Panoptica Environments

An Environment is a logical set of cloud instances, clusters, or namespaces on which a Cisco Panoptica controller has been deployed. These can be on-prem VMs, cloud VPCs, or Kubernetes clusters. If the environment is located in a cloud account, the cloud account must be associated with Panoptica.

Environments are used to apply Panoptica runtime policies that regulate where workloads can run, and with whom they can communicate. You can, for example, define a policy that permits (or restricts) specific workloads (apps) to run on a specific named environment, or that allows (or denies) communication to or from workloads running on a specific environment.

You can include more than one cluster or namespace in an environment. You can also define an environment to include entities that are logically related, even if they span different clusters or cloud accounts. For example, you can define an environment that includes AWS VPCs in different regions that are used for a common purpose, such as a web front end, or an environment that includes namespaces from different clusters, identified by a common label. It is then a straightforward task to create and apply simple runtime rules to control activity and communication to workloads in these environments.

Define Environments

  1. In the Panoptica Console, navigate to the Deployments page.

  2. Select the Environments tab. This will show a list of your environments.

  3. Click +New Environment.

  4. In the General Details section, enter a name and description for the environment.

  5. Select a risk level for the environment. This is the maximum risk level for workloads running in this environment. You can define runtime environment policy rules to block workloads with a higher risk level from running in this environment.

  6. Click NEXT.

  7. In the Infrastructure Configuration section, select the platform (infrastructure) from the list. This can be AWS or Kubernetes. You can select a number of infrastructures for the same environment, and they can be a combination of AWS and Kubernetes.

  8. Expand the platform to be included, and then press + Settings.

For AWS, enter the following setting details:

  • the Cloud Account ID from the list of accounts which have been associated with Panoptica
  • the region in your account
  • the Network (VPC); the environment will include all instances in the VPC
  • optionally, define tags for the environment, and assign them values (more than one tag can be assigned). You can use tags to associate workloads with an environment.

For Kubernetes, enter the following details:

  • the cluster name
  • the namespaces to include in the environment, selected either by name or by label (for example, the label assigned to the namespace during controller deployment; see here). The environment will include all nodes in the namespace. You can select a number of names or labels.

  9. Repeat for additional infrastructures for the environment.

  10. When done, click FINISH.

View Environments

View a list of the environments in the ENVIRONMENTS tab of the Deployments page.

Modify Environments

To modify an existing environment:

  1. Navigate to the Deployments page, and select the Environments tab. This will show a list of all environments.
  2. Select the environment to be modified, and then click Edit.
  3. Modify the General Details or Infrastructure Configuration sections, as necessary, and then click FINISH.

Delete an environment

You can delete environments from Panoptica. This removes the environment definition in Panoptica, but does not delete or change the actual host or cluster. Workloads running on these environments are not deleted. You can continue to view these workloads on your clusters, but will no longer see them grouped by environment. In addition, runtime policies will continue to be applied to workloads, although rules involving the deleted environment will no longer be applied.

To delete an environment:

  1. Navigate to the Deployments page, and select the Environments tab. This will show a list of all environments.
  2. Select the environment to be deleted, and then click Delete.

Environment Advisor

The Panoptica Environment Advisor will recommend environments for your hosts or clusters, for namespaces that have running workloads that are not included in any other environment. The namespace name will be the suggested name for the environment.

In the example below, the workload billing, in the CustomerC namespace, is not in an environment.

The Environment Advisor will suggest a new environment for this. The suggested risk level is based on the risk of the workload. The affected workloads (1, in this example) are the workloads that will be included in this environment, if it is created.
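
The Environment Advisor check described above, modelled as an added example for auditing an exported inventory; it is not Panoptica's code or API. The risk level names, the rule that the suggested risk is the highest risk among the affected workloads, and the sample inventory are assumptions.

```python
from dataclasses import dataclass, field

# Assumed ordering of risk levels; the page does not list the level names.
RISK_ORDER = ["low", "medium", "high"]

@dataclass
class Environment:
    name: str
    cluster: str
    namespaces: set = field(default_factory=set)  # namespaces selected by name
    labels: dict = field(default_factory=dict)    # namespaces selected by label

    def covers(self, cluster, namespace, ns_labels):
        """True if this environment includes the given namespace."""
        if cluster != self.cluster:
            return False
        by_name = namespace in self.namespaces
        by_label = any(ns_labels.get(k) == v for k, v in self.labels.items())
        return by_name or by_label

def suggest_environments(workloads, ns_labels, environments):
    """Return {(cluster, namespace): suggestion} for namespaces that have
    running workloads but are not included in any environment."""
    suggestions = {}
    for w in workloads:
        key = (w["cluster"], w["namespace"])
        labels = ns_labels.get(key, {})
        if any(e.covers(key[0], key[1], labels) for e in environments):
            continue
        # The namespace name is the suggested environment name.
        s = suggestions.setdefault(
            key, {"name": w["namespace"], "risk": "low", "workloads": []})
        s["workloads"].append(w["name"])
        # Assumption: suggested risk is the highest risk among affected workloads.
        s["risk"] = max(s["risk"], w["risk"], key=RISK_ORDER.index)
    return suggestions

# Constructed sample inventory (not real data).
ENVS = [Environment("frontend", "cluster-a", namespaces={"web"}),
        Environment("payments", "cluster-a", labels={"team": "pay"})]
NS_LABELS = {("cluster-a", "checkout"): {"team": "pay"}}
WORKLOADS = [
    {"name": "nginx", "cluster": "cluster-a", "namespace": "web", "risk": "low"},
    {"name": "cart", "cluster": "cluster-a", "namespace": "checkout", "risk": "medium"},
    {"name": "billing", "cluster": "cluster-a", "namespace": "CustomerC", "risk": "high"},
]

if __name__ == "__main__":
    for key, s in suggest_environments(WORKLOADS, NS_LABELS, ENVS).items():
        print(key, s)
```

With the sample data, only the CustomerC namespace is reported, because web is covered by name and checkout by label.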
