Custom Metric Based HPA Using KEDA in EKS Environments

Where Can I Use This?
  • CN-Series HSF Firewall deployment
What Do I Need?
  • CN-Series 11.0.x or above Container Images
  • Panorama running PAN-OS 11.0.x or above version
HPA implementation in EKS environments requires KEDA (Kubernetes-based Event Driven Autoscaler). The following are prerequisites for a custom-metrics-based HPA implementation:
  • Enable HPA for clustering from YAML.
    • Ensure that the HPA params are filled in the pan-cn-mgmt-configmap.yaml file.
    • Ensure that the PAN_NAMESPACE_EKS field has a unique name across your AWS account in your region. This avoids overwriting metrics from different CN clusters with the same EKS namespace.
  • CN-MGMT publishing metrics to CloudWatch.
    The CN-MGMT pod requires the necessary permissions to access the CloudWatch resource, collect CN-NGFW metrics, and publish custom metrics to CloudWatch. This is done by adding the CloudWatchFullAccess policy to the node IAM role that you specified while creating the nodegroup.
  • Deploy the Cluster Autoscaler from AWS. For more information, see Cluster Autoscaler.

Authenticate KEDA with AWS

To authenticate KEDA with AWS, associate an IAM role with the keda-operator service account by annotating that service account with the role ARN. This step is recommended because it avoids adding CloudWatch access to the node IAM role: only the keda service account gains access to CloudWatch, not every workload on the node on which keda is running.
To associate an IAM role with the keda-operator service account:
  1. Create an IAM OIDC provider for your cluster. You need to create an IAM OIDC provider only once per cluster.
  2. Create an IAM role and attach an IAM policy to it with the permissions that your service accounts need. Ensure that you provide the CloudWatch access policy while performing this step.
  3. Associate the IAM role with a service account. Complete this task for each Kubernetes service account that needs access to AWS resources.
  4. Deploy the Cluster Autoscaler from AWS. For more information, see Cluster Autoscaler.
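The three IAM steps above, rendered as a POSIX shell script. This is an added example, not part of the original page or of the CN-Series plugin: it generates the IAM trust policy that binds the role to exactly one service account, a read-only CloudWatch permissions policy, and the annotated ServiceAccount manifest, then offers an apply_irsa function that feeds them to the aws and kubectl CLIs. The account ID, region, OIDC provider ID, namespace keda, service account name keda-operator and role name are constructed placeholders; the assumption that KEDA only needs cloudwatch:GetMetricData and cloudwatch:ListMetrics (narrower than CloudWatchFullAccess) is mine, not the page's.

```shell
#!/bin/sh
# Added example (not from the CN-Series documentation): IRSA wiring for the
# keda-operator service account. All identifiers below are placeholders.

# Trust policy for the role. The "sub" condition is the least-privilege control:
# only the named service account in the named namespace can assume the role via
# the cluster's OIDC provider. Without it, any pod in the cluster could.
# Args: account-id  region  oidc-provider-id  namespace  service-account
irsa_trust_policy() {
  account="$1"; region="$2"; oidc_id="$3"; ns="$4"; sa="$5"
  provider="oidc.eks.${region}.amazonaws.com/id/${oidc_id}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account}:oidc-provider/${provider}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "${provider}:aud": "sts.amazonaws.com",
        "${provider}:sub": "system:serviceaccount:${ns}:${sa}"
      }
    }
  }]
}
EOF
}

# Permissions policy. Assumption: KEDA only reads the custom metrics that
# CN-MGMT publishes, so read-only CloudWatch actions are sufficient.
irsa_permissions_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics"],
    "Resource": "*"
  }]
}
EOF
}

# ServiceAccount manifest carrying the role-arn annotation that the EKS pod
# identity webhook reads to inject web-identity credentials into keda pods.
# Args: namespace  service-account  role-arn
irsa_service_account() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    eks.amazonaws.com/role-arn: $3
EOF
}

# Steps 2 and 3 of the procedure, using the generated documents. Requires the
# aws and kubectl CLIs with appropriate credentials; step 1 (the OIDC provider)
# is done once per cluster beforehand, e.g.
#   eksctl utils associate-iam-oidc-provider --cluster <cluster> --approve
# Args: account-id  region  oidc-provider-id  namespace  service-account  role-name
apply_irsa() {
  account="$1"; region="$2"; oidc_id="$3"; ns="$4"; sa="$5"; role="$6"
  irsa_trust_policy "$account" "$region" "$oidc_id" "$ns" "$sa" > trust.json
  irsa_permissions_policy > perms.json
  aws iam create-role --role-name "$role" --assume-role-policy-document file://trust.json
  aws iam put-role-policy --role-name "$role" --policy-name cloudwatch-read \
    --policy-document file://perms.json
  irsa_service_account "$ns" "$sa" "arn:aws:iam::${account}:role/${role}" | kubectl apply -f -
  # Existing keda pods only pick up the annotation after a restart.
  kubectl -n "$ns" rollout restart deployment keda-operator
}

# Only touch AWS when explicitly asked:
#   sh irsa.sh apply 123456789012 us-east-1 EXAMPLEOIDC123 keda keda-operator keda-cloudwatch
case "${1:-}" in
  apply) shift; apply_irsa "$@" ;;
esac
```

Verify the binding after applying: `aws iam get-role --role-name keda-cloudwatch` should show the sub condition, and `kubectl -n keda describe pod -l app=keda-operator` should list the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables injected by the webhook. If the node role also carries CloudWatchFullAccess for CN-MGMT, the point of this step is that KEDA's own credentials are the narrower ones.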

Deploy the KEDA Pods

To deploy the KEDA pods, download the latest KEDA files and apply them:
kubectl apply -f keda-2.7.1.yaml
The plugin modifies and applies the YAML based on the inputs you provide for your scaling requirements.
Observe the metric values in the CloudWatch console and check how the target pods scale in and out.