Release Notes

F5 Service Proxy for Kubernetes (SPK) - v1.4.9

Important Changes

  • This release contains the f5-dssm-upgrader image required for the Upgrading dSSM procedure. Refer to the SPK Software guide for more details about the image.
  • The Service Proxy Custom Resource Definitions (CRDs) are now provided in separate CRD bundles, and must be installed prior to installing the SPK Controller. Refer to the SPK Software guide for the full installation process.
  • The SPK Controller values.yaml file contains Helm entries for the AFM and IPSD products. These configurations are disabled, and should not be enabled for this software release.

New Features and Improvements

The new features and improvements for this release are listed below:

  • Full IPv4/IPv6 dual-stack support - The SPK software now fully supports IPv4/IPv6 dual-stack networking.
  • Dual CRD support - The SPK Controller supports installing Custom Resource Definitions (CRDs) released prior to version 1.3.1. Refer to the Dual CRD Support overview for more information.
  • dSSM Upgrade - The dSSM Sentinel and database (DB) Pods can be upgraded without service interruption. Refer to the Upgrading dSSM guide.
  • Container Security - The FluentD and dSSM containers no longer run as the root user.
  • DNS Caching - The F5SPKDnscache CR provides high performance DNS resolution and caching. Refer to the DNS/NAT46 section of the F5SPKEgress CR overview.
  • DNS Rate Limiting - The dnsRateLimit parameter limits DNS requests per second. Refer to the DNS/NAT46 section of the F5SPKEgress CR overview.
  • SNAT Automap - SNAT Automap translates the source IP address of ingress packets to TMM’s self IP addresses, ensuring packets return through TMM. SNAT Automap can now be applied using the F5SPKIngressTCP, F5SPKIngressUDP, and F5SPKIngressNGAP SPK CRs.
  • Auto Last Hop - The Auto Last Hop feature can now be disabled per VLAN. Refer to the F5SPKVlan guide for an example.
  • Intelligent Load Balancing - The Least Connection load balancing method (mode) selects pool members with the least number of connections when making load balancing decisions. The new Least Connection mode has been added to all application traffic SPK CRs.
  • VLAN Lists - All application traffic SPK CRs can now be configured to listen for network traffic on specified VLANs.
  • App Hairpinning - Application Hairpinning enables internal clients to access the same application as external clients, using the same domain name or IP address. Refer to the App Hairpinning guide.

Limitations

  • Jumbo Frames - The maximum transmission unit (MTU) must be the same size on both ingress and egress interfaces. Packets over 8000 bytes are dropped.

Bug Fixes

1081309 (Controller)

The SPK Controller no longer restarts continuously after an F5SPKVlan CR is deleted and applied, and the TMM Pod is restarted.

1081293 (TMM)

Egress traffic no longer flows through a single TMM when multiple TMM replicas are deployed and restarted.

1080545 (Controller)

The SPK Controller now sends a delete message to TMM when an installed F5SPKSnatpool CR is deleted.

1071545 (TMM)

The iRule RESOLVER::name_lookup function now returns DNS answers when the query response is larger than 4096 bytes.

Known Issues

1072957 (Controller)

SNAT IP addresses are selected randomly from the SNAT pool for UDP connections, causing Pods to send packets to destinations outside of the cluster.

Workaround:

1. Delete the internal VLAN.
2. Scale down the f5-tmm deployment to 0.
3. Wait for the f5-tmm pod to terminate.
4. Scale TMM back up.
5. Verify the configuration by viewing the TMM static route entries: ip route show.
6. Re-install the internal VLAN to reapply the OVN annotation, and enable egress traffic.

Next step

Continue to the Cluster Requirements guide to ensure the OpenShift cluster has the required software components.