Deploy Kubernetes Agent Controller


After pressing Add Kubernetes Cluster, follow the steps below to deploy the Kubernetes Agent controller to the Kubernetes cluster.

  1. Click download fcli to download the fcli command line tool for deploying Container Protection on the Kubernetes cluster.

    If the fcli download link does not work, use the following download links:

    Operating System    FCLI Command Line Tool Download Link
    Mac OS              https://forticwp-kubernetes-agent.s3.amazonaws.com/mac/fcli
    Linux               https://forticwp-kubernetes-agent.s3.amazonaws.com/linux/fcli

  2. Transfer the file to a location that has access to the Kubernetes cluster using kubectl. On the command line, change the permission of the fcli command line tool:

    chmod +x fcli

  3. kubectl is used to access the Kubernetes cluster. Make sure the kubectl user that is configured to access the Kubernetes cluster has cluster-admin access.

    For example, use the following command to display the kubectl config file, which provides the current context and user information:

    kubectl config view

    To set up cluster-admin access, the user needs to have the following rules set up:

    - apiGroups - *
    - resources - *
    - verbs - *

    This is how the rules in the cluster admin file should be configured:

  4. Execute the deploy command shown on the Add Kubernetes Cluster page in the kubectl environment:

    ./fcli deploy kubernetes --token <AccessToken> --region <Region>

  5. If the fcli command was executed successfully, run the command below to verify it:

    kubectl get pods -n fortinet

    A successful deployment should look like below with the command:

Note: Make sure the scanner node has enough space to pull and scan images before deploying the Kubernetes Agent pods. To prevent the Kubernetes Agent pods from being deployed on nodes that are not ready, use the following command:

kubectl taint nodes <node name> node.kubernetes.io/not-ready:NoSchedule

Example: kubectl taint nodes ip-192-168-51-200.eu-central-1.compute.internal node.kubernetes.io/not-ready:NoSchedule
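
The cluster-admin requirement and the verification command above can be checked by script instead of by eye. The following is an added example, not Fortinet's code: the function names and the `preflight`/`verify` arguments are assumptions, while the `fortinet` namespace and the kubectl commands come from this page.

```shell
#!/bin/sh
# Added example: pre-flight and post-deploy checks around the fcli deployment.
# The namespace is taken from the page; everything else is illustrative.
NAMESPACE=fortinet

# Reads `kubectl auth can-i` output on stdin; succeeds only on a literal "yes".
is_yes() {
    read -r answer || true
    [ "$answer" = "yes" ]
}

# True when the current kubectl user may use any verb on any resource in any
# API group, which is what the wildcard cluster-admin rules grant.
has_cluster_admin() {
    kubectl auth can-i '*' '*' --all-namespaces 2>/dev/null | is_yes
}

# Reads `kubectl get pods --no-headers` output on stdin (NAME READY STATUS ...).
# Succeeds only if at least one pod is listed and every pod is Running with
# all of its containers ready (READY column n/n). Anything else is reported.
pods_all_ready() {
    awk '
        NF < 3 { next }
        {
            seen++
            split($2, r, "/")
            if ($3 != "Running" || r[1] != r[2]) {
                bad++
                print "not ready: " $1 " (" $2 ", " $3 ")" > "/dev/stderr"
            }
        }
        END { exit ((seen > 0 && bad == 0) ? 0 : 1) }
    '
}

# Post-deploy check for the namespace the agent pods are listed in.
verify_deployment() {
    kubectl get pods -n "$NAMESPACE" --no-headers | pods_all_ready
}

# Usage: sh checks.sh preflight   (before ./fcli deploy)
#        sh checks.sh verify      (after ./fcli deploy)
case "${1:-}" in
    preflight)
        has_cluster_admin || { echo "current user lacks cluster-admin" >&2; exit 1; } ;;
    verify)
        verify_deployment && echo "all pods in $NAMESPACE are ready" ;;
esac
```

An empty pod list counts as a failure, so a deployment that created nothing is not reported as healthy.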
