The CN-Series firewall is now licensed based on the number of vCPUs (cores) used by the CN-NGFW pods deployed in your Kubernetes environment. After creating your deployment profile on the Palo Alto Networks Customer Support Site, you apply the authcode and specify the number of vCPUs in the Kubernetes plugin. The CN-Series can use up to the number of vCPUs to license the CN-Series. If you deploy more CN-NGFW pods that require more than the number of vCPUs, you have a 30-day grace period to add more vCPUs or delete enough pods. If you exceed the 30-day grace period, the entire cluster is delicensed.

You can now use interface numbers as match criteria in dynamic address groups. If your Kubernetes cluster includes pods with multiple interfaces, you now separate traffic for inspection and enforcement based on the interface.

k8s.cl_<cluster-name>.ns_<namespace>.ds_<daemonset-name>.if_<interface>

k8s.cl_<cluster-name>.ns_<namespace>.rs_<replicaset-name>.if_<interface>

If your Kubernetes cluster API-server certificate is signed by a certificate chain, the authentication from the Kubernetes plugin for Panorama requires every certificate in the chain. You can now add one or more custom certificates that are used to create a chain of trust to authenticate to your API server. If your API server uses a certificate chain, you must combine all the certificates in the chain into a single .crt file and encode it with base64 encoding before adding it to the plugin.