: How Does the Panorama Plugin for Azure Secure Kubernetes Services?
Focus
Focus

How Does the Panorama Plugin for Azure Secure Kubernetes Services?

Table of Contents

How Does the Panorama Plugin for Azure Secure Kubernetes Services?

Learn how the Azure plugin for Panorama works to secure Azure Kubernetes services.
You can use VM-Series firewalls to secure inbound traffic for Azure Kubernetes Service (AKS) clusters. The VM-Series firewall can only secure services exposed by a load balancer (such as an Azure Load Balancer). Outbound traffic can only be monitored.
This chapter reviews different components that enable the Azure Plugin for Panorama to connect to an AKS cluster.

Requirements

This solution requires the following components. See the Panorama plugin information in the Compatibility Matrix for the minimum version requirements.

A Sample Hub-and-Spoke Topology to Secure AKS Clusters

The following diagram illustrates a sample auto scale deployment that secures inbound traffic for Azure AKS clusters. Let’s review some of the components.
  • Auto Scaling Infrastructure—The Azure Auto Scaling templates create the messaging infrastructure and the basic hub and spoke architecture.
  • AKS Clusters—The Palo Alto Networks AKS template creates an AKS cluster in a new VNet. Given the name of the Spoke resource group, the template tags the VNet and AKS cluster with the Spoke resource group name, so the resource group can be discovered by the Azure Auto Scaling plugin for Panorama. The Azure plugin for Panorama queries service IP addresses on the Staging ILB to learn about AKS cluster services.
    Only one Spoke firewall scale set can be associated with an AKS Cluster; if you expose multiple services in a single AKS cluster, they must be protected by the same Spoke.
    For each resource group, create a subnet-based address group. In the above diagram, for example, create an address group for 10.240.0.0/24 (AKS Cluster 1).
  • VNet Peering—You must manually configure VNET peering to communicate with other VNets in the same region.
    Cross-region peering is not supported.
    You can use other automation tools to deploy AKS clusters. If you deploy in an existing VNet (the Hub Firewall VNet, for example) you must manually configure VNet peering to the inbound and outbound hub and spoke resource groups, and manually tag the VNet and AKS cluster with the resource group name.
  • User Defined Routes and Rules—You must manually configure user-defined routes and rules (see User-Defined Routing). In the diagram above, incoming traffic can be redirected, according to UDR rules, to the Firewall ILB for inspection. Outbound traffic exiting an AKS Cluster is redirected to the Hub Firewall ILB with Azure user-defined routing (UDR) rules. The solution assumes Allow All as a default policy for Kubernetes orchestration to function as-is, but to apply policy you can use an allowlist or a denylist to allow or deny outbound traffic.

User-Defined Routing

You must manually create user-defined routing and routing rules to govern inbound or outbound traffic.
Inbound
In the above diagram, inbound traffic from the Application gateway is driven to the backend pool, and based on UDR rules, redirected to the Firewall ILB. For example, create a UDR pointing to the VNet subnet so that the traffic for Kubernetes services is pointed to the firewall ILB.
Outbound
On the Hub firewall set, for each AKS cluster being protected, you must create static routes for the cluster subnet CIDR, with the next hop being the gateway address of the Hub VNet trust subnet.
All outbound traffic for an AKS cluster is directed to the Hub firewall set with a single UDR rule.

AKS Cluster Communication

The Panorama plugin for Azure can only communicate with the AKS controller node for a given AKS cluster. For Outbound AKS traffic, the next hop is the Hub Firewall ILB. Because Outbound traffic is monitored, you must Allow All traffic. The following topics emphasize common practices that help you establish connectivity. Keep them in mind when you plan your networks and subnets.

Create AKS Cluster Authentication

When you connect the AKS cluster in Azure plugin for Panorama you must enter a secret authorization token. Use Kubernetes commands to perform the following steps.
  1. Create a ClusterRole.
  2. Create a ClusterRoleBinding.
    1. Create a .yaml file for the ClusterRoleBinding. For example, create a text file named crb.yaml.
        apiVersion: rbac.authorization.k8s.io   kind: ClusterRoleBinding   metadata:      name: default-view   roleRef:     apiGroup: rbac.authorization.k8s.io     kind: ClusterRole     name: view   subjects:   - kind: ServiceAccount   name: default   namespace: default
    2. Use Azure Cloud Shell to apply the crb.yaml role binding.
      kubectl apply -f crb.yaml
    3. View the service account you just created.
      kubectl get serviceaccounts
  3. Save the service account credential to a .json file.
    1. On your local machine, change to the directory in which you want to save the credential.
    2. Use kubectl commands to create the token.
      MY_SA_TOKEN=‘kubectl get serviceaccounts default -o jsonpath=’{.secrets[0].name}’‘
    3. View the token name.
      $ echo $MY_SA_TOKEN
    4. Display the credential.
      kubectl get secret $MY_SA_TOKEN -o json

Use An Address Group to Identify Traffic

To create some granularity for monitored Outbound traffic, create an address group specifically for the AKS cluster VNet subnet (for example, 10.240.0.97/32 in the above diagram). You can then write rules that allow incoming or returning traffic rather than using Allow All.
If you create an address group, be careful to maintain the communication between the AKS controller and any worker nodes. See Add the Subnet Address Group to the Top-Level Policy.
If communication is interrupted, application traffic can be lost or your application deployment might have problems.

Add the Subnet Address Group to the Top-Level Policy

To maintain connectivity, the address group must be part of the top-level policy in Panorama. You can configure the cluster address group, or bootstrap the cluster to configure the cluster address group.
Add the address group to the top-level policy before you configure VNet peering or User-Defined Routing.

Prevent Application Disruption when Workload and AKS Cluster VNets Are Peered

If an AKS cluster co-exists with VM workloads that run in separate VNets, and the VNet is peered with both the workload spoke (Inbound) and the Hub (Outbound), you must create address groups to differentiate the workloads and the AKS traffic, and add the address group to Top-Level Policy as described above.

Dynamic Address Groups with Kubernetes Labels

When monitoring an AKS cluster resource, the Azure plugin automatically generates the following IP tags for AKS services.
  aks.<aks cluster name>.<aks service name>
Tags are not generated for nodes, pods, or other resources.
If the AKS service has any labels, the tag is as follows (one per label):
  aks.<aks cluster name>.svc.<label>.<value>
If a labelSelector tag is defined for a cluster, the plugin generates the following IP tag:
  aks_<labelSelector>.<aks cluster name>.<aks service name>