Deploy the CN-Series on OpenShift


Deploy the CN-Series on OpenShift

Table of Contents

Deploy the CN-Series on OpenShift

On your OpenShift environment, deploy the CN-Series firewalls.
Where Can I Use This?
What Do I Need?
  • CN-Series Firewall
    deployment on OpenShift environment
  • CN-Series 10.1.x or above Container Images
  • Panorama
    running PAN-OS 10.1.x or above version
The pan-cni secures traffic on the default "eth0" interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure additional interfaces that are configured with a bridge-based connection to communicate with other pods or the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all the interfaces or a selected number of interfaces attached to each pod.
The pan-cni doesn't create any network and hence doesn't need IP addresses like other CNI plugins.
PAN-OS 10.1.3 or later is required to deploy the CN-Series as Kubernetes Service on OpenShift. Additionally, the CN-Series as a Kubernetes Service on OpenShift only secures interface
  1. Deploy your cluster.
    Refer to the cloud platform vendor’s documentation and verify that the OpenShift versions and CNI are supported for the CN-Series. Review Get the image file for CN-Series Firewall and Editable parameters in CN-Series yaml files.
  2. Use the workflow included in Secure Kubernetes workloads with CN-Series.
    You must create the service credentials, and deploy the firewall YAMLs.
    Note: If your service credential file is over 10KB, you must gzip the file and then do a base64 encoding of the compressed file before you upload or paste the contents of the file into the Panorama CLI or API.
  3. Configure the PAN-CNI plugin to work with the Multus CNI plugin.
    The Multus CNI on OpenShift functions as a "meta-plugin" that calls other CNI plugins. For each application you must:
    1. Deploy the PAN-CNI NetworkAttachmentDefinition in every pod namespace
      kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
    2. Modify the Application YAML.
      After you deploy the pan-cni-net-attach-def.yaml, in the app pod yaml add the annotation: pan-fw pan-cni
      If you have other networks in the above annotation, add
      after the networks that need to be inspected. The networks that follow
      are not redirected and inspected.
      If your pod has multiple network interfaces, you must specify the interface names for which you want the CN-NGFW pod to inspect traffic, under “interfaces” in the pan-cni-configmap.yaml.
      For example:
      template: metadata: annotations: pan-fw bridge-conf, macvlan-conf, sriov-conf, pan-cni
    CN-Series now supports OVN-Kubernetes Container Network Interface (CNI) plug-in on RedHat OpenShift version 4.13 and above, in the Kubernetes Service deployment mode and DaemonSet mode.

Recommended For You