
New Features

Collect only node IP addresses with K8s SDN connectors

By default, Kubernetes (K8s) SDN connectors return both pod and node IP addresses. Peer K8s SDN connectors can be configured to resolve dynamic firewall IP addresses to only node IP addresses. Results can also be filtered by specific IP addresses.

Example

This example creates a K8s SDN connector and two dynamic firewall addresses. You configure one address to resolve only node IP addresses, while the other resolves pod and node IP addresses.

GUI configuration

To configure a K8s SDN connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.

  2. Select Kubernetes, then configure the connector settings:

    Name: kuber_cloud
    IP: 35.236.76.254
    Port: Specify - 443
    Secret token: *********

  3. Click OK.

To create the two dynamic firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address.

    Name: k8s_node_only
    Type: Dynamic
    Sub Type: Fabric Connector Address
    SDN Connector: kuber_cloud
    SDN address type: Private
    Collect node addresses only: Enabled
    Filter: K8S_NodeName=gke-zhmkc-hzhong-pool-3cb2c973-5mhw

  2. Click OK.

  3. Click Create New > Address again to create the second address.

  4. Configure the same settings as the first address, except set Name to k8s_node_pod and disable Collect node addresses only.

  5. Click OK.

To check the resolved IP addresses of the two dynamic addresses in the GUI:
  1. Go to Policy & Objects > Addresses.

  2. In the address list, hover the cursor over the k8s_node_only address. Only the node IP address is resolved.

  3. Hover over the k8s_node_pod address. The node and pod IP addresses are all resolved.

    You can verify the resolved IP addresses by accessing the K8s cluster directly. See Verify the resolved IP addresses.

CLI configuration

To configure a K8s SDN connector in the CLI:
config system sdn-connector
    edit "kuber_cloud"
        set type kubernetes
        set server "35.236.76.254"
        set server-port 443
        set secret-token *********
    next
end
To create the two dynamic firewall addresses in the CLI:
config firewall address
    edit "k8s_node_only"
        set type dynamic
        set sdn "kuber_cloud"
        set color 19
        set filter "K8S_NodeName=gke-zhmkc-hzhong-pool-3cb2c973-5mhw"
        set node-ip-only enable
    next
    edit "k8s_node_pod"
        set type dynamic
        set sdn "kuber_cloud"
        set color 19
        set filter "K8S_NodeName=gke-zhmkc-hzhong-pool-3cb2c973-5mhw"
        set node-ip-only disable
    next
end
To check the resolved IP addresses of the two dynamic addresses in the CLI:
#show firewall address
config firewall address
    ...
    edit "k8s_node_only"
        ...
        config list
            edit "10.0.2.12"
            next
        end
    next
    edit "k8s_node_pod"
        ...
        config list
            edit "10.0.2.12"
            next
            edit "10.32.3.2"
            next
            edit "10.32.3.3"
            next
            edit "10.32.3.4"
            next
            edit "10.32.3.5"
            next
            edit "10.32.3.6"
            next
            edit "10.32.3.7"
            next
            edit "10.32.3.8"
            next
            edit "10.32.3.9"
            next
        end
    next
end

You can verify the resolved IP addresses by accessing the K8s cluster directly.

Verify the resolved IP addresses

To confirm the node IP address:
fosqa@pc56:~$ kubectl get nodes gke-zhmkc-hzhong-pool-3cb2c973-5mhw -o wide
NAME                                  STATUS   ROLES    AGE    VERSION          INTERNAL-IP   EXTERNAL-IP     OS-IMAGE                             KERNEL-VERSION   CONTAINER-RUNTIME
gke-zhmkc-hzhong-pool-3cb2c973-5mhw   Ready    <none>   532d   v1.12.7-gke.10   10.0.2.12     35.236.118.65   Container-Optimized OS from Google   4.14.106+        docker://17.3.2
To confirm the node and pod IP addresses:
fosqa@pc56:~$ kubectl get pods --all-namespaces -o wide | grep gke-zhmkc-hzhong-pool-3cb2c973-5mhw
default       guestbook-qcg7j                                  1/1     Running   0          186d   10.32.3.9   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
default       redis-master-mstb4                               1/1     Running   0          186d   10.32.3.8   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
default       redis-slave-7tgcv                                1/1     Running   0          186d   10.32.3.5   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
kube-system   fluentd-gcp-scaler-6965bb45c9-2lpp2              1/1     Running   0          239d   10.32.3.4   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
kube-system   fluentd-gcp-v3.2.0-nnlnp                         2/2     Running   0          239d   10.0.2.12   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
kube-system   heapster-gke-7858846d4d-vqc4d                    3/3     Running   0          186d   10.32.3.6   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
kube-system   kube-dns-5995c95f64-rqn4b                        4/4     Running   0          186d   10.32.3.7   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
kube-system   kube-dns-autoscaler-8687c64fc-dq9fn              1/1     Running   0          239d   10.32.3.2   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
kube-system   kube-proxy-gke-zhmkc-hzhong-pool-3cb2c973-5mhw   1/1     Running   0          532d   10.0.2.12   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
kube-system   metrics-server-v0.3.1-5c6fbf777-7bchg            2/2     Running   0          239d   10.32.3.3   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
kube-system   prometheus-to-sd-xndgs                           2/2     Running   0          186d   10.0.2.12   gke-zhmkc-hzhong-pool-3cb2c973-5mhw   <none>           <none>
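The two kubectl listings above are what the connector's resolved lists should agree with. The following script is an added verification helper, not FortiOS or Fortinet code: it parses the wide-format `kubectl get nodes` and `kubectl get pods` output shown on this page, applies the `K8S_NodeName=` filter and the node-ip-only setting, and returns the address set each dynamic address should resolve to, so the result can be compared against `show firewall address`. The sample output is copied from this page with the column padding collapsed; the function names, the `compare` helper and the assumption that only the `K8S_NodeName` filter key is handled are this example's own.

```python
"""Compute the address set a K8s SDN connector should resolve for a
dynamic address, from `kubectl ... -o wide` output (added example).
"""
import ipaddress
import re

# Sample kubectl output copied from this page (padding collapsed).
NODES_WIDE = """\
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
gke-zhmkc-hzhong-pool-3cb2c973-5mhw Ready <none> 532d v1.12.7-gke.10 10.0.2.12 35.236.118.65 Container-Optimized OS from Google 4.14.106+ docker://17.3.2
"""

PODS_WIDE = """\
default guestbook-qcg7j 1/1 Running 0 186d 10.32.3.9 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
default redis-master-mstb4 1/1 Running 0 186d 10.32.3.8 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
default redis-slave-7tgcv 1/1 Running 0 186d 10.32.3.5 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
kube-system fluentd-gcp-scaler-6965bb45c9-2lpp2 1/1 Running 0 239d 10.32.3.4 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
kube-system fluentd-gcp-v3.2.0-nnlnp 2/2 Running 0 239d 10.0.2.12 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
kube-system heapster-gke-7858846d4d-vqc4d 3/3 Running 0 186d 10.32.3.6 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
kube-system kube-dns-5995c95f64-rqn4b 4/4 Running 0 186d 10.32.3.7 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
kube-system kube-dns-autoscaler-8687c64fc-dq9fn 1/1 Running 0 239d 10.32.3.2 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
kube-system kube-proxy-gke-zhmkc-hzhong-pool-3cb2c973-5mhw 1/1 Running 0 532d 10.0.2.12 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
kube-system metrics-server-v0.3.1-5c6fbf777-7bchg 2/2 Running 0 239d 10.32.3.3 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
kube-system prometheus-to-sd-xndgs 2/2 Running 0 186d 10.0.2.12 gke-zhmkc-hzhong-pool-3cb2c973-5mhw <none> <none>
"""

# The filter string used by both dynamic addresses on this page.
FILTER = "K8S_NodeName=gke-zhmkc-hzhong-pool-3cb2c973-5mhw"


def parse_nodes(text):
    """Map node name -> INTERNAL-IP. Every column before OS-IMAGE is a
    single token, so a plain whitespace split is safe for column 5."""
    nodes = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "NAME":
            continue
        nodes[cols[0]] = cols[5]
    return nodes


def parse_pods(text):
    """Return (namespace, pod, ip, node) tuples from the --all-namespaces
    wide listing (the header line, if present, is skipped)."""
    pods = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "NAMESPACE":
            continue
        pods.append((cols[0], cols[1], cols[6], cols[7]))
    return pods


def _nodes_matching(nodes, filter_expr):
    """Select node names by filter. Assumption of this example: only the
    K8S_NodeName key seen on this page is supported; no filter = all nodes."""
    if not filter_expr:
        return set(nodes)
    m = re.fullmatch(r"K8S_NodeName=(\S+)", filter_expr)
    if not m:
        raise ValueError(f"unsupported filter (only K8S_NodeName= handled): {filter_expr}")
    return {name for name in nodes if name == m.group(1)}


def resolve(nodes, pods, filter_expr=None, node_ip_only=False):
    """Resolved address set: node INTERNAL-IPs of the selected nodes, plus
    pod IPs scheduled on them unless node_ip_only is set. A set is used so
    host-networked pods (whose IP equals the node IP) are not duplicated."""
    selected = _nodes_matching(nodes, filter_expr)
    addrs = {nodes[n] for n in selected}
    if not node_ip_only:
        addrs |= {ip for _, _, ip, node in pods if node in selected and ip != "<none>"}
    return sorted(addrs, key=ipaddress.ip_address)


def compare(expected, observed):
    """(missing, extra): addresses the cluster says should be present but the
    firewall list lacks, and addresses the firewall lists that the cluster does not."""
    exp, obs = set(expected), set(observed)
    return (sorted(exp - obs, key=ipaddress.ip_address),
            sorted(obs - exp, key=ipaddress.ip_address))


if __name__ == "__main__":
    nodes, pods = parse_nodes(NODES_WIDE), parse_pods(PODS_WIDE)
    print("k8s_node_only:", resolve(nodes, pods, FILTER, node_ip_only=True))
    print("k8s_node_pod :", resolve(nodes, pods, FILTER, node_ip_only=False))
```

Run against the page's listings, `k8s_node_only` resolves to the single node address 10.0.2.12 and `k8s_node_pod` to nine addresses, which is what `show firewall address` prints above: three of the eleven pods on the node (fluentd-gcp, kube-proxy and prometheus-to-sd) run with host networking and report the node IP, so they collapse into the one node entry. Feeding the `config list` entries from the firewall into `compare` turns the manual hover-and-check step into a reproducible diff.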