Secure Google Kubernetes Engine Services with Google Cloud Platform Plugin for Panorama

Understand how the instance group and the PANW named ports help secure services in a Kubernetes cluster, and how to configure the cluster for Panorama management.
The VM-Series firewall provides a way to secure traffic entering or exiting a service deployed in a Google Kubernetes Engine (GKE) cluster. Configuring the Google Cloud Platform (GCP) plugin for Panorama™ establishes a connection between your GKE cluster and Panorama, allowing you to globally manage firewalls securing your services running in a GKE deployment.

Typical Workload Deployments in GKE

A GKE deployment leverages VPC networks and subnetworks in a GCP project for the networking between the Kubernetes clusters and other resources in the project. Containerized applications run on Kubernetes clusters, which are collections of VMs called nodes. By default, nodes are private and do not have outbound internet access.
A pod is a group of containers running a particular application in your cluster; pods run on one or more nodes in the Kubernetes cluster. A service in Kubernetes defines a logical group of pods and a policy by which to access them (also referred to as a microservice).
Services typically represent components of an application, such as a web service, a database service, and so on. Exposing a service as type LoadBalancer usually assigns it a public IP address, which exposes the application to inbound attacks from within the cluster or from external sources.
The following diagram shows multiple Kubernetes services running in multiple Kubernetes clusters within the same GCP project.
[Figure: gcp_k8s.png]

Components Required to Secure Workloads Deployed in GKE

Let’s look at the components used to secure services that are externally accessible.

VM-Series Firewalls

In the sample topology, the GKE instance group contains one or more VM-Series firewalls and shares the same networks and zones as the GKE cluster. The instance group straddles the Untrust and Trust subnets to secure traffic to and from back-end services.
The firewalls in the instance group detect a PANW named port for each service of type LoadBalancer exposed to the internet. Each back-end service is behind an internal load balancer.

Google Kubernetes Engine Cluster

Google Kubernetes Engine services run in a GKE cluster. Google Cloud Platform Plugin for Panorama can support up to 100 exposed services per cluster.
To integrate with the GCP Plugin on Panorama, edit your application deployment’s config.yaml file as described in Deploy an Application.
The panw-named-port label is critical for differentiating the services. Using the panw-named-port label as a matching criterion, you can create firewall rules specific to each service and steer traffic accordingly.

Google Cloud Platform Plugin on Panorama

Google Cloud Platform Plugin for Panorama configures the integration between the Kubernetes cluster running in your GCP deployment and Panorama.
The plugin stores the mapping between a specific Panorama device group and a GKE cluster in a GKE project. A GKE project stores the integration information for up to four GKE clusters, each of which can expose up to 100 services. You can secure up to four GKE projects.
When the plugin detects a new service in the Kubernetes cluster it is monitoring, it creates Panorama service objects and NAT rules, inserting the VM-Series firewalls into the network path to secure traffic to and from the service.
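The two passages above state what the plugin keys on (a LoadBalancer service carrying the panw-named-port label) and the limits it enforces (100 exposed services per cluster, four clusters per project, four projects). The following pre-flight check is an added example, not Palo Alto Networks code and not part of the plugin: it walks a project/cluster/service inventory, reports exposed services that the plugin would not pick up because they lack the label or reuse a named port, and flags inventories that exceed the stated limits. The project and cluster names, the service manifests, and the `make_service` helper are all constructed; the manifests mirror only the `metadata.labels` and `spec.type` fields of what `kubectl get svc -o json` returns.

```python
"""Pre-flight check for GKE services secured through the GCP plugin for Panorama.

Added example (not Palo Alto Networks code). It models the constraints the page
states: a service must be of type LoadBalancer and carry the panw-named-port
label to be detected, a cluster may expose at most 100 such services, a project
may hold at most four clusters, and at most four projects may be secured.
"""

MAX_SERVICES_PER_CLUSTER = 100
MAX_CLUSTERS_PER_PROJECT = 4
MAX_PROJECTS = 4
LABEL = "panw-named-port"


def make_service(name, port, named_port=None, svc_type="LoadBalancer"):
    """Build a minimal Service manifest (constructed sample shape)."""
    labels = {LABEL: named_port} if named_port else {}
    return {"metadata": {"name": name, "labels": labels},
            "spec": {"type": svc_type, "ports": [{"port": port}]}}


# Constructed inventory: project id -> cluster name -> Service manifests.
SAMPLE_INVENTORY = {
    "demo-project": {                     # hypothetical project id
        "prod-cluster": [                 # hypothetical cluster name
            make_service("web", 443, "web-443"),
            make_service("api", 8443, "api-8443"),
            make_service("db", 5432, svc_type="ClusterIP"),   # not exposed
            make_service("legacy", 80),                        # exposed, unlabelled
        ],
    },
}


def detected_services(manifests):
    """Return (detected, unlabelled, duplicates) for one cluster.

    detected maps each named port to the service that carries it; unlabelled
    lists LoadBalancer services without the label; duplicates lists
    (named_port, first_service, second_service) collisions.
    """
    detected, unlabelled, duplicates = {}, [], []
    for m in manifests:
        if m["spec"].get("type") != "LoadBalancer":
            continue  # not exposed, so not the plugin's concern
        name = m["metadata"]["name"]
        named_port = m["metadata"].get("labels", {}).get(LABEL)
        if not named_port:
            unlabelled.append(name)
        elif named_port in detected:
            duplicates.append((named_port, detected[named_port], name))
        else:
            detected[named_port] = name
    return detected, unlabelled, duplicates


def check_inventory(inventory):
    """Validate an inventory against the plugin's limits.

    Returns (named_ports, findings): named_ports[project][cluster] maps each
    detected named port to its service; findings is a list of problems.
    """
    findings, named_ports = [], {}
    if len(inventory) > MAX_PROJECTS:
        findings.append(f"{len(inventory)} projects exceed the limit of {MAX_PROJECTS}")
    for project, clusters in inventory.items():
        named_ports[project] = {}
        if len(clusters) > MAX_CLUSTERS_PER_PROJECT:
            findings.append(f"{project}: {len(clusters)} clusters exceed the limit of "
                            f"{MAX_CLUSTERS_PER_PROJECT}")
        for cluster, manifests in clusters.items():
            detected, unlabelled, duplicates = detected_services(manifests)
            named_ports[project][cluster] = detected
            where = f"{project}/{cluster}"
            if len(detected) > MAX_SERVICES_PER_CLUSTER:
                findings.append(f"{where}: {len(detected)} exposed services exceed the "
                                f"limit of {MAX_SERVICES_PER_CLUSTER}")
            for name in unlabelled:
                findings.append(f"{where}: LoadBalancer service '{name}' has no {LABEL} "
                                f"label and will not be secured")
            for port, first, second in duplicates:
                findings.append(f"{where}: {LABEL} '{port}' is used by both '{first}' and "
                                f"'{second}'; rules cannot distinguish them")
    return named_ports, findings


if __name__ == "__main__":
    ports, findings = check_inventory(SAMPLE_INVENTORY)
    for project, clusters in ports.items():
        for cluster, mapping in clusters.items():
            print(f"{project}/{cluster}: {mapping}")
    for finding in findings:
        print("WARNING:", finding)
```

Run against the sample inventory, the check reports the two named ports the plugin would detect and one warning for the unlabelled `legacy` service, which is exactly the kind of gap that leaves a public-facing service outside the firewall's policy.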

Panorama

When you configure GCP plugin for Panorama, you associate a GKE cluster with a specific instance group in your GCP project. An instance group from GCP correlates with a device group in Panorama.
The GCP plugin enables Panorama to globally manage security policies and profiles for all the firewalls in the device group.

A Sample Topology

The following diagram illustrates a load balancer sandwich deployment. This diagram highlights elements critical to integrating your GKE cluster with the GCP Plugin for Panorama.
To secure containerized applications, place the VM-Series firewall in front of your Kubernetes cluster so that all traffic going in and out of the application services can be secured. In addition to securing inbound traffic, the VM-Series firewall secures outbound access from the Kubernetes nodes, preventing data exfiltration.
In this sample topology, traffic enters the HTTP External Load Balancer (ELB) and is directed, according to the fully qualified domain name (FQDN), to a PANW named port. The instance group firewalls apply security policy and inspect all the traffic to services in the Trust subnet.
[Figure: gcp_autoscaling_arch_plm.png]
This diagram reflects the logical organization of services on a Kubernetes cluster. For example, it shows two clusters and three services (workloads). However, a Kubernetes cluster deployment is actually a single cluster whose resources are distributed across a node pool with multiple compute instance groups (not to be confused with the VM-Series firewall instance groups).
