CN-Series Deployment Guide
    : Deploy the CN-Series on OpenShift Operator Hub
    Focus
    Download PDF
    Focus
    1. Home
    2. CN-Series
    3. CN-Series Deployment Guide
    4. Secure Kubernetes Workloads with CN-Series
    5. Deploy the CN-Series Firewalls
    6. Deploy the CN-Series on OpenShift Operator Hub
    Download PDF

    CN-Series Deployment Guide

    Deploy the CN-Series on OpenShift Operator Hub

    Table of Contents

    Deploy the CN-Series on OpenShift Operator Hub

    On your OpenShift environment, deploy the CN-Series firewalls.
    The CN-Series Container firewall is now available on RedHat Openshift platform Operator Hub. You can deploy, configure, and operate CN-Series container firewalls directly from RedHat Operator Hub.
    Prerequisites for CN-Series on Openshift Operator Hub:
    You should ensure that the following prerequisites are met before deploying the CN-Series firewall on Openshift operator hub:
    Deploy the CN-Series on OpenShift Operator Hub:
    The pan-cni secures traffic on the default
    eth0
     interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure additional interfaces that are configured with a bridge-based connection to communicate with other pods or the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all the interfaces or a selected number of interfaces attached to each pod.
    The pan-cni does not create a network and hence, does not need IP addresses like other CNI plugins.
    PAN-OS 10.1.3 or later is required to deploy the CN-Series as a Kubernetes Service on OpenShift. Additionally, the CN-Series as a Kubernetes Service on OpenShift only secures interface
    eth0
    .
    Following are the steps to deploy CN-Series firewall on your Redhat OpenShift operator hub:
    1. Log in to the Redhat OpenShift container console.
    2. Go to
      Operators
      , and then click
      OperatorHub
      .
    3. Enter
      Palo Alto
       in the Operator search box.
    4. Click
      pan-cn-series-operator
      .
      The install window opens when you click the
      pan-cn-series-operator
       tile.
    5. Click
      Install
       to install the pan-cn-series operator on your OpenShift cluster.
      You should ensure that the pre-installation steps are completed before the next deployment steps given here.
      If your service credential file is over 10KB, you must gzip the file and then, do a base64 encoding of the compressed file before you upload or paste the contents of the file into the Panorama CLI or API.
    6. On the navigation menu, go to
      Installed Operators
      , and then click
      pan-cn-series-operator
       that you have installed.
    7. Click
      Create Instance
      .
    8. Enter a unique operand
      Name
      .
    9. Enter the
      vCPU Limit
       for DP and MP pods. For information on vCPU limits, see CN-Series Key Performance Metrics.
    10. Based on your PAN OS version, link to the appropriate images for DP, MP, and CNI in the CN-Series Container registry console.
    11. Under the
      CSP
       section, enter the CSP CN-Series
      Pin ID
       and
      Pin value
      .
    12. Under the
      Failover Mode
       section:
      1. Select the preferred
        failover mode
         option.
      2. Select
        Deployment
         as the operation mode for K8s-service deployments or the
        Daemonset
         as the operation mode for daemonset deployments
      3. Select the
        PanOS Version
        .
    13. Under the
      Panorama
       section:
      1. Enter the CN-Series Panorama
        Auth Key
        .
      2. Enter the
        collector group(Cg) Name
      3. Enter the
        Device Group
      4. Enter the
        IP Address
      5. Enter the
        Template
         name.
    14. Click
      Create
      .
    15. On the Navigation menu, go to
      pods
      .
    16. Select project
      OpenShift-operators
       and then go to
      kube-system
       to view the name and status of the CNI, management, and data plane pods that were deployed as part of the operand.
      You can check the firewall deployment status on Panorama. The
      Device State
       will change to Connected in less than five minutes after deployment.
    17. Configure the PAN-CNI plugin to work with the Multus CNI plugin.
      The Multus CNI on OpenShift functions as a
      meta-plugin
       that calls other CNI plugins. For each application you must:
      1. Run the following command to deploy the pan-cni-net-attach-def.yaml in every pod namespace:
        kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
      2. Modify the Application YAML.
        After you deploy the pan-cni-net-attach-def.yaml, in the app pod yaml add the following annotation:
        paloaltonetworks.com/firewall: pan-fw
        k8s.v1.cni.cncf.io/networks: pan-cni
        If you have other networks in the above annotation, add
        pan-cni
         after the networks that need to be inspected. The networks that follow
        pan-cni
         are not redirected and inspected.
        If your pod has multiple network interfaces, you must specify the interface names for which you want the CN-NGFW pod to inspect traffic, under the
        interfaces
         section in the
        pan-cni-configmap.yaml
         file.
        For example:
        
								template:
								    metadata:
								      annotations:
								         paloaltonetworks.com/firewall: pan-fw
								         k8s.v1.cni.cncf.io/networks: bridge-conf, macvlan-conf, sriov-conf, pan-cni

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.