Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Kubernetes Administration Guide

    Home FortiGate Private Cloud 7.4.0 Kubernetes Administration Guide
    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Obtaining the IP address, port, and secret token in Kubernetes

    Obtaining the IP address, port, and secret token in Kubernetes

    Configuring a Kubernetes (K8s) private cloud SDN connector in FortiOS requires the IP address and port that the K8s deployment is running on, as well as an authentication token.

    To obtain the IP address, port, and secret token in K8s:
    1. When configuring the K8s SDN connector in FortiOS, you must provide the IP address and port that the K8s deployment is running on. Run kubectl cluster-info to obtain the IP address and port. Note down the IP address and port. The following shows the IP address and port for a local cluster:

      The following shows the IP address and port for customer-managed K8s on Google Cloud Platform:

    2. Generate the authentication token:
      1. Create a service account to store the authentication token:
        1. Run the kubectl create serviceaccount <Service_account_name> command. For example, if the service account name is fortigateconnector, the command is kubectl create serviceaccount fortigateconnector.
        2. Run the kubectl get serviceaccounts command to verify that you created the service account. The account should show up in the service account list.
      2. Create a cluster role. K8s 1.6 and later versions allow you to configure role-based access control (RBAC). RBAC is an authorization mechanism to manage resource permissions on K8s. You must create a cluster role to grant the FortiGate permission to perform operations and retrieve objects:
        1. Create the yaml file by running the vi <filename>.yaml command. For example, if the yaml file name is fgtclusterrole, the command is vi fgtclusterrole.yaml. Paste the following: 
          
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
 name: fgt-connector

rules:
- apiGroups: [""]

  resources: ["pods", "namespaces", "nodes" , "services"]
  verbs: ["get", "watch", "list"]

          The resources list specifies the objects that FortiOS can retrieve. The verbs list specifies the operations that FortiOS can perform.

        2. Run the Kubectl apply -f <filename>.yaml command to apply the yaml file to create the cluster role. In this example, the command is Kubectl apply -f fgtclusterrole.yaml.
        3. Run the kubectl create clusterrolebinding fgt-connector --clusterrole=<cluster_rolename> --serviceaccount=default:<service_account_name> to attach the cluster role to the service account. In this example, the command is kubectl create clusterrolebinding fgt-connector --clusterrole=fgt-connector --serviceaccount=default:fortigateconnector.
      3. Run the kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='fortigateconnector')].data.token}"| base64 --decode command to obtain the secret token. As the token is Base64 encoded, the command includes base64 --decode to extract the decoded keystring. Note down the token.
    Previous
    Next

    More Links

    Private cloud Kubernetes SDN connector using secret token

    Obtaining the IP address, port, and secret token in Kubernetes

    Obtaining the IP address, port, and secret token in Kubernetes

    Configuring a Kubernetes (K8s) private cloud SDN connector in FortiOS requires the IP address and port that the K8s deployment is running on, as well as an authentication token.

    To obtain the IP address, port, and secret token in K8s:
    1. When configuring the K8s SDN connector in FortiOS, you must provide the IP address and port that the K8s deployment is running on. Run kubectl cluster-info to obtain the IP address and port. Note down the IP address and port. The following shows the IP address and port for a local cluster:

      The following shows the IP address and port for customer-managed K8s on Google Cloud Platform:

    2. Generate the authentication token:
      1. Create a service account to store the authentication token:
        1. Run the kubectl create serviceaccount <Service_account_name> command. For example, if the service account name is fortigateconnector, the command is kubectl create serviceaccount fortigateconnector.
        2. Run the kubectl get serviceaccounts command to verify that you created the service account. The account should show up in the service account list.
      2. Create a cluster role. K8s 1.6 and later versions allow you to configure role-based access control (RBAC). RBAC is an authorization mechanism to manage resource permissions on K8s. You must create a cluster role to grant the FortiGate permission to perform operations and retrieve objects:
        1. Create the yaml file by running the vi <filename>.yaml command. For example, if the yaml file name is fgtclusterrole, the command is vi fgtclusterrole.yaml. Paste the following: 
          
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
 name: fgt-connector

rules:
- apiGroups: [""]

  resources: ["pods", "namespaces", "nodes" , "services"]
  verbs: ["get", "watch", "list"]

          The resources list specifies the objects that FortiOS can retrieve. The verbs list specifies the operations that FortiOS can perform.

        2. Run the Kubectl apply -f <filename>.yaml command to apply the yaml file to create the cluster role. In this example, the command is Kubectl apply -f fgtclusterrole.yaml.
        3. Run the kubectl create clusterrolebinding fgt-connector --clusterrole=<cluster_rolename> --serviceaccount=default:<service_account_name> to attach the cluster role to the service account. In this example, the command is kubectl create clusterrolebinding fgt-connector --clusterrole=fgt-connector --serviceaccount=default:fortigateconnector.
      3. Run the kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='fortigateconnector')].data.token}"| base64 --decode command to obtain the secret token. As the token is Base64 encoded, the command includes base64 --decode to extract the decoded keystring. Note down the token.
    Previous
    Next