Upgrade and Uninstall Non-Helm Chart Deployments
This section describes how deployments that were not installed with Helm can be upgraded or uninstalled.
Upgrade Illumio Components
Illumio Core for Kubernetes and OpenShift is a flexible and modular solution that can be upgraded piece by piece.
For minor upgrades, Kubelink can be upgraded independently from the C-VEN and vice versa unless explicitly mentioned in the release notes.
For major upgrades, including PCE, Kubelink, and C-VEN, Illumio recommends the following process:
Upgrade the PCE to the new desired version.
Review the compatibility matrix between PCE, Kubelink, and C-VEN on the Illumio support website.
Upgrade Kubelink.
Upgrade C-VEN.
Upgrade Kubelink
The supported process to upgrade Kubelink is as follows:
Upload the new image to your private container registry.
Change the manifest file to point to the latest Kubelink image in the registry. You do not need to change the previously created secret for Kubelink.
Apply this new manifest file to the cluster.
illumio-kubelinkfollows the default update behavior of Kubernetes. For more information, see Kubernetes Documentation.
You can verify that the upgrade was successful in the PCE UI on the Container Clusters > Summary page and checking for the new Kubelink version.
Upgrade C-VEN
The supported process to upgrade C-VENs is as follows:
Upload the new image to your private container registry.
Change the manifest file to point to the latest C-VEN image in the registry. You do not need to change the previously created secret for C-VEN.
Apply this new manifest file to the cluster.
illumio-ven daemonsetfollows the default rolling update behavior of Kubernetes. For more information, see Kubernetes Documentation.
You can verify that the upgrade was successful in the PCE UI on the Container Clusters > Workloads page and clicking on any workload and checking for the new C-VEN version.
Uninstall Illumio from Your Cluster
To uninstall the Illumio components, you need to contact Illumio Professional Services to unpair the C-VENs and then delete the Illumio resources from your cluster.
Unpair C-VENs
Important
Contact Illumio Professional Services to unpair the C-VENs in your Kubernetes or OpenShift clusters.
Deleting C-VENs or DaemonSet will not properly unpair them from the PCE and can cause the following issues:
Workloads will go offline in the PCE UI after 5 minutes (defined by the default Offline Timers configured in the PCE).
Workloads will be left in the PCE UI as offline with the button to unpair them grayed out (this action is not supported by Illumio).
Firewall rules configured on the Host and Pods namespaces will remain untouched and active.
The current way to properly delete these workloads created in the PCE UI by C-VENs is by deleting the entire cluster in the PCE UI.
Important
Unpairing an individual C-VEN is not supported. It has to be done at the cluster level (through the DaemonSet), because the cluster is considered as a single entity from a security point of view.
If a node unjoins the cluster for any reason or due to the kubectl delete node <node_name> command, the PCE automatically unpairs the C-VEN and deletes the workload and Container workloads associated with the C-VEN that was running on the deleted node.
Delete Illumio Resources
To delete the existing Illumio resources created in your Kubernetes or OpenShift cluster, follow these steps:
Delete C-VEN Resources
Contact Illumio Professional Services to unpair the C-VENs and clean up existing iptables rules created by Illumio.
Check the Workloads and Container Workloads tabs under Infrastructure > Container Clusters > YourClusterName and validate that your nodes and Pods are no longer visible.
Delete the resources created during the C-VEN installation by using the following command:
kubectl delete -f illumio-ven-kubernetes.yml kubectl delete -f illumio-ven-secret.yml
oc delete -f illumio-ven-openshift.yml oc delete -f illumio-ven-secret.yml
Delete Kubelink Resources
Delete the resources created during the Kubelink installation.
Delete Kubelink resources from Kubernetes:
kubectl delete -f illumio-kubelink-kubernetes.yml kubectl delete -f illumio-kubelink-secret.yml
Delete Kubelink resources from OpenShift:
oc delete -f illumio-kubelink-openshift.yml oc delete -f illumio-kubelink-secret.yml
Check the Summary tab under Infrastructure > Container Clusters > YourClusterName and validate that your cluster is "Out of Sync". It takes approximately 10 minutes for the cluster Status to change from "In Sync" to "Out-of-Sync".
Finally, delete the container cluster from the PCE UI and verify that there are no resources left in your cluster such as, ConfigMap, Secrets, and others.
Delete Illumio Namespace
To delete the Illumio namespace in Kubernetes, use the following command:
kubectl delete ns illumio-system
To delete the Illumio namespace in OpenShift, use the following command:
oc delete project illumio-system