What’s New in Panorama Plugin for Kubernetes 2.0.0
The Panorama plugin for Kubernetes 2.0.0
introduces a number of new features. Kubernetes plugin 2.0.0 is
required for the CN-Series running PAN-OS 10.1.x. There is no direct
upgrade path from 10.0.x to 10.1.x for the CN-Series; you must redeploy
the CN-Series to move to 10.1. For more information, see Upgrade the CN-Series Firewall.
Core-Based Licensing
The CN-Series firewall is now licensed based
on the number of vCPUs (cores) used by the CN-NGFW pods deployed
in your Kubernetes environment. After creating your deployment profile
on the Palo Alto Networks Customer Support Site, you apply the authcode
and specify the number of vCPUs in the Kubernetes plugin. The CN-Series
can use up to the specified number of vCPUs. If you deploy CN-NGFW pods
that require more than the specified number of vCPUs,
you have a 30-day grace period to add more vCPUs or delete enough
pods. If you exceed the 30-day grace period, the entire cluster
is delicensed.
Multiple Interface Support
You can now use interface numbers as
match criteria in dynamic address groups. If your Kubernetes cluster
includes pods with multiple interfaces, you can now separate traffic
for inspection and enforcement based on the interface.
k8s.cl_<cluster-name>.ns_<namespace>.ds_<daemonset-name>.if_<interface>
k8s.cl_<cluster-name>.ns_<namespace>.rs_<replicaset-name>.if_<interface>
Custom Certificate Chaining
If your Kubernetes cluster API-server
certificate is signed by a certificate chain, the authentication
from the Kubernetes plugin for Panorama requires every certificate
in the chain. You can now add one or more custom certificates that
are used to create a chain of trust to authenticate to your API
server. If your API server uses a certificate chain, you must combine
all the certificates in the chain into a single .crt file and encode
it with base64 encoding before adding it to the plugin.
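One way to prepare that file, as an added example that is not part of the original page or of Palo Alto Networks tooling. The function name build_chain_bundle is hypothetical. It assumes the inputs are PEM files passed in the order the chain should appear, and that unwrapped (single-line) base64 is wanted for pasting.

```shell
#!/bin/sh
# Added example: build the single base64-encoded .crt bundle described above.
# Assumptions (not from the page): PEM inputs, caller-supplied chain order,
# and base64 output with line wrapping removed.

# build_chain_bundle OUT.crt CERT.pem [CERT.pem ...]
# Writes the concatenated chain to OUT.crt and prints its base64 encoding.
build_chain_bundle() {
    out=$1
    [ "$#" -ge 2 ] || { echo "usage: build_chain_bundle OUT CERT..." >&2; return 2; }
    shift

    # Pass 1: validate every input before anything is written.
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        # A trust bundle must never carry key material.
        if grep -q -- 'PRIVATE KEY-----' "$f"; then
            echo "$f contains a private key; refusing" >&2
            return 1
        fi
        # Each file needs at least one certificate block, with matched markers.
        begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
        ends=$(grep -c -- '^-----END CERTIFICATE-----' "$f" || true)
        if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
            echo "$f is not a well-formed PEM certificate file" >&2
            return 1
        fi
    done

    # Pass 2: concatenate. awk strips CRs and ends every line with a newline,
    # so a file without a trailing newline cannot fuse with the next block.
    : > "$out" || return 1
    for f in "$@"; do
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out" || return 1
    done

    # Encode the combined file; remove the line wrapping base64 adds.
    base64 < "$out" | tr -d '\n'
    echo
}
```

The checks are structural only; confirming that the certificates actually form a valid chain for your API server still requires a separate verification step.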