Before you begin, it's important to understand the following key concepts in a containerized environment:

• Cluster: The foundation of your containerized environment where all containerized applications run.
• Node: A physical or virtual machine that contains the necessary services required for pods.
• Pod: The smallest deployable computing unit that you can deploy and manage in Kubernetes.
• Namespace: Virtual clusters that are used to separate users and functions on a single physical cluster logically.
• Container Network Interface (CNI): A plugin that configures network interfaces for containers and removes the allocated resources used for networking when a container is deleted.
• Prisma AIRS AI Runtime: Network Intercept: The core security inspection layer that analyzes and enforces policy rules on redirected container traffic.
• Helm chart: A package manager for Kubernetes used for deploying and configuring Prisma AIRS components within the cluster.
• DaemonSet: Ensures that some or all nodes run a copy of a particular pod, and as nodes are added, a copy of the DaemonSet pod is added to each new node.
• Kubernetes Service: An abstraction that exposes an application running on a set of pods as a network service.

To effectively inspect containerized applications, Prisma AIRS AI Runtime: Network intercept uses CNI chaining to create secure tunnels between your applications and Prisma AIRS AI Runtime: Network intercept. The CNI chaining redirects container traffic out of your Kubernetes cluster to Prisma AIRS AI Runtime: Network intercept, which is deployed outside the cluster. This provides complete visibility and control that internal-only solutions can’t achieve and enables comprehensive east-west traffic analysis that traditional security approaches often miss.

The architecture diagram in figure 1 illustrates how Prisma AIRS achieves application-specific visibility and control of container traffic in all directions, including both inbound and outbound, as well as east-west traffic within the Kubernetes cluster. Prisma AIRS AI Runtime: Network intercept delivers comprehensive security through native Kubernetes integration by acting as an additional CNI plugin alongside your existing primary CNI plugin, such as Calico or Flannel. This CNI chaining is used to bypass network address translation (NAT) limitations, providing direct access to the Kubernetes network for enhanced visibility. When containers communicate, traffic flows through both plugins before reaching its destination:

• First, through your primary CNI for basic networking functions, like IP assignment and routing.
• Then, through Prisma AIRS AI Runtime: Network security for deep inspection.

CNI chaining establishes tunnels to redirect traffic from your pod applications to Prisma AIRS AI Runtime: Network intercept, enabling thorough traffic inspection.

Choose the management approach that best suits your environment:

• Panorama Management: Use the Kubernetes Plugin on Panorama for centralized policy management across multiple clusters.
• Strata Cloud Manager: Deploy tag collector integration for dynamic workload discovery and automated IP tag harvesting.

For more information on container security with Prisma AIRS AI Runtime: Network intercept, you can refer to the following resources:

• Webpage: Protect Container Networks Inside and Out
• Datasheet: Container Runtime Security with Prisma AIRS