Release Notes for BIG-IP Controller for Kubernetes
- Added optional command line arguments to support TLS version and ciphers:
- --tls-version to enable a specific TLS version (1.2 or 1.3) on BIG-IP. Default: 1.2.
- --ciphers to configure the cipher suite on BIG-IP. Option valid for TLSv1.2.
- --cipher-group to configure a cipher group on BIG-IP. Option valid for TLSv1.3.
Note: --ciphers and --cipher-group are mutually exclusive; which one applies depends on the selected TLS version.
Helm chart based F5 BIG-IP Controller Operator published on the Red Hat Operator Marketplace.
Added optional command line argument --as3-post-delay to introduce a delay in posting AS3 messages to BIG-IP.
Controller is now compatible with OpenShift version 4.2 and AS3 version 3.17.0.
CCCL (f5-cccl and f5-ctrlr-agent) and base image packages upgraded from Python 2.7 to Python 3.6.
- Controller properly updates Route admit status in OpenShift Dashboard.
- Controller supports update of balance annotation for Routes and Ingress.
- Controller handles edge routes with path configured as “/” (slash).
- Controller incorporates ASM vulnerability fix.
- Schema validation failures are no longer observed when an AS3 partition is deleted.
- Edge redirect routes with a WAF policy now work in combination with edge allow routes or insecure routes.
- issue 1160 - Controller supports HTTPS redirect in Ingress when the host spec is not configured.
- SR - Controller supports --default-client-ssl when operating in AS3 mode.
- CIS supports Kubernetes 1.16.2.
- Update CIS deployment, apiVersion to apps/v1 and add spec.selector.matchLabels.app to match spec.template.metadata.labels.app.
- Added new command-line options:
- --manage-ingress-class-only: a flag controlling whether the Controller handles Ingresses that have no class annotation in addition to those with the annotation kubernetes.io/ingress.class set to f5. When set to true, only Ingress resources with kubernetes.io/ingress.class set to f5 (or to the custom ingress class) are processed.
- --ingress-class to define a custom ingress class to watch.
- --filter-tenants: a flag controlling whether tenant filtering is enabled in BIG-IP.
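As an added illustration, not a manifest from the project itself, the following constructed CIS Deployment fragment applies the apps/v1 change noted above (spec.selector.matchLabels.app matching spec.template.metadata.labels.app) and passes the TLS options introduced in this release. The service account name, Secret name, BIG-IP URL, partition and cipher string are placeholder assumptions.

```yaml
apiVersion: apps/v1                 # older manifests used extensions/v1beta1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: k8s-bigip-ctlr           # required by apps/v1; must equal the pod template label below
  template:
    metadata:
      labels:
        app: k8s-bigip-ctlr
    spec:
      serviceAccountName: bigip-ctlr      # assumed name; needs cluster-admin from v1.11.0 onward
      containers:
        - name: k8s-bigip-ctlr
          image: f5networks/k8s-bigip-ctlr  # pin an explicit version tag in a real deployment
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  name: bigip-login         # placeholder Secret holding the BIG-IP credentials
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: password
          args:
            - "--bigip-url=https://bigip.example.internal"   # placeholder management address
            - "--bigip-username=$(BIGIP_USERNAME)"
            - "--bigip-password=$(BIGIP_PASSWORD)"
            - "--bigip-partition=kubernetes"                 # assumed partition name
            - "--pool-member-type=nodeport"
            - "--agent=as3"
            # TLS options from this release: --ciphers applies to TLS 1.2 and
            # --cipher-group to TLS 1.3. They are mutually exclusive, so only the
            # option matching --tls-version is set.
            - "--tls-version=1.2"
            - "--ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"  # example cipher string
            # For TLS 1.3 use these two lines instead of the two above:
            #   - "--tls-version=1.3"
            #   - "--cipher-group=/Common/f5-default"
```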
CIS pushes the AS3 configuration after 3 seconds when it encounters a 503 HTTP response code from BIG-IP.
CIS does not push the AS3 configuration when it encounters a 404 HTTP response code from BIG-IP.
- CIS handles data groups correctly with routes/ingress in multiple namespaces.
- CIS does not allow User Defined Configmap with controller managed partitions as tenants.
- CIS handles HTTP to HTTPS redirect for child paths in routes.
- issue 1077 - CIS now doesn’t post Warning messages ‘Overwriting existing entry for backend’ frequently.
- issue 1014 - Fixed performance problem with large number of ingress resources.
- SR - High CPU load in BIG-IP with CIS. CIS doesn’t post data to BIG-IP when there is no change in resources.
- SR - K8S AS3-declaration errors when using TCP-profile. CIS allows TCP profile update using Override ConfigMap.
- Support AS3 for BIG-IP orchestration with Kubernetes Ingress.
- Users can override parameters in the controller generated AS3 declaration using a new --override-as3-declaration option.
- CIS handles URL paths to the nearest matching parent path for OpenShift Routes.
- Added new command-line option --log-as3-response to log the AS3 error response.
- Master Node label must be set to “node-role.kubernetes.io/master=true” when operating on K8S version 1.13.4 or OSCP version 4.1 and above in nodeport mode. If not set, BIG-IP treats the master node as any other pool member.
- CIS considers secure-serverssl annotation as true irrespective of the configuration.
- CIS does not support virtual-server.f5.com/http-port annotation.
- Controller handles WAF Policy in the root path of a domain in OpenShift Routes.
- Controller handles OpenShift Routes with WAF Policy in multiple namespaces.
- Controller now does not push configuration to BIG-IP using AS3 every 30 seconds when there are no changes.
- issue 1041 - Controller now does not log dozens of “INFO” log messages frequently.
- issue 1040 - Controller does not crash if the latest AS3 schema is not available.
- Controller updates Route Status in OpenShift Management Console (OCP 4.x).
- Controller does not crash when handling Route with WAF Policy that does not have a service.
Added support for WAF policy reference through the virtual-server.f5.com/waf annotation in OpenShift Routes.
- Added support for OpenShift version 4.1.
- Controller service account needs the cluster-admin role. Before upgrading the controller to v1.11.0 and above, update the cluster role as follows:
  oc adm policy add-cluster-role-to-user cluster-admin -z <service-account-name> -n <namespace>
Added support for Alternate Backend Deployment in OpenShift Routes while using as3 backend.
Controller updates Route status in OpenShift Web Console (OpenShift 3.11 and below).
Controller includes the body of AS3 API call error responses in Debug logs.
Added support for validating AS3 JSON against the latest schema. Controller downloads the latest schema during startup.
- Changed container base image from debian-stretch to debian-buster.
- Support AS3 for BIG-IP orchestration with OpenShift Routes using the --agent=as3 option.
- Support disabling Ingress resource processing using the --manage-ingress option.
- Controller does not use master node as a pool member when marked as unscheduled in NodePort Mode.
- Support BIG-IP 14.x when using AS3 Orchestration for BIG-IP in OpenShift.
- Controller adds pods in unscheduled nodes as pool members.
- Controller now handles OpenShift route TLS termination switch from reencrypt to edge.
- Added support for establishing trust with remote BIG-IP systems using either the device or CA certificates.
- Added support for AS3 3.11.
- Improves performance when updating Configmaps with AS3 Declarations.
- Improves performance when updating Services associated with AS3 Declarations.
- Improves performance when handling changes in Endpoints associated with AS3 Declarations.
- Improves performance when handling node updates in AS3 Declarations.
- Improves performance when applying AS3 Declarations to BIG-IP.
- issue 797 - Controller uses flannel.alpha.coreos.com/public-ip as VTEP endpoint.
- CVE-2019-6648 - Controller no longer prints AS3 Declarations in debug logs.
- Added support for Application Services 3 Extension.
- issue 736 - Added support for Google Container Engine (GKE) LoadBalancer service. Validated against Kubernetes 1.13.4.
- AS3 pool class declarations support only one load balancing pool.
- The BIG-IP Controller supports only one AS3 ConfigMap instance.
- AS3 does not support moving BIG-IP nodes to new partitions.
- Static ARP entries remain after deleting an AS3 ConfigMap.
- Fixes security vulnerabilities between Controller and BIG-IP.
- Added support for Services handling in namespaces of Kubernetes and OpenShift that start with a number.
- Validated against 14.X versions of BIG-IP.
- OpenShift Routes are not compatible with 14.X versions of BIG-IP.
- CVE-2018-1002105 - Validated against Kubernetes 1.12.3.
- Added --manage-configmaps argument to CC to prevent or allow CC to respond to ConfigMap events. Defaults to true.
- Added virtual-server.f5.com/whitelist-source-range Ingress/Route annotation to support IP CIDR whitelisting.
- issue 699 - Ability to configure health monitor type in Ingress/Route annotation. HTTP is the default.
- Changed container base image to use debian-slim.
- issue 735 - Deleted rules from routes and ingresses on the same service not cleaned up properly.
- issue 753 - Controller doesn’t delete and recreate annotation-based policy rules.
- issue 755 - Controller implements best-match by setting first-match and sorting rules in reverse lexical order.
- issue 765 - Controller properly sorts Route rules in reverse lexical order.
- VEL-1484: Added ability to provide BIG-IP credentials via mounted Secret files instead of CLI arguments.
- Improved controller performance when deep copying configurations.
- Improved controller performance when starting up and achieving “steady state”.
- Support for virtual server source address translation configuration.
- Support for app-root and url-rewrite annotations.
- Added controller name and version to the metadata of certain BIG-IP LTM resources managed by the controller.
- issue 433 - Support for pre-existing server ssl profiles for Ingresses.
- Added support for attaching OpenShift Routes to existing BIG-IP virtual servers.
- Added support for Kubernetes version 1.8.
- Added support for OpenShift Origin version 3.7.
- Added support for Red Hat OpenShift Container Platform (OSCP) version 3.7.
- (BETA) Added initial basic support for Prometheus metrics.
- F5 IPAM Controller pairs with k8s-bigip-ctlr by writing out virtual-server.f5.com/ip annotation for IP addresses allocated for host names in Ingresses or ConfigMaps.
- Added support for using helm to deploy the Controller using the f5-bigip-ctlr chart.
- Added support for using helm to deploy Ingress resources using the f5-bigip-ingress chart.
- issue 552 - Controller properly creates Secret SSL profiles for ConfigMaps.
- issue 592 - Node label selector works properly in cluster mode.
- issue 603 - Pool only mode no longer prints excessive logs.
- issue 608 - Single service Ingresses cannot share virtual servers.
- issue 636 - Controller configures default ssl profiles for Routes when specified via CLI.
- issue 635 - Controller cleans up policy rules when an Ingress removes them.
- issue 638 - Ingress extended paths no longer break BIG-IP GUI links.
- issue 649 - Route annotation profiles are no longer ignored.
- issue 214 - Keys and certificates are now installed onto the managed partition.
- Cannot apply app-root and url-rewrite annotations to the same resource; see: issue 675
- If an older controller created resources, upgrading to the new version could result in a python exception when adding metadata to virtuals: issue 683
- If running the controller in cluster mode without a vxlan name, pool members are not created: issue 686
- issue 549 - Using IP annotation on ConfigMaps would result in the virtual server getting a port of 0.
- issue 551 - Memory leak in python subprocess
- issue 211 - Memory leak in f5-cccl submodule
- issue 555 - Controller high CPU usage when inactive
- issue 510 - Change behavior of controller on startup when encountering errors
- issue 567 - Clean up all objects (including iRules and datagroups) when deleting Routes.
- Enhanced route domain handling:
- Create VxLAN forwarding database (FDB) addresses for route domains.
- Ability to change the default route domain for a partition managed by an F5 controller after the controller has deployed.
- Support for Flannel VxLAN in Kubernetes.
- Enhanced options for configuring Virtual IP addresses for Ingress resources:
- Ingresses with the same IP address and port can share a virtual server.
- Set a default IP address to use as the VIP for all Ingresses.
- Support for recv strings in health monitors for ConfigMaps, Ingresses, and Routes.
- Support UDP in ConfigMaps (includes proxy type and health monitors).
- Provide Controller version info in the container and logs.
- Support for the virtual-server.f5.com/balance annotation for Routes.
- Support for A/B deployments using the OpenShift route alternateBackends token.
- issue 341 - HTTPS redirect applies to individual Routes instead of all Routes.
- issue 344 - Create default for SNI profile when using Ingress custom profiles from Secrets.
- issue 460 - Remove risk that pools will update with wrong members after a node update (NodePort mode).
- issue 428 - Controller writes unnecessary updates when no config changes occurred.
- issue 506 - Controller stops updating BIG-IP after an exception occurs in the python driver.
- issue 198 - Corrected a comparison problem in CCCL that caused unnecessary updates for BIG-IP Virtual Server resources.
If you are deploying services using the F5-supported iApps, you must upgrade to a version that supports route domain 0 for non-Common partitions. The minimum versions required for the F5 iApps are:
You can find these versions in the iApps package iapps-126.96.36.1992.0. To upgrade, you must perform the following:
Check BIG-IP version compatibility on Application Services (iApps) before deploying. See Application Services Integration iApp for more information.
Cannot delete ARP entries on BIG-IP v11.6.1 when running the Controller in Kubernetes with Flannel VXLAN enabled.
The controller will exit at startup if it cannot establish a connection with the BIG-IP.
- Create health monitors for OpenShift Routes via an annotation.
- Optionally disable loading of certificates and keys from Routes in preference of using pre-existing profiles on the BIG-IP system.
- Optionally disable loading of Kubernetes Secrets on an Ingress.
- Resolve the first host name in an Ingress to an IP address using a local or custom DNS server. The controller configures the virtual server with this address.
- Support for BIG-IP partitions with non-zero default route domains.
- OpenShift Route targetPort field is no longer required if the port is not 80 or 443.
- Properly configure named targetPorts in OpenShift Route configurations.
- Remove ssl certificate lists for deleted custom profiles.
- If a Route configuration contains no targetPort, the controller uses the first port it sees on the referenced Service. The controller does not use all ports.
- You cannot change the default route domain for a partition managed by an F5 controller after the controller has deployed. To specify a new default route domain, use a different partition.
- Introduced support for Kubernetes 1.6 and 1.7.
- Watch all nodes by default; watch a subset of nodes with a user-specified label.
- Create BIG-IP SSL Profiles from Kubernetes Secrets via Ingress TLS.
- Create BIG-IP objects from OpenShift Route resources.
- This includes unsecured, edge, passthrough, and re-encrypt Routes.
- This is a feature-complete upgrade from the OpenShift F5Router. See Replace the OpenShift F5 Router with the BIG-IP Controller for more information.
- Properly configure http redirect rules on v11.6.1 BIG-IP systems.
- Failed configurations for objects do not prevent future configurations from happening.
- Creation of BIG-IP Virtual Servers from Kubernetes Ingress resources.
- Configure multiple SSL Profiles for a BIG-IP Virtual Server.
- Watch all Kubernetes namespaces by default; watch a list of namespaces; watch namespaces with a user-specified label.
- Watch for Kubernetes annotation if virtual address not specified, enabling custom IPAM integration.
- Create detached pools if virtual server bind addresses not specified.
- Container image size reduced from 361MB to 123MB.
- Can use local and non-local BIG-IP users.
- The SSL Profiles referenced in Ingress resources must already exist on the BIG-IP device. Any Secret resources configured in Kubernetes are not used.
- Can manage multiple BIG-IP partitions in the following environments:
- Red Hat OpenShift
- Manages the following LTM resources for the BIG-IP partition(s):
- Virtual Servers
- Virtual Addresses
- Pool Members
- Health Monitors
- Application Services
- Manages the following Network resource for the BIG-IP partition(s):
- FDB tunnel records (Red Hat OpenShift)
- Cannot share endpoints managed in a partition controlled by the K8S BIG-IP Controller with endpoints managed in another partition.
- Kubernetes allows a service to name the individual service ports within a particular service. However, the K8S BIG-IP Controller requires the virtual server section within the configmap to refer to the port number for the service port, not the name.
- Two virtual servers cannot point to the same servicePort. The last one specified will be the one that remains configured.
- The BIG-IP Controller does not handle non-zero route domains. All managed partitions should use the default route domain (0).
- Parameters other than IPAddress and Port (e.g. Connection Limit) specified in the iApp Pool Member Table apply to all members of the pool.
- Cannot configure virtual servers with IPv6 addresses in the configmap.
- The K8S BIG-IP Controller cannot watch more than one namespace.