Deploy the CN-Series on OpenShift Operator Hub

On your OpenShift environment, deploy the CN-Series firewalls.
The CN-Series Container firewall is now available on RedHat Openshift platform Operator Hub. You can deploy, configure, and operate CN-Series container firewalls directly from RedHat Operator Hub.
Prerequisites for CN-Series on Openshift Operator Hub:
You should ensure that the following prerequisites are met before deploying the CN-Series firewall on Openshift operator hub:
Deploy the CN-Series on OpenShift Operator Hub:
The pan-cni secures traffic on the default
interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure additional interfaces that are configured with a bridge-based connection to communicate with other pods or the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all the interfaces or a selected number of interfaces attached to each pod.
The pan-cni does not create a network and hence, does not need IP addresses like other CNI plugins.
PAN-OS 10.1.3 or later is required to deploy the CN-Series as a Kubernetes Service on OpenShift. Additionally, the CN-Series as a Kubernetes Service on OpenShift only secures interface
Following are the steps to deploy CN-Series firewall on your Redhat OpenShift operator hub:
  1. Log in to the Redhat OpenShift container console.
  2. Go to
    , and then click
  3. Enter
    Palo Alto
    in the Operator search box.
  4. Click
    The install window opens when you click the
  5. Click
    to install the pan-cn-series operator on your OpenShift cluster.
    You should ensure that the pre-installation steps are completed before the next deployment steps given here.
    If your service credential file is over 10KB, you must gzip the file and then, do a base64 encoding of the compressed file before you upload or paste the contents of the file into the Panorama CLI or API.
  6. On the navigation menu, go to
    Installed Operators
    , and then click
    that you have installed.
  7. Click
    Create Instance
  8. Enter a unique operand
  9. Enter the
    vCPU Limit
    for DP and MP pods. For information on vCPU limits, see CN-Series Key Performance Metrics.
  10. Based on your PAN OS version, link to the appropriate images for DP, MP, and CNI in the CN-Series Container registry console.
  11. Under the
    section, enter the CSP CN-Series
    Pin ID
    Pin value
  12. Under the
    Failover Mode
    1. Select the preferred
      failover mode
    2. Select
      as the operation mode for K8s-service deployments or the
      as the operation mode for daemonset deployments
    3. Select the
      PanOS Version
  13. Under the
    1. Enter the CN-Series Panorama
      Auth Key
    2. Enter the
      collector group(Cg) Name
    3. Enter the
      Device Group
    4. Enter the
      IP Address
    5. Enter the
  14. Click
  15. On the Navigation menu, go to
  16. Select project
    and then go to
    to view the name and status of the CNI, management, and data plane pods that were deployed as part of the operand.
    You can check the firewall deployment status on Panorama. The
    Device State
    will change to Connected in less than five minutes after deployment.
  17. Configure the PAN-CNI plugin to work with the Multus CNI plugin.
    The Multus CNI on OpenShift functions as a
    that calls other CNI plugins. For each application you must:
    1. Run the following command to deploy the pan-cni-net-attach-def.yaml in every pod namespace:
      kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
    2. Modify the Application YAML.
      After you deploy the pan-cni-net-attach-def.yaml, in the app pod yaml add the following annotation: pan-fw pan-cni
      If you have other networks in the above annotation, add
      after the networks that need to be inspected. The networks that follow
      are not redirected and inspected.
      If your pod has multiple network interfaces, you must specify the interface names for which you want the CN-NGFW pod to inspect traffic, under the
      section in the
      For example:
      template: metadata: annotations: pan-fw bridge-conf, macvlan-conf, sriov-conf, pan-cni

Recommended For You