Where Can I Use This? | What Do I Need? |
|
- CN-Series 10.1.x or above Container Images
- Panorama running PAN-OS 10.1.x or above version
- Helm 3.6 or above version client for CN-Series deployment with helm chart
|
The CN-Series firewall requires three service accounts with the minimum permissions that authorize it to communicate with your Kubernetes cluster resources. The service account (pan-plugin-user) created with the plugin-serviceaccount.yaml enables the Kubernetes plugin on Panorama to authenticate with the Kubernetes cluster for retrieving metadata on the pods. The other two YAML files, pan-mgmt-serviceaccount.yaml and pan-cni-serviceaccount.yaml, create the pan-mgmt-sa and the pan-cni-sa service accounts to enable the authentication between the fault-tolerant CN-MGMT pods, and between the CN-MGMT pod and the CN-NGFW pods.

By default, the YAML files create the service account and the secret in the kube-system namespace; the Kubernetes plugin will only look for the secret in the kube-system namespace.

To create the service accounts, your Kubernetes cluster should be ready.
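A post-deployment check for the namespace requirement above, as an added example that is not part of the vendor's documentation or tooling: it reads the JSON that `kubectl get serviceaccounts,secrets -A -o json` prints and reports whether each of the three accounts exists in kube-system. It assumes the plugin's secret is a standard `kubernetes.io/service-account-token` secret annotated with the account name; the function name, status strings and sample data are constructed for illustration.

```python
import json

NAMESPACE = "kube-system"
REQUIRED = ("pan-plugin-user", "pan-mgmt-sa", "pan-cni-sa")  # names from this page
TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"

def audit(kubectl_json):
    """Map each required account to ok / missing / wrong-namespace / no-token-secret."""
    sa_namespaces, token_owners = {}, set()
    for item in json.loads(kubectl_json).get("items", []):
        meta = item.get("metadata") or {}
        if item.get("kind") == "ServiceAccount":
            sa_namespaces.setdefault(meta.get("name"), set()).add(meta.get("namespace"))
        elif (item.get("kind") == "Secret" and item.get("type") == TOKEN_TYPE
              and meta.get("namespace") == NAMESPACE):
            token_owners.add((meta.get("annotations") or {}).get(SA_ANNOTATION))
    report = {}
    for name in REQUIRED:
        found = sa_namespaces.get(name, set())
        if not found:
            report[name] = "missing"
        elif NAMESPACE not in found:
            report[name] = "wrong-namespace:" + ",".join(sorted(found))
        elif name == "pan-plugin-user" and name not in token_owners:
            # Assumption: only the plugin account's token secret is checked here.
            report[name] = "no-token-secret"
        else:
            report[name] = "ok"
    return report

def _sa(name, ns):
    return {"kind": "ServiceAccount", "metadata": {"name": name, "namespace": ns}}

# Constructed sample, not output from a real cluster.
SAMPLE = json.dumps({"kind": "List", "items": [
    _sa("pan-plugin-user", "kube-system"),
    _sa("pan-mgmt-sa", "default"),          # deployed to the wrong namespace
    _sa("pan-cni-sa", "kube-system"),
    {"kind": "Secret", "type": TOKEN_TYPE,
     "metadata": {"name": "example-token", "namespace": "kube-system",
                  "annotations": {SA_ANNOTATION: "pan-plugin-user"}}},
]})

if __name__ == "__main__":
    for account, status in audit(SAMPLE).items():
        print(f"{account}: {status}")
```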