Release Notes

This page contains the release notes for F5 BIG-IP Container Ingress Services. To see older versions of the release notes, see this page.


Added Functionality

  • CIS will not create _AS3 partition anymore.
    • CIS uses single partition (i.e. –bigip-partition) to configure both LTM and NET configuration.
    • Additional AS3 managed partition _AS3 will be removed if it exists.
  • Enhanced performance for lower CPU Utilization with optimized CCCL calls.
  • CIS validates AS3 declarations against AS3 v3.20 schema.
  • CIS supports AS3 versions installed on BIG-IP from v3.18 to latest (v3.20).
  • Added support for:
    • Multiple AS3 ConfigMaps.
    • AS3 label switching in AS3 ConfigMap resource:
      • When set to False, CIS deletes the existing configuration (or) CIS ignores AS3 ConfigMap.
      • When set to True, CIS reads the corresponding AS3 ConfigMap.
    • Added Whitelist feature support for agent AS3 using policy endpoint condition.
      • New annotation “allow-source-range” added parallel to “whitelist-source-range”.
  • Deprecated –userdefined-as3-declaration CIS deployment option as CIS now supports Multiple AS3 ConfigMaps.
  • Custom Resource Definition (CRD) – Alpha available with TLS support.
    • Highlights of this Alpha CRD version:
      • Supports single partition to configure both LTM and NET configuration.
      • Supports both unsecured and TLS CRD.
      • Supports single domain per Virtual server.
      • Supports merging multiple virtual servers into single BIG-IP VIP referring to a single domain.
      • Added Health monitor support.
      • Supports nodelabel in Virtual server CRD.
      • Supports TLSProfile CRD with BIG-IP reference client and server SSL profiles.
      • Supports TLSProfile CRD with K8S secrets reference for client SSL profiles.
      • CRD schema definition for both Virtual server and TLSProfile.
      • CRD examples.
  • The following GitHub repositories have been archived are now read-only. These projects are no longer actively maintained:

Bug Fixes

  • Issue 1420: Enhanced performance for lower CPU Utilization with optimized CCCL calls.
  • Issue 1362: CIS supports HTTP Header with iv-groups.
  • Issue 1388, 1311: CIS properly manages AS3 ConfigMaps when configured with namespace-labels.
  • Issue 1337: CIS supports multiple AS3 Configmaps.
  • Issue 1171: CIS will not create _AS3 partition anymore.

Vulnerability Fixes

CVE Comments
CCVE-2018-5543 CIS Operator uses –credentials-directory by default for BIG-IP credentials

Guidelines for upgrading to CIS 2.1

  • Those migrating from agent CCCL to agent AS3:
    • User should clean up LTM resources in BIG-IP partition created by CCCL before migrating to CIS 2.1. Steps to clean up LTM resources in BIG-IP partition using AS3:
      • Use this POST call: https://<bigip-ip>/mgmt/shared/appsvcs/declare?async=true along with this AS3 declaration.
      • Note: Please modify <big-ip> in above POST call and <bigip-partition> name in the AS3 configuration.


Added Functionality

  • AS3 is the default agent. Use deployment argument --agent to configure CCCL agent.
  • Custom Resource Definition (CRD) – Alpha available with Custom resource virtual-server.
  • Added new optional deployment arguments:
    • --custom-resource-mode (default false) when set true processes custom resources only.
    • --userdefined-as3-declaration for processing user defined AS3 ConfigMap in CIS watched namespaces.
  • AS3 versions newer than 3.18 is required for 2.X releases.
  • CIS is now compatible with:
    • OpenShift 4.3
    • BIG-IP 15.1
    • K8S 1.18
  • Base image upgraded to UBI for CIS Container images.
  • Added Support for:
    • Multiple BIG-IP ClientSSL profiles for a Virtual Server
    • Informer based Override AS3 ConfigMap
    • UserAgent in AS3 Controls object
    • New Attributions Generator - Licensee
    • GO Modules for dependency management
    • HTTPS health monitoring for passthrough and re-encrypt routes

New RH container registry :

Bug Fixes

  • CIS handles requests sent to unknown hosts for Routes using debug messages.
  • CIS handles posting of ‘Overwriting existing entry for backend’ log message frequently when different routes configured in different namespaces.
  • Issue 1233: CIS handles ClientSSL annotation and cert/key logging issues.
  • Issue 1145, 1185, 1295: CIS handles namespace isolation for AS3 ConfigMaps.
  • Issue 1241, 1229: CIS fetches 3.18 AS3 schema locally.
  • Issue 1191: CIS cleans AS3 managed partition when moved to CCCL as agent.
  • Issue 1162: CIS properly handles OpenShift Route admit status.
  • Issue 1160: CIS handles https redirection for ingress which accepts all common names.

Vulnerability Fixes

CVE Comments
CVE-2009-3555 CIS disables renegotiation for all Custom ClientSSL


  • CIS with CCCL as agent, OpenShift A/B route cannot be updated in BIG-IP versions newer than 14.1.X due to data group changes.

Next Upgrade Notes

  • From CIS 2.1, additional AS3 managed partition _AS3 will be removed.