
Illumio Segmentation for Kubernetes

Host and Cluster Requirements

To deploy Illumio containers into your environment, you must meet the following requirements.

Supported Configurations for On-premises and IaaS

For full details on all supported configurations for Containerized VEN release 21.5.15 and earlier, see the C-VEN/Kubelink OS Support and Dependencies page on the Illumio Support Portal (under Software > OS Support).

Privileges

The privileges listed below must be granted at the host level and at the cluster level for the respective components.

Host-Level

C-VEN

C-VEN requires the following privileges on the host:

  • C-VEN is a privileged container and requires the following Linux capabilities:

    • NET_ADMIN

    • SYS_MODULE

    • SYS_ADMIN

  • C-VEN requires persistent storage on the host to write iptables rules and logs.

  • C-VEN mounts volumes on the local host to be able to operate (mount points may differ depending on the orchestration platform).

Optionally, you can set the Priority Class to system-node-critical. This option is only supported in Kubernetes 1.17 and later, in a namespace other than kube-system. For more details, see the Kubernetes documentation.
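The DaemonSet fragment below is an added illustration of how the host-level requirements above map onto a Kubernetes pod spec; it is not Illumio's shipped manifest. The namespace, the illumio-ven ServiceAccount (listed under Cluster-Level below) and the priority class are taken from this page. The DaemonSet name, the image placeholder and the host paths are assumptions, since the page notes that mount points differ by platform. The fragment grants only the three listed capabilities rather than setting privileged: true, which is the narrowest pod setting that satisfies the stated requirement; SYS_MODULE and SYS_ADMIN are still root-equivalent on the node, so the pod must be treated as node-trusted regardless.

```yaml
# Added example: C-VEN DaemonSet fragment reflecting the host-level requirements.
# Names marked "assumed" are illustrative, not from the product documentation.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: illumio-ven                 # assumed name
  namespace: illumio-system         # namespace from the documentation (adjustable)
spec:
  selector:
    matchLabels:
      app: illumio-ven
  template:
    metadata:
      labels:
        app: illumio-ven
    spec:
      serviceAccountName: illumio-ven          # ServiceAccount named on this page
      priorityClassName: system-node-critical  # optional; Kubernetes 1.17+, outside kube-system
      containers:
      - name: illumio-ven
        image: REPLACE_WITH_C_VEN_IMAGE        # placeholder, supplied by your registry
        securityContext:
          # Least-privilege form of "privileged container with NET_ADMIN,
          # SYS_MODULE, SYS_ADMIN": drop everything, add back only what is listed.
          capabilities:
            drop: ["ALL"]
            add: ["NET_ADMIN", "SYS_MODULE", "SYS_ADMIN"]
        volumeMounts:
        # Persistent host storage for iptables rules and logs (path assumed).
        - name: ven-data
          mountPath: /opt/illumio-ven-data
      volumes:
      - name: ven-data
        hostPath:
          path: /var/lib/illumio-ven            # assumed host path; differs by platform
          type: DirectoryOrCreate
```

A quick way to confirm the deployed pods carry no more than this is to render the effective security context with kubectl get daemonset illumio-ven -n illumio-system -o jsonpath='{.spec.template.spec.containers[*].securityContext}' and check that privileged is absent and the add list contains exactly the three capabilities.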

Kubelink

Kubelink does not require specific privileges on the host because Kubelink:

  • Is not a privileged container.

  • Is a stateless container.

  • Does not require persistent storage.

Cluster-Level

Namespace

C-VENs and Kubelink are deployed in the illumio-system namespace. You can change this namespace name to suit your deployment by editing the manifest file.

C-VEN

C-VEN requires the following privileges on the cluster:

  • C-VEN uses the illumio-ven ServiceAccount.

Kubelink

Kubelink requires the following privileges on the cluster:

  • Kubelink creates a new Cluster Role to list and watch events occurring on the Kubernetes API server for the following elements:

    • nodes

    • hostsubnets

    • replicationcontrollers

    • services

    • replicasets

    • daemonsets

    • namespaces

    • statefulsets

  • Kubelink uses the illumio-kubelink ServiceAccount.

Optionally, you can set the Priority Class to system-cluster-critical. This option is only supported in Kubernetes 1.17 and later, in a namespace other than kube-system. For more details, see the Kubernetes documentation.
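The RBAC objects below are an added example showing the Kubelink cluster-level requirements as a ServiceAccount, a ClusterRole limited to the list and watch verbs on the eight resource types named above, and the binding between them, followed by the pod-level settings for a stateless, unprivileged container with the optional system-cluster-critical priority class. This is not Illumio's own manifest: the ClusterRole and Deployment names and the image placeholder are assumptions. The split of resources across API groups is standard Kubernetes (nodes, replicationcontrollers, services and namespaces are in the core group; replicasets, daemonsets and statefulsets in apps), and hostsubnets belongs to the OpenShift network.openshift.io group; RBAC does not validate that a named resource exists, so the rule is harmless on clusters that lack it.

```yaml
# Added example: Kubelink RBAC and pod settings reflecting the cluster-level
# requirements. Names marked "assumed" are illustrative.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: illumio-kubelink            # ServiceAccount named on this page
  namespace: illumio-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: illumio-kubelink            # assumed name
rules:
# Read-only (list/watch) access only; no get/create/update/delete anywhere.
- apiGroups: [""]
  resources: ["nodes", "replicationcontrollers", "services", "namespaces"]
  verbs: ["list", "watch"]
- apiGroups: ["apps"]
  resources: ["replicasets", "daemonsets", "statefulsets"]
  verbs: ["list", "watch"]
- apiGroups: ["network.openshift.io"]   # hostsubnets exist only on OpenShift
  resources: ["hostsubnets"]
  verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: illumio-kubelink            # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: illumio-kubelink
subjects:
- kind: ServiceAccount
  name: illumio-kubelink
  namespace: illumio-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: illumio-kubelink            # assumed name
  namespace: illumio-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: illumio-kubelink
  template:
    metadata:
      labels:
        app: illumio-kubelink
    spec:
      serviceAccountName: illumio-kubelink
      priorityClassName: system-cluster-critical  # optional; Kubernetes 1.17+, outside kube-system
      containers:
      - name: illumio-kubelink
        image: REPLACE_WITH_KUBELINK_IMAGE        # placeholder
        securityContext:
          privileged: false                       # not a privileged container
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
      # Stateless and no persistent storage: no volumes are declared.
```

After applying, the scope of the ServiceAccount can be checked from the control plane with kubectl auth can-i list nodes --as=system:serviceaccount:illumio-system:illumio-kubelink (expected: yes) and kubectl auth can-i delete pods --as=system:serviceaccount:illumio-system:illumio-kubelink (expected: no); any unexpected yes indicates an extra binding that should be reviewed.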