Deploy the CN-Series on OpenShift Operator Hub
On your OpenShift environment, deploy the CN-Series firewalls.
Prerequisites for CN-Series on Openshift Operator Hub:
You should ensure that the following prerequisites are met before deploying the CN-Series firewall on Openshift operator hub:
- License the CN-Series Firewall. CN-Series firewall licensing is managed by the Kubernetes plugin on Panorama. You should generate your authorization code and have it on hand when you are ready to deploy the CN-Series firewall. For more information see, License the CN-Series Firewall.
- Deploy Panorama— You must use Panorama to configure, deploy, and manage your CN-Series firewall deployment. For more information about deploying and setting up a Panorama appliance, see Set up Panorama.
- You should be RedHat customer with an OpenShift license and an account that has the permissions to create resources in OpenShift.
For more information, see How To Easily Deploy CN-series on RedHat Openshift Operator Hub.
Deploy the CN-Series on OpenShift Operator Hub:
The pan-cni secures traffic on the default
eth0interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure additional interfaces that are configured with a bridge-based connection to communicate with other pods or the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all the interfaces or a selected number of interfaces attached to each pod.
The pan-cni does not create a network and hence, does not need IP addresses like other CNI plugins.
PAN-OS 10.1.3 or later is required to deploy the CN-Series as a Kubernetes Service on OpenShift. Additionally, the CN-Series as a Kubernetes Service on OpenShift only secures interface
Following are the steps to deploy CN-Series firewall on your Redhat OpenShift operator hub:
- Log in to the Redhat OpenShift container console.
- Go toOperators, and then clickOperatorHub.
- EnterPalo Altoin the Operator search box.
- Clickpan-cn-series-operator.The install window opens when you click thepan-cn-series-operatortile.
- ClickInstallto install the pan-cn-series operator on your OpenShift cluster.If your service credential file is over 10KB, you must gzip the file and then, do a base64 encoding of the compressed file before you upload or paste the contents of the file into the Panorama CLI or API.
- On the navigation menu, go toInstalled Operators, and then clickpan-cn-series-operatorthat you have installed.
- ClickCreate Instance.
- Enter a unique operandName.
- Enter thevCPU Limitfor DP and MP pods. For information on vCPU limits, see CN-Series Key Performance Metrics.
- Based on your PAN OS version, link to the appropriate images for DP, MP, and CNI in the CN-Series Container registry console.
- Under theCSPsection, enter the CSP CN-SeriesPin IDandPin value.
- Under theFailover Modesection:
- Select the preferredfailover modeoption.
- SelectDeploymentas the operation mode for K8s-service deployments or theDaemonsetas the operation mode for daemonset deployments
- Select thePanOS Version.
- Under thePanoramasection:
- Enter the CN-Series PanoramaAuth Key.
- Enter thecollector group(Cg) Name
- Enter theDevice Group
- Enter theIP Address
- Enter theTemplatename.
- On the Navigation menu, go topods.
- Select projectOpenShift-operatorsand then go tokube-systemto view the name and status of the CNI, management, and data plane pods that were deployed as part of the operand.You can check the firewall deployment status on Panorama. TheDevice Statewill change to Connected in less than five minutes after deployment.
- Configure the PAN-CNI plugin to work with the Multus CNI plugin.The Multus CNI on OpenShift functions as ameta-pluginthat calls other CNI plugins. For each application you must:
- Run the following command to deploy the pan-cni-net-attach-def.yaml in every pod namespace:kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
- Modify the Application YAML.After you deploy the pan-cni-net-attach-def.yaml, in the app pod yaml add the following annotation:paloaltonetworks.com/firewall: pan-fwk8s.v1.cni.cncf.io/networks: pan-cniIf you have other networks in the above annotation, addpan-cniafter the networks that need to be inspected. The networks that followpan-cniare not redirected and inspected.If your pod has multiple network interfaces, you must specify the interface names for which you want the CN-NGFW pod to inspect traffic, under theinterfacessection in thepan-cni-configmap.yamlfile.For example:template: metadata: annotations: paloaltonetworks.com/firewall: pan-fw k8s.v1.cni.cncf.io/networks: bridge-conf, macvlan-conf, sriov-conf, pan-cni
Recommended For You
Recommended videos not found.