F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

change in behavior on namespace visibility between 2.0.0 and 2.1.0 #1430

Closed chen23 closed 4 years ago

chen23 commented 4 years ago

Setup Details

CIS Version: 2.1.0
Build: f5networks/k8s-bigip-ctlr:2.1.0
BIGIP Version: Big IP 15.1.0.2
AS3 Version: 3.20
Agent Mode: AS3
Orchestration: OSCP
Orchestration Version: 4.3
Pool Mode: Cluster
Additional Setup details: default CNI (vxlan)

Description

Previously in 2.0.0 you could set the controller namespace to "default", but it would still grab services from other namespaces (i.e. nginx-ingress) using an AS3 configmap. In 2.1.0 this is no longer the case.

Steps To Reproduce

1) Deploy controller with arg "--namespace=default"
2) Create a service in namespace "nginx-ingress" with annotations for AS3 configmap
3) Compare output in 2.0.0 vs. 2.1.0

Expected Result

Using 2.0.0 you can see the pool members created

ltm pool MyApps/ingress_pool {
    members {
        /Common/10.128.0.22:http {
            address 10.128.0.22
            session monitor-enabled
            state up
            metadata {
                source {
                    value declaration
                }
            }
        }
    }
    min-active-members 1
    monitor min 1 of { /Common/tcp }
    partition ConfigMap
}
ltm pool MyApps/ingresstls_pool {
    members {
        /Common/10.128.0.22:https {
            address 10.128.0.22
            session monitor-enabled
            state up
            metadata {
                source {
                    value declaration
                }
            }
        }
    }
    min-active-members 1
    monitor min 1 of { /Common/tcp }
    partition ConfigMap
}

Actual Result

On 2.1.0 you do not

ltm pool MyApps/ingress_pool {
    min-active-members 1
    monitor min 1 of { /Common/tcp }
    partition ConfigMap
}
ltm pool MyApps/ingresstls_pool {
    min-active-members 1
    monitor min 1 of { /Common/tcp }
    partition ConfigMap
}

Diagnostic Information

CIS configuration (for 2.0.0, for 2.1.0 change version): https://github.com/f5devcentral/f5-k8s-demo/blob/624cf0cebe441ddfddee14a2fa02a9a37b47f98a/ocp4/f5-server.yaml

Target service: https://github.com/f5devcentral/f5-k8s-demo/blob/624cf0cebe441ddfddee14a2fa02a9a37b47f98a/ocp4/ingress-nginx-service.yaml

AS3 ConfigMap (flip false to true to deploy): https://github.com/f5devcentral/f5-k8s-demo/blob/624cf0cebe441ddfddee14a2fa02a9a37b47f98a/ocp4/as3-configmap-basic.yaml

Observations (if any)

Depending on your opinion this is either a feature or a bug in 2.0.0. It was useful before b/c you could limit the controller to only look for the configmap in the target namespace, but still allow it to use services from other namespaces.

cisbotctlr commented 4 years ago

cisbot will assign the issue to one of the devs. @devs, use /jira for internal tracking.

iam-veeramalla commented 4 years ago

Hi @chen23,

This is done on purpose. This is a request from a customer to restrict the ConfigMap to use a service only within the namespace.

We have seen customers using services with the same annotated tags (maybe as a backup service, or they forgot to delete the old ones in different namespaces). CIS (2.0) used to ignore the specific pool and log an error (multiple services with same tags).

In order to sort out this kind of issue, we decided to pick services from the same namespace (which we do for routes and ingress as well).

Regards, Abhishek Veeramalla
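
Added example, not part of the thread and not CIS code: a Python model of the two service-selection behaviours described in the comment above, run over constructed Service records to list the pools whose backing Service changes between 2.0.0 and 2.1.0. The `cis.f5.com/as3-*` label keys and the sample Services are assumptions; tenant `ConfigMap`, app `MyApps` and pool `ingress_pool` mirror the tmsh output in the report.

```python
from collections import defaultdict

# Label keys assumed for matching a Service to an AS3 pool (the thread only
# says "annotated tags"); the sample Services below are constructed.
KEYS = ("cis.f5.com/as3-tenant", "cis.f5.com/as3-app", "cis.f5.com/as3-pool")

def svc(namespace, name, pool):
    tags = dict(zip(KEYS, ("ConfigMap", "MyApps", pool)))
    return {"namespace": namespace, "name": name, "labels": tags}

SAMPLE = [
    svc("nginx-ingress", "ingress", "ingress_pool"),  # only outside "default"
    svc("default", "web", "web_pool"),
    svc("backup", "web-old", "web_pool"),             # forgotten duplicate
    svc("default", "api", "api_pool"),
]

def resolve(services, configmap_ns, same_namespace_only):
    """Map (tenant, app, pool) -> (service name or None, note)."""
    found = defaultdict(list)
    for s in services:
        labels = s.get("labels", {})
        if not all(k in labels for k in KEYS):
            continue  # not tagged for AS3
        if same_namespace_only and s["namespace"] != configmap_ns:
            continue  # 2.1.0: other namespaces are not considered
        found[tuple(labels[k] for k in KEYS)].append(s)
    out = {}
    for key, hits in found.items():
        if len(hits) > 1:
            # 2.0.0 per the thread: pool ignored, error logged. Applying the
            # same rule to duplicates inside one namespace is an assumption.
            out[key] = (None, "multiple services with same tags")
        else:
            out[key] = (f"{hits[0]['namespace']}/{hits[0]['name']}", "ok")
    return out

def upgrade_report(services, configmap_ns):
    """Pools whose resolved Service differs between 2.0.0 and 2.1.0."""
    old = resolve(services, configmap_ns, same_namespace_only=False)
    new = resolve(services, configmap_ns, same_namespace_only=True)
    missing = (None, "no tagged service in ConfigMap namespace")
    return {k: {"2.0.0": v, "2.1.0": new.get(k, missing)}
            for k, v in old.items() if new.get(k, missing) != v}

if __name__ == "__main__":
    for key, change in upgrade_report(SAMPLE, "default").items():
        print(key[2], change)
```

With the ConfigMap in `default`, the report flags `ingress_pool` (loses its member in 2.1.0, as in the issue) and `web_pool` (ignored as a duplicate in 2.0.0, resolved to the same-namespace Service in 2.1.0).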

chen23 commented 4 years ago

That makes sense. I'm not sure whether other folks will hit the same issue. I did not see this change called out in the release notes: https://clouddocs.f5.com/containers/latest/reference/release-notes.html

iam-veeramalla commented 4 years ago

@chen23 It is part of the Multiple AS3 ConfigMap support. We are working on the user documentation in Clouddocs and we will work more vividly on this.

mdditt2000 commented 4 years ago

Jira filed form PM/tech writer CONTCNTR-2033

mdditt2000 commented 4 years ago

Documented and released as part of CIS 2.1. Closing issue out.