October 30, 2020
Integration with Prisma Cloud
In this private beta release, we offer a preview of Aporeto’s integration into Prisma Cloud. We do not support any upgrades to this release, only fresh installs.
We continue to host the Aporeto control plane for customers who do not wish to upgrade.
If you are still using the Aporeto-hosted control plane, do not upgrade your enforcers or
You must migrate to the Prisma-hosted platform to obtain further updates.
We have removed content for the Aporeto-hosted control plane from
This section now contains content for the Prisma-hosted offering.
We have renamed the product and control plane as follows.
| Previous term | New term |
| --- | --- |
| Aporeto | Prisma Cloud Identity-Based Microsegmentation (Microsegmentation) |
| control plane | Microsegmentation Console |
Automated Windows install
We have extended apoctl protect to support Windows.
Refer to the installation documentation for more details.
Streamlined enforcer deployment
We’ve made it easier to deploy enforcers with the following changes.
- Namespace concepts and creation guidance added.
- Discovery mode enabled by default.
- Host protection enabled by default for Linux and Windows hosts.
- Reduced types of processing units to either an entire host or a pod.
We now offer apoctl oam ping to help you troubleshoot connectivity issues at layers 3, 4, and 7.
Refer to Troubleshooting connectivity for more information.
Remote access to enforcer logs
You can now download an enforcer’s logs and other data to your local host. See Troubleshooting enforcer for details.
This release adds the following new roles.
- Infrastructure Administrator: can edit all resources except namespaces.
- Infrastructure Viewer: can view all resources.
- Application Developer: can edit network policies, services, service dependencies, and token scope policies. Can view processing units and external networks.
- Application Viewer: can view network policies, services, service dependencies, token scope policies, processing units, and external networks.
Operator now optional
We no longer require the operator on Kubernetes or OpenShift clusters. By default, we don’t deploy it.
Removal of unused features
Due to a lack of adoption, we have removed:
- Enforcer’s audit logging capabilities
- Namespace auditor role
- App integrations such as the Clair vulnerability scanner and others
Namespace Editor role: If you have any API authorizations using this role, migrate them to the Namespace Administrator role. We will remove the Namespace Editor role in a future release.
Host services: If you are using host services, migrate to external networks and network policies. We will remove host services in a future release.
kubenet: If your Kubernetes clusters use kubenet, migrate them to CNI plugins. GKE clusters use kubenet by default. Pass the --enable-network-policy flag to modify them to use CNI plugins instead.
APO-146: You no longer have to manually issue the following commands before installing the enforcer on RHEL 8 and RHEL CoreOS 8 (used by OpenShift 4) hosts:
modprobe ip_tables
modprobe iptable_nat
CNS-121: When multiple clients attempt to connect to the same HTTP service on a Windows host, some may experience timeouts.
CNS-126: After decommissioning an enforcer, you may find some of its iptables rules still in place.
CNS-153: When using relative time values with apoctl, the values must be in relation to Pacific Standard Time (PST). For example, if you are in France and want to retrieve the last five minutes of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.
CNS-280: If you manually create an app credential and name it
apoctl protect k8s may delete it. To avoid this potential issue, do not name your app credentials
CNS-361: Network address translation (NAT) between pods on the same host may cause packets to be dropped if traffic does not occur for twenty-four seconds or longer.