k8s-bigip-ctlr
Specifying service port by name instead of port number causing pool with 0 members
Setup Details
CIS Version : 2.7.1
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 1.,1
AS3 Version: 3.25
Agent Mode: AS3
Orchestration: K8S
Orchestration Version:
Pool Mode: Nodeport
Additional Setup details: Rancher being used.
Description
Submitting on behalf of a customer. I think this is known by PM but I couldn't find an existing github issue, so I'd like to be able to track any plans to support, or official response from PM if support is not planned.
It appears that named ports within a service are not supported, and actual port numbers are required.
I'm no expert but as you probably already know, it looks like there's a way to discover the port number via DNS.
Steps To Reproduce
If I have a service with named ports (eg, targetPort: insecure-port and targetPort: secure-port), then CIS does not work as expected. If I change the service to use targetPort: 80 and targetPort: 443 instead of the named aliases, then CIS works correctly.
Please let us know if there's any plan to support, and thanks!
@mikeoleary thank you for creating this issue for tracking. Yes this is known

Created Jira CONTCNTR-3203 for PM tracking
+1 I have a customer that has exactly the same problem
Please include TypeLB with the fix. Not only VS and TS. Is there an ETA for this issue?
@mikeoleary @skenderidis - Please verify this issue with CIS 2.8.1. From our internal testing, we found this to be working.
@Vidhi-Pat Please share your findings with CIS 2.8.1 along with test YAML.
@mikeoleary @skenderidis - Please share the YAML manifests so that we can try them in our test environment. Thank you.
@Vidhi-Pat Let's test their YAML manifests in our test env and share our findings.
Thanks for looking into this @trinaths. It has been a few months since I submitted this issue so I have forgotten which customer hit this, but I remember it was a known issue by Mark Dittmer.
I have just done some testing with CIS v 2.7.1 and 2.8.1 and here are my findings:
- I can reproduce this issue only with service of type NodePort. Here is an example of a service which will reproduce the issue. Note spec.type and spec.ports[0].targetPort
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
  labels:
    cis.f5.com/as3-tenant: nginx-ingress
    cis.f5.com/as3-app: MyApps
    cis.f5.com/as3-pool: ingresstls_pool
spec:
  type: NodePort ## this must be NodePort. ClusterIP works fine.
  ports:
  - name: http
    port: 80
    targetPort: mycrazyalias ## This matches the name of the port in the pod (or deployment).
    protocol: TCP
  selector:
    app: nginx-ingress
```
- Testing with named ports and service of type ClusterIP was successful.
- The issue was present in both CIS 2.7.1 (when I submitted the issue) and CIS 2.8.1 (as you requested).
- I did not test with service of type LoadBalancer, so please consider this when planning a fix. Thanks!
I tested with TypeLB and it also doesn't work. I am happy to share the manifests but I think what Mike has shared should be enough.
Re-opening the issue as it's still not fixed.
Hi @trinaths or @mdditt2000, I have had another customer hit this issue where "named ports" in service definitions are not supported by CIS. It took us a few days to troubleshoot their issue because some of their services used named ports and others didn't. Can we get a status update on when named ports will be fully supported by CIS?
Closing as fixed in 2.12.
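For clusters still running a CIS release older than the 2.12 fix, the following added example (not code from this thread or from CIS) lists CIS-labelled NodePort and LoadBalancer Services that use a named targetPort, which is the combination reported above. It assumes input in the shape of `kubectl get svc -A -o json`; the helper `_svc` and the sample services other than nginx-ingress are constructed for illustration.

```python
import json

# Service types reported as affected in the thread; ClusterIP worked.
AFFECTED_TYPES = {"NodePort", "LoadBalancer"}
CIS_POOL_LABEL = "cis.f5.com/as3-pool"  # label used in the manifest above


def named_target_ports(service_list):
    """Return (namespace, name, type, port name, targetPort) for each port
    with a named targetPort on a CIS-labelled Service of an affected type."""
    findings = []
    for svc in service_list.get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        if spec.get("type", "ClusterIP") not in AFFECTED_TYPES:
            continue
        if CIS_POOL_LABEL not in (meta.get("labels") or {}):
            continue
        for port in spec.get("ports", []):
            target = port.get("targetPort", port.get("port"))
            # The API serialises a named targetPort as a JSON string and a
            # numeric one as an integer.
            if isinstance(target, str):
                findings.append((meta.get("namespace"), meta.get("name"),
                                 spec["type"], port.get("name"), target))
    return findings


def _svc(name, svc_type, target):
    """Build a constructed sample Service (hypothetical helper)."""
    return {"metadata": {"name": name, "namespace": "nginx-ingress",
                         "labels": {CIS_POOL_LABEL: "ingresstls_pool"}},
            "spec": {"type": svc_type,
                     "ports": [{"name": "http", "port": 80,
                                "targetPort": target}]}}


# Constructed sample: only the first entry mirrors the manifest in the thread.
SAMPLE = {"kind": "List", "items": [
    _svc("nginx-ingress", "NodePort", "mycrazyalias"),
    _svc("demo-clusterip", "ClusterIP", "mycrazyalias"),
    _svc("demo-numeric", "NodePort", 80),
]}

if __name__ == "__main__":
    import sys
    # Pass a file saved from `kubectl get svc -A -o json`, or run on SAMPLE.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ns, name, typ, pname, target in named_target_ports(data):
        print(f"{ns}/{name} ({typ}) port {pname!r} -> targetPort {target!r}")
```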