Deploy Kubernetes Agent Controller
After you press Add Kubernetes Cluster, follow the steps below to deploy the Kubernetes Agent controller to the Kubernetes cluster.
- Click download fcli to download the fcli command line tool for deploying Container Protection on the Kubernetes cluster.

  If the fcli download link does not work, use the following download links:

  Operating System | FCLI Command Line Tool Download Link |
  ---|---|
  Mac OS | https://forticwp-kubernetes-agent.s3.amazonaws.com/mac/fcli |
  Linux | https://forticwp-kubernetes-agent.s3.amazonaws.com/linux/fcli |

- Transfer the file to a location where there is access to the Kubernetes cluster using kubectl. On the command line, change the permission of the fcli command line tool:

      chmod +x fcli

- kubectl is used to access the Kubernetes cluster. Make sure the kubectl user that is configured to access the Kubernetes cluster has cluster-admin access.

  For example, use the following command to display the kubectl config file, which provides the current context and user information:

      kubectl config view

  To set up cluster-admin access, the user needs to have the following rules set up:

  - apiGroups - *
  - resources - *
  - verbs - *

  This is how the rules in the cluster admin file should be configured:

- Execute the deploy command shown on the Add Kubernetes Cluster page in kubectl:

      ./fcli deploy kubernetes --token <AccessToken> --region <Region>

- If the fcli command was executed successfully, run the command below to verify it:

      kubectl get pods -n fortinet

- A successful deployment should look like below with the command:

Note: Make sure the scanner node has enough space to pull and scan images before deploying the Kubernetes Agent pods. To prevent the Kubernetes Agent pods from being deployed on nodes that are not ready, use the following command:

      kubectl taint nodes <node name> node.kubernetes.io/not-ready:NoSchedule

Example:

      kubectl taint nodes ip-192-168-51-200.eu-central-1.compute.internal node.kubernetes.io/not-ready:NoSchedule
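
The cluster-admin requirement and the `kubectl get pods -n fortinet` verification described above can be scripted so that they fail loudly instead of relying on a visual check. This is an added example, not part of the original page or of Fortinet's tooling; the function names and the `preflight`/`verify` arguments are assumptions, and it uses only standard kubectl subcommands.

```sh
#!/bin/sh
# Added example: checks to run around `./fcli deploy kubernetes`.
# Function names and the preflight/verify arguments are hypothetical;
# only the kubectl subcommands are real.

# Succeeds only if the current kubectl identity may use every verb on every
# resource in every namespace (the wildcard rules that cluster-admin grants).
has_cluster_admin() {
    [ "$(kubectl auth can-i '*' '*' --all-namespaces 2>/dev/null)" = "yes" ]
}

# Shows which context is about to receive the deployment, then checks access.
preflight() {
    echo "context: $(kubectl config current-context)"
    if has_cluster_admin; then
        echo "cluster-admin: ok"
    else
        echo "cluster-admin: missing for this kubectl user" >&2
        return 1
    fi
}

# Prints "NAME READY STATUS" for each pod in namespace $1 that is not fully
# ready (STATUS is not Running, or READY x/y has x != y).
# Returns 0 only when at least one pod exists and all of them are ready.
unready_pods() {
    kubectl get pods -n "$1" --no-headers 2>/dev/null | awk '
        { total++; split($2, r, "/") }
        $3 != "Running" || r[1] != r[2] { print $1, $2, $3; bad++ }
        END { exit ((total == 0 || bad > 0) ? 1 : 0) }'
}

# Usage: sh k8s_checks.sh preflight   (before fcli deploy)
#        sh k8s_checks.sh verify      (after fcli deploy)
case "${1:-}" in
    preflight) preflight ;;
    verify)    unready_pods fortinet ;;
esac
```

Running `preflight` also prints the active context, which helps confirm that the deploy command is about to act on the intended cluster.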