What’s New in Panorama Plugin for Kubernetes 3.0.0

The Kubernetes plugin 3.0.0 is required for the CN-Series running PAN-OS 10.2.x and supports the functionality described below.
The Kubernetes 3.0.0 Plugin works only with Panorama 10.2 and PAN-OS 10.2 devices. However, it can manage 10.1 firewall devices on a 10.2 Panorama.
  • To upgrade to the Kubernetes 3.0.0 Plugin, download the Kubernetes 3.0.0 Plugin and then upgrade your Panorama to 10.2; the upgrade automatically installs the downloaded plugin. If you have not downloaded the Kubernetes 3.0.0 Plugin before upgrading Panorama, the upgrade is stopped.
  • You cannot use a Kubernetes 2.0.0 Plugin with Panorama 10.2.
  • You will find four default templates on Panorama after downgrading the Kubernetes plugin from 3.0.0. The unnecessary templates can be deleted manually.

Retrieve IPv6 Addresses for Multus CNI Setup

In a Multus CNI setup, each pod has multiple interfaces and these interfaces can have IPv6 or IPv4 addresses. The Kubernetes 3.0.0 Plugin queries and collects the IPv4 and IPv6 addresses for Multus CNI.

Tag Pruning

Tag Pruning increases the scalability of the plugin and the number of tags it can collect. It enables the plugin to collect more tags and push them to Panorama without IP addresses. Panorama has a 10MB payload limit; with Tag Pruning, the plugin can send empty tags to Panorama and send IP addresses only for tags that are used in Security policies. For a shared device group (DG) on Panorama, the plugin cannot learn the dynamic address groups (DAGs), so the IP addresses are not pushed.

Service Account Validation

The Kubernetes 3.0.0 Plugin supports service account file validation as a pre-commit, where the validation takes place after the user adds a service account file and commits the credentials. By using this method, the plugin can implement periodic checks for service accounts and update their status accordingly.

Dashboard

For tags not used in DG Security policies, Panorama holds only the tags, without IP addresses. With Tag Pruning, the plugin pushes the IP/tag mappings to the plugin UI, and you can navigate to the Dashboard to see them. You can view the IP addresses (IPv4 and IPv6) associated with all tags learnt by the plugin, and then see the tags associated with each IP address when you click associated tags.
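
The pruning behaviour described under Tag Pruning and Dashboard, modelled as an added example (this is not Palo Alto Networks code and not the plugin's implementation). The tag names, device group names, the quoted-tag filter format and all function names are assumptions made for illustration, and the sample data is constructed.

```python
import re

# Constructed sample data (not from a real deployment).
# Tag -> IP addresses learned by the plugin from the cluster.
LEARNED = {
    "app.web": ["10.0.1.5", "2001:db8::5"],
    "app.db": ["10.0.2.9"],
    "ns.staging": ["10.0.3.7", "10.0.3.8"],
}
# Device group -> DAG match filters referenced by its Security policies.
# Assumed filter format: tags in single quotes joined by and/or.
DAG_FILTERS = {
    "dg-prod": ["'app.web' and 'ns.prod'", "'app.db'"],
    "shared": ["'ns.staging'"],  # DAGs in the shared DG are not learned
}

def tags_in_use(dag_filters):
    """Collect tags quoted in DAG match filters, skipping the shared DG."""
    used = set()
    for dg, filters in dag_filters.items():
        if dg == "shared":
            continue  # the page states the plugin cannot learn these DAGs
        for expr in filters:
            used.update(re.findall(r"'([^']+)'", expr))
    return used

def prune(learned, dag_filters):
    """Model of what reaches Panorama: every tag is sent, but only tags
    used in policy keep their IP addresses; the rest are sent empty."""
    used = tags_in_use(dag_filters)
    return {tag: (list(ips) if tag in used else [])
            for tag, ips in learned.items()}

def dashboard_only(learned, pushed):
    """IP/tag mappings that exist only in the plugin UI, not on Panorama."""
    return {tag: ips for tag, ips in learned.items() if ips and not pushed[tag]}

if __name__ == "__main__":
    pushed = prune(LEARNED, DAG_FILTERS)
    for tag, ips in pushed.items():
        print(tag, ips or "(empty tag)")
    print("dashboard only:", dashboard_only(LEARNED, pushed))
```

In this model, a tag referenced only from the shared device group is sent empty, so a policy that depends on it matches no addresses until the DAG is defined in a device group the plugin can learn from.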