Create Service Accounts for Cluster Authentication

Where Can I Use This?
  • CN-Series deployment
What Do I Need?
  • CN-Series 10.1.x or above Container Images
  • Panorama running PAN-OS 10.1.x or above version
  • Helm 3.6 or above version client for CN-Series deployment with helm chart
The CN-Series firewall requires three service accounts with the minimum permissions that authorize it to communicate with your Kubernetes cluster resources. For service account creation, you require the pan-mgmt-serviceaccount.yaml, pan-cni-serviceaccount.yaml, and plugin-serviceaccount.yaml files.

The service account (pan-plugin-user) created with the plugin-serviceaccount.yaml enables the Kubernetes plugin on Panorama to authenticate with the Kubernetes cluster for retrieving metadata on the pods. The other two YAML files, pan-mgmt-serviceaccount.yaml and pan-cni-serviceaccount.yaml, create the pan-mgmt-sa and the pan-cni-sa service accounts to enable the authentication between the fault tolerant CN-MGMT pods, and between the CN-MGMT pod and the CN-NGFW pods. For more information, see Components Required to Secure Kubernetes Clusters with CN-Series Firewall.

By default, the YAML files create the service account and the secret in the kube-system namespace; the Kubernetes plugin will only look for the secret in the kube-system namespace.

To create the service accounts, your Kubernetes cluster should be ready.
  1. Run the service account YAML, plugin-serviceaccount.yaml.
     This service account enables the permissions that Panorama requires to authenticate to the GKE cluster for retrieving Kubernetes labels and resource information. This service account is named pan-plugin-user by default.
     1. kubectl apply -f plugin-serviceaccount.yaml
     2. kubectl -n kube-system get secrets | grep pan-plugin-user
        View the secrets associated with this service account.
        If you are using Kubernetes version 1.24 or above, run the following command instead to view the secrets associated with this service account:
        kubectl -n kube-system get secrets | grep pan-plugin-user-secret
     3. kubectl -n kube-system get secrets <secrets-from-above-command> -o json >> cred.json
        Create the credential file, named cred.json in this example, that includes the secrets, and save this file. You upload this file to Panorama to set up the Kubernetes plugin for monitoring the clusters in Install the Kubernetes Plugin and Set up Panorama for CN-Series.
  2. Run the pan-mgmt-serviceaccount.yaml and pan-cni-serviceaccount.yaml.
     The pan-mgmt-serviceaccount.yaml creates a service account named pan-sa, which is required to enable the CN-MGMT and CN-NGFW Pods to communicate with each other, the PAN-CNI, and the Kubernetes API server. If you modify this service account name, you must also update the YAML files that you use to deploy the CN-MGMT and CN-NGFW Pods. The pan-cni-serviceaccount.yaml creates a service account named pan-cni-sa.
     kubectl apply -f pan-mgmt-serviceaccount.yaml
     kubectl apply -f pan-cni-serviceaccount.yaml
  3. Verify the service accounts.
     kubectl get serviceaccounts -n kube-system
     If you are using a Helm chart, steps 2 and 3 are automated by the Helm chart and do not need to be carried out manually.
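A pre-upload check for the cred.json exported in step 1, added here as an example and not part of this documentation or the CN-Series tooling: it verifies that the exported Secret is a service-account token in kube-system bound to pan-plugin-user, and flags a file holding more than one document (the export command appends with `>>`, so running it twice yields two). The sample Secret is constructed.

```python
"""Sanity-check a cred.json exported with
`kubectl -n kube-system get secrets <name> -o json >> cred.json`
before uploading it to Panorama."""
import base64
import json
import sys

EXPECTED_NAMESPACE = "kube-system"     # the Kubernetes plugin only looks here
EXPECTED_SA = "pan-plugin-user"        # default name from plugin-serviceaccount.yaml
SA_TOKEN_TYPE = "kubernetes.io/service-account-token"


def parse_concatenated_json(text):
    """Return every JSON document in text (a file appended to twice holds two)."""
    decoder, docs, pos = json.JSONDecoder(), [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return docs
        doc, pos = decoder.raw_decode(text, pos)
        docs.append(doc)


def check_cred_json(text):
    """Return a list of problems; an empty list means the file is usable."""
    problems, docs = [], parse_concatenated_json(text)
    if len(docs) != 1:
        problems.append(f"expected exactly one Secret document, found {len(docs)}")
        if not docs:
            return problems
    secret = docs[0]
    meta = secret.get("metadata", {})
    if secret.get("kind") != "Secret":
        problems.append("kind is not Secret")
    if secret.get("type") != SA_TOKEN_TYPE:
        problems.append(f"type is {secret.get('type')!r}, not {SA_TOKEN_TYPE}")
    if meta.get("namespace") != EXPECTED_NAMESPACE:
        problems.append(f"secret is in {meta.get('namespace')!r}, plugin expects {EXPECTED_NAMESPACE}")
    if meta.get("annotations", {}).get("kubernetes.io/service-account.name") != EXPECTED_SA:
        problems.append(f"secret is not bound to the {EXPECTED_SA} service account")
    data = secret.get("data", {})
    for key in ("token", "ca.crt", "namespace"):  # keys a token Secret must carry
        try:
            base64.b64decode(data[key], validate=True)
        except (KeyError, ValueError):
            problems.append(f"data.{key} missing or not valid base64")
    return problems


# Constructed sample export, shaped like a real service-account token Secret.
SAMPLE_CRED_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": SA_TOKEN_TYPE,
    "metadata": {"name": "pan-plugin-user-secret", "namespace": "kube-system",
                 "annotations": {"kubernetes.io/service-account.name": EXPECTED_SA}},
    "data": {"token": base64.b64encode(b"constructed-jwt").decode(),
             "ca.crt": base64.b64encode(b"constructed-ca").decode(),
             "namespace": base64.b64encode(b"kube-system").decode()}})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRED_JSON
    for problem in check_cred_json(text):
        print("PROBLEM:", problem)
```

Run it as `python check_cred.py cred.json`; no output means the file passed every check.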
