Known Limitations
The known limitations in this release are:
Kube-proxy mode set to IPVS is currently not supported.
Exposing an application using NodePort is currently not supported by Illumio Core (no visibility and no enforcement). Consider leveraging hostNetwork'd ingress controllers to expose HTTP applications to better control inbound connections or Network Load Balancers that can preserve the client IP addresses.
If a C-VEN on a server hosting containers is paired directly into the Enforced policy state, other nodes may lose connectivity with the master node until policy is synchronized across all the nodes.
Pods which run on the host network stack (inherit the host IP address) are not reported to the PCE. Any rules written for the host will also be inherited by any hostNetworked Pods on the host.
If you are using an external load balancer, the policy configuration will be dependent on the type of the load balancer used.
Kubernetes uses NAT tables, which depend on traffic being tracked and stateful. Therefore, it is not recommended to use stateless rules.
If a Kubernetes service has both port 1234/TCP and port 2345/UDP configured, a rule configured with the Pod as Consumer and the virtual service as Provider will open up both ports 1234/TCP and 2345/TCP, and 1234/UDP and 2345/UDP on the Pod's firewall (outbound rule).
In case of a Kubernetes service configured with a
portandtargetPortstatement in the manifest file as shown in the example below:apiVersion: v1 kind: Service metadata: name: web-frontend-svc namespace: app1 labels: app: app1 tier: web-frontend annotations: com.illumio.role: Web spec: type: ClusterIP ports: - port: 8080 targetPort: 80 protocol: TCP - port: 8081 targetPort: 81 protocol: UDP selector: app: app1 tier: web-frontendThis configuration is supported with Illumio Core. In this case, only the port number associated to the
portstatement will show this issue, the port number associated to thetargetPortstatement will not show this issue and will use theprotocolspecified in the Service yaml file.