Basics of Container Security Using Prisma AIRS Runtime Security
CNI chaining concepts and how Prisma AIRS secures your east-west traffic using Container Network Interface (CNI) chaining.
Where Can I Use This?
  • Securing Kubernetes Clusters
This page introduces you to the CNI chaining functionality in Prisma AIRS and explains how it uses this method to secure east-west traffic inside Kubernetes clusters. Kubernetes hides network complexities from external security tools, which lets attackers conceal malicious traffic within pod communications and exploit vulnerabilities in the container runtime. With CNI chaining, you can add Prisma AIRS as an additional security inspection layer alongside your existing primary CNI plugin, with the inspection engine running outside your Kubernetes cluster, without replacing your current network configuration.
Key Concepts
Before you begin, it's important to understand the following key concepts in a containerized environment:
  • Cluster: The foundation of your containerized environment where all containerized applications run.
  • Node: A physical or virtual machine that contains the necessary services required for pods.
  • Pod: The smallest deployable computing unit that you can deploy and manage in Kubernetes.
  • Namespace: A virtual cluster used to logically separate users and functions on a single physical cluster.
  • Container Network Interface (CNI): A plugin that configures network interfaces for containers and removes the allocated resources used for networking when a container is deleted.
  • Prisma AIRS AI Runtime: Network Intercept: The core security inspection layer that analyzes and enforces policy rules on redirected container traffic.
  • Helm chart: A package manager for Kubernetes used for deploying and configuring Prisma AIRS components within the cluster.
  • DaemonSet: Ensures that some or all nodes run a copy of a particular pod, and as nodes are added, a copy of the DaemonSet pod is added to each new node.
  • Kubernetes Service: An abstraction that exposes an application running on a set of pods as a network service.
CNI Chaining: How Prisma AIRS Protects Containers
To effectively inspect containerized applications, Prisma AIRS AI Runtime: Network intercept uses CNI chaining to create secure tunnels between your applications and the inspection engine. CNI chaining redirects container traffic out of your Kubernetes cluster to Prisma AIRS AI Runtime: Network intercept, which is deployed outside the cluster. This provides complete visibility and control that internal-only solutions can’t achieve and enables comprehensive east-west traffic analysis that traditional security approaches often miss.
The architecture diagram in figure 1 illustrates how Prisma AIRS achieves application-specific visibility and control of container traffic in all directions, including both inbound and outbound, as well as east-west traffic within the Kubernetes cluster. Prisma AIRS AI Runtime: Network intercept delivers comprehensive security through native Kubernetes integration by acting as an additional CNI plugin alongside your existing primary CNI plugin, such as Calico or Flannel. This CNI chaining is used to bypass network address translation (NAT) limitations, providing direct access to the Kubernetes network for enhanced visibility. When containers communicate, traffic flows through both plugins before reaching its destination:
  • First, through your primary CNI for basic networking functions, like IP assignment and routing.
  • Then, through Prisma AIRS AI Runtime: Network intercept for deep inspection.
CNI chaining establishes tunnels to redirect traffic from your pod applications to Prisma AIRS AI Runtime: Network intercept, enabling thorough traffic inspection.
Management Options
Choose the management approach that best suits your environment:
Prerequisites for Container Security for Prisma AIRS
  • Panorama Plugin for Kubernetes.
  • YAML Files—The YAML files that include the required fields and object specifications for deploying the resources in your Kubernetes clusters, and are published on GitHub.
  • Multus CNI.
Supported Environments
  • Kubernetes Versions: 1.30 and above with CNI specification 0.4.0+.
  • Compatible CNI Plugins: Calico, Flannel, Weave Net, and Cilium.
  • Container Runtimes: Docker, containerd, and CRI-O.
  • Cloud Platforms: AWS EKS, Azure AKS, Google GKE, Red Hat OpenShift, and Rancher.
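The following preflight check is an added illustration, not code from this page or from the Prisma AIRS product. It parses a CNI network configuration list of the kind a chained setup produces and verifies what the CNI chaining section and the Supported Environments list require: the primary CNI plugin runs first, the inspection plugin is chained after it, and cniVersion meets the 0.4.0 minimum. The plugin type `prisma-airs-intercept` is an assumed placeholder, not the product's real plugin name.

```python
import json

# Minimum CNI specification version the page requires for chaining.
MIN_CNI_VERSION = (0, 4, 0)
# CNI "type" strings of the primary plugins the page lists as compatible.
PRIMARY_CNI_TYPES = {"calico", "flannel", "weave-net", "cilium-cni"}
# Placeholder type for the chained inspection plugin (assumed name, not the real one).
INSPECTION_PLUGIN_TYPE = "prisma-airs-intercept"

def parse_version(version):
    """Turn '0.4.0' into (0, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def check_chain(conflist_text):
    """Return a list of findings for a CNI conflist; an empty list means the chain is sound."""
    findings = []
    conf = json.loads(conflist_text)
    version = conf.get("cniVersion", "0.0.0")
    if parse_version(version) < MIN_CNI_VERSION:
        findings.append(f"cniVersion {version} is below the required 0.4.0")
    types = [plugin.get("type") for plugin in conf.get("plugins", [])]
    first = types[0] if types else None
    if first not in PRIMARY_CNI_TYPES:
        findings.append(f"first plugin {first!r} is not a supported primary CNI")
    if INSPECTION_PLUGIN_TYPE not in types:
        findings.append("inspection plugin is missing from the chain")
    elif types.index(INSPECTION_PLUGIN_TYPE) == 0:
        findings.append("inspection plugin must run after the primary CNI, not first")
    return findings

# Constructed sample: Calico does IP assignment and routing, the inspection plugin follows.
GOOD_CONFLIST = json.dumps({
    "cniVersion": "0.4.0",
    "plugins": [
        {"type": "calico", "ipam": {"type": "calico-ipam"}},
        {"type": INSPECTION_PLUGIN_TYPE},
    ],
})

# Constructed sample with two defects: old spec version and the inspection plugin placed first.
BAD_CONFLIST = json.dumps({
    "cniVersion": "0.3.1",
    "plugins": [{"type": INSPECTION_PLUGIN_TYPE}, {"type": "calico"}],
})

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFLIST), ("bad", BAD_CONFLIST)):
        print(label, check_chain(text) or "OK")
```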
Additional Resources
For more information on container security with Prisma AIRS AI Runtime: Network intercept, you can refer to the following resources: