Deploy the CN-Series firewalls on your OpenShift environment.
Where Can I Use This?
  CN-Series deployment on OpenShift environment
What Do I Need?
  CN-Series 10.1.x or above container images
  Panorama running PAN-OS 10.1.x or above
The pan-cni secures traffic on the default "eth0" interface of the application pod. If you have multi-homed pods, you can configure the CN-NGFW pod to also secure additional interfaces that use a bridge-based connection to communicate with other pods or with the host. Depending on the annotation in the application YAML, you can configure the CN-Series firewall to inspect traffic from all of the interfaces attached to each pod or only from a selected subset of them.
The pan-cni does not create any network of its own and therefore, unlike other CNI plugins, does not need IP addresses.
PAN-OS 10.1.3 or later is required to deploy the CN-Series as a Kubernetes Service on OpenShift. Additionally, the CN-Series as a Kubernetes Service on OpenShift only secures interface
You must create the service credentials and deploy the firewall YAMLs.
Note: If your service credential file is over 10KB, you must gzip the file and then base64-encode the compressed file before you upload or paste its contents into the Panorama CLI or API.
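The gzip-then-base64 preparation from the note above, as an added example that is not code from the CN-Series documentation. Files over the limit are gzip-compressed and then base64-encoded; smaller files are passed through unchanged, which is an assumption (the page only prescribes the extra step for files over 10KB). The exact threshold of 10 * 1024 bytes and the sample credential blob are also assumptions.

```python
"""Prepare a service credential file for the Panorama CLI/API.

Added example (not from the CN-Series docs). Assumptions: "10KB" means
10 * 1024 bytes, and files at or under that size are pasted as-is.
"""
import base64
import gzip

SIZE_LIMIT = 10 * 1024        # "10KB" on the page; exact byte count assumed
GZIP_MAGIC = b"\x1f\x8b"      # first two bytes of every gzip stream


def prepare_credential(data: bytes) -> str:
    """Return the text to paste into Panorama for a credential file's bytes."""
    if len(data) > SIZE_LIMIT:
        # Step 1: gzip the file. mtime=0 keeps the output deterministic
        # (the gzip header otherwise embeds the current time).
        compressed = gzip.compress(data, mtime=0)
        # Step 2: base64-encode the compressed bytes, single line, no wrapping.
        return base64.b64encode(compressed).decode("ascii")
    # Assumption: small files need no transformation.
    return data.decode("utf-8")


def is_compressed_payload(text: str) -> bool:
    """True if `text` is base64 whose decoded bytes start with the gzip magic."""
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(GZIP_MAGIC)


def restore_credential(text: str) -> bytes:
    """Reverse prepare_credential, to verify what Panorama will actually receive."""
    if is_compressed_payload(text):
        return gzip.decompress(base64.b64decode(text))
    return text.encode("utf-8")


def main() -> None:
    # Constructed sample credential (not a real key): a padded JSON-ish blob
    # comfortably over the 10KB limit.
    sample = b'{"type": "service_account", "pad": "' + b"A" * 20000 + b'"}'
    payload = prepare_credential(sample)
    print(f"{len(sample)} bytes -> {len(payload)} chars to paste, "
          f"gzip-wrapped: {is_compressed_payload(payload)}")
    # Round-trip check before pasting: the restored bytes must match the file.
    print("round trip ok:", restore_credential(payload) == sample)


if __name__ == "__main__":
    main()
```

To use it on a real file, read the file as bytes (`open(path, "rb").read()`), pass the result to `prepare_credential`, and paste the returned string; `restore_credential` lets you confirm the payload decodes to the original file before you commit it to Panorama.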
Configure the PAN-CNI plugin to work with the Multus CNI plugin.
The Multus CNI on OpenShift functions as a "meta-plugin" that calls other CNI plugins. For each application you must:
1. Deploy the PAN-CNI NetworkAttachmentDefinition (pan-cni-net-attach-def.yaml) in every namespace that contains application pods.
2. After you deploy pan-cni-net-attach-def.yaml, add the following annotations to the application pod YAML:
   paloaltonetworks.com/firewall: pan-fw
   k8s.v1.cni.cncf.io/networks: pan-cni
   If you have other networks in the k8s.v1.cni.cncf.io/networks annotation, list pan-cni after the networks whose traffic needs to be inspected. Networks listed after pan-cni are not redirected to the firewall and are not inspected.
3. If your pod has multiple network interfaces, specify the interface names for which you want the CN-NGFW pod to inspect traffic under "interfaces" in pan-cni-configmap.yaml.
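The pan-cni ordering rule from the steps above, as an added example that is not code from the CN-Series documentation: given a pod manifest, the script reports which Multus secondary networks sit before pan-cni (redirected to the CN-NGFW and inspected) and which sit after it (not inspected), and flags a missing paloaltonetworks.com/firewall annotation. The sample manifest is constructed, and the Multus annotation grammar it parses (comma-separated "[namespace/]name[@interface]" entries, or a JSON array of objects with a "name" key) is assumed from Multus rather than stated on the page.

```python
"""Audit a pod manifest against the Multus/pan-cni ordering rule.

Added example (not from the CN-Series docs). Assumptions: Multus annotation
grammar as described in the lead-in; the sample pod below is constructed.
"""
import json

FIREWALL_ANNOTATION = "paloaltonetworks.com/firewall"
NETWORKS_ANNOTATION = "k8s.v1.cni.cncf.io/networks"
PAN_CNI = "pan-cni"


def parse_networks(value: str) -> list:
    """Return the ordered network names from a Multus networks annotation."""
    value = value.strip()
    if not value:
        return []
    if value.startswith("["):
        # JSON form, e.g. [{"name": "macvlan-db", "namespace": "apps", "interface": "net1"}]
        return [str(entry["name"]) for entry in json.loads(value)]
    names = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        entry = entry.split("@", 1)[0]           # drop the "@interface" suffix
        names.append(entry.rsplit("/", 1)[-1])   # drop the "namespace/" prefix
    return names


def split_by_pan_cni(networks: list) -> tuple:
    """Split an ordered network list into (inspected, not_inspected) around pan-cni.

    Networks before pan-cni are redirected to the CN-NGFW; those after it
    are attached by Multus as usual but bypass the firewall entirely.
    """
    if PAN_CNI not in networks:
        raise ValueError(f"{PAN_CNI} is not attached; secondary interfaces will not be inspected")
    idx = networks.index(PAN_CNI)
    return networks[:idx], networks[idx + 1:]


def audit_pod(manifest: dict) -> dict:
    """Report how the pan-cni will treat a pod's secondary networks.

    The default eth0 interface is secured by the pan-cni regardless (per the
    page), so only the Multus secondary networks are classified here.
    """
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    problems = []
    if annotations.get(FIREWALL_ANNOTATION) != "pan-fw":
        problems.append(f"missing annotation {FIREWALL_ANNOTATION}: pan-fw")
    inspected, not_inspected = [], []
    try:
        inspected, not_inspected = split_by_pan_cni(
            parse_networks(annotations.get(NETWORKS_ANNOTATION, "")))
    except ValueError as exc:
        problems.append(str(exc))
    return {"inspected": inspected, "not_inspected": not_inspected, "problems": problems}


# Constructed sample pod: the database network is listed before pan-cni and is
# inspected; the management network is listed after it and bypasses the firewall.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "app-pod",
        "annotations": {
            FIREWALL_ANNOTATION: "pan-fw",
            NETWORKS_ANNOTATION: "macvlan-db@net1, pan-cni, sriov-mgmt@net2",
        },
    },
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}

if __name__ == "__main__":
    print(json.dumps(audit_pod(SAMPLE_POD), indent=2))
```

This checks only the annotations; for a multi-interface pod the interface names still have to be listed under "interfaces" in pan-cni-configmap.yaml as step 3 describes, which the script does not verify. Running it on a manifest loaded with `yaml.safe_load` from a real pod spec is the intended use.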
CN-Series now supports the OVN-Kubernetes Container Network Interface (CNI) plug-in on Red Hat OpenShift version 4.13 and above, in both the Kubernetes Service deployment mode and the DaemonSet mode.