Repository for Palo Alto Networks Kubernetes Security - CN Series.

CN-Series Next-Generation Firewall Deployment

This is a repository for YAMLs to deploy CN-Series Next-Generation firewall from Palo Alto Networks.

All the YAMLs required to deploy CN-Series on a given cloud platform are present under that cloud platform specific directory. Users can use these YAMLs as is to deploy CN-Series quickly after filling in just these fields from their setup:

In pan-cni.yaml, pan-cn-mgmt.yaml and pan-cn-ngfw.yaml:
    image: <your-private-registry-image-path>

In pan-cn-mgmt-secret.yaml:
    PAN_PANORAMA_AUTH_KEY: <panorama-auth-key>
    # Thermite Certificate retrieval 

In pan-cn-mgmt-configmap.yaml:
    # Panorama settings
    PAN_PANORAMA_IP: <panorama-IP>
    PAN_DEVICE_GROUP: <panorama-device-group>
    PAN_TEMPLATE_STACK: <panorama-template-stack>
    PAN_CGNAME: <panorama-collector-group>
    # Intended License Bundle type - "CN-X-BASIC", "CN-X-BND1", "CN-X-BND2"
    # based on the authcode applied on the Panorama K8S plugin
    PAN_BUNDLE_TYPE: <license-bundle-type>

For production deployment, it's expected users would want to customize the YAMLs as per below:

  • Resources (cpu, memory) fields in pan-cn-mgmt.yaml and pan-cn-ngfw.yaml are pre-populated but should be customized to better suit the deployment scenario.
  • There are some optional fields in the configmaps which users can add e.g. PAN_PANORAMA_IP2 for Panorama in HA, or CLUSTER_NAME for easier identification when managing multiple Kubernetes clusters under the same Panorama. Note: For complex setup and advanced topics needing modifications in the YAMLs, refer to the deployment documentations for details. Changing a field might require modification in multiple places and multiple YAMLs.

Once the YAMLs have been modified as desired, these YAMLs can be deployed as:

kubectl apply -f plugin-serviceaccount.yaml
kubectl apply -f pan-cni-serviceaccount.yaml
kubectl apply -f pan-mgmt-serviceaccount.yaml
kubectl apply -f pan-cni-configmap.yaml
kubectl apply -f pan-cni.yaml
kubectl apply -f pan-cn-mgmt-secret.yaml
kubectl apply -f pan-cn-mgmt-configmap.yaml
kubectl apply -f pan-cn-mgmt.yaml
kubectl apply -f pan-cn-ngfw-configmap.yaml
kubectl apply -f pan-cn-ngfw.yaml

To enable the security for the application pods, apply the following annotation to their YAMLs, OR, to enable the security for all the pods in a given namespace, apply this annotation to the namespace: paloaltonetworks.com/firewall: pan-fw e.g. for "default" namespace

kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw

Multus and OpenShift

Multus CNI acts as a "meta-plugin", that calls other CNI plugins. OpenShift comes with multus enabled, so its pan-cni.yaml takes care of that. For platforms where Multus is optional and supported e.g. self-managed (native), a separate pan-cni-multus.yaml is provided which should be used instead of pan-cni.yaml.

To make PAN-CNI plugin work with multus, these 2 extra steps are needed for the application pods:

  • A NetworkAttachmentDefinition "pan-cni" needs to be deployed in every app pod's namespace kubectl apply -f pan-cni-net-attach-def.yaml -n <target-namespace>
  • An annotation k8s.v1.cni.cncf.io/networks: pan-cni in the app pod yaml

Refer to the deployment documentations for more details on it.


Developer Sites


Copyright © 2021 Palo Alto Networks, Inc. All rights reserved.