Deploy the CN-Series Firewall as a Kubernetes Service on OKE
Complete the following procedure to deploy the CN-Series firewall as a Kubernetes Service on the OKE platform:
Oracle Linux 8.5 is the only qualified OS for deploying the CN-Series firewall on OKE.
- Set up your Kubernetes cluster. To create a cluster in OKE, do the following:
- Log in to the Oracle Cloud Infrastructure console.
- Click the navigation menu. Under Solutions and Platform, click Developer Services.
- Click Kubernetes Clusters.
- Select a compartment and click Create Cluster.
- In the Create Cluster dialog box, click Custom Create and then click Launch Workflow.
- On the Create Cluster page, enter the cluster Name and the other details.
- Click Next to review the details you entered for the new cluster.
- On the Review page, click Create Cluster.
- Ensure that the cluster has the resources listed in CN-Series Prerequisites to support the firewall:
kubectl get nodes
kubectl describe node <node-name>
View the information under the Capacity heading in the command output to see the CPU and memory available on the specified node. The CPU, memory and disk storage allocation depends on your needs; see CN-Series Performance and Scaling. Ensure you have the following information:
- Collect the API server endpoint IP address of the cluster; you need it when you set up the cluster on Panorama. Panorama uses this IP address to connect to your Kubernetes cluster.
- Collect the template stack name, device group name, Panorama IP address and, optionally, the Log Collector Group name from Panorama. For more information, see Create a Parent Device Group and Template Stack.
- Have ready the location of the container image repository to which you downloaded the images.
- (Optional) If you configured a custom certificate in the Kubernetes plugin for Panorama, create the certificate secret with the following command. Do not change the file name from ca.crt. The volume for custom certificates in pan-cn-mgmt-dynamic-pv.yaml and pan-cn-ngfw.yaml is optional.
kubectl -n kube-system create secret generic custom-ca --from-file=ca.crt
- Edit the YAML files to provide the details required to deploy the CN-Series firewalls. Ensure that the value of the PAN_PANORAMA_IP parameter in your YAML file matches your actual Panorama IP address, as shown in the diagram below. Ensure that the values of the PAN_DEVICE_GROUP and PAN_TEMPLATE_STACK parameters match the names of the device group and template stack that you created on Panorama, as shown in the diagram below. Ensure that the value of PAN_CGNAME is the same as the name of the log collector group that you created. (The parameter names used here are those in the sample pan-cn-mgmt-configmap later in this procedure.) For more information, see Editable Parameters in CN-Series Deployment YAML Files.
- Deploy the CN-NGFW service. When deployed as a Kubernetes Service, instances of the CN-NGFW run on the security nodes and traffic from application pods is redirected to an available CN-NGFW instance for inspection and enforcement. When deploying the CN-Series firewall on OKE as a Kubernetes Service, use the YAML files from the pan-cn-k8s-service native folder. Perform the following steps:
- Verify that you have created the service account using pan-cni-serviceaccount.yaml.
- Verify that you have modified the pan-cni-configmap and pan-cni YAML files.
- Use kubectl to apply pan-cni-configmap.yaml:
kubectl apply -f pan-cni-configmap.yaml
- Use kubectl to apply pan-cn-ngfw-svc.yaml. This YAML must be deployed before pan-cni.yaml:
kubectl apply -f pan-cn-ngfw-svc.yaml
- Use kubectl to apply pan-cni.yaml:
kubectl apply -f pan-cni.yaml
- Run the following command and verify that your output is similar to the following example.
- Deploy the CN-MGMT StatefulSet. By default, the management plane is deployed as a StatefulSet, which provides fault tolerance. Up to 30 CN-NGFW firewall pods can connect to one CN-MGMT StatefulSet.
- Verify that you have modified the pan-cn-mgmt-configmap and pan-cn-mgmt YAML files. Sample pan-cn-mgmt-configmap from OKE:
apiVersion: v1
kind: ConfigMap
metadata:
  name: pan-mgmt-config
  namespace: kube-system
data:
  PAN_SERVICE_NAME: pan-mgmt-svc
  PAN_MGMT_SECRET: pan-mgmt-secret
  # Panorama settings
  PAN_PANORAMA_IP: "<panorama-IP>"
  PAN_DEVICE_GROUP: "<panorama-device-group>"
  PAN_TEMPLATE_STACK: "<panorama-template-stack>"
  PAN_CGNAME: "<panorama-collector-group>"
  PAN_CTNR_MODE_TYPE: "k8s-service"
  # Non-mandatory parameters
  # Recommended to have the same name as the cluster name provided in the Panorama
  # Kubernetes plugin; helps identify pods when managing multiple clusters with the same Panorama
  #CLUSTER_NAME: "<Cluster name>"
  #PAN_PANORAMA_IP2: ""
  # Leave commented out to use certificates; uncomment to use a PSK for IPSec between pan-mgmt and pan-ngfw
  #IPSEC_CERT_BYPASS: "" # No value needed
  # Override auto-detection of jumbo-frame mode and force-enable it system-wide
  #PAN_JUMBO_FRAME_ENABLED: "true"
  # Start the MGMT pod with GTP enabled. For complete functionality, GTP must be
  # enabled on Panorama as well.
  #PAN_GTP_ENABLED: "true"
  # Enable high feature capacities. These need high memory for the MGMT pod and
  # higher/matching memory than specified below for the NGFW pod.
  # Refer to the system requirements documentation for the maximum NGFW CPU size
  # supported with each memory profile.
  #PAN_NGFW_MEMORY: "6.5Gi"
  #PAN_NGFW_MEMORY: "48Gi"
  #PAN_NGFW_MEMORY: "56Gi"
Sample pan-cn-mgmt-dynamic-pv.yaml:
initContainers:
  - name: pan-mgmt-init
    image: <your-private-registry-image-path>
    command: ["/usr/bin/pan_start.sh"]
    imagePullPolicy: Always
containers:
  - name: pan-mgmt
    image: <your-private-registry-image-path>
    terminationMessagePolicy: FallbackToLogsOnError
- Use kubectl to apply the YAML files in the order shown:
kubectl apply -f pan-cn-mgmt-configmap.yaml
kubectl apply -f pan-cn-mgmt-slot-crd.yaml
kubectl apply -f pan-cn-mgmt-slot-cr.yaml
kubectl apply -f pan-cn-mgmt-secret.yaml
kubectl apply -f pan-cn-mgmt-dynamic-pv.yaml
Run pan-mgmt-serviceaccount.yaml only if you have not previously completed Create Service Account for Cluster Authentication.
- Verify that the CN-MGMT pods are up by running the following command. It takes about 5-6 minutes for the pods to come up.
kubectl get pods -l app=pan-mgmt -n kube-system
- Deploy the CN-NGFW pods. Perform the following steps:
- Verify that you have modified the YAML files as detailed in PAN-CN-NGFW-CONFIGMAP and PAN-CN-NGFW.
containers:
  - name: pan-ngfw-container
    image: <your-private-registry-image-path>
- Use kubectl apply to run pan-cn-ngfw-configmap.yaml:
kubectl apply -f pan-cn-ngfw-configmap.yaml
- Use kubectl apply to run pan-cn-ngfw.yaml:
kubectl apply -f pan-cn-ngfw.yaml
- Verify that the CN-NGFW pods are running:
kubectl get pods -n kube-system -l app=pan-ngfw -o wide
- Verify that you can see the CN-MGMT, CN-NGFW and PAN-CNI pods on the Kubernetes cluster:
kubectl -n kube-system get pods
- Annotate the application YAML or the namespace so that traffic from new pods is redirected to the firewall. Add the following annotation to redirect traffic to the CN-NGFW for inspection:
annotations:
  paloaltonetworks.com/firewall: pan-fw
For example, to redirect traffic from all new pods in the "default" namespace:
kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw
On some platforms, application pods can start while pan-cni is not yet active in the CNI plugin chain, so their traffic is not redirected to the firewall. To avoid this, specify the following volume in the application pod YAML. Because the hostPath type is Directory, Kubernetes does not start the pod until that directory exists on the node.
volumes:
  - name: pan-cni-ready
    hostPath:
      path: /var/log/pan-appinfo/pan-cni-ready
      type: Directory
- Deploy your application in the cluster.
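The following pre-flight script is an added example and is not part of the Palo Alto Networks YAML bundle or of this procedure. It checks a pan-cn-mgmt-configmap.yaml against the values collected from Panorama before anything is applied (the procedure requires PAN_PANORAMA_IP, PAN_DEVICE_GROUP and PAN_TEMPLATE_STACK to match Panorama exactly, and a leftover "<...>" placeholder from the shipped template is easy to miss), then applies the manifests in the order the steps above require and annotates a namespace. The EXPECTED_* values, the two constructed ConfigMap files, the KUBECTL dry-run override and the function names are assumptions made for the demonstration; only the file names, keys and apply order come from the procedure.

```shell
#!/bin/sh
# Added example: pre-flight check and ordered apply for the CN-Series
# k8s-service deployment. Not part of the vendor YAML bundle. Only the vendor
# file names, ConfigMap keys and apply order come from the procedure; the
# expected values, sample files and KUBECTL override are assumptions.

# Values collected from Panorama. Defaults are constructed sample values.
EXPECTED_PANORAMA_IP="${EXPECTED_PANORAMA_IP:-203.0.113.10}"
EXPECTED_DEVICE_GROUP="${EXPECTED_DEVICE_GROUP:-oke-dg}"
EXPECTED_TEMPLATE_STACK="${EXPECTED_TEMPLATE_STACK:-oke-ts}"
KUBECTL="${KUBECTL:-kubectl}"   # set KUBECTL=echo for a dry run

# cm_value FILE KEY: print the value of an uncommented "KEY: value" line with
# surrounding double quotes removed; prints nothing if the key is absent or
# commented out with "#".
cm_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/^"//; s/"[[:space:]]*$//'
}

# check_mgmt_configmap FILE: return 0 only if every mandatory key is set, no
# "<...>" placeholder from the shipped template remains, the mode is
# k8s-service, and the Panorama fields match the expected values.
check_mgmt_configmap() {
    f="$1"; rc=0
    for key in PAN_SERVICE_NAME PAN_MGMT_SECRET PAN_PANORAMA_IP \
               PAN_DEVICE_GROUP PAN_TEMPLATE_STACK PAN_CTNR_MODE_TYPE; do
        v=$(cm_value "$f" "$key")
        if [ -z "$v" ]; then
            echo "MISSING   $key"; rc=1
        elif printf '%s\n' "$v" | grep -q '^<.*>$'; then
            echo "TEMPLATE  $key still holds placeholder $v"; rc=1
        fi
    done
    [ "$(cm_value "$f" PAN_CTNR_MODE_TYPE)" = "k8s-service" ] \
        || { echo "MODE      PAN_CTNR_MODE_TYPE must be k8s-service"; rc=1; }
    [ "$(cm_value "$f" PAN_PANORAMA_IP)" = "$EXPECTED_PANORAMA_IP" ] \
        || { echo "MISMATCH  PAN_PANORAMA_IP != $EXPECTED_PANORAMA_IP"; rc=1; }
    [ "$(cm_value "$f" PAN_DEVICE_GROUP)" = "$EXPECTED_DEVICE_GROUP" ] \
        || { echo "MISMATCH  PAN_DEVICE_GROUP != $EXPECTED_DEVICE_GROUP"; rc=1; }
    [ "$(cm_value "$f" PAN_TEMPLATE_STACK)" = "$EXPECTED_TEMPLATE_STACK" ] \
        || { echo "MISMATCH  PAN_TEMPLATE_STACK != $EXPECTED_TEMPLATE_STACK"; rc=1; }
    return $rc
}

# apply_in_order: apply the manifests in the order the procedure requires
# (pan-cn-ngfw-svc.yaml before pan-cni.yaml; CN-MGMT ConfigMap, CRD, CR and
# secret before the StatefulSet; CN-NGFW pods last). The service account
# manifests are applied earlier in the procedure and are not repeated here.
apply_in_order() {
    for y in pan-cni-configmap.yaml pan-cn-ngfw-svc.yaml pan-cni.yaml \
             pan-cn-mgmt-configmap.yaml pan-cn-mgmt-slot-crd.yaml \
             pan-cn-mgmt-slot-cr.yaml pan-cn-mgmt-secret.yaml \
             pan-cn-mgmt-dynamic-pv.yaml \
             pan-cn-ngfw-configmap.yaml pan-cn-ngfw.yaml; do
        "$KUBECTL" apply -f "$y" || return 1
    done
}

# annotate_namespace NS: redirect traffic from all new pods in NS to CN-NGFW.
annotate_namespace() {
    "$KUBECTL" annotate namespace "$1" paloaltonetworks.com/firewall=pan-fw
}

# Two constructed ConfigMaps for the demonstration: one filled in correctly,
# one still carrying placeholders from the shipped template.
GOOD_CM=$(mktemp); BAD_CM=$(mktemp)
cat > "$GOOD_CM" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: pan-mgmt-config
  namespace: kube-system
data:
  PAN_SERVICE_NAME: pan-mgmt-svc
  PAN_MGMT_SECRET: pan-mgmt-secret
  PAN_PANORAMA_IP: "203.0.113.10"
  PAN_DEVICE_GROUP: "oke-dg"
  PAN_TEMPLATE_STACK: "oke-ts"
  PAN_CGNAME: "oke-cg"
  PAN_CTNR_MODE_TYPE: "k8s-service"
  #PAN_NGFW_MEMORY: "6.5Gi"
EOF
sed 's/"203.0.113.10"/"<panorama-IP>"/; s/"oke-ts"/"<panorama-template-stack>"/' \
    "$GOOD_CM" > "$BAD_CM"

check_mgmt_configmap "$GOOD_CM" && echo "filled-in configmap: PASS"
check_mgmt_configmap "$BAD_CM"  || echo "template configmap: FAIL (as expected)"
```

Run it with EXPECTED_PANORAMA_IP, EXPECTED_DEVICE_GROUP and EXPECTED_TEMPLATE_STACK set to the values you copied from Panorama and point check_mgmt_configmap at your real pan-cn-mgmt-configmap.yaml; only when it returns 0 call apply_in_order (KUBECTL=echo first to see the sequence) and then annotate_namespace for each namespace whose pods the firewall should inspect.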