F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

An Edge-termination Route keeps generating a "Failed to find pool for" error message even though the traffic works just fine #3469

Open jokoyuliantoro opened 2 months ago

jokoyuliantoro commented 2 months ago

Setup Details

CIS Version : 2.17.0
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 17.1.0.1
AS3 Version: 3.50.2
Agent Mode: AS3
Orchestration: OCP
Orchestration Version: 4.10.17
Pool Mode: Cluster
Additional Setup details: SDN without tunnel

Description

Traffic to an edge-termination Route keeps generating an iRule error in /var/log/ltm:

Rule /ocp-cis/Shared/openshift_passthrough_irule : Failed to find pool for

The real traffic actually works, with 200 OK returned, but the error keeps appearing in the log for every incoming request.

Steps To Reproduce

1) Apply this yaml to OCP:

-------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app101
  namespace: ns100
spec:
  replicas: 2  # Adjust as needed
  selector:
    matchLabels:
      app: app101
  template:
    metadata:
      labels:
        app: app101
    spec:
      containers:
      - name: app101
        image: mendhak/http-https-echo:31
        ports:
        - containerPort: 8080
        env:
        - name: HTTP_PORT
          value: "8080"
---
apiVersion: v1
kind: Service
metadata:
  name: app101-service
  namespace: ns100
spec:
  selector:
    app: app101
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
    name: http
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: self-signed
  namespace: ns100
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app101-cert
  namespace: ns100
spec:
  dnsNames:
    - app101.corp.com
  secretName: app101-cert-tls
  issuerRef:
    name: self-signed
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: app101-route
  namespace: ns100
  annotations:
    cert-utils-operator.redhat-cop.io/certs-from-secret: app101-cert-tls
spec:
  host: app101.corp.com
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: None
  to:
    kind: Service
    name: app101-service
-------------------

2) Run 'tail -f /var/log/ltm' from the BIG-IP CLI.

3) Run from BIG-IP CLI: curl -kv --resolve app101.corp.com:443: https://app101.corp.com/

Expected Result

There should be no error message in the /var/log/ltm

Actual Result

[root@bigip2:Active:In Sync] tmp # tail -f /var/log/ltm -n1
Jul  2 07:34:07 bigip2.local debug tmm1[10349]: Rule /ocp-cis/Shared/openshift_passthrough_irule <CLIENT_DATA>: Failed to find pool for app101.corp.com

CIS yaml

[cloud-user@ocp-provisioner loadtest]$ cat ../cis-manual/f5-cis-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: f5-cis
  namespace: f5-big-ip-cis
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: k8s-bigip-ctlr
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: k8s-bigip-ctlr
      name: k8s-bigip-ctlr
    spec:
      serviceAccount: bigip-ctlr
      serviceAccountName: bigip-ctlr
      securityContext:
        runAsUser: 1000730001
        runAsGroup: 1000730001
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:latest"
          args:
            # See https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html
            # for more configuration options.
            # When insecure=true, this enables insecure SSL communication to the BIG-IP system."
            - "--bigip-username=$(BIGIP_USERNAME)"
            - "--bigip-password=$(BIGIP_PASSWORD)"
            - "--bigip-url=10.1.10.245"
            - "--bigip-partition=ocp-cis"
            - "--insecure=true"
            - "--pool-member-type=cluster"
            - "--manage-routes=true"
            - "--route-vserver-addr=10.1.10.200"
            - "--route-http-vserver=ocp-cis-http-vs"
            - "--route-https-vserver=ocp-cis-https-vs"
            - "--vs-snat-pool-name=/Common/snatpool1"
          command:
            - /app/bin/k8s-bigip-ctlr
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: bigip-login
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: bigip-login
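
Added example for this issue; it is not code from the issue author or from the k8s-bigip-ctlr project. It parses `Failed to find pool for` lines in the `/var/log/ltm` layout shown under Actual Result, counts them per SNI host name so you can see whether the message is continuous and which hosts trigger it, and then splits the hosts into expected noise (hosts whose Route is edge-terminated, which by assumption are not in the passthrough data group the iRule consults) and hosts to investigate (passthrough hosts, unknown hosts, and ClientHellos without SNI). The sample log lines, the `ROUTE_TERMINATION` map and the host `legacy.corp.com` are constructed for the demo, and the benign-for-edge classification is this example's assumption, based only on the report above that edge traffic still returns 200.

```python
"""Summarise BIG-IP iRule "Failed to find pool for" log lines per SNI host.

Added example for this issue; not code from the issue author or from the
k8s-bigip-ctlr project. The syslog layout is the one shown in the issue's
Actual Result; the sample lines and the Route map below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional

# One /var/log/ltm line as emitted by tmm for an iRule log message, e.g.
#   Jul  2 07:34:07 bigip2.local debug tmm1[10349]: Rule /ocp-cis/Shared/openshift_passthrough_irule <CLIENT_DATA>: Failed to find pool for app101.corp.com
# The <EVENT> tag and the trailing host name are both optional: a ClientHello
# without SNI produces "... Failed to find pool for" with nothing after it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>\S+) tmm\d*\[\d+\]: "
    r"Rule (?P<rule>\S+) (?:<(?P<event>[A-Z_]+)>)?: "
    r"Failed to find pool for(?: (?P<sni>\S+))?\s*$"
)


@dataclass(frozen=True)
class PoolMiss:
    timestamp: str
    level: str
    rule: str
    event: str   # "" when the log line carried no <EVENT> tag
    sni: str     # "" when the ClientHello carried no server name


def parse_line(line: str) -> Optional[PoolMiss]:
    """Return a PoolMiss for a matching line, None for any other log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return PoolMiss(m["ts"], m["level"], m["rule"], m["event"] or "", m["sni"] or "")


def iter_misses(lines: Iterable[str],
                rule_suffix: str = "openshift_passthrough_irule") -> Iterator[PoolMiss]:
    """Yield misses logged by the named iRule (matched by path suffix)."""
    for line in lines:
        miss = parse_line(line)
        if miss is not None and miss.rule.endswith(rule_suffix):
            yield miss


def count_misses(lines: Iterable[str]) -> Counter:
    """Count misses per SNI host name; the key "" collects SNI-less hellos."""
    return Counter(miss.sni for miss in iter_misses(lines))


def classify_misses(lines: Iterable[str],
                    route_termination: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Split the per-host counts into expected noise and hosts to investigate.

    Assumption (this example's, based on the report that edge traffic is
    served fine): a miss for a host whose Route is edge-terminated is benign,
    because the passthrough data group only lists passthrough hosts. A miss
    for a passthrough host, an unknown host or an empty SNI is not.
    """
    expected: Dict[str, int] = {}
    investigate: Dict[str, int] = {}
    for sni, n in count_misses(lines).items():
        if route_termination.get(sni) == "edge":
            expected[sni] = n
        else:
            investigate[sni] = n
    return {"expected": expected, "investigate": investigate}


# Constructed sample of /var/log/ltm; the first line is the one from the issue,
# the others are made up (legacy.corp.com is a hypothetical passthrough host).
SAMPLE_LTM = """\
Jul  2 07:34:07 bigip2.local debug tmm1[10349]: Rule /ocp-cis/Shared/openshift_passthrough_irule <CLIENT_DATA>: Failed to find pool for app101.corp.com
Jul  2 07:34:08 bigip2.local debug tmm0[10349]: Rule /ocp-cis/Shared/openshift_passthrough_irule <CLIENT_DATA>: Failed to find pool for app101.corp.com
Jul  2 07:34:09 bigip2.local debug tmm1[10349]: Rule /ocp-cis/Shared/openshift_passthrough_irule <CLIENT_DATA>: Failed to find pool for legacy.corp.com
Jul  2 07:34:10 bigip2.local notice tmm1[10349]: Rule /Common/unrelated <HTTP_REQUEST>: some other message
Jul  2 07:34:11 bigip2.local debug tmm1[10349]: Rule /ocp-cis/Shared/openshift_passthrough_irule <CLIENT_DATA>: Failed to find pool for
"""

# Constructed map of Route host -> spec.tls.termination.
ROUTE_TERMINATION = {"app101.corp.com": "edge", "legacy.corp.com": "passthrough"}

if __name__ == "__main__":
    import sys
    # Pass a copy of /var/log/ltm as argv[1]; otherwise the constructed sample runs.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LTM.splitlines()
    for bucket, hosts in classify_misses(source, ROUTE_TERMINATION).items():
        for sni, n in sorted(hosts.items()):
            print(f"{bucket:12} {sni or '<no SNI>':30} {n}")
```

Run it against a copy of `/var/log/ltm` pulled from the BIG-IP and compare the `expected` bucket with the hosts of your edge Routes; anything left in `investigate` is either a passthrough Route whose pool really is missing from the data group or a client sending no SNI, which this iRule cannot route by name anyway.
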

trinaths commented 2 months ago

@jokoyuliantoro Is this error continuous ?

jokoyuliantoro commented 2 months ago

Yes, it is continuous.

jokoyuliantoro commented 2 months ago

For your consideration, @trinaths

[root@bigip2:Active:Standalone] tmp # diff openshift_passthrough_irule-after openshift_passthrough_irule-before
139d138
<                                                                       set edge_class "/ocp-cis/Shared/ssl_edge_servername_dg"
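
Review bot: `set edge_class "/ocp-cis/Shared/ssl_edge_servername_dg"` (a `<` line, which is the proposed version here because the diff was run as `diff after before`) hardcodes the partition path; the rest of this iRule sits under /ocp-cis/Shared only because CIS was started with `--bigip-partition=ocp-cis`, so derive the path from the same partition prefix the passthrough data group uses rather than a literal, and confirm with tmsh that a data group of that name actually exists in the partition, since nothing in this diff shows it being created.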
143d141
<                                                                               set dflt_pool_edge ""
146,148d143
<                                                                               # Get pool for Edge Class
<                                                                               set dflt_pool_edge [class match -value $servername_lower equals $edge_class]
<
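
Review bot: `set dflt_pool_edge [class match -value $servername_lower equals $edge_class]` raises a runtime Tcl error, aborting the iRule for that connection, if the data group named in `$edge_class` does not exist on the BIG-IP; guard the lookup with `if { [class exists $edge_class] }` and keep the `set dflt_pool_edge ""` default from the hunk above on the other branch, so a missing or renamed data group degrades to the previous behaviour instead of a TCL error in /var/log/ltm.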
158c153
<                                                                                       if { ($dflt_pool_edge == "") and ($dflt_pool_passthrough == "") } then {
---
>                                                                                       if { $dflt_pool_passthrough == "" } then {
161,165c156
<                                                                                               if { $dflt_pool_edge ne "" } {
<                                                                                                       pool $dflt_pool_edge
<                                                                                               } else {
<                                                                                                       pool $dflt_pool_passthrough
<                                                                                               }
---
>                                                                                               pool $dflt_pool_passthrough
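
Review bot: the `if { $dflt_pool_edge ne "" } { pool $dflt_pool_edge } else { pool $dflt_pool_passthrough }` ordering silently prefers the edge pool when a host name is present in both data groups; put that precedence in a comment. More importantly, this hunk makes the iRule select a pool at CLIENT_DATA for hosts found in the edge data group, which the `>` version never did, so the change is not just quieting the log message but altering where pool selection happens for edge hosts; call that out explicitly when proposing it, and verify with a passthrough Route and an edge Route on the same VS that both still reach the correct backend.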
[root@bigip2:Active:Standalone] tmp #