Secure Google Kubernetes Engine Services with Google Cloud Platform Plugin for Panorama
Understand how the VM-Series firewall instance group and PANW named ports secure services in a Kubernetes cluster, and how to configure the cluster for Panorama management.
The VM-Series firewall secures traffic entering or exiting a service deployed in a Google Kubernetes Engine (GKE) cluster. Configuring the Google Cloud Platform (GCP) plugin for Panorama™ establishes a connection between your GKE cluster and Panorama, allowing you to centrally manage the firewalls that secure the services running in your GKE deployment.
Typical Workload Deployments in GKE
A GKE deployment uses VPC networks and subnetworks in a GCP project for the networking between the Kubernetes clusters and other resources in the project. Containerized applications run on Kubernetes clusters, which are collections of VMs called nodes. In a private cluster, nodes have only internal IP addresses and no direct outbound internet access.
Services typically represent components of an application, such as a web service or a database service. Exposing a Service of type LoadBalancer normally assigns it a public IP address, which exposes the application to inbound attacks from the internet as well as from other workloads in the cluster.
The following diagram shows multiple Kubernetes services running in multiple Kubernetes clusters within the same GCP project.
Components Required to Secure Workloads Deployed in GKE
Let’s look at the components used to secure services that are externally accessible.
The firewalls in the instance group detect a PANW named port for each service of type LoadBalancer exposed to the internet. Each back-end service is behind an internal load balancer.
Google Kubernetes Engine Cluster
Google Kubernetes Engine services run in a GKE cluster. Google Cloud Platform Plugin for Panorama can support up to 100 exposed services per cluster.
To integrate with the GCP Plugin on Panorama, edit your application deployment’s config.yaml file as described in Deploy an Application.
The panw-named-port label is what differentiates the services. Using the panw-named-port label as the matching criterion, you can create firewall rules specific to each service and steer traffic accordingly.
Google Cloud Platform Plugin on Panorama
The plugin stores the mapping between a specific Panorama device group and a GKE cluster in a GCP project. A project entry holds the integration information for up to four GKE clusters, each of which can expose up to 100 services, and you can secure up to four GKE projects. When the plugin detects a new service in a Kubernetes cluster that it monitors, it creates the corresponding Panorama service objects and NAT rules, inserting the VM-Series firewalls into the network path so that traffic to and from the service is inspected.
The Google Cloud Platform Plugin for Panorama configures the integration between the Kubernetes cluster running in your GCP deployment and Panorama.
When you configure the GCP plugin for Panorama, you associate a GKE cluster with a specific instance group in your GCP project. A GCP instance group maps to a device group in Panorama.
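The plugin can only insert the firewall for a Service it can identify, so a LoadBalancer Service without a panw-named-port label, or two Services sharing one label value, silently falls outside the per-service rules described above. The following Python script is an added example, not part of this documentation and not code from the plugin: it audits the output of kubectl for exactly those gaps and checks the 100-services-per-cluster limit. It assumes the label is applied as metadata.labels["panw-named-port"] on the Service object, that named-port names follow the usual GCP resource-name form, and it runs on a constructed sample shaped like `kubectl get svc -A -o json`.

```python
import json
import re
from collections import Counter

LABEL_KEY = "panw-named-port"        # label named on the page; exact placement assumed
MAX_SERVICES_PER_CLUSTER = 100       # plugin limit stated on the page
# Named ports are GCP resource names; assumed to follow the usual RFC 1035 label form.
NAMED_PORT_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")

# Constructed sample, shaped like `kubectl get svc -A -o json` with unused fields dropped.
SAMPLE_SVC_JSON = json.dumps({"items": [
    {"metadata": {"name": "web", "namespace": "shop", "labels": {LABEL_KEY: "web-shop"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80, "targetPort": 8080}]}},
    {"metadata": {"name": "api", "namespace": "shop", "labels": {LABEL_KEY: "api-shop"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "targetPort": 8443}]}},
    # exposed to the internet but unlabeled: the plugin has nothing to steer
    {"metadata": {"name": "legacy", "namespace": "ops", "labels": {}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 8081}]}},
    # reuses web's label: per-service rules can no longer tell the two apart
    {"metadata": {"name": "dup", "namespace": "ops", "labels": {LABEL_KEY: "web-shop"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 9000}]}},
    # ClusterIP only: no public IP, not in scope for the integration
    {"metadata": {"name": "db", "namespace": "shop", "labels": {}},
     "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}},
]})


def exposed_services(svc_json):
    """Services of type LoadBalancer: the ones that receive a public IP address."""
    return [s for s in json.loads(svc_json)["items"]
            if s["spec"].get("type") == "LoadBalancer"]


def _label(svc):
    return svc["metadata"].get("labels", {}).get(LABEL_KEY)


def audit(svc_json, max_per_cluster=MAX_SERVICES_PER_CLUSTER):
    """Return the named-port map the plugin can act on, plus findings for what it cannot."""
    exposed = exposed_services(svc_json)
    uses = Counter(_label(s) for s in exposed)
    named_ports, findings = {}, []
    for s in exposed:
        ref = f'{s["metadata"]["namespace"]}/{s["metadata"]["name"]}'
        label = _label(s)
        if not label:
            findings.append(f"{ref}: LoadBalancer Service without a {LABEL_KEY} label; "
                            "the plugin cannot insert the firewall for it")
        elif uses[label] > 1:
            findings.append(f"{ref}: {LABEL_KEY}={label} is shared by {uses[label]} Services; "
                            "per-service rules cannot differentiate them")
        elif not NAMED_PORT_RE.match(label):
            findings.append(f"{ref}: {label!r} is not a valid named-port name")
        else:
            named_ports[label] = s["spec"]["ports"][0]["port"]
    if len(exposed) > max_per_cluster:
        findings.append(f"{len(exposed)} exposed Services exceeds the plugin limit of "
                        f"{max_per_cluster} per cluster")
    return {"named_ports": named_ports, "findings": findings}


def named_ports_arg(named_ports):
    """NAME:PORT list in the form gcloud's --named-ports flag takes, for side-by-side
    comparison with `gcloud compute instance-groups get-named-ports` on the firewall group."""
    return ",".join(f"{name}:{port}" for name, port in sorted(named_ports.items()))


def synthetic_cluster(n):
    """Constructed cluster with n uniquely labeled LoadBalancer Services (for limit checks)."""
    return json.dumps({"items": [
        {"metadata": {"name": f"svc{i}", "namespace": "x", "labels": {LABEL_KEY: f"p{i}"}},
         "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]}} for i in range(n)]})


if __name__ == "__main__":
    result = audit(SAMPLE_SVC_JSON)
    print("--named-ports=" + named_ports_arg(result["named_ports"]))
    for f in result["findings"]:
        print("FINDING:", f)
```

On the sample, only shop/api survives the audit; web and dup are reported because they share a label, and legacy is reported because it has a public IP but no label at all. Run against real output, pipe `kubectl get svc -A -o json` into audit() and compare the rendered NAME:PORT list with the named ports actually present on the VM-Series firewall instance group.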
A Sample Topology
The following diagram illustrates a load balancer sandwich deployment. This diagram highlights elements critical to integrating your GKE cluster with the GCP Plugin for Panorama.
To secure containerized applications, place the VM-Series firewall in front of your Kubernetes cluster so that all traffic entering and leaving the application services is inspected. In addition to securing inbound traffic, the VM-Series firewall controls outbound access from the Kubernetes nodes, which helps prevent data exfiltration.
In this sample topology, traffic enters the HTTP External Load Balancer (ELB) and is directed, according to the fully-qualified domain name (FQDN) of the request, to a PANW named port on the firewall instance group. The firewalls apply security policy and inspect all traffic to the services in the Trust subnet.
The diagram reflects the logical organization of services on a Kubernetes cluster: for example, it shows two clusters and three services (workloads). Physically, however, the deployment is a single Kubernetes cluster whose resources are distributed across a node pool backed by one or more compute instance groups (not to be confused with the VM-Series firewall instance groups).