What's New and Release Notes 25.2

Scaling a Deployment with changed labels was not being updated on PCE (E-107274)

After deploying a workload with a non-existing label, create labels on the PCE and wait a few minutes before updating and applying the YAML to change the number of replicas. The deployment was not properly updated on the PCE. This issue is resolved.

When C-VEN starts first, a 404 from PCE when getting CLAS token ( E-109259)

When C-VEN is started first, it tries to contact the PCE in order to obtain CLAS token, but receives a 404 error. This is expected behavior for this scenario, which is only momentary. Kubelink eventually starts normally, and C-VEN obtains the CLAS tokens as expected.

Helm install fails with Helm version 3.12.2 but works with 3.10 (E-108128)

When installing with Helm version 3.12.2, the installation fails with a YAML parse error.

Workaround: Use Helm version 3.10, or version 3.12.3 or later.

Re-adding node does not re-pair it (E-98120)

After deleting a node and re-adding the same node, the node does not reappear, and previously established policy disappears from the node.

Workaround: Uninstall and re-install Illumio Core for Kubernetes from scratch with the node present.

CLAS on IKS with Calico, the flow of ClusterIP is not displayed correctly (E-109238)

In a CLAS environment on IKS with Calico, when running traffic to a clusterIP service from a pod, flows were being displayed incorrectly. Sometimes flows were incorrectly shown as Allowed. Other times, flows that should not be present were being shown as Blocked. This issue is resolved.

Kubernetes cluster falsely detected as an OpenShift cluster (E-107910)

After deployment, Kubelink falsely detected a Kubernetes cluster as an OpenShift cluster based on misinterpretations of installed VolumeReplicationClass and VolumeReplications APIs on the cluster. This issue is resolved.

Problem when label from PCE was deleted after Kubelink starts (E-107779)

When creating a new workload on PCE, Kubelink uses cached or preloaded labels to label a workload. However, if the label was deleted before the workload was actually created, the PCE responded with a 406 status error. This issue is resolved.

Kubelink did not properly apply label mappings with PCE using two-sided management ports (E-105391)

Label mappings were not properly applied when using the LabelMap CRD if the PCE used two-sided management ports. This issue is resolved.

CLAS: NodePort - pod rules are not removed after disabling rule (E-111689)

After disabling a NodePort rule that opens it to outside VMs, iptables entries for pods with a virtual service's targetPort are not removed as expected. The pod is still opened. Host iptables are removed, so traffic does not go through, but the pod ports stay opened towards original IPs.

There is no workaround available.

Non-CLAS mode: Failed to clean up the pods (E-109687)

After deleting a non-CLAS container cluster, the cluster gets deleted but Container Workloads are not deleted, and remain present.

CLAS-mode Kubelink pod gets restarted once when deploying Illumio Core for Kubernetes (E-109284)

The Kubelink pod is restarted after deploying Illumio Core for Kubernetes in CLAS mode.

There is no workaround. Kubelink runs properly after this single restart.

CLAS: Container Workload Profile label change is not applied to Kubernetes Workloads, only to Virtual Services (E-109168)

In CLAS environments, after changing a label in a Container Workload Profile, the Kubernetes Workloads that are managed by that Profile do not have their labels changed as expected. No changes to these Kubernetes Workloads occur even when the Profile is changed to "No Label Allowed;" the original labels remain in the Kubernetes Workloads. However, Virtual Services managed by that profile do successfully have their labels changed properly.

No workaround is available.

CLAS - The etcd pod crashes when node reboots (E-106236)

The etcd pod crashes if one of the nodes in the cluster is rebooted.

There is no workaround available.