
Illumio Core 25.1 Install, Configure, Upgrade

VEN Support for Standalone Containers

This topic describes how to enable support for standalone (unorchestrated) containers running on a host. It covers configuring changes on the PCE as well as on VENs supporting standalone containers.

Note

This topic describes VEN support for standalone containers only. It doesn't describe support for orchestrated container engines such as Kubernetes or OpenShift. For orchestrated containers, use the Illumio Core for Kubernetes and OpenShift product.

Capabilities

Illumio Core supports the use of containerized workloads such as those provided by Docker and Podman.

VENs protect standalone containers:

  • To and from container hosts

  • To and from containers through CIHP (Container Inherit Host Policy), given some limitations. (See Requirements and Limitations.)

Requirements and Limitations

Note

Illumio recommends that you use an orchestration platform to manage your containers. Illumio provides a complete solution for Kubernetes-based platforms. See Illumio Core for Kubernetes and OpenShift.

  • This support does not provide segmentation between containers on the same host.

  • This support does not represent the container as a workload (map or policy object), and each container is implicitly part of the Docker host (the workload).

  • The containers must share the same policies as the host.

  • CIHP is supported on RHEL 8 / Oracle Linux 8 / Ubuntu 22 and later with Illumio Core 22.5 and later.

  • In Illumio Core 21.5 and later, if you want to enforce traffic on the container hosts only, allow all traffic to the containers and bypass CIHP by enabling IP forwarding. See Enable IP Forwarding.

  • Segmentation between containers is not supported.

Verify support for your standalone container

Before installing regular VENs on a standalone container, first verify support.

  1. Verify that the VEN is supported on your version of Linux. (See the Illumio Support Portal.)

  2. Verify that your version of the Container Engine is listed in the following table:

    Container Engine    Supported Versions
    Docker              19.03, 20.10
    Podman              3.0 and 4.0

Configure the PCE to support containers

Follow these steps to configure the PCE to support containers running on a host.

  1. Configure Containers to inherit host policy.

    This is disabled by default. Enabling it copies the host policy (all Illumio iptables-related rules) into the filter:FORWARD chain, so that packets forwarded to containers are controlled by the Illumio security policy.

    Set a scope of Illumio labels for host with containers:

    1. Go to Settings > Security.

    2. Click the Containers Policy tab and then click Edit.

    3. Add scope for host with containers.

      You can define a narrow scope with specific label values or a broad scope that encompasses all workloads. For more information, see "Ruleset Scope" in the Security Policy Guide.

  2. Pair workloads with containers. If they are already paired, go to the Security section of the workload's details page and verify that the workload's container settings show Container Inherit Host Policy: Yes.

  3. Write rules to cover the port mapping between the host and the container. Below is an example scenario of container access:

    [Figure: rules-host-to-container]

    To allow access to the container on Host_1 port 80, create an intra-scope rule for access within the application group and an extra-scope rule for access from outside of the application group.

    The example rule below allows any workload to access container port 80 on Host_1. Notice that the service includes both the container port (80) and the host port (8888).

    Rule allowing access to container on Host_1:

    [Figure: allow_access_container]

    Docker will have rules to NAT port 8888 to port 80.

  4. Verify traffic flows to the containers on the VEN.

    Verify in the log at /opt/illumio_ven_data/log/vtapdrop.log that there is no dropped traffic to the containers. In the /opt/illumio_ven_data/log/vtapflow.log file, verify that there are flows to the containers on the VEN when workload is enforced.

    The log entries below show the flow between host_2 192.168.125.208:54253 and the container on Host_1 172.17.0.2:80:

    ==> /opt/illumio_ven_data/log/vtapflow.log <==
    2020-02-03T16:47:15.104-08:00 docker0 O 0 4 192.168.125.208 172.17.0.2 6 64886 80 12286 C 0 U SWID=3c1b9f96-969a-472e-bbbc-9d1c93751ef9 TBI=0 TBO=116
    2020-02-03T16:48:15.157-08:00 docker0 O 0 4 192.168.125.208 172.17.0.2 6 64885 80 72339 C 0 U SWID=3c1b9f96-969a-472e-bbbc-9d1c93751ef9 TBI=0 TBO=116

    Inbound traffic from Host_2 to Host_1 will not be shown in vtapflow.log; only traffic from Host_2 to the container IP address is.
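The verification in step 4 is usually done by eye over a tail of vtapflow.log. The script below is an added example (not Illumio code) that does the same check programmatically: it parses lines shaped like the two entries above and reports which flows reached a container address on the expected port. The positional field layout it assumes (field 5/6 = source/destination address, 7 = IP protocol number, 8/9 = source/destination port) is inferred from those two sample entries, not from a documented log format, and the third sample line (a host-to-host SSH flow) is constructed to show a flow that should be excluded.

```python
"""Find flows to standalone containers in vtapflow.log-style entries.

Added example, not part of the Illumio documentation. Field positions are an
assumption inferred from the sample entries shown in this topic.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed sample: the first two entries mirror the shape of the log lines
# in this topic; the "tail -f" header and the eth0 line are added to show
# input that the parser must skip or filter out.
SAMPLE_VTAPFLOW = """\
==> /opt/illumio_ven_data/log/vtapflow.log <==
2020-02-03T16:47:15.104-08:00 docker0 O 0 4 192.168.125.208 172.17.0.2 6 64886 80 12286 C 0 U SWID=3c1b9f96-969a-472e-bbbc-9d1c93751ef9 TBI=0 TBO=116
2020-02-03T16:48:15.157-08:00 docker0 O 0 4 192.168.125.208 172.17.0.2 6 64885 80 72339 C 0 U SWID=3c1b9f96-969a-472e-bbbc-9d1c93751ef9 TBI=0 TBO=116
2020-02-03T16:49:01.000-08:00 eth0 I 0 4 192.168.125.208 192.168.125.10 6 50000 22 100 C 0 U SWID=3c1b9f96-969a-472e-bbbc-9d1c93751ef9 TBI=0 TBO=90
"""

TCP = 6  # IP protocol number for TCP


@dataclass
class FlowRecord:
    timestamp: str
    interface: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    attrs: Dict[str, str] = field(default_factory=dict)  # KEY=VALUE tail (SWID, TBI, TBO, ...)


def parse_vtapflow_line(line: str) -> Optional[FlowRecord]:
    """Parse one line; return None for blank lines, tail headers, or unrecognised layout."""
    line = line.strip()
    if not line or line.startswith("==>"):
        return None
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        return FlowRecord(
            timestamp=fields[0],
            interface=fields[1],
            src_ip=fields[5],   # assumption: source address
            dst_ip=fields[6],   # assumption: destination address
            proto=int(fields[7]),     # assumption: IP protocol number
            src_port=int(fields[8]),  # assumption: source port
            dst_port=int(fields[9]),  # assumption: destination port
            attrs=dict(tok.split("=", 1) for tok in fields[10:] if "=" in tok),
        )
    except ValueError:
        return None


def container_flows(lines: Iterable[str],
                    container_net: str = "172.17.0.0/16",
                    container_port: int = 80,
                    proto: int = TCP) -> List[FlowRecord]:
    """Return flows whose destination is a container address on the expected service port.

    172.17.0.0/16 is the default docker0 bridge range; pass the range in use on the host.
    """
    net = ipaddress.ip_network(container_net)
    matches = []
    for line in lines:
        rec = parse_vtapflow_line(line)
        if rec is None or rec.proto != proto or rec.dst_port != container_port:
            continue
        if ipaddress.ip_address(rec.dst_ip) in net:
            matches.append(rec)
    return matches


def peers_reaching_container(lines: Iterable[str], **kwargs) -> List[str]:
    """Distinct source addresses that reached the container, sorted for stable output."""
    return sorted({rec.src_ip for rec in container_flows(lines, **kwargs)})


if __name__ == "__main__":
    for rec in container_flows(SAMPLE_VTAPFLOW.splitlines()):
        print(f"{rec.timestamp} {rec.src_ip}:{rec.src_port} -> {rec.dst_ip}:{rec.dst_port} "
              f"via {rec.interface} SWID={rec.attrs.get('SWID')}")
    print("peers:", peers_reaching_container(SAMPLE_VTAPFLOW.splitlines()))
```

On a real host, feed it the file itself (`container_flows(open('/opt/illumio_ven_data/log/vtapflow.log'))`) and compare the peer list with the consumers your rule is meant to allow; an empty result while the consumer is known to be connecting, together with entries in vtapdrop.log, points at the rule not covering the container port as described in step 3.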