
Illumio Core What's New and Release Notes 24.5

What's New in Illumio Core for Kubernetes 5.3.1

These release notes describe the new features, enhancements, resolved issues, and known issues for the 5.3.x releases of Illumio Core for Kubernetes, also known as Illumio Kubernetes Operator. This product was formerly known as Illumio Containerized VEN, or C-VEN. Illumio Core for Kubernetes also includes the related required component Kubelink. Because of this heritage, some references to this product as "C-VEN" occur throughout the documentation.

Product Version

Compatible PCE Versions: 23.5.31 and later

Current Illumio Core for Kubernetes Version: 5.3.1, which includes:

  • C-VEN version: 23.4.3

  • Kubelink version: 5.3.1

  • Helm Chart version: 5.3.1

What's New in Release 5.3.1

Here's a summary of the new features in this release:

  • Support installation of Illumio Core for Kubernetes into a custom namespace 

    You can now install Illumio Core for Kubernetes into a custom namespace instead of into the default namespace of illumio-system. For backward compatibility, the variable namespaceOverride: illumio-system still overrides the namespace by default, so it must be changed when installing into a custom namespace.

    For example, to install into the ilo namespace, specify the namespace with the --namespace option and use the --set option to set namespaceOverride to null:

    helm install illumio -f illumio-values.yaml oci://quay.io/illumio/illumio --version 5.3.1 --namespace ilo --create-namespace --set namespaceOverride=null

    Alternatively, specify the namespace with the --namespace option but also use --set to explicitly set namespaceOverride to ilo:

    helm install illumio -f illumio-values.yaml oci://quay.io/illumio/illumio --version 5.3.1 --namespace ilo --create-namespace --set namespaceOverride=ilo

  • "Enforce NAT Mode 1:1" option creates public workload interface

    Workloads now have a new optional feature "Enforced NAT mode 1:1" that, when enabled, ensures that pseudo-public IP addresses are detected and are then saved as workload interfaces even when the C-VEN (or VEN) cannot identify the datacenter or service provider. If this option remains disabled, the PCE either relies on the C-VEN to report the public IP address or derives it based on a datacenter match. When this option is enabled on a Container Cluster, the feature applies to all host workloads on all of its cluster nodes.

  • Map Kubernetes Workload labels to Illumio labels 

    You can now map labels on Kubernetes Workloads to corresponding Illumio labels by using a workloadLabelMap section in a label mapping Custom Resource Definition (CRD) within a YAML, in a kind: LabelMap declaration. This Kubernetes Workload label mapping is otherwise defined like the existing feature for mapping Kubernetes node (or host workloads) labels to Illumio labels. See Map Kubernetes Node or Workload Labels to Illumio Labels.

    Caution

    Mapping labels for Kubernetes Workloads only works in CLAS-enabled deployments, and requires PCE release 24.5.0.

  • Added Support for hostPort 

    Traffic enforcement of Kubernetes Workloads, which have Pods exposed via hostPort, is now available.

    Caution

    The support for hostPort is available only on deployments running PCE 24.5.0.

  • Added support for Google Kubernetes Engine (GKE)

    The Google Kubernetes Engine (GKE) is now a supported orchestration platform on Illumio Core for Kubernetes CLAS-enabled deployments that use PCE release 24.5.0 or later. For complete requirements for GKE support, see the Illumio Support Portal page on "Kubernetes Operator OS Support and Dependencies."

  • Kubernetes Workloads Show Label Source

    A new com.ilo.result.* annotation on a PCE label for a Kubernetes Workload now shows the source of that label with a code appended to the annotation: cwp means the label comes from a Container Workload Profile, map means it comes from a LabelMap, and annotations means it comes from a Kubernetes annotation. These values are shown in the PCE UI on the workload details page (under the Kubernetes Attributes section), and at the command line as part of the kubectl get deploy command output.

Limitations
  • You cannot change an existing deployment in the illumio-system namespace to a custom namespace through an upgrade.

  • Mapping labels for Kubernetes Workloads is available only in CLAS-enabled deployments, and currently requires PCE release 24.5.0.

Base Image Upgraded

The C-VEN base OS image has been upgraded to address several vulnerabilities, including CVE-2024-45337 and CVE-2024-45338. Customers are advised to upgrade to Core for Kubernetes 5.3.1 for these security fixes.