The service account (pan-plugin-user) created with the
plugin-serviceaccount.yaml
enables the Kubernetes plugin on
Panorama to authenticate with the Kubernetes cluster for retrieving metadata on the
pods. The other two yaml files,
pan-mgmt-serviceaccount.yaml
and
pan-cni-serviceaccount.yaml
, create the
pan-mgmt-sa and the pan-cni-sa service accounts to enable the authentication between
the fault tolerant CN-Mgmt pods, and between the CN-MGMT pod and the CN-NGFW pods.
For more information, see
Components Required to Secure Kubernetes Clusters
with CN-Series Firewall.