To onboard your Kubernetes cluster, choose the capabilities that fit your needs and download the Helm chart values. Install the Helm charts in your Kubernetes environment to grant Cortex Cloud permissions to collect the data.
Follow this wizard to deploy your Kubernetes Connector. The Kubernetes onboarding wizard is designed to make setting up Kubernetes data collection into Cortex Cloud straightforward. The guided experience requires minimal user input: select the capabilities that fit your needs and download the custom installer file. For full control of the setup, use the advanced settings. Based on the onboarding settings, Cortex Cloud creates a custom installer file that you must run in your Kubernetes environment; running it grants Cortex Cloud the permissions it needs to collect the data and completes the onboarding. The connector then appears in Kubernetes Connectors.
Navigate to → .
On the Add Data Sources & Integrations page, click Create Integration, search for Kubernetes, then hover over it and click Add Another Instance.
In the Kubernetes Connect onboarding wizard, enable the solutions that fit your needs:
Posture Management: (Enabled by default) A lightweight posture management solution for continuous discovery, policy enforcement, and proactive scanning of vulnerabilities, secrets, malware, compliance, and misconfigurations.
Realtime Protection: A solution that monitors workloads in real time to detect and block malicious activity, instantly preventing attacks as they happen.
(Optional) Click Edit to configure advanced settings and then click Apply Changes:
Posture Management:
Scan Cadence (Hours): Define how often to scan (from every 1 hour to every 24 hours). Default is 12 hours.
Policy Enforcement by the Admission Controller: Select to allow enforcement policies to be configured, ensuring that only compliant resources are admitted into the cluster.
Registry Scanning (OpenShift Only): Select this option to scan OpenShift Platform Registry images for vulnerabilities, malware, and exposed secrets. Select the scanning configuration option to enable security checks for your images:
All (Default): Scans all container images, including all versions (tags), in all discovered repositories.
Latest tag: Scans only images tagged 'latest' in all discovered repositories.
Day modified: Scans container images created or modified in the last few days. You can select a range of up to 90 days for the scan. The default is set to 7 days.
Refer to OpenShift container registry for information on the instances that were automatically created by the Kubernetes deployment.
Realtime Protection:
Note: This option is not supported for Fargate.
Note: Enabling Realtime Protection installs the agent on your Kubernetes clusters as a DaemonSet.
Node Selector: Enter node labels to have the agent run only on nodes that match those labels.
Run on all nodes (Including Master) / Run only on master node: Select one of the options.
Endpoint tags: Select endpoint tags with relevant context to assign to agents during installation. You can reference the full list of tags under All endpoints.
Deployment Platform: Select the Kubernetes deployment platform: Standard, Bottlerocket OS, Google GCOS, or OpenShift.
(Optional) Click Edit Profile to customize the Kubernetes Connector's profile:
Profile Name: A profile name is automatically generated, including the date and time of creation. You can manually change the profile name.
Version: Select which version of the Kubernetes Connector to install.
Cluster Resource Identifier: (Optional) Enter the Kubernetes cluster resource identifier. If you do not specify the resource identifier, the installer will identify the cluster on its own.
Note: For Fargate, you must provide the cluster resource identifier. The format of the identifier is arn:aws:eks:<region>:<account-id>:cluster/<cluster-name>.
Namespace: Enter the name for the Kubernetes namespace. The default is "panw".
To ensure proper data parsing in an AWS Fargate environment, a Fargate Profile must be explicitly configured for the namespace where the connector is installed (typically panw) and for the kube-system namespace if the cluster is fully Fargate-based. Because the system identifies Fargate clusters by scanning for active workloads during deployment, a Fargate profile that contains no running pods will not be recognized as such. Furthermore, since this detection occurs at installation, any transition from EC2 to Fargate requires an agent update to trigger a new scan and ensure the environment is correctly identified and monitored.
Proxy Gateway: Enable this option if network traffic between Cortex Cloud and your Kubernetes cluster must route through a proxy gateway. Enter the following details:
Proxy IP: The full IP address and port number for your HTTP proxy server. For example: 192.168.1.1:8080
Authentication: Select None or Basic. Enter the username and password for a proxy user account that has permission to pass traffic to the Kubernetes cluster.
Note: Basic authentication is only supported in Posture Management. If deploying Realtime Protection, select None.
Auto Upgrade: Enable Auto Upgrade to ensure the Kubernetes Connector and its installed capabilities are automatically updated to a newer version when available. This minimizes manual maintenance and ensures continuous access to the latest features and security patches.
Select the Upgrade Strategy:
Latest Available Version (GA): Automatically upgrade to the newest version as soon as it is released to gain immediate access to all new features.
One release before the latest one (N-1): Maintain a policy to always remain one version behind the latest available release.
Note: If you install the latest version but select the N-1 strategy, the policy takes effect from the next upgrade cycle (it does not immediately downgrade your current installation). If you choose an older version and keep the Latest strategy, the latest version will be installed.
Select Advanced to customize the upgrade schedule: choose whether the upgrade is applied immediately or delayed by a specified number of days, then specify the preferred day and time for it to be applied.
Click Generate.
To complete the onboarding of the Kubernetes Connector, download the Helm chart values file (values.yaml) and run the following commands in your Kubernetes environment.
Add the Cortex Helm repository:
helm repo add cortex https://paloaltonetworks.github.io/cortex-cloud --force-update
Install the Helm charts in your Kubernetes environment:
helm upgrade --install konnector cortex/konnector --wait-for-jobs --create-namespace --namespace pan --values <profile-name>.values.yaml
Verify the deployment succeeded when you see Status: Deployed.
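The install steps above, as an added shell example that is not part of the Cortex Cloud documentation or its tooling: it checks the cluster identifier format given for Fargate and the namespace chosen in the wizard, prints the documented Helm command for review, runs it, and confirms the release status. The function names are assumptions; the profile name and namespace are whatever you selected in the wizard.

```shell
#!/bin/sh
# Added example (not Cortex Cloud's own tooling): preflight checks and an install
# wrapper around the documented Helm steps. Function names are assumptions.

HELM_REPO_URL="https://paloaltonetworks.github.io/cortex-cloud"

# Check a cluster resource identifier against the documented Fargate format:
# arn:aws:eks:<region>:<account-id>:cluster/<cluster-name>
validate_eks_arn() {
  printf '%s' "$1" | grep -Eq \
    '^arn:aws:eks:[a-z]{2}(-[a-z]+)+-[0-9]+:[0-9]{12}:cluster/[A-Za-z0-9][A-Za-z0-9_-]{0,99}$'
}

# A namespace must be a valid Kubernetes DNS label (lowercase, digits, '-', max 63 chars).
validate_namespace() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Print the documented install command for the wizard's profile name and namespace,
# so it can be reviewed before anything runs. Usage: build_install_cmd <profile> <namespace>
build_install_cmd() {
  validate_namespace "$2" || return 1
  printf 'helm upgrade --install konnector cortex/konnector --wait-for-jobs --create-namespace --namespace %s --values %s.values.yaml\n' "$2" "$1"
}

# Run the documented steps and confirm the release reached the "deployed" status.
# Usage: install_konnector <profile-name> <namespace> [cluster-arn]
install_konnector() {
  profile="$1"; ns="$2"; arn="$3"
  [ -f "$profile.values.yaml" ] || { echo "missing $profile.values.yaml" >&2; return 1; }
  # Fargate clusters must carry the identifier; reject a malformed one before installing.
  if [ -n "$arn" ] && ! validate_eks_arn "$arn"; then
    echo "cluster identifier is not in arn:aws:eks:... format" >&2; return 1
  fi
  build_install_cmd "$profile" "$ns" || { echo "invalid namespace: $ns" >&2; return 1; }
  helm repo add cortex "$HELM_REPO_URL" --force-update >/dev/null || return 1
  helm upgrade --install konnector cortex/konnector --wait-for-jobs \
    --create-namespace --namespace "$ns" --values "$profile.values.yaml" || return 1
  # helm status reports "STATUS: deployed" once the release is healthy.
  helm status konnector --namespace "$ns" | grep -q '^STATUS: deployed$'
}
```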
When the Kubernetes Connector is deployed, the initial discovery scan is started, and the connector appears in → → .