# Automation: The Key to Consistent Security for Kubernetes

By [Rishi Bhargava](https://www.paloaltonetworks.com/blog/author/rishi-bhargava/?ts=markdown "Posts by Rishi Bhargava") and [Sudeep Padiyar](https://www.paloaltonetworks.com/blog/author/sudeep-padiyar/?ts=markdown "Posts by Sudeep Padiyar")

Feb 05, 2021

How is Kubernetes security managed in your organization? This question has become top of mind for security and DevOps teams as their job responsibilities become increasingly intertwined in the world of cloud native applications. There are Kubernetes network policies and next-generation firewall (NGFW) security policies, and the teams crafting these policies tend to be different. A unified approach is needed so that consistent policies are applied with access control and advanced security services such as threat prevention and application segmentation. Without a unified approach, it is very cumbersome to figure out application connectivity issues post-deployment.

Automation is the key to helping cloud security teams pre-provision security policies so that they are in place and consistent before applications are deployed. Enabling communication and having checks and balances between different teams is important to having the right security controls on the network.

**Kubernetes Network Policy: The Building Block**

Since Kubernetes network policies were introduced, they have been used extensively to provide basic access control between application pods. In a Kubernetes cluster configured with default settings, all pods can discover and communicate with each other without any restrictions. The Kubernetes object type NetworkPolicy lets you allow and block traffic to pods. When customers run multiple applications in a Kubernetes cluster or share a cluster among multiple teams, it is a security best practice to create network policies that permit pods that need to communicate with each other to do so, while blocking other network traffic.

Here is a small sample of a policy file that denies all ingress traffic to a cluster. The policies are expressed in YAML files, so it is very easy for DevOps teams to automate this with Kubernetes tooling.

![Sample Policy File](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-16.png)

*Figure 1: Sample Policy File*

**Enter CN-Series: Industry's first Kubernetes Native Next-Generation Firewall**

Cloud-native applications can be kept nimble and secure with the industry's first Machine Learning-powered next-generation firewall (ML-Powered NGFW) built specifically for Kubernetes environments. The Palo Alto Networks [CN-Series](https://www.paloaltonetworks.com/blog/2020/06/network-cn-series/?ts=markdown) containerized firewall provides deep layer 7 visibility into container traffic and enforces threat prevention policies to protect allowed traffic across Kubernetes namespace boundaries. These container firewalls make the most of native Kubernetes orchestration by integrating firewall deployment directly into the DevOps workflow: a single command is all it takes for simultaneous deployment on all nodes of a Kubernetes cluster.

![Industry’s first Kubernetes Native Firewall](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-17.png)

*Figure 2: CN-Series: Industry's first Kubernetes Native Firewall*

Security Policies for CN-Series are applied via Panorama UX or XML APIs. Customers currently using Kubernetes tooling like Helm for applying network policies and XML APIs for PAN-OS based policies have desired a common automation mechanism for both.

**Cortex XSOAR + CN-Series: Better Automation for Kubernetes Security**

DevOps engineers typically configure network policies along with the application deployments in Kubernetes. Until recently, when CN-Series was deployed within the Kubernetes cluster(s) using automated mechanisms like Helm Charts, PAN-OS security policies had to be configured separately in Panorama. That changes with this key innovation from Palo Alto Networks.
We combine the native automation in Kubernetes with Cortex XSOAR and its integration with PAN-OS to help customers completely automate security for applications deployed in Kubernetes.

![CN-Series policy management automation with Cortex XSOAR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-18.png)

*Figure 3: CN-Series Policy Management Automation with Cortex XSOAR*

Customers want to continue to leverage the automation capabilities in Kubernetes. To make that easier, we extended the network policy constructs in Kubernetes. They now include PAN-OS attributes like [app-id](https://www.paloaltonetworks.com/technologies/app-id?ts=markdown), [url filtering](https://www.paloaltonetworks.com/products/threat-detection-and-prevention/web-security?ts=markdown), [vulnerability protection](https://docs.paloaltonetworks.com/threat-prevention.html), etc., as shown below.

![Sample of network policy constructs in Kubernetes with PAN-OS attributes](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-19.png)

*Figure 4: Sample of Network Policy Constructs in Kubernetes with PAN-OS Attributes*

This is how simple the end-to-end automated flow would be:

1. Security admins can now provide the required security services for specific containerized applications upfront to the automation teams, as explained in the picture above.
2. DevOps teams can include these policies as code templates in their CI/CD pipelines.
3. When the network policies are applied to Kubernetes, notifications from the Kubernetes watcher trigger a Cortex XSOAR playbook. The Cortex XSOAR playbook translates the opaque PAN-OS objects along with src, dest, allow/deny to create the PAN-OS policies automatically for the relevant Kubernetes clusters.
4. Cortex XSOAR has a setting for auto commit of the policies in Panorama, so the security admin can do the commits themselves to allow for manual checking if desired.

Here is the workflow for the automated Cortex XSOAR playbook setup that tracks incidents and debugs issues:

![Sample of Cortex XSOAR playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/word-image-20.png)

*Figure 5: Sample of Cortex XSOAR playbook*

**Summary**

Palo Alto Networks strongly believes container adoption demands comprehensive protection all the way from scanning container registries in the CI/CD pipeline to network security in production deployments. We have built a comprehensive suite of products in [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud/compute-security/container-security?ts=markdown), [CN-Series firewalls](https://www.paloaltonetworks.com/resources/datasheets/cn-series-container-firewall?ts=markdown) and [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/xsoar?ts=markdown) to ensure security concerns do not remain a hindrance for our customers in their container adoption journey.

Automation is one of the key benefits of Kubernetes. Palo Alto Networks further augments securing Kubernetes using Cortex XSOAR, CN-Series, Panorama and Kubernetes Network Policy with PAN-OS extensions! The [video](https://www.youtube.com/watch?v=PbfaES5hGCU&feature=youtu.be&t=12) explains the new capabilities in detail.

Note: This CN-Series Content Pack will be coming soon to Cortex XSOAR Marketplace. If you are new to Cortex XSOAR, do take a test drive of our full-featured, free [Community Edition](https://start.paloaltonetworks.com/sign-up-for-community-edition.html).