality

What’s new:

• Multi-Cluster
  • Support for Alternate backend and cluster Ratio in Transport Server, see example.

• CRD
  • Issue 3337 Support for access profile and per request policy in policy CRD and VS CRD, see example.
  • Issue 3352 Add support for alternate backend,weight and ratio for transport server, see example.

• Support for Calico CNI with Static Routing Mode, see StaticRouteSupport.
• CIS compatible with
  • Kubernetes 1.31
  • OpenShift 4.15
• Improved operator support for OpenShift 4.15.

Bug Fixes

• Issue 3371 CIS added irules cannot have “event disable all”.
• Issue 3402 TLS iRule fails after recent browser updates.
• Fix for EDNS pool member empty issue.
• Issue 3414 CIS is deleting referenced SSL Profile it did not create.
• Issue 3434 Fix crash in CIS startup after using namespace-label parameter.

2.16.1

Added Functionality

What’s new:

• CRD
  • Issue 3329: Add support for static ip configuration in annotation for service type LoadBalancer.

Bug Fixes

• Issue 3324: Fix for Service LoadBalancer with targetPort set to name of containerPort creates emtpy BIG-IP Pool.
• Issue 3326: Multi-cluster: Services in blue-green deployments don’t get updated.
• Issue 3340: Fix to post latest config in retrying a failing AS3 configuration.
• Issue 3335: Authorization errors and unexpected 503 HTTP return code inside F5 BIGIP controller version 2.16-WIP.
• Issue 3322: Ingress using single service backend with different paths and ports not create correctly f5 ingress object.

Known Issues

• CVE-2024-2961

F5 IPAM Controller v0.1.10

Vulnerability Fixes

• CVE-2023-38545
• CVE-2023-38546
• CVE-2022-48337
• CVE-2022-48338
• CVE-2022-48339
• CVE-2023-2491
• CVE-2023-24329
• CVE-2023-40217
• CVE-2023-4527
• CVE-2023-4806
• CVE-2023-4813
• CVE-2023-4911
• CVE-2023-44487
• CVE-2023-28617
• CVE-2022-40897

Known Issues

• CVE-2024-2961

2.16.0

Added Functionality

What’s new:

• Multi Cluster
  • Issue 3284: Added support to avoid service pool creation for clusters under maintenance, see Example.
  • Streamlined naming convention for extended service references and multi cluster reference annotations. See Example: updated field names for extendedServiceReferences in VS CRD and Example: updated field names for multiClusterServices annotation in NextGenRoutes.

• CRD
  • Issue 3225: Support for Host Persistence to configure and disable the Persistence in VS Policy Rule action based on host in VirtualServer, see Example.
  • Issue 3262: Support for Host Aliases to allow defining multiple hosts in VirtualServer CRD, see Example.
  • Issue 3263: Support for Host group virtual server name in virtual server to customise the virtual server name when Host Group exists, see Example.
  • Issue 3279: Support to disable default partition in AS3 legacy nodeport mode.
  • Issue 3295: Support to set the default pool via policy CRD for virtual server and nextgen routes, see Example.
  • Issue 3239: Support for mix of k8s Secret and bigip reference in TLSProfile, see Example.
  • Support to set sslProfile with https monitor in virtualServer and nextgen routes. See Example for Virtual Server CRD and See Example for NextGenRoutes.
  • Support for self value of SNAT in virtualServer and transportServer.

• Support for pool-member-type auto for CRD, NextGen Routes, and multiCluster mode, see Documentation.
• Support for CIS deployment parameters trusted-certs-cfgmap && insecure in CRD and NextGen, see Example.
• CIS is compatible with AS3 3.50.

Bug Fixes

• Issue 3230: CRD multicluster configuration triggers Raw response from Big-IP: map[code:422 declarationFullId: message:declaration has duplicate values in rules]. Please refer FAQ in Documentation.
• Issue 3232: Enhance as3 response add the runtime attribute.
• Issue 3266: Improve log when admitting next gen routes.
• Issue 3267: Improve log for certificate host name validation.
• Issue 3268: Handle embedded certificates appropriately when missing SAN and hostnames mismatch.
• Issue 3277: Additional PoolMember properties in ConfigMap not preserved for NodePortLocal mode.
• Issue 3299: Fix for EDNS in AS3 and CCCL modes.
• Issue 3312: CIS 2.15 crashes due to interface conversion panic.
• Fix for wildcard domain with multiple hosts in tls profile.
• Improved documentation for HTTP2 profile. See Documentation.

Upgrade notes

Starting with CIS version 2.16.0:

• In CRD, the default value of “–insecure” will be false and if “trusted-certs-cfgmap” deployment parameter is not configured, CIS might crash with error “x509: certificate signed by unknown authority”.
• In multicluster, serviceName is replaced with service and port is replaced with servicePort in the extendedServiceReferences/multiClusterServices.

2.15.1

Added Functionality

• CRD
  • Support for HTML profile in Policy CR and VirtualServer CR. See Example
  • Support for renegotiationEnabled in TLSProfile CR. See Example

• CIS compatible with OpenShift 4.14 and Kubernetes 1.29
• Improved operator support for OpenShift 4.14

Bug Fixes

• Issue 3160: Support to provide different IPs for the same resources deployed in different clusters for Infoblox IPAM provider only.
• Issue 3197: Image mismatch in F5 operator metadata.

2.15.0

Added Functionality

• Multi-Cluster Support
  • Support for cluster AdminState. See example

• Next Generation Routes
  • Support for readiness based auto Health monitor. See example
  • Support for new route annotation virtual-server.f5.com/pod-concurrent-connections. See example

• CRD
  • Issue 3062 Support ConnectionMirroring in virtualserver and Transportserver CR, See example
  • Issue 2963 Support MinimumMonitors in virtualserver CR

• CIS compatible with
  • Kubernetes 1.28
  • OpenShift 4.13
  • AS3 3.48

• Improved AS3 GTM agent to GTM server.
• Support for new CIS health check endpoint /ready.
• Support for configuring node network CIDR for ovn-k8s CNI with staticRoutingMode. See example
• Support for OpenShift 4.13 Operator.
• Support for a/b deployment custom persistence in ratio mode with cluster mode. See example

Bug Fixes

• Issue 3057 Support for pool settings for reselect with policy CR.
• Issue 3061 Provide stable pool name in multi cluster mode.
• Issue 3079 Fix logic for node not ready check.
• Issue 3073 Fix AS3 config map multi port service issue.
• Issue 2985 Improve CIS primary and secondary coordination.
• Issue 3126 VirtualServer with hostGroup and ipamLabel set returns the wrong vsAddress status

Upgrade notes

• Default health monitoring with NextGen Routes is disabled. Recommend using autoMonitor support. See example

Known issues

• [Multi-Cluster] Route status is not updated in other HA cluster.
• Issue 777 Cluster adminState in multiCluster mode doesn’t work properly with AS3 (v3.47 and v3.48) as updating pool member adminState from enable to offline fails with 422 error with AS3 (v3.47 and v3.48). If customer needs this feature, we recommend to use AS3 v3.46 or lower on BIGIP.

2.14.0

Added Functionality

• Multi-Cluster Support
  • Support for Custom Resources on OpenShift and Kubernetes. See Documentation for more details.
  • Support for routes on OpenShift. See Documentation for more details.

• ConfigMap
  • Support for AS3 logLevel parameter in ConfigMap.
  • Support for AS3 persist parameter in ConfigMap.

• Ingress
  • Support for default pool using the single-service ingress.

• CRD
  • NodePortLocal mode support added with all CRD resources.
  • Support for default pool with VS CR. See Examples
  • Support for service typeLB in EDNS CR.
  • Support for persistence capability for service published through EDNS. See Example
  • Support for wildcard domain in EDNS CR. See Examples
  • Support for preferred client subnet in EDNS CR using AS3. See Examples
  • Support for lbModeFallback with EDNS. See Examples

• Helm Chart Enhancements
  • Support for the latest CRD schema.

• New log level AS3DEBUG to log the AS3 request and response for AS3 mode.
• Support for BIG-IP v17.x

Bug Fixes

• Fix for Virtual Server CRs with the same IP address and different hosts and terminations.
• Issue 2785 Support for wildcard domains in EDNS CR.
• Issue 2813 Add EDNS support for service type LB.
• Issue 2850 Fix for AS3 config that updated every 30 seconds by CIS with default ingress backend.
• Issue 2909 Fix for empty pool members when K8S API server throws any error.
• Issue 2941 Fix for services with the same name in different namespaces in NodePortLocal mode.
• Issue 2978 Nodes in “NotReady” state are not removed from their pool(s) when using ServiceType LoadBalancer.
• Issue 3004 ExternalDNS Global Availability Mode not working.

Known Issues

• [MultiCLuster] Pool members are not getting populated for extended service in ratio mode.
• [MultiCLuster] CIS doesn’t update pool members if the service doesn’t exist in primary cluster, but does exist in the secondary cluster for Route.
• [MultiCLuster] CIS, on start up in multiCluster mode, if on any external cluster the kube-api server is down/not reachable, CIS does not process any valid cluster configs.
• [MultiCLuster] CIS fails to post declaration intermittently with VS when using health monitors in ratio mode.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.13.1

Bug Fixes

• Exclude the removal of static ARP entries for Flannel CNI during CIS restart
• Issue 2800 Added validation message for monitor when send string is missing.
• Issue 2867 Ignore virtualServerName if hostGroup configured.
• Issue 2898 Fix for CIS crash when namespace-label parameter is used.
• Issue 2778 Fix hostless VS with IPAM to work with hostgroup.
• Issue 2908 Fix for CIS crash while updating the route status.
• Issue 2912 Enable metrics with IPv6 mode.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.13.0

Added Functionality

• Next generation routes. See GitHub for more details.
  • Support for separate policy CR for HTTP VS in NextGen Routes.
  • NextGen Route controller takes precedence over Legacy Route deployment parameters.
• CRD
  • Added support for webSocket Profile in Policy CR. See example
  • Added support for server-side HTTP2 Profile using Policy CR. See example
  • Added support for setting Auto-LastHop option from Policy CR. See example
  • Added support for setting HTTP MRF router option from Policy CR (applied for HTTPS virtual server only). See example
  • Added support for setting HTTP Analytics Profile from Policy CR. See example
  • Added support for configuring multiple iRules with Policy CR. See example
  • Added support for setting Client and Server SSL Profiles from Policy CR, for NextGen Routes only. See example
  • Added support for A/B deployment with VS CR. See example
  • Added support for ServerSide HTTP2 Profile for VS CR. See example
  • Added support for HTTP Monitor for Transport Server CR. See example
• Added static route support for ovn-k8s, flannel, Cilium and Antrea CNI.
• Added new parameter --cilium-name to specify BIG-IP tunnel name for Cilium VXLAN integration.
• Added support for operator in OpenShift v4.12.
• Added support for AS3 v3.45.0.
• CIS is now compatible with Kubenetes v1.27.

Bug Fixes

• Issue 2632 Fixed HubMode support with NodePortLocal.
• Issue 2821 Fix for additional VirtualAddresses with serviceAddress configuration.
• Issue 2550 Ability to specify additional monitor details for TransportServer CR.
• Fix for recreating the LTM objects when CIS restarts in IPAM mode.
• Improved error handling for GTM objects with cccl-gtm-agent.
• Fixed crash issue with liveness probe in NextGen Routes.
• Fixed issue for improper ARP updates in NextGen Routes.
• Skip processing OSCP system services to enhance performance in NextGen Routes.

Upgrade Notes

• Extended support for the server-side HTTP2 Profile, which causes the existing Policy CRD to be modified, for example.
• Upgrade the CRD schema using CRD Update Guide if you are using custom resources.
• When multiple client SSL certificates are specified for a VS using Kubernetes secrets with AS3 >= v3.44 and CIS >= 2.13.0, then CIS sets the first SSL profile as the default profile for SNI (sorted in alphabetical order by name). In earlier version it was set by AS3.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.12.1

Added Functionality

• Next generation routes. See GitHub for more details.
  • Support for WAF with A/B deployments in routes.
• CRD
  • Support for ExternalIP update of associated services of Type LB in Transport Server CR.
  • Support for new GTM partition in AS3 mode. CIS will create a new partition for GTM with partition name {defaultpartition_gtm} in AS3 mode.

Bug Fixes

• Issue 2725: AS3 label not working with AS3 ConfigMap when filter-tenants set to true.
• Issue 2793: TLSProfile CRD not working when the SSL profile is from Shared location.
• Issue 2797: TLSProfile deletes a referenced SSL Profile when making changes or deleting a VS.
• Issue 2799: VirtualServer deletes a referenced iRule when making changes or deleting a VS.
• Issue 2789: AS3 Post delay - Not working as expected.
• Issue 2816: Fix Error Not found cis.f5.com/ipamLabel.
• Issue 2796: EDNS not working when deployed before TS.
• Issue 2790: CIS sends multiple AS3 requests for a single VS.

Upgrade Notes

• CIS supports a new partition for GTM in AS3 mode for CRDs. In CCCL mode, there are no partition changes for GTM, common partition remains the same.
• In AS3 mode, CIS will clear existing GTM objects in default partition and recreates them in new GTM partition.
• Format of the new GTM partition name: {defaultpartition_gtm}
• With EDNS and VS/TS/IngressLink resource partition change, sometimes CIS might come across 422 error.
• The root cause can be that the VS list is not refreshed in the GSLB server.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.12.0

Added Functionality

• Next generation routes. See GitHub for more details.
  • Support for rewrite-app-root annotation in routes.
  • Support for WAF annotation in routes.
  • Support for allow-source-range annotation in routes.
  • Support for targetPort in route’s health monitors.
• Ingress
  • Support for partition annotation in Ingress.
  • Added wildcard character(*) validation for ingress path.
• CRD
  • Support for ipIntelligencePolicy with Policy CR. See GitHub for examples.
  • Support for configuring ratio on GSLBDomainPool with ExternalDNS CR. See GitHub for examples.
  • Support for BIG-IP partition with VirtualServer, TransportServer, and IngressLink CR. See GitHub for examples.
  • Support for none as value for iRules in Policy CR and VirtualServer CR to disable adding default CIS iRule on BIG-IP. See GitHub for more details.
  • Support for path/pool based WAF for VirtualServer CR. See GitHub for examples.
  • Issue 2737: Support for serviceNamespace field in transport server spec that allows to define a pool service from another namespace for TransportServer CR. See GitHub for examples.
  • Issue 2682: Support to Enable “HTTP MRF Router” on VirtualServer CRD required for HTTP2 Full Proxy feature. See GitHub for examples.
  • Issue 2666: Support for multiple virtual addresses on VirtualServer CR. See GitHub for examples.
  • Issue 2729: Support for named port with servicePort. See GitHub for examples.
  • Issue 2744: Support for Host header rewrite in VirtualServer CR. See GitHub for examples.
• Helm Chart Enhancements
  • Support for podSecurityContext.
  • Support for bigip-login secret creation.
  • Support for latest CRD schema.
  • Fix for nesting of ingressClass definitions.
• Support for --http-client-metrics deployment parameter to export the AS3 HTTP client Prometheus metrics.

Bug Fixes

• Issue 2703:Issue 2703: Fix host group having multiple hosts with EDNS.
• Issue 2726:Issue 2726: Fix prometheus metrics broken in v2.11.1
• Issue 2767:Issue 2767: Fix wrong pool member port configured.
• Issue 2764:Issue 2764: Remove unwanted TLS iRule deployed on reencrypt when passing XFF.
• Issue 2677:Issue 2677: Remove NotReady state nodes from BIGIP poolmembers in NodePortMode.
• Issue 2686:Issue 2686: Validate insecure VirtualServer CR.
• LTM policy fix for default http and https ports.

Known Issues

• Partition annotation change for ingress intermittently causes AS3 422 error. When you receive an error, delete the old ingress and recreate the ingress with a new partition.
• Partition change for custom resources (VS/TS/IngressLink) may cause AS3 422 error for default partition. When you receive an error, restart the CIS controller.

Upgrade Notes

• Refer to guide to migrate to next generation routes.
• Deprecated extensions/v1beta1 ingress API and it’s no longer processed by CIS versions newer than v2.12. Use the networking.k8s.io/v1 API for ingress.
• Deprecated CommonName support for host certificate verification in secrets. Use subject alternative name (SAN) in certificates instead.

F5 IPAM Controller v0.1.9 Release Notes

Added Functionality:

• Base image upgraded to RedHat UBI-9 for FIC Container image.

Bug Fixes:

• Issue 2747: Fix to persist IP addresses after CIS restart.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.11.1

Added Functionality

• Next generation routes preview.
  • Support for default routeGroup (Migration Only).
• Base image upgraded to RedHat UBI-9 for CIS Container image.
• Support for AS3 3.41.0.

Bug Fixes

• Added pattern definition in CR schema to align with F5 BIG-IP Object Naming convention.
• Issue 2153: Updated go.mod to v2 eTraveli.
• Issue 2657: WAF policy name does not allow hyphen (-) OrangeCyberDefense.

Documentation

• Added additional user guides to GitHub.
• Issue 2606: Applying setup files from Clouddocs fails.

CIS Helm Chart Fixes

• Updated CRD Schema
• Updated RBAC

FIC Helm Chart Fixes

• Added support for Infoblox credentials using k8s secrets in helm charts.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

1.14.2

Added Functionality

• Upgraded base image to RedHat UBI-9 for CIS Container image.

Bug Fixes

• Fixed Teems Data Crash issue.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.11.0

Added Functionality

• Next generation routes preview. See documentation and examples
  • Policy CR integration with extended ConfigMap
  • EDNS CR integration with extended ConfigMap
  • Support for Default SSL profiles from baseRouteSpec in extended ConfigMap
  • Support Path based A/B deployment for Re-encrypt termination
  • Support for TLS profiles as K8S secrets in route annotations.
  • Support for TLS profiles as route annotations.
  • Support for health monitors using route annotations
  • Support to create Health Monitor from the pod liveness probe for routes. Refer Documentation for more details
• CRD
  • CIS configures GTM configuration in default partition
  • Pool reselect support for VirtualServer and TransportServer
  • Support for allowVlans with policy CR
  • Support for –cccl-gtm-agent deployment parameter to set the gtm agent
  • Support to provide the same VIP for TS and VS CRs using hostGroup
  • Issue 2420: Support for nodeMemberLabel in Transport Server pool
  • Issue 2469: Support for virtual server grouping by hostgroup across namespaces.From 2.11, hostGroup should be unique across namespaces
  • Issue 2585: Support for multiple clientssl & serverssl profiles in TLS Profiles
  • Issue 2637: Support for custom persistence profile
• Ingress
  • Support for Translate Address annotation in Ingress.
  • Support for sslProfile in HTTPS health monitors for ingress. See Examples

Bug Fixes

• Issue 2581: IPAM to provide the same IP for different TS.
• Issue 2586: Update ExternalIP of associated services of Type LB for VS and IngressLink CR.
• Issue 2609: TargetPort support for string with NPL.
• Issue 2626: Process IngressLink on K8S node update.
• Fix to remove old Ingress monitor when type gets modified.
• Fix to send AS3 declaration for the recreated domain after IPAM controller restart.
• FIC Helm Chart Fixes: Fixed Issue 130: IPAM Helm Deployment strategy should be recreated.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.10.1

Bug Fixes

• Fix to monitor NGINX+ service changes.
• Issue 2582: Fixed issue with inconsistent pool names for VS.
• Issue 2596: Fixed invalid property name with serviceAddress.
• Issue 2570: Fixed issue where TLSProfile doesn’t get updated when the K8s secret changes.
• Issue 2394: Fixed to set ingress https monitor send string.
• Issue 2549: Fixed trafficGroup regex.
• Issue 2492: Fixed for shared pool not working in nodePort mode.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.10.0

Added Functionality

• Next Generation Routes:
  • Added new base config block for TLSCiphers in extended ConfigMap. See Examples.
  • Support for namespaceLabel in extended ConfigMap. See Examples.
  • Support for BIG-IP ClientSSL/ServerSSL profile reference in extended ConfigMap. See Examples.
  • Support for allowSourceRange in extended ConfigMap. See Examples.
  • rewrite-target-url support via route annotations.
  • Load Balancing support via route annotation. See Examples.
  • Support for AB Deployment in routes.
• CRD:
  • allowSourceRange support for VirtualServer CRs and Policy CR. See Examples.
  • Added support for TCP Health Monitor in VirtualServer CRs. See Examples.
  • Added support for multiple monitors in VirtualServer and TransportServer CRs. See Examples.
  • SCTP support for TransportServer Custom Resource. See Examples.
  • Issue 2201: Support for linking existing health monitor on BIG-IP with VirtualServer and TransportServer CRs. See Examples.
  • Issue 2361: Allow monitoring of an alias port in VirtualServer and TransportServer. See Examples.
  • Issue 1933: Added serviceNamespace field in Pools for VirtualServer CR that allows you to define a pool service from another namespace in a VirtualServer CR. See Examples.
• Ingress:
  • Added support to configure netmask for Virtual Server for Ingress. See Example.
• Support for Cilium CNI versions 1.12.0 and above in Kubernetes cluster.
• Support for --log-file deployment parameter to store the CIS logs in a file.
• Support for AS3 3.38.0
• Support for operator in Openshift versions 4.10 and 4.11.

Bug Fixes

• Fixed CIS continuous processing of ingress belonging to unmanaged ingress class.
• Issue 2325: Supporting Prometheus service in CRDs.
• Issue 2158: CIS send logs to file from container.
• Issue 2345: CIS crash due to Route Profiles.
• Issue 2507: Monitor name by accident includes health check command.
• Issue 2413: Hyphens/dashes not allowed in VirtualServer pool path.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.9.1

Enhancements

• CIS is now compatible with:
  • Kubernetes 1.23
  • OCP 4.10 with OVN & SDN CNI

Bug Fixes

• Issue 2336: Fixed confusing EDNS Pool name.
• Issue 2337: Fixed EDNS pool deletion with invalid server config.
• Issue 2484: Fixed scalability issue of LB services with IPAM processing.
• Issue 2464: CIS sends empty members declaration to BIG-IP while using HubMode.
• Issue 2308: Fixed ARP deletion in filter-tenant mode.
• Fixed Invalid traffic allow in Ingress with Custom HTTP Port.

CIS Helm Chart Fixes

• Issue 2422: Fixed wrong indentation for securityContext.
• Issue 2434: Helm install values.yaml results in a bad image format.
• Updated links in Helm values.yaml documentation.

FIC Helm Chart Fixes

• Issue 104: Fixed issue where IPAM breaks if ipamLabel is changed for a typeLB service.
• Issue 96: Added PVC creation to Helm charts.
• Issue 102: Added tolerations support with Helm charts.
• Added support for multiple Infoblox labels with Helm charts.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

1.14.1

Added Functionality

• Added CIS deployment configuration option of --disable-teems which you can configure to send anonymous analytics data to F5.

Vulnerability Fixes

CVE	Package
CVE-2022-29155 openldap	libldap-2.4-2
DSA-5140-1 openldap	libldap-2.4-2
CVE-2022-1586 pcre2	libpcre2-8-0
CVE-2022-1587 pcre2	libpcre2-8-0
CVE-2022-2068 openssl	openssl
CVE-2022-1292 openssl	openssl
DSA-5139-1 openssl	openssl
CVE-2021-3711 openssl	openssl
DSA-4963-1 openssl	openssl
CVE-2022-2068 openssl	openssl
CVE-2020-13776 systemd	libudev1
pyup.io-38100 (CVE-2020-1747)	pyyaml
pyup.io-39611 (CVE-2020-14343)	pyyaml
CVE-2019-1010022 glibc	libc6
CVE-2021-33574 glibc	libc6
CVE-2021-35942 glibc	libc6
CVE-2022-23218 glibc	libc6
CVE-2022-23219 glibc	libc6
CVE-2021-3520 lz4	liblz4-1
DSA-4919-1 lz4	liblz4-1
pyup.io-39606 (CVE-2020-36242)	cryptography
CVE-2022-1664 dpkg	dpkg
DSA-5147-1 dpkg	dpkg
CVE-2019-8457 db5.3	libdb5.3
CVE-2021-20231 gnutls28	libgnutls30
CVE-2021-20232 gnutls28	libgnutls30
CVE-2022-29155 openldap	libldap-common
DSA-5140-1 openldap	libldap-common
CVE-2020-13776 systemd	libsystemd0
CVE-2019-1010022 glibc	libc-bin
CVE-2021-33574 glibc	libc-bin
CVE-2021-35942 glibc	libc-bin
CVE-2022-23218 glibc	libc-bin
CVE-2022-23219 glibc	libc-bin
CVE-2019-9893 libseccomp	libseccomp2
CVE-2021-3711 openssl	libssl1
CVE-2022-2068 openssl	libssl1.1
CVE-2022-1292 openssl	libssl1.1
DSA-5139-1 openssl	libssl1.1
DSA-4963-1 openssl	libssl1.1
CVE-2022-2068 openssl	libssl1.1
CVE-2020-11656 sqlite3	libsqlite3-0
CVE-2022-22823 expat	libexpat1
CVE-2022-22824 expat	libexpat1
CVE-2022-25235 expat	libexpat1
CVE-2022-25236 expat	libexpat1
CVE-2022-25315 expat	libexpat1
DSA-5085-1 expat	libexpat1
CVE-2022-22822 expat	libexpat1
CVE-2022-23852 expat	libexpat1
CVE-2022-23990 expat	libexpat1
DSA-5073-1 expat	libexpat1

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.9.0

Added Funtionality:

• Next generation routes preview. See the documentation for more details.
  • Multiple VIP and partition support for routes.
• Custom Resource Definition (CRD):
  • LoadBalancingMethod support for VirtualServer and TransportServer CRs. See Examples.
  • DoS Protection Profile support for VirtualServer, TransportServer, and Policy CRs. See Examples.
  • Bot Defence Profile support for VirtualServer and Policy CRs. See Examples.
  • Protocol profile(client) support for TransportServer and Policy CRs. See Examples.
  • OneConnect profile support added for VirtualServer CRs. See Examples
  • Custom TCP Client and Server profile support added for VirtualServer, TransportServer, and Policy CRs. See Examples.
  • SNAT pool name support in Policy CR for VirtualServer, TransportServer CRs. See Example.
  • Custom pool name support in VirtualServer and TransportServer CRs. See Example.
  • GTM global-availability LB method and order precedence support with EDNS CRs. See Examples.
• Service Type LoadBalancer:
  • SCTP protocol support in Services of type LoadBalancer. See Kubernetes documentation for more information.
  • Added support for attaching Policy CRD as an annotation. SNAT profile can be specified in policy CR. See Examples.
• ConfigMap:
  • Issue 2326: Support for ConfigMap resource with NodePortLocal mode.
• Routes:
  • Added support for route admit status for rejected legacy and next gen routes.
• Added support for AS3 3.36 and OCP 4.9.
• Helm Chart Enhancements:
  • Support for latest CRD schema.
  • Issue 2387: Inconsistent use of value in f5-bigip-ctlr helm chart.

Bug Fixes

• Issue 2224: Selecting Load Balancing method on VirtualServer CRD.
• Issue 2323: File and example links updated in IngressLink document.
• Issue 2151: Fix for adding unique pool members only to AS3 declaration with AS3 ConfigMap.
• Added fix for CIS crash with routes.
• Fix for different service port and target port with CRs.

Upgrade Note

Some of the new features require you to update the Custom Resource Definition file.

F5 IPAM Controller Release Notes

Added Functionality:

• Support for label with multiple IP ranges with comma-separated values. See the documentation for more information.

Bug Fixes:

• Issue 115: Reference handled properly in Database table.

Known Issues

• Appending a new pool to an existing range using the comma operator triggers FIC to reassign the newIP with the new IP pool for the corresponding ipamLabel domains/keys.
• Issue 2251: MultiHost VS and policy CRD profiles attached via LTM policy and not assigned globally. Please see this document for more information.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.8.1

Bug Fixes

• Issue 2030: Changes to Ingress resource ServicePort are now reflected on BIG-IP.
• Issue 2205: Bulk deletion of EDNS is handled properly.
• Issue 2255: ServicePort is now optional and multi-port service is handled properly in ConfigMaps.
• Issue 2164: CIS properly updates configureation in BIGIP when configured with agent CCCL and log-level DEBUG.
• Issue 2191: CIS properly logs iApps when configured with agent CCCL.
• Issue 2220: CRD VirtualServer status is reported correctly when using hostGroup.
• Issue 2209: ConfigMap errors logs now contain ConfigMap name and namespace.
• CIS configured in CCCL agent mode properly updates BIG-IP when there are no backend pods to iApps ConfigMaps.

FIC Enhancements

• Issue 98: IPAM Storage initialization is handled properly.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.8.0

Added Functionality

• CRD:
  • Persistence Profile support for VirtualServer, TransportServer and Policy CRs. See Examples
  • Added support for host in TransportServer and IngressLink CR. See Examples
  • NodePortLocal(NPL) Antrea CNI feature support added to Ingress and Virtual Server Custom Resource. See VMware Tanzu and GitHub for more information.
• NodePortLocal (NPL) Antrea CNI feature support added to Ingress and CRD Resources.

• Helm Chart Enhancements:

  • Support for latest CRD schema.

Bug Fixes

• Added fix for processing oldest route when same host and path in routes.
• Added fix for CIS crash with routes.
• Issue 2212: Fix ExternalDNS adds both VSs to a Wide IP pool with using “httpTraffic: allow” with VS CR.
• Issue 2221: Fixed Error in CIS logs while deleting multiple VS CRD.
• Issue 2222: Fix deleting VirtualServer using hostGroup.
• Issue 2233: TS and VS CRD don’t detect the pool members for grafana service.
• Issue 2234: Fix for CIS crash with subsequent creation and deletion of wrong ConfigMap.
• Issue 2077: CIS deletes all existing ARP on restart and recreates it, which affects traffic.

Known Issues

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.7.1

Added Functionality

• Optimized processing of ConfigMaps with FilterTenants enabled.
• Added support for multihost VS policy rules for same path and service backend combination.
• Improved error handling with EDNS Custom resource.

Bug Fixes

• Issue 1872: Support protocol UDP in Services of type LoadBalancer.
• Issue 1918: ExternalDNS adds both virtual servers to a Wide IP pool.
• Issue 2051: Fix AS3 Postdelay issue when error occurs.
• Issue 2077: Fix recreating ARPs when CIS restarts.
• Issue 2172: Fix Endpoint NodeName validation issue.
• Helm Chart Enhancements: Issue 2184: Helm Chart ClusterRole does not have correct permissions.

F5 IPAM Controller Release Notes

FIC Enhancements:

• Added support for FIC installation using Helm Charts. See the documentation for more information.
• Added support for FIC installation using OpenShift Operator

Known Issues

• CIS does not delete the ARP entries immediately from BIG-IP when you remove all the endpoints for a service in cccl mode.
• Unable to pass multiple Infoblox labels to FIC Helm charts and OpenShift Operator.
• Deleting an EDNS resource does not remove Wide IP config from BIG-IP intermittently.
• CIS sends the failed tenant declaration every 30 seconds with filter-tenant parameter when a 422 error occurs in AS3 response.

Upgrade Notes

• Moving from CIS > 2.6 with IPAM, see the troubleshooting guide for IPAM issue ipams.fic.f5.com not found. See Troubleshooting Section.
• Moving to CIS > 2.4.1 requires update to RBAC and CR schema definition before upgrade. See RBAC and CR schema.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.7.0

Added Functionality

• What’s new:
  • CRD:
    • Policy CR support for VirtualServer and TransportServer CRD. Support for L3 WAF, L7 Firewall policy and various profiles. Examples
    • IPv6 address support for VirtualServer, TransportServer CRD and ServiceTypeLB service. Examples
    • Wildcard domain name support with TLSProfile and VirtualServer. Examples
    • Multi-host support in VirtualServer CRD using hostgroup parameter. Examples
    • New Status column for VirtualServer and TransportServer CRD. GitHub issue
  • ConfigMap:
    • Tenant-based AS3 declarations support for configmaps using --filter-tenants deployment option. –filter-tenants – Default behaviour in CIS 2.9 with possible name change.
  • Ingress:
    • Named service port reference for ingresses. GitHub issue
  • EDNS:
    • TCP type monitor support for EDNS.
    • EDNS resource name is modified from externaldnss to externaldns. CRD definition.
• CIS now compatible with:
  • Kubernetes 1.22
  • OCP 4.9 with OVN
  • AS3 3.30

Bug Fixes

• Issue 1659: Report “status” of TransportServer CRD.
• Issue 1684: [EDNS] CIS tries to remove non-existing monitor from GTM pool.
• Issue 1873: Enable /metrics endpoint with CRD mode.
• Issue 1916: Display IPAM provided IPaddress for TransportServer.
• Issue 2006: Add support for Wildcard domain name with TLSProfile and VirtualServer.
• Issue 2014: Allow type LoadBalancer with different TargetPort and Port values.
• Issue 2025: Support ‘sni-server-name’ for GTM HTTPS Monitor.
• Issue 2031: Add support for named service port reference for ingresses.
• Issue 2032: EDNS will not work if both Virtual Server CRD and EDNS CRD are applied at the same time.
• Issue 2087: Enable nodeMemberLabel regex to support common node labels.
• Issue 2102 and Issue 2016: Fix for crash while validating secrets.
• Restructured docs examples directory.
• Improved performance while processing VS, services, and endpoint resources.

Notes

• EDNS resource name is modified from externaldnss to externaldns. Refer to latest EDNS CRD definition here.
• IPv6 is validated with calico CNI on k8s 1.22 setup.
• Log4j vulnerability does not impact CIS and FIC code base.

Known Issues

• Policy CRD integration with TS CRD has few issues.
• Wildcard hostname in VS CRD doesn’t match the parent domain.
• When root domain and wildcard domain refer to same VSAddress, CIS is not working as expected.

F5 IPAM Controller v0.1.5 Release Notes

Added Functionality

• IPv6 address range configuration support with default f5-ip-provider. Example.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.6.1

Bug Fixes

• Added the complete path for datagroups in http redirect iRule.
• Added RouteDomain support for AS3 resources.
• Issue 2032: EDNS will not work if both Virtual Server CRD and EDNS CRD applied at the same time.
• Issue 2012: Invalid Pool Name passed to AS3.
• Issue 1931: Cannot disable IngressClass in HelmChart.
• Issue 1911: CIS delete all exist vs when CIS pod restarting.
• Issue 1792: EDNS fails to link WIP to Pool, error says “last-resort-pool” needs value in bipctrl log.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.6.0

Added Functionality

• CIS is now compatible with OpenShift 4.8.12. It is validated with OpenShift SDN and OVN-Kubernetes with hybridOverlay.
• CIS supports IP address assignment to IngressLink Custom Resources using F5 IPAM Controller (See documentation).
• CIS validates IPv6 address in bigip-url and gtm-bigip-url parameters.

Bug Fixes

• Issue 1679: CIS requires GTM parameter in CIS declaration even if GTM runs on the same BIG-IP.
• Issue 1888: Unable to upgrade from 2.2.0 (or below) to 2.2.1 (or above).
• Issue 1941: CIS 2.5 output DEBUG log even with --log-level=INFO configured.
• Fixed issue with deletion of monitor with EDNS custom resource deletion.

Performance Improvements

• Improved EDNS Performance: new VirtualServer creation triggers processing of only associated EDNS resources.
• Improved Ingress performance.

Known Issues

• EDNS with https monitor is not properly supported.

F5 IPAM Controller v0.1.5 Release Notes

Added Functionality

• F5 IPAM Controller supports InfoBlox (See the documentation for more information).
• Persistent support added for F5 IPAM Controller default provider. FIC now requires pvc with volume mounted in deployment for default provider (See the documentation for more information).
• Added support for Single NetView via deployment parameter infoblox-netview. It does not need to be provided via an IPAM label (See the documentation for more information).
• Added support for standalone IP in Infoblox Provider.
• Added support for credentials-directory configuration option for mounting Infoblox credentials and self-signed certificate from Kubernetes secrets.
• Disabled DNSView for Infoblox Provider.

Bug Fixes

• Stale status entries are cleared from IPAM custom resource.
• FIC restart allocates multiple IP addresses on InfoBlox

Known Issues

• With InfoBlox integration update ip-range is not working as expected.

Migration from 0.1.4

• With this release, the f5ipam CRD is now renamed to ipam.
• A resource in clusterrole should be updated to IPAM before upgrading to latest IPAM (See latest clusterrole in the documentation).
• For F5 IPAM Controller default provider, update deployment with PVC and volume for persistance of DB. Volume mount is a prerequisite for FIC v0.1.5 (See the documentation for FIC deploment with volume).

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.5.1

Added Functionality

• CIS now supports:
  • Deletion of old F5IPAM CR when it is not in use.
  • Skipping certificate validation for passthrough routes.
  • The ability to update or delete Ingress V1 annotation with shared IP.

Bug Fixes

• Issue 1921: Plain text login and password in process status on node that is running controller.
• Issue 1849: Fix VirtualServer CRD processing which share same IP and different port.
• OpenShift operator no longer fails to install multiple CIS instances due to existing CRDs.

Vulnerability Fixes

CVE	Comments
CVE-2019-19794	Upgraded the miekg Go DNS package in CIS repository

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.5.0

Added Functionality

• CIS is now compatible with:
  • Kubernetes v1.21
  • OpenShift 4.7.13 with OpenShift SDN
  • AS3 3.28
• Added support for:
  • Multiport Service and Health Monitor for Service type LoadBalancer in CRD mode. See examples.
  • Issue 1824: Kubernetes networking.k8s.io/v1 Ingress and IngressClass. See examples.
  • For networking.k8s.io/v1 Ingress, add multiple BIG-IP SSL client profiles with annotation virtual-server.f5.com/clientssl. See examples.
  • OpenShift route annotations virtual-server.f5.com/rewrite-app-root (examples) and virtual-server.f5.com/rewrite-target-url (examples) with agent AS3.
  • Issue 1570: iRule reference in TransportServer CRD. See examples.
  • CIS deployment configuration options:
    • --periodic-sync-interval - Configure the periodic sync of Kubernetes resources.
    • --hubmode - Enable support for ConfigMaps to monitor services in same and different namespaces.
    • --disable-teems - Configure to send anonymous analytics data to F5.
• CIS now monitors changes to Kubernetes Secret resource.
• Improved performance while processing Ingress resources.
• CIS in AS3 agent mode now adds default cipher groups to SSL profiles for TLS v1.3.
• CIS now supports F5 IPAM Controller 0.1.4.
• Helm Chart Enhancements:
  • Latest CRD schemas.
  • Added support to install Ingress and IngressClass objects in networking.k8s.io/v1.

Bug Fixes

• CIS now properly adds nodes as pool members (in NodePort mode).

Known Issues

• To improve performance, F5 recommends increasing the resync periodic interval to more than 300 seconds except for passthrough routes. Configure CIS deployment with --periodic-sync-interval to more than 300 seconds. OpenShift Routes with termination Passthrough are processed post this interval.

Upgrading to 2.5.0

• CIS 2.5.0 supports Kubenetes networking.k8s.io/v1 Ingress and IngressClass. With Kubernetes version 1.18+:
  • Update CIS ClusterRole. We removed resourceName to monitor all secrets.
  • Create IngressClass before upgrading to version 2.5.0.
• To upgrade CIS using operator in OpenShift:
  • Install IngressClass manually.
  • Install CRDs manually if using CIS CustomResources (VirtualServer/TransportServer/IngressLink).

F5 IPAM Controller v0.1.4 Release Notes:

Added Functionality - F5 IPAM Controller supports Infoblox (Preview available for VirtualServer CRD only). Refer to documentation for more details.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.4.1

Added Functionality

• CIS supports F5 IPAM Controller 0.1.3.
• Helm Chart Enhancements:
  • Added support for multiple namespace configuration parameter with CIS operator.

Bug Fixes

• Issue 1737: Inconsistent ordering of policy rules when adding an Ingress path.
• Issue 1808: K8S BIG-IP Controller upload old certificate to BIG-IP.
• Stale IPAM CR configuration is deleted when CIS restarts.
• IPAM allocated IP address now populates for VirtualServer under VSAddress column.
• CIS supports endpoints created without nodeNames in cluster mode for Headless Service.
• Updated Helm charts to support IBM platform certification.

Vulnerability Fixes

CVE	Comments
CVE-2020-36242	Upgraded the cryptography package in f5-common-python repository
CVE-2020-25659	Upgraded the cryptography package in f5-cccl repository
CVE-2020-14343	Upgraded the PyYAML package in f5-cccl repository

Limitations

Due to changes in the BIG-IP Python API, CIS EDNS no longer functions correctly. EDNS will be moving to the AS3 API in the upcoming release.

F5 IPAM Controller 0.1.3 Release Notes:

Added Functionality

• Old entries in IPAM CR spec/status are now removed when CIS is restarted versus during an update.
• FIC does not allocate the last IP address specified in the IP range.
• Deleting resources releases IP address along with clearing corresponding spec entries.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.4.0

Added Functionality

• Improved data group handling for virtual server custom resource.
• CIS is now compatible with: Kubernetes 1.20
• CIS supports IP address assignment to Kubernetes service type LoadBalancer using F5 IPAM Controller. Refer for Examples.
• CIS supports IP address assignment to Transport Server CR using F5 IPAM Controller. Refer for Examples.
• Added support for defaultRouteDomain in custom resource mode.
• CIS supports service address reference in virtual server and transport server Custom Resources.
• Integrated the IngressLink mode with CRD mode.
• CIS supports implicit Health Monitor for ingress link resource
• Improved data group handling for virtual server custom resource
• Helm Chart Enhancements:
  • Updated the Custom Resource Definitions for Virtual Server and Transport Server resources.
  • Added the IngressLink Custom Resource installation using Helm charts.
  • Updated the RBAC to support service type LoadBalancer.

Bug Fixes

• SR - Fix continuous overwrites with iApp in cccl mode.
• Issue 1573: Added support for type UDP Transport Server CRD.
• Issue 1723: BIG-IP selects wrong certificate with ECDSA-signed certificate.
• Issue 1645: Certificate-check added in CISv2.2.2 logs too often.
• Issue 1730: Partition default_route_domain is being reset while creating VirtualServer via CRD to 0.

Vulnerability Fixes

CVE	Comments
CVE-2020-1747	Upgraded the PyYaml package in f5-cccl repository
CVE-2020-25659	Removed unused package cryptography in f5-cccl repository

Limitations

VXLAN tunnel name starting with prefix “k8s” is not supported. CIS uses prefix “k8s” to differentiate managed and user-created resources. See Issue 1508 for more information.

FIC 0.1.2 Release Notes

Added Functionality

• FIC supports label-based IP address allocation.
• FIC supports multiple CIS deployments.
• FIC is now compatible with k8s 1.20.
• FIC now creates the IPAM custom resource schema for validation.
• Earlier way of specifying –ip-range format is deprecated.

Known Issues

• FIC does not allocate the last IP address specified in the ip range.
• CIS deletes IPAM custom resource intermittently.
• Updating the –ip-range in FIC deployment is not working properly.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.3.0

Added Functionality

• CIS supports IP address assignment to Virtual Server CRD using F5 IPAM Controller.
• CIS allows user to leverage Virtual IP address using either F5 IPAM Controller or virtualServerAddress field in VirtualServer CRD.
• Support Passthrough termination for TLS CRD.
• Added support for AS3 schema minor versions.
• Issue 1631: Support caCertificate for OpenShift Routes.
• Issue 1571: iRule reference for CRD for VirtualServer.
• Issue 1592, Issue 1621: Enabling VLANS on CRD for VirtualServer and TransportServer.
• Updated CR Kind from NginxCisConnector to IngressLink.
• Helm Chart Enhancements:
  • Added Support for livenessProbe, ReadinessProbe, nodeSelectors, tolerations.
  • Issue 1632: Added Support for skipping CRDs.

Bug Fixes

• Issue 1457: Each Client request will be logged on BIG-IP when http2-profile is associated to Virtual Server.
• Issue 1458: CIS v2.1.0 does not delete LTM-Policy reset-rule when OpenShift-annotation for whitelist-source-range will be removed.
• Issue 1498: In iRule openshift_passthrough_irule the variable “$dflt_pool” could not be set correctly when http/2-profile is linked to Virtual Server.
• Issue 1565: Logs should distinguish ConfigMap and Ingress errors.
• Issue 1641: Debug log sKey.ServiceName in syncVirtualServer.
• Issue 1671: TransportServer assigns wrong pool/service.
• CIS fail to update pod arp on BIG-IP, “Attempted to mutate read-only attribute(s)”.

Limitations

• For AB routes, HTTP2 traffic does not distribute properly when http2-profile is associated to VS.
• Workaround for CIS in IPAM mode.
• Removing virtualServerAddress field from VSCRD in non-IPAM mode may flush corresponding BIG-IP configuration.
• CIS works with dedicated F5 IPAM Controller only.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.2.3

Bug Fix

• Issue 1646: Virtual Server demoted from CMP when updating to CIS v2.2.2.

---

2.2.2

Added Functionality

• CIS is now compatible with:
  • OpenShift 4.6.4.
  • Kubernetes 1.19
  • BIG-IP v16
  • AS3 3.25.
• CIS now verifies whether the BIG-IP clientssl/serverssl is valid or not valid.
• Support for error handling in CRDs.

Bug Fixes

• Issue 1557: iRule openshift_passthrough_irule logs various TCL errors.
• Issue 1584: iRule openshift_passthrough_irule logs TCL errors - can’t read “tls_extensions_len”.
• Issue 1602: ConfigMap not working for 2.2.1 but works for 2.2.0.
• CIS now properly handles incorrect ConfigMap with syntax errors.
• CIS now logs crash message when processing multiple EDNS.
• CIS now handles deletion of GTM configuration when there is no EDNS configuration after CIS restarts/starts.
• CIS now handles the duplicate and invalid routes properly.
• CIS now updates global parameters SNAT by every Virtual server pointing to the same hostname.
• CIs handles duplicate path issue with virtual server pointing to same host or virtual address.
• CIS handles MAC address parsing issue with new flannel versions.
• CIS now processes TLS profiles correctly when VirtualServer and TLS profiles are added at a time.
• CIS now processes ConfigMap updates properly.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.2.1

Added Functionality

• CIS is now compatible with:
  • OpenShift 4.6.4.
  • AS3 3.24.X
• CIS supports OVN-Kubernetes CNI for Standalone and HA with OSCP 4.5.X
• External DNS CRD – Preview available in CRD mode:
  • Supports single CIS to configure both LTM and GTM configuration.
  • Supports external DNS for GTM configuration.
  • Create Wide-IP on BIG-IP using Virtual server CRD’s domain name.
  • Multi-cluster support for the same domain.
  • Health montior support for monitoring GSLB pools.
  • CIS deployment parameter added –gtm-bigip-url, –gtm-bigip-username, –gtm-bigip-password and –gtm-credentials- directory for External DNS.
  • CRD schema definition for External DNS.
  • CRD examples.

Bug Fixes

• Issue 1464: CIS AS3 does not support k8s services with multiple ports.
• Issue 1391: Expose Kubernetes API services via F5 ingress crashes CIS.
• Issue 1527: Service Discovery logs not being output.
• SR: Fix for concurrent map read and write with ConfigMap processing.
• SR: Improved performance by skipping the processing of endpoints for unassociated services.

Limitations

• CIS does not update the GSLB pool members when virtual server CRD’s virtualServerAddress is updated or virtual server CRD is deleted for a domain.
• CIS is unable to delete the Wide-IP without Health Monitor.
• CIS is unable to delete the Health Monitor when there are no virtual server CRD available for a domain name.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.2.0

Added Functionality

• Custom Resource Definition (CRD):
  • Multiple ports in a single service.
  • TransportServer Custom Resource.
  • VirtualServer Custom Resource without Host Parameter.
  • Share Nodes implementation for CRD, Ingress, and Routes.
  • WAF integration.
  • SNAT in VirtualServer CRD.
  • Option to configure Virtual address port.
  • App-Root Rewrite and URL Rewrite.
  • Health monitor for each pool member.
  • Option to configure VirtualServer name.
  • NGINX CIS connector.
  • Namespace label.
  • CRD TEEMs Integration.
  • Support for AS3 3.23.
  • Upgraded AS3 Schema validation version from v3.11.0-3 to v3.18.0-4.
  • Schema
  • Examples

Bug Fixes

• Custom Resource Definition (CRD):
  • Verified the AS3 installation on BIG-IP in CRD Mode.
  • Streamlined logs.
  • Fixed unnecessary creation of HTTP VirtulServer when httpTraffic is set to ‘None’.
• Routes:
  • Fixed FlipFlop of Policy with AB deployment Routes.
  • Removed unwanted logs from iRule.

Limitations

• Modifying VirtualServer address leads to traffic loss intermittently. Delete and re-create the VirtualServer as an alternative.
• VirtualServers with same host and virtualServerAddress should maintain same parameters except pool, tlsProfileName and monitors.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.1.1

Added Functionality

• CIS is now compatible with:
  • OpenShift 4.5
  • AS3 3.21.0
• Custom Resource Definition (CRD) Preview version available with virtual-server and TLSProfile custom resources. See the Custom Resource Definitions section for more information and examples.
  • Added Support for k8s Secrets with TLSProfile Custom Resource.
  • Improved the strategy of processing virtual-server and TLSProfile custom resources.
  • Added support for installation using Helm and Operator.
  • Streamlined logs to provide insightful information in INFO and remove unwanted information in DEBUG mode.

Bug Fixes

• Issue 1467: AS3 ERROR declaration.schemaVersion must be one of the following with Controller version 2.1.0.
• Issue 1433: Template is not valid. When using CIS 2.1 with AS3 version: 3.21.0.
• Issue 1440: Optional health check parameters don’t appear to be optional.
• Fixed issues with processing multiple services with same annotations in AS3 ConfigMap mode. When there are multiple services with same annotations, CIS updates the oldest service endpoints in BIG-IP.
• Fixed issues with continuous AS3 declarations in CRD mode.
• Fixed issues with re-encrypt termination on multiple domains in CRD mode.
• Fixed issues with CIS crashing in CRD mode in the following situations: when the user removes f5cr label from VirtualServer or TLSProfile custom resources; when the user deletes TLSProfile custom resource. This behavior is intermittent.
• Fixed issues with processing of unwanted endpoint and service changes in CRD mode.

Limitations

• During restarts, CIS fails to read TLSProfile custom resource. This behavior is intermittent.
• CIS does not update the endpoint changes on BIG-IP in CRD mode. This behavior is intermittent.
• CIS does not validate secrets and BIG-IP profiles provided in TLSProfile custom resource.
• CIS supports only port 80 and 443 for BIG-IP Virtual servers in CRD mode.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.1

Added Functionality

• CIS will not create _AS3 partition anymore.
  • CIS uses single partition (i.e. –bigip-partition) to configure both LTM and NET configuration.
  • Additional AS3 managed partition _AS3 will be removed if it exists.
• Enhanced performance for lower CPU Utilization with optimized CCCL calls.
• CIS validates AS3 declarations against AS3 v3.20 schema.
• CIS supports AS3 versions installed on BIG-IP from v3.18 to latest (v3.20).
• Added support for:
  • Multiple AS3 ConfigMaps.
  • AS3 label switching in AS3 ConfigMap resource:
    • When set to False, CIS deletes the existing configuration (or) CIS ignores AS3 ConfigMap.
    • When set to True, CIS reads the corresponding AS3 ConfigMap.
  • Added Whitelist feature support for agent AS3 using policy endpoint condition.
    • New annotation “allow-source-range” added parallel to “whitelist-source-range”.
• Deprecated –userdefined-as3-declaration CIS deployment option as CIS now supports Multiple AS3 ConfigMaps.
• Custom Resource Definition (CRD) – Alpha available with TLS support.
  • Highlights of this Alpha CRD version:
    • Supports single partition to configure both LTM and NET configuration.
    • Supports both unsecured and TLS CRD.
    • Supports single domain per Virtual server.
    • Supports merging multiple virtual servers into single BIG-IP VIP referring to a single domain.
    • Added Health monitor support.
    • Supports nodelabel in Virtual server CRD.
    • Supports TLSProfile CRD with BIG-IP reference client and server SSL profiles.
    • Supports TLSProfile CRD with K8S secrets reference for client SSL profiles.
    • CRD schema definition for both Virtual server and TLSProfile.
    • CRD examples.
• The following GitHub repositories have been archived are now read-only. These projects are no longer actively maintained:
  • https://github.com/F5Networks/cf-bigip-ctlr
  • https://github.com/F5Networks/marathon-bigip-ctlr

Bug Fixes

• Issue 1420: Enhanced performance for lower CPU Utilization with optimized CCCL calls.
• Issue 1362: CIS supports HTTP Header with iv-groups.
• Issue 1388, 1311: CIS properly manages AS3 ConfigMaps when configured with namespace-labels.
• Issue 1337: CIS supports multiple AS3 Configmaps.
• Issue 1171: CIS will not create _AS3 partition anymore.

Vulnerability Fixes

CVE	Comments
CCVE-2018-5543	CIS Operator uses –credentials-directory by default for BIG-IP credentials

Guidelines for upgrading to CIS 2.1

• Those migrating from agent CCCL to agent AS3:
  • User should clean up LTM resources in BIG-IP partition created by CCCL before migrating to CIS 2.1. Steps to clean up LTM resources in BIG-IP partition using AS3:
    • Use this POST call: https://<bigip-ip>/mgmt/shared/appsvcs/declare?async=true along with this AS3 declaration.
    • Note: Please modify <big-ip> in above POST call and <bigip-partition> name in the AS3 configuration.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

2.0

Added Functionality

• AS3 is the default agent. Use deployment argument --agent to configure CCCL agent.
• Custom Resource Definition (CRD) – Alpha available with Custom resource virtual-server.
• Added new optional deployment arguments:
  • --custom-resource-mode (default false) when set true processes custom resources only.
  • --userdefined-as3-declaration for processing user defined AS3 ConfigMap in CIS watched namespaces.
• AS3 versions newer than 3.18 is required for 2.X releases.
• CIS is now compatible with:
  • OpenShift 4.3
  • BIG-IP 15.1
  • K8S 1.18
• Base image upgraded to UBI for CIS Container images.
• Added Support for:
  • Multiple BIG-IP ClientSSL profiles for a Virtual Server
  • Informer based Override AS3 ConfigMap
  • UserAgent in AS3 Controls object
  • New Attributions Generator - Licensee
  • GO Modules for dependency management
  • HTTPS health monitoring for passthrough and re-encrypt routes

New RH container registry : registry.connect.redhat.com/f5networks/cntr-ingress-svcs

Bug Fixes

• CIS handles requests sent to unknown hosts for Routes using debug messages.
• CIS handles posting of ‘Overwriting existing entry for backend’ log message frequently when different routes configured in different namespaces.
• Issue 1233: CIS handles ClientSSL annotation and cert/key logging issues.
• Issue 1145, 1185, 1295: CIS handles namespace isolation for AS3 ConfigMaps.
• Issue 1241, 1229: CIS fetches 3.18 AS3 schema locally.
• Issue 1191: CIS cleans AS3 managed partition when moved to CCCL as agent.
• Issue 1162: CIS properly handles OpenShift Route admit status.
• Issue 1160: CIS handles https redirection for ingress which accepts all common names.

Vulnerability Fixes

CVE	Comments
CVE-2009-3555	CIS disables renegotiation for all Custom ClientSSL

Limitations

• CIS with CCCL as agent, OpenShift A/B route cannot be updated in BIG-IP versions newer than 14.1.X due to data group changes.

Next Upgrade Notes

• From CIS 2.1, additional AS3 managed partition _AS3 will be removed.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.

---

To see older versions of the release notes, see this page.