
AWS Administration Guide

AWS Kubernetes (EKS) Fabric connector

AWS Fabric connectors support dynamic address groups based on AWS Kubernetes (EKS) filters. The following summarizes minimum permissions for this deployment:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}
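A check for the policy attached to the connector's IAM identity, added here as an example (not Fortinet's or AWS's code): it reports which of the three action patterns above the policy fails to allow, applying IAM's case-insensitive wildcard matching and letting an explicit Deny win, and flags any Allow pattern broader than this minimum ("*" or "service:*"). It assumes the policy is available as parsed JSON and evaluates only Effect and Action; Resource and Condition are not considered.

```python
import fnmatch
import json

# The three action patterns the page lists as the minimum for the EKS connector.
REQUIRED = ("ec2:Describe*", "eks:DescribeCluster", "eks:ListClusters")

# The page's minimum policy, embedded here as the reference input.
MINIMUM_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                "Action": ["ec2:Describe*", "eks:DescribeCluster", "eks:ListClusters"],
                "Resource": "*"}]}
""")


def _patterns(policy, effect):
    """Action patterns from statements with the given Effect, lower-cased
    because IAM matches action names case-insensitively."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != effect:
            continue
        actions = stmt.get("Action", [])
        out.extend([actions] if isinstance(actions, str) else actions)
    return [p.lower() for p in out]


def _covers(policy_pattern, required):
    # A policy glob covers a required pattern when it matches it as written:
    # "ec2:*" and "*" cover "ec2:Describe*", but "ec2:DescribeInstances" does not.
    return fnmatch.fnmatchcase(required.lower(), policy_pattern)


def check_policy(policy):
    """Return the required patterns the policy does not allow, and any Allow
    patterns broader than the page's minimum ("*" or "service:*")."""
    allows, denies = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    missing = [r for r in REQUIRED
               if not any(_covers(p, r) for p in allows)
               or any(_covers(p, r) for p in denies)]  # an explicit Deny wins
    overbroad = sorted({p for p in allows if p == "*" or p.endswith(":*")})
    return {"missing": missing, "overbroad": overbroad}


if __name__ == "__main__":
    print(check_policy(MINIMUM_POLICY))  # {'missing': [], 'overbroad': []}
```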

Once the IAM identity has these permissions, you must also follow the steps in the AWS EKS documentation topic Managing Users or IAM Roles for your Cluster so that the connector can pull data from the cluster. The following output shows a successful pull of IP addresses from the EKS cluster:

awsd getting IPs from EKS cluster: dchao-cluster (us-west-2), endpoint: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com
kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/services
kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123
kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/nodes
kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123
k8s node ip: 172.31.34.72, nodename: ip-172-31-34-72.us-west-2.compute.internal
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s node ip: 18.237.109.243, nodename: ip-172-31-34-72.us-west-2.compute.internal
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/pods
kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123
k8s pod ip: 172.31.34.72, podname: aws-node-7kbm5, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.45.127, podname: coredns-6f647f5754-85m88, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.38.147, podname: coredns-6f647f5754-87ch7, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.34.72, podname: kube-proxy-ks9pw, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b

After configuring the above, follow the instructions in the FortiOS Cookbook to complete configuration.