This repository contains charts and templates for deploying the Palo Alto Networks CN-Series containerized firewall using the Helm package manager for Kubernetes.

The Helm charts support PAN-OS versions 10.1.x and 10.2.x. The charts are based on the v3.0 YAML set, which can be found at https://github.com/PaloAltoNetworks/Kubernetes/tree/v3.0.3

The Release Notes and Deployment Guide are at https://docs.paloaltonetworks.com/cn-series/cn-series-firewall-release-notes/cn-series-firewall-release-notes
- CN-Series
  - CN-Series 10.1.x container images
- Panorama
  - Panorama 10.1.x
  - Kubernetes plugin for Panorama version 1.0.x, 2.0.x
  - Panorama must be accessible from the Kubernetes cluster
- Kubernetes
  - Kubernetes 1.16 - 1.24 cluster
  - A current kubeconfig file
- Helm
  - Helm 3.6+ client
- Clone the repository from GitHub

```bash
$ git clone https://github.com/PaloAltoNetworks/cn-series-helm.git
```

- Change into the repo directory

```bash
$ cd cn-series-helm
```
- `helm_cnv1` are charts that deploy as a daemon set
- `helm_cnv2` are charts that deploy as a service
- `helm_cnv3` are charts that deploy as a CNF
- Edit the `values.yaml` file and plug in your specific configs. Make sure to read through `values.yaml` to choose the specific deployment type and additional configurations.
Use the public-facing CN-Series repository for images from https://console.cloud.google.com/gcr/images/pan-cn-series/GLOBAL

Below is an example of `values.yaml` for cnv1:

```yaml
# The K8s environment
# Valid deployTo tags are: [gke|eks|aks|openshift|native]
# Valid multus tags are: [enable|disable]. Keep multus as enable for openshift and native deployments.
cluster:
  deployTo: eks
  multus: disable
# Panorama tags
panorama:
  ip: panorama.acmewidgets.com
  ip2:
  authKey: "000000000000000"
  deviceGroup: my-devicegroup
  template: my-stack
  cgName: my-collector
# MP container tags
mp:
  initImage: gcr.io/pan-cn-series/pan_cn_mgmt_init
  initVersion: latest
  image: gcr.io/pan-cn-series/panos_cn_mgmt
  version: 10.2.3
  cpuLimit: 4
# DP container tags
dp:
  image: gcr.io/pan-cn-series/panos_cn_ngfw
  version: 10.2.3
  cpuLimit: 2
# CNI container tags
cni:
  image: gcr.io/pan-cn-series/pan_cni
  version: latest
```
- To view the rendered YAMLs

```bash
helm install --debug --generate-name helm_cnv1/ --dry-run
```

- Do a lint check on the helm charts

```bash
helm lint helm_cnv1/
```

- To deploy the helm charts

```bash
helm install <deployment-name> helm_cnv1
```
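Before running `helm install`, it is worth checking `values.yaml` against the constraints stated in its own comments (valid `deployTo` tags, multus required for openshift and native) and making sure the sample `authKey` placeholder was actually replaced. The following pre-flight script is an added example and is not part of the cn-series-helm charts; it uses a minimal parser for the two-level layout shown above rather than a full YAML library, and the `BAD_VALUES` sample is constructed for illustration.

```python
# Pre-flight check for a CN-Series values.yaml before `helm install`.
# Added example, not part of the cn-series-helm charts; the rules come from
# the comments in the sample values.yaml above.

VALID_DEPLOY_TO = {"gke", "eks", "aks", "openshift", "native"}
MULTUS_REQUIRED = {"openshift", "native"}   # multus must stay enabled here
PLACEHOLDER_AUTHKEY = "000000000000000"     # sample value from the README


def parse_values(text: str) -> dict:
    """Minimal parser for the two-level 'section:' / '  key: value' layout of
    values.yaml (handles comments, empty values, quotes). Not general YAML."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, val = line.partition(":")
        val = val.strip().strip("\"'")
        if not raw[:1].isspace():           # unindented line opens a section
            section = key.strip()
            values[section] = {}
        elif section is not None:
            values[section][key.strip()] = val
    return values


def preflight(values: dict) -> list:
    """Return the problems found; an empty list means the file passes."""
    cluster, pano = values.get("cluster", {}), values.get("panorama", {})
    target, problems = cluster.get("deployTo", ""), []
    if target not in VALID_DEPLOY_TO:
        problems.append(f"cluster.deployTo={target!r} is not a valid tag")
    if target in MULTUS_REQUIRED and cluster.get("multus") != "enable":
        problems.append(f"cluster.multus must be 'enable' for {target}")
    if not pano.get("ip"):
        problems.append("panorama.ip is empty")
    if pano.get("authKey", "") in ("", PLACEHOLDER_AUTHKEY):
        problems.append("panorama.authKey is empty or still the placeholder")
    return problems


# Constructed sample: OpenShift with multus left disabled and the placeholder
# auth key still present, so preflight() reports both problems.
BAD_VALUES = """cluster:
  deployTo: openshift
  multus: disable
panorama:
  ip: panorama.acmewidgets.com
  authKey: "000000000000000"
"""
```

Run `preflight(parse_values(open("values.yaml").read()))` from the chart directory and abort the install if the returned list is not empty.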
- Add the cn-series repo to your local Helm client (the repo name must be `cn-series`, since the following commands reference `cn-series/cn-series`)

```bash
$ helm repo add cn-series https://paloaltonetworks.github.io/cn-series-helm
"cn-series" has been added to your repositories
```

- Confirm the repo has been added to your Helm client

```bash
$ helm search repo cn-series
NAME                 CHART VERSION   APP VERSION   DESCRIPTION
cn-series/cn-series  2.0.0           10.2.0        Palo Alto Networks CN-Series firewall Helm char...
```
- Select the Kubernetes cluster (switch to the kubeconfig context for the target cluster)

```bash
$ kubectl config use-context <context-name>
```
- Deploy using the Helm chart repo (Helm 3 syntax; the release name is a positional argument, and every line but the last needs a trailing `\`)

```bash
$ helm install <deployment-name> cn-series/cn-series \
  --set cluster.deployTo="gke|eks|aks|openshift" \
  --set cluster.multus="enable|disable" \
  --set panorama.ip="panorama hostname or ip" \
  --set panorama.ip2="panorama2 hostname or ip" \
  --set-string panorama.authKey="vm auth key" \
  --set panorama.deviceGroup="device group" \
  --set panorama.template="template stack" \
  --set panorama.cgName="collector group" \
  --set cni.image="container repo" \
  --set cni.version="container version" \
  --set mp.initImage="container repo" \
  --set mp.initVersion="container version" \
  --set mp.image="container repo" \
  --set mp.version="container version" \
  --set mp.cpuLimit="cpu max" \
  --set dp.image="container repo" \
  --set dp.version="container version" \
  --set dp.cpuLimit="cpu max"
```

Add further parameters to the above command as required by your desired deployment and configuration.