CN-Series
Deploy the CN-Series on OpenShift Operator Hub
On your OpenShift environment, deploy the CN-Series firewalls.
The CN-Series container firewall is available on the Red Hat OpenShift Operator Hub.
You can deploy, configure, and operate CN-Series container firewalls directly from
the Red Hat OpenShift Operator Hub.
Prerequisites for CN-Series on OpenShift Operator Hub:
The following are the prerequisites for deploying the CN-Series firewall from the
OpenShift Operator Hub:
-
License the CN-Series firewall. The Kubernetes plugin on Panorama manages CN-Series firewall licensing. Generate your authorization code and have it on hand when you are ready to deploy the CN-Series firewall. For more information, see License the CN-Series Firewall.
-
Deploy Panorama. You must use Panorama to configure, deploy, and manage your CN-Series firewall deployment. For more information about deploying and setting up a Panorama appliance, see Set up Panorama.
-
Ensure that the OpenShift cluster adheres to the CN-Series Prerequisites.
-
Ensure that you have access to the Palo Alto Networks Customer Support Portal (CSP) and have Flex credits.
-
Ensure that you are a Red Hat customer with an OpenShift license and an account that has permission to create resources in OpenShift.
For more information, see How To Easily Deploy CN-series on RedHat
Openshift Operator Hub.
Deploy the CN-Series on an OpenShift Operator Hub:
The pan-cni plugin secures traffic on the default eth0 interface of the application
pod. If you have multi-homed pods, you can configure the CN-NGFW pod to secure
additional interfaces that use a bridge-based connection to communicate with other
pods or the host. Depending on the annotation in the application YAML, you can
configure the CN-Series firewall to inspect traffic from all interfaces or from a
selected subset of the interfaces attached to each pod.
Because pan-cni does not create a network, it does not need to allocate IP addresses
the way other CNI plugins do.
PAN-OS 10.2 or later is required to deploy the CN-Series from the OpenShift Operator
Hub.
Following are the steps to deploy the CN-Series firewall from your Red Hat OpenShift
Operator Hub:
- Log in to the Red Hat OpenShift web console.
- Go to Operators, and then click OperatorHub.
- Enter Palo Alto in the OperatorHub search box.
- Click the pan-cn-series-operator tile. The install window opens.
- Click Install to install the pan-cn-series operator on your OpenShift cluster. Complete the pre-installation steps before you continue with the deployment steps below. If your service credential file is larger than 10 KB, gzip the file and then base64-encode the compressed file before you upload or paste its contents into the Panorama CLI or API.
- On the navigation menu, go to Installed Operators, and then click the pan-cn-series-operator that you installed.
- Click Create Instance.
- Enter a unique operand Name.
- Enter the Minimum Replicas for DP, the Memory Unit, and the vCPU Limit for the DP and MP pods. For information on vCPU limits, see CN-Series Key Performance Metrics.
- Enter the Panorama IP Address.
- (Optional) Enter the Secondary Panorama IP Address for a Panorama HA deployment.
- Enter the CN-Series Panorama Auth Key.
- Enter the Panorama Device Group.
- Enter the Panorama Template Stack.
- Enter the Panorama Log Collector Group Name.
- (Optional) Enter the Customer Support Portal (CSP) Pin ID, Pin Value, and Alternate URL.
- Based on your PAN-OS version, link to the appropriate DP, MP, and CNI images in the CN-Series container registry console.
- Click Create.
- On the navigation menu, go to Pods.
- Select the openshift-operators project, and then the kube-system project, to view the name and status of the CNI, management, and data plane pods that were deployed as part of the operand. You can also check the firewall deployment status on Panorama: the Device State changes to Connected within 5 minutes of deployment.
- Configure the PALO ALTO NETWORKS-CNI plugin to work with the Multus CNI plugin. The Multus CNI on OpenShift functions as a meta-plugin that calls other CNI plugins. For each application you must:
-
Deploy pan-cni-net-attach-def.yaml in every application pod namespace by running the following command:
    kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
-
Modify the application YAML. After you deploy pan-cni-net-attach-def.yaml, add the following annotations to the app pod YAML:
    paloaltonetworks.com/firewall: pan-fw
    k8s.v1.cni.cncf.io/networks: pan-cni
If the k8s.v1.cni.cncf.io/networks annotation already lists other networks, add pan-cni after the networks whose traffic you want inspected. Networks that follow pan-cni in the list are not redirected to the firewall and are not inspected. If your pod has multiple network interfaces, specify the interface names for which you want the CN-NGFW pod to inspect traffic under the interfaces section of the pan-cni-configmap.yaml file. For example, in a Deployment pod template:
    template:
      metadata:
        annotations:
          paloaltonetworks.com/firewall: pan-fw
          k8s.v1.cni.cncf.io/networks: pan-cni
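The ordering rule above is easy to get wrong in a pod that already carries several Multus networks: only the networks listed before pan-cni are redirected through the CN-NGFW pod, so a network appended after it silently bypasses inspection. The following script is an added example, not code from the CN-Series docs or from the pan-cni project. It checks a Pod or a Deployment pod template for the two annotations and reports which secondary networks will and will not be inspected, applying the rule exactly as this page states it (eth0 is always handled by pan-cni). The two sample manifests and their network names are constructed for the example.

```python
"""Check pod manifests for the pan-cni Multus annotations described above.

Added example, not code from the CN-Series docs or the pan-cni project.
It encodes the rule on this page: pan-cni must appear in the
k8s.v1.cni.cncf.io/networks annotation, networks listed before it are
redirected through the CN-NGFW pod for inspection, and networks listed
after it are not. The sample manifests below are constructed for this example.
"""
import json

FIREWALL_ANNOTATION = "paloaltonetworks.com/firewall"
NETWORKS_ANNOTATION = "k8s.v1.cni.cncf.io/networks"
PAN_CNI = "pan-cni"


def parse_networks(value):
    """Return the network names in a Multus networks annotation.

    Multus accepts a comma-separated list ("a, ns/b@eth2") or a JSON array
    of {"name": ...} objects. Namespace prefixes and "@ifname" suffixes are
    stripped so that names compare cleanly against PAN_CNI.
    """
    value = (value or "").strip()
    if not value:
        return []
    if value.startswith("["):
        entries = [item["name"] for item in json.loads(value)]
    else:
        entries = [item.strip() for item in value.split(",") if item.strip()]
    return [entry.split("/")[-1].split("@")[0] for entry in entries]


def pod_annotations(obj):
    """Return the pod annotations of a Pod, or of a Deployment/DaemonSet template."""
    template = obj.get("spec", {}).get("template")
    metadata = (template or obj).get("metadata", {})
    return metadata.get("annotations") or {}


def inspection_report(obj):
    """Classify the secondary networks of a workload as inspected or not.

    Returns a dict with the firewall flag, the networks redirected through
    the CN-NGFW (those before pan-cni), the networks left uninspected (those
    after pan-cni) and a list of errors; eth0 is always inspected by pan-cni.
    """
    annotations = pod_annotations(obj)
    errors = []
    firewall = annotations.get(FIREWALL_ANNOTATION) == "pan-fw"
    if not firewall:
        errors.append(f"missing '{FIREWALL_ANNOTATION}: pan-fw' annotation")
    networks = parse_networks(annotations.get(NETWORKS_ANNOTATION))
    if PAN_CNI not in networks:
        errors.append(f"'{PAN_CNI}' is not listed in {NETWORKS_ANNOTATION}")
        return {"firewall": firewall, "inspected": [], "uninspected": networks, "errors": errors}
    idx = networks.index(PAN_CNI)
    return {
        "firewall": firewall,
        "inspected": networks[:idx],
        "uninspected": networks[idx + 1:],
        "errors": errors,
    }


# Constructed sample: a Deployment whose pods join two extra Multus networks.
# "macvlan-net" precedes pan-cni and is inspected; "mgmt-net" follows it and is not.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "demo"},
    "spec": {
        "template": {
            "metadata": {
                "annotations": {
                    FIREWALL_ANNOTATION: "pan-fw",
                    NETWORKS_ANNOTATION: "macvlan-net, pan-cni, demo/mgmt-net@eth2",
                }
            }
        }
    },
}

# Constructed sample: a Pod that was never wired up for the CN-Series firewall.
SAMPLE_UNPROTECTED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "db", "annotations": {NETWORKS_ANNOTATION: "macvlan-net"}},
}


if __name__ == "__main__":
    for obj in (SAMPLE_DEPLOYMENT, SAMPLE_UNPROTECTED_POD):
        print(obj["metadata"]["name"], inspection_report(obj))
```

To use this against a live cluster, dump the manifests with `kubectl get deploy,pod -A -o json` (or `oc`), feed each item to `inspection_report`, and treat any non-empty `uninspected` list as something to justify explicitly: a network listed after pan-cni is not a misconfiguration in itself, but it is traffic the CN-NGFW pod will never see.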