
Agentless Containers overview

Illumio Segmentation for the Cloud Agentless Containers is a solution that monitors your containerized Kubernetes workloads without requiring agents on each node. It’s designed to provide visibility across large, complex, and diverse cloud and hybrid environments, giving Kubernetes administrators full insights into container traffic and workloads.

The intended audience for this topic includes Kubernetes administrators, security professionals, DevOps engineers, and application developers looking to:

  • Extend security across the container lifecycle, including reporting and auditing

For best results, Illumio recommends viewing videos in Chrome.

Supported platforms

Agentless Containers provides visibility into Kubernetes workloads running on the following:

Cloud

  • Amazon EKS

  • Azure AKS

  • Google GKE

On-Premise

  • Self-managed Kubernetes

  • OpenShift

Supported container network interfaces (CNI)

Agentless Containers is a solution that requires a Container Network Interface (CNI). It uses the CNI to ingest pod-level network flows and provide visibility into Kubernetes traffic. Agentless Containers currently supports the following configurations:

  • Cilium with Hubble Relay (recommended option)

    When Cilium is used as the CNI, enabling Hubble allows Agentless Containers to natively ingest network flows for deep visibility and identity-aware traffic analysis.


  • OpenShift OVN-Kubernetes (Open Virtual Networking)

    When OVN-Kubernetes is used as the CNI, the Illumio Segmentation for the Cloud operator becomes an IPFIX collector, allowing you to export from your OBM cluster to the Illumio service. See Configure OpenShift OVN-Kubernetes.

  • Falco Plugin (alternative option)

    As an alternative to Cilium or OpenShift, you can enable Falco to ingest network flows. See Onboard and Offboard Kubernetes Clusters.
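To make concrete what "ingesting pod-level network flows" from a Hubble-enabled Cilium cluster looks like, here is an added example (not Illumio's code and not part of the original page) that parses a handful of constructed flow records in the shape of `hubble observe -o json` output and rolls them up into an identity-aware service map keyed by namespace and app label rather than by pod IP. The field names (`flow`, `verdict`, `l4`, `source`, `destination`, `labels`) are assumed to follow Hubble's flow JSON; the IPs, pod names and verdicts are made up for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in the shape of `hubble observe -o json` output.
# Assumption: field names follow Hubble's flow JSON; all values are invented.
SAMPLE_FLOWS = """\
{"flow":{"time":"2024-01-01T10:00:00Z","verdict":"FORWARDED","IP":{"source":"10.0.1.5","destination":"10.0.2.9"},"l4":{"TCP":{"source_port":43210,"destination_port":8080}},"source":{"namespace":"shop","pod_name":"frontend-7d9f","labels":["k8s:app=frontend"]},"destination":{"namespace":"shop","pod_name":"cart-5b2c","labels":["k8s:app=cart"]},"Type":"L3_L4"}}
{"flow":{"time":"2024-01-01T10:00:01Z","verdict":"FORWARDED","IP":{"source":"10.0.1.5","destination":"10.0.2.9"},"l4":{"TCP":{"source_port":43211,"destination_port":8080}},"source":{"namespace":"shop","pod_name":"frontend-7d9f","labels":["k8s:app=frontend"]},"destination":{"namespace":"shop","pod_name":"cart-5b2c","labels":["k8s:app=cart"]},"Type":"L3_L4"}}
{"flow":{"time":"2024-01-01T10:00:02Z","verdict":"DROPPED","IP":{"source":"10.0.3.4","destination":"10.0.2.9"},"l4":{"TCP":{"source_port":51000,"destination_port":5432}},"source":{"namespace":"dev","pod_name":"debug-shell","labels":["k8s:app=debug"]},"destination":{"namespace":"shop","pod_name":"cart-5b2c","labels":["k8s:app=cart"]},"Type":"L3_L4"}}
{"flow":{"time":"2024-01-01T10:00:03Z","verdict":"FORWARDED","IP":{"source":"10.0.2.9","destination":"10.0.4.2"},"l4":{"TCP":{"source_port":40000,"destination_port":5432}},"source":{"namespace":"shop","pod_name":"cart-5b2c","labels":["k8s:app=cart"]},"destination":{"namespace":"shop","pod_name":"postgres-0","labels":["k8s:app=postgres"]},"Type":"L3_L4"}}
{"flow":{"time":"2024-01-01T10:00:04Z","verdict":"FORWARDED","IP":{"source":"10.0.1.5","destination":"10.0.4.2"},"l4":{"UDP":{"source_port":5353,"destination_port":53}},"source":{"namespace":"shop","pod_name":"frontend-7d9f","labels":["k8s:app=frontend"]},"destination":{"namespace":"kube-system","pod_name":"coredns-abc","labels":["k8s:k8s-app=kube-dns"]},"Type":"L3_L4"}}
"""


def app_identity(endpoint):
    """Derive a stable 'namespace/app' identity from a Hubble endpoint record.

    Uses the k8s:app= label (or k8s:k8s-app= for system components) so that
    pod restarts and IP churn do not fragment the map; falls back to pod name.
    """
    ns = endpoint.get("namespace", "?")
    for label in endpoint.get("labels", []):
        for prefix in ("k8s:app=", "k8s:k8s-app="):
            if label.startswith(prefix):
                return f"{ns}/{label[len(prefix):]}"
    return f"{ns}/{endpoint.get('pod_name', '?')}"


def parse_flows(text):
    """Parse newline-delimited Hubble JSON into (src, dst, proto, dport, verdict) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        flow = json.loads(line)["flow"]
        # l4 holds exactly one key (TCP, UDP, ...) with its port fields.
        proto, ports = next(iter(flow.get("l4", {}).items()), ("?", {}))
        records.append((
            app_identity(flow["source"]),
            app_identity(flow["destination"]),
            proto,
            ports.get("destination_port"),
            flow.get("verdict", "UNKNOWN"),
        ))
    return records


def summarize(records):
    """Aggregate flows into an identity-aware service map.

    Returns {(src, dst, proto, dport): Counter({verdict: n})}, i.e. one edge per
    talking pair and port with how often Cilium forwarded or dropped it.
    """
    summary = defaultdict(Counter)
    for src, dst, proto, dport, verdict in records:
        summary[(src, dst, proto, dport)][verdict] += 1
    return dict(summary)


def cross_namespace_drops(records):
    """Dropped flows whose source and destination namespaces differ.

    These are the edges a reviewer would look at first when checking whether
    observed traffic matches the intended segmentation.
    """
    return [r for r in records
            if r[4] == "DROPPED" and r[0].split("/")[0] != r[1].split("/")[0]]


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    for key, verdicts in sorted(summarize(recs).items()):
        print(key, dict(verdicts))
    print("cross-namespace drops:", cross_namespace_drops(recs))
```

Keying the map on labels rather than pod IPs is the "identity-aware" part: the two frontend-to-cart flows collapse into a single edge with a count of 2 even though they came from different source ports, and the one dropped flow from the `dev` namespace stands out as a separate cross-namespace edge.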

Agentless Containers benefits

This solution allows rapid onboarding of Kubernetes clusters to Illumio Segmentation for the Cloud, and reduces time and complexity. You can:

  • Simplify onboarding by eliminating the need for agents on nodes

  • Integrate Illumio Segmentation for the Cloud with your existing cloud-native tools and infrastructure on large, distributed, multi-cloud environments

  • Eliminate the dependency on iptables and underlying Kubernetes infrastructure

Onboarding and managing your Kubernetes clusters

For directions on using Illumio Segmentation for the Cloud to onboard and offboard your Kubernetes clusters, see Onboard and Offboard Kubernetes Clusters.

Viewing and managing your Kubernetes inventory

Illumio Segmentation for the Cloud lets you identify and protect clusters in your environment. You can filter Kubernetes resources by resource type, region, and other parameters.

See Kubernetes Resources Inventory.

Using the Kubernetes Map View

See Navigating the Map Kubernetes View.

Viewing your Kubernetes traffic visibility

See Search traffic.

Agentless Containers limitations

  • Network policies are not supported at the time of writing

  • Cluster and node-level policy enforcement is not available for on-premise environments