>
    IP-Address-to-Tag Mapping of Kubernetes Attributes
    Focus
    Download PDF
    Focus
    1. Home
    2. CN-Series
    3. Deploy the CN-Series Firewalls
    4. Configure Panorama to Secure a Kubernetes Deployment
    5. IP-Address-to-Tag Mapping of Kubernetes Attributes
    Download PDF
    CN-Series

    IP-Address-to-Tag Mapping of Kubernetes Attributes

    Table of Contents

    IP-Address-to-Tag Mapping of Kubernetes Attributes

    Retrieve tags from every Kubernetes cluster that you are monitoring on Panorama.
    Where Can I Use This?What Do I Need?
    • CN-Series deployment
    • CN-Series 10.1.x or above Container Images
    • Panorama running PAN-OS 10.1.x or above version
    • Helm 3.6 or above version client for CN-Series deployment with Helm
    The Kubernetes plugin on Panorama creates tags for predefined tags in your Kubernetes clusters, user defined labels for Pods and Services, and service objects.
    The plugin creates tags for the following Kubernetes objects:
    • Pod Classes: ReplicaSets, DaemonSets, StatefulSets
    • Service Types: ClusterIP, NodePort, LoadBalancer
    • Service Objects: port, targetPort, nodePort, and pod interfaces
    By default, the Kubernetes plugin on Panorama retrieves the following predefined tags from every Kubernetes cluster that you are monitoring on Panorama, and creates tags in the format listed below. You can then use these tags as match criteria in Dynamic Address Groups and enforce Security policy for the underlying IP addresses associated with each tag.
    The maximum length of each tag is 127 characters. Tags are truncated if they exceed the maximum character count. If two truncated tags are the same, a unique hash is added to the tags to differentiate them from one another.
    You can use the Kubernetes plugin to distribute IP-address-to-tag mapping for pods, nodes, namespaces, and services deployed within the Kubernetes cluster to physical or VM-Series firewalls, even if you have not deployed CN-Series firewall in that cluster.
    Predefined TagsTag Format on PanoramaIP Address Collected
    DaemonSet
    k8s.cl_<cluster-name>.ns_<namespace>.ds_<pod-name>
    		Pod IP addresses
    ReplicaSet
    k8s.cl_<cluster-name>.ns_<namespace>.rs_<pod-name>
    		Pod IP addresses
    StatefulSet
    k8s.cl_<cluster-name>.ns_<namespace>.ss_<pod-name>
    		Pod IP addresses
    Service
    k8s.cl_<cluster-name>.ns_<namespace>.svc_<svc-name>
    Cluster IP addresses
    Pod IP addresses
    External Service
    k8s.cl_<cluster-name>.ns_<namespace>.exsvc_<svc-name>
    External Service IP addresses
    LoadBalancer IP addresses
    Nodes
    k8s.cl_<cluster-name>.nodes
    		Private IP addresses of all nodes
    External Nodes
    k8s.cl_<cluster-name>.ex_nodes
    		Public IP addresses of all nodes
    Namespace
    k8s.cl_<cluster-name>.ns_<namespace>
    All Cluster IP addresses in the namespace
    All Pod IP addresses in the namespace
    Interface
    • k8s.cl_<cluster-name>.ns_<namespace>.ds_<daemonset-name>.if_<interface>
    • k8s.cl_<cluster-name>.ns_<namespace>.rs_<replicaset-name>.if_<interface>
    • k8s.cl_<cluster-name>.ns_<namespace>.ss_<statefulset-name>.if_<interface>
    All IP addresses of all interfaces on each pod in your deployment.
    If you use labels to organize the Pods and services within the Kuberbetes cluster, the Kubernetes plugin on Panorama can query these labels and create tags for you. The following user-defined labels are supported:
    User-Defined TagsTag Format on PanoramaIP Address Collected
    Label
    k8s.cl_<cluster-name>.ns_<namespace>.<label-key>.<label-value>
    All Cluster IP addresses in that namespace that match the specified label.
    All Pod IP addresses in that namespace that match the specified label.
    Label Selectork8s.cl_<cluster-name>.<selector-name>
    All Cluster IP addresses that match the specified selector.
    All Pod IP addresses that match the specified selector.
    The label selector matches for the specified label against Pods and Services within the Kubernetes cluster and maps the IP addresses associated with the label to a single tag. The Kubernetes plugin supports set-based and equality-based selectors for label key and label value.
    The following equality-based selectors are supported:
    • key = value; key ==
    • value; key != value, for example, app = redis
    You can also specify multiple selectors in an expression as a comma separated list. For example:
    app == web, tier != backend
    The following set-based selectors are supported:
    • key in (value1, value2)
    • key notin (value1, value2), for example, tier notin (frontend, backend)
    • key
    • !key
    For the monitored Service Objects, the plugin generates ports for the port, targetPort, and nodePort service objects using the following naming scheme:
    <namespace>-<svc_name>-<type>-<port_value>-<hash>
    The hash ensures that even if you have overlapping namespaces and service names across k8s clusters, the service objects are unique.

    © 2024 Palo Alto Networks, Inc. All rights reserved.