Architecture
As container adoption has grown, so has the east-west attack surface: a container compromised through a vulnerability or exploit becomes a foothold for unauthorized lateral movement to other workloads. Those sources and destinations may be other containers, bare-metal servers, or virtual machines, running on-premises or in the cloud. Covering each with a different, disparate solution adds management and operational complexity and leaves gaps that an attacker can use.
Illumio provides one consistent segmentation solution for your applications wherever they run: on bare-metal servers, virtual machines, or containers. It is a single, unified solution with numerous points of integration, so you can secure applications quickly regardless of their location or form factor.

A container is a loosely defined construct: a group of processes abstracted into an addressable entity that runs one or more application instances. On Linux, containers are implemented with namespaces, which give those processes their own view of system resources (process IDs, mounts, network interfaces), and cgroups, which limit how much CPU, memory, and I/O they may consume. Because containers run as ordinary processes on the shared host kernel, they need far fewer resources than virtual machines. The network namespace in particular gives each container its own interfaces, IP addresses, routing table, and netfilter rule set, which is what allows containers to have unique IP addresses. Illumio Core uses this mechanism to program iptables inside the container's network namespace, so the rules apply to that namespace's traffic and are separate from the host's own rule set.
Illumio Core for containers orchestrated with Kubernetes or OpenShift uses the following architecture:

Kubernetes-based orchestration platforms, such as upstream Kubernetes and Red Hat OpenShift, integrate with Illumio Core through two components deployed in the cluster:
Kubelink - An Illumio software component that watches event streams from the Kubernetes API server for changes in the cluster.
Containerized VEN (C-VEN) - An Illumio software component that provides visibility and enforcement on the nodes and the Pods.
Once both components are deployed in the cluster, they report the following information to the Policy Compute Engine (PCE):
Summary - Information about the Kubernetes cluster and Illumio components deployed.
Workloads - Information about Kubernetes nodes.
Container Workloads - Information about Kubernetes Pods.
Virtual Services - Information about Kubernetes services.
Container Workload Profiles - Information about Kubernetes namespaces and policies.
Illumio Core visibility and enforcement occur at the Pod level in Kubernetes and OpenShift: policy is programmed into the iptables of the network namespace that the Pod provides. Because every container in a Pod shares that one network namespace, and therefore the Pod's IP address, the kernel cannot tell traffic from one container in the Pod apart from another. Pods can be segmented from each other, but containers inside a Pod cannot. The PCE represents the Pod as a single container workload, with the C-VEN supplying details about the containers that make up the Pod.
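The two points above, that policy is programmed as iptables rules inside the Pod's network namespace and that enforcement therefore stops at the Pod boundary, can be modelled in a few lines. The following is an added example, not Illumio's code and not the PCE's actual policy algorithm: a toy compiler that turns label-based rules into the iptables commands an agent would run inside each Pod's network namespace. The label scheme, the rule shape, the Pod inventory, the IP addresses and the netns names are all constructed for the example.

```python
"""Added example, not Illumio's code: a toy model of compiling label-based
segmentation policy into per-Pod iptables rules, to show why enforcement in
Kubernetes stops at the Pod boundary.

Assumptions (mine, not from the page): a rule allows consumers matching a set
of labels to reach providers matching another set on one port; each Pod has one
IP and one network namespace shared by all of its containers; commands are
generated as strings and never executed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class ContainerWorkload:
    """One Pod as the PCE sees it: one IP, one netns, any number of containers."""
    name: str
    k8s_namespace: str
    ip: str
    netns: str                 # Linux network namespace the agent programs
    labels: FrozenSet[str]     # e.g. {"role=web", "env=prod"}
    containers: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """Allow consumers carrying all consumer_labels to reach providers carrying
    all provider_labels on proto/port."""
    consumer_labels: FrozenSet[str]
    provider_labels: FrozenSet[str]
    proto: str
    port: int


def matches(pod: ContainerWorkload, labels: FrozenSet[str]) -> bool:
    """A Pod matches a label set when it carries every label in that set."""
    return labels <= pod.labels


def allowed_consumers(pod: ContainerWorkload, rules: List[Rule],
                      inventory: List[ContainerWorkload]) -> Set[str]:
    """Pod IPs that policy permits to reach *pod* on at least one port."""
    out: Set[str] = set()
    for rule in rules:
        if not matches(pod, rule.provider_labels):
            continue
        out.update(c.ip for c in inventory
                   if c is not pod and matches(c, rule.consumer_labels))
    return out


def compile_inbound_rules(pod: ContainerWorkload, rules: List[Rule],
                          inventory: List[ContainerWorkload]) -> List[str]:
    """iptables commands for *pod*'s network namespace: default-deny INPUT,
    then one ACCEPT per permitted (consumer IP, port). Everything is keyed on
    Pod IPs because the kernel sees only the Pod's netns, not its containers."""
    ipt = f"ip netns exec {pod.netns} iptables"
    cmds = [
        f"{ipt} -P INPUT DROP",
        f"{ipt} -A INPUT -i lo -j ACCEPT",
        f"{ipt} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for rule in rules:
        if not matches(pod, rule.provider_labels):
            continue
        for consumer in inventory:
            if consumer is pod or not matches(consumer, rule.consumer_labels):
                continue
            cmds.append(f"{ipt} -A INPUT -s {consumer.ip}/32 -p {rule.proto} "
                        f"--dport {rule.port} -j ACCEPT")
    return cmds


# Constructed sample inventory: a web Pod with an app container plus a log
# sidecar, a database Pod, and an unrelated batch Pod.
WEB = ContainerWorkload("web-7d9f", "shop", "10.244.1.10", "cni-web-7d9f",
                        frozenset({"role=web", "env=prod"}),
                        frozenset({"app", "log-sidecar"}))
DB = ContainerWorkload("db-0", "shop", "10.244.2.20", "cni-db-0",
                       frozenset({"role=db", "env=prod"}),
                       frozenset({"postgres"}))
BATCH = ContainerWorkload("batch-1", "jobs", "10.244.3.30", "cni-batch-1",
                          frozenset({"role=batch", "env=prod"}),
                          frozenset({"worker"}))
INVENTORY = [WEB, DB, BATCH]

# Policy: prod web may reach prod db on TCP/5432. Nothing else may.
POLICY = [Rule(frozenset({"role=web", "env=prod"}),
               frozenset({"role=db", "env=prod"}), "tcp", 5432)]


def sidecar_shares_access(provider: ContainerWorkload, consumer: ContainerWorkload,
                          rules: List[Rule], inventory: List[ContainerWorkload]) -> bool:
    """True when a multi-container consumer Pod is admitted to *provider*: the
    ACCEPT rule matches the Pod's single IP, so every container in that Pod,
    sidecar included, gets the same access as the intended one."""
    return (consumer.ip in allowed_consumers(provider, rules, inventory)
            and len(consumer.containers) > 1)


if __name__ == "__main__":
    for cmd in compile_inbound_rules(DB, POLICY, INVENTORY):
        print(cmd)
    print("sidecar inherits web->db access:",
          sidecar_shares_access(DB, WEB, POLICY, INVENTORY))
```

Run the block to see the four commands generated for the db Pod. The point to notice is that the single ACCEPT rule matches the web Pod's IP address, so the log sidecar in that Pod gets exactly the same access to the database as the app container; nothing inside the db Pod's network namespace can tell the two apart. The commands are only printed; executing them for real would need root, iproute2 and iptables on a node where those namespaces actually exist.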