Last updated on: 2024-04-23 04:45:25.

NextGen Routes Known Issues and FAQ

Known Issues

  • When there are multiple namespaced extended ConfigMaps, CIS processes only the latest namespace-based extended ConfigMap.
  • CIS allows insecure traffic if the URI path contains capital letters for NextGen Routes.
  • CIS delays processing the changes in other tenants if any one of the tenants receives a 422 error. This delay can take up to 60 seconds.
  • GSLB - When there is a route group partition change, BIG-IP takes more time to identify the virtual server on the new partition.

FAQ

Is extended ConfigMap mandatory?

Yes. CIS fails to start if no value is provided for --extended-spec-configmap. CIS logs "invalid value provided for --extended-spec-configmap" and exits.


Can extended ConfigMap be created in any namespace?

No. Extended ConfigMap can only be created in a namespace which CIS is watching.

Note

CIS watches only those namespaces which are specified through the --namespace or --namespace-label CIS config parameters. If neither is specified, it watches all namespaces.


What happens if ConfigMap is not created or deleted?

If the ConfigMap referenced by --extended-spec-configmap is not created, CIS logs the error below and does not process any routes.

[ERROR] Unable to get extended Route Spec Config Map: default/extended-cm, ConfigMaps "extended-cm" not found.

CIS uses cache to store extendedRouteSpec information. Even if ConfigMap is deleted, the information loaded initially is used for route processing.


Can I create multiple extended ConfigMap?

CIS only uses the ConfigMap provided through the --extended-spec-configmap argument.


Do I need to modify existing routes for extended ConfigMap support?

No, you do not need to modify existing routes for extended ConfigMap support.


What are the supported routes?

Edge, re-encrypt, and passthrough routes are supported.


What are the supported insecureEdgeTerminations?

The allow, redirect and none terminations are supported with edge routes, while re-encrypt routes support the redirect and none terminations.
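The check below is an added example, not part of the CIS documentation or code base. It lints Route objects for the capital-letter path issue listed under Known Issues and for insecure termination policies outside the combinations listed above. Field names follow the OpenShift Route API; the sample routes are constructed, and treating an unset policy as none is an assumption.

```python
SUPPORTED_INSECURE = {  # from the FAQ answer: termination -> accepted policies
    "edge": {"allow", "redirect", "none"},
    "reencrypt": {"redirect", "none"},
}

def audit_route(route):
    """Return findings for one Route (dict shaped like an OpenShift Route)."""
    spec = route.get("spec", {})
    tls = spec.get("tls")
    if not tls:
        return []  # HTTP-only route: no TLS expectation to check
    term = (tls.get("termination") or "").lower()
    # Assumption: an unset policy behaves like "none" (plain HTTP refused).
    policy = (tls.get("insecureEdgeTerminationPolicy") or "none").lower()
    findings = []
    allowed = SUPPORTED_INSECURE.get(term)
    if allowed is not None and policy not in allowed:
        findings.append(f"policy '{policy}' is not supported for {term} routes")
    path = spec.get("path") or ""
    # Known issue: capital letters in the path can let insecure traffic through,
    # which matters when the route is meant to refuse or redirect plain HTTP.
    if policy != "allow" and any(ch.isupper() for ch in path):
        findings.append(f"path '{path}' contains capital letters (known issue)")
    return findings

def audit(routes):
    """Map 'namespace/name' to findings, listing only routes that have any."""
    report = {}
    for r in routes:
        found = audit_route(r)
        if found:
            meta = r["metadata"]
            report[f"{meta['namespace']}/{meta['name']}"] = found
    return report

def sample(name, path, term, policy):  # builds a constructed Route
    return {"metadata": {"namespace": "shop", "name": name},
            "spec": {"path": path, "tls": {
                "termination": term, "insecureEdgeTerminationPolicy": policy}}}

SAMPLE_ROUTES = [  # constructed, not taken from a real cluster
    sample("cart", "/cart", "edge", "Redirect"),     # clean
    sample("admin", "/Admin", "edge", "None"),       # capital letter in path
    sample("api", "/api", "reencrypt", "Allow"),     # allow is edge-only
    sample("legacy", "/Legacy", "edge", "Allow"),    # HTTP allowed on purpose
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROUTES))
```
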


Do we support BIG-IP referenced SSL Profiles annotations on routes?

Yes, you can continue using the SSL Profiles in route annotations.


Do we support Kubernetes secrets in SSL Profiles annotations on routes?

Yes, you can define the Kubernetes secret in the route’s SSL annotations. See GitHub for examples.


Can we use the legacy default-client-ssl and default-server-ssl CLI parameters?

No, they are no longer supported as CLI parameters. These CLI parameters are moved to extended ConfigMap -> baseRouteSpec -> defaultTLS -> clientSSL and serverSSL. See GitHub for examples.


What is the precedence of client and server SSL profiles?

CIS applies the following precedence, from highest priority to lowest:

  1. Route annotations
  2. Route certificates (spec certs)
  3. Extended ConfigMap baseRouteSpec default profiles

What is not supported with the SSL profiles?

Under a single route group or single VIP, a combination of routes with route certificates (spec certs) and routes with SSL profile annotations that reference BIG-IP profiles is not supported.
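The following is an added example, not CIS code. It applies the precedence above to each route and flags the unsupported combination within one route group. The annotation keys are the CIS route annotations virtual-server.f5.com/clientssl and virtual-server.f5.com/serverssl; the leading "/" test for a BIG-IP reference, the spec.tls fields counted as route certificates, the function names and the sample routes are assumptions.

```python
SIDES = {  # defaultTLS key -> (CIS route annotation, spec.tls fields)
    "clientSSL": ("virtual-server.f5.com/clientssl", ("certificate", "key")),
    # Assumption: destinationCACertificate is the server-side route certificate.
    "serverSSL": ("virtual-server.f5.com/serverssl", ("destinationCACertificate",)),
}

def ssl_source(route, side, default_tls=None):
    """Return the source of the profile for side 'clientSSL' or 'serverSSL'."""
    annotation, cert_fields = SIDES[side]
    value = route["metadata"].get("annotations", {}).get(annotation)
    if value:  # 1. route annotations
        # Assumption: a leading "/" marks a BIG-IP profile path such as
        # /Common/clientssl; any other value names a Kubernetes secret.
        return "annotation:bigip" if value.startswith("/") else "annotation:secret"
    tls = route.get("spec", {}).get("tls") or {}
    if all(tls.get(f) for f in cert_fields):  # 2. route certificates
        return "spec-certs"
    if (default_tls or {}).get(side):  # 3. baseRouteSpec defaultTLS
        return "default"
    return "none"

def audit_group(routes, default_tls=None):
    """Return (sources per route, True if the group has the unsupported mix)."""
    sources = {
        r["metadata"]["name"]: {s: ssl_source(r, s, default_tls) for s in SIDES}
        for r in routes
    }
    kinds = {k for per_route in sources.values() for k in per_route.values()}
    return sources, {"spec-certs", "annotation:bigip"} <= kinds

# Constructed sample: three re-encrypt routes in one route group.
DEFAULT_TLS = {"clientSSL": "/Common/clientssl", "serverSSL": "/Common/serverssl"}
GROUP = [
    {"metadata": {"name": "a", "annotations": {
        "virtual-server.f5.com/clientssl": "/Common/shop-clientssl",
        "virtual-server.f5.com/serverssl": "shop-backend-secret"}},
     "spec": {"tls": {"termination": "reencrypt"}}},
    {"metadata": {"name": "b"},
     "spec": {"tls": {"termination": "reencrypt", "certificate": "<PEM>",
                      "key": "<PEM>", "destinationCACertificate": "<PEM>"}}},
    {"metadata": {"name": "c"}, "spec": {"tls": {"termination": "reencrypt"}}},
]

if __name__ == "__main__":
    sources, mixed = audit_group(GROUP, DEFAULT_TLS)
    print(sources, "unsupported mix:", mixed)
```
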


Can we configure health monitors using route annotations?

Yes, you can continue using the health monitors in route annotations.


Can we configure WAF using route annotations?

Yes, you can continue using WAF in route annotations.


Can we configure allowSourceRange using route annotations?

Yes, you can continue using the allowSourceRange in route annotations.


Can we configure rewriteAppRoot using route annotations?

Yes, you can continue using the rewriteAppRoot in route annotations.


Are there any changes in RBAC?

No, there are no changes in RBAC.


How do I use policy CR with routes?

You can define the policy CR in extended ConfigMap. See GitHub for examples.

Note

Make sure that Policy CR is created in a namespace which CIS is monitoring.


How do I apply different policies/profiles to HTTP and HTTPS virtual servers?

You can use both policyCR and httpServerPolicyCR in a route group to apply different policies/profiles to the HTTP and HTTPS virtual servers:

  • If only policyCR is used in a route group, the profiles/policies specified in it are applied to both the HTTP and HTTPS virtual servers.
  • If only httpServerPolicyCR is used in a route group, the profiles/policies specified in it are applied only to the HTTP virtual server.
  • If both policyCR and httpServerPolicyCR are used in a route group, the profiles/policies specified in policyCR are applied to the HTTPS virtual server and those specified in httpServerPolicyCR are applied to the HTTP virtual server.

To use httpServerPolicyCR in the extended ConfigMap, refer to the [Example](https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/docs/config_examples/next-gen-routes/configmap). Make sure that both policyCR and httpServerPolicyCR are created in a namespace which CIS is monitoring.

