F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

namespace-label does not work as expected while using CIS 2.0 + AS3 #1388

Closed kylinsoong closed 4 years ago

kylinsoong commented 4 years ago

Setup Details

CIS Version : 2.X
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 14.1.2
AS3 Version: 3.19
Agent Mode: AS3/CCCL
Orchestration: K8S/OSCP
Orchestration Version:
Pool Mode: Cluster
Additional Setup details: <Platform/CNI Plugins/ cluster nodes/ etc>

Description

CIS 2.0 with an AS3 configmap on a Kubernetes cluster, using --namespace-label to isolate the namespaces:

args: [
"--bigip-username=$(BIGIP_USERNAME)",
"--bigip-password=$(BIGIP_PASSWORD)",
"--bigip-url=https://10.1.10.240:443",
"--insecure=true",
"--bigip-partition=k8s",
"--log-level=INFO",
"--namespace-label=cis_scanner_zone=zone_1",
"--pool-member-type=cluster"
]

The reproduction steps are:

  1. Create 3 namespaces with the label cis_scanner_zone=zone_1.
  2. Configure the services of all 3 namespaces in one configmap, and put the configmap in the first namespace.
  3. All services and pods are mapped to the F5 VE.
  4. Change the first namespace's service by scaling the deployment so that more endpoints are added to the service; after a while, the change is updated on the F5 VE and the pool has more members added.
  5. Do the same as step 4 in the other 2 namespaces; the change, such as the increased pod number, is never updated on the F5 VE.

Steps To Reproduce

https://github.com/kylinsoong/container-ingress/tree/master/f5-cis-kubernetes/namespace-label

Expected Result

The change can be updated to F5.

cisbotctlr commented 4 years ago

cisbot will assign the issue to one of the devs. @devs, use /jira for internal tracking.

mdditt2000 commented 4 years ago

SR opened is C3318587

CIS is trying to extract endpoints from services that are outside the scope of CIS in terms of namespace when processing AS3 ConfigMaps. Will be addressed. @subbuv26 was this a 2.1 or 2.1.1 fix?

mdditt2000 commented 4 years ago

awaiting milestone

mdditt2000 commented 4 years ago

/jira

mdditt2000 commented 4 years ago

Jira filed for PM tracking

mdditt2000 commented 4 years ago

Resolved in CIS 2.1