Deploy the CN-Series on OpenShift
Focus
Focus

CN-Series

Deploy the CN-Series on OpenShift

Table of Contents

Deploy the CN-Series on OpenShift

On your OpenShift environment, deploy the CN-Series firewalls.
Where Can I Use This?
What Do I Need?
  • CN-Series Firewall
    deployment on OpenShift environment
  • CN-Series 10.1.x or above Container Images
  • Panorama
    running PAN-OS 10.1.x or above version
The pan-cni secures traffic on the default "eth0" interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure additional interfaces that are configured with a bridge-based connection to communicate with other pods or the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all the interfaces or a selected number of interfaces attached to each pod.
The pan-cni doesn't create any network and hence doesn't need IP addresses like other CNI plugins.
PAN-OS 10.1.3 or later is required to deploy the CN-Series as Kubernetes Service on OpenShift. Additionally, the CN-Series as a Kubernetes Service on OpenShift only secures interface
eth0
.
  1. Deploy your cluster.
    Refer to the cloud platform vendor’s documentation and verify that the OpenShift versions and CNI are supported for the CN-Series. Review Get the image file for CN-Series Firewall and Editable parameters in CN-Series yaml files.
  2. Use the workflow included in Secure Kubernetes workloads with CN-Series.
    You must create the service credentials, and deploy the firewall YAMLs.
    Note: If your service credential file is over 10KB, you must gzip the file and then do a base64 encoding of the compressed file before you upload or paste the contents of the file into the Panorama CLI or API.
  3. Configure the PAN-CNI plugin to work with the Multus CNI plugin.
    The Multus CNI on OpenShift functions as a "meta-plugin" that calls other CNI plugins. For each application you must:
    1. Deploy the PAN-CNI NetworkAttachmentDefinition in every pod namespace
      kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
    2. Modify the Application YAML.
      After you deploy the pan-cni-net-attach-def.yaml, in the app pod yaml add the annotation:
      paloaltonetworks.com/firewall: pan-fw
      k8s.v1.cni.cncf.io/networks: pan-cni
      If you have other networks in the above annotation, add
      pan-cni
      after the networks that need to be inspected. The networks that follow
      pan-cni
      are not redirected and inspected.
      If your pod has multiple network interfaces, you must specify the interface names for which you want the CN-NGFW pod to inspect traffic, under “interfaces” in the pan-cni-configmap.yaml.
      For example:
      template: metadata: annotations: paloaltonetworks.com/firewall: pan-fw k8s.v1.cni.cncf.io/networks: bridge-conf, macvlan-conf, sriov-conf, pan-cni
    CN-Series now supports OVN-Kubernetes Container Network Interface (CNI) plug-in on RedHat OpenShift version 4.13 and above, in the Kubernetes Service deployment mode and DaemonSet mode.

Recommended For You