Deploy CN-Series Firewalls With (Recommended) and Without the Helm Chart
Deploy CN-Series firewalls with Helm charts and templates.
Where Can I Use This?
  CN-Series deployment
What Do I Need?
  CN-Series 10.1.x or above container images
  Panorama running PAN-OS 10.1.x or above
  Helm 3.6 or above client (for CN-Series deployment with Helm)
The Helm repository contains charts and templates for deploying the Palo Alto Networks CN-Series containerized firewall using the Helm package manager for Kubernetes. You can download the CN-Series Helm charts from GitHub.
Install the required software. These instructions list the minimum versions, but you can install a later version in the same family unless an upper limit is specified.
Deploy CN-Series firewall 10.1.x, 10.2.x, 11.0.x, or 11.1.x container images.
Install a Kubernetes version between 1.16 and 1.25 and create a Kubernetes cluster. For more information on the supported Kubernetes versions for your environment, see
and apply the YAML. The service account enables the permissions that Panorama requires to authenticate to the cluster for retrieving Kubernetes labels and resource information. This service account is named pan-plugin-user by default. Run the following command to deploy the plugin-serviceaccount.yaml file:
kubectl apply -f plugin-serviceaccount.yaml
To view the secrets associated with this service account:
kubectl -n kube-system get secrets | grep pan-plugin-user
Create the credential file, named cred.json in this example, that includes the secrets, and save this file:
kubectl -n kube-system get secrets <secrets-from-above-command> -o json >> cred.json
You need to upload this file to Panorama to set up the Kubernetes plugin for monitoring the clusters, in Install the Kubernetes plugin for CN-Series firewall.
On OpenShift, you must manually deploy the pan-cni-net-attach-def.yaml file for each OpenShift namespace before deploying the Helm charts.
Edit the values.yaml file to enter your configuration information. The following values are from the helm_cnv1 subdirectory.
# The K8s environment
# Valid deployTo tags are: [gke|eks|aks|native]
# Valid multus tags are: [enable|disable]. Keep multus set to enable for OpenShift and native deployments.
cluster:
  deployTo: eks
  multus: disable
Persistent volume claims are not deleted when a Helm chart is uninstalled. You must ensure that you clear these claims beforehand for the Helm install to work.
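As an added pre-flight check, not part of the Palo Alto Networks documentation or the CN-Series Helm chart, the following POSIX sh script validates the cluster block of a values.yaml against the constraints stated in the chart comments (a valid deployTo tag, and multus kept enabled for native deployments) before you run helm install. The function names and the sample values.yaml are constructed for this example.

```shell
#!/bin/sh
# Added pre-flight check for the cluster block of a CN-Series values.yaml.
# Example code written for this page, not part of the Palo Alto Networks docs
# or the CN-Series Helm chart; function names are hypothetical.
# Assumption: values.yaml uses the layout shown above (top-level "cluster:"
# with two-space indented "deployTo:" and "multus:" keys).

# Print the value of one key inside the top-level cluster: block.
cluster_value() {
  # $1 = path to values.yaml, $2 = key name (deployTo or multus)
  awk -v want="$2:" '
    /^[^ \t#]/ { in_cluster = ($0 ~ /^cluster:/) }   # a new top-level key starts
    in_cluster && $1 == want { print $2; exit }
  ' "$1"
}

# Return 0 if the cluster block is consistent with the chart comments, else 1.
validate_cluster_values() {
  deploy_to=$(cluster_value "$1" deployTo)
  multus=$(cluster_value "$1" multus)
  case "$deploy_to" in
    gke|eks|aks|native) ;;
    *) echo "deployTo must be one of gke|eks|aks|native, got '$deploy_to'" >&2; return 1 ;;
  esac
  case "$multus" in
    enable|disable) ;;
    *) echo "multus must be enable or disable, got '$multus'" >&2; return 1 ;;
  esac
  # The chart comment says to keep multus enabled for native (and OpenShift) deployments.
  if [ "$deploy_to" = native ] && [ "$multus" != enable ]; then
    echo "deployTo: native requires multus: enable" >&2
    return 1
  fi
  return 0
}

# Constructed sample matching the helm_cnv1 fragment above (EKS, multus disabled).
SAMPLE_VALUES=$(mktemp)
cat > "$SAMPLE_VALUES" <<'EOF'
# The K8s environment
cluster:
  deployTo: eks
  multus: disable
EOF

if validate_cluster_values "$SAMPLE_VALUES"; then
  echo "cluster block in $SAMPLE_VALUES is valid; safe to run helm install"
fi
```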
Add the CN-Series repository to your local Helm client.