F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

Empty service with same label as production service can cause production offline #1387

Closed kylinsoong closed 4 years ago

kylinsoong commented 4 years ago

Setup Details

CIS Version : 2.X
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 14.1.2
AS3 Version: 3.19.1
Agent Mode: AS3/CCCL
Orchestration: K8S/OSCP
Orchestration Version:
Pool Mode: Cluster
Additional Setup details: <Platform/CNI Plugins/ cluster nodes/ etc>

Description

CIS 2.0 with an AS3 configmap on a Kubernetes cluster, using --namespace to point at a namespace:

args: [
"--bigip-username=$(BIGIP_USERNAME)",
"--bigip-password=$(BIGIP_PASSWORD)",
"--bigip-url=https://10.1.10.240:443",
"--insecure=true",
"--bigip-partition=k8s",
"--log-level=INFO",
"--namespace=test01",
"--pool-member-type=cluster"
]

If you put 2 services with the same label in a configmap, the CIS + AS3 deploy will throw an exception that multiple services with the same label are not allowed.

If CIS + AS3 deploys a service successfully, then creating another empty service with the same label as the previously deployed service will immediately take that deployed service offline. The following are the reproduce steps:

  1. create a service with 3 labels in namespace test01
  2. create a tenant in a configmap file which maps to the step 1 service
  3. CIS + AS3 successfully maps the service to the F5 VE and it is online
  4. create another service with the same label as the step 1 service
  5. the step 3 online service (F5 VS) becomes offline

Note this may take a production service offline just by creating an empty service with the same label as production, which is a big potential security risk.

Steps To Reproduce

https://github.com/kylinsoong/container-ingress/tree/master/f5-cis-kubernetes/duplicate-label

Expected Result

The empty service should be ignored.

cisbotctlr commented 4 years ago

cisbot will assign the issue to one of the devs. @devs, use /jira for internal tracking.

mdditt2000 commented 4 years ago

Action: Conflict of picking up the service; pick up the oldest one first.

Create service 1 first. Duplicate gets created. CIS uses the oldest service.

CIS today cannot decide which service to pick if there is a duplicate. Add code so that if there is a duplicate we ignore it and pick the older service.


SR - C3318620 Resolution in 2.1.1
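Added example, not code from the CIS project: a small Python audit that models the failure mode reported above and the resolution described in this thread. Services are represented as plain dicts (constructed sample data; the label keys, Service names, timestamps and endpoint counts are assumptions chosen to mirror the reproduce steps), the script groups Services whose label sets collide, and for a given label selector it binds to the oldest matching Service while reporting the newer duplicates and flagging those with no ready endpoints.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the project). Label keys/values, names and
# timestamps are assumptions that mirror the reproduce steps: "web" is the
# production Service; "web-dup" carries identical labels but has no selector
# (so no endpoints) and was created later.
SAMPLE_SERVICES = [
    {"metadata": {"name": "web", "namespace": "test01",
                  "labels": {"app": "web", "tier": "frontend", "env": "prod"},
                  "creationTimestamp": "2020-06-01T10:00:00Z"},
     "spec": {"selector": {"app": "web"}, "ports": [{"port": 80}]}},
    {"metadata": {"name": "web-dup", "namespace": "test01",
                  "labels": {"app": "web", "tier": "frontend", "env": "prod"},
                  "creationTimestamp": "2020-06-02T09:30:00Z"},
     "spec": {"ports": [{"port": 80}]}},
    {"metadata": {"name": "api", "namespace": "test01",
                  "labels": {"app": "api", "tier": "backend", "env": "prod"},
                  "creationTimestamp": "2020-06-01T10:05:00Z"},
     "spec": {"selector": {"app": "api"}, "ports": [{"port": 8080}]}},
]

# Constructed: number of ready endpoint addresses behind each Service.
SAMPLE_READY_ENDPOINTS = {"web": 3, "web-dup": 0, "api": 2}


def parse_ts(ts):
    """Parse the RFC 3339 timestamp format used in Kubernetes metadata."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def label_key(labels):
    """Canonical, hashable form of a label set: sorted 'key=value' tuple."""
    return tuple(f"{k}={v}" for k, v in sorted(labels.items()))


def find_label_collisions(services):
    """Group Services by identical label set; return only groups with >1 member.

    The result maps the canonical label tuple to Service names, oldest first.
    """
    groups = {}
    for svc in services:
        groups.setdefault(label_key(svc["metadata"]["labels"]), []).append(svc)
    collisions = {}
    for key, members in groups.items():
        if len(members) > 1:
            members.sort(key=lambda s: parse_ts(s["metadata"]["creationTimestamp"]))
            collisions[key] = [m["metadata"]["name"] for m in members]
    return collisions


def matches_selector(labels, selector):
    """Equality-based label selector match: every selector key must match."""
    return all(labels.get(k) == v for k, v in selector.items())


def resolve_pool_service(services, selector, ready_endpoints):
    """Pick the Service a pool should bind to for a label selector.

    Mirrors the resolution in this thread: when several Services match, keep
    the oldest and report the newer ones as conflicts, noting which of them
    are empty (no ready endpoints). Returns (chosen_name, conflicts);
    chosen_name is None when nothing matches.
    """
    candidates = [s for s in services
                  if matches_selector(s["metadata"]["labels"], selector)]
    if not candidates:
        return None, []
    candidates.sort(key=lambda s: parse_ts(s["metadata"]["creationTimestamp"]))
    chosen = candidates[0]["metadata"]["name"]
    conflicts = []
    for svc in candidates[1:]:
        name = svc["metadata"]["name"]
        count = ready_endpoints.get(name, 0)
        conflicts.append({"name": name, "ready_endpoints": count, "empty": count == 0})
    return chosen, conflicts


if __name__ == "__main__":
    for key, names in find_label_collisions(SAMPLE_SERVICES).items():
        print("label collision", ",".join(key), "->", names)
    chosen, conflicts = resolve_pool_service(
        SAMPLE_SERVICES, {"app": "web", "tier": "frontend"}, SAMPLE_READY_ENDPOINTS)
    print("pool binds to", chosen, "; ignored duplicates:", conflicts)
```

Picking the oldest Service only protects a production pool when the production Service was created first; if an empty duplicate happens to be older, oldest-first would bind to it. That is why the collision audit runs separately: any label set shared by more than one Service in a namespace watched by CIS is worth alerting on regardless of creation order.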

mdditt2000 commented 4 years ago

/jira

mdditt2000 commented 4 years ago

@vklohiya please can you verify if this is resolved in CIS 2.1

vklohiya commented 4 years ago

@mdditt2000 , this is observed in CIS 2.1 as well.

mdditt2000 commented 4 years ago

@vklohiya thank you for recreating this. Creating internal Jira CONTCNTR-1978 for PM tracking

mdditt2000 commented 4 years ago

Resolved in CIS 2.1.1. Closing issue