AWS Administration Guide

AWS EKS SDN connector

AWS SDN connectors support dynamic address groups based on AWS Kubernetes (EKS) filters. The following IAM policy is the minimum set of AWS API permissions the connector's IAM principal needs for this deployment. All three actions are read-only: they let the connector enumerate clusters and look up a cluster's API endpoint, but do not let it modify anything. If you want to limit the connector to a single cluster, eks:DescribeCluster can be scoped to that cluster's ARN; eks:ListClusters and the ec2:Describe* calls do not accept resource-level restrictions, which is why the policy uses "Resource": "*".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}

Once the IAM principal used by the connector has these permissions, follow the steps in the AWS EKS documentation at Enabling IAM principal access to your cluster so that the same principal is also authorized by the cluster's Kubernetes API. The IAM policy only covers the AWS API calls: without the cluster-side mapping, awsd can find the cluster and its endpoint, but the Kubernetes API rejects its requests for services, nodes, and pods as unauthorized. The following awsd output shows a successful pull of IP addresses from the EKS cluster. The endpoint is resolved once and then queried for /api/v1/services, /api/v1/nodes, and /api/v1/pods, so read-only (list) access to those three resources across all namespaces is all the connector needs on the Kubernetes side:

awsd getting IPs from EKS cluster: dchao-cluster (us-west-2), endpoint: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com
kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/services
kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123
kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/nodes
kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123
k8s node ip: 172.31.34.72, nodename: ip-172-31-34-72.us-west-2.compute.internal
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s node ip: 18.237.109.243, nodename: ip-172-31-34-72.us-west-2.compute.internal
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/pods
kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123
k8s pod ip: 172.31.34.72, podname: aws-node-7kbm5, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.45.127, podname: coredns-6f647f5754-85m88, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.38.147, podname: coredns-6f647f5754-87ch7, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.34.72, podname: kube-proxy-ks9pw, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
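The following Python script is an added example, not code from this guide or from Fortinet. It parses the awsd output above into node and pod records and resolves filter expressions to the set of IP addresses a dynamic address object would contain, so you can check what a filter will match before you attach the address to a firewall policy. The sample lines are copied from the output above; the K8S_* filter keys and the "&" (and) / "|" (or) operators are assumptions modelled on the connector's filter syntax, not a specification of it.

```python
"""Resolve EKS dynamic-address filters against awsd debug output (offline)."""
import fnmatch
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the awsd lines shown on this page, used verbatim.
SAMPLE_AWSD_OUTPUT = """\
awsd getting IPs from EKS cluster: dchao-cluster (us-west-2), endpoint: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com
kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/nodes
kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123
k8s node ip: 172.31.34.72, nodename: ip-172-31-34-72.us-west-2.compute.internal
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s node ip: 18.237.109.243, nodename: ip-172-31-34-72.us-west-2.compute.internal
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
kube url: https://F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com/api/v1/pods
kube host: F57B834C1ADA8ED7FA3CAFB36073D384.gr7.us-west-2.eks.amazonaws.com:443:100.21.79.123
k8s pod ip: 172.31.34.72, podname: aws-node-7kbm5, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.45.127, podname: coredns-6f647f5754-85m88, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.38.147, podname: coredns-6f647f5754-87ch7, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
k8s pod ip: 172.31.34.72, podname: kube-proxy-ks9pw, namespace: kube-system
cluster: dchao-cluster, region: us-west-2, zone: us-west-2b
"""

# awsd prints one "k8s ... ip:" line per object followed by a "cluster:" line
# carrying cluster, region and zone; everything else (kube url/host) is ignored.
NODE_RE = re.compile(r"^k8s node ip: (\S+), nodename: (\S+)$")
POD_RE = re.compile(r"^k8s pod ip: (\S+), podname: (\S+), namespace: (\S+)$")
META_RE = re.compile(r"^cluster: (\S+), region: (\S+), zone: (\S+)$")


def parse_awsd_output(text):
    """Return a list of records; keys mirror the assumed K8S_* filter keys."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := NODE_RE.match(line):
            pending = {"ip": m.group(1), "K8S_NodeName": m.group(2)}
        elif m := POD_RE.match(line):
            pending = {"ip": m.group(1), "K8S_PodName": m.group(2),
                       "K8S_Namespace": m.group(3)}
        elif (m := META_RE.match(line)) and pending is not None:
            pending.update({"K8S_Cluster": m.group(1), "K8S_Region": m.group(2),
                            "K8S_Zone": m.group(3)})
            records.append(pending)
            pending = None
    return records


def _match_term(record, term):
    """One 'Key=pattern' term; pattern may use shell-style wildcards."""
    key, _, pattern = term.partition("=")
    key, pattern = key.strip(), pattern.strip()
    if not key or not pattern:
        raise ValueError(f"malformed filter term: {term!r}")
    value = record.get(key)
    return value is not None and fnmatch.fnmatchcase(value, pattern)


def resolve_filter(records, filter_expr):
    """IPs (numerically sorted) of records matching the filter.

    Assumed syntax: '|' separates alternatives, '&' joins required terms.
    """
    ips = set()
    for alternative in filter_expr.split("|"):
        terms = [t for t in alternative.split("&") if t.strip()]
        ips.update(r["ip"] for r in records if all(_match_term(r, t) for t in terms))
    return sorted(ips, key=ipaddress.ip_address)


def shared_ips(records):
    """IPs reported by more than one object, with the names that share them.

    Host-network pods such as aws-node and kube-proxy report the node's own
    IP, so a filter written for one of them also admits the node's traffic.
    """
    owners = defaultdict(set)
    for r in records:
        owners[r["ip"]].add(r.get("K8S_PodName") or r.get("K8S_NodeName"))
    return {ip: sorted(names) for ip, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    recs = parse_awsd_output(SAMPLE_AWSD_OUTPUT)
    for expr in ("K8S_PodName=coredns*", "K8S_Namespace=kube-system",
                 "K8S_Zone=us-west-2b & K8S_PodName=kube-proxy*"):
        print(f"{expr:50} -> {resolve_filter(recs, expr)}")
    print("shared IPs:", shared_ips(recs))
```

Run it against a saved copy of your own awsd output instead of the constructed sample to preview a filter. The shared_ips check is the one worth keeping: in the output above, aws-node-7kbm5 and kube-proxy-ks9pw both resolve to 172.31.34.72, the node's address, so a policy scoped to "aws-node" pods in fact covers every host-network process on that node.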

After configuring the above, follow the instructions in the FortiOS Cookbook to complete configuration.
