Fortinet black logo

Handbook

Kubernetes Connector

Kubernetes Connector

When you create a fabric connector for Kubernetes, you are specifying how FortiADC can communicate with Kubernetes.

FortiADC will be authenticated to periodically (default 30s) get Kubernetes objects (services, nodes) and dynamically populates and updates the related objects, including pool member and real server in its server pool configuration.

Requirements:

  • The Kubernetes service is required to be exposed with NodePort type.

To obtain the IP address, port, and secret token in Kubernetes:

When configuring the Kubernetes connector in FortiADC, you must provide the IP address and port that the Kubernetes deployment is running on.

  1. On the primary node of your Kubernetes cluster, run kubectl config view to get the IP address.
    The following is an example. Take note of the IP address.

  2. Run kubectl get services to get the port number. FortiADC only supports "NodePort" service type.
    The following is an example:

    Take note of the port number of this service, i.e. service-1236 in the above example.
  3. Create a cluster role to grant the FortiADC permission to perform operations and retrieve objects.
    1. Run cat > <filename>.yaml to create a yaml file specifying the cluster role.
      For example, running cat > access_clusterrole.yaml will create the file "access_clusterrole.yaml".
      Then, type the following to insert it in the file. In this example, the role is named as psn-reader. You can give it other names as you desire. Remember to Type Ctrl-d at the end to save the file.

      apiVersion: rbac.authorization.k8s.io/v1

      kind: ClusterRole

      metadata:

      # "namespace" omitted since ClusterRoles are not namespaced

      name: psn-reader

      rules:

      - apiGroups: [""]

      resources: ["pods", "services", "nodes"]

      verbs: ["get", "watch", "list"]

    2. Run cat > <filename>.yaml to create a yaml file, then insert the following to attach the cluster role to a service account.
      In the following example, the file "cluster_role_bind.yaml" is created, and the role "psn-reader" is attached to the service account "default" for it to read pods, node, or services in default namespace.
      If you want to attach the role to a new service account, use kubectl create serviceaccount <Service_account_name> to create one, then attach the role to it.
      Remember to Type Ctrl-d at the end to save the file.

      ~# cat > cluster_role_bind.yaml

      apiVersion: rbac.authorization.k8s.io/v1

      kind: ClusterRoleBinding

      metadata:

      name: read-psn-global

      subjects:

      - kind: ServiceAccount

      name: default #name is case sensitive

      namespace: default

      roleRef:

      kind: ClusterRole

      name: psn-reader

      apiGroup: rbac.authorization.k8s.io

    3. Run kubectl apply -f access_clusterrole.yaml to execute the configurations in this file.
    4. Run kubectl apply -f cluster_role_bind.yaml to execute the configurations in this file.
  4. Get secret token.
    1. Run kubectl get secrets to view the secrets.
    2. Run kubectl describe secrets <secret_token_name> -n <service_account_name> to view the secret token. Take note of the token.
      In the following example, the information of the secret token "default-token-x8mth" stored in "default" service account is displayed.

To create a Kubernetes Connector:

  1. Go to Security Fabric > External Connectors.
  2. Click Create New.
  3. Under Private SDN, select Kubernetes. The Kubernetes screen is displayed.
  4. Configure the following options, and then click Save. You will be required to provide the IP address, port, and the secret token you have obtained in the above section: To obtain the IP address, port, and secret token in Kubernetes:
    Name Type a name for the external connector object.
    Status

    Toggle on to enable the external connector object.

    Toggle off to disable the external connector object.

    Update Interval (s)

    Specify the update interval for the connector to get Kubernetes objects and dynamically updates the IP addresses.

    IP Type the IP address of the Kubernetes API server.
    Port

    Specify the port that FortiADC uses to communicate with the Kubernetes API server.

    Secret Token

    Specify the secret token.

After the connector is created, you can select this connector when creating a server pool. FortiADC will then get the IP addresses of the real servers from the Kubernetes deployment and dynamically populates the objects in server pool configuration, as shown in the following screenshots.

Kubernetes Connector

When you create a fabric connector for Kubernetes, you are specifying how FortiADC can communicate with Kubernetes.

FortiADC will be authenticated to periodically (default 30s) get Kubernetes objects (services, nodes) and dynamically populates and updates the related objects, including pool member and real server in its server pool configuration.

Requirements:

  • The Kubernetes service is required to be exposed with NodePort type.

To obtain the IP address, port, and secret token in Kubernetes:

When configuring the Kubernetes connector in FortiADC, you must provide the IP address and port that the Kubernetes deployment is running on.

  1. On the primary node of your Kubernetes cluster, run kubectl config view to get the IP address.
    The following is an example. Take note of the IP address.

  2. Run kubectl get services to get the port number. FortiADC only supports "NodePort" service type.
    The following is an example:

    Take note of the port number of this service, i.e. service-1236 in the above example.
  3. Create a cluster role to grant the FortiADC permission to perform operations and retrieve objects.
    1. Run cat > <filename>.yaml to create a yaml file specifying the cluster role.
      For example, running cat > access_clusterrole.yaml will create the file "access_clusterrole.yaml".
      Then, type the following to insert it in the file. In this example, the role is named as psn-reader. You can give it other names as you desire. Remember to Type Ctrl-d at the end to save the file.

      apiVersion: rbac.authorization.k8s.io/v1

      kind: ClusterRole

      metadata:

      # "namespace" omitted since ClusterRoles are not namespaced

      name: psn-reader

      rules:

      - apiGroups: [""]

      resources: ["pods", "services", "nodes"]

      verbs: ["get", "watch", "list"]

    2. Run cat > <filename>.yaml to create a yaml file, then insert the following to attach the cluster role to a service account.
      In the following example, the file "cluster_role_bind.yaml" is created, and the role "psn-reader" is attached to the service account "default" for it to read pods, node, or services in default namespace.
      If you want to attach the role to a new service account, use kubectl create serviceaccount <Service_account_name> to create one, then attach the role to it.
      Remember to Type Ctrl-d at the end to save the file.

      ~# cat > cluster_role_bind.yaml

      apiVersion: rbac.authorization.k8s.io/v1

      kind: ClusterRoleBinding

      metadata:

      name: read-psn-global

      subjects:

      - kind: ServiceAccount

      name: default #name is case sensitive

      namespace: default

      roleRef:

      kind: ClusterRole

      name: psn-reader

      apiGroup: rbac.authorization.k8s.io

    3. Run kubectl apply -f access_clusterrole.yaml to execute the configurations in this file.
    4. Run kubectl apply -f cluster_role_bind.yaml to execute the configurations in this file.
  4. Get secret token.
    1. Run kubectl get secrets to view the secrets.
    2. Run kubectl describe secrets <secret_token_name> -n <service_account_name> to view the secret token. Take note of the token.
      In the following example, the information of the secret token "default-token-x8mth" stored in "default" service account is displayed.

To create a Kubernetes Connector:

  1. Go to Security Fabric > External Connectors.
  2. Click Create New.
  3. Under Private SDN, select Kubernetes. The Kubernetes screen is displayed.
  4. Configure the following options, and then click Save. You will be required to provide the IP address, port, and the secret token you have obtained in the above section: To obtain the IP address, port, and secret token in Kubernetes:
    Name Type a name for the external connector object.
    Status

    Toggle on to enable the external connector object.

    Toggle off to disable the external connector object.

    Update Interval (s)

    Specify the update interval for the connector to get Kubernetes objects and dynamically updates the IP addresses.

    IP Type the IP address of the Kubernetes API server.
    Port

    Specify the port that FortiADC uses to communicate with the Kubernetes API server.

    Secret Token

    Specify the secret token.

After the connector is created, you can select this connector when creating a server pool. FortiADC will then get the IP addresses of the real servers from the Kubernetes deployment and dynamically populates the objects in server pool configuration, as shown in the following screenshots.