>
    Deploy the CN-Series Firewall as a Kubernetes Service on AWS EKS
    Focus
    Download PDF
    Focus
    1. Home
    2. CN-Series
    3. Deploy the CN-Series Firewall on EKS
    4. Deploy the CN-Series Firewall as a Kubernetes Service on AWS EKS
    Download PDF
    CN-Series

    Deploy the CN-Series Firewall as a Kubernetes Service on AWS EKS

    Table of Contents

    Deploy the CN-Series Firewall as a Kubernetes Service on AWS EKS

    Where Can I Use This?What Do I Need?
    • CN-Series deployment
    • CN-Series 10.1.x or above Container Images
    • Panorama running PAN-OS 10.1.x or above version
    • Helm 3.6 or above version client for CN-Series deployment with Helm
    Complete the following procedure to deploy the CN-Series firewall as a Kubernetes Service.
    Before you begin, ensure the CN-Series YAML file version is compatible with the PAN-OS version.
    • PAN-OS 10.1.2 or later requires YAML 2.0.2
    • PAN-OS 10.1.0 and 10.1.1 require YAML 2.0.0 or 2.0.1
    1. Set up your Kubernetes cluster.
      To create a cluster in AWS EKS, do the following:
      1. Click the Services navigation menu, go to Containers->Elastic Kubernetes Service.
      2. Click Create Cluster.
      3. Fill in the required details, and then click Create.
      1. Verify that the cluster has adequate resources. Make sure that cluster has the CN-Series Prerequisites resources to support the firewall:
        kubectl get nodes
        kubectl describe node <node-name>
        View the information under the Capacity heading in the command output to see the CPU and memory available on the specified node.
        The CPU, memory and disk storage allocation will depend on your needs. See CN-Series Performance and Scaling.
        Ensure you have the following information:
        • Collect the Endpoint IP address for setting up the API server on Panorama. Panorama uses this IP address to connect to your Kubernetes cluster.
        • Collect the template stack name, device group name, Panorama IP address, and optionally the Log Collector Group Name from Panorama.
        • Collect the authorization code and auto-registration PIN ID and value.
        • The location of the container image repository to which you downloaded the images.
    2. (optional) If you configured a custom certificate in the Kubernetes plugin for Panorama, you must create the cert secret by executing the following command. Do not change the file name from ca.crt. The volume for custom certificates in pan-cn-mgmt.yaml and pan-cn-ngfw.yaml is optional.
      kubectl -n kube-system create secret generic custom-ca --from-file=ca.crt
    3. Edit the YAML files to provide the details required to deploy the CN-Series firewalls.
      You need to replace the image path in the YAML files to include the path to your private registry and provide the required parameters. See Editable parameters in CN-Series deployment yaml files for details.
    4. Update the storage class. To support the CN-Series deployed on AWS Outpost, you must use the storage driver aws-ebs-csi-driver, which ensures that Outpost pulls the volumes from the Outpost during dynamic Persistent Volume (PV) creation.
      1. Apply the following yaml.
        kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-0.10"
      2. Verify that the ebs-sc controller is running.
        kubectl -n kube-system get pods
      3. Update pan-cn-storage-class.yaml to match the example below.
        apiVersion: v1
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: ebs-sc
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
parameters:
  type: gp2
      4. Add storageClassName: ebs-sc to pan-cn-mgmt.yaml in the locations shown below.
        volumeClaimTemplates:
  - metadata:
      name: panlogs
    spec:
      #storageClassName: pan-cn-storage-class //For better disk iops performance for logging
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: ebs-sc     //
      resources:
        requests:
          storage: 20Gi # change this to 200Gi while using storageClassName for better disk iops
  - metadata:
      name: varlogpan
    spec:
      #storageClassName: pan-cn-storage-class //For better disk iops performance for dp logs
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: ebs-sc
      resources:
        requests:
          storage: 20Gi # change this to 200Gi while using storageClassName for better disk iops
  - metadata:
      name: varcores
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: ebs-sc
      resources:
        requests:
          storage: 2Gi
  - metadata:
      name: panplugincfg
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: ebs-sc
      resources:
        requests:
          storage: 1Gi
  - metadata:
      name: panconfig
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: ebs-sc
      resources:
        requests:
          storage: 8Gi
  - metadata:
      name: panplugins
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: ebs-sc
      resources:
        requests:
          storage: 200Mi
    5. If you are using autoscaling in your Kubernetes environment, do the following:
      1. Deploy the Amazon CloudWatch Metrics Adapter for Kubernetes in your CN-Series as a Service cluster. You must allow CloudWatch complete access to both IAM roles associated with your Kubernetes pods and clusters. To publish the custom metrics to CloudWatch, the worker nodes’ role must have the AWS managed policy CloudWatchAgentServerPolicy so that the HPA can retrieve them.
      2. Download the EKS-specific HPA yaml files from the Palo Alto Networks GitHub repository.
      3. If your CN-MGMT is deployed in a custom namespace, update pan-cn-adapater.yaml with the custom namespace. The default namespace is kube-system.
      4. Modify pan-cn-hpa-dp.yaml and pan-cn-hpa-mp.yaml.
        1. Enter the minimum and maximum number of replicas.
        2. (Optional) Change the scale down and scale up frequency values to suit your deployment. If you do not change these values, the default values are used.
        3. Copy the following section for each metric you want to use for scaling.
          - type: Pods
    pods:
      metric:
       name: pansessionactive
      target:
        type: AverageValue
averageValue: 30
        4. Change the name the metric you want to use and set the averageValue to the threshold described in the table above. If you do not change these values, the default values are used.
        5. Save you changes.
          For more information, see Horizontal Pod Autoscaling.
      5. Deploy the HPA yaml files. The files must be deployed in the order described below.
        1. Use Kubectl to run the pan-cn-adapter.yaml
          kubectl apply -f pan-cn-adapter.yaml
        2. Use Kubectl to run the pan-cn-externalmetrics.yaml
          kubectl apply -f pan-cn-externalmetrics.yaml
        3. Use Kubectl to run the pan-cn-hpa-dp.yaml
          kubectl apply -f pan-cn-hpa-dp.yaml
        4. Use Kubectl to run the pan-cn-hpa-mp.yaml
          kubectl apply -f pan-cn-hpa-mp.yaml
      6. Verify your deployment.
        Use kubectl to verify that the custom metrics adapter pod in the custom metrics namespace.
        kubectl get pods -n custom-metrics
        Use kubectl to check for the HPA resource.
        kubectl get hpa -n kube-system
        kubectl describe hpa <hpa-name> -n kube-system
    6. Deploy the CN-NGFW service.
      1. Verify that you have created the service account using the pan-cni-serviceaccount.yaml.
        See Create Service Account for Cluster Authentication.
      2. Use Kubectl to run the pan-cni-configmap.yaml.
        kubectl apply -f pan-cni-configmap.yaml
      3. Use kubectl to run the pan-cn-ngfw-svc.yaml.
        kubectl apply -f pan-cn-ngfw-svc.yaml
        This yaml must be deployed before pan-cni.yaml.
      4. Use Kubectl to run the pan-cni.yaml.
        kubectl apply -f pan-cni.yaml
      5. Verify that you have modified the pan-cni-configmap and pan-cni YAML files.
      6. Run the following command and verify that your output is similar to the following example.
        kubectl get pods -n kube-system | grep pan-cni
    7. Deploy the CN-MGMT StatefulSet.
      By default, the management plane is deployed as a StatefulSet that provides fault tolerance. Up to 30 firewall CN-NGFW pods can connect to a CN-MGMT StatefulSet.
      1. (Required for statically provisioned PVs only) Deploy the Persistent Volumes (PVs) for the CN-MGMT StatefulSet.
        1. Create the directories to match the local volume names defined in the pan-cn-pv-local.yaml.
          You need six (6) directories on at least 2 worker nodes. Log in to each worker node on which the CN-MGMT StatefulSet will be deployed to create the directories. For example, to create directories named /mnt/pan-local1 to /mnt/pan-local6, use the command: 
          mkdir -p /mnt/pan-local1 /mnt/pan-local2 /mnt/pan-local3 /mnt/pan-local4 /mnt/pan-local5 /mnt/pan-local6
        2. Modify pan-cn-pv-local.yaml.
          Match the hostname under nodeaffinity, and verify that you have modified the directories you created above in spec.local.path then deploy the file to create a new storageclass pan-local-storage and local PVs.
      2. Verify that you have modified the pan-cn-mgmt-configmap and pan-cn-mgmt YAML files.
        Sample pan-cn-mgmt-configmap from EKS.
        
	apiVersion: v1
kind: ConfigMap
metadata:
  name: pan-mgmt-config
  namespace: kube-system
data:
  PAN_SERVICE_NAME: pan-mgmt-svc
  PAN_MGMT_SECRET: pan-mgmt-secret
  # Panorama settings
  PAN_PANORAMA_IP: "<panorama-IP>"
  PAN_DEVICE_GROUP: "<panorama-device-group>"
  PAN_TEMPLATE_STACK: "<panorama-template-stack>"
  PAN_CGNAME: "<panorama-collector-group>"
  # ctnr mode: "k8s-service", "k8s-ilbservice"
  PAN_CTNR_MODE_TYPE: "k8s-service"
#Non-mandatory parameters
  # Recommended to have same name as the cluster name provided in Panorama Kubernetes plugin - helps with easier identification of pods if managing multiple clusters with same Panorama
  #CLUSTER_NAME: "<Cluster name>"
  #PAN_PANORAMA_IP2: ""
  # Comment out to use CERTs otherwise PSK for IPSec between pan-mgmt and pan-ngfw
  #IPSEC_CERT_BYPASS: ""         # No values needed
  # Override auto-detect of jumbo-frame mode and force enable system-wide
  #PAN_JUMBO_FRAME_ENABLED: "true"
  # Start MGMT pod with GTP enabled. For complete functionality, need GTP 
  # enable at Panorama as well.
  #PAN_GTP_ENABLED: "true"
  # Enable high feature capacities. These need high memory for MGMT pod and
  # higher/matching memory than specified below for NGFW pod.
  #PAN_NGFW_MEMORY="6Gi"
  #PAN_NGFW_MEMORY="40Gi"
  # For enabling faster datapath - AF_XDP, default is AF_PACKETV2. This requires kernel support.
  #PAN_DATA_MODE: "next-gen"
  #HPA params
  #PAN_CLOUD: "EKS"
  #PAN_NAMESPACE_EKS: "EKSNamespace"
  #PUSH_INTERVAL: "15" #time interval to publish metrics to AWS cloudwatch
        Sample pan-cn-mgmt.yaml
        initContainers:        - name: pan-mgmt-init          image: <your-private-registry-image-path>     
         containers:        - name: pan-mgmt          image: <your-private-registry-image-path>          terminationMessagePolicy: FallbackToLogsOnError
      3. Use Kubectl to run the yaml files.
        kubectl apply -f pan-cn-mgmt-configmap.yaml
        kubectl apply -f pan-cn-mgmt-slot-crd.yaml
        kubectl apply -f pan-cn-mgmt-slot-cr.yaml
        kubectl apply -f pan-cn-mgmt-secret.yaml
        kubectl apply -f pan-cn-mgmt.yaml
        You must run the pan-mgmt-serviceaccount.yaml, only if you had not previously completed the Create Service Account for Cluster Authentication.
      4. Verify that the CN-MGMT pods are up.
        It takes about 5-6 minutes.
        Use kubectl get pods -l app=pan-mgmt -n kube-system
    8. Deploy the CN-NGFW pods.
      1. Verify that you have modified the YAML files as detailed in PAN-CN-NGFW-CONFIGMAP and PAN-CN-NGFW.
        containers: - name: pan-ngfw-container image: <your-private-registry-image-path>
      2. Use Kubectl apply to run the pan-cn-ngfw-configmap.yaml.
        kubectl apply -f pan-cn-ngfw-configmap.yaml
      3. Use Kubectl apply to run the pan-cn-ngfw.yaml.
        kubectl apply -f pan-cn-ngfw.yaml
      4. Verify that the CN-NGFW Pods are running.
        kubectl get pods -n kube-system -l app=pan-ngfw -o wide
    9. Enable Horizontal Pod Autoscaling on the CN-Series.
    10. Verify that you can see CN-MGMT, CN-NGFW and the PAN-CNI on the Kubernetes cluster.
      kubectl -n kube-system get pods
    11. Annotate the application yaml or namespace so that the traffic from their new pods is redirected to the firewall.
      You need to add the following annotation to redirect traffic to the CN-NGFW for inspection:
      annotations:       	   	 paloaltonetworks.com/firewall: pan-fw
      For example, for all new pods in the “default” namespace:
      kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw
      On some platforms, the application pods can start when the pan-cni is not active in the CNI plugin chain. To avoid such scenarios, you must specify the volumes as shown here in the application pod YAML.
      volumes:      - name: pan-cni-ready        hostPath:          path: /var/log/pan-appinfo/pan-cni-ready          type: Directory
    12. Deploy your application in the cluster.

    © 2024 Palo Alto Networks, Inc. All rights reserved.