Harvesting IP Tags for Private Kubernetes Cluster
Where Can I Use This?
  • AI Runtime Security
What Do I Need?
  • IP-Tag Collector as Redistribution Agent
  • AI Runtime Security on Strata Cloud Manager (SCM)
  • Kubernetes Plugin version 3.1.0 or above
  • AI Runtime Security image with PAN-OS 11.2.2
The AI Runtime Security protects the traffic to and from the AI applications and models. These AI applications and models integrate both containerized and virtual machine workloads, so granular security policy for containers is necessary. In a Kubernetes environment, the lifecycle of a container pod is 3 minutes. You can harvest the IP tag mappings (specifically, Kubernetes labels such as namespaces, services, and pods) for your private cluster and use them in your security policy through the IP-Tag collector in your AI Runtime Security. The AI Runtime Security supports registering IP addresses and tags dynamically for your private Kubernetes clusters. You can register your IP addresses and tags on the AI Runtime Security directly, and also automatically remove IP tags from the source and destination IP addresses included in a firewall log. For more information on IP addresses and tags, see Use Dynamic Address Groups in Security Policy.
Use the IP-Tag collector to harvest the IP tags for your private Kubernetes clusters and send these harvested IP tags to AI Runtime Security through local distribution. Perform the following steps:
  1. Bring up your AI Runtime Security instance using the Bootstrapping method. You can bootstrap the AI Runtime Security instance with the user data method.
    1. Enter the bootstrap configuration parameters as key-value pairs directly into the GCP user interface when deploying the AI Runtime Security. In your Terraform template file, use a newline (\n) for each parameter, and if a parameter has multiple options, use commas to separate them.
    2. Add the following key-value pair to the user data field to enable the IP-Tag collector mode:
      plugin-op-commands=tag_collector_mode_flag:enable
    For more information, see Enter a Basic Configuration as User Data.
  2. Run the following command to verify the IP-Tag collector mode status:
    show system info | match tag-collector-mode
    When the mode is active, the output reads:
    tag-collector-mode: enabled
  3. Onboard your Kubernetes cluster by running the following commands:
    1. If you are able to scp your credential file to the tag-collector, import it and then reference the file:
      scp import k8s-service-account
      set deviceconfig plugins kubernetes setup cluster-credentials <cluster_name> api-server-address <ip> cluster-type GKE cluster-credential-file service-account-json <filename>
    2. If you are not able to scp your credential to the tag-collector, gzip and base64 encode your credential file, and then use the resulting string in the following commands:
      set deviceconfig plugins kubernetes setup cluster-credentials <cluster_name> api-server-address <ip> cluster-type GKE cluster-credential-file service-account-cred <credential_str>
      set deviceconfig plugins kubernetes setup cluster-credentials <cluster_name> api-server-address <api_address> labels <no-labels/labels>
  4. Configure the SCM region to enable the IP-Tag collector to send the IP tags to SCM. Run the following commands:
    To view the list of regions:
    request plugins kubernetes set-tag-collector-config region
    To input the name of your region for discovery:
    request plugins kubernetes set-tag-collector-config region <region_name>
  5. Enter configure to switch to configuration mode.
  6. Create the monitoring definition on the IP-Tag collector by running the following command:
    set deviceconfig plugins kubernetes monitoring-definition <mon_def_name> cluster-credentials <cluster_name> enable yes
    You can map only one cluster to a monitoring definition and one monitoring definition to a cluster.
  7. Enter commit to save your changes.
  8. For the redistribution client to show up on the agent and for local distribution to work, run the following commands on your IP-Tag collector:
    set deviceconfig system service disable-userid-service no
    commit
    show redistribution service client all
    Run the following commands to show, debug, or request the Kubernetes plugin information:
    show plugins kubernetes [ counters | details-dashboard | ip-details | status | tag-details ]
    debug plugins kubernetes [ dump-cluster-response | kubernetes-db-dump | kubernetes-tags ]
    request plugins kubernetes [ merge-logs | set-tag-collector-config | validate-cluster-creds ]
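Step 3.2 asks for a gzip-compressed, base64-encoded copy of the service account file as <credential_str>. The following added example (not from the original page or the product) builds that string on an admin workstation and checks that it decodes back to the original file before you paste it into the CLI; it assumes GNU-style gzip, base64 and cmp are available.

```shell
#!/bin/sh
# Added example, not from the original page: build the <credential_str> that
# step 3.2 passes to "cluster-credential-file service-account-cred" when the
# credential file cannot be copied to the tag-collector with scp.

# Gzip the credential file and base64-encode the result as one line.
# "gzip -n" leaves the file name and timestamp out of the gzip header, so the
# same file always yields the same string; "tr -d '\n'" joins the base64
# output into the single line the CLI argument expects.
encode_k8s_cred() {
    gzip -n -c "$1" | base64 | tr -d '\n'
}

# Reverse the encoding so the string about to be committed can be checked
# against the original file.
decode_k8s_cred() {
    printf '%s' "$1" | base64 -d | gzip -d -c
}

# encode_and_verify <service-account.json>
# Prints the credential string on success; returns non-zero if decoding the
# string does not reproduce the input byte for byte.
encode_and_verify() {
    cred_str=$(encode_k8s_cred "$1") || return 1
    if decode_k8s_cred "$cred_str" | cmp -s - "$1"; then
        printf '%s\n' "$cred_str"
    else
        echo "round-trip check failed for $1" >&2
        return 1
    fi
}
```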

Configure IP-Tag Collector as Redistribution Agent on AI Runtime Security

Data redistribution also provides granularity, allowing you to redistribute only the types of information you specify to only the devices you select. You can also filter the IP user mappings or IP tag mappings using subnets and ranges to ensure the firewalls collect only the mappings they need to enforce policy. For more information, see Firewall Deployment for Data Redistribution.
You can configure the IP-Tag collector as a redistribution agent on your AI Runtime Security console or on SCM. Plan the redistribution architecture, configure the data sources from which your redistribution agents obtain the data to redistribute to their clients, and then configure the authentication policy.
For more information on configuring the IP-Tag collector as a redistribution agent, see Configure Data Redistribution and Using Strata Cloud Manager to Set up data redistribution.

Add Address Group and Filter the IP-Tag Mappings for Private Kubernetes Clusters

In a large-scale network, instead of configuring all your firewalls directly to query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Data redistribution also provides granularity, allowing you to redistribute only the types of information you specify to only the devices you select. Filter the IP tag mappings using subnets and ranges to ensure the firewalls collect only the mappings they need to enforce policy rules.
After configuring SCM for your AI Runtime Security instance, follow these steps to add an address group and filter the IP tag mappings for your private Kubernetes clusters:
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Objects > Address > Address Groups > Add Address Group with the required IP address-to-tag mappings.
  3. Enter the address group Name, and select Dynamic as the address group Type.
  4. Click Add Match Criteria.
    You can see the list of Kubernetes tags sent from the IP-Tag collector to the SCM.
  5. Select the required Kubernetes tags, and then click Save.

Add Security Policy Rule

The security policy is where you define how you want to enforce traffic protection in your AI Runtime Security deployments. All traffic that passes through your AI Runtime Security instance is evaluated against your security policy, and rules are applied from the top down. For more information, see Security Policy.
You can define Pre rules and Post rules in a shared context, as shared policies for all managed firewalls, or in a device context, to make the rules specific to a folder:
Pre Rules: Rules that are added to the top of the rule order and are evaluated first. You can use pre-rules to enforce the Acceptable Use Policy for an organization.
Post Rules: Rules that are added at the bottom of the rule order and are evaluated after the pre-rules and rules that are locally defined on the firewall. Post-rules typically include rules to deny access to traffic based on the App-ID™, User-ID™, or Service.
After you create the address group for your private Kubernetes clusters on SCM, follow these steps to set up your security policy rule:
  1. Log in to Strata Cloud Manager.
  2. Go to Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy.
  3. Click Add Rule.
  4. Select Pre Rule or Post Rule.
  5. Enter your security policy rule name.
  6. Select Source and Destination match criteria.
    You can select your previously created address group under the Source section.
  7. Click Save.
  8. Click Push Config to push configuration changes to your AI Runtime Security instance.
    The Cloud Managed Devices tab (Workflows > NGFW Setup > Device Management > Cloud > Managed Devices) displays all of your SCM onboarded firewalls, the folders they are assigned to, and important details about them. For more information, see Workflows: Device Management.
    After a successful Push Configuration, log in to your AI Runtime Security command line interface and run the following command to view the list of registered IP tags:
    show object registered-ip all
