Release Notes

This page contains the release notes for F5 BIG-IP Container Ingress Services.

2.3.0

Added Functionality

  • CIS supports IP address assignment to Virtual Server CRD using F5 IPAM Controller.
  • CIS allows users to leverage a Virtual IP address using either the F5 IPAM Controller or the virtualServerAddress field in the VirtualServer CRD.
  • Support Passthrough termination for TLS CRD.
  • Added support for AS3 schema minor versions.
  • Issue 1631: Support caCertificate for OpenShift Routes.
  • Issue 1571: iRule reference for CRD for VirtualServer.
  • Issue 1592, Issue 1621: Enabling VLANS on CRD for VirtualServer and TransportServer.
  • Updated CR Kind from NginxCisConnector to IngressLink.
  • Helm Chart Enhancements:

Bug Fixes

  • Issue 1457: Each Client request will be logged on BIG-IP when http2-profile is associated to Virtual Server.
  • Issue 1458: CIS v2.1.0 does not delete LTM-Policy reset-rule when OpenShift-annotation for whitelist-source-range will be removed.
  • Issue 1498: In iRule openshift_passthrough_irule the variable “$dflt_pool” could not be set correctly when http/2-profile is linked to Virtual Server.
  • Issue 1565: Logs should distinguish ConfigMap and Ingress errors.
  • Issue 1641: Debug log sKey.ServiceName in syncVirtualServer.
  • Issue 1671: TransportServer assigns wrong pool/service.
  • CIS fails to update pod ARP on BIG-IP, “Attempted to mutate read-only attribute(s)”.

Limitations

  • For AB routes, HTTP2 traffic does not distribute properly when http2-profile is associated to VS.
  • Workaround for CIS in IPAM mode.
  • Removing virtualServerAddress field from VSCRD in non-IPAM mode may flush corresponding BIG-IP configuration.
  • CIS works with dedicated F5 IPAM Controller only.



2.2.3

Bug Fix

  • Issue 1646: Virtual Server demoted from CMP when updating to CIS v2.2.2.



2.2.2

Added Functionality

  • CIS is now compatible with:
    • OpenShift 4.6.4.
    • Kubernetes 1.19
    • BIG-IP v16
    • AS3 3.25.
  • CIS now verifies whether the BIG-IP clientssl/serverssl is valid or not valid.
  • Support for error handling in CRDs.

Bug Fixes

  • Issue 1557: iRule openshift_passthrough_irule logs various TCL errors.
  • Issue 1584: iRule openshift_passthrough_irule logs TCL errors - can’t read “tls_extensions_len”.
  • Issue 1602: ConfigMap not working for 2.2.1 but works for 2.2.0.
  • CIS now properly handles incorrect configMap with syntax errors.
  • CIS now logs crash message when processing multiple EDNS.
  • CIS now handles deletion of GTM configuration when there is no EDNS configuration after CIS restarts/starts.
  • CIS now handles the duplicate and invalid routes properly.
  • CIS now updates global parameters SNAT by every Virtual server pointing to the same hostname.
  • CIS handles duplicate path issue with virtual servers pointing to the same host or virtual address.
  • CIS handles MAC address parsing issue with new flannel versions.
  • CIS now processes TLS profiles correctly when VirtualServer and TLS profiles are added at a time.
  • CIS now processes configMap updates properly.



2.2.1

Added Functionality

  • CIS is now compatible with:
    • OpenShift 4.6.4.
    • AS3 3.24.X
  • CIS supports OVN-Kubernetes CNI for Standalone and HA with OSCP 4.5.X
  • External DNS CRD – Preview available in CRD mode:
    • Supports single CIS to configure both LTM and GTM configuration.
    • Supports external DNS for GTM configuration.
    • Create Wide-IP on BIG-IP using Virtual server CRD’s domain name.
    • Multi-cluster support for the same domain.
    • Health monitor support for monitoring GSLB pools.
    • CIS deployment parameters added for External DNS: --gtm-bigip-url, --gtm-bigip-username, --gtm-bigip-password and --gtm-credentials-directory.
    • CRD schema definition for External DNS.
    • CRD examples.

Bug Fixes

  • Issue 1464: CIS AS3 does not support k8s services with multiple ports.
  • Issue 1391: Expose Kubernetes API services via F5 ingress crashes CIS.
  • Issue 1527: Service Discovery logs not being output.
  • SR - Fix for concurrent map read and write with configmap processing.
  • SR - Improved performance by skipping the processing of endpoints for unassociated services.

Limitations

  • CIS does not update the GSLB pool members when virtual server CRD’s virtualServerAddress is updated or virtual server CRD is deleted for a domain.
  • CIS is unable to delete the Wide-IP without Health Monitor.
  • CIS is unable to delete the Health Monitor when there are no virtual server CRD available for a domain name.



2.2.0

Added Functionality

  • Custom Resource Definition (CRD):
    • Multiple ports in a single service.
    • TransportServer Custom Resource.
    • VirtualServer Custom Resource without Host Parameter.
    • Share Nodes implementation for CRD, Ingress, and Routes.
    • WAF integration.
    • SNAT in VirtualServer CRD.
    • Option to configure Virtual address port.
    • App-Root Rewrite and URL Rewrite.
    • Health monitor for each pool member.
    • Option to configure VirtualServer name.
    • Nginx CIS connector.
    • Namespace label.
    • CRD TEEMs Integration.
    • Support for AS3 3.23.
    • Upgraded AS3 Schema validation version from v3.11.0-3 to v3.18.0-4.
    • Schema
    • Examples

Bug Fixes

  • Custom Resource Definition (CRD):
    • Verified the AS3 installation on BIG-IP in CRD Mode.
    • Streamlined logs.
    • Fixed unnecessary creation of HTTP VirtualServer when httpTraffic is set to ‘None’.
  • Routes:
    • Fixed FlipFlop of Policy with AB deployment Routes.
    • Removed unwanted logs from iRule.

Limitations

  • Modifying VirtualServer address leads to traffic loss intermittently. Delete and re-create the VirtualServer as an alternative.
  • VirtualServers with same host and virtualServerAddress should maintain same parameters except pool, tlsProfileName and monitors.



2.1.1

Added Functionality

  • CIS is now compatible with:
    • OpenShift 4.5
    • AS3 3.21.0
  • Custom Resource Definition (CRD) Preview version available with virtual-server and TLSProfile custom resources. See the Custom Resource Definitions section for more information and examples.
    • Added Support for k8s Secrets with TLSProfile Custom Resource.
    • Improved the strategy of processing virtual-server and TLSProfile custom resources.
    • Added support for installation using Helm and Operator.
    • Streamlined logs to provide insightful information in INFO and remove unwanted information in DEBUG mode.

Bug Fixes

  • Issue 1467: AS3 ERROR declaration.schemaVersion must be one of the following with Controller version 2.1.0.
  • Issue 1433: Template is not valid. When using CIS 2.1 with AS3 version: 3.21.0.
  • Issue 1440: Optional health check parameters don’t appear to be optional.
  • Fixed issues with processing multiple services with same annotations in AS3 ConfigMap mode. When there are multiple services with same annotations, CIS updates the oldest service endpoints in BIG-IP.
  • Fixed issues with continuous AS3 declarations in CRD mode.
  • Fixed issues with re-encrypt termination on multiple domains in CRD mode.
  • Fixed issues with CIS crashing in CRD mode in the following situations: when the user removes f5cr label from VirtualServer or TLSProfile custom resources; when the user deletes TLSProfile custom resource. This behavior is intermittent.
  • Fixed issues with processing of unwanted endpoint and service changes in CRD mode.

Limitations

  • During restarts, CIS fails to read TLSProfile custom resource. This behavior is intermittent.
  • CIS does not update the endpoint changes on BIG-IP in CRD mode. This behavior is intermittent.
  • CIS does not validate secrets and BIG-IP profiles provided in TLSProfile custom resource.
  • CIS supports only port 80 and 443 for BIG-IP Virtual servers in CRD mode.



2.1

Added Functionality

  • CIS will not create _AS3 partition anymore.
    • CIS uses a single partition (i.e. --bigip-partition) to configure both LTM and NET configuration.
    • Additional AS3 managed partition _AS3 will be removed if it exists.
  • Enhanced performance for lower CPU Utilization with optimized CCCL calls.
  • CIS validates AS3 declarations against AS3 v3.20 schema.
  • CIS supports AS3 versions installed on BIG-IP from v3.18 to latest (v3.20).
  • Added support for:
    • Multiple AS3 ConfigMaps.
    • AS3 label switching in AS3 ConfigMap resource:
      • When set to False, CIS deletes the existing configuration (or) CIS ignores AS3 ConfigMap.
      • When set to True, CIS reads the corresponding AS3 ConfigMap.
    • Added Whitelist feature support for agent AS3 using policy endpoint condition.
      • New annotation “allow-source-range” added parallel to “whitelist-source-range”.
  • Deprecated the --userdefined-as3-declaration CIS deployment option, as CIS now supports multiple AS3 ConfigMaps.
  • Custom Resource Definition (CRD) – Alpha available with TLS support.
    • Highlights of this Alpha CRD version:
      • Supports single partition to configure both LTM and NET configuration.
      • Supports both unsecured and TLS CRD.
      • Supports single domain per Virtual server.
      • Supports merging multiple virtual servers into single BIG-IP VIP referring to a single domain.
      • Added Health monitor support.
      • Supports nodelabel in Virtual server CRD.
      • Supports TLSProfile CRD with BIG-IP reference client and server SSL profiles.
      • Supports TLSProfile CRD with K8S secrets reference for client SSL profiles.
      • CRD schema definition for both Virtual server and TLSProfile.
      • CRD examples.
  • The following GitHub repositories have been archived and are now read-only. These projects are no longer actively maintained:

Bug Fixes

  • Issue 1420: Enhanced performance for lower CPU Utilization with optimized CCCL calls.
  • Issue 1362: CIS supports HTTP Header with iv-groups.
  • Issue 1388, 1311: CIS properly manages AS3 ConfigMaps when configured with namespace-labels.
  • Issue 1337: CIS supports multiple AS3 Configmaps.
  • Issue 1171: CIS will not create _AS3 partition anymore.

Vulnerability Fixes

CVE             Comments
CVE-2018-5543   CIS Operator uses --credentials-directory by default for BIG-IP credentials

Guidelines for upgrading to CIS 2.1

  • Those migrating from agent CCCL to agent AS3:
    • Users should clean up the LTM resources in the BIG-IP partition created by CCCL before migrating to CIS 2.1. Steps to clean up LTM resources in the BIG-IP partition using AS3:
      • Use this POST call: https://<bigip-ip>/mgmt/shared/appsvcs/declare?async=true along with this AS3 declaration.
      • Note: Please modify <bigip-ip> in the above POST call and the <bigip-partition> name in the AS3 configuration.



2.0

Added Functionality

  • AS3 is the default agent. Use deployment argument --agent to configure CCCL agent.
  • Custom Resource Definition (CRD) – Alpha available with Custom resource virtual-server.
  • Added new optional deployment arguments:
    • --custom-resource-mode (default false) when set true processes custom resources only.
    • --userdefined-as3-declaration for processing user defined AS3 ConfigMap in CIS watched namespaces.
  • AS3 versions newer than 3.18 are required for 2.X releases.
  • CIS is now compatible with:
    • OpenShift 4.3
    • BIG-IP 15.1
    • K8S 1.18
  • Base image upgraded to UBI for CIS Container images.
  • Added Support for:
    • Multiple BIG-IP ClientSSL profiles for a Virtual Server
    • Informer based Override AS3 ConfigMap
    • UserAgent in AS3 Controls object
    • New Attributions Generator - Licensee
    • GO Modules for dependency management
    • HTTPS health monitoring for passthrough and re-encrypt routes

New RH container registry: registry.connect.redhat.com/f5networks/cntr-ingress-svcs

Bug Fixes

  • CIS handles requests sent to unknown hosts for Routes using debug messages.
  • CIS handles posting of ‘Overwriting existing entry for backend’ log message frequently when different routes configured in different namespaces.
  • Issue 1233: CIS handles ClientSSL annotation and cert/key logging issues.
  • Issue 1145, 1185, 1295: CIS handles namespace isolation for AS3 ConfigMaps.
  • Issue 1241, 1229: CIS fetches 3.18 AS3 schema locally.
  • Issue 1191: CIS cleans AS3 managed partition when moved to CCCL as agent.
  • Issue 1162: CIS properly handles OpenShift Route admit status.
  • Issue 1160: CIS handles https redirection for ingress which accepts all common names.

Vulnerability Fixes

CVE             Comments
CVE-2009-3555   CIS disables renegotiation for all Custom ClientSSL

Limitations

  • CIS with CCCL as agent, OpenShift A/B route cannot be updated in BIG-IP versions newer than 14.1.X due to data group changes.

Next Upgrade Notes

  • From CIS 2.1, additional AS3 managed partition _AS3 will be removed.



To see older versions of the release notes, see this page.