When you create a fabric connector for Kubernetes, you are specifying how FortiADC can communicate with Kubernetes.
FortiADC will be authenticated to periodically (default 30s) get Kubernetes objects (services, nodes) and dynamically populates and updates the related objects, including pool member and real server in its server pool configuration.
- The Kubernetes service is required to be exposed with NodePort type.
When configuring the Kubernetes connector in FortiADC, you must provide the IP address and port that the Kubernetes deployment is running on.
- On the master node of your Kubernetes cluster, run
kubectl config viewto get the IP address.
The following is an example. Take note of the IP address.
kubectl get servicesto get the port number. FortiADC only supports "NodePort" service type.
The following is an example:
Take note of the port number of this service, i.e. service-1236 in the above example.
- Create a cluster role to grant the FortiADC permission to perform operations and retrieve objects.
cat > <filename>.yamlto create a yaml file specifying the cluster role.
For example, running
cat > access_clusterrole.yamlwill create the file "access_clusterrole.yaml".
Then, type the following to insert it in the file. In this example, the role is named as
psn-reader. You can give it other names as you desire. Remember to Type
Ctrl-dat the end to save the file.
# "namespace" omitted since ClusterRoles are not namespaced
- apiGroups: [""]
resources: ["pods", "services", "nodes"]
verbs: ["get", "watch", "list"]
cat > <filename>.yamlto create a yaml file, then insert the following to attach the cluster role to a service account.
In the following example, the file "cluster_role_bind.yaml" is created, and the role "psn-reader" is attached to the service account "default" for it to read pods, node, or services in default namespace.
If you want to attach the role to a new service account, use
kubectl create serviceaccount <Service_account_name>to create one, then attach the role to it.
Remember to Type
Ctrl-dat the end to save the file.
~# cat > cluster_role_bind.yaml
- kind: ServiceAccount
name: default #name is case sensitive
kubectl apply -f access_clusterrole.yamlto execute the configurations in this file.
kubectl apply -f cluster_role_bind.yamlto execute the configurations in this file.
- Get secret token.
kubectl get secretsto view the secrets.
kubectl describe secrets <secret_token_name> -n <service_account_name>to view the secret token. Take note of the token.
In the following example, the information of the secret token "default-token-x8mth" stored in "default" service account is displayed.
To create a Kubernetes Connector:
- Go to Security Fabric > External Connectors.
- Click Create New.
- Under Private SDN, select Kubernetes. The Kubernetes screen is displayed.
- Configure the following options, and then click Save. You will be required to provide the IP address, port, and the secret token you have obtained in the above section: To obtain the IP address, port, and secret token in Kubernetes:
Name Type a name for the external connector object. Status
Toggle on to enable the external connector object.
Toggle off to disable the external connector object.
Update Interval (s)
Specify the update interval for the connector to get Kubernetes objects and dynamically updates the IP addresses.
IP Type the IP address of the Kubernetes API server. Port
Specify the port that FortiADC uses to communicate with the Kubernetes API server.
Specify the secret token.
After the connector is created, you can select this connector when creating a server pool. FortiADC will then get the IP addresses of the real servers from the Kubernetes deployment and dynamically populates the objects in server pool configuration, as shown in the following screenshots.