F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

CIS ignores openshift configurations. #1915

Closed AlexanderSlinkov closed 3 years ago

AlexanderSlinkov commented 3 years ago

Setup Details

CIS Version : 2.5.0
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 16.0.1
AS3 Version: 3.29.0-3
Agent Mode: AS3
Orchestration: OSCP
Orchestration Version:
Pool Mode: Cluster

Description

Hi,

I'm new to CIS and OpenShift and I need some help to understand what is going on. I configured the CIS according to the article below: https://clouddocs.f5.com/containers/latest/userguide/openshift/ But, for some reason, the CIS does not read OpenShift objects and does not apply the appropriate changes to F5.

In logs I can't find helpful information.

Steps To Reproduce

1) Configure CIS on Openshift cluster.
2) Configure ingress/crd or something else.
3) List logs of CIS deployment.

Expected Result

Configuration on the F5 device should be changed.

Actual Result

Nothing happens.

Diagnostic Information

apiVersion: apps/v1
metadata:
  annotations:
    deployment.kubernetes.io/revision: '3'
  name: bigip-ctlr-a
  namespace: demo-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bigip-ctlr-a
  template:
    metadata:
      name: bigip-ctlr-a
      creationTimestamp: null
      labels:
        app: bigip-ctlr-a
    spec:
      restartPolicy: Always
      serviceAccountName: bigip-ctlr
      imagePullSecrets:
        - name: bigip-login
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 30
      securityContext: {}
      containers:
        - resources: {}
          terminationMessagePath: /dev/termination-log
          name: bigip-ctlr-a
          command:
            - /app/bin/k8s-bigip-ctlr
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: password
          imagePullPolicy: Always
          terminationMessagePolicy: File
          image: f5networks/k8s-bigip-ctlr
          args:
            - '--bigip-username=$(BIGIP_USERNAME)'
            - '--bigip-password=$(BIGIP_PASSWORD)'
            - '--gtm-bigip-username=$(BIGIP_USERNAME)'
            - '--gtm-bigip-password=$(BIGIP_PASSWORD)'
            - '--gtm-bigip-url=172.31.0.14'
            - '--agent=as3'
            - '--bigip-url=172.31.0.14'
            - '--bigip-partition=ocp'
            - '--pool-member-type=cluster'
            - '--insecure=true'
            - '--log-as3-response=true'
            - '--log-level=DEBUG'
            - '--manage-routes=true'
            - '--route-vserver-addr=192.168.100.11'
            - '--openshift-sdn-name=/ocp-net/openshift_vxlan'
            - '--namespace-label=f5type=demo-app'
            - '--default-route-domain=1'
            - '--custom-resource-mode=true'
      serviceAccount: bigip-ctlr
      dnsPolicy: ClusterFirst
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600

Here are the logs from the CIS:

2021/07/23 06:08:15 [INFO] [INIT] Starting: Container Ingress Services - Version: 2.5.0, BuildInfo: azure-465-1952a80a2165b7fc2d3561795ad09d1eb8615136
2021/07/23 06:08:15 [INFO]TeemServer:product.apis.f5.com
2021/07/23 06:08:15 teemClient:{{CIS-Ecosystem CIS/v2.5.0 9ba048d8-88ca-47a0-873e-3fb4b8ca7b9a} mmhJU2sCd63BznXAXDh4kxLIyfIMm3Ar   product.apis.f5.com}
2021/07/23 06:08:15 [DEBUG] digitalAssetId:3ef79888-2a85-e6dd-e10c-2eba6ddd3de2
2021/07/23 06:08:15 [DEBUG] telemetryDatalist:[{"Agent":"as3","ConfigmapsCount":0,"DateOfCISDeploy":"2021-07-23T06:08:15.460427522Z","ExternalDNSCount":0,"IPAMSvcLBCount":0,"IPAMTransportServerCount":0,"IPAMVirtualServerCount":0,"IngressCount":0,"IngressLinkCount":0,"Mode":"cluster","PlatformInfo":"CIS/v2.5.0 OCP/v4.6.1","RoutesCount":0,"RunningInDocker":false,"SDNType":"openshiftSDN","TransportServerCount":0,"VirtualServerCount":0}]
2021/07/23 06:08:15 [DEBUG] ControllerAsDocker:#{docker}
2021/07/23 06:08:16 Resp Code:204    Status:204 No Content
2021/07/23 06:08:16 [DEBUG] [AS3] No certs appended, using only system certs
2021/07/23 06:08:16 [INFO] ConfigWriter started: 0xc0002e1050
2021/07/23 06:08:16 [DEBUG] [CCCL] ConfigWriter (0xc0002e1050) writing section name gtm_bigip
2021/07/23 06:08:16 [DEBUG] [CCCL] ConfigWriter (0xc0002e1050) successfully wrote section (gtm_bigip)
2021/07/23 06:08:16 [DEBUG] [CCCL] ConfigWriter (0xc0002e1050) writing section name global
2021/07/23 06:08:16 [DEBUG] [CCCL] ConfigWriter (0xc0002e1050) successfully wrote section (global)
2021/07/23 06:08:16 [DEBUG] [CCCL] ConfigWriter (0xc0002e1050) writing section name bigip
2021/07/23 06:08:16 [DEBUG] [CCCL] ConfigWriter (0xc0002e1050) successfully wrote section (bigip)
2021/07/23 06:08:16 [INFO] Started config driver sub-process at pid: 20
2021/07/23 06:08:16 [DEBUG] Custom Resource Manager Created
2021/07/23 06:08:16 [DEBUG] Client Created
2021/07/23 06:08:16 [INFO] [CORE] NodePoller (0xc0005153b0) registering new listener: 0x1723860
2021/07/23 06:08:16 [INFO] [CORE] NodePoller (0xc0005153b0) registering new listener: 0x17238e0
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller object created: 0xc0005153b0
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) caching listener 0x1723860, poller is not running
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) caching listener 0x17238e0, poller is not running
2021/07/23 06:08:16 [INFO] Posting GET BIGIP AS3 Version request on https://172.31.0.14/mgmt/shared/appsvcs/info
2021/07/23 06:08:16 [DEBUG] [VxLAN] Vxlan Manager waiting for pod events from appManager.
2021/07/23 06:08:16 [INFO] Starting Custom Resource Manager
2021/07/23 06:08:16 [INFO] Starting Namespace Informer
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) registering cached listener: 0x1723860

2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) poller goroutine started
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) poller goroutine adding listener: {l:0xc0001520c0 s:0xc000152180}
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) registering cached listener: 0x17238e0

2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) listener goroutine started: 0x1723860
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) listener callback - num items: 5 err: <nil>
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) listener add wake up - next poll in 29.999852618s

2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) poller goroutine adding listener: {l:0xc0005a8180 s:0xc0005a81e0}
2021/07/23 06:08:16 [INFO] [CORE] NodePoller started: (0xc0005153b0)
2021/07/23 06:08:16 [DEBUG] Starting Custom Resource Worker
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) listener goroutine started: 0x17238e0
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) listener callback - num items: 5 err: <nil>
2021/07/23 06:08:16 [DEBUG] [CCCL] ConfigWriter (0xc0002e1050) writing section name vxlan-fdb
2021/07/23 06:08:16 [DEBUG] [CORE] NodePoller (0xc0005153b0) listener add wake up - next poll in 29.999440987s

2021/07/23 06:08:16 [DEBUG] [CCCL] ConfigWriter (0xc0002e1050) successfully wrote section (vxlan-fdb)
2021/07/23 06:08:16 [DEBUG] [VxLAN] Vxlan manager (openshift_vxlan) wrote config section: [{0a:0a:ac:1f:00:06 172.31.0.6} {0a:0a:ac:1f:00:07 172.31.0.7} {0a:0a:ac:1f:00:08 172.31.0.8} {0a:0a:ac:1f:00:09 172.31.0.9} {0a:0a:ac:1f:00:0a 172.31.0.10}]
2021/07/23 06:08:16 [INFO] BIGIP is serving with AS3 version : 3.29.0-3 
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,174 icontrol.session DEBUG] get WITH uri: https://172.31.0.14:443/mgmt/tm/sys/ AND suffix:  AND kwargs: {}
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,175 urllib3.connectionpool DEBUG] Starting new HTTPS connection (1): 172.31.0.14:443
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,271 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "POST /mgmt/shared/authn/login HTTP/1.1" 200 721
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,272 urllib3.connectionpool DEBUG] Starting new HTTPS connection (1): 172.31.0.14:443
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,310 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "GET /mgmt/tm/sys/ HTTP/1.1" 200 4019
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,311 icontrol.session DEBUG] RESPONSE::STATUS: 200 Content-Type: application/json; charset=UTF-8 Content-Encoding: None
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,324 f5_cccl DEBUG] F5CloudServiceManager initialize
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,324 f5_cccl.bigip DEBUG] BigIPProxy.__init__()
2021/07/23 06:08:17 [INFO] /app/src/f5-cccl/f5_cccl/service/validation.py:40: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
2021/07/23 06:08:17 [INFO]   yaml_data = yaml.load(yaml_file)
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,337 icontrol.session DEBUG] get WITH uri: https://172.31.0.14:443/mgmt/tm/sys/ AND suffix:  AND kwargs: {}
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,339 urllib3.connectionpool DEBUG] Starting new HTTPS connection (1): 172.31.0.14:443
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,433 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "POST /mgmt/shared/authn/login HTTP/1.1" 200 721
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,435 urllib3.connectionpool DEBUG] Starting new HTTPS connection (1): 172.31.0.14:443
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,473 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "GET /mgmt/tm/sys/ HTTP/1.1" 200 4019
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,474 icontrol.session DEBUG] RESPONSE::STATUS: 200 Content-Type: application/json; charset=UTF-8 Content-Encoding: None
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,475 __main__ DEBUG] F5GTMManager initialize
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,475 __main__ DEBUG] config handler thread start
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,475 __main__ DEBUG] config handler woken for reset
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,476 __main__ DEBUG] loaded configuration file successfully
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,478 __main__ DEBUG] NET Config: {"userFdbTunnels": [{"name": "openshift_vxlan", "records": [{"name": "0a:0a:ac:1f:00:06", "endpoint": "172.31.0.6"}, {"name": "0a:0a:ac:1f:00:07", "endpoint": "172.31.0.7"}, {"name": "0a:0a:ac:1f:00:08", "endpoint": "172.31.0.8"}, {"name": "0a:0a:ac:1f:00:09", "endpoint": "172.31.0.9"}, {"name": "0a:0a:ac:1f:00:0a", "endpoint": "172.31.0.10"}]}]}
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,479 f5_cccl.service.manager DEBUG] apply_net_config start
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,479 f5_cccl.service.validation DEBUG] Validating desired config against CCCL API schema.
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,479 f5_cccl.service.validation DEBUG] validate start
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,480 f5_cccl.service.validation DEBUG] validate took 0.00083 seconds.
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,481 icontrol.session DEBUG] get WITH uri: https://172.31.0.14:443/mgmt/tm/auth/partition/ocp-net AND suffix:  AND kwargs: {}
2021/07/23 06:08:17 [INFO] [2021-07-23 06:08:17,484 __main__ INFO] entering inotify loop to watch /tmp/k8s-bigip-ctlr.config601537406/config.json
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,495 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "GET /mgmt/tm/auth/partition/ocp-net HTTP/1.1" 200 192
2021/07/23 06:08:17 [INFO] Text: '{"kind":"tm:auth:partition:partitionstate","name":"ocp-net","fullPath":"ocp-net","generation":1,"selfLink":"https://localhost/mgmt/tm/auth/partition/ocp-net?ver=16.0.1","defaultRouteDomain":1}'
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,496 icontrol.session DEBUG] RESPONSE::STATUS: 200 Content-Type: application/json; charset=UTF-8 Content-Encoding: None
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,497 f5_cccl.bigip DEBUG] Refreshing the BIG-IP net cached state...
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,497 icontrol.session DEBUG] get WITH uri: https://172.31.0.14:443/mgmt/tm/auth/partition/ocp-net AND suffix:  AND kwargs: {}
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,509 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "GET /mgmt/tm/auth/partition/ocp-net HTTP/1.1" 200 192
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,510 icontrol.session DEBUG] RESPONSE::STATUS: 200 Content-Type: application/json; charset=UTF-8 Content-Encoding: None
2021/07/23 06:08:17 [INFO] Text: '{"kind":"tm:auth:partition:partitionstate","name":"ocp-net","fullPath":"ocp-net","generation":1,"selfLink":"https://localhost/mgmt/tm/auth/partition/ocp-net?ver=16.0.1","defaultRouteDomain":1}'
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,511 f5_cccl.bigip DEBUG] Retrieving arps from BIG-IP /ocp-net...
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,511 icontrol.session DEBUG] get WITH uri: https://172.31.0.14:443/mgmt/tm/net/arp/ AND suffix:  AND kwargs: {'params': '$filter=partition+eq+ocp-net'}
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,524 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "GET /mgmt/tm/net/arp/?$filter=partition+eq+ocp-net HTTP/1.1" 200 138
2021/07/23 06:08:17 [INFO] Text: '{"kind":"tm:net:arp:arpcollectionstate","selfLink":"https://localhost/mgmt/tm/net/arp?$filter=partition+eq+ocp-net&ver=16.0.1","items":[]}'
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,525 icontrol.session DEBUG] RESPONSE::STATUS: 200 Content-Type: application/json; charset=UTF-8 Content-Encoding: None
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,525 f5_cccl.bigip DEBUG] Retrieving fdb tunnels from BIG-IP /ocp-net...
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,526 icontrol.session DEBUG] get WITH uri: https://172.31.0.14:443/mgmt/tm/net/fdb/tunnel/ AND suffix:  AND kwargs: {}
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,541 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "GET /mgmt/tm/net/fdb/tunnel/ HTTP/1.1" 200 1577
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,542 icontrol.session DEBUG] RESPONSE::STATUS: 200 Content-Type: application/json; charset=UTF-8 Content-Encoding: None
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,543 icontrol.session DEBUG] get WITH uri: https://172.31.0.14:443/mgmt/tm/net/fdb/tunnel/~Common~http-tunnel/records/ AND suffix:  AND kwargs: {}
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,556 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "GET /mgmt/tm/net/fdb/tunnel/~Common~http-tunnel/records/ HTTP/1.1" 200 163
2021/07/23 06:08:17 [INFO] Text: '{"kind":"tm:net:fdb:tunnel:records:recordscollectionstate","selfLink":"https://localhost/mgmt/tm/net/fdb/tunnel/~Common~http-tunnel/records?ver=16.0.1","items":[]}'
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,557 icontrol.session DEBUG] RESPONSE::STATUS: 200 Content-Type: application/json; charset=UTF-8 Content-Encoding: None
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,558 icontrol.session DEBUG] get WITH uri: https://172.31.0.14:443/mgmt/tm/net/fdb/tunnel/~Common~socks-tunnel/records/ AND suffix:  AND kwargs: {}
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,571 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "GET /mgmt/tm/net/fdb/tunnel/~Common~socks-tunnel/records/ HTTP/1.1" 200 164
2021/07/23 06:08:17 [INFO] Text: '{"kind":"tm:net:fdb:tunnel:records:recordscollectionstate","selfLink":"https://localhost/mgmt/tm/net/fdb/tunnel/~Common~socks-tunnel/records?ver=16.0.1","items":[]}'
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,572 icontrol.session DEBUG] RESPONSE::STATUS: 200 Content-Type: application/json; charset=UTF-8 Content-Encoding: None
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,572 icontrol.session DEBUG] get WITH uri: https://172.31.0.14:443/mgmt/tm/net/fdb/tunnel/~ocp2-net~openshift_vxlan_2/records/ AND suffix:  AND kwargs: {}
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,586 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "GET /mgmt/tm/net/fdb/tunnel/~ocp2-net~openshift_vxlan_2/records/ HTTP/1.1" 200 1518
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,587 icontrol.session DEBUG] RESPONSE::STATUS: 200 Content-Type: application/json; charset=UTF-8 Content-Encoding: None
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,587 icontrol.session DEBUG] get WITH uri: https://172.31.0.14:443/mgmt/tm/net/fdb/tunnel/~ocp-net~openshift_vxlan/records/ AND suffix:  AND kwargs: {}
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,599 urllib3.connectionpool DEBUG] https://172.31.0.14:443 "GET /mgmt/tm/net/fdb/tunnel/~ocp-net~openshift_vxlan/records/ HTTP/1.1" 200 1493
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,600 icontrol.session DEBUG] RESPONSE::STATUS: 200 Content-Type: application/json; charset=UTF-8 Content-Encoding: None
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,601 f5_cccl.bigip DEBUG] BIG-IP net refresh took 0.10457 seconds.
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,601 f5_cccl.service.manager DEBUG] Getting arp tasks...
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,602 f5_cccl.service.manager DEBUG] Getting tunnel tasks...
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,602 f5_cccl.service.manager DEBUG] Getting pre-existing tunnel update tasks...
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,602 f5_cccl.service.manager DEBUG] Building task lists...
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,602 f5_cccl.service.manager DEBUG] Service task queue length: 0
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,602 f5_cccl.service.manager DEBUG] Creating 0 resources...
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,602 f5_cccl.service.manager DEBUG] Updating 0 resources...
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,602 f5_cccl.service.manager DEBUG] Deleting 0 resources...
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,602 f5_cccl.service.manager DEBUG] apply_net_config took 0.12351 seconds.
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,603 __main__ DEBUG] loaded configuration file successfully
2021/07/23 06:08:17 [INFO] [2021-07-23 06:08:17,603 __main__ INFO] No change in GMT config.
2021/07/23 06:08:17 [DEBUG] [2021-07-23 06:08:17,604 __main__ DEBUG] updating tasks finished, took 0.1281116008758545 seconds

AlexanderSlinkov commented 3 years ago

I found the answer.

The namespace demo-app should have a label:

[root@helper ~]# oc describe namespace demo-app
Name:         demo-app
Labels:       f5type=demo-app  <-------- this one
Annotations:  openshift.io/description:
              openshift.io/display-name:
              openshift.io/requester: admin
              openshift.io/sa.scc.mcs: s0:c24,c19
              openshift.io/sa.scc.supplemental-groups: 1000590000/10000
              openshift.io/sa.scc.uid-range: 1000590000/10000
Status:       Active

No resource quota.

No LimitRange resource.

Now I have a question. Is it possible to add a note about this in the article below: https://clouddocs.f5.com/containers/latest/userguide/cis-installation.html?highlight=namespace ?

trinaths commented 3 years ago

CIS is configured to monitor resources in namespaces with namespace-label - '--namespace-label=f5type=demo-app'

Please refer to CIS config parameters for more info https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html

Hope this helps.
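
The behaviour discussed in this thread, as an added example that is not part of the original issue or of the k8s-bigip-ctlr code base: it reads `--namespace-label` from a CIS argument list, lists the namespaces the selector matches, and prints the `oc label` command for a namespace that should be watched but is not. It assumes CIS treats the value as a standard Kubernetes equality-based label selector; the namespace data is constructed.

```python
"""Added example: which namespaces does a CIS --namespace-label selector match?"""

# Subset of the args from the Deployment posted in this issue.
CIS_ARGS = [
    "--bigip-partition=ocp",
    "--pool-member-type=cluster",
    "--manage-routes=true",
    "--namespace-label=f5type=demo-app",
    "--custom-resource-mode=true",
]

# Constructed namespace -> labels maps (before and after labelling demo-app).
NAMESPACES_BEFORE = {"default": {}, "demo-app": {}, "other-app": {"f5type": "other"}}
NAMESPACES_AFTER = {**NAMESPACES_BEFORE, "demo-app": {"f5type": "demo-app"}}


def namespace_label_selector(args):
    """Return the value of --namespace-label, or None if the flag is absent."""
    for arg in args:
        if arg.startswith("--namespace-label="):
            return arg.split("=", 1)[1]
    return None


def parse_selector(selector):
    """Parse an equality-based selector into (key, op, value) requirements.

    Supports key=value, key==value, key!=value, key and !key.
    Set-based expressions (in / notin) are rejected.
    """
    if "(" in selector or ")" in selector:
        raise ValueError("set-based selectors are not handled by this example")
    reqs = []
    for term in selector.split(","):
        term = term.strip()
        if not term:
            continue
        if "!=" in term:
            key, value = term.split("!=", 1)
            op = "!="
        elif "==" in term:
            key, value = term.split("==", 1)
            op = "="
        elif "=" in term:
            key, value = term.split("=", 1)
            op = "="
        elif term.startswith("!"):
            key, op, value = term[1:], "!exists", ""
        else:
            key, op, value = term, "exists", ""
        reqs.append((key.strip(), op, value.strip()))
    return reqs


def matches(labels, reqs):
    """Kubernetes semantics: every requirement must hold (logical AND)."""
    for key, op, value in reqs:
        if op == "=" and labels.get(key) != value:
            return False
        if op == "!=" and labels.get(key) == value:
            return False
        if op == "exists" and key not in labels:
            return False
        if op == "!exists" and key in labels:
            return False
    return True


def watched_namespaces(args, namespaces):
    """Sorted names matched by the selector; None if no label filter is set."""
    selector = namespace_label_selector(args)
    if selector is None:
        return None
    reqs = parse_selector(selector)
    return sorted(n for n, labels in namespaces.items() if matches(labels, reqs))


def fix_commands(args, namespaces, wanted):
    """oc label commands for namespaces in `wanted` that the selector misses."""
    selector = namespace_label_selector(args)
    if selector is None:
        return []
    reqs = parse_selector(selector)
    commands = []
    for name in wanted:
        labels = namespaces.get(name, {})
        if matches(labels, reqs):
            continue
        for key, op, value in reqs:
            if op == "=" and labels.get(key) != value:
                # An existing label with another value needs --overwrite.
                flag = " --overwrite" if key in labels else ""
                commands.append(f"oc label namespace {name} {key}={value}{flag}")
    return commands


if __name__ == "__main__":
    print("selector:", namespace_label_selector(CIS_ARGS))
    print("watched before:", watched_namespaces(CIS_ARGS, NAMESPACES_BEFORE))
    for cmd in fix_commands(CIS_ARGS, NAMESPACES_BEFORE, ["demo-app"]):
        print("fix:", cmd)
    print("watched after:", watched_namespaces(CIS_ARGS, NAMESPACES_AFTER))
```

An empty "watched" list with no errors in the controller log corresponds to the symptom reported above: the controller starts normally but has no namespaces to process.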

AlexanderSlinkov commented 3 years ago

Yes, yes, that was the problem.

Thanks!

Now the question is the following: Is it possible to add a note about this in the article below: https://clouddocs.f5.com/containers/latest/userguide/cis-installation.html?highlight=namespace ?

As I mentioned previously, I'm new with these technologies and it was not obvious for me.

trinaths commented 3 years ago

@AlexanderSlinkov understand the document changes. However, we suggest reviewing the config parameters before configuring CIS. This document helps end users configure CIS based on their requirements.

AlexanderSlinkov commented 3 years ago

@trinaths,

Thanks, I have no more questions.

I think we can close this case.

trinaths commented 3 years ago

Closing this issue. Thanks @AlexanderSlinkov