Red Hat OpenShift's OVN-Kubernetes Container Network Interface (CNI) plug-in is the default network provider for OpenShift Container Platform, beginning with Red Hat OpenShift 4.12, taking over for OpenShift-SDN as the primary network provider in OpenShift clusters.
Now, Palo Alto Networks’ CN-Series Container Next-Generation Firewall (NGFW) product formally supports the OVN-Kubernetes CNI plug-in on OpenShift clusters in addition to OpenShift-SDN.
Red Hat OpenShift Networking's OVN-Kubernetes CNI plug-in
If the ovn-kubernetes CNI plug-in is new to your team, allow us to introduce you to its functionality and some of the ways it differs from the OpenShift-SDN CNI plug-in.
OVN-Kubernetes is based on the Open Virtual Network (OVN) open source project and leverages OVN, which is vendor-agnostic, to manage network traffic flows. An OpenShift cluster using the ovn-kubernetes CNI plug-in runs Open vSwitch (OVS) on each node, a multilayer virtual switch, which OVN then configures to implement the declared network configuration. See the OVN-Kubernetes Red Hat product documentation for more information.
Advantages of the OVN-Kubernetes CNI plug-in
Red Hat has built upon OVN-Kubernetes' feature parity with feature-frozen OpenShift-SDN and focused exclusively on OVN-Kubernetes for all new networking feature development since its release. Here we explain just a few of the initial key advantages of OVN-Kubernetes leading to this shift:
- Full support for IPv6 single-stack and IPv4/IPv6 dual-stack networking (on supported platforms). As is widely known, IPv6 is necessary to account for the IPv4 available addresses dwindling over time.
- Support for hybrid clusters containing both Linux and Windows workloads. Support for hybrid networking is important to end users, particularly those who have not, or will not for many reasons, switch to exclusively Linux workloads.
- Optional IPsec encryption for intra-cluster communications. The IPSec encryption option enhances data confidentiality and integrity within the cluster. Beginning with OCP 4.15, North-South (egress-ingress) capabilities will be enabled.
- Offload of network data processing from host CPU to compatible network cards and data processing units (DPUs). Enhances the ability to scale the performance of the cluster by offloading onto additional hardware.
Palo Alto Networks CN-Series Container NGFW
CN-Series is an industry-leading containerized next-generation firewall, purpose-built for containers and Kubernetes environments. CN-Series is designed to protect containerized applications against modern application attacks and data exfiltration carried out by advanced and ever-evolving security adversaries. Palo Alto Network’s CN-Series protects from threats both known and unknown while ensuring consistent security posture and performance across hybrid cloud environments.
To ease the adoption and enhance the experience of the CN-Series firewall, network security and DevOps teams can use the tooling and processes that they are familiar with and already use in their environments to deploy and configure the product, including Helm charts, Terraform templates, and Kubernetes Operators.
Getting started
Try out their supported methods of deployment, as described in their product documentation, today on OpenShift.
