RFE: Allow default CIS partition to be disabled #3279

Closed
sectoreleven opened this issue Feb 9, 2024 · 4 comments

Comments

@sectoreleven

Title

Allow default CIS partition to be disabled

Description

Add a feature flag to the CIS startup options to allow the default partition to be disabled (or make the bigip-partition configuration parameter optional).

Actual Problem

When exclusively using ConfigMap for CIS, the default partition created by CIS is superfluous. This poses usability and scalability issues in a large environment when multiple clusters are targeting the same BIG-IP device group.

In such a case, each cluster has to be configured with a unique partition name, or else manage concurrency/contention issues if using a single shared partition. Additionally, the number of empty default partitions can become a usability and management problem on the BIG-IP device, both through the GUI and the CLI.

Solution Proposed

Allow CIS administrators to disable the default partition created/used by CIS. This should be an option and not the default.

Option 1:
Make the --bigip-partition configuration parameter optional; if it is omitted from the CIS startup arguments, do not create a default partition.

Option 2:
Add a new --disable-default-partition configuration parameter, defaulting to false. If set to true, do not create a default partition. If set to true and --bigip-partition is also set, throw a startup error.

In either of these cases, it would potentially require additional validation on other startup parameters and state of other resources in the cluster; for example, CRDs would then need to ensure that a partition name is specified or else have CIS skip/error on such.

Alternatives

We are currently utilizing the name of the Kubernetes cluster as part of the default partition name and embedding that into our automation that deploys CIS. However, this is causing the usability problem mentioned above.

Additional context

Our company requires fine-grained control of the BIG-IP configuration and is also using AS3 for configuration outside of Kubernetes. As such, we have chosen to exclusively use ConfigMap as this provides us a single stream of configuration templates. Additionally, as infrastructure operators for our BIG-IP devices, we disable CRDs and Ingress - application teams will utilize our IaC CI/CD AS3 pipeline as a trusted pathway for security and regulatory-compliant load-balancer configuration.

@trinaths
Contributor

@sectoreleven

When exclusively using ConfigMap for CIS, the default partition created by CIS is superfluous. This poses usability and scalability issues in a large environment when multiple clusters are targeting the same BIG-IP device group.

In such a case, each cluster has to be configured with a unique partition name, or else manage concurrency/contention issues if using a single shared partition. Additionally, the number of empty default partitions can become a usability and management problem on the BIG-IP device, both through the GUI and the CLI.

The partition configured is for CIS to configure the objects using the declarative API, AS3. We are not clear on empty default partitions created by CIS.

Please share your use case, CIS config and infra requirements with automation_toolchain_pm@f5.com.

trinaths added the "awaiting response" label and removed the "untriaged" (no JIRA created) label on Feb 11, 2024
@sectoreleven
Author

@trinaths - email has been sent.

trinaths added the "JIRA" label and removed the "awaiting response" label on Feb 13, 2024
@trinaths
Contributor

Created [CONTCNTR-4566] for internal tracking.

vidyasagar-m added a commit to vidyasagar-m/k8s-bigip-ctlr that referenced this issue Mar 6, 2024
vidyasagar-m added a commit to vidyasagar-m/k8s-bigip-ctlr that referenced this issue Mar 6, 2024
vidyasagar-m added a commit that referenced this issue Mar 6, 2024
* #3279 disable default partition

* #3279 update release notes

* fix format

* update release notes
@trinaths
Contributor

Fixed in CIS 2.16.1
