Deploy the CN-Series on OpenShift
On your OpenShift environment, deploy the CN-Series firewalls.
Where Can I Use This?
  • CN-Series deployment on OpenShift environment
What Do I Need?
  • CN-Series 10.1.x or above Container Images
  • Panorama running PAN-OS 10.1.x or above version
The pan-cni secures traffic on the default "eth0" interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure additional interfaces that are configured with a bridge-based connection to communicate with other pods or the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all the interfaces or a selected number of interfaces attached to each pod.
The pan-cni doesn't create any network and hence doesn't need IP addresses like other CNI plugins.
PAN-OS 10.1.3 or later is required to deploy the CN-Series as Kubernetes Service on OpenShift. Additionally, the CN-Series as a Kubernetes Service on OpenShift only secures interface eth0.
  1. Deploy your cluster.
    Refer to the cloud platform vendor’s documentation and verify that the OpenShift versions and CNI are supported for the CN-Series. Review Get the image file for CN-Series Firewall and Editable parameters in CN-Series yaml files.
  2. Use the workflow included in Secure Kubernetes workloads with CN-Series.
    You must create the service credentials and deploy the firewall YAMLs.
    Note: If your service credential file is over 10KB, you must gzip the file and then do a base64 encoding of the compressed file before you upload or paste the contents of the file into the Panorama CLI or API.
  3. Configure the PAN-CNI plugin to work with the Multus CNI plugin.
    The Multus CNI on OpenShift functions as a "meta-plugin" that calls other CNI plugins. For each application you must:
    1. Deploy the PAN-CNI NetworkAttachmentDefinition in every pod namespace.
      kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
    2. Modify the Application YAML.
      After you deploy the pan-cni-net-attach-def.yaml, add the following annotations to the app pod YAML:
      paloaltonetworks.com/firewall: pan-fw
      k8s.v1.cni.cncf.io/networks: pan-cni
      If you have other networks in the above annotation, add pan-cni after the networks that need to be inspected. Networks listed after pan-cni are not redirected to the CN-NGFW and are not inspected.
      If your pod has multiple network interfaces, you must specify the interface names for which you want the CN-NGFW pod to inspect traffic, under “interfaces” in the pan-cni-configmap.yaml.
      For example:
        template:
          metadata:
            annotations:
              paloaltonetworks.com/firewall: pan-fw
              k8s.v1.cni.cncf.io/networks: bridge-conf, macvlan-conf, sriov-conf, pan-cni
    CN-Series now supports the OVN-Kubernetes Container Network Interface (CNI) plug-in on Red Hat OpenShift version 4.13 and above, in both the Kubernetes Service deployment mode and the DaemonSet mode.
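As an added example (not from the Palo Alto Networks documentation or the pan-cni project), the following Python script applies the annotation rules above to a pod template's annotations: it checks that the pan-fw annotation is set and that pan-cni is attached, then reports which listed networks precede pan-cni (redirected to the CN-NGFW) and which follow it (not inspected). The sample annotations are constructed, and the function names are the script's own.

```python
"""Audit a pod's Multus/pan-cni annotations (added, constructed example)."""

FIREWALL_ANNOTATION = "paloaltonetworks.com/firewall"
NETWORKS_ANNOTATION = "k8s.v1.cni.cncf.io/networks"
PAN_CNI = "pan-cni"


def parse_networks(value):
    """Split the Multus networks annotation into an ordered list of bare names.
    Multus also accepts '<namespace>/<name>' and '<name>@<ifname>'; both
    decorations are dropped so 'pan-cni' is matched reliably."""
    names = []
    for item in value.split(","):
        item = item.strip()
        if item:
            names.append(item.split("/")[-1].split("@")[0])
    return names


def audit_pan_cni(annotations):
    """Report what the CN-NGFW will inspect for a pod with these annotations.
    Rules from the guide: the pod carries paloaltonetworks.com/firewall: pan-fw,
    pan-cni is attached (it always secures the default eth0), and only the
    networks listed before pan-cni are redirected for inspection."""
    findings = []
    if annotations.get(FIREWALL_ANNOTATION) != "pan-fw":
        findings.append("missing or wrong %s annotation" % FIREWALL_ANNOTATION)
    networks = parse_networks(annotations.get(NETWORKS_ANNOTATION, ""))
    if PAN_CNI not in networks:
        findings.append("pan-cni not attached: no traffic redirected to CN-NGFW")
        return {"ok": False, "inspected": [], "uninspected": networks,
                "findings": findings}
    idx = networks.index(PAN_CNI)
    inspected = ["eth0"] + networks[:idx]     # default interface plus earlier nets
    uninspected = networks[idx + 1:]          # anything after pan-cni is skipped
    if uninspected:
        findings.append("not inspected (listed after pan-cni): " + ", ".join(uninspected))
    return {"ok": not findings, "inspected": inspected,
            "uninspected": uninspected, "findings": findings}


# Constructed samples: the guide's multi-homed pod, a pod that lists a network
# after pan-cni, and a pod that omits the firewall annotation.
SAMPLES = {
    "good": {FIREWALL_ANNOTATION: "pan-fw",
             NETWORKS_ANNOTATION: "bridge-conf, macvlan-conf, sriov-conf, pan-cni"},
    "trailing": {FIREWALL_ANNOTATION: "pan-fw",
                 NETWORKS_ANNOTATION: "bridge-conf, pan-cni, sriov-conf"},
    "no-fw": {NETWORKS_ANNOTATION: "pan-cni"},
}
```

Run audit_pan_cni over each entry of SAMPLES (or over annotations pulled from a live pod spec) to see which attached networks the firewall will actually inspect.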