On your OpenShift environment, deploy the CN-Series firewalls.
Where Can I Use?
  deployment on OpenShift
What Do I Need?
  CN-Series 10.1.x or above Container Images
  running PAN-OS 10.1.x or above
The pan-cni secures traffic on the default
"eth0" interface of the application pod. If you have multi-homed
pods, you can configure the CN-NGFW pod to secure additional interfaces
that are configured with a bridge-based connection to communicate
with other pods or the host. Depending on the annotation in the
application YAML, you can configure the CN-Series firewall to inspect
traffic from all the interfaces or a selected number of interfaces
attached to each pod.
The pan-cni doesn't create any network
and hence doesn't need IP addresses like other CNI plugins.
10.1.3 or later is required to deploy the CN-Series as a Kubernetes Service
on OpenShift. Additionally, the CN-Series as a Kubernetes Service
on OpenShift only secures interface
You must create the service credentials, and deploy the firewall YAMLs.
Note: If your service credential file is over 10KB, you must gzip the file
and then do a base64 encoding of the compressed file before you upload or
paste the contents of the file into the Panorama CLI or API.
Configure the PAN-CNI plugin to work with Multus
The Multus CNI on OpenShift functions as a "meta-plugin"
that calls other CNI plugins. For each application you must:
Deploy the PAN-CNI NetworkAttachmentDefinition in every pod