Oracle Kubernetes (OKE) SDN connector
OCI SDN connectors support dynamic address groups based on Oracle Kubernetes (OKE) filters.
To filter out the Kubernetes IP addresses, the following address filters have been introduced:
k8s_compartment | Name of the compartment that the Kubernetes cluster was created in. |
k8s_cluster | Name of the Kubernetes cluster. |
k8s_namespace | Namespace of a Kubernetes service or pod. |
k8s_servicename | Name of a Kubernetes service. |
k8s_nodename | Name of a Kubernetes node. |
k8s_region | Region of a Kubernetes node. |
k8s_zone | Zone of a Kubernetes node. |
k8s_podname | Name of a Kubernetes pod. |
k8s_label.xxx | Name of a label of a Kubernetes resource (cluster/service/node/pod). |
To enable an OCI SDN connector to fetch IP addresses from Oracle Kubernetes:
1. Configure the OCI SDN connector:
   - Go to Security Fabric > Fabric Connectors.
   - Click Create New, and select Oracle Cloud Infrastructure (OCI).
   - Configure as shown, substituting the region, tenant and client IDs, and client secret for your deployment. The update interval is in seconds.
2. Create dynamic firewall addresses for the configured SDN connector with a supported Kubernetes filter:
   - Go to Policy & Objects > Addresses.
   - Click Create New, then select Address.
   - Configure the addresses.
3. Confirm that the SDN connector resolves dynamic firewall IP addresses:
   - Go to Policy & Objects > Addresses.
   - Hover over the address created in step 2 to see a list of IP addresses for instances.
To configure an SDN connector through the CLI:
1. Configure the OCI SDN connector:

    config system sdn-connector
        edit "oci1"
            set type oci
            set tenant-id "ocid1.tenancy.oc1..aaaaaaaambr3uzztoyhweohbzqqdo775h7d3t54zpmzkp4b2cf35vs55cxxx"
            set user-id "ocid1.user.oc1..aaaaaaaaq2lfspeo3uetzbzpiv2pqvzzevozccnys347stwssvizqlatfxxx"
            set compartment-id "ocid1.compartment.oc1..aaaaaaaaelxxdjazqo7nzczpgypyiqcgkmytjry6nfq5345vw7eavpwnmxxx"
            set oci-region ashburn
            set oci-cert "cert-sha2"
            set update-interval 30
        next
    end

2. Create dynamic firewall addresses for the configured SDN connector with a supported Kubernetes filter:

    config firewall address
        edit "k8s_nodename"
            set type dynamic
            set sdn "oci1"
            set filter "K8S_NodeName=129.213.120.172"
        next
    end

3. Confirm that the SDN connector resolves dynamic firewall IP addresses:

    config firewall address
        edit "k8s_nodename"
            set uuid 052f1420-3ab8-51e9-0cf8-6db6bc3395c0
            set type dynamic
            set sdn "oci1"
            set filter "K8S_NodeName=129.213.120.172"
            config list
                edit "10.0.32.2"
                next
                edit "10.244.2.2"
                next
                edit "10.244.2.3"
                next
                edit "10.244.2.4"
                next
                edit "10.244.2.5"
                next
            end
        next
    end
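
The confirmation step above can also be checked by script before the dynamic address is referenced in a policy. The following Python is an added example, not part of the original documentation: it parses an address object in the layout shown above and reports resolved entries that fall outside the subnets you expect. The function names and the expected CIDR ranges are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of the address object shown above (shortened).
SAMPLE = '''config firewall address
edit "k8s_nodename"
set type dynamic
set sdn "oci1"
set filter "K8S_NodeName=129.213.120.172"
config list
edit "10.0.32.2"
next
edit "10.244.2.2"
next
edit "10.244.2.3"
next
end
next
end'''

def parse_dynamic_addresses(text):
    """Map each address name to its filter string and resolved IP list."""
    result, current, in_list = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r'edit "([^"]+)"', line)
        if line == "config list":
            in_list = True
        elif line == "end" and in_list:
            in_list = False          # closes the nested list, not the object
        elif m and in_list and current:
            result[current]["ips"].append(m.group(1))
        elif m:
            current = m.group(1)
            result[current] = {"filter": None, "ips": []}
        elif current and line.startswith("set filter "):
            result[current]["filter"] = line[len("set filter "):].strip('"')
    return result

def unexpected_ips(entry, expected_cidrs):
    """Resolved entries that are not valid IPs inside any expected CIDR."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    def inside(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:           # entry is not an IP literal at all
            return False
    return [ip for ip in entry["ips"] if not inside(ip)]
```

With an assumed node subnet of `10.0.32.0/24` only, `unexpected_ips` returns the two `10.244.2.x` entries, which shows how far a single filter widens the scope of any policy that uses the address.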