Fortinet Document Library

Private cloud Kubernetes SDN connector using secret token
7.0.0
Obtaining the IP address, port, and secret token in Kubernetes

Configuring a Kubernetes (K8s) private cloud SDN connector in FortiOS requires the IP address and port that the K8s deployment is running on, as well as an authentication token.

To obtain the IP address, port, and secret token in K8s:
  1. When configuring the K8s SDN connector in FortiOS, you must provide the IP address and port that the K8s deployment is running on. Run kubectl cluster-info to obtain the IP address and port. Note down the IP address and port. The following shows the IP address and port for a local cluster:

    The following shows the IP address and port for customer-managed K8s on Google Cloud Platform:

  2. Generate the authentication token:
    1. Create a service account to store the authentication token:
      1. Run the kubectl create serviceaccount <service_account_name> command. For example, if the service account name is fortigateconnector, the command is kubectl create serviceaccount fortigateconnector.
      2. Run the kubectl get serviceaccounts command to verify that you created the service account. The account should show up in the service account list.
    2. Create a cluster role. K8s 1.6 and later versions allow you to configure role-based access control (RBAC). RBAC is an authorization mechanism to manage resource permissions on K8s. You must create a cluster role to grant the FortiGate permission to perform operations and retrieve objects:
      1. Create the yaml file by running the vi <filename>.yaml command. For example, if the yaml file name is fgtclusterrole, the command is vi fgtclusterrole.yaml. Paste the following:

        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          # "namespace" omitted since ClusterRoles are not namespaced
          name: fgt-connector
        rules:
        - apiGroups: [""]
          resources: ["pods", "namespaces", "nodes", "services"]
          verbs: ["get", "watch", "list"]

        The resources list specifies the objects that FortiOS can retrieve. The verbs list specifies the operations that FortiOS can perform.

      2. Run the kubectl apply -f <filename>.yaml command to apply the yaml file and create the cluster role. In this example, the command is kubectl apply -f fgtclusterrole.yaml.
      3. Run the kubectl create clusterrolebinding fgt-connector --clusterrole=<cluster_rolename> --serviceaccount=default:<service_account_name> to attach the cluster role to the service account. In this example, the command is kubectl create clusterrolebinding fgt-connector --clusterrole=fgt-connector --serviceaccount=default:fortigateconnector.
    3. Run the kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='fortigateconnector')].data.token}" | base64 --decode command to obtain the secret token. The jsonpath filter selects the token secret annotated with the service account name; as the token is Base64 encoded, the command pipes it through base64 --decode to extract the decoded token string. Note down the token.
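As an added illustration (not Fortinet's code or part of this page), the Python below mirrors step 3's jsonpath lookup against a constructed secrets listing and emulates kubectl auth can-i against the cluster role from step 2, so you can confirm the connector account ends up read-only. The secret names and token values are constructed placeholders, not real cluster data.

```python
import base64
import json

# Constructed sample of what "kubectl get secrets -o json" might return once the
# fortigateconnector service account has a token secret. Tokens are placeholders.
SECRETS_JSON = json.dumps({"items": [
    {"metadata": {"name": "default-token-abc12",
                  "annotations": {"kubernetes.io/service-account.name": "default"}},
     "type": "kubernetes.io/service-account-token",
     "data": {"token": base64.b64encode(b"default-token-placeholder").decode()}},
    {"metadata": {"name": "fortigateconnector-token-xyz89",
                  "annotations": {"kubernetes.io/service-account.name": "fortigateconnector"}},
     "type": "kubernetes.io/service-account-token",
     "data": {"token": base64.b64encode(b"fgt-token-placeholder").decode()}},
]})

# The fgt-connector ClusterRole from the procedure, as a Python structure.
FGT_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "fgt-connector"},
    "rules": [{"apiGroups": [""],
               "resources": ["pods", "namespaces", "nodes", "services"],
               "verbs": ["get", "watch", "list"]}],
}

READ_ONLY_VERBS = {"get", "list", "watch"}

def service_account_token(secrets_json, sa_name):
    """Mirror the jsonpath filter: return the base64-decoded token of the secret
    annotated with sa_name, or None if no such secret exists (on Kubernetes 1.24+
    token secrets are no longer auto-created, so None means one must be created)."""
    for item in json.loads(secrets_json).get("items", []):
        annotations = item.get("metadata", {}).get("annotations", {})
        if annotations.get("kubernetes.io/service-account.name") == sa_name:
            return base64.b64decode(item["data"]["token"]).decode()
    return None

def can_i(role, verb, resource, api_group=""):
    """Emulate 'kubectl auth can-i <verb> <resource>' using only this role's rules."""
    for rule in role["rules"]:
        if api_group in rule["apiGroups"] or "*" in rule["apiGroups"]:
            if resource in rule["resources"] or "*" in rule["resources"]:
                if verb in rule["verbs"] or "*" in rule["verbs"]:
                    return True
    return False

def excess_verbs(role):
    """Return any verbs granted beyond the read-only set the connector needs."""
    return sorted({v for r in role["rules"] for v in r["verbs"]} - READ_ONLY_VERBS)
```

On a live cluster the same check is kubectl auth can-i delete pods --as=system:serviceaccount:default:fortigateconnector, which should answer no.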