1. Home
    2. CN-Series
    3. Version 11.0
    4. CN-Series Deployment Guide
    5. Secure Kubernetes Workloads with CN-Series
    6. Deploy the CN-Series Firewalls
    7. Deploy the CN-Series Firewall as a Kubernetes CNF

    Deploy the CN-Series Firewall as a Kubernetes CNF

    You can now deploy the CN-Series as a Container Network Function (CNF) in your Kubernetes environment.
    CN-Series-as-a-daemonset and CN-Series-as-a-kubernetes-service deployment mode provide an automated security deployment and leverage the auto-scaling capabilities of Kubernetes. However, these deployment modes have limited insertion options and don’t support I/O acceleration. In addition, they limit the achievable throughput for the application pods that require inspection and use multiple network interfaces.
    Deploying the CN-series-as-a-kubernetes-CNF resolves these challenges for traffic that uses Service Function Chaining (SFC) through external entities such as cloud provider's native routing, vRouters, and Top of Rack (TOR) switches. The CN-series-as-a-kubernetes-CNF mode of deployment does not impact the application pods.
    Complete the following procedure to deploy the CN-Series-as-a-kubernetes-CNF.
    Before you begin, ensure the CN-Series YAML file version is compatible with the PAN-OS version:
    PAN-OS 10.2.0 or later requires YAML 3.0.0
    1. Set up your Kubernetes cluster. For more information, see Creating an Amazon EKS cluster and Multiple network interfaces for pods.
      To create a cluster in AWS EKS, do the following:
      1. Click the
        Services
         navigation menu, go to
        Containers
        ->
        Elastic Kubernetes Service
        .
      2. Click
        Create Cluster
        .
      3. Fill in the required details, and then click
        Create
        .
      1. Verify that the cluster has adequate resources. Make sure that cluster has the CN-Series Prerequisites resources to support the firewall:
        kubectl get nodes
        kubectl describe node <node-name>
        View the information under the Capacity heading in the command output to see the CPU and memory available on the specified node.
        The CPU, memory and disk storage allocation will depend on your needs. See CN-Series Performance and Scaling.
        Ensure that you have the following information:
        • Collect the Endpoint IP address for setting up the API server on Panorama. Panorama uses this IP address to connect to your Kubernetes cluster.
        • Collect the template stack name, device group name, Panorama IP address, and optionally the Log Collector Group Name from Panorama.
        • The location of the container image repository to which you downloaded the images.
    2. (
      optional
      ) If you configured a custom certificate in the Kubernetes plugin for Panorama, you must create the cert secret by executing the following command. Do not change the file name from ca.crt. The volume for custom certificates in pan-cn-mgmt-0.yaml, pan-cn-mgmt-1.yaml, pan-cn-ngfw-0.yaml, and pan-cn-ngfw.yaml-1 is optional.
      kubectl -n kube-system create secret generic custom-ca --from-file=ca.crt
    3. Edit the YAML files to provide the details required to deploy the CN-Series firewalls.
      You should replace the image path in the YAML files to include the path to your private registry and provide the required parameters. See Editable Parameters in CN-Series Deployment YAML Files for details.
      CN-Series-as-a-kubernetes-CNF in HA supports only active/passive HA with session and configuration synchronization.
      When you deploy the CN-Series-as-a-kubernetes-CNF in HA, there will be two PAN-CN-MGMT-CONFIGMAP, PAN-CN-MGMT, and PAN-CN-NGFW YAML files each for active and passive nodes as following:
      • pan-cn-mgmt-0.yaml
      • pan-cn-mgmt-1.yaml
      • pan-cn-mgmt-configmap-0.yaml
      • pan-cn-mgmt-configmap-1.yaml
      • pan-cn-ngfw-configmap-0.yaml
      • pan-cn-ngfw-configmap-1.yaml
      The following default values are defined in the pan-cn-mgmt-configmap-0.yaml and pan-cn-mgmt-configmap-1.yaml files.
      pan-cn-mgmt-configmap-0.yaml:
      metadata:
      name: pan-mgmt-config
      namespace: kube-system
      data:    
      PAN_SERVICE_NAME: pan-mgmt-svc-0  
      PAN_MGMT_SECRET: pan-mgmt-secret
      pan-cn-mgmt-configmap-1.yaml:
      metadata:
      name: pan-mgmt-config
      namespace: kube-system
      data:    
      PAN_SERVICE_NAME: pan-mgmt-svc-1 
      PAN_MGMT_SECRET: pan-mgmt-secret
      You can add the numa option for CPU pinning. Add the single numa node number for
      PAN_NUMA_ENABLED
       parameter in the pan-cn-ngfw-configmap-0.yaml and pan-cn-ngfw-configmap-1.yaml files.
      To successfully deploy the CN-Series-as-a-kubernetes-CNF in HA with layer 3 support:
      • In HA, each Kubernetes node should have at least three interfaces: Management (default), HA2, and data interface.
      • For CN-Series firewall in L3 mode, there should be at least two interfaces: Management (default) and data interface.
      • Modify the new Network Attachment definition YAML files with the following changes:
        • On the workernode, retrieve the
          pciBusID
           value from the hypervisor interface by running the following command:
          lspci | grep -i ether
          For example:
          00:05.0 Ethernet controller: Amazon.com, Inc. Elastic Network Adapter (ENA)
          00:06.0 Ethernet controller: Amazon.com, Inc. Elastic Network Adapter (ENA)
          00:07.0 Ethernet controller: Amazon.com, Inc. Elastic Network Adapter (ENA)
          00:08.0 Ethernet controller: Amazon.com, Inc. Elastic Network Adapter (ENA)
          00:09.0 Ethernet controller: Amazon.com, Inc. Elastic Network Adapter (ENA)
          00:0a.0 Ethernet controller: Amazon.com, Inc. Elastic Network Adapter (ENA)
          00:0b.0 Ethernet controller: Amazon.com, Inc. Elastic Network Adapter (ENA)
          00:0c.0 Ethernet controller: Amazon.com, Inc. Elastic Network Adapter (ENA)
          The PCI ordering is same as ordering of the eth interfaces as shown on AWS EC2 UI
          Add the above retrieved
          pciBusID
           value to the following Network definition files:
          net-attach-def-1.yaml
          net-attach-def-2.yaml
          net-attach-def-3.yaml
          net-attach-def-ha2-0.yaml
          net-attach-def-ha2-1.yaml
        • Retrieve the static IP address of the HA2 interface from the corresponding node instance on the AWS console and add it to the
          address
           parameter of
          net-attach-def-ha2-0.yaml
           and
          net-attach-def-ha2-1.yaml
           file.
    4. Deploy the CN-MGMT StatefulSet.
      By default, the management plane is deployed as a StatefulSet that provides fault tolerance. Only one firewall CN-NGFW pod can connect to a CN-MGMT StatefulSet.
      1. (
        Required for statically provisioned PVs only
        ) Deploy the Persistent Volumes (PVs) for the CN-MGMT StatefulSet.
        1. Create the directories to match the local volume names defined in the pan-cn-pv-local.yaml.
          You need six (6) directories on at least 2 worker nodes. Log in to each worker node on which the CN-MGMT StatefulSet will be deployed to create the directories. For example, to create directories named /mnt/pan-local1 to /mnt/pan-local6, use the command: 
          mkdir -p /mnt/pan-local1 /mnt/pan-local2 /mnt/pan-local3 /mnt/pan-local4 /mnt/pan-local5 /mnt/pan-local6
        2. Modify pan-cn-pv-local.yaml.
          Match the hostname under
          nodeaffinity
          , and verify that you have modified the directories you created above in
          spec.local.path
           and then, deploy the file to create a new storageclass pan-local-storage and local PVs.
      2. Verify that you have modified the pan-cn-mgmt-configmap and pan-cn-mgmt YAML files.
      3. Use Kubectl to run the yaml files.
        kubectl apply -f pan-cn-mgmt-configmap-0.yaml
        kubectl apply -f pan-cn-mgmt-configmap-1.yaml
        kubectl apply -f pan-cn-mgmt-secret.yaml
        kubectl apply -f pan-cn-mgmt-0.yaml
        kubectl apply -f pan-cn-mgmt-1.yaml
        You must run the pan-mgmt-serviceaccount.yaml, only if you had not previously completed the Create Service Accounts for Cluster Authentication.
      4. Verify that the CN-MGMT pods are up.
        It takes about 5-6 minutes.
        Use
        kubectl get pods -l app=pan-mgmt -n kube-system
        NAME READY STATUS RESTARTS AGEpan-mgmt-sts-0 1/1 Running 0 27hpan-mgmt-sts-1 1/1 Running 0 27h
    5. Deploy the CN-NGFW in k8s-CNF mode.
      1. Verify that you have modified the YAML files as detailed in Step 3.
        containers: - name: pan-ngfw-container image: <your-private-registry-image-path>
        You should ensure that the multus daemonset is installed and the network attachment definition files are created. The parameter value for
        PAN_SERVICE_NAME
         in pan-cn-ngfw-configmap-0.yaml and pan-cn-ngfw-configmap-1.yaml file should match the
        Service Name
         parameter value in pan-cn-mgmt-0.yaml and pan-cn-mgmt-1.yaml file respectively.
        For HA support, it is recommended to deploy DP pods on different worker nodes. You can ensure this from the
        yaml nodeSelector
         field or by turning on pod anti-affinity.
        To enable the HA support, you should ensure that the
        PAN_HA_SUPPORT
         parameter value is
        true
         in the following YAML files:
        pan-cn-mgmt-configmap-0.yaml
        pan-cn-mgmt-configmap-1.yaml
        For data interfaces for DP pods, the CNIs and interface resources should be added to DP YAML files as required. For example:
        k8s.v1.cni.cncf.io/networks: net-attach-1,net-attach-2,net-attach-3
        To enable the DPDK support, you should ensure that the
        PAN_DATA_MODE
         parameter value is
        dpdk
         in pan-cn-ngfw-configmap-0.yaml and pan-cn-ngfw-configmap-1.yaml file.
        Also, the
        HUGEPAGE_MEMORY_REQUEST
         parameter value should match the hugepage memory request in pan-cn-ngfw-0.yaml and pan-cn-ngfw-1.yaml file.
        For more information, see Configure DPDK on CN-Series Firewall.
      2. Use Kubectl apply to run the pan-cn-ngfw-configmap-0.yaml and pan-cn-ngfw-configmap-1.yaml.
        kubectl apply -f pan-cn-ngfw-configmap-0.yaml
        kubectl apply -f pan-cn-ngfw-configmap-1.yaml
      3. Use Kubectl apply to run the pan-cn-ngfw-0.yaml and pan-cn-ngfw-1.yaml.
        kubectl apply -f pan-cn-ngfw-0.yaml
        kubectl apply -f pan-cn-ngfw-1.yaml
      4. Verify that the CN-NGFW Pods are running.
        kubectl get pods -n kube-system -l app=pan-ngfw -o wide
    6. Deploy the CN-NGFW pods. Do the following:
      1. Verify that you have modified the YAML files as detailed in PAN-CN-NGFW-CONFIGMAP-0, PAN-CN-NGFW-CONFIGMAP-1, PAN-CN-NGFW-0, and PAN-CN-NGFW-1.
        containers: - name: pan-ngfw-container image: <your-private-registry-image-path>
      2. Use Kubectl apply to run the pan-cn-ngfw-configmap.yaml.
        kubectl apply -f pan-cn-ngfw-configmap.yaml
      3. Use Kubectl apply to run the pan-cn-ngfw.yaml.
        kubectl apply -f pan-cn-ngfw.yaml
      4. Verify that the CN-NGFW Pods are running.
        kubectl get pods -n kube-system -l app=pan-ngfw -o wide
    7. Verify that you can see CN-MGMT and CN-NGFW on the Kubernetes cluster. Run the following command:
      kubectl -n kube-system get pods

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo