In this tutorial, the Kubernetes agent will be deployed on the Kubernetes cluster node installed in AWS EKS.
First, the EC2 instance public IP address will need to be added to the EKS cluster node to allow access from the EC2 instance. Then the AWS user can log into an AWS EC2 instance and then connect to the EKS cluster node. Lastly, the fcli command line tool will be downloaded and executed in the EKS cluster node to deploy the Kubernetes agent.
- From the AWS console, search for and go to EC2, select the EC2 instance that you will be using, and record its public IP address.
- Now search for and go to EKS, click on the Kubernetes cluster and select the Configuration > Networking tab.
- Click Manage networking, then click the Advanced Settings drop-down menu to add the EC2 instance public IP address to the list of public access endpoints. The IP should end in "/32". For example: if the IP is 22.214.171.124, then enter 126.96.36.199/32. Then click Save changes.
- Go back to the EC2 instance, click Connect and select the SSH client tab, and use the command shown there to connect to the instance from an SSH client such as Git Bash or PuTTY.
- When you log into the EC2 instance, type
aws configure
and enter your AWS Access Key ID and AWS Secret Access Key; leave Default region name and Default output format empty. (The AWS Access Key ID and AWS Secret Access Key were only shown to you when you created them in your AWS account.)
- Now you can access the AWS EKS cluster; type
aws eks --region <region> update-kubeconfig --name <cluster name>
For example:
aws eks --region us-west-2 update-kubeconfig --name autotestcluster
- Check to see if you have access to the cluster nodes:
kubectl get nodes
- Download the fcli command line tool:
- Change the permission of the fcli command line tool so that it is executable:
chmod +x fcli
- There are two methods to deploy the Kubernetes agent controller. The first method runs the fcli command line tool as a single command, while the second method splits the deployment into multiple consecutive commands.
- First method: execute the deploy command as shown on the Add Kubernetes Cluster page from the kubectl command line:
./fcli deploy kubernetes --token <AccessToken> --region <Region>
- Second method: execute the deploy commands separately:
fcli config <Token>
Note: The token is provided on the Add Kubernetes Cluster page.
When prompted for the region, enter "global" for a non-European region, or "eu" for a European region.
fcli deploy kubernetes
- If the fcli command was executed successfully, run the command below to verify it. A successful deployment should look like the output below, with all worker nodes, the controller, and the scanner in Running status:
kubectl get pods -n fortinet
Note: Make sure the scanner node has enough space to pull and scan images before deploying the Kubernetes Agent pods. To prevent the Kubernetes Agent pods from being deployed on nodes that are not ready, use the following command:
kubectl taint nodes <node name> node.kubernetes.io/not-ready:NoSchedule
Example: kubectl taint nodes ip-192-168-51-200.eu-central-1.compute.internal node.kubernetes.io/not-ready:NoSchedule
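As an added example (not part of the original tutorial and not Fortinet's own code), the POSIX shell script below turns the two checks above into functions you can run after deployment: one confirms that every pod in the agent namespace is in Running status, and the other lists the nodes that are not Ready and prints the exact taint command from the note for each of them. Both functions parse the plain listings that kubectl get pods and kubectl get nodes print, so they run here on constructed sample output without a cluster; the pod names, node names and version strings in the samples are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Post-deployment checks for the
# Kubernetes agent, driven by the text that `kubectl get pods` / `kubectl get nodes` print.

# check_all_running LISTING
# LISTING is `kubectl get pods -n <namespace>` output (header line, then one pod
# per line; STATUS is the third column). Prints "<pod>:<status>" for every pod
# that is not Running. Returns 0 only when at least one pod exists and all are Running.
check_all_running() {
    listing="$1"
    not_running=$(printf '%s\n' "$listing" | awk 'NR > 1 && NF >= 3 && $3 != "Running" { print $1 ":" $3 }')
    pod_count=$(printf '%s\n' "$listing" | awk 'NR > 1 && NF >= 3 { n++ } END { print n + 0 }')
    if [ "$pod_count" -eq 0 ]; then
        echo "no pods found in listing" >&2
        return 1
    fi
    if [ -n "$not_running" ]; then
        printf '%s\n' "$not_running"
        return 1
    fi
    return 0
}

# not_ready_nodes LISTING
# LISTING is `kubectl get nodes` output (STATUS is the second column). Prints the
# name of every node whose status is not exactly "Ready"; a node reporting
# "Ready,SchedulingDisabled" is deliberately included, since it cannot take pods either.
not_ready_nodes() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 && $2 != "Ready" { print $1 }'
}

# taint_commands LISTING
# Prints, but does not run, the taint command from the tutorial note for each
# node that is not Ready, so the operator can review it before applying.
taint_commands() {
    not_ready_nodes "$1" | while read -r node; do
        printf 'kubectl taint nodes %s node.kubernetes.io/not-ready:NoSchedule\n' "$node"
    done
}

# Live variants for a real cluster (assume kubectl is configured, as after update-kubeconfig).
check_cluster_pods()  { check_all_running "$(kubectl get pods -n "${1:-fortinet}" 2>/dev/null)"; }
cluster_taint_commands() { taint_commands "$(kubectl get nodes 2>/dev/null)"; }

# Constructed sample: a healthy deployment (pod names are assumptions).
HEALTHY_LISTING='NAME                                    READY   STATUS    RESTARTS   AGE
k8s-agent-controller-5d7c9b6f4d-abcde   1/1     Running   0          3m
k8s-agent-scanner-7f8d6c5b4a-fghij      1/1     Running   0          3m
k8s-agent-worker-6c7d8e9f0a-klmno       1/1     Running   0          3m'

# Constructed sample: the scanner pod cannot pull its image (e.g. node out of disk).
UNHEALTHY_LISTING='NAME                                    READY   STATUS             RESTARTS   AGE
k8s-agent-controller-5d7c9b6f4d-abcde   1/1     Running            0          3m
k8s-agent-scanner-7f8d6c5b4a-fghij      0/1     ImagePullBackOff   0          3m'

# Constructed sample: one of two nodes is NotReady.
NODE_LISTING='NAME                                           STATUS     ROLES    AGE   VERSION
ip-192-168-10-11.us-west-2.compute.internal    Ready      <none>   10d   v1.27.1
ip-192-168-51-200.us-west-2.compute.internal   NotReady   <none>   10d   v1.27.1'

# Demonstration on the constructed samples (no cluster required).
check_all_running "$HEALTHY_LISTING" && echo "healthy sample: all pods Running"
check_all_running "$UNHEALTHY_LISTING" || echo "unhealthy sample: the pods listed above are not Running"
taint_commands "$NODE_LISTING"
```

On a real cluster, call check_cluster_pods (optionally with a namespace other than fortinet) and cluster_taint_commands; the latter only prints the taint commands, so nothing is changed until you run them yourself.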