
Illumio Segmentation (formerly Illumio Core) for Kubernetes

Rules for Persistent Storage

This section only applies to deployments that require communication with external storage nodes (over NFS, iSCSI, or similar protocols) for persistent storage. If the cluster or its Pods depend on external storage, you need a policy that allows outbound communication to the storage node. The storage node can be represented as an unmanaged workload or as an IP list.

The following is an example of an outbound policy to an NFS node, which is represented by an IP list.

Kubernetes

The following is an example of an outbound policy to an NFS node, which is represented by an IP list:

Example Ruleset 1

Scope

| Application | Environment | Location | Notes |
|---|---|---|---|
| Kubernetes Infrastructure | Development | Cloud | Kubernetes cluster |

Intra-Scope Rule

| Source | Source Service | Destination | Notes |
|---|---|---|---|
| NFS Storage (IP List) | TCP 2049 | All Workloads | All Kubernetes nodes and infrastructure Pods can communicate outbound to NFS over the NFS TCP port. |

Example Ruleset 2

Scope

| Application | Environment | Location | Notes |
|---|---|---|---|
| ERP | Development | Cloud | From httpd example |

Intra-Scope Rule

| Source | Source Service | Destination | Notes |
|---|---|---|---|
| NFS Storage (IP List) | TCP 2049 | All Workloads | All Pods can talk outbound to NFS over the NFS TCP port. |

OpenShift

The following is an example of an outbound policy to an NFS node, which is represented by an IP list:

Example Ruleset 1

Scope

| Application | Environment | Location | Notes |
|---|---|---|---|
| OpenShift Infrastructure | Development | Cloud | OpenShift cluster |

Intra-Scope Rule

| Source | Source Service | Destination | Notes |
|---|---|---|---|
| NFS Storage (IP List) | TCP 2049 | All Workloads | All OpenShift nodes and infrastructure Pods can communicate outbound to NFS over the NFS TCP port. |

Example Ruleset 2

Scope

| Application | Environment | Location | Notes |
|---|---|---|---|
| ERP | Development | Cloud | From httpd example |

Intra-Scope Rule

| Source | Source Service | Destination | Notes |
|---|---|---|---|
| NFS Storage (IP List) | TCP 2049 | All Workloads | All Pods can talk outbound to NFS over the NFS TCP port. |
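As an added illustration (not from the Illumio documentation or the PCE itself), the following Python models the example rulesets above in simplified form: a flow is allowed when the source workload's labels match a ruleset's scope, the destination address is in the NFS IP list, and the service is exactly TCP 2049. It shows why the infrastructure ruleset alone does not cover ERP Pods and why a second ruleset with the ERP scope is needed. The IP list contents and workload labels are constructed placeholders, and the evaluation is a simplified model of scope and IP-list matching, not Illumio's enforcement logic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Scopes of the example rulesets on this page (Application, Environment, Location).
RULESET_SCOPES = {
    "Kubernetes Ruleset 1": {"app": "Kubernetes Infrastructure", "env": "Development", "loc": "Cloud"},
    "OpenShift Ruleset 1":  {"app": "OpenShift Infrastructure",  "env": "Development", "loc": "Cloud"},
    "Ruleset 2 (ERP)":      {"app": "ERP",                       "env": "Development", "loc": "Cloud"},
}

# Constructed stand-in for the "NFS Storage (IP List)" entry; placeholder
# addresses chosen for this example, not taken from the original page.
NFS_STORAGE_IP_LIST = [ip_network("10.20.30.0/28")]

# Service column of the rule: NFS over TCP 2049 only.
NFS_SERVICE = ("tcp", 2049)


@dataclass(frozen=True)
class Flow:
    src_labels: dict   # labels of the node or Pod originating the flow
    dst_ip: str
    proto: str
    dst_port: int


def in_scope(labels: dict, scope: dict) -> bool:
    """Intra-scope rules apply only to workloads carrying all three scope labels."""
    return all(labels.get(k) == v for k, v in scope.items())


def in_ip_list(ip: str, ip_list) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ip_list)


def matching_rulesets(flow: Flow) -> list:
    """Names of rulesets whose NFS rule allows the flow (simplified model):
    source in scope, destination in the IP list, service exactly TCP 2049."""
    if not in_ip_list(flow.dst_ip, NFS_STORAGE_IP_LIST):
        return []
    if (flow.proto.lower(), flow.dst_port) != NFS_SERVICE:
        return []
    return [name for name, scope in RULESET_SCOPES.items()
            if in_scope(flow.src_labels, scope)]


def nfs_allowed(flow: Flow) -> bool:
    """True when at least one ruleset's NFS rule covers the flow."""
    return bool(matching_rulesets(flow))
```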