Configure Google Cloud Platform Plugin for Google Kubernetes Engine

In Panorama, configure the plugin to detect services in a Kubernetes cluster.
To enable Panorama to learn the internet exposed services in a GKE cluster, you must enable the Google Cloud Platform plugin on Panorama to establish a connection with your GCP project and the GKE cluster. Then, you must configure the device groups and templates to which the firewalls belong so that Panorama can push the configuration objects and policy rules to the managed firewalls.

Create a GKE Service Account Credential

To authenticate with your cluster and learn its services, Google Cloud Platform plugin needs a GKE role and role binding, and service credential files from your GKE cluster. You save the credential as a .json file so you can supply it when you Configure the GCP Plugin for GKE.
  1. Create a service account for your GKE cluster.
    1. Create a .yaml file for the ClusterRoleBinding. For example, create a text file named crb.yaml.
      apiVersion: rbac.authorization.k8s.io kind: ClusterRoleBinding metadata:    name: default-view roleRef:   apiGroup: rbac.authorization.k8s.io   kind: ClusterRole   name: view subjects: - kind: ServiceAccount   name: default   namespace: default
    2. Use Google Cloud Shell to apply the role binding in crb.yaml.
      kubectl apply -f crb.yaml
    3. View the service account you just created.
      kubectl get serviceaccounts
  2. Save the service account credential to a .json file.
    1. On your local machine, change to the directory in which you want to save the credential.
    2. Use kubectl commands to create the token.
      MY_SA_TOKEN=‘kubectl get serviceaccounts default -o jsonpath=’{.secrets[0].name}’‘
    3. View the token name.
      $ echo $SA_TOKEN
    4. Display the credential.
      kubectl get secret $MY_SA_TOKEN -o json

Store the GCP Project Service Account Credential

For instructions on storing the service credential for the Compute Engine default service account, see the template Deployment Guide, under section 4.8 on page 12.
For general information, see Getting Started with Authentication.

Configure Panorama and Install the GCP Plugin for GKE

You must have a licensed version of Panorama™. See the Compatibility Matrix version information for GKE cluster security.
  1. To ensure synchronization, verify that your Panorama appliance and the firewalls in your GKE cluster are referencing the same NTP server. For example, time.google.com.
  2. On the firewalls associated with your GKE cluster, specify the IP address or FQDN for your Panorama server(s), and commit.
  3. In Panorama, add the firewalls associated with your GKE cluster as managed devices.
  4. Add a device group and assign the managed firewalls to your device group.
  5. Add a template. Name the template and accept the default VSYS.
  6. Select Add Stack. Name the stack,
    Add
    the template you just created, and select the firewalls protecting your Kubernetes cluster.
    Commit your changes.
  7. Select
    Network
    Interfaces
    .
    1. Configure a Layer 3 interface for the untrust zone.
      • Select
        Ethernet
        Add Interface
        .
      • Select
        Slot 1
        and the
        Interface Name
        .
        Set the
        Interface Type
        to Layer 3.
      • Select
        Config
        and set the Security Zone to the master zone for your GKE cluster. For example, us-central1-a.
      • Select
        IPV4
        and select the options for your network. This example uses DHCP.
      • Click
        OK
        .
  8. Assign the interfaces to a virtual router. Select
    Network
    Virtual Routers
    and modify or
    Add
    a router. This example uses
    default
    . Add the interfaces you created in the previous step, and Click
    OK
    .
  9. Configure network zones.
    1. Configure a zone for the untrust network.
      • Select
        Network
        Zones
        and specify a zone
        Name
        .
      • Set the Interface Type to Layer 3.
      • Under Interfaces,
        Add
        the Untrust interface.
      • Click
        OK
        .
    2. Configure a zone for the trust network.
  10. Commit the changes.
  11. Push the template to the firewalls.
  12. Select
    Panorama
    Plugins
    and install the plugin. The plugin name is gcp.

Configure the GCP Plugin for GKE

These steps configure the GCP Plugin for GKE.
  1. Select
    Panorama
    Google Cloud Platform
    Setup
    and
    Add
    service account credentials for both the GCP project associated with your GKE deployment, and the GKE cluster.
    1. Choose the
      Project
      service account credential type. Enter a name (it doesn’t have to be your project name), a description, and the GCP project ID. To view the project ID, in the Google Cloud Platform Console, view the project dashboard, and under Project info, look for the Project ID).
      Click the upload icon, browse to choose the JSON file you saved in Store the GCP Project Service Account Credential, and click
      Open
      . For security reasons, your local path is replaced with the placeholder
      fakepath
      .
    2. Choose the
      GKE
      service account credential type, and upload the JSON file you saved for your GKE project in Create a GKE Service Account Credential.
    3. Click
      OK
      .
      gcp_svc_acct_cred.png
  2. Add a GKE project. In Panorama, a GKE project stores the integration information for up to four GKE clusters, each of which can expose up to 100 services. You can secure up to four GKE projects.
    1. Select
      Panorama
      Google Cloud Platform
      GKE Clusters
      .
    2. Add
      a cluster.
    3. Specify a name and description.
    4. Choose the
      GCP Project Credential
      you uploaded earlier, a
      Device Group
      , and the
      Template Stack
      you created earlier.
    5. Add
      a cluster member. Specify the Cluster Name, GCP zone, and the cluster credential you uploaded earlier.
      gcp_add_clusters.png
  3. Commit your changes.
    Through the GCP plugin, Panorama learns the new Kubernetes service. It can take five to seven minutes for the firewalls to pick up the new NAT rule and service object.
  4. Review the GKE elements in Panorama.
    • Go to
      Panorama
      Google Cloud Platform
      GKE Clusters
      to view a list of your GKE projects. If the cluster you specified exists and configuration is correct, the Status is Authorized.
      gcp_authorized.png
      In the Action column click
      Show Port Mapping
      to view the ports for the services in the GKE cluster. Port 80 is the PANW named port. The other ports in this example are learned.
      gcp_svc_port_mapping.png
    • Select
      Objects
      and make sure your device group is selected. View the services you deployed. In this example, the predefined services are from the external HTTP load balancer.
      gcp_objects.png
    • Select
      Policies
      , and view the NAT Pre Rules.
      Any NAT rules you see were created by the plugin. The Services column displays the GKE services you exposed with the PANW named port. The IP address is the service address.
    gcp_pano_nat.png
  5. Consult the template Deployment Guide for cleanup instructions.

Recommended For You