Forum Discussion

reginaldobo's avatar
Jul 02, 2026

F5 CIS applying iRule from one VirtualServer definition to another

Hi everyone,

I am experiencing a strange behavior with F5 Container Ingress Services (CIS) where an iRule defined in one VirtualServer resource is being applied to a different VirtualServer on BIG-IP.

The setup:

I have two VirtualServer manifests sharing the same IP address and partition, but serving different ports — one for HTTPS (443) and one for HTTP (80).

The HTTP VirtualServer (cis-dev-80) has the iRule /Common/https-301-redirect explicitly defined, which is expected — it redirects HTTP traffic to HTTPS. I'm not using the parameter httpTraffic because I need the http status code 301 instead of 302.

The HTTPS VirtualServer (cis-dev-443) has no iRules defined in its manifest.

# cis-dev-443 — no iRules defined

spec:

  virtualServer

  HTTPSPort: 443

  tlsProfileName:dev-tls-profile

  ...

# cis-dev-80 — iRule intentionally defined here only

spec:

  virtualServerHTTPPort: 80

  iRules: - /Common/https-301-redirect

   ...

The problem:

After CIS reconciles, BIG-IP shows the iRule /Common/https-301-redirect attached to both virtual servers — including cis-dev-443, which should not have it. This causes HTTPS traffic to be redirected back to HTTPS in a loop.

Questions:

  Has anyone else encountered this behavior?

  Does this needs a different configuration?

Any help or pointers to related issues or F5 support articles would be appreciated.

Environment:

  CIS version: 2.20.3

  AS3 version: 3.55.0

  Kubernetes version: v1.22

 

Thanks in advance

No RepliesBe the first to reply