Fortinet black logo

New Features

Private Cloud K8s Connector

Copy Link
Copy Doc ID 761d83e3-4a7b-11e9-94bf-00505692583a:295444
Download PDF

Private Cloud K8s Connector

FortiOS now supports automatically updating dynamic addresses for Kubernetes (K8S) using a K8S SDN connector, enabling FortiOS to manage K8S pods as global address objects, as with other connectors. This includes mapping the following attributes from K8S instances to dynamic address groups in FortiOS:

Filter Description
Namespace Filter service IP addresses in a given namespace.
ServiceName Filter service IP addresses by the given service name.
NodeName Filter node IP addresses by the given node name.
Label.XXX Filter service or node IP addresses with the given label XXX.
To configure K8S SDN connector using the GUI:
  1. Configure the K8S SDN connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New, and select Kubernetes.
    3. Configure as shown substituting the IP address, port number, and secret token for your deployment. The update interval is in seconds.

  2. Create a dynamic firewall address for the configured K8S SDN connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New, then select Address.
    3. Configure the address as shown, selecting the desired filter in the Filter dropdown list. In this example, the K8S SDN connector will automatically populate and update IP addresses only for node instances that match the specified node name:

  3. Ensure that the K8S SDN connector resolves dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address created in step 2 to see a list of IP addresses for node instances that match the node name configured in step 2:

To configure K8S SDN connector using CLI commands:
  1. Configure the K8S SDN connector:

    config system sdn-connector

    edit "kubernetes1"

    set type kubernetes

    set server "172.18.64.38"

    set server-port 6443

    set secret-token xxxxx

    set update-interval 30

    next

    end

  2. Create a dynamic firewall address for the configured K8S SDN connector with the supported K8S filter. In this example, the K8S SDN connector will automatically populate and update IP addresses only for node instances that match the specified node name:

    config firewall address

    edit "k8s_nodename"

    set type dynamic

    set sdn "kubernetes1"

    set filter "K8S_NodeName=van-201669-pc1"

    next

    end

  3. Confirm that the K8S SDN connector resolves dynamic firewall IP addresses using the configured filter:

    config firewall address

    edit "k8s_nodename"

    set uuid 462112a2-1ab1-51e9-799c-652621ba8c0c

    set type dynamic

    set sdn "kubernetes1"

    set filter "K8S_NodeName=van-201669-pc1"

    config list

    edit "172.16.65.227"

    next

    end

    next

    end

Related Videos

sidebar video

SDN Connector for Kubernetes Platform

  • 755 views
  • 5 years ago

Private Cloud K8s Connector

FortiOS now supports automatically updating dynamic addresses for Kubernetes (K8S) using a K8S SDN connector, enabling FortiOS to manage K8S pods as global address objects, as with other connectors. This includes mapping the following attributes from K8S instances to dynamic address groups in FortiOS:

Filter Description
Namespace Filter service IP addresses in a given namespace.
ServiceName Filter service IP addresses by the given service name.
NodeName Filter node IP addresses by the given node name.
Label.XXX Filter service or node IP addresses with the given label XXX.
To configure K8S SDN connector using the GUI:
  1. Configure the K8S SDN connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New, and select Kubernetes.
    3. Configure as shown substituting the IP address, port number, and secret token for your deployment. The update interval is in seconds.

  2. Create a dynamic firewall address for the configured K8S SDN connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New, then select Address.
    3. Configure the address as shown, selecting the desired filter in the Filter dropdown list. In this example, the K8S SDN connector will automatically populate and update IP addresses only for node instances that match the specified node name:

  3. Ensure that the K8S SDN connector resolves dynamic firewall IP addresses:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address created in step 2 to see a list of IP addresses for node instances that match the node name configured in step 2:

To configure K8S SDN connector using CLI commands:
  1. Configure the K8S SDN connector:

    config system sdn-connector

    edit "kubernetes1"

    set type kubernetes

    set server "172.18.64.38"

    set server-port 6443

    set secret-token xxxxx

    set update-interval 30

    next

    end

  2. Create a dynamic firewall address for the configured K8S SDN connector with the supported K8S filter. In this example, the K8S SDN connector will automatically populate and update IP addresses only for node instances that match the specified node name:

    config firewall address

    edit "k8s_nodename"

    set type dynamic

    set sdn "kubernetes1"

    set filter "K8S_NodeName=van-201669-pc1"

    next

    end

  3. Confirm that the K8S SDN connector resolves dynamic firewall IP addresses using the configured filter:

    config firewall address

    edit "k8s_nodename"

    set uuid 462112a2-1ab1-51e9-799c-652621ba8c0c

    set type dynamic

    set sdn "kubernetes1"

    set filter "K8S_NodeName=van-201669-pc1"

    config list

    edit "172.16.65.227"

    next

    end

    next

    end