Deploy the CN-Series on OpenShift Operator Hub

On your OpenShift environment, deploy the CN-Series firewalls.
The CN-Series container firewall is now available on the Red Hat OpenShift OperatorHub. You can deploy, configure, and operate CN-Series container firewalls directly from the OperatorHub.
Prerequisites for CN-Series on OpenShift OperatorHub:
Ensure that the following prerequisites are met before deploying the CN-Series firewall from the OpenShift OperatorHub:
Deploy the CN-Series on OpenShift Operator Hub:
The pan-cni secures traffic on the default eth0 interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure additional interfaces that use a bridge-based connection to communicate with other pods or the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all interfaces or from a selected subset of the interfaces attached to each pod.
The pan-cni does not create a network and therefore, unlike other CNI plugins, does not need IP addresses.
PAN-OS 10.1.3 or later is required to deploy the CN-Series as a Kubernetes Service on OpenShift. Additionally, the CN-Series as a Kubernetes Service on OpenShift secures only interface eth0.
Following are the steps to deploy the CN-Series firewall from your Red Hat OpenShift OperatorHub:
  1. Log in to the Red Hat OpenShift container console.
  2. Go to Operators, and then click OperatorHub.
  3. Enter Palo Alto in the Operator search box.
  4. Click pan-cn-series-operator.
     The install window opens when you click the pan-cn-series-operator tile.
  5. Click Install to install the pan-cn-series operator on your OpenShift cluster.
     Ensure that the pre-installation steps are completed before you continue with the deployment steps given here.
     If your service credential file is over 10KB, you must gzip the file and then base64-encode the compressed file before you upload or paste its contents into the Panorama CLI or API.
  6. On the navigation menu, go to Installed Operators, and then click the pan-cn-series-operator that you installed.
  7. Click Create Instance.
  8. Enter a unique operand Name.
  9. Enter the vCPU Limit for the DP and MP pods. For information on vCPU limits, see CN-Series Key Performance Metrics.
  10. Based on your PAN-OS version, link to the appropriate images for DP, MP, and CNI in the CN-Series container registry console.
  11. Under the CSP section, enter the CSP CN-Series Pin ID and Pin value.
  12. Under the Failover Mode section:
     1. Select the preferred failover mode option.
     2. Select Deployment as the operation mode for K8s-service deployments, or Daemonset as the operation mode for daemonset deployments.
     3. Select the PanOS Version.
  13. Under the Panorama section:
     1. Enter the CN-Series Panorama Auth Key.
     2. Enter the collector group (CG) Name.
     3. Enter the Device Group.
     4. Enter the IP Address.
     5. Enter the Template name.
  14. Click Create.
  15. On the navigation menu, go to Pods.
  16. Select the project openshift-operators, and then go to kube-system to view the name and status of the CNI, management, and data plane pods that were deployed as part of the operand.
     You can check the firewall deployment status on Panorama. The Device State changes to Connected in less than five minutes after deployment.
  17. Configure the PAN-CNI plugin to work with the Multus CNI plugin.
     The Multus CNI on OpenShift functions as a meta-plugin that calls other CNI plugins. For each application you must:
     1. Run the following command to deploy pan-cni-net-attach-def.yaml in every pod namespace:
        kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
     2. Modify the application YAML.
        After you deploy pan-cni-net-attach-def.yaml, add the following annotations to the app pod YAML:
        paloaltonetworks.com/firewall: pan-fw
        k8s.v1.cni.cncf.io/networks: pan-cni
        If you have other networks in the networks annotation, add pan-cni after the networks that need to be inspected. The networks that follow pan-cni are not redirected and are not inspected.
        If your pod has multiple network interfaces, you must specify the interface names for which you want the CN-NGFW pod to inspect traffic under the interfaces section in the pan-cni-configmap.yaml file.
        For example:
        template:
          metadata:
            annotations:
              paloaltonetworks.com/firewall: pan-fw
              k8s.v1.cni.cncf.io/networks: bridge-conf, macvlan-conf, sriov-conf, pan-cni
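The note in step 5 requires a service credential file larger than 10KB to be gzipped and then base64-encoded before it is pasted into the Panorama CLI or API. The following helper, an added example that is not part of Palo Alto Networks' documentation or tooling, applies that rule and lets you verify the round trip locally before pasting. It assumes 10KB means 10 * 1024 bytes (the page does not say), and the sample credential it builds is a constructed placeholder, not a real service account file.

```python
from __future__ import annotations

import base64
import gzip
from typing import Tuple

# Threshold from the page: files over 10KB must be gzipped before base64 encoding.
# Assumption: 10KB is taken as 10 * 1024 bytes.
SIZE_THRESHOLD_BYTES = 10 * 1024


def encode_credential(data: bytes) -> Tuple[str, bool]:
    """Return (text_to_paste, was_compressed).

    Files at or under the threshold are pasted as their UTF-8 text; larger
    files are gzip-compressed and then base64-encoded, as the page requires.
    The result is single-line ASCII, so it is safe to paste into a CLI.
    """
    if len(data) <= SIZE_THRESHOLD_BYTES:
        return data.decode("utf-8"), False
    compressed = gzip.compress(data, compresslevel=9)
    return base64.b64encode(compressed).decode("ascii"), True


def decode_credential(text: str, was_compressed: bool) -> bytes:
    """Reverse encode_credential so you can confirm the pasted text is intact."""
    if not was_compressed:
        return text.encode("utf-8")
    # validate=True rejects stray characters (e.g. line breaks) instead of silently dropping them.
    return gzip.decompress(base64.b64decode(text, validate=True))


def build_sample_credential(size: int) -> bytes:
    """Constructed sample: a JSON-like blob padded to the requested size (not a real credential)."""
    header = b'{"type": "service_account", "project_id": "example-project", "padding": "'
    trailer = b'"}'
    pad_len = max(0, size - len(header) - len(trailer))
    return header + b"x" * pad_len + trailer


if __name__ == "__main__":
    sample = build_sample_credential(40 * 1024)
    text, compressed = encode_credential(sample)
    assert decode_credential(text, compressed) == sample
    print(f"{len(sample)} bytes -> {len(text)} chars, compressed={compressed}")
```

Keeping the encoded output on one line matters: a base64 string with embedded newlines may be truncated or rejected when pasted, which is why the decoder above validates the input. On GNU coreutils the equivalent shell pipeline is `gzip -c file | base64 -w 0`.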
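Because only the networks listed before pan-cni in the k8s.v1.cni.cncf.io/networks annotation are redirected to the CN-NGFW pod, a misordered annotation silently leaves an interface uninspected. The following checker, an added example and not part of the Palo Alto Networks operator or documentation, applies the ordering rule from step 17 to a pod's annotations and reports which networks will and will not be inspected, plus any missing annotation. It goes slightly beyond the page by also accepting the other Multus spellings of the annotation (a JSON list, `namespace/name`, and `name@ifname`), which is an assumption about your manifests; the sample annotations are constructed.

```python
from __future__ import annotations

import json
from typing import Dict, List

FIREWALL_ANNOTATION = "paloaltonetworks.com/firewall"
NETWORKS_ANNOTATION = "k8s.v1.cni.cncf.io/networks"
PAN_CNI = "pan-cni"


def parse_networks(value: str) -> List[str]:
    """Return the ordered network names from a Multus networks annotation.

    Handles the comma-separated form shown on the page and, as an assumption
    about other manifests, the JSON-list form and the '<namespace>/<name>'
    and '<name>@<ifname>' suffixes Multus accepts. Only the bare name is kept.
    """
    value = value.strip()
    if not value:
        return []
    if value.startswith("["):
        return [entry["name"] for entry in json.loads(value)]
    names = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        item = item.split("@", 1)[0]      # drop requested interface name
        item = item.rsplit("/", 1)[-1]    # drop namespace prefix
        names.append(item)
    return names


def inspection_plan(annotations: Dict[str, str]) -> Dict[str, list]:
    """Apply the page's rule: networks before pan-cni are inspected, those after it are not."""
    problems: List[str] = []
    if annotations.get(FIREWALL_ANNOTATION) != "pan-fw":
        problems.append(f"missing or wrong annotation {FIREWALL_ANNOTATION}: pan-fw")
    networks = parse_networks(annotations.get(NETWORKS_ANNOTATION, ""))
    if PAN_CNI not in networks:
        problems.append(f"{PAN_CNI} is not listed in {NETWORKS_ANNOTATION}")
        inspected, not_inspected = [], list(networks)
    else:
        idx = networks.index(PAN_CNI)
        inspected = networks[:idx]
        not_inspected = networks[idx + 1:]
    return {"inspected": inspected, "not_inspected": not_inspected, "problems": problems}


# Constructed sample annotations: the first mirrors the page's example, the
# second shows a misordered list where sriov-conf would escape inspection.
SAMPLE_ANNOTATIONS = [
    {FIREWALL_ANNOTATION: "pan-fw",
     NETWORKS_ANNOTATION: "bridge-conf, macvlan-conf, sriov-conf, pan-cni"},
    {FIREWALL_ANNOTATION: "pan-fw",
     NETWORKS_ANNOTATION: "bridge-conf, pan-cni, sriov-conf"},
]

if __name__ == "__main__":
    for ann in SAMPLE_ANNOTATIONS:
        plan = inspection_plan(ann)
        print(ann[NETWORKS_ANNOTATION], "->", plan)
```

Run this against the annotations of each application pod spec before deployment; an empty problems list and an empty not_inspected list mean every additional network is redirected through the firewall. Interfaces that do appear in not_inspected must still be listed under the interfaces section of pan-cni-configmap.yaml if you intend them to be inspected, which this checker does not read.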
