Host and Cluster Requirements
To deploy Illumio containers into your environment, you must meet the following requirements.
Supported Configurations for On-premises and IaaS
For full details on all supported configurations for Illumio Core for Kubernetes version 3.0.0 and later, see the Kubernetes Operator OS Support and Dependencies page on the Illumio Support Portal (under Software > OS Support).
Privileges
The Helm Chart deployment process automatically sets all necessary privileges. The privileges listed below must be provided at the host level and the cluster level for the respective components. They are listed here for reference.
Host-Level
C-VEN
C-VEN requires the following privileges on the host:
C-VEN is a privileged container and requires access to the following system calls:
NET_ADMIN
SYS_MODULE
SYS_ADMIN
C-VEN requires persistent storage on the host to write iptables rules and logs.
C-VEN mounts volumes on the local host to be able to operate (mount points may differ depending on the orchestration platform).
Kubelink
Kubelink does not require specific privileges on the host because Kubelink:
is not a privileged container
is a stateless container
does not require persistent storage
Cluster-Level
Namespace
C-VENs and Kubelink are deployed in the illumio-system namespace.
C-VEN
C-VEN requires the following privileges on the cluster:
C-VEN uses the illumio-ven ServiceAccount.
Kubelink
Kubelink requires the following privileges on the cluster:
Kubelink creates a new Cluster Role to list and watch events occurring on the Kubernetes API server for the following elements:
nodes
hostsubnets
replicationcontrollers
services
replicasets
daemonsets
namespaces
statefulsets
Kubelink uses the illumio-kubelink ServiceAccount.
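The Cluster Role scope listed above for Kubelink can be compared with what a cluster actually grants. The following Python is an added example, not Illumio's code: it audits a ClusterRole exported as JSON against the documented resources and the list and watch verbs. The sample role, its name, and its rules are constructed for illustration.

```python
import json

# Resources and verbs taken from the Kubelink Cluster Role description above.
DOCUMENTED_RESOURCES = {
    "nodes", "hostsubnets", "replicationcontrollers", "services",
    "replicasets", "daemonsets", "namespaces", "statefulsets",
}
DOCUMENTED_VERBS = {"list", "watch"}

# Constructed sample shaped like `kubectl get clusterrole <name> -o json` output.
# The role name and rules are hypothetical, not Illumio's shipped manifest.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-kubelink-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["nodes", "services", "namespaces"],
     "verbs": ["list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["replicasets", "daemonsets"],
     "verbs": ["list", "watch", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}
  ]
}
""")


def audit_cluster_role(role):
    """Return (excess, missing): (resource, verb) grants outside the
    documented scope, and documented resources lacking list+watch."""
    excess, granted = [], {}
    for rule in role.get("rules") or []:
        for res in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                if res in DOCUMENTED_RESOURCES and verb in DOCUMENTED_VERBS:
                    granted.setdefault(res, set()).add(verb)
                else:
                    # "*" wildcards, subresources and extra verbs land here
                    # and are not counted as coverage of a documented resource.
                    excess.append((res, verb))
    missing = sorted(r for r in DOCUMENTED_RESOURCES
                     if granted.get(r, set()) != DOCUMENTED_VERBS)
    return sorted(set(excess)), missing


if __name__ == "__main__":
    excess, missing = audit_cluster_role(SAMPLE_ROLE)
    print("grants beyond documented scope:", excess)
    print("documented resources without list+watch:", missing)
```

Entries in the excess list are the ones to review for least privilege; the missing list is informational, since a platform may not expose every listed resource.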