AI Runtime Security
Harvesting IP Tags for Private Kubernetes Cluster
AI Runtime Security protects the traffic to and from your AI applications and models. These applications and models run as a mix of containerized and virtual machine workloads, so you need a security policy that is granular enough to address individual containers. In a Kubernetes environment the lifecycle of a container pod can be as short as three minutes, so a policy keyed to IP addresses alone cannot keep up. Instead, you can harvest the IP-to-tag mappings for your private cluster (specifically, Kubernetes labels such as namespaces, services, and pods) with the IP-Tag collector in AI Runtime Security and use those tags in your security policy.

AI Runtime Security supports registering IP addresses and tags dynamically for your private Kubernetes clusters. You can register IP addresses and tags on AI Runtime Security directly, and also automatically remove IP tags from the source and destination IP addresses included in a firewall log. For more information on IP addresses and tags, see Use Dynamic Address Groups in Security Policy.

Use the IP-Tag collector to harvest the IP tags for your private Kubernetes clusters and send the harvested IP-to-tag mappings to AI Runtime Security through local distribution. Perform the following steps:
- Bring up your AI Runtime Security instance using the Bootstrapping method. You can bootstrap the AI Runtime Security instance with the user data method.
- Enter the bootstrap configuration parameters as key-value pairs directly into the GCP user interface when deploying AI Runtime Security. In your Terraform template file, end each parameter with a newline (\n), and if a parameter has multiple options, separate them with commas.
- Add the following key-value pair to the user data field to enable IP-Tag collector mode:
  plugin-op-commands=tag_collector_mode_flag:enable
  For more information, see Enter a Basic Configuration as User Data.
- Run the following command to verify the IP-Tag collector mode status:
  show system info | match tag-collector-mode
  The output should read:
  tag-collector-mode: enabled
- Onboard your Kubernetes cluster by running the following commands:
  - If you can scp your credential file to the tag collector, import it and reference it by file name:
    scp import k8s-service-account
    set deviceconfig plugins kubernetes setup cluster-credentials <cluster_name> api-server-address <ip> cluster-type GKE cluster-credential-file service-account-json <filename>
  - If you cannot scp your credential to the tag collector, gzip and base64 encode your credential file, and pass the encoded string instead:
    set deviceconfig plugins kubernetes setup cluster-credentials <cluster_name> api-server-address <ip> cluster-type GKE cluster-credential-file service-account-cred <credential_str>
  - Specify whether labels are collected for the cluster:
    set deviceconfig plugins kubernetes setup cluster-credentials <cluster_name> api-server-address <api_address> labels <no-labels/labels>
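The workstation-side preparation for the bootstrap and onboarding steps above, as an added example that is not from the AI Runtime Security documentation or product: a POSIX shell script that builds the bootstrap user data (one key=value per line, comma-separated options) and checks that it carries plugin-op-commands=tag_collector_mode_flag:enable, and that gzips and base64-encodes a service-account JSON file for the service-account-cred form of the cluster-credentials command. The function names, the hostname value, the temporary directory and the sample service-account file are assumptions constructed for the example; gzip and base64 are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the AI Runtime Security documentation or product.
# Prepares, on the admin workstation, the two inputs the procedure needs:
#   1. the bootstrap user-data string (one key=value per line; multiple
#      options for one key separated by commas) that enables IP-Tag
#      collector mode;
#   2. the gzip + base64 form of a GKE service-account JSON file for the
#      "cluster-credential-file service-account-cred <credential_str>" form.
# Assumes a POSIX sh with gzip and base64. The service-account file written
# below is constructed for the example and is not a real credential.

# Build user data from key=value arguments, one parameter per line.
# Rejects arguments without '=' and duplicate keys before printing anything.
build_user_data() {
    seen=" "
    for kv in "$@"; do
        case "$kv" in
            *=*) ;;
            *) echo "not key=value: $kv" >&2; return 1 ;;
        esac
        key=${kv%%=*}
        case "$seen" in
            *" $key "*) echo "duplicate key: $key" >&2; return 1 ;;
        esac
        seen="$seen$key "
    done
    printf '%s\n' "$@"
}

# Render multi-line user data as the single-line form used inside a
# Terraform template string: each parameter followed by a literal \n.
to_terraform_line() {
    printf '%s\n' "$1" | sed 's/$/\\n/' | tr -d '\n'
}

# Succeed only if a plugin-op-commands line exists and one of its
# comma-separated options is exactly tag_collector_mode_flag:enable.
user_data_enables_tag_collector() {
    printf '%s\n' "$1" | grep '^plugin-op-commands=' | cut -d= -f2- \
        | tr ',' '\n' | grep -qx 'tag_collector_mode_flag:enable'
}

# gzip, then base64 on one line, a service-account key for pasting into the
# service-account-cred form of the cluster-credentials command.
# Refuses files that are not a service_account key or that group/other can
# read, because the key grants API access to the cluster.
encode_credential() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    grep -q '"type": *"service_account"' "$f" \
        || { echo "not a service-account key: $f" >&2; return 1; }
    case "$(ls -ld "$f" | cut -c5-10)" in
        *r*) echo "refusing: $f is readable by group or other" >&2; return 1 ;;
    esac
    gzip -n -c "$f" | base64 | tr -d '\n'
}

# Reverse of encode_credential, used to verify the string before pasting it.
decode_credential() {
    printf '%s' "$1" | base64 -d | gzip -dc
}

# --- constructed sample input (assumption, not a real key) ----------------
WORK=$(mktemp -d)
SAMPLE_KEY="$WORK/airs-tagcollector-sa.json"
umask 077
cat > "$SAMPLE_KEY" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "client_email": "airs-tagcollector@example-project.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"
}
EOF

# Demonstration when run directly (the hostname value is an assumption).
USER_DATA=$(build_user_data \
    "hostname=airs-tagcollector" \
    "plugin-op-commands=tag_collector_mode_flag:enable")
user_data_enables_tag_collector "$USER_DATA" \
    && echo "user data enables IP-Tag collector mode"
echo "Terraform form: $(to_terraform_line "$USER_DATA")"
CRED=$(encode_credential "$SAMPLE_KEY")
echo "set deviceconfig plugins kubernetes setup cluster-credentials <cluster_name> api-server-address <ip> cluster-type GKE cluster-credential-file service-account-cred $CRED"
```

gzip plus base64 is an encoding, not encryption: anyone who can read the shell history or the resulting device configuration can recover the service-account key. That is why the script refuses a key file readable by group or other, and why the Google service account should be granted no more than the read access the collector needs on the cluster.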
- Configure the SCM region so that the IP-Tag collector can send the IP tags to SCM. Run the following commands:
  To view the list of regions:
    request plugins kubernetes set-tag-collector-config region
  To enter the name of your region for discovery:
    request plugins kubernetes set-tag-collector-config region <region_name>
- Enter configure to switch to configuration mode.
- Create the monitoring definition on the IP-Tag collector by running the following command:
    set deviceconfig plugins kubernetes monitoring-definition <mon_def_name> cluster-credentials <cluster_name> enable yes
  You can map only one cluster to a monitoring definition, and only one monitoring definition to a cluster.
- Enter commit to save your changes.
- For the redistribution client to show up on the agent and for local distribution to work, run the following commands on your IP-Tag collector:
    set deviceconfig system service disable-userid-service no
    commit
    show redistribution service client all
- Run the following commands to show, debug, or request Kubernetes plugin information:
    show plugins kubernetes [ counters | details-dashboard | ip-details | status | tag-details ]
    debug plugins kubernetes [ dump-cluster-response | kubernetes-db-dump | kubernetes-tags ]
    request plugins kubernetes [ merge-logs | set-tag-collector-config | validate-cluster-creds ]

Configure IP-Tag Collector as Redistribution Agent on AI Runtime Security
Data redistribution provides granularity, allowing you to redistribute only the types of information you specify to only the devices you select. You can also filter the IP-user mappings or IP-tag mappings using subnets and ranges to ensure that the firewalls collect only the mappings they need to enforce policy. For more information, see Firewall Deployment for Data Redistribution. You can configure the IP-Tag collector as a redistribution agent on your AI Runtime Security console or on SCM.
Plan the redistribution architecture, configure the data sources from which your redistribution agents obtain the data to redistribute to their clients, and then configure the authentication policy. For more information on configuring the IP-Tag collector as a redistribution agent, see Configure Data Redistribution and Using Strata Cloud Manager to Set Up Data Redistribution.

Add Address Group and Filter the IP-Tag Mappings for Private Kubernetes Clusters
In a large-scale network, instead of configuring all your firewalls to query the mapping information sources directly, you can reduce resource usage by configuring some firewalls to collect mapping information through redistribution. Data redistribution also provides granularity, allowing you to redistribute only the types of information you specify to only the devices you select. Filter the IP-tag mappings using subnets and ranges so that the firewalls collect only the mappings they need to enforce policy rules.

After configuring SCM for your AI Runtime Security instance, follow these steps to add an address group and filter IP-tag mappings for your private Kubernetes clusters:
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > NGFW and Prisma Access > Objects > Address > Address Groups > Add Address Group with the required IP address-to-tag mappings.
- Enter the address group Name and select Dynamic as the address group Type.
- Click Add Match Criteria. You can see the list of Kubernetes tags sent from the IP-Tag collector to SCM.
- Select the required Kubernetes tags, and then click Save.
Add Security Policy Rule
The security policy is where you define how you want to enforce traffic protection in your AI Runtime Security deployments. All traffic that passes through your AI Runtime Security instance is evaluated against your security policy, and rules are applied from the top down. For more information, see Security Policy.

You can define Pre Rules and Post Rules in a shared context, as shared policies for all managed firewalls, or in a device context, to make the rules specific to a folder:
- Pre Rules: Rules that are added to the top of the rule order and are evaluated first. You can use pre-rules to enforce the Acceptable Use Policy for an organization.
- Post Rules: Rules that are added at the bottom of the rule order and are evaluated after the pre-rules and the rules that are locally defined on the firewall. Post-rules typically include rules that deny access to traffic based on App-ID™, User-ID™, or Service.

After you create the address group for your private Kubernetes clusters on SCM, follow these steps to set up your security policy rule:
- Log in to Strata Cloud Manager.
- Go to Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy.
- Click Add Rule.
- Select Pre Rule or Post Rule.
- Enter your security policy rule name.
- Select the Source and Destination match criteria. You can select your previously created address group under the Source section.
- Click Save.
- Click Push Config to push the configuration changes to your AI Runtime Security instance. The Cloud Managed Devices tab (Workflows > NGFW Setup > Device Management > Cloud > Managed Devices) displays all of your SCM-onboarded firewalls, the folders they are assigned to, and important details about them. For more information, see Workflows: Device Management.

After a successful push, log in to the AI Runtime Security command line interface and run the following command to view the registered IP addresses and the tags mapped to them:
  show object registered-ip all