Last updated on: 2024-04-23 04:45:25.

Upgrading CIS

This page shows you how to upgrade from one version of CIS to another. Each section shows you steps for upgrading as well as any behavioral changes. Refer to the Release Notes for additional information.

Upgrading ConfigMap from 1.X to 2.X

When upgrading to CIS v2.x you need to make sure that all your ConfigMaps are in the same namespace as the service/app workload.

Steps

  1. Ensure that you have backups of all ConfigMaps in YAML format stored in a central repository, ideally GitHub for version control and RBAC.
  2. Confirm that the target CIS version (for example, v2.2.2) is uploaded to your local repository if there is no access to the internet. The local repository location must be accessible from any of the worker nodes to pull down.
  3. For every ConfigMap that is deployed in kube-system, delete the existing ConfigMap. .. Note:: This should not impact any existing config on F5.
  4. In each ConfigMap, if the namespace is defined, modify only the namespace parameter to be the namespace of the corresponding app/service. Redeploy ConfigMap (should not impact existing config on F5 because AS3 is idempotent)
  5. Modify the CIS (k8s-bigip-ctlr) manifest file so that the image version points to the target CIS version.
  6. Redeploy CIS (ctlr) with the updated CIS image (e.g. v2.2.2)

Behavioral Changes

  • Node Label Selector (CIS deployment manifest): Tells CIS to watch only nodes with this label

    --node-label-selector=node-role.kubernetes.io/f5role=worker

  • ConfigMap Delete: No longer need “blank ConfigMap” to remove configuration on BIG-IP. Use AS3: false

    labels: f5type: virtual-server as3: “false” !!!

  • Namespace: You can watch all namespaces by removing the --namespace argument in the ctlr manifest file. Alternatively you can use the namespace-label parameter so that CIS watches the namespaces with specific label(s). For example, NAME STATUS AGE LABELS default Active 6d6h externallb=f5 <–configure in CIS deployment --namespace-label=externallb=f5.

  • CRD early access available.

  • AS3 call optimizations:

    • AS3 will only update BIG-IP if there is changes detected by the K8S API (AS3 must be source of truth)
    • Multiple requests bundled into single call sent at a specified interval to prevent overload of restjavad

  • CIS will no longer create _AS3 partition.

  • From v2.2.2, AS3 ConfigMap expects servicePort to match the port (not the nodeport) exposed in the service definition.


Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.