CN-Series Firewalls for Securing Kubernetes Deployments

Learn how the containerized version of PAN-OS secures Kubernetes environments in the public and private cloud.
As you adopt Kubernetes (k8s) and containers for application development and operational agility, the CN-Series enables security administrators to provision security for containerized applications across different Kubernetes environments. The CN-Series firewall facilitates consistent policy enforcement when multiple teams are involved in the application lifecycle:
  • Platform (PAAS) Admin - Manages the Kubernetes clusters and other infrastructure components in public and private cloud.
  • App teams - Deploy their individual containerized and other applications in Kubernetes namespaces/projects provided by the PAAS admin.
  • Security Admin - Provisions security for the entire deployment including Kubernetes clusters and individual containerized applications.
The CN-Series firewall requires Panorama and the Kubernetes plugin on Panorama to enable centralized management, licensing, and security policy enforcement. The container-native firewall is integrated into Kubernetes so that you can use Kubernetes constructs and deploy the firewalls along with the applications. The firewall fits into Kubernetes networking to apply policy before NAT, and it uses labels to dynamically learn of IP address changes so that it can enforce security policies as containers come and go rapidly.
And as your containerized applications communicate with other applications running in VMs, physical servers or other containers, the CN-Series firewall and Panorama provide oversight and control over traffic between container pods, between individual containers, and with other workload types, including virtual machines and bare-metal servers.
  1. Review the supported environments and components required for the CN-Series firewall on Kubernetes.
    Make sure to purchase the auth code for the CN-Series firewalls.
  2. Get the images and files for the CN-Series.
  3. Register the auth code on the CSP and generate the registration PIN for the device certificate.
  4. Create the service accounts for cluster authentication.
  5. Edit the YAML files for deploying the firewall within your Kubernetes cluster.
  6. Deploy the CN-Series firewalls within the cluster.
  7. Configure Panorama to secure your Kubernetes setup.
    Monitor the logs on Panorama to verify that your policies work as expected.
