Fortinet Document Library

AWS Cookbook

6.2.0

AWS Kubernetes (EKS) Fabric connector

AWS Fabric connectors support dynamic address groups based on AWS Kubernetes (EKS) filters. The following summarizes minimum permissions for this deployment:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*",
                    "eks:DescribeCluster",
                    "eks:ListClusters"
                ],
                "Resource": "*"
            }
        ]
    }

Once you have the proper permissions for EKS, you must follow the steps at "Managing Users or IAM Roles for your Cluster" for EKS to properly pull data from the cluster. The following shows a successful pull of IP addresses from the EKS cluster:

awsd getting IPs from EKS cluster: dchao-cluster (us-west-2), endpoint: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com

kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/services

kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123

kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/nodes

kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123

k8s node ip: 172.31.34.72, nodename: ip-172-31-34-72.us-west-2.compute.internal

cluster: dchao-cluster, region: us-west-2, zone: us-west-2b

k8s node ip: 18.237.109.243, nodename: ip-172-31-34-72.us-west-2.compute.internal

cluster: dchao-cluster, region: us-west-2, zone: us-west-2b

kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/pods

kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123

k8s pod ip: 172.31.34.72, podname: aws-node-7kbm5, namespace: kube-system

cluster: dchao-cluster, region: us-west-2, zone: us-west-2b

k8s pod ip: 172.31.45.127, podname: coredns-6f647f5754-85m88, namespace: kube-system

cluster: dchao-cluster, region: us-west-2, zone: us-west-2b

k8s pod ip: 172.31.38.147, podname: coredns-6f647f5754-87ch7, namespace: kube-system

cluster: dchao-cluster, region: us-west-2, zone: us-west-2b

k8s pod ip: 172.31.34.72, podname: kube-proxy-ks9pw, namespace: kube-system

cluster: dchao-cluster, region: us-west-2, zone: us-west-2b

After configuring the above, follow the instructions in the FortiOS Cookbook to complete configuration.
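The awsd output above can be checked mechanically before address groups are built from it. The following is an added example, not Fortinet code: the function names `parse_awsd` and `shared_ips` are hypothetical, and the sample input is copied from the node and pod lines shown above. It parses each entry with its cluster line and reports any IP address that is listed for more than one object.

```python
import re
from collections import defaultdict

# Sample input: node and pod lines copied from the awsd output shown on this page.
SAMPLE_LOG = """\
k8s node ip: 172.31.34.72, nodename: ip-172-31-34-72.us-west-2.compute.internal
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s node ip: 18.237.109.243, nodename: ip-172-31-34-72.us-west-2.compute.internal
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.34.72, podname: aws-node-7kbm5, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.45.127, podname: coredns-6f647f5754-85m88, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.34.72, podname: kube-proxy-ks9pw, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
"""

ENTRY = re.compile(r"^k8s (node|pod) ip: (\S+), (?:node|pod)name: ([^,\s]+)(?:, namespace: (\S+))?$")
PLACEMENT = re.compile(r"^cluster: ([^,]+), region: ([^,]+), zone: (\S+)$")


def parse_awsd(text):
    """Return one dict per node/pod entry, with the cluster line that follows it attached."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            kind, ip, name, ns = m.groups()
            entries.append({"kind": kind, "ip": ip, "name": name, "namespace": ns})
            continue
        m = PLACEMENT.match(line)
        if m and entries and "cluster" not in entries[-1]:
            entries[-1].update(zip(("cluster", "region", "zone"), m.groups()))
    return entries


def shared_ips(entries):
    """Map each IP reported for more than one object to the (kind, name) pairs using it."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append((e["kind"], e["name"]))
    return {ip: objs for ip, objs in by_ip.items() if len(objs) > 1}


if __name__ == "__main__":
    for ip, objs in shared_ips(parse_awsd(SAMPLE_LOG)).items():
        print(ip, "->", objs)
```

On the sample, 172.31.34.72 is reported for the node and for the aws-node and kube-proxy pods, so an address derived from either pod entry also covers the node itself.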
