Kubernetes clusters generally have an average of 4 nodes, and every node has 1 Kubernetes agent installed for monitoring and security protection by Container Protection.
Each node uses 1 license seat from FortiCWP Container Guardian.
Container Guardian not only provides container protection, but also provides Workload Protection for the same host (VM).
For example, if Container Guardian has a capacity of 200 license seats, it will also provide the Workload Protection service for 200 virtual machines.
Click Company at the top right of the main dashboard to access the Company Info.
In the example below, under the License Purchased section, the Container Guardian license has a capacity of 200 nodes, or 200 license seats.
The Service Info section shows that 27 out of 200 nodes are in use, so there are still 173 nodes available.
Go to the Configure > Kubernetes Cluster page. The Total Node # column shows the total number of nodes used by each cluster.
The Container Guardian Status column shows the status of each cluster.
Click on the Action button to turn On/Off the Container Guardian.
When Container Guardian is turned off, all license seats used by the cluster will be released and become available for other clusters.
In the example above, there are 4 nodes used by the GKE Kubernetes cluster. When Container Guardian is turned off, the license seats of all 4 nodes will be released, and the total number of license seats available would increase to 177.
| Container Guardian Status | Description |
|---|---|
| On | Container Guardian manually turned on by user. |
| Off by User | Container Guardian manually turned off by user. |
| Off by System | Container Guardian automatically turned off by the system due to insufficient license seats. |
When the available license seats are used up and there are not enough license seats for a newly added Kubernetes cluster, Container Protection will optimize resource distribution by turning off 1 or more clusters. The clusters that are turned off will have the Off by System status, but they remain in a queue and will have license seats assigned to them when seats become available.
When a cluster is turned off, all the license seats assigned to it are freed up and made available for other clusters.
The system determines which cluster(s) to turn off following the precedence below:
- Unhealthy Kubernetes Agent Status - the clusters with unhealthy status would take first precedence to be turned off over other clusters with healthy status.
- Number of nodes - the clusters with the least number of nodes will take second precedence to be turned off to minimize the number of clusters that need to be turned off.
Container Protection checks every 30 minutes to determine which Kubernetes clusters need to be turned off to optimize resource distribution.
For example, the cluster below that is unhealthy and at the same time only has 1 node would be turned off first by the system when all license seats are used up.
To avoid getting cluster(s) turned off by the system, turn off the unhealthy clusters or clusters that are not a priority for the container protection service.
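The precedence described above can be modelled to predict which clusters would lose protection (Off by System) when seats run out. This is an added example, not FortiCWP code: the cluster names, node counts, the name tie-break and the rule of stopping as soon as demand fits the capacity are assumptions, and only the 200-seat capacity and the two precedence rules come from this page.

```python
from dataclasses import dataclass

@dataclass
class Cluster:
    name: str
    nodes: int              # each node consumes one license seat
    healthy: bool           # Kubernetes agent status
    user_off: bool = False  # "Off by User": holds no seats, never selected

def plan_shutdown(clusters, capacity):
    """Return (names that would go Off by System, seats still in use)."""
    active = [c for c in clusters if not c.user_off]
    demand = sum(c.nodes for c in active)
    # Page precedence: unhealthy first (False sorts before True),
    # then fewest nodes. Name as last tie-break is an assumption.
    order = sorted(active, key=lambda c: (c.healthy, c.nodes, c.name))
    off = []
    for c in order:
        if demand <= capacity:
            break
        off.append(c.name)
        demand -= c.nodes
    return off, demand

def fleet(staging_user_off=False):
    # Constructed sample fleet: 213 nodes requested against 200 seats.
    return [
        Cluster("prod-a", 120, True),
        Cluster("prod-b", 60, True),
        Cluster("staging", 18, True, user_off=staging_user_off),
        Cluster("new-cluster", 10, True),
        Cluster("gke-dev", 4, True),
        Cluster("legacy", 1, False),
    ]

if __name__ == "__main__":
    # Left to the system: three clusters lose protection to free 15 seats.
    print(plan_shutdown(fleet(), 200))
    # Turning off one low-priority cluster by hand keeps the rest protected.
    print(plan_shutdown(fleet(staging_user_off=True), 200))
```

Running the model against an inventory before adding a cluster shows whether a manual Off by User on a low-priority cluster would keep the remaining clusters protected.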