
Illumio Segmentation for Containers

Introduction to Illumio Segmentation for Containers

Modern applications increasingly rely on containers and orchestrators like Kubernetes and OpenShift to deliver scalable, resilient services. While these platforms offer agility, they also introduce security challenges. Containers on a node share the host's kernel and, by default, can reach one another freely over the cluster network, so a single compromised container gives an attacker a foothold for lateral movement across the environment. Illumio addresses these challenges with a container-native segmentation solution that provides visibility and control across dynamic environments.

Containers and Orchestrators

Containers are lightweight, portable units that package applications with their dependencies. Containers allow large applications to be broken into smaller, more manageable parts. Containers run as isolated processes on the host operating system's kernel rather than in a separate guest OS, making them faster and more resource-efficient than virtual machines.

Orchestrators such as Kubernetes and OpenShift manage container lifecycles, health, networking, and scaling. Examples of orchestrators and managed Kubernetes services include:

  • Kubernetes

    Open-source, cloud-native container orchestrator originally developed by Google and now maintained by the CNCF. Common in the public cloud, it manages workloads via nodes, pods, services, and namespaces.

  • OpenShift

    Enterprise-ready Kubernetes distribution from Red Hat, deployed both in on-prem data centers and in the cloud. It adds enhanced Role-Based Access Control (RBAC), developer tools, and CI/CD features.

  • Amazon Elastic Kubernetes Service (EKS)

  • Azure Kubernetes Service (AKS)

  • Google Kubernetes Engine (GKE)

Illumio Segmentation for Containers Components

Illumio Segmentation for Containers extends segmentation to containerized environments. It secures workloads across Kubernetes, OpenShift, virtual machines, and bare-metal servers. Illumio Segmentation for Containers integrates directly with Kubernetes clusters using two key components:

  • C-VEN (Containerized Virtual Enforcement Node)

    C-VEN deploys as a DaemonSet, so one C-VEN pod runs on every node. It enforces security policy at the node and pod levels by programming the node's packet filter with iptables or nftables. Because enforcement happens in the node's kernel, a single C-VEN per node covers every pod scheduled on that node.

  • Kubelink

    Kubelink runs as a single pod in each cluster. It synchronizes Kubernetes metadata such as pods, services, and namespaces with Illumio’s Policy Compute Engine (PCE). Kubelink enables real-time traffic mapping and policy delivery. It automatically discovers nodes, network details, and services and sends that information to the PCE.

Benefits of Illumio Segmentation for Containers

  • Unify security for containers, securing workloads across Kubernetes, OpenShift, VMs, and bare metal

  • Gain visibility and control with real-time application traffic insight

  • Work across environments like on-prem, hybrid, or cloud-native container deployments

  • Deploy with Helm, performing installation and upgrades via Helm Charts on cloud-managed and self-managed clusters

How It Works

  • Visibility

    C-VEN captures traffic flows, while Kubelink maps them to workloads. This data is visualized in Illumio.

  • Deployment

    C-VEN and Kubelink are packaged in a single Helm Chart, which is used for both initial installation and upgrades.

  • Policy Enforcement

    Policies are applied at the pod level using iptables or nftables. Each pod is treated as a single workload unit in the PCE, so label-based rules written for the PCE resolve to per-pod allowlists on the node.

Illumio Segmentation for Containers Use Cases

Kubernetes node visibility and control

Illumio provides visualization and inventory for all container nodes, segmenting at the node level.

Application tier-to-tier segmentation

Illumio enables controlling communication between services. For example, you can allow the web tier to reach the application tier and the application tier to reach the database, while blocking the web tier from reaching the database directly.

Namespace isolation

Illumio helps prevent cross-talk between namespaces and enforces environment boundaries. For example, you can block flows between production and development namespaces, in either direction.

Ingress traffic control

Illumio secures access through ingress controllers or load balancers, to only allow sanctioned entry points.

Egress traffic control

Illumio enables restricting pods from reaching external or internet destinations by enforcing Fully Qualified Domain Names (FQDNs) and IP-based allowlists, with label-based policies that clearly define intent. Illumio enforces on both sides of such a flow: on the pod's egress and on the external server's ingress. The pod's egress rules are written in terms of the external server's IPs. The external server's ingress rule is written in terms of the Kubernetes node IPs, not the pod IPs, because pod traffic leaving the cluster is normally source-NATed to the address of the node the pod runs on, so the node IP is the source address the external server actually sees.

Kubernetes infrastructure protection

Illumio can limit access to Kubernetes API and control plane components to harden clusters against lateral movement attacks.

Intra-cluster communication

Illumio provides policy granularity, controlling communication between pods in the same namespace or across namespaces.
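The following is an added worked example, not code from Illumio or from its PCE or C-VEN. It models the label-based, default-deny allowlist described in the tier-to-tier, namespace-isolation, egress-control and intra-cluster use cases above: workloads carry labels, rules select a consumer and a provider by label plus a port, and the model then expands those rules into the per-workload IP allowlists a node-level enforcer would need. It also reproduces the egress caveat: a pod's egress rule names the external server's IP, but the server's ingress rule must name the pod's node IP. Everything here is an assumption for illustration: the workload names, labels and IP addresses are constructed sample data, namespace and tier are assumed to be surfaced as plain labels, and source NAT of pod traffic to the node IP on the way out of the cluster is assumed typical CNI behaviour.

```python
"""Label-based segmentation model (added example; not Illumio's PCE/C-VEN code).
Workloads carry labels; policy is a default-deny allowlist of
(consumer labels, provider labels, port) rules. All names, labels and IPs
below are constructed sample data."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Labels = FrozenSet[Tuple[str, str]]


def labelset(**kv: str) -> Labels:
    return frozenset(kv.items())


@dataclass(frozen=True)
class Workload:
    name: str
    labels: Labels
    ip: str
    # Pods carry the IP of the node they run on; traffic leaving the cluster is
    # source-NATed to it (assumed, typical CNI behaviour). External servers
    # that are not pods leave node_ip as None.
    node_ip: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    consumer: Labels  # every (key, value) pair must be present on the consumer
    provider: Labels
    port: int


def selects(selector: Labels, workload: Workload) -> bool:
    return selector <= workload.labels


def is_allowed(policy, src: Workload, dst: Workload, port: int) -> bool:
    """Default deny: a flow passes only if some rule selects both ends and the port."""
    return any(
        selects(r.consumer, src) and selects(r.provider, dst) and r.port == port
        for r in policy
    )


def render_enforcement(policy, workloads):
    """Expand label rules into the per-workload IP allowlists a node-level
    enforcer needs. For a pod talking to an external server, the pod's egress
    rule names the server IP, but the server's ingress rule must name the pod's
    node IP, because that is the source address the server actually sees."""
    out = {w.name: {"egress": set(), "ingress": set()} for w in workloads}
    for r in policy:
        for src in workloads:
            if not selects(r.consumer, src):
                continue
            for dst in workloads:
                if src is dst or not selects(r.provider, dst):
                    continue
                out[src.name]["egress"].add((dst.ip, r.port))
                leaves_cluster = src.node_ip is not None and dst.node_ip is None
                seen_from = src.node_ip if leaves_cluster else src.ip
                out[dst.name]["ingress"].add((seen_from, r.port))
    return out


# Constructed sample inventory: three prod tiers, one dev pod, one external API.
WORKLOADS = [
    Workload("web-prod", labelset(role="web", env="prod"), "10.244.1.10", "192.168.1.11"),
    Workload("app-prod", labelset(role="app", env="prod"), "10.244.2.20", "192.168.1.12"),
    Workload("db-prod", labelset(role="db", env="prod"), "10.244.2.21", "192.168.1.12"),
    Workload("app-dev", labelset(role="app", env="dev"), "10.244.3.30", "192.168.1.13"),
    Workload("payments-api", labelset(role="payments", env="prod"), "203.0.113.5"),
]

# Constructed policy: web -> app -> db inside prod, and app may call the
# external payments API over 443. Nothing else is allowed.
POLICY = [
    Rule(labelset(role="web", env="prod"), labelset(role="app", env="prod"), 8080),
    Rule(labelset(role="app", env="prod"), labelset(role="db", env="prod"), 5432),
    Rule(labelset(role="app", env="prod"), labelset(role="payments", env="prod"), 443),
]

BY_NAME = {w.name: w for w in WORKLOADS}


def check(src: str, dst: str, port: int) -> bool:
    return is_allowed(POLICY, BY_NAME[src], BY_NAME[dst], port)


if __name__ == "__main__":
    for flow in [("web-prod", "app-prod", 8080), ("web-prod", "db-prod", 5432),
                 ("app-dev", "db-prod", 5432), ("app-prod", "payments-api", 443)]:
        print(flow, "ALLOW" if check(*flow) else "DENY")
    for name, rules in render_enforcement(POLICY, WORKLOADS).items():
        print(name, sorted(rules["egress"]), sorted(rules["ingress"]))
```

Running the block shows web-prod reaching app-prod but not db-prod (tier skip denied), app-dev denied to db-prod (environment boundary), and, in the rendered allowlists, payments-api's ingress entry is the node address 192.168.1.12 rather than the pod address 10.244.2.20, while db-prod's ingress entry is the pod address because that flow never leaves the cluster. If your CNI does not SNAT egress traffic, or the pod has a routable address, the `leaves_cluster` assumption must change accordingly.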