Deploy the CN-Series on OpenShift

On your OpenShift environment, deploy the CN-Series firewalls.
The pan-cni secures traffic on the default "eth0" interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure additional interfaces that are configured with a bridge-based connection to communicate with other pods or the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all the interfaces or a selected number of interfaces attached to each pod.
The pan-cni doesn't create any network and hence doesn't need IP addresses like other CNI plugins.
The CN-Series firewall on OpenShift can only be deployed as a DaemonSet. The CN-Series as a Kubernetes Service is not supported on OpenShift.
  1. Deploy your cluster.
    Refer to the cloud platform vendor’s documentation and verify that the OpenShift versions and CNI are supported for the CN-Series.
    Review the following:
  2. Use the workflow included in Secure Kubernetes Workloads with CN-Series.
    You must create the service credentials, and deploy the firewall YAMLs.
    Note: If your service credential file is over 10KB, you must gzip the file and then do a base64 encoding of the compressed file before you upload or paste the contents of the file into the Panorama CLI or API.
  3. Configure the PAN-CNI plugin to work with the Multus CNI plugin.
    The Multus CNI on OpenShift functions as a "meta-plugin" that calls other CNI plugins. For each application you must:
    1. Deploy the PAN-CNI NetworkAttachmentDefinition in every pod namespace
      kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
    2. Modify the Application YAML.
      After you deploy the pan-cni-net-attach-def.yaml, add the following annotations to the app pod YAML:
      paloaltonetworks.com/firewall: pan-fw
      k8s.v1.cni.cncf.io/networks: pan-cni
      If the k8s.v1.cni.cncf.io/networks annotation lists other networks, add pan-cni after the networks that need to be inspected. The networks that follow pan-cni are not redirected and inspected.
      If your pod has multiple network interfaces, you must specify the interface names for which you want the CN-NGFW pod to inspect traffic, under "interfaces" in the pan-cni-configmap.yaml.
      For example:
      template:
        metadata:
          annotations:
            paloaltonetworks.com/firewall: pan-fw
            k8s.v1.cni.cncf.io/networks: bridge-conf, macvlan-conf, sriov-conf, pan-cni
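      As an added example that is not part of the Palo Alto Networks documentation: a small POSIX shell check that takes the value of a pod's k8s.v1.cni.cncf.io/networks annotation and reports which secondary networks are listed before pan-cni (and so are redirected to the CN-NGFW for inspection) and which are listed after it (and are not). It applies only the ordering rule stated above; the function names and the sample annotation values are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the CN-Series documentation). Given the value of a pod's
# k8s.v1.cni.cncf.io/networks annotation, split the comma-separated list at
# "pan-cni": networks before it are inspected by the CN-NGFW, networks after
# it are attached but not redirected. Function names are constructed here.

# Print the networks that precede pan-cni, comma-separated (the inspected set).
# Prints nothing and returns 1 when pan-cni is absent from the annotation.
inspected_networks() {
  _found=0
  _out=""
  _list=$(printf '%s' "$1" | tr -d ' ')
  _old_ifs=$IFS
  IFS=,
  for _net in $_list; do
    if [ "$_net" = "pan-cni" ]; then _found=1; break; fi
    _out="${_out:+$_out,}$_net"
  done
  IFS=$_old_ifs
  [ "$_found" -eq 1 ] || return 1
  printf '%s\n' "$_out"
}

# Print the networks that follow pan-cni (attached, but not redirected/inspected).
# Returns 1 when pan-cni is absent from the annotation.
uninspected_networks() {
  _found=0
  _out=""
  _list=$(printf '%s' "$1" | tr -d ' ')
  _old_ifs=$IFS
  IFS=,
  for _net in $_list; do
    if [ "$_found" -eq 1 ]; then _out="${_out:+$_out,}$_net"; continue; fi
    [ "$_net" = "pan-cni" ] && _found=1
  done
  IFS=$_old_ifs
  [ "$_found" -eq 1 ] || return 1
  printf '%s\n' "$_out"
}

# Human-readable report for one annotation value.
report() {
  if ! _ins=$(inspected_networks "$1"); then
    echo "WARN: pan-cni is not in the networks annotation; Multus will not call pan-cni for this pod"
    return 1
  fi
  echo "inspected:   ${_ins:-<none beyond the default eth0 interface>}"
  echo "uninspected: $(uninspected_networks "$1")"
}

# Constructed sample annotation values (the first matches the example above).
report "bridge-conf, macvlan-conf, sriov-conf, pan-cni"
report "bridge-conf, pan-cni, macvlan-conf"
report "pan-cni"
report "bridge-conf, macvlan-conf" || true
```

      Run it against the annotation value pulled from a live pod, for example with kubectl get pod <name> -n <namespace> -o jsonpath='{.metadata.annotations.k8s\.v1\.cni\.cncf\.io/networks}', to confirm before rollout that every network you expect the firewall to inspect is listed ahead of pan-cni.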