Description
This article explains private Cloud K8s SDN connector.
Solution
FortiOS automatically updates dynamic addresses for Kubernetes (K8S) by using a K8S SDN connector, enabling FortiOS to manage K8S pods as global address objects, as with other connectors.
This includes mapping the following attributes from K8S instances to dynamic address groups in FortiOS:
Configure the K8S SDN connector.
- Go to Security Fabric -> Fabric Connectors.
- Select 'Create New', and select 'Kubernetes'.
- Configure as shown substituting the IP address, port number, and secret FortiToken for the deployment. The update interval is in seconds.
- Select 'Create New', and select 'Kubernetes'.
- Configure as shown substituting the IP address, port number, and secret FortiToken for the deployment. The update interval is in seconds.
Create a dynamic firewall address for the configured K8S SDN connector.
- Go to Policy & Objects -> Addresses.
- Select 'Create New', then select 'Address'.
- Configure the address as shown, selecting the desired filter in the Filter dropdown list.
In this example, the K8S SDN connector will automatically populate and update IP addresses only for node instances that match the specified node name:
Ensure that the K8S SDN connector resolves dynamic firewall IP addresses.
- Go to Policy & Objects -> Addresses.
- Go to Policy & Objects -> Addresses.
Hover over the address created to see a list of IP addresses for node instances that match the node name configured:
To configure K8S SDN connector from CLI.
- Configure the K8S SDN connector:
In this example, the K8S SDN connector will automatically populate and update IP addresses only for node instances that match the specified node name:
- Configure the K8S SDN connector:
# config system sdn-connector- Create a dynamic firewall address for the configured K8S SDN connector with the supported K8S filter.
edit "kubernetes1"
set type kubernetes
set server "172.18.64.38"
set server-port 6443
set secret-token xxxxx
set update-interval 30
next
end
In this example, the K8S SDN connector will automatically populate and update IP addresses only for node instances that match the specified node name:
# config firewall address- Confirm that the K8S SDN connector resolves dynamic firewall IP addresses using the configured filter:
edit "k8s_nodename"
set type dynamic
set sdn "kubernetes1"
set filter "K8S_NodeName=van-201669-pc1"
next
end
# config firewall address
edit "k8s_nodename"
set uuid 462112a2-1ab1-51e9-799c-652621ba8c0c
set type dynamic
set sdn "kubernetes1"
set filter "K8S_NodeName=van-201669-pc1"
# config list
edit "172.16.65.227"
next
end
next
end
