Skip to main content

Illumio Segmentation (formerly Illumio Core) for Kubernetes

Deploy with Helm Chart

To deploy via Helm Chart:

  1. Install Helm. See https://helm.sh/docs/ for a quick start guide and other relevant information.

    According to official Helm documentation, if your version of Helm is lower than 3.8.0, the following command must be executed in the installation environment:

    $ export HELM_EXPERIMENTAL_OCI=1

  2. Prepare an illumio-values.yaml file with the following mandatory parameters set with values that describe this deployment:

    pce_url: URL_PORT # PCE URL with port, e.g. mypce.example.com:8443 
cluster_id: ILO_CLUSTER_UUID # Cluster ID from PCE, e.g. cc4997c1-40... 
cluster_token: ILO_CLUSTER_TOKEN # Cluster Token from PCE, e.g. 1_170b... 
cluster_code: ILO_CODE # Pairing Profile key from PCE, e.g. 1391c... 
containerRuntime: containerd # Container runtime engine used in cluster, allowed values are [containerd, crio, k3s_containerd] 
containerManager: kubernetes # Container manager used in cluster, allowed values are [kubernetes, openshift]

    where URL_PORT, ILO_CLUSTER_UUID, ILO_CLUSTER_TOKEN, and ILO_CODE are placeholders for customer provided variables.

    If you are using a private PKI, you need to add these additional lines to your illumio_values.yaml:

    extraVolumeMounts:
  - name: root-ca
    mountPath: /etc/pki/tls/ilo_certs/
    readOnly: false
extraVolumes:
  - name: root-ca
    configMap:
      name: root-ca-config

    You may also want to include selected optional parameters when installing, for example, with clusterMode: clas to deploy with a CLAS-enhanced Kubelink component. For more information, see Important Optional Parameters.

    Note

    If you want to deploy with CLAS enabled, you must explicitly set the clusterMode Helm Chart parameter. The default is to deploy in legacy (non-CLAS) mode.

  3. Install the Helm Chart:

    helm install illumio -f illumio-values.yaml oci://quay.io/illumio/illumio --version <ver#> --namespace illumio-system --create-namespace

    Important

    Be sure to specify the version to install with the --version <ver#> option (for example, --version 5.1.0), after confirming that the Illumio Kubernetes Operator version you want to install is supported with your PCE version.

    Verify which PCE versions support the Illumio Core for the Kubernetes version you want to deploy on the Kubernetes Operator OS Support and Dependencies page on the Illumio Support Portal.

    Optionally, you can deploy into a custom namespace of your choice instead of the default namespace of illumio-system, The default namespace is overridden for backward compatibility by using the variable namespaceOverride: illumio-system.

    For example, to install into the ilo namespace, specify the namespace with the --namespace option and the --set option specifying namespaceOverride to null:

    helm install illumio -f illumio-values.yaml oci://quay.io/illumio/illumio --version 5.3.0 --namespace ilo --create-namespace --set namespaceOverride=null

    Alternatively, specify the namespace with the --namespace option but also use --set to explicitly set namespaceOverride to ilo:

    helm install illumio -f illumio-values.yaml oci://quay.io/illumio/illumio --version 5.3.0 --namespace ilo --create-namespace --set namespaceOverride=ilo

Note

Kubelink version labeling has changed. Prior to version 3.3.0, Kubelink used a 6-hexit suffix for its release version, like 3.2.1.445a83. In Kubelink 3.3.0 and later, the version suffix is now changed to a numeric build number, like 3.3.0-56.

Optional Parameters

Refer to the README file included with the Helm Chart for important deployment information, including parameters you can specify in the Helm Chart before installing it. To view the readme, execute:

helm show readme oci://quay.io/illumio/illumio

The following list describes a few important optional parameters to consider using in your illumio-values.yaml file.

CLAS Mode: clusterMode

Starting in Illumio Core for Kubernetes versions 5.0.0 and later, a Cluster Local Actor Store (CLAS) mode is introduced into the Kubelink architecture. Use the optional clusterMode parameter to configure Kubelink when first installing a new cluster, or when migrating an existing cluster.

When installing, set clusterMode to clas or legacy in your illumio-values.yaml file to turn on (or leave off) CLAS mode in the cluster, respectively. The default setting for clusterMode is legacy (non-CLAS). To enable CLAS in a new cluster, you must explicitly include clusterMode:clas in the illumio-values.yaml file when installing.

When upgrading an existing non-CLAS cluster to CLAS, set clusterMode to migrateLegacyToClas. When reverting (or downgrading) CLAS to non-CLAS, set clusterMode to migrateClasToLegacy.

Important

To upgrade to CLAS, follow the procedure described in Upgrade to CLAS Architecture.

Illumio recommends enabling (or migrating to) CLAS-enabled clusters to take advantage of this architecture's benefits. For more information about CLAS, see the Cluster Local Actor Store (CLAS) section.

Cluster mode supports these values:

  • legacy - the default, PCE manages individual Pods as Container Workloads

  • clas - Cluster Local Actor Store, PCE manages cluster workloads as Kubernetes Workloads

  • migrateLegacyToClas - use for upgrade to CLAS mode, see Product Guide

  • migrateClasToLegacy - use for downgrade from CLAS mode, see Product Guide

  • unpair - unpair C-VENs from PCE before deletion

CLAS Degraded Mode: disableDegradedMode and degradedModePolicyFail

If the connection between Kubelink and the PCE becomes unavailable, a CLAS-enabled Kubelink can still serve policies to C-VEN (and therefore to its Kubernetes Workloads and pods). When a PCE interruption is detected, a CLAS-enabled Kubelink enters a degraded mode.

By default, degraded mode is enabled in CLAS clusters. You can disable degraded mode by explicitly setting the parameter/value pair disableDegradedMode: true in illumio-values.yaml, and performing a helm upgrade.

In degraded mode, new Pods of existing Kubernetes Workloads get the latest policy version cached in CLAS storage. When Kubelink detects a new Kubernetes Workload labeled the same way and in the same namespace as an existing Kubernetes Workload, Kubelink delivers the existing, cached policy to Pods of this new Workload.

If Kubelink cannot find a cached policy (that is, when labels of a new Workload do not match the labels of any existing Workload in the same namespace), Kubelink delivers a "fail open" or "fail closed" policy based on the Helm Chart parameter degradedModePolicyFail setting, as specified in the illumio-values.yaml file when installing (or upgrading).

The default parameter value of degradedModePolicyFail is open, which opens the firewall of new Pods. The closed value means the firewall of new Pods is programmed to block all network connectivity.

The precise behavior of closed depends on the Cluster Workload Profile's Enforcement setting: all connectivity is blocked only if the Enforcement of the namespace is set to Full.

By default, degraded mode is enabled in CLAS clusters. You can disable degraded mode by explicitly setting the parameter/value pair disableDegradedMode: true in illumio-values.yaml, and performing a helm upgrade.

When degraded mode is disabled, Kubelink/CLAS does not deliver policy based on matching labels. Kubelink continues to run, and delivers the cached policy to existing Kubernetes Workloads, but does not deliver policy to new Workloads. Kubelink continues to attempt re-establishing communication with the PCE.

After the PCE becomes available again, it restarts, synchronizes policy and labels, and then continues normal operation.

Note

If the PCE becomes inaccessible due to database restoration or maintenance, and Kubelink has disabled degraded mode, you are advised to restart Kubelink by deleting its Pod to synchronize the current state.

Flat Networks: networkType

To add support for flat network CNIs in addition to the default (where pods run on an overlay network), an optional networkType parameter is now available in the Helm Chart where you can specify flat or overlay type. The default value is overlay.

Starting in version 5.2.0, the Kubelink Operator supports flat network CNIs in CLAS mode, a feature that was previously only available in non-CLAS mode. This update includes compatibility with flat network types such as Azure CNI Pod Subnet and Amazon VPC CNI. To enable a flat network CNI, set the networkType parameter to flat in the Helm Chart's illumio-values.yaml file during installation.

Also note that in CLAS-enabled flat networks, if a pod communicates with a virtual machine outside the cluster using private IP addresses, you must enable the annotation meta.illumio.podIPObservability. This is a scenario in which the virtual machine is in a private network and has an IP address from the same range as cluster nodes and pods. In this case, the PCE needs to know the private IP address of the pod to be able to open a connection on the virtual machine. The main benefit of CLAS is that the PCE no longer directly manages individual pods, so the implementation expects a specific annotation on such pods. Traffic between such private IPs will be blocked without this annotation, and will appear in the UI as blocked.

In this case, when the application communicates through private IPs, add the following annotation so that Kubelink can then report the private IPs of Kubernetes Workloads to the PCE:

metadata:
  annotations:
    meta.illumio.podIPObservability: "true"
CLAS etcd Internal Storage Size: sizeGi

Kubelink in CLAS mode uses etcd as a local cache for policy and runtime data. The Helm Chart parameter storage.sizeGi sets the size in GB of this ephemeral storage. Set the parameter under storage in the illumio-values.yaml for a cluster, as shown in the following example:

storage:
  registry: "docker.io/bitnami"
  repo: "etcd"
  imageTag: "3.5.7"
  imagePullPolicy: "IfNotPresent"
  sizeGi: 1

The default value is 1, for 1 GB, which should be enough for a cluster with under 1000 Kubernetes workloads. If a cluster is bigger and you increase memory limits for C-VEN and Kubelink, then increase the etcd internal storage size with this parameter.

Label Mapping

You can map existing Kubernetes labels to desired Illumio labels by adding a Kubernetes Custom Resource Definition (CRD) label map to your illumio-values.yaml file.

Pod priority

Kubelink Pod and CVEN Pods have priorityClassName specified by default. This can be disabled by setting priorityClasses.enabled to false. Default values of priorityClassName can be changed by setting kubelink and cven values.

NodePort traffic enforcement disabling

Starting from C-VEN 22.5, NodePort ingress traffic is enforced by default. To allow NodePort traffic, additional policy rules are needed. If this behavior is undesired, it can be controlled by setting enforceNodePortTraffic: never.

Default values:

enforceNodePortTraffic: always
Common Labels and Common Annotations

There is an option to specify Common Labels and Common Annotations in illumio-values.yaml:

commonLabels:  {  }  # Labels applied to all deployed objects
commonAnnotations:  {  }  # Annotations applied to all deployed objects
Root CA Certificate

If you are using a private PKI to sign the PCE certificate, make sure you add to illumio-values.yaml the references to the root CA certificate that signed the PCE certificate, as shown below:

extraVolumeMounts:
  - name: root-ca
    mountPath: /etc/pki/tls/ilo_certs/
    readOnly:  false  
extraVolumes:
  - name: root-ca
    configMap:
      name: root-ca-config
Kubelink nodeSelector

If the infrastructure requires Kubelink to run on the control-plane node, add the below configuration to illumio-values.yaml (the selector label or name may differ). Keep in mind that this only applies to Kubelink deployment.

nodeSelector:
   node-role.kubernetes.io/control-plane:  ""

Kubelink deployment also supports two more settings:

  1. Option to ignore certificate verification of PCE

  2. The verbosity level of logging

ignore_cert:  true  
verbosity  :  0
Image Pull Policy

Illumio Core for Kubernetes and Openshift provides an option to specify default image pull policy for each of its components.

kubelink:
  imagePullPolicy:  "Always"
cven:
  imagePullPolicy:  "Always"
Resources

Resources limits and requests are defined as chart values for Kubelink Deployment and CVEN DaemonSet. Values for both components can be changed in illumio-values.yaml, and each resources section is used as a whole for the corresponding container, effectively replacing the default resources definition.

See Resource Allocation Guidelines for deployment sizes.

kubelink:
  resources:
    limits:
      memory: 500Mi
    requests:
      memory: 200Mi
      cpu: 200m

cven:
  resources:
    limits:
      memory: 300Mi
  requests:
      memory: 100Mi
      cpu: 250m

storage:
  resources:
    limits:
      memory: 500Mi
    requests:
      memory: 200Mi
      cpu: 100m
Metrics

Illumio Core for Kubernetes & OpenShift provides tools for collecting and visualization of runtime metrics since IC4K chart version 4.4. The chart contains InfluxDB as a dependency. To enable metrics use:

metrics:
  enabled: true

Please refer to https://github.com/bitnami/charts/tree/main/bitnami/influxdb/ for a complete list of available parameters. To set a value in the illumio-values.yaml for InfluxDB subchart the influxdb section must be used.

Warning

Secrets for the InfluxDB must be specified during the upgrade.

First installation with metrics

Use the standard command, secrets will be generated.

$ helm install illumio -f illumio-values.yaml oci://quay.io/illumio/illumio --version  5.3.0 --namespace illumio-system --create  -namespace
Upgrade and enable metrics

To upgrade Illumio Core for Kubernetes & OpenShift deployed with the previous chart version or without metrics enabled, the user has to generate secrets for the version with enabled metrics.

export  ADMIN_USER_PASSWORD  =  `LC_ALL=LC tr -dc A-Za-z0-9 </dev/urandom | head -c 20 ; echo`  

export  ADMIN_USER_TOKEN  =  `LC_ALL=LC tr -dc A-Za-z0-9 </dev/urandom | head -c 20 ; echo`

helm upgrade illumio -f illumio-values.yaml oci://quay.io/illumio/illumio --version  5.3.0 --namespace illumio-system --set influxdb.auth.admin.password  =  $ADMIN_USER_PASSWORD  --set influxdb.auth.admin.token  =  $ADMIN_USER_TOKEN
Upgrade with enabled metrics

To upgrade Illumio Core for Kubernetes & OpenShift deployed with enabled metrics, the user has to pass existing secrets.

export  ADMIN_USER_PASSWORD  =  $(kubectl get secret --namespace illumio-system illumio-influxdb -o jsonpath=  "{.data.admin-user-password}"  | base64 -d)  

export  ADMIN_USER_TOKEN  =  $(kubectl get secret --namespace illumio-system illumio-influxdb -o jsonpath=  "{.data.admin-user-token}"  | base64 -d)

helm upgrade illumio -f illumio-values.yaml oci://quay.io/illumio/illumio --version  5.3.0 --namespace illumio-system --set influxdb.auth.admin.password  =  $ADMIN_USER_PASSWORD  --set influxdb.auth.admin.token  =  $ADMIN_USER_TOKEN
InfluxDB parameters

The InfluxDB deployed with default options will create a persistent volume with a capacity 8Gi and use the default storage class from the cluster. The current Illumio metrics data size for 1 day is approximately 55Mi, and the retention policy for the Illumio bucket is set to 30 days. 4Gi capacity should be enough room for Illumio metrics. Example setting:

influxdb:
  persistence:
    size: 4Gi
    storageClass: kops-csi-1-21

Setting for disabling the metrics persistence:

influxdb:
  persistence:
    enabled:  false
Wait for policy

With a new Wait For Policy feature, CLAS-enabled Kubelink can be configured to automatically and transparently delay the start of an application container in a pod until a policy is properly applied to that container. This synchronizes the benefit of automatic container creation with the protection of proper policy convergence into the new container.

This Wait For Policy feature replaces the existing local policy convergence controller, also known as a readiness gate. A readiness gate required manually adding the readinessGate condition into spec of Kubernetes workload. Wait For Policy uses an automatically injected init container, which requires no change to the user application.

The Wait For Policy feature is disabled by default. To enable it, change the waitForPolicy: enabled value to true in the Helm Chart illumio-values.yaml file.

Support bundle

To assist the Illumio Support team with more details for troubleshooting, Kubelink 5.2.0 provides a support bundle that collects up to 2 GB of logs, metrics, and other data inside its pod. Future versions will add the option to upload these support bundles to the PCE. Currently, you must copy this support bundle by running the script /support_bundle.sh inside the Kubelink pod. The script generates debug data, creates a gzipped tar archive using stdout as output, and encodes this data using Base64.

Use the following command to generate and transfer the Kubelink support bundle from its pod:

kubectl -n illumio-system exec deploy/illumio-kubelink -- /support_bundle.sh | base64 -d > kubelink_support.tgz
Kubernetes Workload metadata

Kubelink reports Kubernetes workloads with its labels and annotations. Starting from Kubernetes Operator 5.4.0, only Illumio annotations are reported. To include other annotation keys, use userAllowedAnnotations list:

userAllowedAnnotations:
  - "deployment.kubernetes.io/revision"
Workloads in host network

Starting from Kubernetes Operator 5.4.0, Kubelink does not create a Kubernetes Workload on PCE if the workload is in the host network. Pods of these workloads don't have separate network namespaces. Policy for these workloads must be part of the policy for Nodes. This was always the case, legacy non-CLAS mode works the same way.

Label-set optimized policy

This optimization can reduce the size of the policy sent from PCE. Instead of sending policy for each Kubernetes workload, PCE groups policies using Kubernetes Workload PCE labels. Kubernetes Workloads with a unique set of PCE labels will not benefit from this optimization.

policyLabelSetEnable: true
Helm Chart Parameters

Name

Description

Default Value

Accepted Values

pce_url

URL connection to PCE with port

""

cluster_id

Cluster ID for created cluster in PCE

""

cluster_token

Cluster Token for created cluster in PCE

""

cluster_code

Cluster Code from Pairing Profile

""

namespaceOverride

Override the namespace for Illumio resources

"illumio-system"

containerRuntime

Container Runtime used in cluster, used for unix sockets directory path

"containerd"

[containerd, crio, k3s_containerd]

containerManager

Container Manager used in cluster, used for specific deployments

"kubernetes"

[kubernetes, openshift]

clusterMode

See "Cluster Mode" section

"legacy"

[legacy, migrateClasToLegacy, migrateLegacyToClas, clas]

enforceNodePortTraffic

See "Cluster Mode" section

"always"

[always, never]

priorityClasses.enabled

Enables priorityClassName

true

[true, false]

priorityClasses.kubelink

Kubelink Deployment priorityClassName

system-cluster-critical

priorityClasses.cven

CVEN DaemonSet priorityClassName

system-node-critical

degradedModePolicyFail

See "CLAS Degraded Mode" section

"open"

[open, closed]

disableDegradedMode

Disable CLAS Degraded Mode

false

[true, false]

reportHostNetworkKubernetesWorkloads

See "Workloads in host network" section

false

[true, false]

imagePullSecret.username

Username for connecting to quay.io registry

""

imagePullSecret.password

Password for connecting to quay.io registry

""

commonLabels

Add common labels to all deployed objects

{}

commonAnnotations

Add common annotations to all deployed objects

{}

extraVolumeMounts

Used to mount directories to Kubelink and C-VEN containing certificates

{}

extraVolumes

Used to mount directories to Kubelink and C-VEN containing certificates

{}

ignore_cert

Skip certificate verification of pce_url in Kubelink

false

[true, false]

networkType

Cluster network type

"overlay"

[overlay, flat]

verbosity

Verbosity level for logs

0

[0, 1, 2]

kubelink.imagePullPolicy

Kubelink imagePullPolicy level

IfNotPresent

[IfNotPresent, Always, Never]

cven.imagePullPolicy

C-VEN imagePullPolicy level

IfNotPresent

[IfNotPresent, Always, Never]

cven.hostBasePath

Path for C-VEN data directory on Nodes (/opt/illumio_ven_data)

/opt

kubelink.pceApiTimeout

HTTP request timeout, in seconds

1200

60 - 7200

kubelink.pceApiMinBackoff

backoff delay before request retry, in seconds

60

5 - 600

kubelink.pceApiMaxBackoff

max backoff delay, in seconds

240

60 - 1200

kubelink.pceApiPolicyInterval

how often should Kubelink ask if there is new policy, in seconds

30

10 - 3600

kubelink.lastAppliedPolicyUpdateInterval

how often should Kubelink update last applied policy timestamp, in seconds

120

5 - inf

kubelink.resources

See "Resources" section

object

cven.resources

See "Resources" section

object

storage.resources

See "Resources" section

object

metrics.enabled

Enable metrics

false

[true, false]

policyLabelSetEnable

Enable label-set policy optimization

true

`[true, false]

argoCD

Chart is deployed with ArgoCD

false

[true, false]

httpProxy

HTTP proxy URL to be used for Kubelink and C-VEN requests

""