Prepare Your Environment
Important
The following steps for preparing your environment are no longer needed when deploying Illumio Core for Kubernetes version 3.0.0 and later, which uses a Helm Chart to deploy C-VEN and Kubelink. This section is included for backward compatibility and historical purposes. If you are deploying with the Helm Chart, skip this section and follow the instructions in the "Create a Container Cluster in the PCE" topic.
You need to do these steps before C-VEN installation and pairing.
Caution
If the prerequisite steps are not completed before C-VEN and Kubelink installation, containerized environments and Kubelink can be disrupted.
Unique Machine ID
Some of the functionality and services provided by the Illumio C-VEN and Kubelink depend on the Linux machine-id of each Kubernetes cluster node. Each machine-id must be unique in order to take advantage of this functionality. By default, the Linux operating system generates a random machine-id to give each Linux host a unique identity. However, there are cases in which machine-ids are duplicated across machines. This is common in deployments that clone machines from a golden image, for example, spinning up virtual machines from VMware templates, creating compute instances from a reference image, or using a template from a Public Cloud source.
Important
Illumio Core requires a unique machine-id on all nodes. This issue is more likely to occur with on-premises or IaaS deployments, rather than with Managed Kubernetes Services (from Cloud Service Providers). For more information about how to create a new unique machine-id, see Troubleshooting.
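A pre-install check for the uniqueness requirement above, as an added example that is not part of the Illumio documentation. It assumes kubectl access to the cluster; the function names and the sample node data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Kubernetes nodes that share (or lack) a machine-id.
# Input format: one "<node-name><TAB><machine-id>" pair per line.

# Read the pairs from the live cluster (assumes kubectl is configured).
# .status.nodeInfo.machineID is the machine-id the kubelet reports for a node.
list_node_machine_ids() {
    kubectl get nodes \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.machineID}{"\n"}{end}'
}

# Read pairs on stdin and print one line per problem:
#   MISSING <node>
#   DUPLICATE <machine-id> <node,node,...>
# Returns 0 if every node has a unique, non-empty machine-id, 1 otherwise.
find_duplicate_machine_ids() {
    awk -F '\t' '
        BEGIN { bad = 0 }
        NF == 0 { next }                      # skip blank lines
        $2 == "" { printf "MISSING %s\n", $1; bad = 1; next }
        {
            count[$2]++
            if (count[$2] == 1) nodes[$2] = $1
            else nodes[$2] = nodes[$2] "," $1
        }
        END {
            for (id in count)
                if (count[id] > 1) {
                    printf "DUPLICATE %s %s\n", id, nodes[id]
                    bad = 1
                }
            exit bad
        }
    '
}

# Constructed sample: worker-2 was cloned from the same image as worker-1,
# and worker-3 reports no machine-id at all.
sample_nodes() {
    printf 'master-1\t%s\n' 'aaaa0000aaaa0000aaaa0000aaaa0001'
    printf 'worker-1\t%s\n' 'bbbb0000bbbb0000bbbb0000bbbb0002'
    printf 'worker-2\t%s\n' 'bbbb0000bbbb0000bbbb0000bbbb0002'
    printf 'worker-3\t\n'
}

# Demo on the constructed data; on a real cluster use:
#   list_node_machine_ids | find_duplicate_machine_ids
sample_nodes | find_duplicate_machine_ids \
    || echo "Fix machine-ids before installing C-VEN and Kubelink"
```
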
Create Labels
For details on creating labels, see "Labels and Label Groups" in the Security Policy Guide. The labels shown below are used in examples throughout this document. You are not required to use the same labels.
Name | Label Type |
---|---|
Kubernetes Cluster | Application |
OpenShift Cluster | Application |
Production | Environment |
Development | Environment |
Data Center | Location |
Cloud | Location |
Kubelink | Role |
Node | Role |
Master | Role |
Worker | Role |
Push Kubelink and C-VEN Images to Your Container Registry
In order to install Illumio Core for containers, you first need to upload (or push) Kubelink and C-VEN container images to your container registry. The files in the C-VEN and Kubelink packages you've downloaded are as follows:
The C-VEN package illumio-ven-21.5.x-xxxx.k8s.x86_64.tgz includes:
- A Docker image:
  - illumio-ven-21.5.x-xxxx.tgz
- Configuration files:
  - illumio-ven-secret.yml
  - illumio-ven-kubernetes.yml
  - illumio-ven-openshift.yml

The Kubelink package illumio-kubelink-2.1.x.tar.gz includes:
- A Docker image:
  - kubelink-image.tar.gz
- Configuration files in kube-yaml:
  - illumio-kubelink-secret.yml
  - illumio-kubelink-kubernetes.yml
  - illumio-kubelink-openshift.yml
  - illumio-kubelink-namespace.yml
Caution
These images are not publicly available and should not be posted on a publicly open container registry without Illumio's consent.
In a self-managed deployment, Kubelink and C-VEN images can be pushed to a private container registry. In OpenShift, a container registry is provided as part of the platform, and images can be pushed to this registry for simplicity and better authentication. Kubernetes does not provide a container registry by default, so one must be provided as an external component.
In a cloud-managed deployment, Cloud Service Providers (CSPs) provide integration with private container registries such as Amazon ECR, Microsoft ACR, and so on. These registries can be used to securely host Illumio's container images for Kubelink and C-VEN. Refer to the documentation provided by the respective CSPs to learn how to push images to those registries.
To push Kubelink and C-VEN container images to your private container registry, use the following commands (based on docker):
Log in to your private container registry.
docker login <docker-registry>
Load Kubelink and C-VEN container images on your local computer.
docker load -i kubelink-image.tar.gz
docker load -i illumio-ven-yy.y.x-xxxx.tgz
Verify that docker images are loaded on your computer.
docker image ls
Tag the Kubelink and C-VEN container image IDs with the name of your container registry.
docker tag <illumio-kubelink-image-id> <docker-registry>/illumio-kubelink:y.y.x.xxxxxx
docker tag <illumio-ven-image-id> <docker-registry>/illumio-ven:yy.y.x-xxxx
Verify that images are tagged on your computer and ready to be pushed to your private container registry.
docker image ls
Push Kubelink and C-VEN container images to your private container registry.
docker push <docker-registry>/illumio-kubelink:y.y.x.xxxxxx
docker push <docker-registry>/illumio-ven:yy.y.x-xxxx
After pushing images to your private container registry, proceed to the next section.