
Illumio Core 25.1 Install, Configure, Upgrade

Map Kubernetes Node or Workload Labels to Illumio Labels

Label mapping is a method of mapping some or all existing Kubernetes labels to Illumio labels. Label maps are an additional way to assign Illumio labels to container hosts or Kubernetes workloads, alongside existing methods such as container workload profiles and pairing profiles. Labels assigned through label maps take precedence; that is, they overwrite any labels assigned using other methods.

A label map is defined by a Kubernetes Custom Resource Definition (CRD) within a YAML file, which is typically installed via a Helm Chart. Installing the Helm Chart then applies the defined labels.

The label type must already exist in the PCE before new labels of that type can be created through label mapping.

Kubernetes Node Labels or Kubernetes Workload Labels

You can map labels on Kubernetes nodes (also called host workloads) to Illumio labels, or map labels on Kubernetes Workloads to Illumio labels. Define labels for Kubernetes nodes in a nodeLabelMap section of your CRD, and labels for Kubernetes Workloads in a workloadLabelMap section.

Note

Note that Kubernetes Workloads is a term used only in CLAS-enabled deployments of Illumio Core for Kubernetes (contrasted to Container Workloads). Currently, there is no support for labeling non-CLAS Container Workloads.

Important

You can map Kubernetes Workload labels only to deployments running PCE version 24.5.0 or later.

Label Mapping CRD

The CRD is defined in the YAML file with a kind: LabelMap declaration, which in turn contains a nodeLabelMap section that applies to nodes (host workloads) or a workloadLabelMap section that applies to Kubernetes Workloads. The declaration can contain both sections.

Within the nodeLabelMap or workloadLabelMap section, Illumio label types are mapped with fromKey and toKey key-value pairs, where the fromKey value specifies a source Kubernetes label, and the toKey value paired with it defines the destination Illumio label type.

If an optional allowCreate: true is included in a fromKey and toKey pair, the Illumio label value defined in that mapping is created if it does not already exist on the PCE.

An optional valuesMap: within a fromKey and toKey pair specifies one or more label value mappings for that label type: each from: value identifies a source Kubernetes label value, and the to: value that follows it specifies the destination Illumio label value. If no valuesMap: is specified, the label values for the mapped label type are not changed; only the label type is changed in the PCE.

Example Label Maps

The following example label map for Kubernetes node labels performs these mapping functions:

  • The first item under nodeLabelMap creates a new Illumio loc label with the value Amazon (if it does not exist, per the allowCreate: true declaration). It assigns this label to all nodes that carry the Kubernetes label topology.kubernetes.io/region with a value of either eu-west-1 or eu-west-2.

  • With the second item under nodeLabelMap, for every node that carries the Kubernetes label node-type, the map creates an Illumio k8s-node label whose value is the existing Kubernetes label value (because there is no associated valuesMap definition).

kind: LabelMap
apiVersion: ic4k.illumio.com/v1alpha1
metadata:
  name: default
nodeLabelMap:
  - allowCreate: true
    fromKey: topology.kubernetes.io/region
    toKey: loc
    valuesMap:
      - from: eu-west-1
        to: Amazon
      - from: eu-west-2
        to: Amazon
  - allowCreate: true
    fromKey: node-type
    toKey: k8s-node

The following is a similar YAML excerpt that defines a label map for Kubernetes Workloads.

  • In the first declaration under workloadLabelMap, for every workload that carries the Kubernetes label environ, the map creates an Illumio label of type env and maps the Kubernetes value EKS to the Illumio label value AmazonK8SService.

  • The next fromKey section maps workloads with the Kubernetes label stage to the Illumio label type role.

kind: LabelMap
apiVersion: ic4k.illumio.com/v1alpha1
metadata:
  name: default
workloadLabelMap:
  - fromKey: environ
    toKey: env
    allowCreate: false
    valuesMap:
      - from: EKS
        to: AmazonK8SService
  - fromKey: stage
    toKey: role
    allowCreate: true

Show the Source of a PCE Label

Because a Kubernetes Workload can have a label assigned to it in any of three different ways (Container Workload Profile, Kubernetes annotations, or the label map CRD), the PCE now shows how a Kubernetes Workload was labeled, that is, the source of each PCE label. The label source is indicated by an annotation whose key begins with the string com.ilo-result.<label_type>, paired with a label source indicator.

The label source indicator can be one of these values:

  • container-workload-profile - Container Workload Profile

  • annotations - Kubernetes workload template annotation

  • label-map - LabelMap CRD

This is shown both in the PCE web UI (in the Kubernetes Attributes section of the workload details page) and in the command line output of kubectl get deploy.
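The following is an added example, not Illumio's code, that models the mapping rules described above (fromKey/toKey, valuesMap, allowCreate, the requirement that the label type already exist) together with label-map precedence and the com.ilo-result.<label_type> source annotation. The PCE state is constructed, and two behaviors the page does not spell out are marked as assumptions in the comments: a value absent from a valuesMap passes through unchanged, and an unknown value with allowCreate: false is skipped.

```python
from typing import Dict, List, Set, Tuple

# Constructed PCE state: label types that exist, with their known label values.
PCE_LABELS: Dict[str, Set[str]] = {"env": {"AmazonK8SService", "Development"}, "role": set()}

# The page's workloadLabelMap entries, written as a Python list instead of YAML.
WORKLOAD_LABEL_MAP = [
    {"fromKey": "environ", "toKey": "env", "allowCreate": False,
     "valuesMap": [{"from": "EKS", "to": "AmazonK8SService"}]},
    {"fromKey": "stage", "toKey": "role", "allowCreate": True},
]

def apply_label_map(entries: List[dict], k8s_labels: Dict[str, str],
                    pce: Dict[str, Set[str]]) -> Dict[str, str]:
    """Return the Illumio labels (type -> value) the entries assign to an object
    carrying k8s_labels; values created via allowCreate are added to pce."""
    assigned: Dict[str, str] = {}
    for entry in entries:
        src = k8s_labels.get(entry["fromKey"])
        if src is None:
            continue                      # object lacks the source Kubernetes label
        ltype = entry["toKey"]
        if ltype not in pce:              # page: the label type must already exist
            raise ValueError(f"label type {ltype!r} does not exist in the PCE")
        # valuesMap translates the value; with no valuesMap the Kubernetes value is kept.
        # Assumption: a value absent from a non-empty valuesMap passes through unchanged.
        value = next((m["to"] for m in entry.get("valuesMap", []) if m["from"] == src), src)
        if value not in pce[ltype]:
            if not entry.get("allowCreate", False):
                continue                  # assumption: unknown value, no allowCreate -> skip
            pce[ltype].add(value)         # allowCreate: true creates the label value
        assigned[ltype] = value
    return assigned

def merge_sources(existing: Dict[str, Tuple[str, str]],
                  mapped: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Combine labels from other sources (type -> (value, source indicator)) with
    label-map results; label-map assignments overwrite the others (page's precedence rule)."""
    merged = dict(existing)
    for ltype, value in mapped.items():
        merged[ltype] = (value, "label-map")
    return merged

def ilo_result_annotations(merged: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Render the com.ilo-result.<label_type> source annotations the PCE shows."""
    return {f"com.ilo-result.{t}": source for t, (_, source) in merged.items()}

if __name__ == "__main__":
    pce = {k: set(v) for k, v in PCE_LABELS.items()}
    mapped = apply_label_map(WORKLOAD_LABEL_MAP, {"environ": "EKS", "stage": "prod"}, pce)
    final = merge_sources({"env": ("Development", "annotations")}, mapped)
    print(final, ilo_result_annotations(final))
```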