Configure the Kubernetes Plugin for Panorama
Focus
Focus
CN-Series

Configure the Kubernetes Plugin for Panorama

Table of Contents

Configure the Kubernetes Plugin for Panorama

Use the Kubernetes Plugin for Panorama to propagate labels to Panorama device groups
Where Can I Use This?
What Do I Need?
  • CN-Series Firewall
    deployment
  • CN-Series 10.1.x or above Container Images
  • Panorama
    running PAN-OS 10.1.x or above version
Use the Kubernetes Plugin for Panorama to propagate labels to Panorama device groups.
You can use the Kubernetes plugin to complete the integration of Panorama and the Kubernetes API. The plugin learns new labels and propagates them to Panorama device groups. These labels can include Kubernetes labels, services, namespaces, and other metadata from which Dynamic Address Group match criteria can be defined.
If the cluster credential file size is greater than 32KB, you will get an error message when importing the credentials file on the Panorama Kubernetes plugin. The error message displays the size of the file as the cause of the error.
If the cluster has many CA certificates in
ca.crt
bundle, the Kubernetes plugin only requires the top CA certificate. You must ensure to retain only the top CA certificate and remove all other CA certificates and
service.crt
from the credential file. You can then use this updated credential file.
This procedure assumes you have installed the supporting software listed in Prepare to Use the Helm Charts and Templates.
  1. Retrieve the pan-plugin-user service account credentials from the Kubernetes master.
    Enter each command as a single line:
    $ MY_TOKEN=`kubectl get serviceaccounts pan-plugin-user -n kube-system
      -o jsonpath='{.secrets[0].name}'`
    $ kubectl get secret $MY_TOKEN -n kube-system -o json >
      ~/Downloads/pan-plugin-user.json
  2. Create a Cluster definition in the Panorama Kubernetes plugin.
    Use the Kubernetes master address displayed in the Terraform output and the JSON credentials file located at
    ~/Downloads/pan-plugin-user.json
    .
    Define the labels you want to import from the Kubernetes API.
  3. Create a Notify Group definition in the Panorama Kubernetes plugin.
    This definition is used to propagate the labels learned from the Kubernetes API to a Panorama Device Group.
    Perform the following steps to create a Notify Group in the Panorama Kubernetes plugin:
    1. Select
      Panorama
      >
      Plugins
      >
      Kubernetes
      >
      Setup
      >
      Notify Groups
      , and
      Add
      .
    2. Enter a
      Name
      of up to 31 characters for the notify group.
    3. Select
      Enable sharing internal tags with Device Groups
      if you want to share internal tags in addition to the external tags (default) created for the cluster.
    4. Select the device groups to wich you want to register the tags.
    5. Click
      Ok
      .
  4. Create a Monitoring Definition in the Panorama plugin.
    Use the Cluster and Notify Group definitions created in the previous steps.
  5. Commit to Panorama.
  6. To confirm API connectivity and MP container registrations, go to the Monitoring Definition and click on the Detailed Status and Cluster MPs.
    You are now ready to deploy an application and secure it with the CN-Series firewall.

Recommended For You