Create Service Accounts for Cluster Authentication
10.2
The CN-Series firewall requires three service accounts with the minimum permissions that authorize it to communicate with your Kubernetes cluster resources. The service account (pan-plugin-user) created with the plugin-serviceaccount.yaml enables the Kubernetes plugin on Panorama to authenticate with the Kubernetes cluster for retrieving metadata on the pods. The other two YAML files, pan-mgmt-serviceaccount.yaml and pan-cni-serviceaccount.yaml, create the pan-mgmt-sa and the pan-cni-sa service accounts to enable the authentication between the fault-tolerant CN-MGMT pods, and between the CN-MGMT pod and the CN-NGFW pods. By default, the YAML files create the service account and the secret in the kube-system namespace; the Kubernetes plugin will only look for the secret in the kube-system namespace.

Your Kubernetes cluster should be ready before you create the service accounts.
- Run the service account YAML for the plugin-serviceaccount.yaml. This service account enables the permissions that Panorama requires to authenticate to the GKE cluster for retrieving Kubernetes labels and resource information. This service account is named pan-plugin-user by default.
  kubectl apply -f plugin-serviceaccount.yaml
- View the secrets associated with this service account:
  kubectl -n kube-system get secrets | grep pan-plugin-user
  If you are using Kubernetes version 1.24 or above, run the following command to view the secrets associated with this service account:
  kubectl -n kube-system get secrets | grep pan-plugin-user-secret
- Create the credential file, named cred.json in this example, that includes the secrets and save this file. You need to upload this file to Panorama to set up the Kubernetes plugin for monitoring the clusters in Install the Kubernetes Plugin and Set up Panorama for CN-Series.
  kubectl -n kube-system get secrets <secrets-from-above-command> -o json >> cred.json
- Run the pan-mgmt-serviceaccount.yaml and pan-cni-serviceaccount.yaml. The pan-mgmt-serviceaccount.yaml creates a service account named pan-sa, and is required to enable the CN-MGMT and CN-NGFW Pods to communicate with each other, the PAN-CNI, and the Kubernetes API server. If you modify this service account name, you must also update the YAML files that you use to deploy the CN-MGMT and CN-NGFW Pods. The pan-cni-serviceaccount.yaml creates a service account named pan-cni-sa.
  kubectl apply -f pan-mgmt-serviceaccount.yaml
  kubectl apply -f pan-cni-serviceaccount.yaml
- Verify the service accounts.
  kubectl get serviceaccounts -n kube-system
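Before uploading cred.json to Panorama it is worth confirming that the exported secret is the one the plugin will accept: a service-account token secret in kube-system, bound to pan-plugin-user, with both token and ca.crt present. The checker below is an added example, not Palo Alto Networks code; the sample secret is constructed with placeholder values, and the duplicate-document check exists because the `>>` in the export command appends to an existing cred.json rather than replacing it.

```python
"""Sanity-check a cred.json exported with `kubectl -n kube-system get secrets <name> -o json`
before uploading it to Panorama (added example, not Palo Alto Networks code)."""
import base64
import json

EXPECTED_NAMESPACE = "kube-system"   # the Kubernetes plugin only looks for the secret here
EXPECTED_SA = "pan-plugin-user"      # default name created by plugin-serviceaccount.yaml
TOKEN_TYPE = "kubernetes.io/service-account-token"


def load_secret(text):
    """Parse the file. Appending with `>>` to an existing cred.json leaves two
    concatenated JSON documents, which kubectl never emits, so report that plainly."""
    body = text.lstrip()
    secret, end = json.JSONDecoder().raw_decode(body)
    if body[end:].strip():
        raise ValueError("cred.json contains more than one JSON document (appended with >>?)")
    return secret


def check_cred(text):
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        secret = load_secret(text)
    except ValueError as exc:          # json.JSONDecodeError is a ValueError subclass
        return [str(exc)]
    problems = []
    meta = secret.get("metadata", {})
    if secret.get("type") != TOKEN_TYPE:
        problems.append(f"type is {secret.get('type')!r}, expected {TOKEN_TYPE!r}")
    if meta.get("namespace") != EXPECTED_NAMESPACE:
        problems.append(f"namespace is {meta.get('namespace')!r}, expected {EXPECTED_NAMESPACE!r}")
    bound_sa = meta.get("annotations", {}).get("kubernetes.io/service-account.name")
    if bound_sa != EXPECTED_SA:
        problems.append(f"secret is bound to {bound_sa!r}, expected {EXPECTED_SA!r}")
    data = secret.get("data", {})
    for key in ("token", "ca.crt"):    # Panorama needs both to reach the API server
        if key not in data:
            problems.append(f"data.{key} missing")
            continue
        try:
            base64.b64decode(data[key], validate=True)
        except ValueError:             # binascii.Error is a ValueError subclass
            problems.append(f"data.{key} is not valid base64")
    return problems


# Constructed sample shaped like a 1.24+ token secret; token and CA are placeholders.
SAMPLE_CRED = json.dumps({
    "kind": "Secret", "type": TOKEN_TYPE,
    "metadata": {"name": "pan-plugin-user-secret", "namespace": "kube-system",
                 "annotations": {"kubernetes.io/service-account.name": "pan-plugin-user"}},
    "data": {"token": base64.b64encode(b"placeholder-token").decode(),
             "ca.crt": base64.b64encode(b"placeholder-ca").decode()},
})
```

Run `check_cred(open("cred.json").read())` against the real export; a non-empty list means re-export the secret before uploading it in the next section.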