Secure Google Kubernetes Engine Services with Google Cloud Platform Plugin for Panorama
Understand how the instance group and the PANW named ports help secure services in Kubernetes cluster, and how to configure the cluster for Panorama management.
The VM-Series firewall provides a way to secure traffic entering or exiting a service deployed in a Google Kubernetes Engine (GKE) cluster. Configuring the Google Cloud Platform (GCP) plugin for Panorama™ establishes a connection between your GKE cluster and Panorama, allowing you to globally manage firewalls securing your services running in a GKE deployment.
Typical Workload Deployments in GKE
A GKE deployment uses VPC networks and subnetworks in a GCP project for networking between the Kubernetes clusters and other resources in the project. Containerized applications run on Kubernetes clusters, which are collections of VMs called nodes. In a private cluster, nodes have only internal IP addresses and no outbound internet access unless you provide NAT.
A pod is a group of containers running a particular application in your cluster; pods run on one or more nodes in the Kubernetes cluster. A service in Kubernetes defines a logical group of pods and a policy for accessing them, and is also referred to as a microservice.
Services typically represent components of an application, such as a web service or a database service. Exposing a service as type LoadBalancer usually assigns it a public IP address, which makes the application reachable from the internet and therefore exposed to inbound attacks from external sources as well as from within the cluster.
The following diagram shows multiple Kubernetes services running in multiple Kubernetes clusters within the same GCP project.
Components Required to Secure Workloads Deployed in GKE
Let’s look at the components used to secure services that are externally accessible.
In the sample topology, the GKE instance group contains one or more VM-Series firewalls and shares the same networks and zones as the GKE cluster. It straddles the Untrust and Trust subnets to secure traffic to and from back-end services.
The firewalls in the instance group detect a PANW named port for each service of type LoadBalancer exposed to the internet. Each back-end service is behind an internal load balancer.
Google Kubernetes Engine Cluster
Google Kubernetes Engine services run in a GKE cluster. Google Cloud Platform Plugin for Panorama can support up to 100 exposed services per cluster.
To integrate with the GCP Plugin on Panorama, edit your application deployment's config.yaml file as described in Deploy an Application. The panw-named-port label is what distinguishes one exposed service from another. Using the panw-named-port label as the match criterion, you can create firewall rules specific to each service and steer traffic accordingly.
Google Cloud Platform Plugin on Panorama
Google Cloud Platform Plugin for Panorama configures the integration between the Kubernetes cluster running in your GCP deployment and Panorama. The plugin stores the mapping between a specific Panorama device group and a GKE cluster in a GKE project. A GKE project stores the integration information for up to four GKE clusters, each of which can expose up to 100 services. You can secure up to four GKE projects. When the plugin detects a new service in the Kubernetes cluster it is monitoring, it creates Panorama service objects and NAT rules, inserting the VM-Series firewalls in the network path to secure traffic to and from the service.
When you configure the GCP plugin for Panorama, you associate a GKE cluster with a specific instance group in your GCP project. An instance group in GCP corresponds to a device group in Panorama.
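Before pointing the plugin at a cluster, it is worth confirming that every internet-facing service is actually in the plugin's scope: type LoadBalancer, carrying the panw-named-port label, and inside the limit of 100 exposed services per cluster. The following pre-flight check is an added example written for this page; it is not Palo Alto Networks or Google code and does not call the plugin. It reads the JSON that `kubectl get services -o json` produces and reports which services the plugin would pick up, which LoadBalancer services lack the label (and so stay exposed without firewall insertion), and which services collide on a named-port value. The label name and the 100-service limit come from the text above; the sample services, the assumption that the label value is the named-port name, and the assumption that named-port values must be unique within a cluster are constructed for illustration.

```python
"""Pre-flight check for GKE services exposed to the GCP Plugin for Panorama.

Added example, not Palo Alto Networks code. Reads `kubectl get services -o json`
output for one cluster and reports what the plugin would and would not see.
"""
import json
from collections import Counter

MAX_EXPOSED_SERVICES_PER_CLUSTER = 100   # plugin limit stated on the page
PANW_LABEL = "panw-named-port"           # label name used by the integration

# Constructed sample of what `kubectl get services -o json` returns.
SAMPLE_SERVICE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # exposed and labelled: in scope for the plugin
            "kind": "Service",
            "metadata": {"name": "web", "namespace": "default",
                         "labels": {"app": "web", PANW_LABEL: "web-80"}},
            "spec": {"type": "LoadBalancer",
                     "ports": [{"port": 80, "targetPort": 8080}]},
        },
        {   # exposed but unlabelled: public IP, no firewall insertion
            "kind": "Service",
            "metadata": {"name": "api", "namespace": "default",
                         "labels": {"app": "api"}},
            "spec": {"type": "LoadBalancer",
                     "ports": [{"port": 443, "targetPort": 8443}]},
        },
        {   # ClusterIP: labelled, but not exposed, so out of scope
            "kind": "Service",
            "metadata": {"name": "db", "namespace": "default",
                         "labels": {"app": "db", PANW_LABEL: "db-5432"}},
            "spec": {"type": "ClusterIP",
                     "ports": [{"port": 5432, "targetPort": 5432}]},
        },
        {   # reuses the named port of "web" (assumed to be a collision)
            "kind": "Service",
            "metadata": {"name": "web-canary", "namespace": "canary",
                         "labels": {"app": "web", PANW_LABEL: "web-80"}},
            "spec": {"type": "LoadBalancer",
                     "ports": [{"port": 80, "targetPort": 8080}]},
        },
    ],
})


def exposed_services(service_list_json):
    """Return (namespace, name, named_port, port) for every service the plugin
    would monitor: type LoadBalancer carrying the panw-named-port label."""
    doc = json.loads(service_list_json)
    found = []
    for svc in doc.get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        named_port = meta.get("labels", {}).get(PANW_LABEL)
        if not named_port:
            continue
        port = spec["ports"][0]["port"]   # first listed port; a Service may have several
        found.append((meta.get("namespace", "default"), meta["name"], named_port, port))
    return found


def unlabelled_loadbalancers(service_list_json):
    """Names of LoadBalancer services without the label: internet-facing, but the
    plugin will not create objects or NAT rules for them."""
    doc = json.loads(service_list_json)
    return [svc["metadata"]["name"] for svc in doc.get("items", [])
            if svc.get("spec", {}).get("type") == "LoadBalancer"
            and PANW_LABEL not in svc.get("metadata", {}).get("labels", {})]


def check_cluster(service_list_json):
    """Return human-readable findings that would stop every exposed service
    from being steered through the VM-Series firewalls."""
    findings = []
    exposed = exposed_services(service_list_json)
    if len(exposed) > MAX_EXPOSED_SERVICES_PER_CLUSTER:
        findings.append(f"{len(exposed)} exposed services exceed the limit of "
                        f"{MAX_EXPOSED_SERVICES_PER_CLUSTER} per cluster")
    for name in unlabelled_loadbalancers(service_list_json):
        findings.append(f"service {name} is type LoadBalancer but has no {PANW_LABEL} label")
    for named_port, count in Counter(e[2] for e in exposed).items():
        if count > 1:
            owners = [f"{ns}/{name}" for ns, name, np_, _ in exposed if np_ == named_port]
            findings.append(f"named port {named_port} is used by more than one service: "
                            + ", ".join(owners))
    return findings


if __name__ == "__main__":
    for ns, name, named_port, port in exposed_services(SAMPLE_SERVICE_LIST):
        print(f"{ns}/{name}: named port {named_port} -> port {port}")
    for finding in check_cluster(SAMPLE_SERVICE_LIST):
        print("WARNING:", finding)
```

Run it against `kubectl get services --all-namespaces -o json` output to see the same three classes of result on a real cluster; the findings list is empty when every LoadBalancer service is labelled with a distinct value and the cluster is within the 100-service limit.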
A Sample Topology
The following diagram illustrates a load balancer sandwich deployment. This diagram highlights elements critical to integrating your GKE cluster with the GCP Plugin for Panorama.
To secure containerized applications, place the VM-Series firewall in front of your Kubernetes cluster so that all traffic going in and out of the application services can be secured. In addition to securing inbound traffic, the VM-Series firewall inspects outbound access from the Kubernetes nodes, so that data exfiltration can be blocked by policy.
In this sample topology, traffic enters the HTTP External Load Balancer (ELB) and is directed, based on the requested fully qualified domain name (FQDN), to a PANW named port. The instance group firewalls apply security policy and inspect all traffic to services in the Trust subnet.
This diagram reflects the logical organization of services on a Kubernetes cluster: it shows two clusters and three services (workloads). A Kubernetes cluster deployment is actually a single cluster whose resources are distributed across a node pool with multiple compute instance groups (not to be confused with the VM-Series firewall instance groups).
Secure Kubernetes Services in a Google Kubernetes Engine Cluster
To secure north-south traffic for a Google Kubernetes Engine cluster (GKE), deploy the VM-Series firewalls in an instance group and configure the GCP plugin on ...
Set Up the VM-Series Firewall on Google Cloud Platform
Deploy the VM-Series Firewall on a Google Cloud Engine Instance. ...
Configure Google Cloud Platform Plugin for Google Kubernetes Engine
In Panorama, configure the plugin to detect services in a Kubernetes cluster. ...
Deploy a Community-Supported Terraform Template
Deploy a community-supported Terraform template to expose services running in a Kubernetes cluster to the Google Cloud Platform plugin for Panorama. ...