Deploy Kubelink
Download the required resources, such as the Kubelink docker image, secret file, and deployment file, from the Illumio Support portal (login required).
Prerequisites
Kubelink deployment file provided by Illumio. For OpenShift deployments, the file name is illumio-kubelink-openshift.yml.
Kubelink secret file provided by Illumio. This file name is illumio-kubelink-secret.yml.
Illumio's Kubelink docker image uploaded to your private docker registry.
Create Container Cluster
Log into the PCE as a user with Global Organization Owner privileges.
From the PCE web console menu, choose Infrastructure > Container Clusters.
Click Add.
Enter a Name.
Save the Container Cluster.
You will see a summary page of the new Container Cluster. Copy the values of the Cluster ID and Cluster Token found under the Cluster Pairing Token section.
Once you have the values, you can exit the Container Cluster page.

Configure Container Workload Profile
Configure Kubelink Secret
This step assumes that you have created a Container Cluster object in the PCE. You will need the Cluster ID and Cluster Token values for the Kubelink secret.
ssh to the master node.
Open the kubelink secret YAML file and modify the stringData.
ilo_server = the PCE URL and port. Example: https://mypce.example.com:8443
ilo_cluster_uuid = Cluster ID value from previous step. Example: dc1ecbf9-f481-44a7-a4b7-fb028b1b4ece
ilo_cluster_token = Cluster Token from previous step. Example: 1_d37ea3dcd34ae8ae2a78fb33f4e159cc4003e95cc4babe0d992062127a21dab4
ignore_cert = SSL verification. The value is boolean and is recommended to be set to false so that Kubelink requires PCE certificate verification. Example: 'false'
log_level = Log level where '0' for debug, '1' for info, '2' for warn, or '3' for error. Example: '1'
SSL Verification
Illumio does not recommend turning off SSL verification (ignore_cert: 'true'); however, this is an option for deployments in which the PCE uses a self-signed certificate.
Contents of a modified illumio-kubelink-secret.yml file are shown below.
#
# Copyright 2013-2020 Illumio, Inc. All Rights Reserved.
#
apiVersion: v1
kind: Secret
metadata:
  name: illumio-kubelink-config
  namespace: kube-system
type: Opaque
stringData:
  ilo_server: https://mypce.example.com:8443 # Example: https://mypce.example.com:8443
  ilo_cluster_uuid: dc1ecbf9-f481-44a7-a4b7-fb028b1b4ece # Example: cc4997c1-408b-4f1d-a72b-91495c24c6a0
  ilo_cluster_token: 1_d37ea3dcd34ae8ae2a78fb33f4e159cc4003e95cc4babe0d992062127a21dab4 # Example: 170b8aa3dd6d8aa3c284e9ea016e8653f7b51cb4b0431d8cbdba11508763f3a3
  ignore_cert: 'false' # Set to 'true' to ignore the PCE certificate
  log_level: '1' # Default log level is info
Note
If you are going to use a private PKI to sign the PCE certificate, see Implement Kubelink with a Private PKI before deploying Kubelink.
Save the changes.
Create the Kubelink secret using the file.
oc create -f illumio-kubelink-secret.yml
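A pre-flight check for the secret file that can be run before the oc create step above. This is an added example, not Illumio tooling: the function names (get_field, matches, lint_kubelink_secret, write_sample) are hypothetical, and the sample file is constructed from the example values on this page. It follows the recommendation above by reporting any ignore_cert value other than 'false' as a finding.

```shell
# Added example: lint illumio-kubelink-secret.yml before running oc create -f.

# get_field FILE KEY: print KEY's value without trailing comment or quotes.
get_field() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^['\"]//" -e "s/['\"]\$//"
}

# matches VALUE ERE: succeed when VALUE matches the extended regex.
matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# lint_kubelink_secret FILE: print findings, return 1 if there are any.
lint_kubelink_secret() {
  f=$1; rc=0
  matches "$(get_field "$f" ilo_server)" '^https://[^/[:space:]]+:[0-9]+$' ||
    { echo "ilo_server: expected https://<host>:<port>"; rc=1; }
  matches "$(get_field "$f" ilo_cluster_uuid)" \
    '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' ||
    { echo "ilo_cluster_uuid: not a UUID; copy the Cluster ID from the PCE"; rc=1; }
  [ -n "$(get_field "$f" ilo_cluster_token)" ] ||
    { echo "ilo_cluster_token: empty"; rc=1; }
  [ "$(get_field "$f" ignore_cert)" = false ] ||
    { echo "ignore_cert: expected 'false' so the PCE certificate is verified"; rc=1; }
  matches "$(get_field "$f" log_level)" '^[0-3]$' ||
    { echo "log_level: must be '0', '1', '2' or '3'"; rc=1; }
  return "$rc"
}

# write_sample FILE IGNORE_CERT: constructed secret using the page's example values.
write_sample() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Secret
type: Opaque
stringData:
  ilo_server: https://mypce.example.com:8443 # Example: https://mypce.example.com:8443
  ilo_cluster_uuid: dc1ecbf9-f481-44a7-a4b7-fb028b1b4ece
  ilo_cluster_token: 1_d37ea3dcd34ae8ae2a78fb33f4e159cc4003e95cc4babe0d992062127a21dab4
  ignore_cert: '$2' # Set to 'true' to ignore the PCE certificate
  log_level: '1' # Default log level is info
EOF
}

sample=$(mktemp)
write_sample "$sample" true   # constructed input with verification turned off
lint_kubelink_secret "$sample" || echo "fix the findings, then run oc create -f"
```

Deployments that deliberately use a self-signed PCE certificate would need to relax the ignore_cert check.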
Deploy Kubelink
Modify the Kubelink configuration file to point to the correct docker image. The example in this document has kubelink:<version#> uploaded to registry.example.com:443/illumio, which means the image link in this example is registry.example.com:443/illumio/kubelink:<version#>
Edit the Kubelink configuration YAML file. For OpenShift clusters, the file name will be illumio-kubelink-openshift.yml.
Inside the YAML you will find the spec: > template: > spec: > containers: section. Paste the image link in the image: attribute. The string should be wrapped in single quotes as shown in the example below.
Save the changes.
Below is a snippet from an example of the Kubelink configuration for OpenShift to illustrate the image location.
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: illumio-kubelink
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: illumio-kubelink
  template:
    metadata:
      labels:
        app: illumio-kubelink
    spec:
#      nodeSelector:
#        node-role.kubernetes.io/master: ""
      serviceAccountName: illumio-kubelink
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: illumio-kubelink
        image: 'registry.example.com:443/illumio/illumio-kubelink:<version#>'
        imagePullPolicy: Always
        env:
          - name: ILO_SERVER
            valueFrom:
              secretKeyRef:
                name: illumio-kubelink-config
                key: ilo_server
(Optional) If you're using a private PKI to sign the PCE certificate, make sure you add the references to the root CA certificate that signed the PCE certificate. For more details, see Implement Kubelink with a Private PKI.
To deploy Kubelink, run the following command:
oc apply -f illumio-kubelink-openshift.yml
After Kubelink is successfully installed, you can check the cluster information by using the Illumio PCE web console. From the main menu, navigate to Infrastructure > Container Clusters.
Below is an example of a healthy container cluster state reported by Kubelink.
