What's New and Changed in Release 21.5.10
Illumio Core 21.5.10 introduces the following new features and enhancements.
Important
Illumio Core 21.5.10 is available only to Illumio Core On Premises customers who install Illumio Core in their own data centers.
21.5.10 Illumio Core Maintenance Release
Illumio provides regular maintenance updates for reported bugs and security issues, and to add support for new operating system versions.
As a maintenance release, Illumio Core 21.5.10 resolves software and security issues to refine the software and improve its reliability and performance.
For more information about the Illumio software release types and software support, see Versions and Compatibility on the Illumio Support portal (login required).
VEN Enhancements
The following enhancements were added in Illumio Core 21.5.10.
Support on IBM Z With RHEL 7 and RHEL 8
In this release, the system supports installing and operating the VEN on IBM Z systems running Red Hat Enterprise Linux 7 (RHEL 7) and RHEL 8.
Label-based Security Setting for IP Forwarding
Illumio now supports enabling IP forwarding on hosts running Linux, so that a container networking solution can route traffic to the VMs. To configure IP forwarding, use the new IP Forwarding tab in the PCE web console. In this tab, you use labels and label groups to enable IP forwarding on the workloads that match the label combination.
VEN Compatibility Report Updates for IPv6 Support
Illumio supports IPv6 for workloads. This includes a warning in the Compatibility Report, which is used to detect possible issues before the VEN is moved out of the Idle state.
The following Compatibility Report checks and options are supported:

On Linux and SunOS, this check is reported regardless of whether IPv6 is enabled:

  ipv6_forwarding_enabled
    At least one iptables forwarding rule was detected in the IPv6 forwarding chain. The VEN removes existing iptables rules when the workload is in a non-Idle policy state.

On Windows, we do not support all IPv6 transition tunnels that are part of the IPv6 transition technology (RFC 4213). The following options are available:

  teredo_tunneling_enabled
    Teredo tunneling allows for IPv6 connectivity. Teredo is an IPv6 transition tunnel. We do not report on Teredo adapters.

  IPv6 enabled
    Continues to be supported. Detects potential transition technology usage on Windows.
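The check below is an added example, not Illumio's VEN code: it approximates the ipv6_forwarding_enabled finding so an administrator can list the ip6tables FORWARD rules that would be removed once the VEN leaves the Idle state. The sample command output is constructed; the live_findings() helper runs the real sysctl and ip6tables commands on a Linux host.

```python
# Added example (not Illumio code): approximates the ipv6_forwarding_enabled
# check from the Compatibility Report so an admin can see which ip6tables
# FORWARD rules the VEN would remove on leaving the Idle state.
import subprocess

# Constructed sample output, standing in for the live commands
# `sysctl net.ipv6.conf.all.forwarding` and `ip6tables -S FORWARD`.
SAMPLE_SYSCTL = "net.ipv6.conf.all.forwarding = 1\n"
SAMPLE_FORWARD_CHAIN = """-P FORWARD DROP
-A FORWARD -i eth0 -o cni0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""

def kernel_ipv6_forwarding(sysctl_text):
    """Parse `sysctl net.ipv6.conf.all.forwarding` output; True when set to 1."""
    for line in sysctl_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv6.conf.all.forwarding":
            return value.strip() == "1"
    return False

def forward_chain_rules(ip6tables_text):
    """Return the rules appended to the FORWARD chain (the -P policy line is excluded)."""
    return [line.strip() for line in ip6tables_text.splitlines()
            if line.startswith("-A FORWARD")]

def ipv6_forwarding_findings(sysctl_text, ip6tables_text):
    """Build a small report in the spirit of the Compatibility Report entry."""
    rules = forward_chain_rules(ip6tables_text)
    return {
        "kernel_forwarding": kernel_ipv6_forwarding(sysctl_text),
        # Flag as described above: at least one rule in the IPv6 forwarding chain.
        "ipv6_forwarding_enabled": len(rules) >= 1,
        "rules_at_risk": rules,   # what the VEN will remove in a non-Idle state
    }

def live_findings():
    """Run the real commands (Linux, needs ip6tables and root); not used by the sample."""
    sysctl = subprocess.run(["sysctl", "net.ipv6.conf.all.forwarding"],
                            capture_output=True, text=True, check=True).stdout
    chain = subprocess.run(["ip6tables", "-S", "FORWARD"],
                           capture_output=True, text=True, check=True).stdout
    return ipv6_forwarding_findings(sysctl, chain)

if __name__ == "__main__":
    print(ipv6_forwarding_findings(SAMPLE_SYSCTL, SAMPLE_FORWARD_CHAIN))
```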
VEN Support on Rocky Linux
Beginning in the 21.5.10 release, the VEN is supported on the Rocky Linux OS.
PCE Platform Enhancements
In addition to the information provided in the release notes, this release optimizes PCE policy in the following ways.
Policy Provisioning Operations Optimized
In environments that use many label groups with Virtual Servers or Virtual Services, this release provides faster computation and delivery of policy changes to affected workloads, as well as faster policy provisioning overall.
Improved Performance for Container Workloads
In this release, Illumio provides improved performance by programming container host CIDRs instead of container host IP addresses. For traffic initiated by a container workload and destined for outside the container cluster, the PCE replaces the container host's IP address in the external workload's inbound policy with the subnet(s) for all container hosts in the container cluster. The subnets are constructed using the IP addresses and subnet masks of IPv4 host network interfaces, with a default gateway, as reported by the VEN on container hosts. This enhancement avoids a policy recalculation on workloads outside the cluster when the following events occur:
Scaling up a Kubernetes service
Deleting and recreating a Kubernetes pod on a different node in the cluster
Replacing a Kubernetes node for upgrade or patch reasons
By eliminating policy updates for workloads outside the cluster, this enhancement helps reduce the amount of time required to establish communication between the pod in the cluster and a workload outside the cluster.
Important
This feature must be enabled in the PCE runtime_env.yml using the following configuration:

  agent_service:
    use_container_host_cidrs_in_container_policy: true
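The model below is an added example, not Illumio's PCE code: it shows why programming container host CIDRs instead of host IP addresses avoids a policy recalculation when a node is added inside an existing subnet. The host interface data is constructed; the subnets are built, as described above, from the IPv4 address and mask of each host interface that has a default gateway.

```python
# Added example (not Illumio code): models the container-host CIDR
# substitution described above. Host interface data below is constructed.
import ipaddress

# Constructed sample of what the VEN on each container host reports:
# (IPv4 address, subnet mask, interface has a default gateway).
CONTAINER_HOSTS = {
    "node-1": [("10.20.1.11", "255.255.255.0", True),
               ("172.17.0.1", "255.255.0.0", False)],   # bridge, no gateway
    "node-2": [("10.20.1.12", "255.255.255.0", True)],
    "node-3": [("10.20.2.13", "255.255.255.0", True)],
}

def host_ips(hosts):
    """Previous behaviour: every gateway-bearing host interface address is
    programmed into the external workload's inbound policy."""
    return {ipaddress.IPv4Address(ip)
            for ifaces in hosts.values() for ip, _, gw in ifaces if gw}

def host_cidrs(hosts):
    """New behaviour: the subnets of those interfaces are programmed
    instead, so a new host in an existing subnet adds nothing."""
    return {ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            for ifaces in hosts.values() for ip, mask, gw in ifaces if gw}

def recalculation_needed(before, after, use_cidrs):
    """True when the inbound policy delivered to workloads outside the
    cluster would differ between two cluster states."""
    build = host_cidrs if use_cidrs else host_ips
    return build(before) != build(after)

def with_node(hosts, name, ip, mask="255.255.255.0"):
    """Return a copy of the cluster with one more container host."""
    return {**hosts, name: [(ip, mask, True)]}

if __name__ == "__main__":
    scaled = with_node(CONTAINER_HOSTS, "node-4", "10.20.1.14")
    print(sorted(map(str, host_cidrs(CONTAINER_HOSTS))))
    print("IP-based policy changes:  ", recalculation_needed(CONTAINER_HOSTS, scaled, False))
    print("CIDR-based policy changes:", recalculation_needed(CONTAINER_HOSTS, scaled, True))
```

A node in a subnet the cluster has not used before still changes the CIDR-based policy, which is the expected exception.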
Improved Convergence Times
In this release, Illumio provides improved convergence times by preventing unnecessary IP address list updates. Previously, inbound policies on Virtual Servers were updated with all workload IP addresses, including the IP addresses of container workloads that are routable only within the Container Cluster. This occurred even though Virtual Servers outside a Container Cluster never see inbound traffic directly from a Container Workload IP. Now, with this enhancement, Container Workload IP addresses local to a Container Cluster are no longer delivered to Virtual Servers. This prevents unnecessary updates to the list of Container Workload IP addresses maintained on the SLB device that were caused by updates to Container Workloads.
This optimization, combined with the "Improved Performance for Container Workloads" enhancement (programming container host CIDRs instead of container host IP addresses), significantly decreases or eliminates the time required before a Virtual Server outside the Container Cluster allows inbound traffic from a Container Workload.
Important
This feature must be enabled in the PCE runtime_env.yml using the following configuration:

  agent_service:
    exclude_container_ips_in_virtual_server_policy: true
Improved Performance for Kubelink Service Updates
In this release, Illumio provides improved performance by batch processing Kubelink service updates. Previously, when Kubelink cluster service updates occurred, the PCE immediately provisioned the changes to virtual services. Now, with this enhancement, the PCE aggregates the Kubelink-reported changes across all clusters and provisions the changes as batch updates. In environments with many container clusters and/or high rates of change to cluster services, this enhancement helps reduce PCE load and decreases policy distribution times.
If you enable this enhancement in a Supercluster, do so only in an environment where the container clusters are paired to the leader PCE.
Important
This feature must be enabled in the PCE runtime_env.yml. The value you specify in the runtime_env.yml setting determines the provisioning interval. Illumio has only certified a value of 180 seconds for this setting. Use the following configuration:

  agent_service:
    container_cluster_service_provision_interval_seconds: 180
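If you enable more than one of the enhancements above, all three settings belong under a single agent_service mapping: YAML mapping keys must be unique, and a repeated top-level agent_service key typically leaves only the last block in effect. The combined form, shown here as an added illustration rather than text from the original release notes:

```yaml
# Added illustration (not from the release notes): one agent_service block
# holding all three 21.5.10 settings, rather than three separate blocks.
agent_service:
  use_container_host_cidrs_in_container_policy: true
  exclude_container_ips_in_virtual_server_policy: true
  container_cluster_service_provision_interval_seconds: 180   # only certified value
```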
Rotate Database Passwords and Other Secrets
At any time, an Illumio Administrator can rotate the PCE database passwords and other auto-generated secrets used within the PCE. The new secrets take effect when the PCE is restarted. To rotate secrets, run the following command on any node:
sudo -u ilo-pce illumio-pce-ctl rotate-secrets
In a Supercluster, run this command once for each region.