What's New in 5.7.0
Here's a summary of the new and enhanced features in this release.
nftables for Illumio Segmentation for Datacenter Containers
We introduce support for nftables, incorporating its improved performance, scaling, and processing while using a smaller memory footprint for larger rulesets. Support for nftables maintains future compatibility as Kubernetes and OS providers migrate away from iptables in upcoming releases.
For nftables support you must be on version 5.7.0 or higher.
Supporting nftables provides these benefits:
Policy enforcement through the Illumio Container functions for nftables without needing manual intervention.
C-VEN understands and detects netfilter and flow tables. Policies continue to work when they are detected.
C-VEN container images contain packages for both iptables and nftables.
Rule coexistence for pre-existing nftables rules defined by other applications or administrators on the host system.
Helm Chart 5.7.0 includes the cven.firewallBackend parameter, which defaults to auto to detect the firewall mode automatically. It supports two other options for manually setting either iptables or nftables as the C-VEN firewall type.
You can write custom iptables rules on the PCE and they will convert to nftables rules.
Kubernetes Tolerations and Taints for C-VEN DaemonSet
We include support for tolerations and taints for the C-VEN DaemonSet without requiring patching and republishing of the Helm Chart.
Add, update, or override tolerations for the C-VEN DaemonSet through Helm values under the cven section of the Helm Chart values.yaml file.
Tolerations follow this format:
tolerations:
  - key: <keyname>
    value: <value>
    effect: <effect>
If no tolerations are specified for the C-VEN DaemonSet, the default behavior (no tolerations) remains unchanged.
For example, to allow C-VEN pods to run on nodes tainted with dedicated=monitoring, the tolerations field includes the key dedicated, the value monitoring, and the effect NoSchedule.
cven:
  tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
    - key: dedicated
      value: monitoring
      effect: NoSchedule
The first two keys, node-role.kubernetes.io/master and node-role.kubernetes.io/control-plane, are required in every tolerations section.
Run the kubectl describe command for a node to see the taints for that node.
$ kubectl describe node <node-name>
...
Taints: dedicated=monitoring:NoSchedule
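The following is an added example, not Illumio's code: it models the Kubernetes toleration-matching rules so you can check, before rolling out the chart, which nodes the C-VEN DaemonSet will be allowed on given the cven.tolerations list above. The node inventory (NODES) is constructed in the Taints: format that kubectl describe node prints; the function names are this example's own.

```python
# Added example (not Illumio's code): models how Kubernetes matches the
# cven.tolerations entries against node taints, so you can see which nodes
# the C-VEN DaemonSet can land on before upgrading the chart.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Taint:
    key: str
    effect: str          # NoSchedule, PreferNoSchedule or NoExecute
    value: str = ""


@dataclass(frozen=True)
class Toleration:
    key: str = ""
    effect: str = ""     # empty effect tolerates every effect for the key
    value: str = ""
    operator: str = "Equal"   # Kubernetes default when omitted


def parse_taint(text: str) -> Taint:
    """Parse the 'key[=value]:Effect' form printed by kubectl describe node."""
    key_value, effect = text.rsplit(":", 1)
    key, _, value = key_value.partition("=")
    return Taint(key=key, effect=effect, value=value)


def format_taint(taint: Taint) -> str:
    kv = f"{taint.key}={taint.value}" if taint.value else taint.key
    return f"{kv}:{taint.effect}"


def tolerates(tol: Toleration, taint: Taint) -> bool:
    """Kubernetes matching rules: the effect must match (or be empty on the
    toleration); Exists ignores the value, Equal compares it (default '')."""
    if tol.effect and tol.effect != taint.effect:
        return False
    if tol.operator == "Exists":
        return tol.key == "" or tol.key == taint.key
    return tol.key == taint.key and tol.value == taint.value


def untolerated(taints: List[Taint], tolerations: List[Toleration]) -> List[Taint]:
    """Taints that keep the pod off the node (PreferNoSchedule is only soft)."""
    hard = {"NoSchedule", "NoExecute"}
    return [t for t in taints
            if t.effect in hard and not any(tolerates(tol, t) for tol in tolerations)]


def tolerations_from_values(values: dict) -> List[Toleration]:
    """Read the cven.tolerations list as it appears in the Helm values.yaml."""
    return [Toleration(**entry) for entry in values.get("cven", {}).get("tolerations", [])]


def placement_report(nodes: Dict[str, List[str]], values: dict) -> Dict[str, List[str]]:
    """Map each node to the taints the DaemonSet's tolerations do not cover;
    an empty list means the C-VEN pod can be scheduled there."""
    tols = tolerations_from_values(values)
    return {name: [format_taint(t) for t in untolerated([parse_taint(s) for s in raw], tols)]
            for name, raw in nodes.items()}


# The cven section from the release notes above.
CVEN_VALUES = {"cven": {"tolerations": [
    {"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"},
    {"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"},
    {"key": "dedicated", "value": "monitoring", "effect": "NoSchedule"},
]}}

# Constructed node inventory in the 'Taints:' format of kubectl describe node.
NODES = {
    "cp-1": ["node-role.kubernetes.io/control-plane:NoSchedule"],
    "worker-1": [],
    "monitor-1": ["dedicated=monitoring:NoSchedule"],
    "gpu-1": ["dedicated=gpu:NoSchedule"],
    "unreachable-1": ["node.kubernetes.io/unreachable:NoExecute"],
}

if __name__ == "__main__":
    for node, missing in placement_report(NODES, CVEN_VALUES).items():
        print(f"{node:14} {'OK' if not missing else 'blocked by ' + ', '.join(missing)}")
```

The report shows why the two node-role tolerations are required: without them the control-plane node's NoSchedule taint is uncovered and no C-VEN pod runs there, leaving that node unenforced. A node tainted with a different dedicated value (gpu) stays blocked unless you add a matching toleration or switch the dedicated entry to operator Exists.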
Configurable Kubelink Support Report Directory Size
With this release, the support report directory size is configurable from the Helm Chart using the kubelink.supportReportVolumeSize value. The default size is 2000 MB. When the data size reaches 75% of the configured size (1500 MB for the default), Kubelink removes older files from the support report directory to prevent filling the storage volume.
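The following is an added example, not Kubelink's code: it models the retention rule just described, pruning a support-report directory oldest-first once its contents reach 75% of the configured volume size, so you can reason about how much history a given kubelink.supportReportVolumeSize keeps. The MB-to-bytes conversion (MiB), the oldest-by-mtime ordering, and the demo scenario of five 1 MB reports in a 4 MB volume are this example's own assumptions.

```python
# Added example (not Kubelink's code): a model of the retention rule where the
# support-report directory is pruned oldest-first once its contents reach 75%
# of kubelink.supportReportVolumeSize. Byte conversion and mtime ordering are
# assumptions of this example.
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

DEFAULT_VOLUME_MB = 2000      # Helm default for kubelink.supportReportVolumeSize
PRUNE_FRACTION = 0.75         # pruning starts at 75% of the configured size
MB = 1024 * 1024              # assumption: MB is treated as MiB here


def prune_threshold_bytes(volume_mb: int = DEFAULT_VOLUME_MB) -> int:
    """Bytes at which pruning starts: 1500 MB for the default 2000 MB volume."""
    return int(volume_mb * MB * PRUNE_FRACTION)


def prune_support_reports(directory: Path,
                          volume_mb: int = DEFAULT_VOLUME_MB) -> Tuple[List[str], int]:
    """Delete the oldest files until usage drops below the threshold.
    Returns the removed file names (oldest first) and the bytes left behind."""
    threshold = prune_threshold_bytes(volume_mb)
    files = sorted((p for p in Path(directory).iterdir() if p.is_file()),
                   key=lambda p: p.stat().st_mtime)
    total = sum(p.stat().st_size for p in files)
    removed: List[str] = []
    while total >= threshold and files:
        oldest = files.pop(0)
        total -= oldest.stat().st_size
        oldest.unlink()
        removed.append(oldest.name)
    return removed, total


def demo(volume_mb: int = 4, reports: int = 5) -> Tuple[List[str], int]:
    """Constructed scenario: five 1 MB reports in a 4 MB volume (threshold 3 MB)."""
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(reports):
            path = Path(tmp) / f"report-{i}.tgz"
            path.write_bytes(b"\0" * MB)
            # lower index = older report; set mtimes explicitly so ordering is deterministic
            os.utime(path, (1_700_000_000 + i, 1_700_000_000 + i))
        return prune_support_reports(Path(tmp), volume_mb)


if __name__ == "__main__":
    removed, left = demo()
    print("removed:", removed, "remaining bytes:", left)
```

In the demo the three oldest reports are deleted and 2 MB remain, because pruning continues until usage is strictly below the 75% mark. The practical point is that the newest reports survive, so collect a report promptly after an incident rather than relying on the directory as an archive.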
The default PCE upload limit is 100 MB. Smaller support reports can be uploaded to the PCE and then downloaded from the PCE UI in the Summary tab for the container cluster, in the Support Reports section. Support reports larger than the upload limit can be downloaded using the following kubectl command:
kubectl -n illumio-system exec deploy/illumio-kubelink -- /support_bundle.sh | base64 -d > kubelink_support.tgz