Illumio Core 25.1 Install, Configure, Upgrade

Host and Cluster Requirements

To deploy Illumio containers into your environment, you must meet the following requirements.

Supported Configurations for On-premises and IaaS

For full details on all supported configurations for Containerized VEN release 21.5.15 and earlier, see the C-VEN/Kubelink OS Support and Dependencies page on the Illumio Support Portal (under Software > OS Support).

Privileges

The privileges listed below should be provided at the host level and the cluster level for the respective components.

Host-Level
C-VEN

C-VEN requires the following privileges on the host:

  • C-VEN is a privileged container and requires access to the following system calls:

    • NET_ADMIN

    • SYS_MODULE

    • SYS_ADMIN

  • C-VEN requires persistent storage on the host to write iptables rules and logs.

  • C-VEN mounts volumes on the local host to be able to operate (mount points may differ depending on the orchestration platform).

Optionally, you can set the Priority Class to system-node-critical. This option is only supported in Kubernetes 1.17 and later, in a namespace other than kube-system. For more details, see the Kubernetes documentation.

Kubelink

Kubelink does not require specific privileges on the host because Kubelink:

  • Is not a privileged container.

  • Is a stateless container.

  • Does not require persistent storage.

Cluster-Level
Namespace

C-VENs and Kubelink are deployed in the illumio-system namespace. You can modify this namespace name according to your deployment (manifest file modification).

C-VEN

C-VEN requires the following privileges on the cluster:

  • C-VEN uses the illumio-ven ServiceAccount.

Kubelink

Kubelink requires the following privileges on the cluster:

  • Kubelink creates a new Cluster Role to list and watch events occurring on the Kubernetes API server for the following elements:

    • nodes

    • hostsubnets

    • replicationcontrollers

    • services

    • replicasets

    • daemonsets

    • namespaces

    • statefulsets

  • Kubelink uses the illumio-kubelink ServiceAccount.

Optionally, you can set the Priority Class to system-cluster-critical. This option is only supported in Kubernetes 1.17 and later, in a namespace other than kube-system. For more details, see the Kubernetes documentation.
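
To check a deployed Kubelink Cluster Role against the list above, this added example (not Illumio's code or manifest) compares a role's rules, in the JSON form that `kubectl get clusterrole <name> -o json` returns, with the resources and list/watch verbs this page names. The role name `example-kubelink-role` and the sample rules are constructed, and API groups are ignored because the page does not state them.

```python
import json

# Resources and verbs this page lists for the Kubelink Cluster Role.
DOCUMENTED_RESOURCES = {
    "nodes", "hostsubnets", "replicationcontrollers", "services",
    "replicasets", "daemonsets", "namespaces", "statefulsets",
}
DOCUMENTED_VERBS = {"list", "watch"}

# Constructed sample (not Illumio's manifest): two documented resources are
# absent and one rule grants something the page does not mention.
SAMPLE_ROLE_JSON = """
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-kubelink-role"},
  "rules": [
    {"apiGroups": [""],
     "resources": ["nodes", "namespaces", "services", "replicationcontrollers"],
     "verbs": ["list", "watch"]},
    {"apiGroups": ["apps"],
     "resources": ["replicasets", "daemonsets"],
     "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}
  ]
}
"""

def _covered(pair, granted):
    """True if a (resource, verb) pair is granted directly or by a '*'."""
    resource, verb = pair
    return any(r in (resource, "*") and v in (verb, "*") for r, v in granted)

def audit_cluster_role(role):
    """Return (missing, excess) relative to the documented list/watch set.

    missing: documented (resource, verb) pairs the role does not grant.
    excess:  granted pairs beyond the page's list, wildcards included;
             these need review against the manifest actually shipped.
    """
    granted = {(res, verb)
               for rule in role.get("rules", [])
               for res in rule.get("resources", [])
               for verb in rule.get("verbs", [])}
    wanted = {(r, v) for r in DOCUMENTED_RESOURCES for v in DOCUMENTED_VERBS}
    missing = sorted(p for p in wanted if not _covered(p, granted))
    return missing, sorted(granted - wanted)

if __name__ == "__main__":
    missing, excess = audit_cluster_role(json.loads(SAMPLE_ROLE_JSON))
    print("missing:", missing)
    print("beyond documented list:", excess)
```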