Architecture

As container adoption grows, the east-west attack surface grows with it, and so does the risk that a vulnerability or exploit in one workload is used for unauthorized lateral movement to its neighbors. The consumers and providers of a service may be other containers, bare-metal servers, or virtual machines, running on-premises or in the cloud. Securing each of these with a different tool adds management and operational complexity and leaves gaps between tools that an attacker can use.

Illumio Core provides a homogeneous segmentation solution for your applications regardless of where they run: bare-metal servers, virtual machines, or containers. It is a single unified solution with many points of integration, so you can secure your applications quickly regardless of their location or form.

A container is a loosely defined construct that abstracts a group of processes into an addressable entity in which application instances can run. Containers are implemented using Linux namespaces and cgroups, which virtualize and limit system resources. Because containers operate at the process level and share the host OS kernel, they require fewer resources than virtual machines. The isolation provided by Linux network namespaces is what allows containers to have their own IP addresses. Illumio Core uses these same mechanisms to program iptables rules inside the container's network namespace.

Illumio Core for containers orchestrated with Kubernetes or OpenShift uses the following architecture:

Kubernetes-based orchestration platforms such as native Kubernetes, OpenShift, AWS EKS, Microsoft Azure AKS, and others integrate with Illumio Core through two components deployed in the cluster:

  • Kubelink - An Illumio software component that watches the event stream from the Kubernetes API server.
  • Containerized VEN (C-VEN) - An Illumio software component that runs on the cluster nodes and provides visibility and enforcement for the nodes and their Pods.

Once these components are deployed in the cluster, they report the following information to the Policy Compute Engine (PCE):

  • Summary - Information about the Kubernetes cluster and Illumio components deployed.
  • Workloads - Information about Kubernetes nodes.
  • Container Workloads - Information about Kubernetes Pods.
  • Virtual Services - Information about Kubernetes services.
  • Container Workload Profiles - Information about Kubernetes namespaces and policies.

Illumio Core visibility and enforcement occur at the Pod level in Kubernetes and OpenShift: policies are programmed into iptables in the network namespace of the Pod. Because all containers in a Pod share that network namespace, and therefore the Pod's IP address, only Pods can be segmented; containers inside a Pod cannot be segmented from one another. The Pod is represented as a single container workload in the PCE, with the C-VEN reporting details about the containers that are part of the Pod.
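The following is an added example, not Illumio's code and not the PCE's real data model. It models how the five kinds of objects listed above (Workloads, Container Workloads, Virtual Services, Container Workload Profiles) are derived from raw Kubernetes objects, and why a multi-container Pod still yields a single container workload and a single enforcement point. The Kubernetes object shapes follow the real API (metadata, spec, status); the Illumio-side class and field names are assumptions chosen for illustration, and the cluster contents are constructed sample data.

```python
"""Added example (not Illumio code): model the inventory that Kubelink and the
C-VEN report to the PCE, built from constructed Kubernetes API objects.
Object shapes follow the Kubernetes API; the Illumio-side names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class ContainerWorkload:          # one per Pod, never one per container
    uid: str
    name: str
    namespace: str
    node: str
    ip: Optional[str]             # the Pod's single address, shared by all its containers
    labels: Dict[str, str]
    containers: List[str]         # reported as detail only; not separately enforceable

@dataclass
class VirtualService:             # one per Kubernetes Service
    name: str
    namespace: str
    vip: Optional[str]            # None for a headless Service (clusterIP: None)
    ports: List[str]
    backends: List[str]           # UIDs of the container workloads the selector matches

@dataclass
class ContainerWorkloadProfile:   # one per Kubernetes namespace
    namespace: str
    labels: Dict[str, str]
    workloads: List[str] = field(default_factory=list)

# Constructed sample, trimmed to the fields used here: one node, two namespaces,
# three Pods (one with a sidecar, one still Pending), a ClusterIP and a headless Service.
K8S_OBJECTS = {
    "nodes": [{"metadata": {"name": "node-a"}}],
    "namespaces": [{"metadata": {"name": "payments", "labels": {"env": "prod"}}},
                   {"metadata": {"name": "kube-system", "labels": {}}}],
    "pods": [
        {"metadata": {"name": "api-7d9f", "namespace": "payments", "uid": "uid-1",
                      "labels": {"app": "api"}},
         "spec": {"nodeName": "node-a", "containers": [{"name": "api"}, {"name": "log-shipper"}]},
         "status": {"podIP": "10.244.1.5"}},
        {"metadata": {"name": "db-0", "namespace": "payments", "uid": "uid-2", "labels": {"app": "db"}},
         "spec": {"nodeName": "node-a", "containers": [{"name": "postgres"}]},
         "status": {"podIP": "10.244.1.9"}},
        {"metadata": {"name": "api-pending", "namespace": "payments", "uid": "uid-3",
                      "labels": {"app": "api"}},
         "spec": {"nodeName": "node-a", "containers": [{"name": "api"}]},
         "status": {}},                       # Pending: no podIP yet, so no enforcement point
    ],
    "services": [
        {"metadata": {"name": "api", "namespace": "payments"},
         "spec": {"clusterIP": "10.96.5.1", "selector": {"app": "api"},
                  "ports": [{"port": 443, "targetPort": 8443, "protocol": "TCP"}]}},
        {"metadata": {"name": "db", "namespace": "payments"},
         "spec": {"clusterIP": "None", "selector": {"app": "db"}, "ports": [{"port": 5432}]}},
    ],
}

def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Kubernetes equality selector: every selector key/value must be present.
    An empty selector selects nothing (as for a Service without a selector)."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())

def build_inventory(objs: dict) -> dict:
    """Translate raw Kubernetes objects into the Illumio-side object kinds."""
    workloads = [n["metadata"]["name"] for n in objs["nodes"]]          # nodes -> Workloads
    profiles = {ns["metadata"]["name"]: ContainerWorkloadProfile(
        ns["metadata"]["name"], ns["metadata"].get("labels", {})) for ns in objs["namespaces"]}
    cws: Dict[str, ContainerWorkload] = {}
    for p in objs["pods"]:                                               # Pods -> Container Workloads
        md, spec, status = p["metadata"], p["spec"], p.get("status", {})
        cw = ContainerWorkload(md["uid"], md["name"], md["namespace"], spec.get("nodeName", ""),
                               status.get("podIP"), md.get("labels", {}),
                               [c["name"] for c in spec["containers"]])
        cws[cw.uid] = cw
        profiles.setdefault(cw.namespace, ContainerWorkloadProfile(cw.namespace, {})).workloads.append(cw.uid)
    services = []
    for s in objs["services"]:                                           # Services -> Virtual Services
        md, spec = s["metadata"], s["spec"]
        cluster_ip = spec.get("clusterIP")
        # Backends: same namespace, selector matches, and the Pod already has an IP.
        backends = [uid for uid, cw in cws.items()
                    if cw.namespace == md["namespace"] and cw.ip
                    and selector_matches(spec.get("selector", {}), cw.labels)]
        ports = [f'{pt.get("protocol", "TCP")}/{pt["port"]}->{pt.get("targetPort", pt["port"])}'
                 for pt in spec.get("ports", [])]
        services.append(VirtualService(md["name"], md["namespace"],
                                       None if cluster_ip in (None, "None") else cluster_ip,
                                       ports, backends))
    return {"workloads": workloads, "container_workloads": cws,
            "virtual_services": services, "container_workload_profiles": profiles}

def enforcement_points(inv: dict) -> Dict[str, List[str]]:
    """Where iptables rules land: one network namespace per running Pod, keyed by
    Pod IP and listing every container that the same rule set governs."""
    return {cw.ip: cw.containers for cw in inv["container_workloads"].values() if cw.ip}
```

Running `build_inventory(K8S_OBJECTS)` on the sample yields three container workloads for four containers, and `enforcement_points` returns two entries rather than three: the Pending Pod has no network namespace address yet, and the `api` Pod's sidecar shares the enforcement point of its main container. The `api` Virtual Service resolves to `uid-1` only, because a selector match without a Pod IP is not yet a reachable backend.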