Oracle Kubernetes (OKE) SDN connector using certificates

OCI SDN connectors support dynamic address groups based on Oracle Kubernetes (OKE) filters.

To enable an OCI SDN connector to fetch IP addresses from Oracle Kubernetes:

Configure the OCI SDN connector:
1. Go to Security Fabric > External Connectors.
2. Click Create New, and select Oracle Cloud Infrastructure (OCI).
3. Configure as shown substituting the region, tenant and client IDs, and client secret for your deployment. The update interval is in seconds.

Create dynamic firewall addresses for the configured SDN connector with supported Kubernetes filter:

Go to Policy & Objects > Addresses.
Click Create New, then select Address.

In the Filter field, select the desired filters. The following filters are supported:

Filter	Description
k8s_cluster	Name of Kubernetes cluster.
k8s_namespace	Namespace of a Kubernetes service or pod.
k8s_svcname	Name of a Kubernetes service.
k8s_nodename	Name of a Kubernetes node.
k8s_zone	Zone of a Kubernetes node.
k8s_region	Region of a Kubernetes node.
k8s_podname	Name of a Kubernetes pod.
k8s_label.xxx	Name of label of a Kubernetes resource (cluster/service/node/Pod).

Screenshot of Azure Kubernetes setup displaying the creation of dynamic firewall address

Confirm that the SDN connector resolves dynamic firewall IP addresses:
1. Go to Policy & Objects > Addresses.
2. Hover over the address created in step 2 to see a list of IP addresses for instances:

To configure an SDN connector through the CLI:

Configure the OCI SDN connector:
config system sdn-connector

edit "oci1"

set type oci

set tenant-id "ocid1.tenancy.oc1..aaaaaaaambr3uzztoyhweohbzqqdo775h7d3t54zpmzkp4b2cf35vs55cxxx"

set user-id "ocid1.user.oc1..aaaaaaaaq2lfspeo3uetzbzpiv2pqvzzevozccnys347stwssvizqlatfxxx"

set compartment-id "ocid1.compartment.oc1..aaaaaaaaelxxdjazqo7nzczpgypyiqcgkmytjry6nfq5345vw7eavpwnmxxx"

set oci-region ashburn

set oci-cert "cert-sha2"

set update-interval 30

next

end
Create dynamic firewall addresses for the configured SDN connector with supported Kubernetes filter:
config firewall address

edit "k8s_nodename"

set type dynamic

set sdn "oci1"

set filter "K8S_NodeName=129.213.120.172"

next

end
Confirm that the SDN connector resolves dynamic firewall IP addresses:
config firewall address

edit "k8s_nodename"

set type dynamic

set sdn "oci1"

set filter "K8S_NodeName=129.213.120.172"

config list

edit "10.0.32.2"

next

edit "10.244.2.2"

next

edit "10.244.2.3"

next

edit "10.244.2.4"

next

edit "10.244.2.5"

next

end

next

end

Oracle Kubernetes (OKE) SDN connector using certificates

OCI SDN connectors support dynamic address groups based on Oracle Kubernetes (OKE) filters.

To enable an OCI SDN connector to fetch IP addresses from Oracle Kubernetes:

Configure the OCI SDN connector:

Go to Security Fabric > External Connectors.
Click Create New, and select Oracle Cloud Infrastructure (OCI).
Configure as shown substituting the region, tenant and client IDs, and client secret for your deployment. The update interval is in seconds.

Create dynamic firewall addresses for the configured SDN connector with supported Kubernetes filter:

Go to Policy & Objects > Addresses.
Click Create New, then select Address.

In the Filter field, select the desired filters. The following filters are supported:

Filter	Description
k8s_cluster	Name of Kubernetes cluster.
k8s_namespace	Namespace of a Kubernetes service or pod.
k8s_svcname	Name of a Kubernetes service.
k8s_nodename	Name of a Kubernetes node.
k8s_zone	Zone of a Kubernetes node.
k8s_region	Region of a Kubernetes node.
k8s_podname	Name of a Kubernetes pod.
k8s_label.xxx	Name of label of a Kubernetes resource (cluster/service/node/Pod).

Screenshot of Azure Kubernetes setup displaying the creation of dynamic firewall address

Confirm that the SDN connector resolves dynamic firewall IP addresses:

Go to Policy & Objects > Addresses.
Hover over the address created in step 2 to see a list of IP addresses for instances:

To configure an SDN connector through the CLI:

Configure the OCI SDN connector:

config system sdn-connector

edit "oci1"

set type oci

set tenant-id "ocid1.tenancy.oc1..aaaaaaaambr3uzztoyhweohbzqqdo775h7d3t54zpmzkp4b2cf35vs55cxxx"

set user-id "ocid1.user.oc1..aaaaaaaaq2lfspeo3uetzbzpiv2pqvzzevozccnys347stwssvizqlatfxxx"

set compartment-id "ocid1.compartment.oc1..aaaaaaaaelxxdjazqo7nzczpgypyiqcgkmytjry6nfq5345vw7eavpwnmxxx"

set oci-region ashburn

set oci-cert "cert-sha2"

set update-interval 30

end

Create dynamic firewall addresses for the configured SDN connector with supported Kubernetes filter:

config firewall address

edit "k8s_nodename"

set type dynamic

set sdn "oci1"

set filter "K8S_NodeName=129.213.120.172"

end

Confirm that the SDN connector resolves dynamic firewall IP addresses:

config firewall address

edit "k8s_nodename"

set type dynamic

set sdn "oci1"

set filter "K8S_NodeName=129.213.120.172"

config list

edit "10.0.32.2"

edit "10.244.2.2"

edit "10.244.2.3"

edit "10.244.2.4"

edit "10.244.2.5"

end

Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Table of Contents

More Links

Administration Guide

Oracle Kubernetes (OKE) SDN connector using certificates

To enable an OCI SDN connector to fetch IP addresses from Oracle Kubernetes:

To configure an SDN connector through the CLI:

More Links

Oracle Kubernetes (OKE) SDN connector using certificates

To enable an OCI SDN connector to fetch IP addresses from Oracle Kubernetes:

To configure an SDN connector through the CLI: