Collecting only node IP addresses with Kubernetes SDN connectors
By default, Kubernetes SDN connectors return both pod and node IP addresses. A dynamic firewall address that uses a Kubernetes SDN connector can be configured to resolve to node IP addresses only. Results can also be filtered by specific IP addresses.
Example
In this example, a Kubernetes SDN connector and two dynamic firewall addresses are created. One of the addresses is configured to resolve only node IP addresses, while the other resolves both the pod and node IP addresses.
GUI configuration
To configure a Kubernetes SDN connector in the GUI:
- Go to Security Fabric > External Connectors and click Create New.
- Select Kubernetes, then configure the connector settings:
    Name: kuber_cloud
    IP: 35.236.76.254
    Port: Specify - 443
    Secret token: *********
- Click OK.
To create the two dynamic firewall addresses in the GUI:
- Go to Policy & Objects > Addresses and click Create New > Address, then configure the address settings:
    Name: k8s_node_only
    Type: Dynamic
    Sub Type: Fabric Connector Address
    SDN Connector: kuber_cloud
    SDN address type: Private
    Collect node addresses only: Enabled
    Filter: K8S_NodeName=gke-zhmkc-hzhong-pool-3cb2c973-5mhw
- Click OK.
- Click Create New > Address again to create the second address.
- Configure the same settings as the first address, except set Name to k8s_node_pod and disable Collect node addresses only.
- Click OK.
To check the resolved IP addresses of the two dynamic addresses in the GUI:
- Go to Policy & Objects > Addresses.
- In the address list, hover the cursor over the k8s_node_only address. Only the node IP address is resolved.
- Hover over the k8s_node_pod address. Both the node IP address and the pod IP addresses are resolved.
The resolved IP addresses can be verified by accessing the Kubernetes cluster directly; see Verify the resolved IP addresses.
CLI configuration
To configure a Kubernetes SDN connector in the CLI:
config system sdn-connector
    edit "kuber_cloud"
        set type kubernetes
        set server "35.236.76.254"
        set server-port 443
        set secret-token *********
    next
end
To create the two dynamic firewall addresses in the CLI:
config firewall address
    edit "k8s_node_only"
        set type dynamic
        set sdn "kuber_cloud"
        set color 19
        set filter "K8S_NodeName=gke-zhmkc-hzhong-pool-3cb2c973-5mhw"
        set node-ip-only enable
    next
    edit "k8s_node_pod"
        set type dynamic
        set sdn "kuber_cloud"
        set color 19
        set filter "K8S_NodeName=gke-zhmkc-hzhong-pool-3cb2c973-5mhw"
        set node-ip-only disable
    next
end
To check the resolved IP addresses of the two dynamic addresses in the CLI:
# show firewall address
config firewall address
    ...
    edit "k8s_node_only"
        ...
        config list
            edit "10.0.2.12"
            next
        end
    next
    edit "k8s_node_pod"
        ...
        config list
            edit "10.0.2.12"
            next
            edit "10.32.3.2"
            next
            edit "10.32.3.3"
            next
            edit "10.32.3.4"
            next
            edit "10.32.3.5"
            next
            edit "10.32.3.6"
            next
            edit "10.32.3.7"
            next
            edit "10.32.3.8"
            next
            edit "10.32.3.9"
            next
        end
    next
end
The resolved IP addresses can be verified by accessing the Kubernetes cluster directly.
Verify the resolved IP addresses
To confirm the node IP address:
fosqa@pc56:~$ kubectl get nodes gke-zhmkc-hzhong-pool-3cb2c973-5mhw -o wide
NAME                                  STATUS   ROLES    AGE    VERSION          INTERNAL-IP   EXTERNAL-IP     OS-IMAGE                             KERNEL-VERSION   CONTAINER-RUNTIME
gke-zhmkc-hzhong-pool-3cb2c973-5mhw   Ready    <none>   532d   v1.12.7-gke.10   10.0.2.12     35.236.118.65   Container-Optimized OS from Google   4.14.106+        docker://17.3.2
To confirm the node and pod IP addresses:
fosqa@pc56:~$ kubectl get pods --all-namespaces -o wide | grep gke-zhmkc-hzhong-pool-3cb2c973-5mhw
default       guestbook-qcg7j                                  1/1   Running   0   186d   10.32.3.9   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
default       redis-master-mstb4                               1/1   Running   0   186d   10.32.3.8   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
default       redis-slave-7tgcv                                1/1   Running   0   186d   10.32.3.5   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   fluentd-gcp-scaler-6965bb45c9-2lpp2              1/1   Running   0   239d   10.32.3.4   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   fluentd-gcp-v3.2.0-nnlnp                         2/2   Running   0   239d   10.0.2.12   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   heapster-gke-7858846d4d-vqc4d                    3/3   Running   0   186d   10.32.3.6   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   kube-dns-5995c95f64-rqn4b                        4/4   Running   0   186d   10.32.3.7   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   kube-dns-autoscaler-8687c64fc-dq9fn              1/1   Running   0   239d   10.32.3.2   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   kube-proxy-gke-zhmkc-hzhong-pool-3cb2c973-5mhw   1/1   Running   0   532d   10.0.2.12   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   metrics-server-v0.3.1-5c6fbf777-7bchg            2/2   Running   0   239d   10.32.3.3   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
kube-system   prometheus-to-sd-xndgs                           2/2   Running   0   186d   10.0.2.12   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>   <none>
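As an added example (not part of this documentation and not FortiOS code), the following Python script reproduces what the two dynamic addresses resolve to from the structured form of the kubectl output above (`kubectl get nodes -o json` and `kubectl get pods -A -o json`). The sample data is constructed to mirror the listings above with one extra node and one unscheduled pod added; treating the filter as an exact K8S_NodeName match and SDN address type Private as the node's InternalIP are assumptions drawn from this page, not a description of the connector's internals.

```python
# Constructed sample data modelled on the kubectl output above: only the fields
# the resolution needs from `kubectl get nodes -o json` / `kubectl get pods -A -o json`.
NODE = "gke-zhmkc-hzhong-pool-3cb2c973-5mhw"
NODES = {"items": [
    {"metadata": {"name": NODE},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.0.2.12"},
                              {"type": "ExternalIP", "address": "35.236.118.65"}]}},
    {"metadata": {"name": "gke-other-node"},  # constructed second node
     "status": {"addresses": [{"type": "InternalIP", "address": "10.0.2.13"}]}},
]}
PODS = {"items": [
    {"metadata": {"namespace": "default", "name": "guestbook-qcg7j"},
     "spec": {"nodeName": NODE}, "status": {"podIP": "10.32.3.9"}},
    # hostNetwork pods report the node's own IP, as kube-proxy does above
    {"metadata": {"namespace": "kube-system", "name": "kube-proxy-" + NODE},
     "spec": {"nodeName": NODE, "hostNetwork": True}, "status": {"podIP": "10.0.2.12"}},
    # constructed pod that has not been assigned an IP yet
    {"metadata": {"namespace": "default", "name": "pending-pod"},
     "spec": {"nodeName": NODE}, "status": {}},
    {"metadata": {"namespace": "default", "name": "other-node-pod"},
     "spec": {"nodeName": "gke-other-node"}, "status": {"podIP": "10.32.4.2"}},
]}


def resolve(nodes, pods, node_name=None, node_ip_only=False):
    """Return the set of private IPs a dynamic address would resolve to.

    node_name    mirrors the K8S_NodeName=<name> filter (None = every node)
    node_ip_only mirrors "Collect node addresses only" / set node-ip-only enable
    """
    ips = set()
    for node in nodes["items"]:
        if node_name and node["metadata"]["name"] != node_name:
            continue
        for addr in node["status"].get("addresses", []):
            if addr["type"] == "InternalIP":  # SDN address type Private
                ips.add(addr["address"])
    if node_ip_only:
        return ips
    for pod in pods["items"]:
        if node_name and pod["spec"].get("nodeName") != node_name:
            continue
        ip = pod["status"].get("podIP")  # absent until the pod is assigned an IP
        if ip:
            ips.add(ip)
    return ips
```

Because kube-proxy and the other hostNetwork pods report the node's own address, 10.0.2.12 appears only once in the k8s_node_pod list above even though three pods carry it; a pod without an IP yet contributes nothing until it is assigned one.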