IP-Address-to-Tag Mapping of Kubernetes Attributes

Retrieve tags from every Kubernetes cluster that you are monitoring on Panorama.
Where Can I Use This?
  • CN-Series deployment
What Do I Need?
  • CN-Series 10.1.x or above Container Images
  • Panorama running PAN-OS 10.1.x or above version
  • Helm 3.6 or above version client for CN-Series deployment with Helm
The Kubernetes plugin on Panorama creates tags for the predefined attributes of your Kubernetes clusters, for user-defined labels on Pods and Services, and for service objects.
The plugin creates tags for the following Kubernetes objects:
  • Pod Classes: ReplicaSets, DaemonSets, StatefulSets
  • Service Types: ClusterIP, NodePort, LoadBalancer
  • Service Objects: port, targetPort, nodePort, and pod interfaces
By default, the Kubernetes plugin on Panorama retrieves the following predefined tags from every Kubernetes cluster that you are monitoring on Panorama, and creates tags in the format listed below. You can then use these tags as match criteria in Dynamic Address Groups and enforce Security policy for the underlying IP addresses associated with each tag.
The maximum length of each tag is 127 characters. Tags are truncated if they exceed the maximum character count. If two truncated tags are the same, a unique hash is added to the tags to differentiate them from one another.
You can use the Kubernetes plugin to distribute IP-address-to-tag mapping for pods, nodes, namespaces, and services deployed within the Kubernetes cluster to physical or VM-Series firewalls, even if you have not deployed CN-Series firewall in that cluster.
Predefined Tags | Tag Format on Panorama | IP Address Collected
--- | --- | ---
DaemonSet | k8s.cl_<cluster-name>.ns_<namespace>.ds_<pod-name> | Pod IP addresses
ReplicaSet | k8s.cl_<cluster-name>.ns_<namespace>.rs_<pod-name> | Pod IP addresses
StatefulSet | k8s.cl_<cluster-name>.ns_<namespace>.ss_<pod-name> | Pod IP addresses
Service | k8s.cl_<cluster-name>.ns_<namespace>.svc_<svc-name> | Cluster IP addresses; Pod IP addresses
External Service | k8s.cl_<cluster-name>.ns_<namespace>.exsvc_<svc-name> | External Service IP addresses; LoadBalancer IP addresses
Nodes | k8s.cl_<cluster-name>.nodes | Private IP addresses of all nodes
External Nodes | k8s.cl_<cluster-name>.ex_nodes | Public IP addresses of all nodes
Namespace | k8s.cl_<cluster-name>.ns_<namespace> | All Cluster IP addresses in the namespace; all Pod IP addresses in the namespace
Interface | k8s.cl_<cluster-name>.ns_<namespace>.ds_<daemonset-name>.if_<interface>; k8s.cl_<cluster-name>.ns_<namespace>.rs_<replicaset-name>.if_<interface>; k8s.cl_<cluster-name>.ns_<namespace>.ss_<statefulset-name>.if_<interface> | All IP addresses of all interfaces on each pod in your deployment
If you use labels to organize the Pods and Services within the Kubernetes cluster, the Kubernetes plugin on Panorama can query these labels and create tags for you. The following user-defined labels are supported:
User-Defined Tags | Tag Format on Panorama | IP Address Collected
--- | --- | ---
Label | k8s.cl_<cluster-name>.ns_<namespace>.<label-key>.<label-value> | All Cluster IP addresses in that namespace that match the specified label; all Pod IP addresses in that namespace that match the specified label
Label Selector | k8s.cl_<cluster-name>.<selector-name> | All Cluster IP addresses that match the specified selector; all Pod IP addresses that match the specified selector
The label selector matches for the specified label against Pods and Services within the Kubernetes cluster and maps the IP addresses associated with the label to a single tag. The Kubernetes plugin supports set-based and equality-based selectors for label key and label value.
The following equality-based selectors are supported:
  • key = value (for example, app = redis)
  • key == value
  • key != value
You can also specify multiple selectors in an expression as a comma separated list. For example:
app == web, tier != backend
The following set-based selectors are supported:
  • key in (value1, value2)
  • key notin (value1, value2), for example, tier notin (frontend, backend)
  • key
  • !key
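As an added example (not code from Palo Alto Networks or the Kubernetes plugin), the following evaluates the selector grammar described above against a constructed set of pod labels and returns the pod IPs that a label-selector tag would carry; it also builds the tag name in the k8s.cl_<cluster-name>.<selector-name> format and applies the 127-character limit. It assumes that, as in Kubernetes, `!=` and `notin` also match pods that lack the key; the page does not state how the plugin handles that case.

```python
import re

# Constructed sample inventory (not from the page): pod -> (labels, pod IP)
PODS = {
    "web-1":   ({"app": "web",   "tier": "frontend"}, "10.0.1.10"),
    "web-2":   ({"app": "web",   "tier": "backend"},  "10.0.1.11"),
    "redis-0": ({"app": "redis", "tier": "cache"},    "10.0.2.5"),
    "batch-7": ({"app": "batch"},                     "10.0.3.9"),
}

_EQ = re.compile(r"^(?P<k>[^!=\s]+)\s*(?P<op>==|=|!=)\s*(?P<v>\S+)$")
_SET = re.compile(r"^(?P<k>\S+)\s+(?P<op>in|notin)\s*\((?P<vals>[^()]*)\)$")

def split_terms(expr):
    """Split a comma-separated selector, ignoring commas inside 'in (...)' lists."""
    return [t.strip() for t in re.split(r",(?![^()]*\))", expr) if t.strip()]

def parse_term(term):
    """Compile one selector term into a predicate over a pod's label dict.
    Assumption: like Kubernetes, '!=' and 'notin' also match pods without the key."""
    m = _EQ.match(term)
    if m:  # equality-based: key = value, key == value, key != value
        k, op, v = m.group("k", "op", "v")
        return (lambda lb: lb.get(k) != v) if op == "!=" else (lambda lb: lb.get(k) == v)
    m = _SET.match(term)
    if m:  # set-based: key in (a, b), key notin (a, b)
        k, op = m.group("k", "op")
        vals = {x.strip() for x in m.group("vals").split(",") if x.strip()}
        return (lambda lb: lb.get(k) in vals) if op == "in" else (lambda lb: lb.get(k) not in vals)
    if term.startswith("!"):  # !key: the label key must be absent
        key = term[1:].strip()
        return lambda lb: key not in lb
    return lambda lb: term in lb  # bare key: the label key must be present

def select_pod_ips(expr, pods=PODS):
    """Sorted pod IPs that a label-selector tag built from `expr` would carry."""
    preds = [parse_term(t) for t in split_terms(expr)]
    return sorted(ip for labels, ip in pods.values() if all(p(labels) for p in preds))

def selector_tag(cluster, selector_name, max_len=127):
    """Tag name in the page's format, truncated to Panorama's 127-character limit
    (the collision hash the page mentions for identical truncated tags is not modelled)."""
    return f"k8s.cl_{cluster}.{selector_name}"[:max_len]

if __name__ == "__main__":
    print(selector_tag("prod", "web-frontend"), "->", select_pod_ips("app == web, tier != backend"))
    print(selector_tag("prod", "not-web-tiers"), "->", select_pod_ips("tier notin (frontend, backend)"))
```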
For monitored Services, the plugin generates service objects for the port, targetPort, and nodePort values using the following naming scheme:
<namespace>-<svc_name>-<type>-<port_value>-<hash>
The hash ensures that the service objects remain unique even if namespaces and service names overlap across Kubernetes clusters.