Using AS3 for BIG-IP Orchestration in OpenShift

The k8s-bigip-ctlr can use Application Services 3 (AS3) for BIG-IP orchestration. When using AS3 for BIG-IP orchestration, k8s-bigip-ctlr uses a declarative API to create Local Traffic Management (LTM) objects such as virtual servers, pools, and policies in a unique administrative partition.


Ensure you meet the following requirements:

  • BIG-IP Controller v1.10 or higher when used in OpenShift.
  • BIG-IP system running version v12.1.x or later.
  • BIG-IP system with AS3 v3.11 or higher.
  • A BIG-IP user account with Administrator role.

Enabling AS3 orchestration

You can use these steps to enable AS3 for BIG-IP orchestration:

  1. Include the --agent=as3 option in your Deployment's argument section. For example:

    Note: In this example, k8s-bigip-ctlr creates the partition myPartition_AS3 to store LTM objects such as pools and virtual servers. FDB and static ARP entries are stored in myPartition. These partitions should not be managed manually.

args: [
  2. Start the Controller:

    oc apply -f f5-k8s-bigip-ctlr-openshift.yaml
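
A Deployment manifest that applies step 1, as an added example that is not taken from the original page or from the project's own manifests. The Secret name bigip-login, the service account name, the namespace, and the angle-bracket placeholders are assumptions; the Administrator credentials named in the requirements are read from a Secret instead of being written into the manifest.

```yaml
# Added example: k8s-bigip-ctlr Deployment with AS3 orchestration enabled.
# Names marked "assumed" and <PLACEHOLDER> values are not from the original page.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system                 # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: k8s-bigip-ctlr
  template:
    metadata:
      labels:
        app: k8s-bigip-ctlr
    spec:
      serviceAccountName: bigip-ctlr     # assumed service account
      containers:
        - name: k8s-bigip-ctlr
          # Placeholder tag; the requirements call for Controller v1.10 or higher.
          image: "f5networks/k8s-bigip-ctlr:<VERSION>"
          env:
            # The BIG-IP account has the Administrator role, so keep its
            # credentials in a Secret and out of the manifest and the repository.
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  name: bigip-login      # assumed Secret name
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          # With --agent=as3 the controller stores LTM objects in
          # myPartition_AS3 and FDB/static ARP entries in myPartition.
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            "--bigip-url=<BIGIP_MGMT_ADDRESS>",
            "--bigip-partition=myPartition",
            "--manage-routes=true",
            "--agent=as3"
          ]
```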

Orchestration modes

--agent option    Description
as3               Implements AS3 for BIG-IP orchestration. This option creates an additional partition as <partition>_AS3. The <partition> name is provided by the --bigip-partition=<name> argument.
cccl              Implements Common Controller Core Library for BIG-IP orchestration. This is the default setting.

Supported OpenShift Route Features

Route Termination    Option Values
Passthrough          None
Edge                 None, Allow, Redirect
Reencrypt            None



Known Issues


  • CIS does not update the datagroup of alternate backends when one of the service/deployments is deleted.
  • WAF Policy annotation is restricted to a single namespace.
  • In combination with edge and reencrypt, edge route passes encrypted packets to the backend server, instead of unencrypted packets.


  • The Controller does not overwrite manual changes in controller-managed partitions on BIG-IP. A restart is required.
  • A change in the TLS termination of a route is not detected by the Controller. A restart is required.
  • Changing insecureEdgeTerminationPolicy is not detected by the Controller. A restart is required.
  • Multiple SSL profiles are not supported through annotations.
  • A combination of user-specified SSL certificates and SSL profile annotations is not supported.

AS3 Resources