Release Notes

This page contains the release notes for F5 BIG-IP Container Ingress Services.

2.2.0

Added Functionality

  • Custom Resource Definition (CRD):
    • Multiple ports in a single service.
    • TransportServer Custom Resource.
    • VirtualServer Custom Resource without Host Parameter.
    • Share Nodes implementation for CRD, Ingress, and Routes.
    • WAF integration.
    • SNAT in VirtualServer CRD.
    • Option to configure Virtual address port.
    • App-Root Rewrite and URL Rewrite.
    • Health monitor for each pool member.
    • Option to configure VirtualServer name.
    • Nginx CIS connector.
    • Namespace label.
    • CRD TEEMs Integration.
    • Support for AS3 3.23.
    • Upgraded AS3 Schema validation version from v3.11.0-3 to v3.18.0-4.
    • Schema
    • Examples

Bug Fixes

  • Custom Resource Definition (CRD):
    • Verified the AS3 installation on BIG-IP in CRD Mode.
    • Streamlined logs.
    • Fixed unnecessary creation of HTTP VirtualServer when httpTraffic is set to ‘None’.
  • Routes:
    • Fixed FlipFlop of Policy with AB deployment Routes.
    • Removed unwanted logs from iRule.

Limitations

  • Modifying VirtualServer address leads to traffic loss intermittently. Delete and re-create the VirtualServer as an alternative.
  • VirtualServers with same host and virtualServerAddress should maintain same parameters except pool, tlsProfileName and monitors.



2.1.1

Added Functionality

  • CIS is now compatible with:
    • OpenShift 4.5
    • AS3 3.21.0
  • Custom Resource Definition (CRD) Preview version available with virtual-server and TLSProfile custom resources. See the Custom Resource Definitions section for more information and examples.
    • Added Support for k8s Secrets with TLSProfile Custom Resource.
    • Improved the strategy of processing virtual-server and TLSProfile custom resources.
    • Added support for installation using Helm and Operator.
    • Streamlined logs to provide insightful information in INFO and remove unwanted information in DEBUG mode.

Bug Fixes

  • Issue 1467: AS3 ERROR declaration.schemaVersion must be one of the following with Controller version 2.1.0.
  • Issue 1433: Template is not valid. When using CIS 2.1 with AS3 version: 3.21.0.
  • Issue 1440: Optional health check parameters don’t appear to be optional.
  • Fixed issues with processing multiple services with same annotations in AS3 ConfigMap mode. When there are multiple services with same annotations, CIS updates the oldest service endpoints in BIG-IP.
  • Fixed issues with continuous AS3 declarations in CRD mode.
  • Fixed issues with re-encrypt termination on multiple domains in CRD mode.
  • Fixed issues with CIS crashing in CRD mode in the following situations: when the user removes f5cr label from VirtualServer or TLSProfile custom resources; when the user deletes TLSProfile custom resource. This behavior is intermittent.
  • Fixed issues with processing of unwanted endpoint and service changes in CRD mode.

Limitations

  • During restarts, CIS fails to read TLSProfile custom resource. This behavior is intermittent.
  • CIS does not update the endpoint changes on BIG-IP in CRD mode. This behavior is intermittent.
  • CIS does not validate secrets and BIG-IP profiles provided in TLSProfile custom resource.
  • CIS supports only port 80 and 443 for BIG-IP Virtual servers in CRD mode.



2.1

Added Functionality

  • CIS will not create _AS3 partition anymore.
    • CIS uses single partition (i.e. --bigip-partition) to configure both LTM and NET configuration.
    • Additional AS3 managed partition _AS3 will be removed if it exists.
  • Enhanced performance for lower CPU Utilization with optimized CCCL calls.
  • CIS validates AS3 declarations against AS3 v3.20 schema.
  • CIS supports AS3 versions installed on BIG-IP from v3.18 to latest (v3.20).
  • Added support for:
    • Multiple AS3 ConfigMaps.
    • AS3 label switching in AS3 ConfigMap resource:
      • When set to False, CIS deletes the existing configuration (or) CIS ignores AS3 ConfigMap.
      • When set to True, CIS reads the corresponding AS3 ConfigMap.
    • Added Whitelist feature support for agent AS3 using policy endpoint condition.
      • New annotation “allow-source-range” added parallel to “whitelist-source-range”.
  • Deprecated --userdefined-as3-declaration CIS deployment option as CIS now supports Multiple AS3 ConfigMaps.
  • Custom Resource Definition (CRD) – Alpha available with TLS support.
    • Highlights of this Alpha CRD version:
      • Supports single partition to configure both LTM and NET configuration.
      • Supports both unsecured and TLS CRD.
      • Supports single domain per Virtual server.
      • Supports merging multiple virtual servers into single BIG-IP VIP referring to a single domain.
      • Added Health monitor support.
      • Supports nodelabel in Virtual server CRD.
      • Supports TLSProfile CRD with BIG-IP reference client and server SSL profiles.
      • Supports TLSProfile CRD with K8S secrets reference for client SSL profiles.
      • CRD schema definition for both Virtual server and TLSProfile.
      • CRD examples.
  • The following GitHub repositories have been archived and are now read-only. These projects are no longer actively maintained:

Bug Fixes

  • Issue 1420: Enhanced performance for lower CPU Utilization with optimized CCCL calls.
  • Issue 1362: CIS supports HTTP Header with iv-groups.
  • Issue 1388, 1311: CIS properly manages AS3 ConfigMaps when configured with namespace-labels.
  • Issue 1337: CIS supports multiple AS3 Configmaps.
  • Issue 1171: CIS will not create _AS3 partition anymore.

Vulnerability Fixes

CVE             Comments
CVE-2018-5543   CIS Operator uses --credentials-directory by default for BIG-IP credentials

Guidelines for upgrading to CIS 2.1

  • Those migrating from agent CCCL to agent AS3:
    • User should clean up LTM resources in BIG-IP partition created by CCCL before migrating to CIS 2.1. Steps to clean up LTM resources in BIG-IP partition using AS3:
      • Use this POST call: https://<bigip-ip>/mgmt/shared/appsvcs/declare?async=true along with this AS3 declaration.
      • Note: Modify <bigip-ip> in the above POST call and the <bigip-partition> name in the AS3 declaration.



2.0

Added Functionality

  • AS3 is the default agent. Use deployment argument --agent to configure CCCL agent.
  • Custom Resource Definition (CRD) – Alpha available with Custom resource virtual-server.
  • Added new optional deployment arguments:
    • --custom-resource-mode (default false) when set true processes custom resources only.
    • --userdefined-as3-declaration for processing user defined AS3 ConfigMap in CIS watched namespaces.
  • AS3 versions newer than 3.18 are required for 2.X releases.
  • CIS is now compatible with:
    • OpenShift 4.3
    • BIG-IP 15.1
    • K8S 1.18
  • Base image upgraded to UBI for CIS Container images.
  • Added Support for:
    • Multiple BIG-IP ClientSSL profiles for a Virtual Server
    • Informer based Override AS3 ConfigMap
    • UserAgent in AS3 Controls object
    • New Attributions Generator - Licensee
    • GO Modules for dependency management
    • HTTPS health monitoring for passthrough and re-encrypt routes

New RH container registry: registry.connect.redhat.com/f5networks/cntr-ingress-svcs

Bug Fixes

  • CIS handles requests sent to unknown hosts for Routes using debug messages.
  • CIS handles frequent posting of the ‘Overwriting existing entry for backend’ log message when different routes are configured in different namespaces.
  • Issue 1233: CIS handles ClientSSL annotation and cert/key logging issues.
  • Issue 1145, 1185, 1295: CIS handles namespace isolation for AS3 ConfigMaps.
  • Issue 1241, 1229: CIS fetches 3.18 AS3 schema locally.
  • Issue 1191: CIS cleans AS3 managed partition when moved to CCCL as agent.
  • Issue 1162: CIS properly handles OpenShift Route admit status.
  • Issue 1160: CIS handles https redirection for ingress which accepts all common names.

Vulnerability Fixes

CVE             Comments
CVE-2009-3555   CIS disables renegotiation for all Custom ClientSSL

Limitations

  • With CCCL as the agent, OpenShift A/B routes cannot be updated in BIG-IP versions newer than 14.1.X due to data group changes.

Next Upgrade Notes

  • From CIS 2.1, additional AS3 managed partition _AS3 will be removed.



To see older versions of the release notes, see this page.