Release Notes

This page contains the release notes for F5 BIG-IP Container Ingress Services. To see the changes in this documentation, see Document Revision History.

2.10.0

Added Functionality

  • Next Generation Routes:
    • Added new base config block for TLSCiphers in global extended ConfigMap. See Examples.
    • Support for namespaceLabel in global extended ConfigMap. See Examples.
    • Support for BIG-IP ClientSSL/ServerSSL profile reference in global extended ConfigMap. See Examples.
    • Support for allowSourceRange in global and local extended ConfigMap. See Examples.
    • rewrite-target-url support via route annotations.
    • Load Balancing support via route annotation. See Examples.
    • Support for AB Deployment in routes.
  • CRD:
    • allowSourceRange support for VirtualServer CRs and Policy CR. See Examples.
    • Added support for TCP Health Monitor in VirtualServer CRs. See Examples.
    • Added support for multiple monitors in VirtualServer and TransportServer CRs. See Examples.
    • SCTP support for TransportServer Custom Resource. See Examples.
    • Issue 2201: Support for linking existing health monitor on BIG-IP with VirtualServer and TransportServer CRs. See Examples.
    • Issue 2361: Allow monitoring of an alias port in VirtualServer and TransportServer. See Examples.
    • Issue 1933: Added serviceNamespace field in Pools for VirtualServer CR that allows you to define a pool service from another namespace in a VirtualServer CR. See Examples.
  • Ingress:
    • Added support to configure netmask for Virtual Server for Ingress. See Example.
  • Support for Cilium CNI versions 1.12.0 and above in Kubernetes cluster.
  • Support for --log-file deployment parameter to store the CIS logs in a file.
  • Support for AS3 3.38.0
  • Support for operator in OpenShift versions 4.10 and 4.11.

Bug Fixes

  • Fixed CIS continuous processing of ingress belonging to unmanaged ingress class.
  • Issue 2325: Supporting Prometheus service in CRDs.
  • Issue 2158: CIS send logs to file from container.
  • Issue 2345: CIS crash due to Route Profiles.
  • Issue 2507: Monitor name by accident includes health check command.
  • Issue 2413: Hyphens/dashes not allowed in VirtualServer pool path.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.




2.9.1

Enhancements

  • CIS is now compatible with:
    • Kubernetes 1.23
    • OCP 4.10 with OVN & SDN CNI

Bug Fixes

  • Issue 2336: Fixed confusing EDNS Pool name.
  • Issue 2337: Fixed EDNS pool deletion with invalid server config.
  • Issue 2484: Fixed scalability issue of LB services with IPAM processing.
  • Issue 2464: CIS sends empty members declaration to BIG-IP while using HubMode.
  • Issue 2308: Fixed ARP deletion in filter-tenant mode.
  • Fixed Invalid traffic allow in Ingress with Custom HTTP Port.

CIS Helm Chart Fixes

  • Issue 2422: Fixed wrong indentation for securityContext.
  • Issue 2434: Helm install values.yaml results in a bad image format.
  • Updated links in Helm values.yaml documentation.

FIC Helm Chart Fixes

  • Issue 104: Fixed issue where IPAM breaks if ipamLabel is changed for a typeLB service.
  • Issue 96: Added PVC creation to Helm charts.
  • Issue 102: Added tolerations support with Helm charts.
  • Added support for multiple Infoblox labels with Helm charts.


1.14.1

Added Functionality

  • Added CIS deployment configuration option of --disable-teems which you can configure to send anonymous analytics data to F5.

Vulnerability Fixes

CVE                               Package
CVE-2022-29155                    openldap libldap-2.4-2
DSA-5140-1                        openldap libldap-2.4-2
CVE-2022-1586                     pcre2 libpcre2-8-0
CVE-2022-1587                     pcre2 libpcre2-8-0
CVE-2022-2068                     openssl openssl
CVE-2022-1292                     openssl openssl
DSA-5139-1                        openssl openssl
CVE-2021-3711                     openssl openssl
DSA-4963-1                        openssl openssl
CVE-2022-2068                     openssl openssl
CVE-2020-13776                    systemd libudev1
pyup.io-38100 (CVE-2020-1747)     pyyaml
pyup.io-39611 (CVE-2020-14343)    pyyaml
CVE-2019-1010022                  glibc libc6
CVE-2021-33574                    glibc libc6
CVE-2021-35942                    glibc libc6
CVE-2022-23218                    glibc libc6
CVE-2022-23219                    glibc libc6
CVE-2021-3520                     lz4 liblz4-1
DSA-4919-1                        lz4 liblz4-1
pyup.io-39606 (CVE-2020-36242)    cryptography
CVE-2022-1664                     dpkg dpkg
DSA-5147-1                        dpkg dpkg
CVE-2019-8457                     db5.3 libdb5.3
CVE-2021-20231                    gnutls28 libgnutls30
CVE-2021-20232                    gnutls28 libgnutls30
CVE-2022-29155                    openldap libldap-common
DSA-5140-1                        openldap libldap-common
CVE-2020-13776                    systemd libsystemd0
CVE-2019-1010022                  glibc libc-bin
CVE-2021-33574                    glibc libc-bin
CVE-2021-35942                    glibc libc-bin
CVE-2022-23218                    glibc libc-bin
CVE-2022-23219                    glibc libc-bin
CVE-2019-9893                     libseccomp libseccomp2
CVE-2021-3711                     openssl libssl1
CVE-2022-2068                     openssl libssl1.1
CVE-2022-1292                     openssl libssl1.1
DSA-5139-1                        openssl libssl1.1
DSA-4963-1                        openssl libssl1.1
CVE-2022-2068                     openssl libssl1.1
CVE-2020-11656                    sqlite3 libsqlite3-0
CVE-2022-22823                    expat libexpat1
CVE-2022-22824                    expat libexpat1
CVE-2022-25235                    expat libexpat1
CVE-2022-25236                    expat libexpat1
CVE-2022-25315                    expat libexpat1
DSA-5085-1                        expat libexpat1
CVE-2022-22822                    expat libexpat1
CVE-2022-23852                    expat libexpat1
CVE-2022-23990                    expat libexpat1
DSA-5073-1                        expat libexpat1


2.9.0

Added Functionality:

  • Next generation routes preview. See the documentation for more details.
    • Multiple VIP and partition support for routes.
  • Custom Resource Definition (CRD):
    • LoadBalancingMethod support for VirtualServer and TransportServer CRs. See Examples.
    • DoS Protection Profile support for VirtualServer, TransportServer, and Policy CRs. See Examples.
    • Bot Defence Profile support for VirtualServer and Policy CRs. See Examples.
    • Protocol profile(client) support for TransportServer and Policy CRs. See Examples.
    • OneConnect profile support added for VirtualServer CRs. See Examples.
    • Custom TCP Client and Server profile support added for VirtualServer, TransportServer, and Policy CRs. See Examples.
    • SNAT pool name support in Policy CR for VirtualServer, TransportServer CRs. See Example.
    • Custom pool name support in VirtualServer and TransportServer CRs. See Example.
    • GTM global-availability LB method and order precedence support with EDNS CRs. See Examples.
  • Service Type LoadBalancer:
    • SCTP protocol support in Services of type LoadBalancer. See Kubernetes documentation for more information.
    • Added support for attaching Policy CRD as an annotation. SNAT profile can be specified in policy CR. See Examples.
  • ConfigMap:
    • Issue 2326: Support for ConfigMap resource with NodePortLocal mode.
  • Routes:
    • Added support for route admit status for rejected legacy and next gen routes.
  • Added support for AS3 3.36 and OCP 4.9.
  • Helm Chart Enhancements:
    • Support for latest CRD schema.
    • Issue 2387: Inconsistent use of value in f5-bigip-ctlr helm chart.

Bug Fixes

  • Issue 2224: Selecting Load Balancing method on VirtualServer CRD.
  • Issue 2323: File and example links updated in IngressLink document.
  • Issue 2151: Fix for adding unique pool members only to AS3 declaration with AS3 ConfigMap.
  • Added fix for CIS crash with routes.
  • Fix for different service port and target port with CRs.

Upgrade Note

Some of the new features require you to update the Custom Resource Definition file.

F5 IPAM Controller Release Notes

Added Functionality:

  • Support for label with multiple IP ranges with comma-separated values. See the documentation for more information.

Bug Fixes:

  • Issue 115: Reference handled properly in Database table.

Known Issues

  • Appending a new pool to an existing range using the comma operator triggers FIC to reassign the new IP with the new IP pool for the corresponding ipamLabel domains/keys.
  • Issue 2251: MultiHost VS and policy CRD profiles attached via LTM policy and not assigned globally. Please see this document for more information.


2.8.1

Bug Fixes

  • Issue 2030: Changes to Ingress resource ServicePort are now reflected on BIG-IP.
  • Issue 2205: Bulk deletion of EDNS is handled properly.
  • Issue 2255: ServicePort is now optional and multi-port service is handled properly in ConfigMaps.
  • Issue 2164: CIS properly updates configuration in BIG-IP when configured with agent CCCL and log-level DEBUG.
  • Issue 2191: CIS properly logs iApps when configured with agent CCCL.
  • Issue 2220: CRD VirtualServer status is reported correctly when using hostGroup.
  • Issue 2209: ConfigMap error logs now contain ConfigMap name and namespace.
  • CIS configured in CCCL agent mode properly updates BIG-IP when there are no backend pods to iApps ConfigMaps.

FIC Enhancements

  • Issue 98: IPAM Storage initialization is handled properly.


2.8.0

Added Functionality

  • CRD:
    • Persistence Profile support for VirtualServer, TransportServer and Policy CRs. See Examples.
    • Added support for host in TransportServer and IngressLink CR. See Examples.
    • NodePortLocal (NPL) Antrea CNI feature support added to Ingress and Virtual Server Custom Resource. See VMware Tanzu and GitHub for more information.
  • NodePortLocal (NPL) Antrea CNI feature support added to Ingress and CRD Resources.
  • Helm Chart Enhancements:
    • Support for latest CRD schema.

Bug Fixes

  • Added fix for processing oldest route when same host and path in routes.
  • Added fix for CIS crash with routes.
  • Issue 2212: Fix ExternalDNS adds both VSs to a Wide IP pool with using “httpTraffic: allow” with VS CR.
  • Issue 2221: Fixed Error in CIS logs while deleting multiple VS CRD.
  • Issue 2222: Fix deleting VirtualServer using hostGroup.
  • Issue 2233: TS and VS CRD don’t detect the pool members for grafana service.
  • Issue 2234: Fix for CIS crash with subsequent creation and deletion of wrong ConfigMap.
  • Issue 2077: CIS deletes all existing ARP on restart and recreates it, which affects traffic.

Known Issues


2.7.1

Added Functionality

  • Optimized processing of ConfigMaps with FilterTenants enabled.
  • Added support for multihost VS policy rules for same path and service backend combination.
  • Improved error handling with EDNS Custom resource.

Bug Fixes

  • Issue 1872: Support protocol UDP in Services of type LoadBalancer.
  • Issue 1918: ExternalDNS adds both virtual servers to a Wide IP pool.
  • Issue 2051: Fix AS3 Postdelay issue when error occurs.
  • Issue 2077: Fix recreating ARPs when CIS restarts.
  • Issue 2172: Fix Endpoint NodeName validation issue.
  • Helm Chart Enhancements: Issue 2184: Helm Chart ClusterRole does not have correct permissions.

F5 IPAM Controller Release Notes

FIC Enhancements:

  • Added support for FIC installation using Helm Charts. See the documentation for more information.
  • Added support for FIC installation using OpenShift Operator.

Known Issues

  • CIS does not delete the ARP entries immediately from BIG-IP when you remove all the endpoints for a service in cccl mode.
  • Unable to pass multiple Infoblox labels to FIC Helm charts and OpenShift Operator.
  • Deleting an EDNS resource does not remove Wide IP config from BIG-IP intermittently.
  • CIS sends the failed tenant declaration every 30 seconds with filter-tenant parameter when a 422 error occurs in AS3 response.

Upgrade Notes

  • Moving from CIS > 2.6 with IPAM, see the troubleshooting guide for IPAM issue ipams.fic.f5.com not found. See Troubleshooting Section.
  • Moving to CIS > 2.4.1 requires update to RBAC and CR schema definition before upgrade. See RBAC and CR schema.


2.7.0

Added Functionality

  • What’s new:
    • CRD:
      • Policy CR support for VirtualServer and TransportServer CRD. Support for L3 WAF, L7 Firewall policy and various profiles. See Examples.
      • IPv6 address support for VirtualServer, TransportServer CRD and ServiceTypeLB service. See Examples.
      • Wildcard domain name support with TLSProfile and VirtualServer. See Examples.
      • Multi-host support in VirtualServer CRD using hostgroup parameter. See Examples.
      • New Status column for VirtualServer and TransportServer CRD. See GitHub issue.
    • ConfigMap:
      • Tenant-based AS3 declarations support for configmaps using --filter-tenants deployment option. --filter-tenants: default behaviour in CIS 2.9, with a possible name change.
    • Ingress:
    • EDNS:
      • TCP type monitor support for EDNS.
      • EDNS resource name is modified from externaldnss to externaldns. See CRD definition.
  • CIS now compatible with:
    • Kubernetes 1.22
    • OCP 4.9 with OVN
    • AS3 3.30

Bug Fixes

  • Issue 1659: Report “status” of TransportServer CRD.
  • Issue 1684: [EDNS] CIS tries to remove non-existing monitor from GTM pool.
  • Issue 1873: Enable /metrics endpoint with CRD mode.
  • Issue 1916: Display IPAM provided IP address for TransportServer.
  • Issue 2006: Add support for Wildcard domain name with TLSProfile and VirtualServer.
  • Issue 2014: Allow type LoadBalancer with different TargetPort and Port values.
  • Issue 2025: Support ‘sni-server-name’ for GTM HTTPS Monitor.
  • Issue 2031: Add support for named service port reference for ingresses.
  • Issue 2032: EDNS will not work if both Virtual Server CRD and EDNS CRD are applied at the same time.
  • Issue 2087: Enable nodeMemberLabel regex to support common node labels.
  • Issue 2102 and Issue 2016: Fix for crash while validating secrets.
  • Restructured docs examples directory.
  • Improved performance while processing VS, services, and endpoint resources.

Notes

  • EDNS resource name is modified from externaldnss to externaldns. Refer to latest EDNS CRD definition here.
  • IPv6 is validated with calico CNI on k8s 1.22 setup.
  • Log4j vulnerability does not impact CIS and FIC code base.

Known Issues

  • Policy CRD integration with TS CRD has a few issues.
  • Wildcard hostname in VS CRD doesn’t match the parent domain.
  • When root domain and wildcard domain refer to same VSAddress, CIS is not working as expected.

F5 IPAM Controller v0.1.5 Release Notes

Added Functionality

  • IPv6 address range configuration support with default f5-ip-provider. See Example.


2.6.1

Bug Fixes

  • Added the complete path for datagroups in http redirect iRule.
  • Added RouteDomain support for AS3 resources.
  • Issue 2032: EDNS will not work if both Virtual Server CRD and EDNS CRD applied at the same time.
  • Issue 2012: Invalid Pool Name passed to AS3.
  • Issue 1931: Cannot disable IngressClass in HelmChart.
  • Issue 1911: CIS delete all exist vs when CIS pod restarting.
  • Issue 1792: EDNS fails to link WIP to Pool, error says “last-resort-pool” needs value in bipctrl log.


2.6.0

Added Functionality

  • CIS is now compatible with OpenShift 4.8.12. It is validated with OpenShift SDN and OVN-Kubernetes with hybridOverlay.
  • CIS supports IP address assignment to IngressLink Custom Resources using F5 IPAM Controller (See documentation).
  • CIS validates IPv6 address in bigip-url and gtm-bigip-url parameters.

Bug Fixes

  • Issue 1679: CIS requires GTM parameter in CIS declaration even if GTM runs on the same BIG-IP.
  • Issue 1888: Unable to upgrade from 2.2.0 (or below) to 2.2.1 (or above).
  • Issue 1941: CIS 2.5 output DEBUG log even with --log-level=INFO configured.
  • Fixed issue with deletion of monitor with EDNS custom resource deletion.

Performance Improvements

  • Improved EDNS Performance: new VirtualServer creation triggers processing of only associated EDNS resources.
  • Improved Ingress performance.

Known Issues

  • EDNS with https monitor is not properly supported.

F5 IPAM Controller v0.1.5 Release Notes

Added Functionality

  • F5 IPAM Controller supports InfoBlox (See the documentation for more information).
  • Persistent support added for F5 IPAM Controller default provider. FIC now requires pvc with volume mounted in deployment for default provider (See the documentation for more information).
  • Added support for Single NetView via deployment parameter infoblox-netview. It does not need to be provided via an IPAM label (See the documentation for more information).
  • Added support for standalone IP in Infoblox Provider.
  • Added support for credentials-directory configuration option for mounting Infoblox credentials and self-signed certificate from Kubernetes secrets.
  • Disabled DNSView for Infoblox Provider.

Bug Fixes

  • Stale status entries are cleared from IPAM custom resource.
  • FIC restart allocates multiple IP addresses on InfoBlox.

Known Issues

  • With InfoBlox integration, updating ip-range is not working as expected.

Migration from 0.1.4

  • With this release, the f5ipam CRD is now renamed to ipam.
  • A resource in clusterrole should be updated to IPAM before upgrading to latest IPAM (See latest clusterrole in the documentation).
  • For F5 IPAM Controller default provider, update deployment with PVC and volume for persistence of DB. Volume mount is a prerequisite for FIC v0.1.5 (See the documentation for FIC deployment with volume).


2.5.1

Added Functionality

  • CIS now supports:
    • Deletion of old F5IPAM CR when it is not in use.
    • Skipping certificate validation for passthrough routes.
    • The ability to update or delete Ingress V1 annotation with shared IP.

Bug Fixes

  • Issue 1921: Plain text login and password in process status on node that is running controller.
  • Issue 1849: Fix VirtualServer CRD processing which share same IP and different port.
  • OpenShift operator no longer fails to install multiple CIS instances due to existing CRDs.

Vulnerability Fixes

CVE               Comments
CVE-2019-19794    Upgraded the miekg Go DNS package in CIS repository


2.5.0

Added Functionality

  • CIS is now compatible with:
    • Kubernetes v1.21
    • OpenShift 4.7.13 with OpenShift SDN
    • AS3 3.28
  • Added support for:
    • Multiport Service and Health Monitor for Service type LoadBalancer in CRD mode. See examples.
    • Issue 1824: Kubernetes networking.k8s.io/v1 Ingress and IngressClass. See examples.
    • For networking.k8s.io/v1 Ingress, add multiple BIG-IP SSL client profiles with annotation virtual-server.f5.com/clientssl. See examples.
    • OpenShift route annotations virtual-server.f5.com/rewrite-app-root (examples) and virtual-server.f5.com/rewrite-target-url (examples) with agent AS3.
    • Issue 1570: iRule reference in TransportServer CRD. See examples.
    • CIS deployment configuration options:
      • --periodic-sync-interval - Configure the periodic sync of Kubernetes resources.
      • --hubmode - Enable support for ConfigMaps to monitor services in same and different namespaces.
      • --disable-teems - Configure to send anonymous analytics data to F5.
  • CIS now monitors changes to Kubernetes Secret resource.
  • Improved performance while processing Ingress resources.
  • CIS in AS3 agent mode now adds default cipher groups to SSL profiles for TLS v1.3.
  • CIS now supports F5 IPAM Controller 0.1.4.
  • Helm Chart Enhancements:
    • Latest CRD schemas.
    • Added support to install Ingress and IngressClass objects in networking.k8s.io/v1.

Bug Fixes

  • CIS now properly adds nodes as pool members (in NodePort mode).

Known Issues

  • To improve performance, F5 recommends increasing the resync periodic interval to more than 300 seconds except for passthrough routes. Configure CIS deployment with --periodic-sync-interval to more than 300 seconds. OpenShift Routes with termination Passthrough are processed post this interval.

Upgrading to 2.5.0

  • CIS 2.5.0 supports Kubernetes networking.k8s.io/v1 Ingress and IngressClass. With Kubernetes version 1.18+:
    • Update CIS ClusterRole. We removed resourceName to monitor all secrets.
    • Create IngressClass before upgrading to version 2.5.0.
  • To upgrade CIS using operator in OpenShift:
    • Install IngressClass manually.
    • Install CRDs manually if using CIS CustomResources (VirtualServer/TransportServer/IngressLink).

F5 IPAM Controller v0.1.4 Release Notes:

Added Functionality

  • F5 IPAM Controller supports Infoblox (Preview available for VirtualServer CRD only). Refer to documentation for more details.


2.4.1

Added Functionality

  • CIS supports F5 IPAM Controller 0.1.3.
  • Helm Chart Enhancements:
    • Added support for multiple namespace configuration parameter with CIS operator.

Bug Fixes

  • Issue 1737: Inconsistent ordering of policy rules when adding an Ingress path.
  • Issue 1808: K8S BIG-IP Controller upload old certificate to BIG-IP.
  • Stale IPAM CR configuration is deleted when CIS restarts.
  • IPAM allocated IP address now populates for VirtualServer under VSAddress column.
  • CIS supports endpoints created without nodeNames in cluster mode for Headless Service.
  • Updated Helm charts to support IBM platform certification.

Vulnerability Fixes

CVE               Comments
CVE-2020-36242    Upgraded the cryptography package in f5-common-python repository
CVE-2020-25659    Upgraded the cryptography package in f5-cccl repository
CVE-2020-14343    Upgraded the PyYAML package in f5-cccl repository

Limitations

Due to changes in the BIG-IP Python API, CIS EDNS no longer functions correctly. EDNS will be moving to the AS3 API in the upcoming release.

F5 IPAM Controller 0.1.3 Release Notes:

Added Functionality

  • Old entries in IPAM CR spec/status are now removed when CIS is restarted versus during an update.
  • FIC does not allocate the last IP address specified in the IP range.
  • Deleting resources releases IP address along with clearing corresponding spec entries.


2.4.0

Added Functionality

  • Improved data group handling for virtual server custom resource.
  • CIS is now compatible with: Kubernetes 1.20
  • CIS supports IP address assignment to Kubernetes service type LoadBalancer using F5 IPAM Controller. See Examples.
  • CIS supports IP address assignment to Transport Server CR using F5 IPAM Controller. See Examples.
  • Added support for defaultRouteDomain in custom resource mode.
  • CIS supports service address reference in virtual server and transport server Custom Resources.
  • Integrated the IngressLink mode with CRD mode.
  • CIS supports implicit Health Monitor for ingress link resource.
  • Helm Chart Enhancements:
    • Updated the Custom Resource Definitions for Virtual Server and Transport Server resources.
    • Added the IngressLink Custom Resource installation using Helm charts.
    • Updated the RBAC to support service type LoadBalancer.

Bug Fixes

  • SR - Fix continuous overwrites with iApp in cccl mode.
  • Issue 1573: Added support for type UDP Transport Server CRD.
  • Issue 1723: BIG-IP selects wrong certificate with ECDSA-signed certificate.
  • Issue 1645: Certificate-check added in CISv2.2.2 logs too often.
  • Issue 1730: Partition default_route_domain is being reset while creating VirtualServer via CRD to 0.

Vulnerability Fixes

CVE               Comments
CVE-2020-1747     Upgraded the PyYaml package in f5-cccl repository
CVE-2020-25659    Removed unused package cryptography in f5-cccl repository

Limitations

VXLAN tunnel name starting with prefix “k8s” is not supported. CIS uses prefix “k8s” to differentiate managed and user-created resources. See Issue 1508 for more information.

FIC 0.1.2 Release Notes

Added Functionality

  • FIC supports label-based IP address allocation.
  • FIC supports multiple CIS deployments.
  • FIC is now compatible with k8s 1.20.
  • FIC now creates the IPAM custom resource schema for validation.
  • Earlier way of specifying --ip-range format is deprecated.

Known Issues

  • FIC does not allocate the last IP address specified in the ip range.
  • CIS deletes IPAM custom resource intermittently.
  • Updating the --ip-range in FIC deployment is not working properly.


2.3.0

Added Functionality

  • CIS supports IP address assignment to Virtual Server CRD using F5 IPAM Controller.
  • CIS allows user to leverage Virtual IP address using either F5 IPAM Controller or virtualServerAddress field in VirtualServer CRD.
  • Support Passthrough termination for TLS CRD.
  • Added support for AS3 schema minor versions.
  • Issue 1631: Support caCertificate for OpenShift Routes.
  • Issue 1571: iRule reference for CRD for VirtualServer.
  • Issue 1592, Issue 1621: Enabling VLANS on CRD for VirtualServer and TransportServer.
  • Updated CR Kind from NginxCisConnector to IngressLink.
  • Helm Chart Enhancements:

Bug Fixes

  • Issue 1457: Each Client request will be logged on BIG-IP when http2-profile is associated to Virtual Server.
  • Issue 1458: CIS v2.1.0 does not delete LTM-Policy reset-rule when OpenShift-annotation for whitelist-source-range will be removed.
  • Issue 1498: In iRule openshift_passthrough_irule the variable “$dflt_pool” could not be set correctly when http/2-profile is linked to Virtual Server.
  • Issue 1565: Logs should distinguish ConfigMap and Ingress errors.
  • Issue 1641: Debug log sKey.ServiceName in syncVirtualServer.
  • Issue 1671: TransportServer assigns wrong pool/service.
  • CIS fails to update pod arp on BIG-IP, “Attempted to mutate read-only attribute(s)”.

Limitations

  • For AB routes, HTTP2 traffic does not distribute properly when http2-profile is associated to VS.
  • Workaround for CIS in IPAM mode.
  • Removing virtualServerAddress field from VSCRD in non-IPAM mode may flush corresponding BIG-IP configuration.
  • CIS works with dedicated F5 IPAM Controller only.


2.2.3

Bug Fix

  • Issue 1646: Virtual Server demoted from CMP when updating to CIS v2.2.2.



2.2.2

Added Functionality

  • CIS is now compatible with:
    • OpenShift 4.6.4.
    • Kubernetes 1.19
    • BIG-IP v16
    • AS3 3.25.
  • CIS now verifies whether the BIG-IP clientssl/serverssl is valid or not valid.
  • Support for error handling in CRDs.

Bug Fixes

  • Issue 1557: iRule openshift_passthrough_irule logs various TCL errors.
  • Issue 1584: iRule openshift_passthrough_irule logs TCL errors - can’t read “tls_extensions_len”.
  • Issue 1602: ConfigMap not working for 2.2.1 but works for 2.2.0.
  • CIS now properly handles incorrect configMap with syntax errors.
  • CIS now logs crash message when processing multiple EDNS.
  • CIS now handles deletion of GTM configuration when there is no EDNS configuration after CIS restarts/starts.
  • CIS now handles the duplicate and invalid routes properly.
  • CIS now updates global parameters SNAT by every Virtual server pointing to the same hostname.
  • CIS handles duplicate path issue with virtual server pointing to same host or virtual address.
  • CIS handles MAC address parsing issue with new flannel versions.
  • CIS now processes TLS profiles correctly when VirtualServer and TLS profiles are added at a time.
  • CIS now processes configMap updates properly.


2.2.1

Added Functionality

  • CIS is now compatible with:
    • OpenShift 4.6.4.
    • AS3 3.24.X
  • CIS supports OVN-Kubernetes CNI for Standalone and HA with OSCP 4.5.X
  • External DNS CRD – Preview available in CRD mode:
    • Supports single CIS to configure both LTM and GTM configuration.
    • Supports external DNS for GTM configuration.
    • Create Wide-IP on BIG-IP using Virtual server CRD’s domain name.
    • Multi-cluster support for the same domain.
    • Health monitor support for monitoring GSLB pools.
    • CIS deployment parameters added for External DNS: --gtm-bigip-url, --gtm-bigip-username, --gtm-bigip-password and --gtm-credentials-directory.
    • CRD schema definition for External DNS.
    • CRD examples.

Bug Fixes

  • Issue 1464: CIS AS3 does not support k8s services with multiple ports.
  • Issue 1391: Expose Kubernetes API services via F5 ingress crashes CIS.
  • Issue 1527: Service Discovery logs not being output.
  • SR: Fix for concurrent map read and write with configmap processing.
  • SR: Improved performance by skipping the processing of endpoints for unassociated services.

Limitations

  • CIS does not update the GSLB pool members when virtual server CRD’s virtualServerAddress is updated or virtual server CRD is deleted for a domain.
  • CIS is unable to delete the Wide-IP without Health Monitor.
  • CIS is unable to delete the Health Monitor when there is no virtual server CRD available for a domain name.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.




2.2.0

Added Functionality

  • Custom Resource Definition (CRD):
    • Multiple ports in a single service.
    • TransportServer Custom Resource.
    • VirtualServer Custom Resource without Host Parameter.
    • Share Nodes implementation for CRD, Ingress, and Routes.
    • WAF integration.
    • SNAT in VirtualServer CRD.
    • Option to configure Virtual address port.
    • App-Root Rewrite and URL Rewrite.
    • Health monitor for each pool member.
    • Option to configure VirtualServer name.
    • Nginx CIS connector.
    • Namespace label.
    • CRD TEEMs Integration.
    • Support for AS3 3.23.
    • Upgraded AS3 Schema validation version from v3.11.0-3 to v3.18.0-4.
    • Schema
    • Examples

Bug Fixes

  • Custom Resource Definition (CRD):
    • Verified the AS3 installation on BIG-IP in CRD Mode.
    • Streamlined logs.
    • Fixed unnecessary creation of HTTP VirtualServer when httpTraffic is set to ‘None’.
  • Routes:
    • Fixed FlipFlop of Policy with AB deployment Routes.
    • Removed unwanted logs from iRule.

Limitations

  • Modifying VirtualServer address leads to traffic loss intermittently. Delete and re-create the VirtualServer as an alternative.
  • VirtualServers with same host and virtualServerAddress should maintain same parameters except pool, tlsProfileName and monitors.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.




2.1.1

Added Functionality

  • CIS is now compatible with:
    • OpenShift 4.5
    • AS3 3.21.0
  • Custom Resource Definition (CRD) Preview version available with virtual-server and TLSProfile custom resources. See the Custom Resource Definitions section for more information and examples.
    • Added Support for k8s Secrets with TLSProfile Custom Resource.
    • Improved the strategy of processing virtual-server and TLSProfile custom resources.
    • Added support for installation using Helm and Operator.
    • Streamlined logs to provide insightful information in INFO and remove unwanted information in DEBUG mode.

Bug Fixes

  • Issue 1467: AS3 ERROR declaration.schemaVersion must be one of the following with Controller version 2.1.0.
  • Issue 1433: Template is not valid. When using CIS 2.1 with AS3 version: 3.21.0.
  • Issue 1440: Optional health check parameters don’t appear to be optional.
  • Fixed issues with processing multiple services with same annotations in AS3 ConfigMap mode. When there are multiple services with same annotations, CIS updates the oldest service endpoints in BIG-IP.
  • Fixed issues with continuous AS3 declarations in CRD mode.
  • Fixed issues with re-encrypt termination on multiple domains in CRD mode.
  • Fixed issues with CIS crashing in CRD mode in the following situations: when the user removes f5cr label from VirtualServer or TLSProfile custom resources; when the user deletes TLSProfile custom resource. This behavior is intermittent.
  • Fixed issues with processing of unwanted endpoint and service changes in CRD mode.

Limitations

  • During restarts, CIS fails to read TLSProfile custom resource. This behavior is intermittent.
  • CIS does not update the endpoint changes on BIG-IP in CRD mode. This behavior is intermittent.
  • CIS does not validate secrets and BIG-IP profiles provided in TLSProfile custom resource.
  • CIS supports only port 80 and 443 for BIG-IP Virtual servers in CRD mode.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.




2.1

Added Functionality

  • CIS will not create _AS3 partition anymore.
    • CIS uses a single partition (i.e. --bigip-partition) to configure both LTM and NET configuration.
    • Additional AS3 managed partition _AS3 will be removed if it exists.
  • Enhanced performance for lower CPU Utilization with optimized CCCL calls.
  • CIS validates AS3 declarations against AS3 v3.20 schema.
  • CIS supports AS3 versions installed on BIG-IP from v3.18 to latest (v3.20).
  • Added support for:
    • Multiple AS3 ConfigMaps.
    • AS3 label switching in AS3 ConfigMap resource:
      • When set to False, CIS deletes the existing configuration (or) CIS ignores AS3 ConfigMap.
      • When set to True, CIS reads the corresponding AS3 ConfigMap.
    • Added Whitelist feature support for agent AS3 using policy endpoint condition.
      • New annotation “allow-source-range” added parallel to “whitelist-source-range”.
  • Deprecated --userdefined-as3-declaration CIS deployment option as CIS now supports Multiple AS3 ConfigMaps.
  • Custom Resource Definition (CRD) – Alpha available with TLS support.
    • Highlights of this Alpha CRD version:
      • Supports single partition to configure both LTM and NET configuration.
      • Supports both unsecured and TLS CRD.
      • Supports single domain per Virtual server.
      • Supports merging multiple virtual servers into single BIG-IP VIP referring to a single domain.
      • Added Health monitor support.
      • Supports nodelabel in Virtual server CRD.
      • Supports TLSProfile CRD with BIG-IP reference client and server SSL profiles.
      • Supports TLSProfile CRD with K8S secrets reference for client SSL profiles.
      • CRD schema definition for both Virtual server and TLSProfile.
      • CRD examples.
  • The following GitHub repositories have been archived and are now read-only. These projects are no longer actively maintained:

Bug Fixes

  • Issue 1420: Enhanced performance for lower CPU Utilization with optimized CCCL calls.
  • Issue 1362: CIS supports HTTP Header with iv-groups.
  • Issue 1388, 1311: CIS properly manages AS3 ConfigMaps when configured with namespace-labels.
  • Issue 1337: CIS supports multiple AS3 Configmaps.
  • Issue 1171: CIS will not create _AS3 partition anymore.

Vulnerability Fixes

CVE | Comments
CVE-2018-5543 | CIS Operator uses --credentials-directory by default for BIG-IP credentials

Guidelines for upgrading to CIS 2.1

  • Those migrating from agent CCCL to agent AS3:
    • Users should clean up LTM resources in the BIG-IP partition created by CCCL before migrating to CIS 2.1. Steps to clean up LTM resources in the BIG-IP partition using AS3:
      • Use this POST call: https://<bigip-ip>/mgmt/shared/appsvcs/declare?async=true along with this AS3 declaration.
      • Note: Replace <bigip-ip> in the above POST call and the <bigip-partition> name in the AS3 configuration.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.




2.0

Added Functionality

  • AS3 is the default agent. Use deployment argument --agent to configure CCCL agent.
  • Custom Resource Definition (CRD) – Alpha available with Custom resource virtual-server.
  • Added new optional deployment arguments:
    • --custom-resource-mode (default false): when set to true, CIS processes custom resources only.
    • --userdefined-as3-declaration for processing user defined AS3 ConfigMap in CIS watched namespaces.
  • AS3 versions newer than 3.18 are required for 2.X releases.
  • CIS is now compatible with:
    • OpenShift 4.3
    • BIG-IP 15.1
    • K8S 1.18
  • Base image upgraded to UBI for CIS Container images.
  • Added Support for:
    • Multiple BIG-IP ClientSSL profiles for a Virtual Server
    • Informer based Override AS3 ConfigMap
    • UserAgent in AS3 Controls object
    • New Attributions Generator - Licensee
    • GO Modules for dependency management
    • HTTPS health monitoring for passthrough and re-encrypt routes

New RH container registry: registry.connect.redhat.com/f5networks/cntr-ingress-svcs

Bug Fixes

  • CIS handles requests sent to unknown hosts for Routes using debug messages.
  • CIS handles frequent posting of the ‘Overwriting existing entry for backend’ log message when different routes are configured in different namespaces.
  • Issue 1233: CIS handles ClientSSL annotation and cert/key logging issues.
  • Issue 1145, 1185, 1295: CIS handles namespace isolation for AS3 ConfigMaps.
  • Issue 1241, 1229: CIS fetches 3.18 AS3 schema locally.
  • Issue 1191: CIS cleans AS3 managed partition when moved to CCCL as agent.
  • Issue 1162: CIS properly handles OpenShift Route admit status.
  • Issue 1160: CIS handles https redirection for ingress which accepts all common names.

Vulnerability Fixes

CVE | Comments
CVE-2009-3555 | CIS disables renegotiation for all Custom ClientSSL

Limitations

  • With CCCL as the CIS agent, OpenShift A/B routes cannot be updated in BIG-IP versions newer than 14.1.X due to data group changes.

Next Upgrade Notes

  • From CIS 2.1, additional AS3 managed partition _AS3 will be removed.

Security Vulnerabilities

Visit the F5 Security Center for complete F5 BIG-IP and F5 BIG-IQ security information. For the latest list of known and fixed vulnerabilities related to versions of BIG-IP and BIG-IQ, visit the F5 Documentation Center and select the Security Advisory document type to narrow the search results.




To see older versions of the release notes, see this page.