Custom Metric Based HPA Using KEDA in EKS Environments
Where Can I Use This?
What Do I Need?
CN-Series HSF Firewall deployment
CN-Series 11.0.x or above Container Images
Panorama running PAN-OS 11.0.x or above version
HPA implementation in EKS environments requires you to use KEDA (Kubernetes-based Event Driven Autoscaler).
The following are prerequisites for custom metrics based HPA implementation:
Enable HPA for clustering from YAML.
Ensure that the HPA parameters are filled in the pan-cn-mgmt-configmap.yaml file.
Ensure that the PAN_NAMESPACE_EKS field has a unique name across your AWS account in your region. The published metrics are keyed by this value, so two CN clusters that share a PAN_NAMESPACE_EKS value overwrite each other's metrics in CloudWatch.
CN-MGMT publishing metrics to CloudWatch.
The CN-MGMT pod requires permissions to access CloudWatch, collect CN-NGFW metrics, and publish the custom metrics to CloudWatch. This is done by adding the CloudWatchFullAccess policy to the node IAM role that you specified while creating the nodegroup. Note that CloudWatchFullAccess grants far more than metric publishing and is inherited by every pod scheduled on those nodes; where least privilege is required, scope the policy to the CloudWatch actions CN-MGMT actually needs (at minimum cloudwatch:PutMetricData), after confirming the full action list with Palo Alto Networks.
Deploy the Cluster Autoscaler from AWS. For more information,
see Cluster Autoscaler.
Authenticate KEDA with AWS
To authenticate KEDA, associate an IAM role with the keda operator service account by annotating that service account with the role ARN (the eks.amazonaws.com/role-arn annotation used by IAM roles for service accounts). This approach is recommended because it avoids adding CloudWatch read access to the node IAM role: only the keda service account gains access to CloudWatch, not every pod on the node where keda is running.
To associate an IAM role with the keda operator service account:
Create an IAM role and attach an IAM policy to it with the permissions that your service account needs. Ensure that the policy grants the CloudWatch access KEDA requires to read the published metrics, and that the role's trust policy allows only the keda operator service account (through the cluster's OIDC provider) to assume it.