The CN-Series firewall is designed to
provide the tools you need to secure the applications in your containerized
environment. To understand how the CN-Series fits into a containerized
network, it is important to understand some key concepts.
Cluster
—the foundation of your containerized environment;
all your containerized applications run on top of a cluster.
Node
—depending on the cluster, a node might be a virtual
or physical machine that contains the necessary services required
Pod
—the smallest deployable computing unit that you
can deploy and manage in Kubernetes. The CN-Series firewall is deployed
in a distributed PAN-OS architecture as two pods: CN-MGMT and CN-NGFW.
See CN-Series Core Building Blocks for more information.
Namespace
—a namespace is a virtual cluster that is
backed by a physical cluster. In an environment with many users
spread across multiple teams and functions, a namespace can be used
to separate them on a single cluster.
Container Network Interface (CNI)
—a plugin that configures
network interfaces for containers. Additionally, the CNI removes
the allocated resources used for networking when a container is
DaemonSet
—in a Kubernetes deployment, a DaemonSet
ensures that some or all nodes run a copy of a particular pod. As
nodes are added to a Kubernetes cluster, a copy of the pod defined
by the DaemonSet is added to each new node. When you deploy the
CN-Series firewall as a DaemonSet, a copy of the CN-NGFW pod is
deployed on each node in your cluster (up to 30 per CN-MGMT pair).
Service
—an abstraction that exposes an
application running on a set of pods as a network service. When you
deploy the CN-Series as a service, you define the number of CN-NGFW pods
to deploy in your YAML files.
Horizontal Pod Autoscaler (HPA)
—scales the number of pods in a deployment, replica set, or stateful set
based on metrics such as CPU utilization or session utilization.
HPA is supported on the CN-Series as a Kubernetes service only.
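The following manifest pair is an added illustration of the service deployment model with an HPA attached; it is not taken from the CN-Series documentation or the vendor's YAML. The CN-NGFW pods run as a Deployment whose replica count the HPA adjusts, which is why HPA applies to the service model and not to the DaemonSet model. The image reference, namespace, labels, replica bounds and CPU target are placeholders.

```yaml
# Added illustration, not vendor-supplied manifests. Image, namespace,
# labels and numbers are placeholders; use the CN-Series YAML for real values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cn-ngfw
  namespace: kube-system            # placeholder namespace
spec:
  replicas: 2                       # starting count; the HPA rewrites this field
  selector:
    matchLabels:
      app: cn-ngfw
  template:
    metadata:
      labels:
        app: cn-ngfw
    spec:
      containers:
      - name: cn-ngfw
        image: <cn-ngfw-image>:<tag>   # placeholder image reference
        resources:
          requests:
            cpu: "1"                   # HPA utilization % is relative to this request
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: cn-ngfw-hpa
  namespace: kube-system            # placeholder namespace
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment                # a DaemonSet has no replica count to scale
    name: cn-ngfw
  minReplicas: 2                    # placeholder bounds
  maxReplicas: 6
  metrics:
  - type: Resource
    resource:
      name: cpu                     # session utilization would be a custom metric instead
      target:
        type: Utilization
        averageUtilization: 70      # placeholder threshold
```

A DaemonSet cannot be named in scaleTargetRef because it does not expose the scale subresource the HPA controller acts on; under the DaemonSet model the node count alone determines how many CN-NGFW pods run.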