Onboard and Offboard Kubernetes Clusters
This section describes how to onboard and offboard Kubernetes clusters to and from Illumio Cloud. For an overview of Agentless Containers, see Agentless Containers overview.
Kubernetes Administrators can onboard containerized infrastructure to Illumio Cloud with little time and effort. The onboarding wizard improves consistency and reduces repetitive manual configuration tasks for new Kubernetes clusters. Agentless Containers gives you visibility into your inventory, applications, network traffic, and Kubernetes resources, providing deeper visibility and stronger security controls for containerized workloads.
The Kubernetes Clusters tab shows managed clusters organized by regions. An Illumio region is a designated cloud region where onboarded Kubernetes clusters connect for enhanced visibility and control. Select the nearest Illumio Region for each cluster to optimize performance and security.
Note
Prerequisites:
Onboard your cloud account. This automatically ingests your cloud-managed Kubernetes clusters. Note that at this point, Illumio can only see the cluster, not what is inside the cluster.
If the account has cloud-managed Kubernetes clusters, click the Kubernetes Clusters tab on the Onboarding page.
Caution
You can only download a given credential (.yaml file) once.
Create a New Onboarding Credential
After your clusters are automatically ingested during cloud account onboarding, follow these steps to create credentials. These credentials connect the cluster to the Illumio data plane in the selected region, enabling visibility into the cluster’s contents.
If you have cloud-managed clusters, browse to the Onboarding page and click a region tile.
Note
If you don't have any cloud-managed clusters in a specific region, but want to onboard clusters to an Illumio region, click the Onboard other Illumio regions tile instead.
To onboard credentials, click Add in the Onboarding credentials section. This launches the Kubernetes cluster onboarding wizard. The first part is credential creation, and the second part is cluster onboarding.
In the credential part of the wizard, fill out the required fields and any optional fields and click Save. This creates the onboarding credential and takes you to the onboard cluster instructions part of the wizard. You can use a single onboarding credential to onboard multiple clusters within the selected Illumio region. You can only download a given credential once. Credential creation fields include the following:
Onboarding Credential Name (required)
Description (optional)
Illumio Region (required): this is the region for the tile you clicked in step 1.
Click Save.
In the cluster onboarding step of the wizard, be sure to download the Helm values (.yaml) file. Once the wizard is closed, you won’t be able to download it again. The .yaml files are available for download only when creating new credentials.
From your Helm deployment environment, configure Helm to connect to the Kubernetes cluster. Refer to Helm documentation for details.
Copy the Illumio Cloud deployment command and run it using Helm from outside the cluster, making sure it targets the desired Kubernetes cluster.
Copy the command for confirming the deployment and pairing, and run it in your Helm deployment environment. When you have confirmed the deployment and pairing, click Done in the wizard.
You have now onboarded your Kubernetes cluster to Illumio Cloud. To see statistics for it, browse to the Inventory page. See Kubernetes Resources Inventory. To see a visualization of it, browse to the Cloud Map. See Navigating the Map Kubernetes View.
Note
If you are onboarding an Amazon EKS cluster using the AWS VPC CNI and require visibility into network flows, deploying Falco is required. As per the vendor's recommendation, Falco should be used alongside the AWS CNI to enhance security monitoring and network flow analysis in your EKS environment.
Before adding configuration values to your credentials file, add the namespace "falco" using the following kubectl command:
kubectl create ns falco
To ensure seamless integration, include the following configurations in your credentials file:
illumio-cloud-operator-values-xxxxxx.yaml
falco:
  enabled: true
onboardingSecret: ....
Click Done. The cluster status changes to onboarded, and the last connection time is updated. Illumio can now see the Kubernetes resources and traffic for the cluster.
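A pre-deployment check for the edited values file, added here as an example (not Illumio's own tooling): the hypothetical check_values_file helper confirms the file is accessible only to its owner, still contains the onboardingSecret key, and sets falco.enabled to true. The sample file and its placeholder secret are constructed, and treating onboardingSecret as a top-level key is an assumption.

```shell
#!/bin/sh
# Added example: check a downloaded Helm values file before deploying.
# check_values_file is a hypothetical helper, not an Illumio tool.

check_values_file() {
    f=$1
    problems=0

    [ -f "$f" ] || { echo "missing file: $f"; return 2; }

    # The file carries onboardingSecret, so group/other must have no access.
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perms" in
        *00) ;;
        *) echo "permissions $perms too broad; run: chmod 600 $f"
           problems=$((problems + 1)) ;;
    esac

    # The credential must still be present after hand-editing (assumed top-level).
    grep -q '^onboardingSecret:' "$f" || {
        echo "top-level onboardingSecret key not found"
        problems=$((problems + 1))
    }

    # enabled: true only counts when nested under the top-level falco key.
    awk '
        /^[^ \t#]/ { section = $1 }
        section == "falco:" && /^[ \t]+enabled:[ \t]*true[ \t]*$/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$f" || {
        echo "falco.enabled is not set to true"
        problems=$((problems + 1))
    }

    [ "$problems" -eq 0 ]
}

# Constructed sample standing in for illumio-cloud-operator-values-xxxxxx.yaml.
sample=$(mktemp)
printf 'falco:\n  enabled: true\nonboardingSecret: "CONSTRUCTED-PLACEHOLDER"\n' > "$sample"
chmod 600 "$sample"
check_values_file "$sample" && echo "values file OK"
rm -f "$sample"
```

Because a credential can be downloaded only once, run the check against the file you actually pass to Helm, and keep that file out of shared directories and version control.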
Onboard a Kubernetes Cluster Using an Existing Credential
To onboard additional clusters using a previously created credential, follow these steps. For example, if you initially onboarded 10 clusters during your cloud account setup, you might now want to onboard 15 more in the same region. These steps allow you to reuse the same .yaml credential file that you previously downloaded. The wizard provides a Helm command that uses this credential to onboard the new clusters.
To onboard all the clusters for a region, browse to the Onboarding page, click the region tile, and click Onboard. To onboard individual clusters for a region, click the region tile, click a cluster, and click Onboard.
This launches a Kubernetes cluster onboarding wizard that is slightly different from the one used to add new credentials. The first part is credential selection, and the second part is cluster onboarding.
In the credential part of the wizard, select an existing credential from the dropdown menu and click Next.
Configure Helm to connect to the Kubernetes cluster.
Copy the Illumio Cloud deployment command and run it using Helm from outside the cluster, making sure it targets the desired cluster.
Copy the command for confirming the deployment, and run it in your Helm deployment environment. When you have confirmed the deployment, click Done in the wizard.
You have now onboarded your additional Kubernetes cluster to Illumio Cloud using the same credentials (.yaml) file you downloaded. To see statistics for the cluster, browse to the Inventory page. See Kubernetes Resources Inventory. To see a visualization of the cluster, browse to the Cloud Map. See Navigating the Map Kubernetes View.
Disable a Kubernetes Cluster
Browse to the Onboarding > Kubernetes Clusters tab.
Click the tile for the region containing the cluster you want to disable.
In the Clusters section, click the checkbox next to the cluster and click Disable. To reenable it, click the checkbox and click Enable.
Offboard a Kubernetes Cluster
Use the following steps to offboard a Kubernetes cluster. Offboarding removes all of the cluster's workloads from Inventory but does not completely remove the cluster from Illumio Cloud. To completely remove a Kubernetes cluster after you have offboarded it, see Remove an Offboarded Kubernetes Cluster.
Browse to the Onboarding > Kubernetes Clusters tab.
Click the tile for the region containing the cluster you want to offboard.
In the Clusters section, click the checkbox next to the cluster and click Off-board. In the dialog that appears, click Off-board.
Remove an Offboarded Kubernetes Cluster
Offboarding a cluster removes it from Inventory, but does not completely remove it. Illumio recommends that you remove offboarded clusters. To remove offboarded clusters:
Open your Helm console (or a different environment console if you used one to onboard the cluster originally) and run the following command:
helm uninstall illumio -n illumio-cloud
Remove an Onboarding Credential
After you have created credentials to onboard clusters, you can remove them for security purposes. Use the following steps to remove a credential:
Browse to the Onboarding > Kubernetes Clusters tab.
Click the tile for the region containing the cluster that has the credential you wish to remove.
In the Onboarding Credentials section, click the checkbox next to the credential and click Remove. In the dialog that appears, click Remove.
This removes the credential without affecting any clusters you previously onboarded with this credential.
Other Agentless Container Solutions documentation
For Kubernetes Clusters in Inventory, see Kubernetes Resources Inventory.
For Kubernetes Clusters in Cloud Map, see Navigating the Map Kubernetes View.
For Kubernetes Clusters in Traffic, see Search traffic.