Release Notes for BIG-IP Controller for Kubernetes
- Changed container base image from debian-stretch to debian-buster.
- Support AS3 for BIG-IP orchestration with Openshift Routes using --agent=as3 option.
- Support disabling Ingress resource processing using --manage-ingress option.
- Controller does not use master node as a pool member when marked as unscheduled in NodePort Mode.
- Support BIG-IP 14.x when using AS3 Orchestration for BIG-IP in Openshift.
- Controller adds pods in unscheduled nodes as pool members.
- Controller now handles Openshift route TLS termination switch from reencrypt to edge.
- Added support for establishing trust with remote BIG-IP systems using either the device or CA certificates.
- Added support for AS3 3.11.
- Improves performance when updating Configmaps with AS3 Declarations.
- Improves performance when updating Services associated with AS3 Declarations.
- Improves performance when handling changes in Endpoints associated with AS3 Declarations.
- Improves performance when handling node updates in AS3 Declarations.
- Improves performance when applying AS3 Declarations to BIG-IP.
- issue 797 - Controller uses flannel.alpha.coreos.com/public-ip as VTEP endpoint.
|TBA||Controller no longer prints AS3 Declarations in debug logs|
- Added support for Application Services 3 Extension.
- Added support for Google Container Engine (GKE) LoadBalancer service. Validated against Kubernetes 1.13.4.
- issue 736 - Added support for Google Container Engine (GKE) LoadBalancer service. Validated against Kubernetes 1.13.4.
- AS3 pool class declarations support only one load balancing pool.
- The BIG-IP Controller supports only one AS3 ConfigMap instance.
- AS3 does not support moving BIG-IP nodes to new partitions.
- Static ARP entries remain after deleting an AS3 ConfigMap.
- Fixes security vulnerabilities between Controller and BIG-IP.
- Added support for handling Services in Kubernetes and Openshift namespaces that start with a number.
- Validated against 14.X versions of BIG-IP
- Openshift Routes are not compatible with 14.X versions of BIG-IP
|CVE-2018-1002105||Validated against Kubernetes 1.12.3|
- Added --manage-configmaps argument to CC to prevent or allow CC to respond to ConfigMap events. Defaults to true.
- Added virtual-server.f5.com/whitelist-source-range Ingress/Route annotation to support IP CIDR whitelisting.
- issue 699 - Ability to configure health monitor type in Ingress/Route annotation. Http is the default.
- Changed container base image to use debian-slim.
- issue 735 - Deleted rules from routes and ingresses on the same service not cleaned up properly.
- issue 753 - Controller doesn’t delete and recreate annotation-based policy rules.
- issue 755 - Controller implements best-match by setting first-match and sorting rules in reverse lexical order.
- issue 765 - Controller properly sorts Route rules in reverse lexical order.
- VEL-1484: Added ability to provide BIG-IP credentials via mounted Secret files instead of CLI arguments.
- Improved controller performance when deep copying configurations.
- Improved controller performance when starting up and achieving “steady state”.
- Support for virtual server source address translation configuration.
- Support for app-root and url-rewrite annotations.
- Added controller name and version to the metadata of certain BIG-IP LTM resources managed by the controller.
- issue 433 - Support for pre-existing server ssl profiles for Ingresses.
- Added support for attaching OpenShift Routes to existing BIG-IP virtual servers.
- Added support for Kubernetes version 1.8.
- Added support for OpenShift Origin version 3.7.
- Added support for Red Hat OpenShift Container Platform (OSCP) version 3.7.
- (BETA) Added initial basic support for Prometheus metrics.
- F5 IPAM Controller pairs with k8s-bigip-ctlr by writing out virtual-server.f5.com/ip annotation for IP addresses allocated for host names in Ingresses or ConfigMaps.
- Added support for using helm to deploy the Controller using the f5-bigip-ctlr chart.
- Added support for using helm to deploy Ingress resources using the f5-bigip-ingress chart.
- issue 552 - Controller properly creates Secret SSL profiles for ConfigMaps.
- issue 592 - Node label selector works properly in cluster mode.
- issue 603 - Pool only mode no longer prints excessive logs.
- issue 608 - Single service Ingresses cannot share virtual servers.
- issue 636 - Controller configures default ssl profiles for Routes when specified via CLI.
- issue 635 - Controller cleans up policy rules when an Ingress removes them.
- issue 638 - Ingress extended paths no longer break BIG-IP GUI links.
- issue 649 - Route annotation profiles are no longer ignored.
- issue 214 - Keys and certificates are now installed onto the managed partition.
- Cannot apply app-root and url-rewrite annotations to the same resource; see: issue 675
- If an older controller created resources, upgrading to the new version could result in a python exception when adding metadata to virtuals: issue 683
- If running the controller in cluster mode without a vxlan name, pool members are not created: issue 686
- issue 549 - Using IP annotation on ConfigMaps would result in the virtual server getting a port of 0.
- issue 551 - Memory leak in python subprocess
- issue 211 - Memory leak in f5-cccl submodule
- issue 555 - Controller high CPU usage when inactive
- issue 510 - Change behavior of controller on startup when encountering errors
- issue 567 - Clean up all objects (including iRules and datagroups) when deleting Routes.
- Enhanced route domain handling:
- Create VxLAN forwarding database (FDB) addresses for route domains.
- Ability to change the default route domain for a partition managed by an F5 controller after the controller has deployed.
- Support for Flannel VxLAN in Kubernetes.
- Enhanced options for configuring Virtual IP addresses for Ingress resources:
- Ingresses with the same IP address and port can share a virtual server.
- Set a default IP address to use as the VIP for all Ingresses.
- Support for recv strings in health monitors for ConfigMaps, Ingresses, and Routes.
- Support UDP in ConfigMaps (includes proxy type and health monitors).
- Provide Controller version info in the container and logs.
- Support for virtual-server.f5.com/balance annotation for Routes.
- Support for A/B deployments using the Openshift route alternateBackends token.
- issue 341 - HTTPS redirect applies to individual Routes instead of all Routes.
- issue 344 - Create default for SNI profile when using Ingress custom profiles from Secrets.
- issue 460 - Remove risk that pools will update with wrong members after a node update (NodePort mode).
- issue 428 - Controller writes unnecessary updates when no config changes occurred.
- issue 506 - Controller stops updating BIG-IP after an exception occurs in the python driver.
- issue 198 - Corrected a comparison problem in CCCL that caused unnecessary updates for BIG-IP Virtual Server resources.
If you are deploying services using the F5-supported iApps, you must upgrade to a version that supports route domain 0 for non-Common partitions. The minimum versions required for the F5 iapps are:
You can find these versions in the iapp package iapps-126.96.36.1992.0. To upgrade, you must perform the following:
Check BIG-IP version compatibility on Application Services (iApps) before deploying. See Application Services Integration iApp [#16] for more information.
Cannot delete ARP entries on BIG-IP v11.6.1 when running the Controller in Kubernetes with Flannel VXLAN enabled.
The controller will exit at startup if it cannot establish a connection with the BIG-IP.
- Create health monitors for OpenShift Routes via an annotation.
- Optionally disable loading of certificates and keys from Routes in preference of using pre-existing profiles on the BIG-IP system.
- Optionally disable loading of Kubernetes Secrets on an Ingress.
- Resolve the first host name in an Ingress to an IP address using a local or custom DNS server. The controller configures the virtual server with this address.
- Support for BIG-IP partitions with non-zero default route domains.
- OpenShift Route targetPort field is no longer required if the port is not 80 or 443.
- Properly configure named targetPorts in OpenShift Route configurations.
- Remove ssl certificate lists for deleted custom profiles.
- If a Route configuration contains no targetPort, the controller uses the first port it sees on the referenced Service. The controller does not use all ports.
- You cannot change the default route domain for a partition managed by an F5 controller after the controller has deployed. To specify a new default route domain, use a different partition.
- Introduced support for Kubernetes 1.6 and 1.7.
- Watch all nodes by default; watch a subset of nodes with a user-specified label.
- Create BIG-IP SSL Profiles from Kubernetes Secrets via Ingress TLS.
- Create BIG-IP objects from OpenShift Route resources. This includes unsecured, edge, passthrough, and re-encrypt Routes.
- This is a feature-complete upgrade from the OpenShift F5Router. See Replace the OpenShift F5 Router with the BIG-IP Controller for more information.
- Properly configure http redirect rules on v11.6.1 BIG-IP systems.
- Failed configurations for objects do not prevent future configurations from happening.
- Creation of BIG-IP Virtual Servers from Kubernetes Ingress resources.
- Configure multiple SSL Profiles for a BIG-IP Virtual Server.
- Watch all Kubernetes namespaces by default; watch a list of namespaces; watch namespaces with a user-specified label.
- Watch for Kubernetes annotation if virtual address not specified, enabling custom IPAM integration.
- Create detached pools if virtual server bind addresses not specified.
- Container image size reduced from 361MB to 123MB.
- Can use local and non-local BIG-IP users.
- The SSL Profiles referenced in Ingress resources must already exist on the BIG-IP device. Any Secret resources configured in Kubernetes are not used.
- Can manage multiple BIG-IP partitions in the following environments
- Red Hat OpenShift
- Manages the following LTM resources for the BIG-IP partition(s)
- Virtual Servers
- Virtual Addresses
- Pool Members
- Health Monitors
- Application Services
- Manages the following Network resource for the BIG-IP partition(s)
- FDB tunnel records (Red Hat OpenShift)
- Cannot share endpoints managed in a partition controlled by the K8S BIG-IP Controller with endpoints managed in another partition.
- Kubernetes allows a service to name the individual service ports within a particular service. However, the K8S BIG-IP Controller requires the virtual server section within the configmap to refer to the port number for the service port, not the name.
- Two virtual servers cannot point to the same servicePort. The last one specified will be the one that remains configured.
- The BIG-IP Controller does not handle non-zero route domains. All managed partitions should use the default route domain (0).
- Parameters other than IPAddress and Port (e.g. Connection Limit) specified in the iApp Pool Member Table apply to all members of the pool.
- Cannot configure virtual servers with IPv6 addresses in the configmap.
- The K8S BIG-IP Controller cannot watch more than one namespace.