Deploy CN-Series Firewalls With and Without the Helm Repository
Deploy CN-Series firewalls with Helm charts and templates.
The Helm repository contains charts and templates for
deploying the Palo Alto Networks CN-Series containerized firewall
using the Helm package manager for Kubernetes.
Prepare to Use the Helm Charts and Templates
Install the required software. These instructions
list the minimum versions, but you can install a later version in
the same family unless an upper limit is specified.
- Install a Kubernetes version between 1.16 and 1.24 and create a Kubernetes cluster.
- Deploy Panorama in a location that is accessible from the Kubernetes cluster and the CN-Series firewall you use to secure the cluster.
- Ensure that the Panorama PAN-OS version is 10.x.x or later.
- Install the Kubernetes plugin for Panorama version 1.0.x or 2.0.x.
- Install the Helm client version 3.6.0 or later.
Deploy the CN-Series Firewall Using the Repository
Use this procedure to clone the repository
and deploy from your local environment.
- Clone the repository from GitHub.
  $ git clone https://github.com/PaloAltoNetworks/cn-series-helm.git
- Change into the local directory for the cloned repository. For example:
  $ cd cn-series-helm
- Change to the subdirectory for your deployment.
  - Use the directory helm_cnv1_10_1 to deploy cnv1 10.1.x as a daemon set.
  - Use the directory helm_cnv2_10_2 to deploy cnv2 as a service.
- Edit the values.yaml file to enter your configuration information. The following values are from the helm_cnv2_10_1_2 subdirectory.

# Default values for cn-series.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Supports from PanOS version - 10.1.2

# The K8s environment
# Valid deployTo tags are: [gke|eks|aks||native]
# Openshift will be supported from 10.1.3
cluster:
  deployTo: eks

# Firewall tags
firewall:
  failoverMode: failopen
  operationMode: "k8s-service"

# Panorama tags
panorama:
  ip: "<Panorama-IP>"
  ip2:
  authKey: "<Panorama-auth-key>"
  deviceGroup: "<Panorama-device-group>"
  template: "<panorama-template-stack>"
  cgName: "<panorama-collector-group>"

# Customer Support Portal PIN information
csp:
  pinId: ""
  pinValue: ""
  alternateUrl: ""

# MP container tags
mp:
  initImage: 018147215560.dkr.ecr.us-east-1.amazonaws.com/pan_cn_mgmt_init
  initVersion: 2.0.0-pkg
  image: 018147215560.dkr.ecr.us-east-1.amazonaws.com/panos_cn_mgmt
  version: 10.1.2-c38
  cpuLimit: 4

# DP container tags
dp:
  image: 018147215560.dkr.ecr.us-east-1.amazonaws.com/panos_cn_ngfw
  version: 10.1.2-c38
  cpuLimit: 2

# CNI container tags
cni:
  image: 018147215560.dkr.ecr.us-east-1.amazonaws.com/skrish-pan-cni
  version: latest

############
# Non essential configs
############
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true,
  # a name is generated using the fullname template
  name:

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

# service:
#   type: ClusterIP
#   port: 80

# ingress:
#   enabled: false
#   annotations: {}
#     # kubernetes.io/ingress.class: nginx
#     # kubernetes.io/tls-acme: "true"
#   hosts:
#     - host: chart-example.local
#       paths: []
#   tls: []
#   #  - secretName: chart-example-tls
#   #    hosts:
#   #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a
  # conscious choice for the user. This also increases chances charts run on
  # environments with little resources, such as Minikube.
  # If you do want to specify resources, uncomment the following lines,
  # adjust them as necessary, and remove the curly braces after
  # 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

- View the rendered YAML files without installing anything.
  $ helm install --debug --generate-name helm_cnv2_10_1_2/ --dry-run
- Deploy the Helm charts, where <directory> is the subdirectory you chose above.
  $ helm install <deployment-name> <directory>
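A pre-flight check for the edited values.yaml, added here as an example and not part of the Palo Alto Networks chart or its documentation: it reads the two-level section/key layout shown above with a small constructed parser (not a general YAML parser), and flags unreplaced <...> placeholders, a cluster.deployTo value outside the tags the chart comment lists as valid, and image tags left at latest, so these are caught before the dry run rather than at pull time. The sample values text and the registry host in it are constructed.

```python
import re

PLACEHOLDER = re.compile(r"^<.*>$")               # unfilled <...> values from the shipped file
VALID_TARGETS = {"gke", "eks", "aks", "native"}  # deployTo tags the chart's comment lists as valid
VERSION_KEYS = ("mp.initVersion", "mp.version", "dp.version", "cni.version")  # image tags to pin

def parse_values(text):
    """Minimal parser for the two-level section/key layout of the chart's values.yaml
    (constructed for this check, not a general YAML parser); returns a flat dict."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments; skip blank lines
        if not line.strip():
            continue
        key, _, val = line.partition(":")
        val = val.strip().strip('"')
        if raw.startswith(" "):                 # nested key under the current section
            values[f"{section}.{key.strip()}"] = val
        else:                                   # top-level key such as "panorama:"
            section = key.strip()
            if val:
                values[section] = val
    return values

def lint_values(text):
    """Return the list of problems in a values.yaml; an empty list means ready to deploy."""
    values = parse_values(text)
    problems = [f"{k}: placeholder '{v}' has not been replaced"
                for k, v in values.items() if PLACEHOLDER.match(v)]
    target = values.get("cluster.deployTo")
    if target not in VALID_TARGETS:
        problems.append(f"cluster.deployTo: '{target}' is not one of {sorted(VALID_TARGETS)}")
    for key in VERSION_KEYS:
        if values.get(key) == "latest":         # a floating tag defeats image pinning
            problems.append(f"{key}: pin an explicit image tag instead of 'latest'")
    return problems

# Constructed sample in the chart's layout; the registry host is a placeholder, not a real one.
SAMPLE_VALUES = """\
cluster:
  deployTo: eks
panorama:
  ip: "<Panorama-IP>"
  authKey: "<Panorama-auth-key>"
cni:
  image: registry.example.invalid/skrish-pan-cni
  version: latest
"""
```

Because the edited values.yaml carries the Panorama auth key in plaintext, keep that copy out of version control and run the check on it locally before the dry run.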
Deploy the CN-Series Firewall Without the Repository
To deploy without cloning the repository, add
the repository to your Helm client.
- Add the CN-Series repository to your local Helm client. Enter this command on a single line:
  $ helm repo add cn-series https://paloaltonetworks.github.io/cn-series-helm
  "cn-series" has been added to your repositories
- Confirm the repository has been added to your Helm client.
  $ helm search repo cn-series
- Select the Kubernetes cluster by switching to its kubeconfig context.
  $ kubectl config use-context <context-name>
- Deploy using the Helm chart repository. Edit the following command to include your configuration information; with Helm 3 the release name is the first argument to helm install.
  $ helm install <deployment-name> cn-series/cn-series \
      --set cluster.deployTo="gke|eks|aks|openshift" \
      --set panorama.ip="panorama hostname or ip" \
      --set panorama.ip2="panorama2 hostname or ip" \
      --set-string panorama.authKey="vm auth key" \
      --set panorama.deviceGroup="device group" \
      --set panorama.template="template stack" \
      --set panorama.cgName="collector group" \
      --set cni.image="container repo" \
      --set cni.version="container version" \
      --set mp.initImage="container repo" \
      --set mp.initVersion="container version" \
      --set mp.image="container repo" \
      --set mp.version="container version" \
      --set mp.cpuLimit="cpu max" \
      --set dp.image="container repo" \
      --set dp.version="container version" \
      --set dp.cpuLimit="cpu max"