Illumio Segmentation for Kubernetes

What's New in the 5.1.0 Release

The following are new and changed items in the 5.1.0 release from the previous releases of C-VEN and Kubelink:

  • New CLAS architecture option

    Kubelink can now be deployed with a Cluster Local Actor Store (CLAS) module, which manages flows from C-VENs to the PCE and policies from the PCE to C-VENs. The CLAS-enabled Kubelink itself tracks individual pods as they are created or destroyed, instead of this being communicated directly to the PCE. To migrate from an existing (non-CLAS) environment to a CLAS-enabled one, set the clusterMode parameter to migrateLegacyToClas in your deployment YAML file (typically named illumio-values.yaml). See the README.md file accompanying the Helm Chart for full details on this and other Helm Chart parameters.

  • Workloads more closely match Kubernetes architecture

    In CLAS-enabled environments, workloads are now conceptually tied to their containers, instead of being referred to in the context of their pods, which more closely matches Kubernetes practice. To reflect this change, such workloads in CLAS environments are called Kubernetes Workloads, regardless of what containers have been spun up or destroyed to run the applications. In non-CLAS environments, the existing term Container Workloads is still used as in prior releases, corresponding to Pods. In mixed environments (with both non-CLAS and CLAS-enabled clusters), the PCE UI shows both Container Workloads and Kubernetes Workloads, as appropriate.

  • Degraded mode for CLAS-enabled Kubelink

    If a CLAS-enabled Kubelink detects that its connection with the PCE has become unavailable (for example, due to connectivity problems or an upgrade), Kubelink by default enters a degraded mode. In this degraded mode, new Pods of existing Kubernetes Workloads get the latest policy version cached in CLAS storage. When Kubelink detects a new Kubernetes Workload with exactly the same label sets and in the same namespace as an existing Kubernetes Workload, Kubelink delivers the existing, cached policy to the Pods of this new Workload. If Kubelink cannot find a cached policy (that is, when the labels of a new Workload do not match those of any existing Workload in the same namespace), Kubelink delivers a “fail open” or “fail closed” policy based on the Helm Chart parameter degradedModePolicyFail. Degraded mode can also be turned on or off with the Helm Chart parameter disableDegradedMode.

  • Illumio annotations in CLAS mode specified on the workload and not on the Pod's template

    Illumio annotations when in CLAS mode are now specified on the Kubernetes Workload and not on the pod's template.

  • Docker support dropped

    The Docker CRI is no longer supported as of the 5.0.0 release of Illumio Core for Kubernetes.
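
The degraded-mode item above describes a lookup rule with security consequences: a workload inherits cached policy only on an exact label-set match in the same namespace, and everything else falls through to the configured fail-open or fail-closed behaviour. The following Python model is an added illustration, not Illumio code. The class and function names, the policy strings, and the "fail-open"/"fail-closed" constants are hypothetical stand-ins and are not the Helm Chart's actual parameter values.

```python
from dataclasses import dataclass

# Stand-ins for the two degradedModePolicyFail outcomes (constructed values).
FAIL_OPEN, FAIL_CLOSED = "fail-open", "fail-closed"


@dataclass(frozen=True)
class Workload:
    name: str
    namespace: str
    labels: frozenset  # exact set of (key, value) label pairs


def wl(name, namespace, **labels):
    return Workload(name, namespace, frozenset(labels.items()))


class ClasPolicyCache:
    """Model of the CLAS cache: latest policy per (namespace, exact label set)."""

    def __init__(self, degraded_mode_policy_fail):
        if degraded_mode_policy_fail not in (FAIL_OPEN, FAIL_CLOSED):
            raise ValueError("unknown fallback")
        self.fallback = degraded_mode_policy_fail
        self._by_identity = {}

    def store(self, workload, policy):
        # Called while the PCE is reachable; a newer version overwrites the old.
        self._by_identity[(workload.namespace, workload.labels)] = policy

    def degraded_policy(self, workload):
        """Return (policy, source) for a workload seen while the PCE is down."""
        cached = self._by_identity.get((workload.namespace, workload.labels))
        if cached is not None:
            return cached, "cache"
        return self.fallback, "fallback"


def demo(fallback):
    cache = ClasPolicyCache(fallback)
    cache.store(wl("web", "shop", app="web", env="prod"), "policy-v7")
    seen = [  # constructed workloads appearing during the outage
        wl("web-canary", "shop", app="web", env="prod"),     # same labels, same ns
        wl("web", "staging", app="web", env="prod"),         # same labels, other ns
        wl("web-debug", "shop", app="web", env="prod", debug="1"),  # extra label
    ]
    return [cache.degraded_policy(w) for w in seen]


if __name__ == "__main__":
    for mode in (FAIL_OPEN, FAIL_CLOSED):
        print(mode, demo(mode))
```

Only the first workload inherits the cached policy; the namespace mismatch and the extra label both land on the fallback, which is why the choice between fail open and fail closed decides what unlabeled or newly labeled workloads can reach during a PCE outage.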