>
    Deploy the CN-Series Firewall as a Kubernetes Service on GKE
    Focus
    Download PDF
    Focus
    1. Home
    2. CN-Series
    3. Deploy the CN-Series Firewall on GKE
    4. Deploy the CN-Series Firewall as a Kubernetes Service on GKE
    Download PDF
    CN-Series

    Deploy the CN-Series Firewall as a Kubernetes Service on GKE

    Table of Contents

    Deploy the CN-Series Firewall as a Kubernetes Service on GKE

    Where Can I Use This?What Do I Need?
    • CN-Series deployment
    • CN-Series 10.1.x or above Container Images
    • Panorama running PAN-OS 10.1.x or above version
    • Helm 3.6 or above version client for CN-Series deployment using Helm
    Complete the following procedure to deploy the CN-Series firewall as a Kubernetes Service on GKE platform:
    1. Set up your Kubernetes cluster.
      To create a cluster in GKE, do the following:
      1. Click the navigation menu, go to Kubernetes Engine, and then select clusters.
      2. Click Create.
      3. Select the GKE Standard as the cluster mode that you want to use, and then click Configure.
      4. Enter the cluster basic information including Name, Version, Location, Node subnet, and then click Create.
        If your cluster is on GKE, make sure to enable the Kubernetes Network Policy API to allow the cluster administrator to specify which pods are allowed to communicate with each other. This API is required for the CN-NGFW and CN-MGMT Pods to communicate.
      1. Verify that the cluster has adequate resources. The default GKE node pool specification is not adequate for the CN-Series firewall. You must ensure that cluster has the CN-Series Prerequisites resources to support the firewall:
        kubectl get nodes
        kubectl describe node <node-name>
        View the information under the Capacity heading in the command output to see the CPU and memory available on the specified node.
        The CPU, memory and disk storage allocation will depend on your needs. See CN-Series Performance and Scaling.
        Ensure you have the following information:
        • Collect the Endpoint IP address for setting up the API server on Panorama.
          Panorama uses this IP address to connect to your Kubernetes cluster.
        • Collect the template stack name, device group name, Panorama IP address, and optionally the Log Collector Group Name from Panorama.
          For more information, see Create a Parent Device group and template stack.
        • Collect the authorization code and auto-registration PIN ID and value.
        • The location of the container image repository to which you downloaded the images.
    2. (optional) If you configured a custom certificate in the Kubernetes plugin for Panorama, you must create the cert secret by executing the following command. Do not change the file name from ca.crt. The volume for custom certificates in pan-cn-mgmt.yaml and pan-cn-ngfw.yaml is optional.
      kubectl -n kube-system create secret generic custom-ca --from-file=ca.crt
    3. Edit the YAML files to provide the details required to deploy the CN-Series firewalls.
      You must ensure that the value of PAN_PANORAMA_IP parameter on your YAML file matches with your actual Panorama IP address as shown in the diagram below:
      You must ensure that the parameter value of PAN_DEVICE_GROUP and PAN_TEMPLATE on your YAML file matches with the name of the device group and template stack that you created on Panorama as shown in the diagram below:
      You must ensure that the parameter value of PAN_PANORAMA_CG_NAME is same as the log collector name that you created.
      For more information, see Editable parameters in CN-Series deployment yaml files for details.
    4. If you are using autoscaling in your Kubernetes environment, see Enable Horizontal Pod scaling.
    5. Deploy the CN-NGFW service. Perform the following steps:
      When deployed as a Kubernetes Service, instances of the CN-NGFW can be deployed on security nodes and application pod traffic is redirected to an available CN-NGFW instance for inspection and enforcement.
      1. Verify that you have created the service account using the pan-cni-serviceaccount.yaml.
        See Create Service Account for Cluster Authentication.
      2. Use Kubectl to run the pan-cni-configmap.yaml.
        kubectl apply -f pan-cni-configmap.yaml
      3. Use kubectl to run the pan-cn-ngfw-svc.yaml.
        kubectl apply -f pan-cn-ngfw-svc.yaml
        This yaml must be deployed before pan-cni.yaml.
      4. Use Kubectl to run the pan-cni.yaml.
        kubectl apply -f pan-cni.yaml
      5. Verify that you have modified the pan-cni-configmap and pan-cni YAML files.
      6. Run the following command and verify that your output is similar to the following example.
    6. Deploy the CN-MGMT StatefulSet.
      By default, the management plane is deployed as a StatefulSet that provides fault tolerance. Up to 30 firewall CN-NGFW pods can connect to a CN-MGMT StatefulSet.
      1. (Required for statically provisioned PVs only) Deploy the Persistent Volumes (PVs) for the CN-MGMT StatefulSet.
        1. Create the directories to match the local volume names defined in the pan-cn-pv-local.yaml.
          You need six (6) directories on at least 2 worker nodes. Log in to each worker node on which the CN-MGMT StatefulSet will be deployed to create the directories. For example, to create directories named /mnt/pan-local1 to /mnt/pan-local6, use the command: 
          mkdir -p /mnt/pan-local1 /mnt/pan-local2 /mnt/pan-local3 /mnt/pan-local4 /mnt/pan-local5 /mnt/pan-local6
        2. Modify pan-cn-pv-local.yaml.
          Match the hostname under nodeaffinity, and verify that you have modified the directories you created above in spec.local.path then deploy the file to create a new storageclass pan-local-storage and local PVs.
      2. Verify that you have modified the pan-cn-mgmt-configmap and pan-cn-mgmt YAML files
        Sample pan-cn-mgmt-configmap from EKS.
        
	apiVersion: v1
kind: ConfigMap
metadata:
  name: pan-mgmt-config
  namespace: kube-system
data:
  PAN_SERVICE_NAME: pan-mgmt-svc
  PAN_MGMT_SECRET: pan-mgmt-secret
  # Panorama settings
  PAN_PANORAMA_IP: "<panorama-IP>"
  PAN_DEVICE_GROUP: "<panorama-device-group>"
  PAN_TEMPLATE_STACK: "<panorama-template-stack>"
  PAN_CGNAME: "<panorama-collector-group>"
  # ctnr mode: "k8s-service", "k8s-ilbservice"
  PAN_CTNR_MODE_TYPE: "k8s-service"
#Non-mandatory parameters
  # Recommended to have same name as the cluster name provided in Panorama Kubernetes plugin - helps with easier identification of pods if managing multiple clusters with same Panorama
  #CLUSTER_NAME: "<Cluster name>"
  #PAN_PANORAMA_IP2: ""
  # Comment out to use CERTs otherwise PSK for IPSec between pan-mgmt and pan-ngfw
  #IPSEC_CERT_BYPASS: ""         # No values needed
  # Override auto-detect of jumbo-frame mode and force enable system-wide
  #PAN_JUMBO_FRAME_ENABLED: "true"
  # Start MGMT pod with GTP enabled. For complete functionality, need GTP 
  # enable at Panorama as well.
  #PAN_GTP_ENABLED: "true"
  # Enable high feature capacities. These need high memory for MGMT pod and
  # higher/matching memory than specified below for NGFW pod.
  #PAN_NGFW_MEMORY="6Gi"
  #PAN_NGFW_MEMORY="40Gi"
  # For enabling faster datapath - AF_XDP, default is AF_PACKETV2. This requires kernel support.
  #PAN_DATA_MODE: "next-gen"
  #HPA params
  #PAN_CLOUD: "EKS"
  #PAN_NAMESPACE_EKS: "EKSNamespace"
  #PUSH_INTERVAL: "15" #time interval to publish metrics to AWS cloudwatch
        Sample pan-cn-mgmt.yaml
        initContainers:        - name: pan-mgmt-init          image: <your-private-registry-image-path>     
         containers:        - name: pan-mgmt          image: <your-private-registry-image-path>          terminationMessagePolicy: FallbackToLogsOnError
      3. Use Kubectl to run the yaml files.
        kubectl apply -f pan-cn-mgmt-configmap.yaml
        kubectl apply -f pan-cn-mgmt-slot-crd.yaml
        kubectl apply -f pan-cn-mgmt-slot-cr.yaml
        kubectl apply -f pan-cn-mgmt-secret.yaml
        kubectl apply -f pan-cn-mgmt.yaml
        You must run the pan-mgmt-serviceaccount.yaml, only if you had not previously completed the Create Service Account for Cluster Authentication.
      4. Verify that the CN-MGMT pods are up by running the following command:
        kubectl get pods -l app=pan-mgmt -n kube-system
        It takes about 5-6 minutes.
    7. Deploy the CN-NGFW pods.
      1. Verify that you have modified the YAML files as detailed in PAN-CN-NGFW-CONFIGMAP and PAN-CN-NGFW.
        containers: - name: pan-ngfw-container image: <your-private-registry-image-path>
      2. Use Kubectl apply to run the pan-cn-ngfw-configmap.yaml.
        kubectl apply -f pan-cn-ngfw-configmap.yaml
      3. Use Kubectl apply to run the pan-cn-ngfw.yaml.
        kubectl apply -f pan-cn-ngfw.yaml
      4. Verify that the CN-NGFW Pods are running.
        kubectl get pods -n kube-system -l app=pan-ngfw -o wide
    8. Enable horizontal pod autoscaling by performing the following steps:
      1. Deploy the Custom Metrics Stack Driver Adapter in your CN-Series cluster. The cluster name must be provided through a K8s secret.
      2. Download the GKE-specific HPA yaml files from the Palo Alto Networks GitHub repository.
      3. If your CN-MGMT is deployed in a custom namespace, update pan-cn-adapater.yaml with the custom namespace. The default namespace is kube-system.
      4. Update the HPA parameters in the GKE-specific pan-cn-mgmt-configmap.yaml.
        #PAN_CLOUD: "GKE"
        #HPA_NAME: "<name>" #unique name to identify hpa resource per namespace or per tenant
        #PUSH_INTERVAL: "15" #time interval to publish metrics to stackdriver
      5. Modify the pan-cn-hpa-dp.yaml and pan-cn-hpa-mp.yaml with the HPA_NAME (replace with the name) as updated in above pan-cn-mgmt-configmap.yaml file and update the metric based on which HPA should be triggered.
        1. Enter the minimum and maximum number of replicas.
        2. (Optional) Change the scale down and scale up frequency values to suit your deployment. If you do not change these values, the default values are used.
        3. (Optional) Change the threshold value for each metric you want to use for scaling. If you do not change these values, the default values are used.
        4. Save the changes.
      6. Deploy the HPA yaml files. The files must be deployed in the order described below.
        1. Use Kubectl to run the pan-cn-adapter.yaml
          kubectl apply -f pan-cn-adapter.yaml
        2. Use Kubectl to run the pan-cn-crole.yaml
          kubectl apply -f pan-cn-crole.yaml
        3. Use Kubectl to run the pan-cn-hpa-dp.yaml
          kubectl apply -f pan-cn-hpa-dp.yaml
        4. Use Kubectl to run the pan-cn-hpa-mp.yaml
          kubectl apply -f pan-cn-hpa-mp.yaml
      7. Verify your deployment.
        • Use kubectl to verify that the custom metrics adapter pod in the custom metrics namespace.
          kubectl get pods -n custom-metrics
        • Use kubectl to check for the HPA resource.
          kubectl get hpa -n kube-system
          kubectl describe hpa <hpa-name> -n kube-system
      For more information, see Enable Horizontal Pod Autoscaling on the CN-Series.
    9. Verify that you can see CN-MGMT, CN-NGFW and the PAN-CNI on the Kubernetes cluster.
      kubectl -n kube-system get pods
    10. Annotate the application yaml or namespace so that the traffic from their new pods is redirected to the firewall.
      You need to add the following annotation to redirect traffic to the CN-NGFW for inspection:
      annotations:       	   	 paloaltonetworks.com/firewall: pan-fw
      For example, for all new pods in the “default” namespace:
      kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw
      On some platforms, the application pods can start when the pan-cni is not active in the CNI plugin chain. To avoid such scenarios, you must specify the volumes as shown here in the application pod YAML.
      volumes:      - name: pan-cni-ready        hostPath:          path: /var/log/pan-appinfo/pan-cni-ready          type: Directory
    11. Deploy your application in the cluster.

    © 2024 Palo Alto Networks, Inc. All rights reserved.