Ease Deployment with OVN CNI Support for CN-Series on Red Hat OpenShift

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L3 Networker

Title_Ease-Deployment-with-OVN-CNI-Support_palo-alto-networks.jpg

 

This blog was written in collaboration by Chintan Udeshi from Palo Alto Networks and Marc Curry from Red Hat.

 

 

Ease Deployment with OVN CNI Support for CN-Series on Red Hat OpenShift

 

We are pleased to announce the support for Red Hat OpenShift Networking’s OVN-Kubernetes Container Network Interface (CNI) plugin while running CN-Series Container Firewalls on Red Hat OpenShift. With this release, customers can use CN-Series container firewalls to protect applications running on Red Hat OpenShift clusters with the OVN-Kubernetes CNI plug-in. 

 

Red Hat OpenShift is a leading enterprise Kubernetes platform that enables a cloud-like experience everywhere it is deployed. Whether in the cloud, on-premise, or at the edge, Red Hat OpenShift gives you the ability to choose where you build, deploy, and run applications with a consistent experience.

 

Network Security Needs to Extend to Containers

 

Regardless of whether applications are running on bare metal, virtual machines, or containers using on-premise or cloud infrastructure, applications are all exposed to the same vulnerabilities as they run on the shared network stack. Therefore, containerized apps face the same threats that have traditionally plagued legacy apps. Shift-left security products help to identify and patch known vulnerabilities at scale, but leave applications vulnerable to unknown and unpatched vulnerabilities.

 

Red Hat OpenShift Networking’s OVN-Kubernetes CNI Plug-In

 

OVN-Kubernetes is based on the Open Virtual Network (OVN) open-source project and leverages OVN, which is vendor-agnostic, to manage network traffic flows. An OpenShift cluster using the OVN-Kubernetes CNI plug-in runs Open vSwitch (OVS) on each node, a multilayer virtual switch, which OVN then configures to implement the declared network configuration. [1]

 

Advantages of the OVN-Kubernetes CNI Plug-In

Red Hat has built upon OVN-Kubernetes' feature parity with feature-frozen OpenShift-SDN and focused exclusively on OVN-Kubernetes for all new networking feature development since its release. Here are the key advantages of OVN-Kubernetes leading to this shift:

 

  • Full support for IPv6 single-stack and IPv4/IPv6 dual-stack networking (on supported platforms). As is widely known, IPv6 is necessary to account for the IPv4 available addresses dwindling over time. 
  • Support for hybrid clusters containing both Linux and Windows workloads. Support for hybrid networking is important to end users, particularly those who have not, or will not for many reasons, switch to exclusively linux workloads.
  • Optional IPsec encryption for intra-cluster communications. The IPSec encryption option enhances data confidentiality and integrity within the cluster. Beginning with OCP 4.15, North-South (egress-ingress) capabilities will be enabled.
  • Offload of network data processing from host CPU to compatible network cards and data processing units (DPUs). Enhances the ability to scale the performance of the cluster by offloading onto additional hardware. 

 

CN-Series Container Firewall and Red Hat OpenShift

 

CN-Series has been supported on Red Hat OpenShift for a couple of years now with the OpenShift-SDN CNI. After numerous requests from customers to support the OVN-Kubernetes CNI plug-in alongside the existing support for OpenShift-SDN for CN-Series, we are now pleased to announce support for OVN-Kubernetes on OpenShift with Palo Alto Networks CN-Series Firewall to protect applications running on OpenShift clusters leveraging the OVN-Kubernetes CNI plug-in.


CN-Series is the industry’s first NGFW purpose-built for containers and has been designed to protect containerized apps from known and unknown threats while maintaining a consistent security posture across containerized and non-containerized applications running on-prem or in the cloud. Additionally, the network security and DevOps teams can continue to use the processes and tools they use today and ensure a frictionless deployment using Helm charts, Terraform templates, and operators. 

 

With OVN-kubernetes CNI support with CN-Series, customers can:

  1. Scale network security while executing digital transformation
  2. Protect containerized apps against known and unknown threats as shown in the figure below. 
  3. Maintain consistent tooling and management
  4. Implement IPsec encryption
  5. Use IPv6 routing
  6. Gather kubernetes network policy logs

 

Figure 1: Stopping the lateral movement of threats running on Red Hat OpenShift cluster using the CN-Series Firewall .Figure 1: Stopping the lateral movement of threats running on Red Hat OpenShift cluster using the CN-Series Firewall .

 

To learn more about how CN-Series can protect applications running on Red Hat OpenShift, please check out Securing Red Hat Clusters with CN-Series Firewall Video and CN-Series and Red Hat OpenShift Joint Solution Brief . You can deploy CN-Series from Red Hat OpenShift OpertorHub

 

Additional Reference Links:

About the OVN-Kubernetes CNI network plugin

[1] OVN-Kubernetes Red Hat Product Documentation

CN-Series Product Documentation

 

  • 2069 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Top Liked Authors