Kubernetes Plugin on Panorama—The
Kubernetes plugin manages the licenses for the CN-Series firewall.
Licensing is based on the number of cores you choose to allocate
to CN-NGFW pods. Each CN-NGFW pod uses a license token, and the
tokens are managed locally on Panorama after you activate the auth
code and retrieve the specified number of tokens from the Palo Alto
Networks license server. As each CN-NGFW comes up on the Kubernetes
nodes, Panorama distributes the license tokens locally.
The Kubernetes plugin on Panorama also enables you to monitor your clusters and
leverage Kubernetes labels that you use to organize Kubernetes objects such as
pods, services, deployments and the associated identifying attributes, so that
you can create context-aware Security policy rules. The Kubernetes plugin
communicates with the API server and retrieves metadata in near realtime, to
enable visibility into the applications running within the cluster. The
Kubernetes plugin collects namespaces, services, and labels from your Kubernetes
clusters to create tags for the IP-address-to-tag mapping for the associated
objects within the cluster which can then be used in Security policies. For
details, see
IP-Address-to-Tag Mapping of Kubernetes
Attributes.
It also collects information on the ports specified
in your application YAML and creates Service Objects.
While these tags and service objects are automatically
shared with the CN-NGFW pods in each cluster, you can also enable
sharing of the tags and service objects with hardware-based or VM-Series
firewalls. The tags become available as match criteria in Dynamic
Address Groups, which you can then use to secure traffic between
pods or namespaces, to an internet-exposed service, or outbound
connections.
Palo Alto Networks recommends deploying Panorama in an HA configuration so that the Panorama peer
continues to receive IP address updates in the event of a failure. If you deploy
a single instance of Panorama, in the event of a failure the traffic from any
existing applications pods are not impacted, and the current policies are
enforced on the CN-NGFW pods. When a new pod comes up, all the rules with the
source "ANY" will match to this new pod, and traffic from this new pod will be
allowed or blocked depending on your policy rules. For example, if there is an
Anti-Spyware policy rule to block outbound access from any source to the
outside world, then this rule will apply to the new pod, and the profile can
secure traffic. If there is a default Deny rule, then traffic from this
new pod will be denied.
You can use the Kubernetes plugin to distribute IP-address-to-tag mapping for
pods, nodes, namespaces, and services deployed within the Kubernetes cluster to
physical or VM-Series firewalls, even if you have not deployed CN-Series
firewalls in that cluster.