Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 6.2.3 Handbook
    6.2.3
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Kubernetes Connector

    Kubernetes Connector

    When you create a fabric connector for Kubernetes, you are specifying how FortiADC can communicate with Kubernetes.

    FortiADC will be authenticated to periodically (default 30s) get Kubernetes objects (services, nodes) and dynamically populates and updates the related objects, including pool member and real server in its server pool configuration.

    Requirements:

    • The Kubernetes service is required to be exposed with NodePort type.

    To obtain the IP address, port, and secret token in Kubernetes:

    When configuring the Kubernetes connector in FortiADC, you must provide the IP address and port that the Kubernetes deployment is running on.

    1. On the primary node of your Kubernetes cluster, run kubectl config view to get the IP address.
      The following is an example. Take note of the IP address.

    2. Run kubectl get services to get the port number. FortiADC only supports "NodePort" service type.
      The following is an example:

      Take note of the port number of this service, i.e. service-1236 in the above example.
    3. Create a cluster role to grant the FortiADC permission to perform operations and retrieve objects.
      1. Run cat > <filename>.yaml to create a yaml file specifying the cluster role.
        For example, running cat > access_clusterrole.yaml will create the file "access_clusterrole.yaml".
        Then, type the following to insert it in the file. In this example, the role is named as psn-reader. You can give it other names as you desire. Remember to Type Ctrl-d at the end to save the file.

        apiVersion: rbac.authorization.k8s.io/v1

        kind: ClusterRole

        metadata:

        # "namespace" omitted since ClusterRoles are not namespaced

        name: psn-reader

        rules:

        - apiGroups: [""]

        resources: ["pods", "services", "nodes"]

        verbs: ["get", "watch", "list"]

      2. Run cat > <filename>.yaml to create a yaml file, then insert the following to attach the cluster role to a service account.
        In the following example, the file "cluster_role_bind.yaml" is created, and the role "psn-reader" is attached to the service account "default" for it to read pods, node, or services in default namespace.
        If you want to attach the role to a new service account, use kubectl create serviceaccount <Service_account_name> to create one, then attach the role to it.
        Remember to Type Ctrl-d at the end to save the file.

        ~# cat > cluster_role_bind.yaml

        apiVersion: rbac.authorization.k8s.io/v1

        kind: ClusterRoleBinding

        metadata:

        name: read-psn-global

        subjects:

        - kind: ServiceAccount

        name: default #name is case sensitive

        namespace: default

        roleRef:

        kind: ClusterRole

        name: psn-reader

        apiGroup: rbac.authorization.k8s.io

      3. Run kubectl apply -f access_clusterrole.yaml to execute the configurations in this file.
      4. Run kubectl apply -f cluster_role_bind.yaml to execute the configurations in this file.
    4. Get secret token.
      1. Run kubectl get secrets to view the secrets.
      2. Run kubectl describe secrets <secret_token_name> -n <service_account_name> to view the secret token. Take note of the token.
        In the following example, the information of the secret token "default-token-x8mth" stored in "default" service account is displayed.

    To create a Kubernetes Connector:

    1. Go to Security Fabric > External Connectors.
    2. Click Create New.
    3. Under Private SDN, select Kubernetes. The Kubernetes screen is displayed.
    4. Configure the following options, and then click Save. You will be required to provide the IP address, port, and the secret token you have obtained in the above section: To obtain the IP address, port, and secret token in Kubernetes:
      Name Type a name for the external connector object.
      Status

      Toggle on to enable the external connector object.

      Toggle off to disable the external connector object.
      Update Interval (s)

      Specify the update interval for the connector to get Kubernetes objects and dynamically updates the IP addresses.

      IP Type the IP address of the Kubernetes API server.
      Port

      Specify the port that FortiADC uses to communicate with the Kubernetes API server.

      Secret Token

      Specify the secret token.

    After the connector is created, you can select this connector when creating a server pool. FortiADC will then get the IP addresses of the real servers from the Kubernetes deployment and dynamically populates the objects in server pool configuration, as shown in the following screenshots.

    Previous
    Next

    Kubernetes Connector

    Kubernetes Connector

    When you create a fabric connector for Kubernetes, you are specifying how FortiADC can communicate with Kubernetes.

    FortiADC will be authenticated to periodically (default 30s) get Kubernetes objects (services, nodes) and dynamically populates and updates the related objects, including pool member and real server in its server pool configuration.

    Requirements:

    • The Kubernetes service is required to be exposed with NodePort type.

    To obtain the IP address, port, and secret token in Kubernetes:

    When configuring the Kubernetes connector in FortiADC, you must provide the IP address and port that the Kubernetes deployment is running on.

    1. On the primary node of your Kubernetes cluster, run kubectl config view to get the IP address.
      The following is an example. Take note of the IP address.

    2. Run kubectl get services to get the port number. FortiADC only supports "NodePort" service type.
      The following is an example:

      Take note of the port number of this service, i.e. service-1236 in the above example.
    3. Create a cluster role to grant the FortiADC permission to perform operations and retrieve objects.
      1. Run cat > <filename>.yaml to create a yaml file specifying the cluster role.
        For example, running cat > access_clusterrole.yaml will create the file "access_clusterrole.yaml".
        Then, type the following to insert it in the file. In this example, the role is named as psn-reader. You can give it other names as you desire. Remember to Type Ctrl-d at the end to save the file.

        apiVersion: rbac.authorization.k8s.io/v1

        kind: ClusterRole

        metadata:

        # "namespace" omitted since ClusterRoles are not namespaced

        name: psn-reader

        rules:

        - apiGroups: [""]

        resources: ["pods", "services", "nodes"]

        verbs: ["get", "watch", "list"]

      2. Run cat > <filename>.yaml to create a yaml file, then insert the following to attach the cluster role to a service account.
        In the following example, the file "cluster_role_bind.yaml" is created, and the role "psn-reader" is attached to the service account "default" for it to read pods, node, or services in default namespace.
        If you want to attach the role to a new service account, use kubectl create serviceaccount <Service_account_name> to create one, then attach the role to it.
        Remember to Type Ctrl-d at the end to save the file.

        ~# cat > cluster_role_bind.yaml

        apiVersion: rbac.authorization.k8s.io/v1

        kind: ClusterRoleBinding

        metadata:

        name: read-psn-global

        subjects:

        - kind: ServiceAccount

        name: default #name is case sensitive

        namespace: default

        roleRef:

        kind: ClusterRole

        name: psn-reader

        apiGroup: rbac.authorization.k8s.io

      3. Run kubectl apply -f access_clusterrole.yaml to execute the configurations in this file.
      4. Run kubectl apply -f cluster_role_bind.yaml to execute the configurations in this file.
    4. Get secret token.
      1. Run kubectl get secrets to view the secrets.
      2. Run kubectl describe secrets <secret_token_name> -n <service_account_name> to view the secret token. Take note of the token.
        In the following example, the information of the secret token "default-token-x8mth" stored in "default" service account is displayed.

    To create a Kubernetes Connector:

    1. Go to Security Fabric > External Connectors.
    2. Click Create New.
    3. Under Private SDN, select Kubernetes. The Kubernetes screen is displayed.
    4. Configure the following options, and then click Save. You will be required to provide the IP address, port, and the secret token you have obtained in the above section: To obtain the IP address, port, and secret token in Kubernetes:
      Name Type a name for the external connector object.
      Status

      Toggle on to enable the external connector object.

      Toggle off to disable the external connector object.
      Update Interval (s)

      Specify the update interval for the connector to get Kubernetes objects and dynamically updates the IP addresses.

      IP Type the IP address of the Kubernetes API server.
      Port

      Specify the port that FortiADC uses to communicate with the Kubernetes API server.

      Secret Token

      Specify the secret token.

    After the connector is created, you can select this connector when creating a server pool. FortiADC will then get the IP addresses of the real servers from the Kubernetes deployment and dynamically populates the objects in server pool configuration, as shown in the following screenshots.

    Previous
    Next