Description
Setup Details
CIS Version : The latest
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 17.1.2
AS3 Version: 3.56
Agent Mode: AS3
Orchestration: K8S/OSCP
Orchestration Version:
Pool Mode: Cluster/Nodeport
Additional Setup details: <Platform/CNI Plugins/ cluster nodes/ etc>
Description
There should be a protection in place if by mistake another VirtualServer CRD is applied with the same VIP address. Also, the CIS command "kubectl get virtualservers.cis.f5.com -o yaml" does not show the new VirtualServer with the duplicate IP address as having an error, and this breaks the CIS to F5 BIG-IP REST API communication for the other objects as well.

```
niki@master-1:~$ kubectl get virtualservers.cis.f5.com
NAME             HOST   TLSPROFILENAME   HTTPTRAFFIC   IPADDRESS      IPAMLABEL   IPAMVSADDRESS   STATUS   AGE
nginx-vs                                               192.168.1.76               192.168.1.76    ERROR    24h
vs-hello                                               192.168.1.77               192.168.1.77    ERROR    4d23h
vs-hello-issue                                         192.168.1.71                                        5m5s
vs-hello-new                                           192.168.1.71               192.168.1.71    ERROR    3d5h
vs-metal                                               192.168.1.77               192.168.1.77    OK       2d19h
niki@master-1:~$ kubectl get virtualservers.cis.f5.com
NAME             HOST   TLSPROFILENAME   HTTPTRAFFIC   IPADDRESS      IPAMLABEL   IPAMVSADDRESS   STATUS   AGE
nginx-vs                                               192.168.1.76               192.168.1.76    OK       24h
vs-hello                                               192.168.1.77               192.168.1.77    OK       4d23h
vs-hello-new                                           192.168.1.71               192.168.1.71    OK       3d5h
vs-metal                                               192.168.1.77               192.168.1.77    OK       2d19h
```
Steps To Reproduce
Create two virtual servers with different "name" values and the same IP address:

```yaml
apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: vs-hello-issue
  namespace: default
  labels:
    f5cr: "true"
spec:
  virtualServerAddress: "192.168.1.71"
  virtualServerHTTPPort: 80
  policyName: sample-policy
  snat: auto
  pools:
  - monitor:
      interval: 10
      recv: ""
      send: "GET /"
      timeout: 31
      type: http
    path: /
    service: hello-world-app-new
    servicePort: 8080
```
Expected Result
To see a better error and not fully break the CIS to BIG-IP communication.
Actual Result
F5 BIG-IP gets config errors under /var/log/restnoded/restnoded.log and the CIS VIPs stop working.
Diagnostic Information
Observations (if any)
This happened not because I did not use the hostGroup feature, which allows VirtualServers to share an IP address if a different hostname is configured, but by mistake.
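A pre-apply check for the situation reported above, as an added example that is not part of the original issue or of the CIS project: it reads the JSON form of `kubectl get virtualservers.cis.f5.com -A -o json` and reports VirtualServer resources that reuse a VIP without a common hostGroup. The sample input is constructed, `find_vip_conflicts` is a hypothetical helper name, and two points are assumptions: an unset `virtualServerHTTPPort` is treated as 80, and sharing counts as intended only when all resources on the address name the same `hostGroup`.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of
# `kubectl get virtualservers.cis.f5.com -A -o json`; names mirror the issue.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "vs-hello-new"},
     "spec": {"virtualServerAddress": "192.168.1.71", "virtualServerHTTPPort": 80}},
    {"metadata": {"namespace": "default", "name": "vs-hello-issue"},
     "spec": {"virtualServerAddress": "192.168.1.71", "virtualServerHTTPPort": 80}},
    {"metadata": {"namespace": "default", "name": "nginx-vs"},
     "spec": {"virtualServerAddress": "192.168.1.76", "virtualServerHTTPPort": 80}},
    # Constructed pair that shares a VIP on purpose through one hostGroup.
    {"metadata": {"namespace": "default", "name": "shop-a"},
     "spec": {"virtualServerAddress": "192.168.1.80", "hostGroup": "shop"}},
    {"metadata": {"namespace": "default", "name": "shop-b"},
     "spec": {"virtualServerAddress": "192.168.1.80", "hostGroup": "shop"}},
]})


def find_vip_conflicts(kubectl_json):
    """Return {(address, port): [namespace/name, ...]} for unintended VIP reuse."""
    by_listener = defaultdict(list)
    for item in json.loads(kubectl_json).get("items", []):
        spec = item.get("spec", {})
        addr = spec.get("virtualServerAddress")
        if not addr:  # no static address in the spec, nothing to compare
            continue
        port = spec.get("virtualServerHTTPPort", 80)  # assumption: default 80
        meta = item["metadata"]
        name = f'{meta.get("namespace", "default")}/{meta["name"]}'
        by_listener[(addr, port)].append((name, spec.get("hostGroup")))

    conflicts = {}
    for listener, members in by_listener.items():
        groups = {group for _, group in members}
        # Assumption: sharing is intended only when every resource on the
        # listener names the same non-empty hostGroup.
        intended = len(groups) == 1 and all(groups)
        if len(members) > 1 and not intended:
            conflicts[listener] = sorted(name for name, _ in members)
    return conflicts


if __name__ == "__main__":
    for (addr, port), names in find_vip_conflicts(SAMPLE).items():
        print(f"duplicate VIP {addr}:{port} -> {', '.join(names)}")
```

Merging a candidate manifest into the live list before calling the function lets a CI job or pre-apply script reject the change before CIS posts it to BIG-IP.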