Administration Guide

AliCloud Kubernetes SDN connector using access key

When an AliCloud SDN connector is configured, dynamic address objects can support Kubernetes filters based on cluster, service, node, pod, and more.

The following address filters can be applied:

  • K8S_Cluster
  • K8S_Namespace
  • K8S_ServiceName
  • K8S_NodeName
  • K8S_PodName
  • K8S_Region
  • K8S_Zone
  • K8S_Label

To configure an AliCloud SDN connector with a Kubernetes filter in the GUI:
  1. Configure the AliCloud SDN connector:
    1. Go to Security Fabric > External Connectors.
    2. Click Create New, and select AliCloud.
    3. Configure the settings as needed and click OK.

  2. Create a dynamic firewall address with the supported Kubernetes filter:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New > Address and enter a name.
    3. Configure the following settings:
      1. For Type, select Dynamic.
      2. For Sub Type, select Fabric Connector Address.
      3. For SDN Connector, select the connector created in step 1.
      4. For SDN address type, select Private.
      5. For Filter, select K8S_Cluster=zhmcluster.
    4. Click OK.

      The corresponding IP addresses are dynamically updated and resolved after applying the Kubernetes filter.

  3. Confirm that the AliCloud SDN connector resolves dynamic firewall IP addresses using the configured filter:
    1. Go to Policy & Objects > Addresses.
    2. In the address table, hover over the address created in step 2 to view which IPs it resolves to.

To configure an AliCloud SDN connector with a Kubernetes filter in the CLI:
  1. Configure the AliCloud SDN connector:
    config system sdn-connector
        edit "ali1"
            set type alicloud
            set access-key "****************"
            set secret-key xxxxxxxx
            set region "us-west-1"
        next
    end
  2. Create a dynamic firewall address with the supported Kubernetes filter:
    config firewall address
        edit "ali_add1"
            set type dynamic
            set sdn "ali1"
            set color 10
            set filter "K8S_Cluster=zhmcluster1"
        next
    end
  3. Confirm that the AliCloud SDN connector resolves dynamic firewall IP addresses using the configured filter:
    config firewall address
        edit "ali_add1"
            show
                config firewall address
                    edit "ali_add1"
                        set uuid c48e4f00-5435-51eb-0547-aced5cf80f1f
                        set type dynamic
                        set sdn "ali1"
                        set color 10
                        set filter "K8S_Cluster=zhmcluster1"
                        config list
                            edit "10.0.0.28"
                            next
                            edit "10.0.0.29"
                            next
                            edit "10.0.0.30"
                            next
                            ...
                        end
                    next
                end
        next
    end
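
One way to check a saved copy of the step 3 `show` output, as an added example that is not part of the Fortinet guide: the Python below extracts the filter and the resolved addresses, then reports a changed filter, an empty list, or addresses outside an expected range. The sample text is constructed from the output above; the function names and the expected range are assumptions.

```python
import ipaddress
import re

# Constructed sample: `show` output for the dynamic address, modelled on step 3.
SAMPLE_SHOW = '''
config firewall address
    edit "ali_add1"
        set type dynamic
        set sdn "ali1"
        set filter "K8S_Cluster=zhmcluster1"
        config list
            edit "10.0.0.28"
            next
            edit "10.0.0.29"
            next
            edit "10.0.0.30"
            next
        end
    next
end
'''

def parse_dynamic_address(show_text):
    """Return (filter string, resolved IPs) found in the `show` output."""
    m = re.search(r'^\s*set filter "([^"]*)"', show_text, re.M)
    flt = m.group(1) if m else None
    ips, in_list = [], False
    for line in show_text.splitlines():
        s = line.strip()
        if s == "config list":
            in_list = True          # resolved addresses follow
        elif in_list and s == "end":
            in_list = False         # end of the resolved list
        elif in_list and (e := re.fullmatch(r'edit "([^"]+)"', s)):
            ips.append(e.group(1))
    return flt, ips

def audit(show_text, expected_filter, expected_cidr):
    """List problems; expected_cidr is an operator-supplied (assumed) range."""
    flt, ips = parse_dynamic_address(show_text)
    net = ipaddress.ip_network(expected_cidr)
    problems = []
    if flt != expected_filter:
        problems.append(f"filter is {flt!r}, expected {expected_filter!r}")
    if not ips:
        problems.append("no addresses resolved for this filter")
    problems += [f"{ip} is outside {expected_cidr}"
                 for ip in ips if ipaddress.ip_address(ip) not in net]
    return problems
```

For example, `audit(SAMPLE_SHOW, "K8S_Cluster=zhmcluster1", "10.0.0.0/24")` returns an empty list; 10.0.0.0/24 is an assumed value for the cluster's private range.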
