Deploy the CN-Series on OpenShift
On your OpenShift environment, deploy the CN-Series firewalls.
The pan-cni secures traffic on the default "eth0" interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure additional interfaces that are configured with a bridge-based connection to communicate with other pods or the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all the interfaces or a selected number of interfaces attached to each pod.

The pan-cni doesn't create any network and hence doesn't need IP addresses like other CNI plugins.

PAN-OS 10.1.3 or later is required to deploy the CN-Series as a Kubernetes Service on OpenShift. Additionally, the CN-Series as a Kubernetes Service on OpenShift only secures interface eth0.

- Deploy your cluster.
  Refer to the cloud platform vendor’s documentation and verify that the OpenShift versions and CNI are supported for the CN-Series. Review the following:
  - Use the workflow included in Secure Kubernetes Workloads with CN-Series. You must create the service credentials and deploy the firewall YAMLs.
    Note: If your service credential file is over 10KB, you must gzip the file and then base64-encode the compressed file before you upload or paste the contents of the file into the Panorama CLI or API.
  - Configure the PAN-CNI plugin to work with the Multus CNI plugin. The Multus CNI on OpenShift functions as a "meta-plugin" that calls other CNI plugins. For each application you must:
    - Deploy the PAN-CNI NetworkAttachmentDefinition in every pod namespace:
      ```
      kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
      ```
    - Modify the application YAML. After you deploy pan-cni-net-attach-def.yaml, add the following annotations to the app pod YAML:
      ```yaml
      paloaltonetworks.com/firewall: pan-fw
      k8s.v1.cni.cncf.io/networks: pan-cni
      ```
      If you have other networks in the above annotation, add pan-cni after the networks that need to be inspected. The networks that follow pan-cni are not redirected and inspected. If your pod has multiple network interfaces, you must specify the interface names for which you want the CN-NGFW pod to inspect traffic, under "interfaces" in the pan-cni-configmap.yaml. For example:
      ```yaml
      template:
        metadata:
          annotations:
            paloaltonetworks.com/firewall: pan-fw
            k8s.v1.cni.cncf.io/networks: bridge-conf, macvlan-conf, sriov-conf, pan-cni
      ```
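Because the position of pan-cni in the networks annotation decides which secondary networks are redirected to the CN-NGFW pod, it is worth auditing pod manifests for that ordering before rollout. The following is an added example, not Palo Alto Networks code: it takes a pod template's annotations (constructed here as a Python dict), applies the ordering rule from this page, and reports which networks will be inspected and which bypass the firewall. It also accepts Multus's JSON list form of the networks annotation, which the page does not show.

```python
import json

FIREWALL_KEY = "paloaltonetworks.com/firewall"
NETWORKS_KEY = "k8s.v1.cni.cncf.io/networks"
PAN_CNI = "pan-cni"


def parse_networks(value):
    """Return the network names from a Multus networks annotation.

    Accepts the comma-separated form shown on this page and Multus's
    JSON list form ([{"name": "..."}, ...]).
    """
    value = (value or "").strip()
    if not value:
        return []
    if value.startswith("["):
        return [entry["name"] for entry in json.loads(value)]
    return [name.strip() for name in value.split(",") if name.strip()]


def audit_pod_annotations(annotations):
    """Classify a pod's networks as inspected or bypassing the CN-NGFW.

    Rule from the page: networks listed before "pan-cni" are redirected
    to the firewall; networks listed after it are not. Without "pan-cni"
    in the list, no secondary network is redirected at all.
    """
    networks = parse_networks(annotations.get(NETWORKS_KEY))
    findings = []
    if annotations.get(FIREWALL_KEY) != "pan-fw":
        findings.append(f"missing or wrong {FIREWALL_KEY} annotation")
    if PAN_CNI in networks:
        idx = networks.index(PAN_CNI)
        inspected, bypassed = networks[:idx], networks[idx + 1:]
    else:
        findings.append("pan-cni absent from networks; secondary interfaces bypass the firewall")
        inspected, bypassed = [], networks
    if bypassed:
        findings.append("networks listed after pan-cni are not inspected: " + ", ".join(bypassed))
    return {"inspected": inspected, "bypassed": bypassed, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: the page's example, then a misordered variant.
    for ann in (
        {FIREWALL_KEY: "pan-fw", NETWORKS_KEY: "bridge-conf, macvlan-conf, sriov-conf, pan-cni"},
        {FIREWALL_KEY: "pan-fw", NETWORKS_KEY: "bridge-conf, pan-cni, sriov-conf"},
    ):
        print(audit_pod_annotations(ann))
```

In a real cluster the annotations dict would come from the pod template returned by kubectl, for example via `kubectl get deploy <name> -o json`.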