1. Home
    2. CN-Series
    3. CN-Series Deployment Guide
    4. Secure Kubernetes Workloads with CN-Series
    5. Install the Kubernetes Plugin and Set up Panorama for CN-Series

    Install the Kubernetes Plugin and Set up Panorama for CN-Series

    Install the Kubernetes plugin on Panorama and set it up to monitor your Kubernetes clusters.
    You can deploy the Panorama appliance on-premises or in the cloud, as long as the Panorama appliance can connect with the Kubernetes clusters where you want to deploy the CN-Series firewalls. This workflow takes you through the process of installing the Kubernetes plugin, activating the auth code and setting up the Kubernetes plugin to monitor your clusters.
    1. Deploy a Panorama with software version 10.0 and install the minimum content version.
      1. Check Now
         (
        Panorama
        Dynamic Updates
        ) for the minimum content release version on PAN-OS 10.0.
      2. Check Now
         (
        Panorama
        Software
        ) for the software version.
        Locate and download the model-specific file for the release version to which you are upgrading. For example, to upgrade an M-Series appliance to Panorama 10.0.0, download the Panorama_m-10.0.0 image; to upgrade a Panorama virtual appliance to Panorama 10.0.0, download the Panorama_pc-10.0.0 image.
        After a successful download, the
        Action
         column changes from Download to Install for the downloaded image.
    2. Verify that your Panorama is in Panorama mode, if you want Panorama to collect the firewall logs.
    3. Install the Kubernetes plugin on Panorama.
      1. Log in to the Panorama Web Interface, select
        Panorama
        Plugins
         and click
        Check Now
         to get the list of available plugins.
      2. Select
        Download
         and
        Install
         the Kubernetes plugin
        After you successfully install, Panorama refreshes and the Kubernetes plugin displays on the
        Panorama
         tab.
        You can also verify the General Information widget on the Panorama
        Dashboard
        .
    4. Commit your changes on Panorama.
      Click
      Commit to Panorama
      . The commit creates the interfaces and virtual wires and the associated template named
      K8S-Network-Setup
      . It can take up to one minute for the interfaces to display on Panorama. The template has 30 virtual wires; a pair of interfaces that are part of a virtual wire to secure an application. Therefore, the CN-NGFW can secure a maximum of 30 application pods on a node.
    5. Get the CN-Series license tokens on Panorama.
      1. Choose your workflow.
        If your Panorama has internet access you can activate the authcode on the Kubernetes plugin. If your Panorama does not have internet access, you must Allocate CN-Series Tokens to Panorama and then upload the license key.
        • Activate the authcode on the Kubernetes plugin.
          1. Select
            Panorama
            Plugins
            Kubernetes
            Setup
            Licenses
            .
          2. Select
            Activate/update using authorization code
            , and enter the auth code and the number of licenses you need for each of the nodes you want to protect with CN-Series firewalls.
            You must activate the auth code to enable the CN-MGMT to connect with Panorama. Every node in the cluster uses a token.
            If you deploy the CN-Series firewall without activating the license, you have a 4-hour grace period after which the firewalls stop processing traffic. After the grace period, the CN-NGFW instances will either failopen (default) or failclosed based on the (FAILOVER_MODE) defined in the
            pan-cn-ngfw-configmap.yaml
            .In fail-open mode the firewall will receive the packets and send it out without applying any security policies. Transitioning to fail-open will require a restart and cause a brief disruption of traffic during that (expected around 10-30 seconds). In fail-closed mode, the firewall will drop all the packets it receives. A fail-close will bring down the CN-NGFW Pod and release the tokens to the available token pool for licensing new CN-NGFW Pods.
        • Upload the license key to Panorama.
          1. Log in to the CLI on Panorama.
            Use SSH to log into the CLI.
          2. Enter
            request plugins kubernetes manually-upload-license file
            .
          3. Paste the contents of the file.
      2. Verify that the number of available license tokens is updated.
    6. Generate VM Auth Key.
      Log in to the Panorama CLI, and use the following operational command:
        request bootstrap vm-auth-key generate lifetime <1-8760>
      For example to generate a key that is valid for 24 hrs, enter the following:
        request bootstrap vm-auth-key generate lifetime 24
        VM auth key 755036225328715 generated.
  Expires at: 2020/01/29 12:03:52
    7. Create a parent Device Group and Template Stack.
      You must create a template stack and a device group, and you will later reference this template stack and device group when you edit the YAML file to deploy the CN-MGMT Pods. The Kubernetes plugin on Panorama creates a template called K8S-Network-Setup, and this template will be part of the template stack you define here.
      1. Create a template stack and add the K8S-Network-Setup template the template stack.
        1. Select
          Panorama
          Templates
           and
          Add Stack
          .
        2. Enter a unique
          Name
           to identify the stack.
        3. Add and select the K8S-Network-Setup template.
        4. Click
          OK
          .
      2. Create a device group.
        1. Select
          Panorama
          Device Groups
           and click
          Add
          .
        2. Enter a unique
          Name
           and a
          Description
           to identify the device group.
        3. Select the
          Parent Device Group
           (default is
          Shared
          ) that will be just above the device group you are creating in the device group hierarchy.
        4. Click
          OK
          .
      3. (
        If you are using a Panorama virtual appliance
        ) Create a Log Collector and add it to a Log Collector Group.
        1. Select
          Panorama
          Collector Groups
           and
          Add
           a Collector Group.
        2. Enter a
          Name
           for the Collector Group.
        3. Enter the
          Minimum Retention Period
           in days (1 to 2,000) for which the Collector Group will retain firewall logs.
          By default, the field is blank, which means the Collector Group retains logs indefinitely.
        4. Add
           Log Collectors (1 to 16) to the Collector Group Members list.
        5. Select
          Commit
          Commit and Push
           and then
          Commit and Push
           your changes to Panorama and the Collector Group you configured.
    8. Set up the Kubernetes plugin for monitoring the clusters.
      Add the Kubernetes cluster information so that Panorama can access the API endpoint for the cluster and authenticate using the service account credentials in order to query the API server. You can add up to 32 service account credentials on Panorama; Panorama supports only one service account credential for a Kubernetes cluster.
      To ensure that the plugin and the Kubernetes clusters are in sync, the plugin polls the Kubernetes API server at a configured interval and listens for notifications from the Kubernetes Watch API at a predefined interval (not user configurable).
      After you add the cluster information, Panorama always retrieves the such as service, node, replica set and creates tags for them to enable you to gain visibility and to control traffic to and from these clusters. Optionally, you can specify whether you want Panorama to retrieve information on the Kubernetes labels and create tags for these also. See IP-Address-to-Tag Mapping of Kubernetes Attributes for a list of supported attributes.
      1. Check the monitoring interval.
        The default interval at which Panorama polls the Kubernetes API server endpoint is 30 seconds.
        1. Select
          Panorama
          Plugins
          Kubernetes
          Setup
          General
          .
        2. Verify that
          Enable Monitoring
           is selected.
        3. Click the gear icon to edit the
          Monitoring Interval
           and change to a range of 30-300 seconds.
      2. Select
        Panorama
        Plugins
        Kubernetes
        Setup
        Cluster
        , and
        Add Cluster
        .
        Make sure that you do not add the same Kubernetes cluster to more than one Panorama (single instance or HA pair) appliance because you may see inconsistencies in how the IP-address-to mappings are registered to the device groups.
      3. Enter a
        Name
         and the
        API Server Address
        .
        This is the Endpoint IP address for the cluster that you must get from your Kubernetes deployment. Enter a name, up to 20 characters, to uniquely identify the name of the cluster. You cannot modify this name because Panorama uses the cluster name when it creates tags for the pods, nodes, services it discovers within the cluster.
        The format of the API server address can be a hostname or an IP address:port number, and you do not need to specify the port if you are using port 443, which is the default port.
      4. Select the
        Type
         of environment on which your cluster is deployed.
        The available options are AKS, EKS, GKE, Native Kubernetes, OpenShift, and Other.
      5. Upload the service account
        Credential
         that Panorama requires to communicate with the cluster. In the previous step of this workflow, this filename for this service account was
        plugin-svc-acct.json
        .
        If your service credential file is over 10KB, you must gzip the file and then do a base64 encoding of the compressed file before you upload or paste the contents of the file into the Panorama CLI or API.
      6. Click
        OK
        .
        You can leave the Label Filter and Label Selector configuration for later. This is an optional task that enables you to retrieve any custom or user-defined labels for which you want Panorama to create tags.
    9. (
      Optional
      ) Configure a proxy for each cluster.
      Unlike the other plugins, the Kubernetes plugin does not use the proxy configured under
      Panorma
      Setup
      Services
      . Instead if you want to enable or bypass a proxy, you must enter the proxy for each cluster. When configured, the Kubernetes plugin uses this proxy server IP address to make all API calls to the API server for this cluster.
      1. Log in to the CLI on Panorama.
      2. Enter the following CLI commands to configure the proxy server for this Kubernetes cluster.
        >
        configure> set plugins kubernetes setup cluster-credentials <cluster-name>  cluster-proxy enable-proxy <yes/no> proxy-port <port>   proxy-server <IP> proxy-user <username>  secure-proxy-password <password>
        *** username and password are optional ***

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo