AI Runtime Security
Configure Strata Cloud Manager to Secure VM Workloads and Kubernetes Clusters
Table of Contents
Expand All
|
Collapse All
AI Runtime Security Docs
Configure Strata Cloud Manager to Secure VM Workloads and Kubernetes Clusters
Strata Cloud Manager configurations to secure your VM workloads/vNets and Kubernetes
clusters post downloading the AI Runtime Security instance deployment Terraform template in
Strata Cloud Manager.
Where Can I Use This? | What Do I Need? |
---|---|
|
Prerequisites
- Deploy AI Runtime Security Instance specific to your cloud to Save and Download the Terraform template.
- Unzip and navigate to the `<unzipped-folder>` that has the following
structure:|____architecture |____LICENSE |____README.md |____security_project |____application_project |____helm |____modulesOn this page you'll:
- Configure Strata Cloud Managerto protect VM workloads and Kubernetes clusters
- Configure Strata Cloud Manager to secure VM workloads
- Configure your cloud and Strata Cloud Manager to secure the Kubernetes clusters
- Install a Kubernetes application with Helm
AI Runtime Security is only supported for public clusters on GCP, Azure, and AWS cloud platforms.GCP
AI Runtime Security post deployment configurations in Strata Cloud Manager to protect VM workloads and Kubernetes clusters.Where Can I Use This? What Do I Need? - Secure VMs and Kubernetes in Strata Cloud Manager
- Log in to Strata Cloud Manager.Configure AI Runtime Security instance (firewall) Interfaces:
- Select Manage → Configuration → NGFW and Prisma Access.Select Device Settings → Interfaces.Set the Configuration Scope to your AI Runtime Security folder.In Ethernet tab:Configure a Layer 3 Interface for eth1/1 and eth1/2:
- Interfaces: eth1/1 and eth1/2
- Location: Specify location if applicable
- Interface Type: Layer3
- IP Address: Dynamic (DHCP Client)
Select the Loopback tab, to configure the Loopback interface:- In IPv4s, enter the ILB (Internal Load Balancer) private IP address
- Set Security Zone to trust for eth1/2 and untrust for eth1/1
- Ensure VR (Virtual Router) is set to default or the same as eth1/2
Create zones. Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Zones.Configure a Logical Router:- Create a Logical Router and add the Layer 3 interfaces (eth1/1 and eth1/2).
- Configure a Static Route with the ILB static IP addresses for routing. Use the trust interface gateway IP address.
Add a security policy (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy → Add Rule).Ensure the policy allows health checks from the GCP Load Balancer (LB) pool to the internal LB IP from Strata Cloud Manager. Check session IDs to ensure the firewall responds correctly on the designated interfaces.Configurations to Secure VM Workloads
- Configure Static Routes for VPC endpoints.
- Log in to Strata Cloud Manager.Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Routing → Logical Routers.For VPC Subnet:
- Edit the IPv4 Static Routes and add the route for the VPC IPv4 range CIDR subnets.
- Set the Next Hop as eth1/2.
- Set the Destination as the trust subnet gateway IP from Strata Cloud Manager.
- Update the static route.
Save the Logical Router.Log in to Strata Cloud Manager.Select Manage → Operations → Push Config and push the policy configurations to the AI Runtime Security instance.Configurations to Secure the Kubernetes Clusters
- Add pod and service IP Subnets to AI Runtime Security trust firewall rules:
- Get the IP addresses for pod and service subnets:
- Go to Kubernetes Engine -> Clusters.Select a Cluster and copy the Cluster Pod IPv4 and IPv4 Service range IP addresses.Follow the AI Runtime Security Instance deployment in GCP to save and download the Terraform template.Edit the Terraform template to whitelist the following IP addresses in your VPC network firewall rules:
- Navigate to the `<unzipped-folder>/architecture/security_project` directory.
- Edit the `terraform.tfvars` file to add the copied IP addresses list
to your `source_ranges`.firewall_rules = { allow-trust-ingress = { name = "allow-trust-vpc" source_ranges = ["35.xxx.0.0/16", "130.xxx.0.0/22", "192.xxx.0.0/16", "10.xxx.0.0/14", "10.xx.208.0/20"] # 1st 2 IPs are for health check packets. Add APP VPC/Pod/Service CIDRs priority = "1000" allowed_protocol = "all" allowed_ports = [] } }
- Apply the Terraform:terraform init terraform plan terraform applyAdd static routes on the Logical Router for Kubernetes workloads:
- Log in to Strata Cloud Manager.Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Routing → Logical Routers.Configure Static Routes for the pod and service subnets for the Kubernetes workloads:Pod Subnet:
- Edit the IPv4 Static Routes and add a route with the Pod IPv4 range CIDR.
- Set the Next Hop as eth1/2 (trust interface).
- Set the Destination as the trust subnet gateway IP from Strata Cloud Manager.
Service Subnet:- Edit the IPv4 Static Routes add a route with the IPv4 Service range CIDR.
- Set the Next Hop as eth1/2 (trust interface).
- Set the Destination as the trust subnet gateway IP from Strata Cloud Manager.
Add source NAT Policy for Outbound Traffic:- Log in to Strata Cloud Manager.Select Manage → Configuration → NGFW and Prisma Access → Network Policies → NAT.Create or modify a source NAT Policy:
- Source Zone: Trust
- Destination Zone: Untrust (eth1/1)
- Policy Name: trust2untrust or similar.
Configure NAT settings:Interface Address Section:- Set the Interface to eth1/1. (The translation happens at
eth1/1).If needed, create a complementary rule for the reverse direction (for example, untrust2trust).
Log in to Strata Cloud Manager.Select Manage → Operations → Push Config and push the policy configurations to the AI Runtime Security instance.Note: If you have a Kubernetes cluster running, follow the section to install a Kubernetes application with Helm.Install a Kubernetes Application with Helm
Follow the below steps to install a Kubernetes application on a Kubernetes cluster. - Change the directory to the Helm folder:cd <unzipped-folder>/architecture/helmCreate the `ai-runtime-security` directory and move the below files to this directory:mkdir ai-runtime-security mv Chart.yaml ai-runtime-security mv values.yaml ai-runtime-security mv templates ai-runtime-securityInstall the Helm chart:helm install ai-runtime-security ai-runtime-security --namespace kube-system --values ai-runtime-security/values.yamlVerify the Helm installation:#List all Helm releases helm list -A #Ensure the output shows your installation with details such as: NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION ai-runtime-security kube-system 1 2024-08-13 07:00 PDT deployed ai-runtime-security-0.1.0 11.2.2Check the pod status:kubectl get pods -A #Verify that the pods with names similar to `pan-cni-*****` are present.Check the endpoint slices:kubectl get endpointslice -n kube-system #Confirm that the output shows an ILB IP address: NAME ADDRESSTYPE PORTS ENDPOINTS AGE my-endpointslice IPv4 80/TCP 10.2xx.0.1,10.2xx.0.2 12hCheck the services running in the `kube-system` namespace:kubectl get svc -n kube-system #Ensure that services `pan-cni-sa` and `pan-plugin-user-secret` are listed: NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE pan-cni-sa ClusterIP 10.xx.0.1 <none> 443/TCP 24h pan-plugin-user-secret ClusterIP 10.xx.0.2 <none> 443/TCP 24hAnnotate the application `yaml` or `namespace` so that the traffic from the new pods is redirected to the AI Runtime Security instance (firewall) for inspection.
For example, for all new pods in the "default" namespace:annotations: paloaltonetworks.com/firewall: pan-fwkubectl annotate namespace default paloaltonetworks.com/firewall=pan-fwAzure
AI Runtime Security post deployment configurations in Strata Cloud Manager to protect VM workloads and Kubernetes clusters.Where Can I Use This? What Do I Need? - Secure VMs and Kubernetes in Strata Cloud Manager
- Log in to Strata Cloud Manager.Configure AI Runtime Security instance (firewall) Interfaces:
- Select Manage → Configuration → NGFW and Prisma Access.Select Device Settings → Interfaces.Set the Configuration Scope to your AI Runtime Security folder.In Ethernet tab:Configure a Layer 3 Interface for eth1/1 and eth1/2:
- Interfaces: eth1/1 and eth1/2
- Location: Specify location if applicable
- Interface Type: Layer3
- IP Address: Dynamic (DHCP Client)
Select the Loopback tab, to configure the Loopback interface:- In IPv4s, enter the ILB (Internal Load Balancer) private IP address
- Set Security Zone to trust for eth1/1 and untrust for eth1/2
- Ensure LR (Logical Router) is set to default or the same as eth1/1
Create zones. Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Zones.Configure a Logical Router:- Create a Logical Router and add the Layer 3 interfaces (eth1/1 and eth1/2).
- Configure a Static Route with the ILB static IP addresses for routing. Use the trust interface gateway IP address.
Add a security policy (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy → Add Rule).Ensure the policy allows health checks from the Azure Load Balancer (LB) pool to the internal LB IP from Strata Cloud Manager. Check session IDs to ensure the firewall responds correctly on the designated interfaces.Configurations to Secure VM Workloads
- Configure Static Routes for vNet endpoints.
- Log in to Strata Cloud Manager.Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Routing → Logical Routers.For vNet Subnet:
- Edit the IPv4 Static Routes and add the route for the vNet IPv4 range CIDR subnets.
- Set the Next Hop as eth1/1.
- Set the Destination as the trust subnet gateway IP from Strata Cloud Manager.
- Update the static route.
Save the Logical Router.Log in to Strata Cloud Manager.Select Manage → Operations → Push Config and push the policy configurations to the AI Runtime Security instance.Configurations to Secure the Kubernetes Clusters
- Add static routes on the Logical Router for Kubernetes workloads:
- Log in to Strata Cloud Manager.Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Routing → Logical Routers.Configure Static Routes for the pod and service subnets for the Kubernetes workloads:Pod Subnet:
- Edit the IPv4 Static Routes and add a route with the Pod IPv4 range CIDR.
- Set the Next Hop as eth1/1 (trust interface).
- Set the Destination as the trust subnet gateway IP from Strata Cloud Manager.
Service Subnet:- Edit the IPv4 Static Routes add a route with the IPv4 Service range CIDR.
- Set the Next Hop as eth1/1 (trust interface).
- Set the Destination as the trust subnet gateway IP from Strata Cloud Manager.
Add Source NAT policy for Outbound Traffic:- Log in to Strata Cloud Manager.Select Manage → Configuration → NGFW and Prisma Access → Network Policies → NAT.Create or modify a source NAT Policy:
- Source Zone: Trust
- Destination Zone: Untrust (eth1/2)
- Policy Name: trust2untrust or similar.
Configure NAT settings:Interface Address Section:- Set the Interface to eth1/2. (The translation happens at
eth1/2).If needed, create a complementary rule for the reverse direction (for example, untrust2trust).
Log in to Strata Cloud Manager.Select Manage → Operations → Push Config and push the policy configurations to the AI Runtime Security instance.Note: If you have a Kubernetes cluster running, follow the section to install a Kubernetes application with Helm.Install a Kubernetes Application with Helm
Follow the below steps to install a Kubernetes application on a Kubernetes cluster. - Change the directory to the Helm folder:cd <unzipped-folder>/architecture/helmCreate the `ai-runtime-security` directory and move the below files to this directory:mkdir ai-runtime-security mv Chart.yaml ai-runtime-security mv values.yaml ai-runtime-security mv templates ai-runtime-securityInstall the Helm chart:helm install ai-runtime-security ai-runtime-security --namespace kube-system --values ai-runtime-security/values.yamlVerify the Helm installation:#List all Helm releases helm list -A #Ensure the output shows your installation with details such as: NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION ai-runtime-security kube-system 1 2024-08-13 07:00 PDT deployed ai-runtime-security-0.1.0 11.2.2Check the pod status:kubectl get pods -A #Verify that the pods with names similar to `pan-cni-*****` are present.Check the endpoint slices:kubectl get endpointslice -n kube-system #Confirm that the output shows an ILB IP address: NAME ADDRESSTYPE PORTS ENDPOINTS AGE my-endpointslice IPv4 80/TCP 10.2xx.0.1,10.2xx.0.2 12hCheck the services running in the `kube-system` namespace:kubectl get svc -n kube-system #Ensure that services `pan-cni-sa` and `pan-plugin-user-secret` are listed: NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE pan-cni-sa ClusterIP 10.xx.0.1 <none> 443/TCP 24h pan-plugin-user-secret ClusterIP 10.xx.0.2 <none> 443/TCP 24hAnnotate the application `yaml` or `namespace` so that the traffic from the new pods is redirected to the AI Runtime Security instance (firewall) for inspection.
For example, for all new pods in the "default" namespace:annotations: paloaltonetworks.com/firewall: pan-fwkubectl annotate namespace default paloaltonetworks.com/firewall=pan-fwAWS
AI Runtime Security post deployment configurations in Strata Cloud Manager to protect VM workloads and Kubernetes clusters.Where Can I Use This? What Do I Need? - Secure VMs and Kubernetes in Strata Cloud Manager
- Log in to Strata Cloud Manager.Configure AI Runtime Security: Network intercept (firewall) Interfaces:
- Select Manage → Configuration → NGFW and Prisma Access.Select Device Settings → Interfaces.Set the Configuration Scope to your AI Runtime Security folder.In Ethernet tab:Configure a Layer 3 Interface for eth1/1:
- Interfaces: eth1/1
- Location: Specify the location if applicable
- Interface Type: Layer3
- IP Address: Dynamic (DHCP Client)
Configure zones:- Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Zones.
- Set Security Zone to trust for eth1/1.
Configure a Logical Router:- Create a Logical Router and add the Layer 3 interface (eth1/1).
Add a security policy (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy → Add Rule). Set the action as allow.Select Manage → Operations → Push Config and push the policy configurations to the AI Runtime Security instance.Install a Kubernetes Application with Helm
Follow the below steps to install a Kubernetes application on a Kubernetes cluster by applying the helm chart. Prerequisites:- Go to your downloaded Terraform template and navigate to `<unzipped-folder>/architecture/helm`.
- Apply the Terraform for the `security_project` as shown in the AWS deployment
workflow. Deploying the Terraform for the security project creates the GWLB endpoints in your AWS account.
- Open the `values.yaml` file found in the path: `<unzipped-folder>/architecture/helm`.
- Update the `endpoints1` and `endpoints2` values with your GWLB endpoints
IP addresses. Below is a sample `values.yaml`
file:# Default values for ai-runtime-security. # This is a YAML-formatted file. # Declare variables to be passed into your templates. # Configure vpc endpoint per zone. This makes sure kubernetes # traffic is not sent across zone. Endpoints can be added or # removed based on requirements and zone availability. # GWLB VPC endpoint zone1 IP address. endpoints1: "" endpoints1zone: us-east-1a # GWLB VPC endpoint zone2 IP address. endpoints2: "" endpoints2zone: us-east-1b # PAN CNI image. cniimage: gcr.io/pan-cn-series/airs/pan-cni:latest # Resource namespace name. namespace: kube-system # Kubernetes ClusterID value range 1-2048. clusterid: 1
- Apply the helm chart by following the below steps.
- Change the directory to the Helm folder:cd <unzipped-folder>/architecture/helmCreate the `ai-runtime-security` directory and move the below files to this directory:mkdir ai-runtime-security mv Chart.yaml ai-runtime-security mv values.yaml ai-runtime-security mv templates ai-runtime-securityInstall the Helm chart:helm install ai-runtime-security ai-runtime-security --namespace kube-system --values ai-runtime-security/values.yamlVerify the Helm installation:#List all Helm releases helm list -A #Ensure the output shows your installation with details such as: NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION ai-runtime-security kube-system 1 2024-08-13 07:00 PDT deployed ai-runtime-security-0.1.0 11.2.2Check the pod status:kubectl get pods -A #Verify that the pods with names similar to `pan-cni-*****` are present.Check the endpoint slices:kubectl get endpointslice -n kube-system #Confirm that the output shows an ILB IP address: NAME ADDRESSTYPE PORTS ENDPOINTS AGE my-endpointslice IPv4 80/TCP 10.2xx.0.1,10.2xx.0.2 12hCheck the services running in the `kube-system` namespace: