Configure the Kubernetes plugin - PaloAltoNetworks/cn-series-deploy GitHub Wiki

The following steps complete the integration of Panorama with the Kubernetes API, using the Kubernetes plugin for Panorama. The plugin's purpose is to learn new labels and propagate those labels to Panorama device groups. These labels may include Kubernetes labels, services, namespaces, and other metadata from which Dynamic Address Group match criteria may be defined.

Steps

  1. Configure the Kubernetes Plugin for Panorama.

    1. Retrieve the pan-plugin-user service account credentials from the Kubernetes master.

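      # MY_TOKEN holds the name of the service account's token secret, not the token itself.
      $ MY_TOKEN=$(kubectl get serviceaccounts pan-plugin-user -n kube-system -o jsonpath='{.secrets[0].name}')
      # Quoted so that an empty lookup cannot turn into a request for every secret in kube-system.
      $ kubectl get secret "$MY_TOKEN" -n kube-system -o json > ~/Downloads/pan-plugin-user.json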
      
    2. Create a Cluster definition in the Panorama Kubernetes plugin. Use the Kubernetes master address displayed in the Terraform output and the JSON credentials file located at ~/Downloads/pan-plugin-user.json. Define the labels that will be imported from the Kubernetes API.

    3. Create a Notify Group definition in the Panorama Kubernetes plugin. This will be used to propagate the labels learned from the Kubernetes API to a Panorama Device Group.

    4. Create a Monitoring Definition in the Panorama plugin. Use the Cluster and Notify Group definitions created in the previous steps.

    5. Commit to Panorama.

    6. Confirm API connectivity and MP container registrations by clicking on the Detailed Status and Cluster MPs within the Monitoring Definition.

  2. You are now ready to deploy a sample application and protect it with the CN-Series Firewall.
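
A pre-upload check for the file exported in step 1.1, as an added example that is not part of the wiki or the cn-series-deploy project: it confirms the JSON is a service-account token secret whose token subject is pan-plugin-user in kube-system, and restricts the file to its owner because it contains a bearer token. The function names and the constructed sample secret are assumptions made for illustration.

```python
import base64
import json
import os
import stat

# Subject expected for the pan-plugin-user account in kube-system (names from step 1.1).
EXPECTED_SUB = "system:serviceaccount:kube-system:pan-plugin-user"

def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def constructed_sample(sub=EXPECTED_SUB):
    """Constructed stand-in for pan-plugin-user.json; the token is unsigned dummy data."""
    jwt = ".".join([b64url({"alg": "RS256"}), b64url({"sub": sub}), "c2ln"])
    pem = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {"kind": "Secret", "type": "kubernetes.io/service-account-token",
            "data": {"token": enc(jwt), "ca.crt": enc(pem)}}

def check_secret(secret):
    """Return a list of problems in a `kubectl get secret -o json` document."""
    problems = []
    if secret.get("kind") != "Secret":
        problems.append("kind is not Secret")
    if secret.get("type") != "kubernetes.io/service-account-token":
        problems.append("type is not kubernetes.io/service-account-token")
    data = secret.get("data") or {}
    try:
        pem = base64.b64decode(data.get("ca.crt") or "", validate=True)
        if not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
            problems.append("data.ca.crt is not a PEM certificate")
    except ValueError:
        problems.append("data.ca.crt is not valid base64")
    try:
        jwt = base64.b64decode(data.get("token") or "", validate=True).decode("ascii")
        payload = jwt.split(".")[1]  # JWT segments are unpadded base64url
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        sub = claims.get("sub") if isinstance(claims, dict) else None
        if sub != EXPECTED_SUB:
            problems.append(f"token subject is {sub!r}, expected {EXPECTED_SUB!r}")
    except (ValueError, IndexError):
        problems.append("data.token is not a base64-encoded JWT")
    return problems

def check_file(path):
    """Restrict the exported file to its owner, then validate its contents."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # the file holds a bearer token
    with open(path) as fh:
        return check_secret(json.load(fh))
```

Run `check_file` on ~/Downloads/pan-plugin-user.json before step 1.2; an empty list means the file has the expected shape. The check does not verify the token signature.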