On your OpenShift environment, deploy the CN-Series firewalls.
The pan-cni secures traffic on the default
"eth0" interface of the application pod. If you have multi-homed
pods, you can configure the CN-NGFW pod to secure additional interfaces
that are configured with a bridge-based connection to communicate
with other pods or the host. Depending on the annotation in the
application YAML, you can configure the CN-Series firewall to inspect
traffic from all the interfaces or a selected number of interfaces
attached to each pod.
The pan-cni doesn't create any network, so unlike other CNI plugins
it doesn't need IP addresses.
On OpenShift, the CN-Series firewall can be deployed only as a DaemonSet.
The CN-Series as a Kubernetes Service is not supported on OpenShift.
Deploy your cluster.
Refer to the cloud platform vendor’s documentation and
verify that the OpenShift versions and CNI are supported for the
You must create the service credentials, and deploy the
Note: If your service credential file
is over 10KB, you must gzip the file and then base64-encode
the compressed file before you upload or paste the contents of
the file into the Panorama CLI or API.
Configure the PAN-CNI plugin to work with the Multus
The Multus CNI on OpenShift functions as a "meta-plugin"
that calls other CNI plugins. For each application you must:
Deploy the PAN-CNI NetworkAttachmentDefinition in every pod