k8s-bigip-ctlr: --namespace not work as expect

Setup Details

CIS Version : 2.X
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP x.x.x
AS3 Version: 3.x
Agent Mode: AS3/CCCL
Orchestration: K8S/OSCP
Orchestration Version:
Pool Mode: Cluster/Nodeport
Additional Setup details: <Platform/CNI Plugins/ cluster nodes/ etc>

Description

--namespace be used in namespace isolation, which can used to define kubernetes namespaces to watch. Also from document [1],

Kubernetes namespace(s) to watch

  • may be a comma-separated list
  • watches all namespaces by default

But it never work, eg the following config


      args: [
        "--bigip-username=$(BIGIP_USERNAME)",
        "--bigip-password=$(BIGIP_PASSWORD)",
        "--bigip-url=197.14.0.9",
        "--insecure=true",
        "--bigip-partition=k8s",
        "--pool-member-type=cluster",
        "--namespace=test01,test02,test03,test04,test05",
        "--vs-snat-pool-name=SNAT_Pool_MP",
        ]


The above args setting doesn't work, note that `test0*` are namespace in k8s, the controller doesn't watch any of the configured namespace. 

[1] https://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/v1.11/

#### Steps To Reproduce
1)
2)
3)

#### Expected Result 


#### Actual Result  


#### Diagnostic Information
```buildoutcfg
<Configuration files, error messages, logs>
Note: Sanitize the data. For example, be mindful of IPs, ports, application names and URLs
Note: The following F5 article outlines the information required when opening an issue.
https://support.f5.com/csp/article/K60974137
```  

#### Observations (if any)

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 18 (11 by maintainers)

Most upvoted comments

This is working in our env With the creating separate lines of args for each namespace, the CIS logs show it is monitoring those spaces CIS deployment yaml “–namespace=f5-lb”, “–namespace=f5-lb2”,

CIS logs

image

We were able to deploy one user-defined configmap in each of the two namespaces and confirmed that the configuration is pushed to BIGIP

+2
prabhatkarki on Jun 10, 2020

Multiple namespace support:

  • cis supports multiple namespace

To specify multiple namespace, use multiple --namespace flags

eg:

–namespace=default, –namespace=foo

Scenario: configmap in namepace1 and service in namespace2 wont work!! We have no plans to support this!

Behavior on CIS 2.x: CIS processes service endpoint if they are in same namespace as ConfigMap

Note: ConfigMap and service should be in same namespace Note: Same behavior is also verified in CIS 1.14

— Closing issue out —

+1
mdditt2000 on Oct 28, 2020

@kylinsoong The correct way to provide multiple namespaces arg is:

          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            "--bigip-url=197.14.0.9",
            "--insecure=true",
            "--bigip-partition=k8s",
            "--pool-member-type=cluster",
            "--namespace=test01",
            "--namespace=test02",
            "--namespace=test03",
            "--vs-snat-pool-name=SNAT_Pool_MP",
            ]

Please use this way.

+1
agupta49 on Jun 10, 2020
Read more comments on GitHub
← f5-common-python: Add list of supported TMOS versions in the Returned Exception
k8s-bigip-ctlr: AS3 override not getting applied after CIS reboot/recreate in CIS 2.0 →