Create namespaces

About creating Microsegmentation namespaces

Before proceeding, we recommend reviewing basic Microsegmentation namespace concepts.
You have one parent namespace, represented by your Prisma ID, an eighteen-character string of integers. For example: /826920578209172635. You also have a child namespace for each cloud account you’ve onboarded to Prisma Cloud. These bear the friendly name of your cloud account, as well as its ID. For example: /aws-dev-826088932159. You may need to manually create child namespaces if:
  • You have cloud accounts that you did not onboard to Prisma Cloud.
  • You are hosting your own infrastructure or have on-premise workloads.
To create children namespaces, you must have namespace editor privileges in the parent namespace. Once you have your children namespaces created, you must create grandchildren namespaces before deploying your enforcers. After an enforcer has registered in a namespace, you can’t move it to another namespace. You have to uninstall and reinstall the enforcer to switch namespaces.
Create one grandchild namespace for each Kubernetes/OpenShift cluster. You should not have multiple Kubernetes/OpenShift clusters in a single Microsegmentation namespace. For the virtual machines, you can create one namespace per host, or group them together as desired.
You can use the Network Security section of the Prisma Cloud web interface to create your namespaces. Alternatively, you can use apoctl to create them, as described below.

Set environment variables

Copy your parent namespace from the web interface, as shown below.
Set a PARENT environment variable and paste in the value you copied.
export PARENT=/803920923337065472
If you have children namespaces that already exist, create CHILD environment variables containing their names. In the example below, we use aws-dev-826088932159 and aws-prod-826088932159.
export CHILD1=aws-dev-826088932159
export CHILD2=aws-prod-826088932159

Create child namespaces

Set CHILD environment variables containing the desired names for the children namespaces.
export CHILD3=my-private-cloud
export CHILD4=bare-metal-infra
Use the following command to create the first child namespace.
cat <<EOF | apoctl api create namespace -n $PARENT -f -
name: $CHILD3
type: CloudAccount
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Next, create the second child namespace.
cat <<EOF | apoctl api create namespace -n $PARENT -f -
name: $CHILD4
type: CloudAccount
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Confirm the creation.
apoctl api list namespace -n $PARENT --output yaml
Repeat these steps to add other children as needed.

Create grandchild namespaces

Create environment variables containing the desired names for your grandchild namespaces. An example follows.
export GRANDCHILD1=k8s
export GRANDCHILD2=vm
Use the following command to create the first grandchild namespace under aws-dev-826088932159.
cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD1 -f -
name: $GRANDCHILD1
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Next, create the second grandchild namespace under aws-dev-826088932159.
cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD1 -f -
name: $GRANDCHILD2
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Confirm the creation.
apoctl api list namespace -n $PARENT/$CHILD1 --output yaml
Now create the first grandchild namespace under aws-prod-826088932159.
cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD2 -f -
name: $GRANDCHILD1
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Create the second grandchild namespace under aws-prod-826088932159.
cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD2 -f -
name: $GRANDCHILD2
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Confirm the creation.
apoctl api list namespace -n $PARENT/$CHILD2 --output yaml
Repeat these steps to add other grandchildren, as desired. You should now have a basic namespace structure and can proceed to deploy enforcers.
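
Because an enforcer can't be moved once it registers, it helps to review the whole tree before creating it. The script below is an added example, not from the Prisma Cloud documentation: it prints each apoctl call from this page in dry-run mode and runs them when DRY_RUN=0. The function names and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud docs): build the namespace tree in one pass.
# DRY_RUN is a name made up for this example; 1 (the default) prints each
# apoctl call instead of running it.
DRY_RUN="${DRY_RUN:-1}"

# The parent namespace is "/" plus the eighteen-digit Prisma ID.
valid_parent() {
  printf '%s\n' "$1" | grep -Eq '^/[0-9]{18}$'
}

# Emit the namespace definition used on this page.
# $1 = name, $2 = type (CloudAccount for children, Group for grandchildren)
ns_spec() {
  cat <<EOF
name: $1
type: $2
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
}

# Create namespace $2 of type $3 inside namespace $1.
create_ns() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "apoctl api create namespace -n $1 -f -   # name=$2 type=$3"
  else
    ns_spec "$2" "$3" | apoctl api create namespace -n "$1" -f -
  fi
}

# $1 = parent, $2 = children to create, $3 = children that receive grandchildren,
# $4 = grandchildren to create under each child in $3 (lists are space-separated).
build_tree() {
  valid_parent "$1" || { echo "bad parent namespace: $1" >&2; return 1; }
  for child in $2; do create_ns "$1" "$child" CloudAccount || return 1; done
  for child in $3; do
    for grandchild in $4; do
      create_ns "$1/$child" "$grandchild" Group || return 1
    done
  done
}

# Sample values taken from this page.
build_tree /803920923337065472 \
  "my-private-cloud bare-metal-infra" \
  "aws-dev-826088932159 aws-prod-826088932159" \
  "k8s vm"
```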
