Deploy the CN-Series Firewall on GKE
After you review the CN-Series Core Building Blocks and the
high-level overview of the workflow in Secure Kubernetes Workloads with CN-Series, you can
start deploying the CN-Series firewall on the GKE platform to secure
traffic between containers within the same cluster, as well as between
containers and other workload types such as virtual machines and
bare-metal servers.
You need standard Kubernetes tools such as kubectl or Helm
to deploy and manage your Kubernetes clusters, apps, and firewall
services.
For more information, see Deploy CN-Series Firewalls With (Recommended) and Without the Helm Repository. Panorama
is not designed to be an orchestrator for Kubernetes cluster deployment
and management. Templates for cluster management are provided by Managed
Kubernetes providers. Palo Alto Networks provides community-supported templates
for deploying CN-Series with Helm and Terraform.
Before moving from deploying CN-Series as a DaemonSet to
CN-Series as a Service or vice versa, you must delete and reapply
plugin-serviceaccount.yaml.
For more information, see Create Service Accounts for Cluster Authentication.
- When you deploy CN-Series as a DaemonSet on GKE, the pan-plugin-cluster-mode-secret must not exist.
- When you deploy CN-Series as a Kubernetes service on GKE, the pan-plugin-cluster-mode-secret must be present.