k8s-bigip-ctlr: F5 configuration not getting updated through F5 CIS AS3

Setup Details

CIS Version : 2.0.0
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 13.1.3
AS3 Version: f5appsvc 3.17.1
Agent Mode: AS3
Orchestration: K8S
Orchestration Version: v1.17.4
Pool Mode: Cluster
Additional Setup details: <Platform/CNI Plugins/ cluster nodes/ etc>

Description

AS3-CIS-F5 update not working, with the following errors:

2020/06/08 20:47:18 [ERROR] [AS3] Response from BIG-IP: code: ERR_REQUEST_FAILED — tenant:Nginx_IC — message: declaration failed
2020/06/08 20:47:18 [ERROR] [AS3] Response from BIG-IP: code: 200 — tenant:k8s-AS3_AS3 — message: no change

I have tried this setup with CIS 2.0.0 and f5appsvc 3.20.0, and also CIS 1.14.0 and f5appsvc 3.17.1. I am using the same working configuration from March, but getting the below error.

nginx SVC config

root@master-1:~# kubectl describe svc nginx-ingress2 -n nginx-ingress
Name: nginx-ingress2
Namespace: nginx-ingress
Labels: cis.f5.com/as3-app=Nginx_IC_vs
        cis.f5.com/as3-pool=Nginx_IC_pool
        cis.f5.com/as3-tenant=Nginx_IC
Annotations: <none>
Selector: app=nginx-ingress
Type: ClusterIP
IP: 10.111.160.103
Port: https 443/TCP
TargetPort: 443/TCP
Endpoints: 10.1.2.191:443
Session Affinity: None
Events: <none>

Configmap for CIS and F5 integration

root@master-1:~# kubectl describe configmap nginx-as3 -n kube-system
Name: nginx-as3
Namespace: kube-system
Labels: as3=true
        f5type=virtual-server
Annotations: <none>

Data
====
template:

{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.13.0",
    "id": "1847a369-5a25-4d1b-8cad-5740988d4423",
    "label": "APP Template",
    "remark": "HTTP application",
    "Nginx_IC": {
      "class": "Tenant",
      "Nginx_IC_vs": {
        "class": "Application",
        "template": "generic",
        "app_80_vs": {
          "class": "Service_HTTP",
          "remark": "app",
          "virtualAddresses": [
            "10.165.36.141"
          ],
          "virtualPort": 80,
          "profileTCP": {
            "bigip": "/Common/f5-tcp-lan"
          },
          "pool": "Nginx_IC_pool"
        },
        "Nginx_IC_pool": {
          "class": "Pool",
          "members": [
            {
              "servicePort": 80,
              "shareNodes": true,
              "serverAddresses": []
            }
          ]
        }
      }
    }
  }
}

Events: <none>

CIS:

root@master-1:~# kubectl describe pod k8s-bigip-ctlr-deployment-6759c46587-tdk79 -n kube-system
Name: k8s-bigip-ctlr-deployment-6759c46587-tdk79
Namespace: kube-system
Priority: 0
Node: worker-2/192.168.5.22
Start Time: Mon, 08 Jun 2020 20:40:16 +0000
Labels: app=k8s-bigip-ctlr
        pod-template-hash=6759c46587
Annotations: <none>
Status: Running
IP: 10.1.2.192
IPs:
  IP: 10.1.2.192
Controlled By: ReplicaSet/k8s-bigip-ctlr-deployment-6759c46587
Containers:
  k8s-bigip-ctlr:
    Container ID: docker://4f4bfd89700af786bfa3920e5287160003a4500370c4e133c159cc33c62ed984
    Image: f5networks/k8s-bigip-ctlr:1.14.0
    Image ID: docker-pullable://f5networks/k8s-bigip-ctlr@sha256:25bdfc947ed4cdd172a68e37c51dbaa8ca87fcbc4d894622b42a260755a2bf68
    Port: <none>
    Host Port: <none>
    Command:
      /app/bin/k8s-bigip-ctlr
    Args:
      --bigip-username=$(BIGIP_USERNAME)
      --bigip-password=$(BIGIP_PASSWORD)
      --bigip-url=https://192.168.5.210
      --bigip-partition=k8s-AS3
      --pool-member-type=cluster
      --agent=as3
      --manage-ingress=false
      --insecure=true
      --as3-validation=true
      --node-poll-interval=30
      --verify-interval=30
      --log-level=INFO
    State: Running
      Started: Mon, 08 Jun 2020 20:40:20 +0000
    Ready: True
    Restart Count: 0
    Environment:
      BIGIP_USERNAME: <set to the key 'username' in secret 'bigip-login'> Optional: false
      BIGIP_PASSWORD: <set to the key 'password' in secret 'bigip-login'> Optional: false
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from bigip-ctlr-token-r6rvn (ro)
Conditions:
  Type Status
  Initialized True
  Ready True
  ContainersReady True
  PodScheduled True
Volumes:
  bigip-ctlr-token-r6rvn:
    Type: Secret (a volume populated by a Secret)
    SecretName: bigip-ctlr-token-r6rvn
    Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
             node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type Reason Age From Message
  Normal Scheduled <unknown> default-scheduler Successfully assigned kube-system/k8s-bigip-ctlr-deployment-6759c46587-tdk79 to worker-2
  Normal Pulling 17m kubelet, worker-2 Pulling image "f5networks/k8s-bigip-ctlr:1.14.0"
  Normal Pulled 17m kubelet, worker-2 Successfully pulled image "f5networks/k8s-bigip-ctlr:1.14.0"
  Normal Created 17m kubelet, worker-2 Created container k8s-bigip-ctlr
  Normal Started 17m kubelet, worker-2 Started container k8s-bigip-ctlr

Expected Result

F5 should receive the updated configuration

Actual Result

No update sent to F5

Diagnostic Information

<Configuration files, error messages, logs>
Note: Sanitize the data. For example, be mindful of IPs, ports, application names and URLs
Note: The following F5 article outlines the information required when opening an issue.
https://support.f5.com/csp/article/K60974137

Observations (if any)

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 16 (9 by maintainers)

Most upvoted comments

Hello Mark,

This is not yet completely fixed, it seems. Here are the new errors with the suggested configuration, CIS 2.0.0 and AS3 3.18.0:

[root@aalmglnams00001 ~] kubectl logs k8s-bigip-ctlr-deployment-b4f4bc578-hpzb7 -n kube-system
2020/06/12 16:02:27 [INFO] [INIT] Starting: Container Ingress Services - Version: 2.0.0, BuildInfo: cloud-user-efcab9e-20200522033624
2020/06/12 16:02:27 [INFO] ConfigWriter started: 0xc0003a8270
2020/06/12 16:02:27 [DEBUG] [CCCL] ConfigWriter (0xc0003a8270) writing section name global
2020/06/12 16:02:27 [DEBUG] [CCCL] ConfigWriter (0xc0003a8270) successfully wrote section (global)
2020/06/12 16:02:27 [DEBUG] [CCCL] ConfigWriter (0xc0003a8270) writing section name bigip
2020/06/12 16:02:27 [DEBUG] [CCCL] ConfigWriter (0xc0003a8270) successfully wrote section (bigip)
2020/06/12 16:02:27 [INFO] Started config driver sub-process at pid: 16
2020/06/12 16:02:27 [INFO] [INIT] Creating Agent for as3
2020/06/12 16:02:27 [DEBUG] [INIT] Invalid trusted-certs-cfgmap option provided.
2020/06/12 16:02:27 [DEBUG] [CORE] Agent Response Worker started and blocked on channel 0xc0000886c0
2020/06/12 16:02:27 [INFO] [AS3] Initializing AS3 Agent
2020/06/12 16:02:27 [DEBUG] [AS3] No certs appended, using only system certs
2020/06/12 16:02:27 [DEBUG] [AS3] Validating AS3 schema with as3-schema-3.18.0-4-cis.json
2020/06/12 16:02:27 [DEBUG] [AS3] posting GET BIGIP AS3 Version request on https://172.23.80.182/mgmt/shared/appsvcs/info
2020/06/12 16:02:28 [DEBUG] [2020-06-12 16:02:28,447 root DEBUG] get WITH uri: https://172.23.80.182:443/mgmt/tm/sys/ AND suffix: AND kwargs: {}
2020/06/12 16:02:28 [DEBUG] [2020-06-12 16:02:28,450 urllib3.connectionpool DEBUG] Starting new HTTPS connection (1): 172.23.80.182:443
2020/06/12 16:03:27 [ERROR] [AS3] REST call error: Get https://172.23.80.182/mgmt/shared/appsvcs/info: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
2020/06/12 16:03:27 [ERROR] [AS3] Internal Error
2020/06/12 16:03:27 [CRITICAL] [INIT] Failed to initialize as3 agent, Internal Error

Thanks
Kunal
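
One way to triage the controller log lines quoted in this thread, as an added example that is not part of the original issue or the CIS project: it separates per-tenant AS3 responses (a declaration problem) from REST transport errors and startup failures (a reachability problem). The function names, the separator handling, and the rule that only code 200 counts as success are assumptions.

```python
import re
from collections import OrderedDict

# Log lines copied from this page (issue body and the comment above).
SAMPLE_LOG = """\
2020/06/08 20:47:18 [ERROR] [AS3] Response from BIG-IP: code: ERR_REQUEST_FAILED — tenant:Nginx_IC — message: declaration failed
2020/06/08 20:47:18 [ERROR] [AS3] Response from BIG-IP: code: 200 — tenant:k8s-AS3_AS3 — message: no change
2020/06/12 16:03:27 [ERROR] [AS3] REST call error: Get https://172.23.80.182/mgmt/shared/appsvcs/info: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
2020/06/12 16:03:27 [CRITICAL] [INIT] Failed to initialize as3 agent, Internal Error
"""

# timestamp, [LEVEL], optional [COMPONENT], message
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (?:\[(\w+)\] )?(.*)$")
# Assumption: fields are separated by the dash shown on this page or by plain hyphens.
SEP = r"\s*(?:\u2014|-{2,3})\s*"
RESPONSE = re.compile(
    r"Response from BIG-IP: code: (\S+)" + SEP + r"tenant:(\S+)" + SEP + r"message: (.*)"
)

def triage(log_text):
    """Return (tenants, transport_errors, fatal) parsed from controller log text."""
    tenants, transport, fatal = OrderedDict(), [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a controller log line
        ts, level, component, msg = m.groups()
        r = RESPONSE.search(msg)
        if r:
            code, tenant, message = r.groups()
            # Latest response per tenant wins. Assumption: only code 200 is success.
            tenants[tenant] = {"ok": code == "200", "code": code,
                               "message": message, "at": ts}
        elif "REST call error" in msg:
            transport.append((ts, msg))  # BIG-IP not reached; no tenant was evaluated
        elif level == "CRITICAL":
            fatal.append((ts, component, msg))
    return tenants, transport, fatal

def failed_tenants(log_text):
    """Names of tenants whose most recent AS3 response was not a success."""
    return [name for name, r in triage(log_text)[0].items() if not r["ok"]]

if __name__ == "__main__":
    tenants, transport, fatal = triage(SAMPLE_LOG)
    for name, r in tenants.items():
        print(name, "OK" if r["ok"] else "FAILED", r["code"], r["message"])
    print("transport errors:", len(transport), "fatal:", len(fatal))
```
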