This page introduces the CNI chaining functionality in Prisma AIRS and explains how Prisma AIRS uses this method to secure
east-west traffic inside Kubernetes clusters. Kubernetes hides network complexities from
external security tools, enabling attackers to conceal malicious traffic within pod
communications and exploit vulnerabilities in the container runtime. With CNI chaining,
you can integrate Prisma AIRS, deployed outside your Kubernetes cluster, as an additional
security inspection layer alongside your existing primary CNI plugin, without replacing
your current network configuration.
Key Concepts
Before you begin, it's important to understand the following key concepts in a
containerized environment:
Cluster: The foundation of your containerized environment where all
containerized applications run.
Node: A physical or virtual machine that contains the necessary
services required for pods.
Pod: The smallest deployable computing unit that you can deploy and
manage in Kubernetes.
Namespace: A virtual cluster used to logically separate users and
functions on a single physical cluster.
Container Network Interface (CNI): A plugin that configures network
interfaces for containers and removes the allocated resources used for
networking when a container is deleted.
Prisma AIRS AI Runtime: Network Intercept: The core security
inspection layer that analyzes and enforces policy rules on redirected
container traffic.
Helm chart: A package manager for Kubernetes used for deploying and
configuring Prisma AIRS components within the cluster.
DaemonSet: Ensures that some or all nodes run a copy of a particular
pod, and as nodes are added, a copy of the DaemonSet pod is added to each
new node.
Kubernetes Service: An abstraction that exposes an application
running on a set of pods as a network service.
CNI Chaining: How Prisma AIRS Protects Containers
To effectively inspect containerized applications, Prisma AIRS
AI Runtime: Network Intercept uses CNI chaining to create secure tunnels between
your applications and Prisma AIRS AI Runtime: Network
Intercept. The CNI chaining redirects container traffic out of your Kubernetes
cluster to Prisma AIRS AI Runtime: Network Intercept, which
is deployed outside the cluster. This provides complete visibility and control that
internal-only solutions can't achieve and enables comprehensive east-west traffic
analysis that traditional security approaches often miss.
The architecture diagram in figure 1 illustrates how Prisma AIRS achieves application-specific visibility and control of container traffic in all
directions, including both inbound and outbound, as well as east-west traffic within
the Kubernetes cluster. Prisma AIRS AI Runtime: Network
Intercept delivers comprehensive security through native Kubernetes integration by
acting as an additional CNI plugin alongside your existing primary CNI plugin, such
as Calico or Flannel. This CNI chaining is used to bypass network address
translation (NAT) limitations, providing direct access to the Kubernetes network for
enhanced visibility. When containers communicate, traffic flows through both plugins
before reaching its destination:
First, through your primary CNI for basic networking functions, like IP
assignment and routing.
Then, through Prisma AIRS AI Runtime: Network
Intercept for deep inspection.
CNI chaining establishes tunnels to redirect traffic from your pod applications to
Prisma AIRS AI Runtime: Network Intercept, enabling
thorough traffic inspection.
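A small operator-side check for the chain order described above, added here as an example and not code from the Prisma AIRS docs or Helm chart: it reads a node's CNI conflist, confirms the cniVersion meets the 0.4.0 minimum stated under Supported Environments, and confirms the primary CNI runs first and the inspection plugin runs after it. The inspection plugin's type string and the sample conflist are constructed placeholders, and the primary CNI type strings are assumed.

```python
import json

# Constructed sample node conflist (not from the Prisma AIRS docs). The second
# plugin's type is a hypothetical placeholder for the inspection plugin.
SAMPLE_CONFLIST = """
{
  "cniVersion": "0.4.0",
  "name": "k8s-pod-network",
  "plugins": [
    {"type": "calico", "ipam": {"type": "calico-ipam"}},
    {"type": "example-inspection-cni"}
  ]
}
"""

# Assumed CNI "type" strings for the primary plugins the page lists as compatible.
PRIMARY_CNIS = {"calico", "flannel", "weave-net", "cilium-cni"}
MIN_CNI_VERSION = (0, 4, 0)  # the page requires CNI specification 0.4.0+


def parse_version(version: str) -> tuple:
    """Turn '0.4.0' into (0, 4, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def check_chain(conflist_text: str, inspection_type: str) -> list:
    """Return a list of findings; an empty list means the chain is ordered correctly."""
    conf = json.loads(conflist_text)
    findings = []
    if "plugins" not in conf:
        # A single-plugin .conf cannot chain; chaining needs a .conflist "plugins" array.
        return ["single-plugin config: no chaining, a .conflist with a plugins array is required"]
    version = conf.get("cniVersion", "0.0.0")
    if parse_version(version) < MIN_CNI_VERSION:
        findings.append(f"cniVersion {version} is below 0.4.0")
    types = [plugin.get("type") for plugin in conf["plugins"]]
    if not types or types[0] not in PRIMARY_CNIS:
        first = types[0] if types else None
        findings.append(f"first plugin {first!r} is not a supported primary CNI")
    if inspection_type not in types:
        findings.append(f"inspection plugin {inspection_type!r} missing from chain")
    elif types.index(inspection_type) == 0:
        # IP assignment and routing must already be done before inspection runs.
        findings.append("inspection plugin runs before the primary CNI; it must come after IP assignment")
    return findings


if __name__ == "__main__":
    print(check_chain(SAMPLE_CONFLIST, "example-inspection-cni") or "chain OK")
```

Run it against the conflist under /etc/cni/net.d on each node (a DaemonSet is the natural place for that) and treat any finding as a sign that pod traffic is not being redirected for inspection.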
Management Options
Choose the management approach that best suits your environment:
Panorama Management: Use the Kubernetes Plugin on Panorama for
centralized policy management across multiple clusters.
Strata Cloud Manager: Deploy tag collector integration for dynamic
workload discovery and automated IP tag harvesting.
Prerequisites for Container Security for Prisma AIRS
YAML Files—The YAML files, published on GitHub, that include the required fields
and object specifications for deploying the resources in your Kubernetes clusters.
Multus CNI.
Supported Environments
Kubernetes Versions: 1.30 and above with CNI specification
0.4.0+.
Compatible CNI Plugins: Calico, Flannel, Weave Net, and Cilium.
Container Runtimes: Docker, containerd, and CRI-O.
Cloud Platforms: AWS EKS, Azure AKS, Google GKE, Red Hat OpenShift,
and Rancher.
Additional Resources
For more information on container security with Prisma AIRS AI
Runtime: Network intercept, you can refer to the following resources: