Agentless Containers overview
Illumio Segmentation for the Cloud Agentless Containers is a solution that monitors your containerized Kubernetes workloads without requiring agents on each node. It’s designed to provide visibility across large, complex, and diverse cloud and hybrid environments, giving Kubernetes administrators full insights into container traffic and workloads.
The intended audience for this topic includes Kubernetes administrators, security professionals, DevOps engineers, and application developers looking to:
Extend security across the container lifecycle, including reporting and auditing
Supported platforms
Agentless Containers provides visibility into Kubernetes workloads running on the following:
Cloud
Amazon EKS
Azure AKS
Google GKE
Oracle Cloud OKE
On-Premise
Self-managed Kubernetes
OpenShift
Supported container network interfaces (CNI)
Agentless Containers is a solution that requires a Container Network Interface (CNI) plugin. It uses the CNI plugin to ingest pod-level network flows, get traffic flow data, and provide visibility into Kubernetes traffic. Agentless Containers currently supports the following configurations:
Cilium with Hubble Relay (recommended option)
For Cilium you must enable Hubble Relay. When Cilium is used as the CNI plugin, enabling Hubble allows Agentless Containers to natively ingest network flows for deep visibility and identity-aware traffic analysis.
OpenShift OVN-Kubernetes (Open Virtual Networking)
When OVN-Kubernetes is used as the CNI plugin, the Illumio Segmentation for the Cloud operator acts as an IPFIX collector, allowing you to export IPFIX flow records from your OVN-Kubernetes cluster to the Illumio service. See Configure OpenShift OVN-Kubernetes.
OKE with Cilium CNI
For Oracle OKE, the operator only supports the Cilium CNI plugin. See Use Cilium to Provide Networking Services in Oracle Cloud Infrastructure Container Engine for Kubernetes.
GKE Dataplane V2
For GKE Standard clusters, Illumio requires enabling Dataplane V2 with Enable Observability (Dataplane V2).
For GKE Autopilot clusters, Dataplane V2 is the default and immutable CNI, and Illumio requires Enable Observability (Dataplane V2).
Ingesting Network Flows Only
Falco Plugin (alternative option)
Though Falco is not a CNI plugin, you can enable it as an alternative to Cilium or OpenShift OVN-Kubernetes to ingest network flows. See Onboard and Offboard Kubernetes Clusters.
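The Cilium with Hubble Relay option above relies on Hubble's pod-level flow records, which carry the Kubernetes identity (namespace and labels) of both endpoints and the policy verdict for each flow. The following is an added example, not Illumio's or Cilium's own code, that shows what "identity-aware traffic analysis" over such records looks like in practice: it aggregates flow records into workload-to-workload edges and lists the edges where traffic was dropped. The sample records are constructed to follow the shape of `hubble observe -o json` output (the `flow.source`, `flow.destination`, `flow.l4` and `flow.verdict` fields); the field names and the `k8s:app=` label convention are the only assumptions made.

```python
"""Aggregate Hubble-style flow records into an identity-aware traffic summary.

Added example, not Illumio's or Cilium's code. The records below are constructed
to follow the JSON shape of `hubble observe -o json`; the field names used
(flow.source/destination.namespace, .labels, .pod_name, flow.l4.TCP|UDP
.destination_port, flow.verdict) are assumed from the Hubble flow API.
"""
import json
from collections import defaultdict

# Constructed sample: two forwarded frontend->backend flows, one dropped
# frontend->db flow, and a node_status record that Hubble also emits.
_SAMPLE_RECORDS = [
    {"flow": {"verdict": "FORWARDED",
              "source": {"namespace": "shop", "pod_name": "frontend-7d9",
                         "labels": ["k8s:app=frontend", "k8s:io.kubernetes.pod.namespace=shop"]},
              "destination": {"namespace": "shop", "pod_name": "backend-5c2",
                              "labels": ["k8s:app=backend"]},
              "l4": {"TCP": {"source_port": 51122, "destination_port": 8080}}}},
    {"flow": {"verdict": "FORWARDED",
              "source": {"namespace": "shop", "pod_name": "frontend-7d9",
                         "labels": ["k8s:app=frontend"]},
              "destination": {"namespace": "shop", "pod_name": "backend-5c2",
                              "labels": ["k8s:app=backend"]},
              "l4": {"TCP": {"source_port": 51123, "destination_port": 8080}}}},
    {"flow": {"verdict": "DROPPED",
              "source": {"namespace": "shop", "pod_name": "frontend-7d9",
                         "labels": ["k8s:app=frontend"]},
              "destination": {"namespace": "shop", "pod_name": "db-0",
                              "labels": ["k8s:app=db"]},
              "l4": {"TCP": {"source_port": 51124, "destination_port": 5432}}}},
    {"node_status": {"state_change": "NODE_CONNECTED"}},
]
SAMPLE_LINES = [json.dumps(r) for r in _SAMPLE_RECORDS]


def workload_identity(endpoint):
    """Reduce an endpoint to 'namespace/app', falling back to the pod name.

    Grouping by label rather than pod name is what makes the view identity
    aware: replicas and restarted pods collapse into one workload.
    """
    labels = endpoint.get("labels", [])
    app = next((l.split("=", 1)[1] for l in labels if l.startswith("k8s:app=")), None)
    return f"{endpoint.get('namespace', '')}/{app or endpoint.get('pod_name', '?')}"


def l4_port(flow):
    """Return (protocol, destination_port) for TCP/UDP flows, else (None, None)."""
    l4 = flow.get("l4", {})
    for proto in ("TCP", "UDP"):
        if proto in l4:
            return proto, l4[proto].get("destination_port")
    return None, None


def summarize(lines):
    """Aggregate JSON flow lines into {(src, dst, proto, port): counters}."""
    edges = defaultdict(lambda: {"flows": 0, "forwarded": 0, "dropped": 0})
    for line in lines:
        rec = json.loads(line)
        flow = rec.get("flow")
        if not flow:
            continue  # skip node_status / lost_events records
        key = (workload_identity(flow["source"]),
               workload_identity(flow["destination"]),
               *l4_port(flow))
        counters = edges[key]
        counters["flows"] += 1
        if flow.get("verdict") == "FORWARDED":
            counters["forwarded"] += 1
        elif flow.get("verdict") == "DROPPED":
            counters["dropped"] += 1
    return dict(edges)


def denied_edges(summary):
    """Edges with at least one DROPPED flow: the traffic a policy is blocking."""
    return sorted(k for k, c in summary.items() if c["dropped"] > 0)


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for edge, c in sorted(s.items()):
        print(edge, c)
    print("denied:", denied_edges(s))
```

Feeding real `hubble observe -o json` output line by line into `summarize` gives the same workload-level edge list, which is the raw material a visibility tool turns into a traffic map; the `denied_edges` view is the quickest way to spot a policy that is dropping traffic a workload actually needs.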
Agentless Containers benefits
This solution allows rapid onboarding of Kubernetes clusters to Illumio Segmentation for the Cloud, and reduces time and complexity. You can:
Simplify onboarding by eliminating the need for agents on nodes
Integrate Illumio Segmentation for the Cloud with your existing cloud-native tools and infrastructure on large, distributed, multi-cloud environments
Eliminate the dependency on iptables and other Kubernetes node-level subsystems
Onboarding and managing your Kubernetes clusters
For directions on using Illumio Segmentation for the Cloud to onboard and offboard your Kubernetes clusters, see Onboard and Offboard Kubernetes Clusters.
Viewing and managing your Kubernetes inventory
Illumio Segmentation for the Cloud lets you identify and protect clusters in your environment. You can filter Kubernetes inventory by resource type, region, and other parameters.
Using the Kubernetes Map View
Viewing your Kubernetes traffic visibility
See Search traffic.
Agentless Containers limitations
Network policies are not supported at the time of writing
Cluster and node-level policy enforcement is not available for on-premise environments
Instance linking isn't supported for GKE Autopilot clusters in Illumio because Google fully manages the worker nodes and doesn't expose the underlying VM instances. Since those instances aren't visible, Illumio can't establish the required cloud-to-Kubernetes instance mapping.