
As more organizations transition to cloud-native architectures and container-based deployments, maintaining strong security becomes a critical priority. The dynamic and distributed nature of these environments brings unique risks that demand a comprehensive and adaptive security approach. Fortinet delivers a robust portfolio of tools tailored to meet these challenges, offering deep visibility, granular control, and end-to-end protection across your cloud ecosystem.
In this article, we’ll highlight essential areas of cloud security, such as source code and container vulnerability scanning, security best practices for Oracle Kubernetes Engine (OKE), and advanced FortiCNAPP features for Kubernetes workloads. We’ll also examine the role of FortiGate in monitoring outbound traffic and how FortiWeb Ingress Controller safeguards external-facing services. By implementing these strategies and leveraging Fortinet’s integrated solutions, organizations can significantly improve the security and resilience of their cloud-native applications.
Oracle Kubernetes Engine (OKE) offers a fully managed Kubernetes platform, but securing it effectively still depends on following established best practices. Applying industry benchmarks such as those from the CIS Kubernetes and OKE guidelines helps ensure your clusters are not only secure, but also reliable and cost-efficient. When leveraging FortiCNAPP for Kubernetes Security Posture Management (KSPM), it's essential to understand how its capabilities support compliance enforcement and strengthen the overall security of your OKE environment.
Examples of benchmark checks in this area include:
The system:masters group is not used for user or component authentication after bootstrapping.
The --use-service-account-credentials flag is enabled.
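To make the two benchmark checks above concrete, here is an added example (not FortiCNAPP, Oracle or CIS code) that evaluates them offline against constructed input: a few Kubernetes audit-log events in JSON format, and a controller-manager pod manifest in the shape `kubectl get pod -o json` returns. The event contents, usernames and pod spec are all constructed for illustration; on a managed control plane such as OKE the manifest check applies only where the provider exposes the component configuration.

```python
"""Two posture checks mirroring the CIS-style controls above, run offline on
constructed input (added example, not FortiCNAPP or Oracle code)."""
import json

# Constructed: one Kubernetes audit event per line (JSON audit-log format).
AUDIT_LOG = """
{"auditID":"a1","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"verb":"create","requestURI":"/api/v1/namespaces/prod/secrets","stage":"ResponseComplete"}
{"auditID":"a2","user":{"username":"alice","groups":["dev","system:authenticated"]},"verb":"get","requestURI":"/api/v1/namespaces/dev/pods","stage":"ResponseComplete"}
{"auditID":"a3","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"verb":"list","requestURI":"/api/v1/nodes","stage":"ResponseComplete"}
{"auditID":"a4","user":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"verb":"get","requestURI":"/healthz","stage":"RequestReceived"}
"""


def system_masters_usage(audit_log_text):
    """Return (auditID, username, verb, requestURI) for every completed request
    authenticated as a member of system:masters. Membership in that group
    bypasses RBAC entirely, so any day-to-day use of it after bootstrapping is
    the finding the first control describes."""
    findings = []
    for line in audit_log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete":
            continue  # count each request once, at completion
        user = event.get("user", {})
        if "system:masters" in user.get("groups", []):
            findings.append((event["auditID"], user["username"],
                             event["verb"], event["requestURI"]))
    return findings


# Constructed: kube-controller-manager static pod as `kubectl get pod -o json`
# would return it; the flag value is deliberately set to the failing case.
CONTROLLER_MANAGER_POD = json.loads("""
{"metadata":{"name":"kube-controller-manager","namespace":"kube-system"},
 "spec":{"containers":[{"name":"kube-controller-manager",
   "command":["kube-controller-manager",
              "--use-service-account-credentials=false",
              "--leader-elect=true"]}]}}
""")


def flag_value(pod, flag):
    """Return the value given for `flag` in any container's command/args, or
    None if the flag is absent. A bare boolean flag counts as "true"."""
    for container in pod["spec"]["containers"]:
        for arg in container.get("command", []) + container.get("args", []):
            if arg == flag:
                return "true"
            if arg.startswith(flag + "="):
                return arg.split("=", 1)[1]
    return None


def uses_service_account_credentials(pod):
    """Second control: the controller manager must run each controller with its
    own service-account token so permissions can be scoped per controller."""
    return flag_value(pod, "--use-service-account-credentials") == "true"


if __name__ == "__main__":
    for finding in system_masters_usage(AUDIT_LOG):
        print("system:masters used:", finding)
    print("use-service-account-credentials enabled:",
          uses_service_account_credentials(CONTROLLER_MANAGER_POD))
```

Against the constructed data the audit check reports only event a1 (a4 is the same principal but only at the RequestReceived stage, so it is not counted twice), and the manifest check fails because the flag is explicitly false.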
In today's fast-paced development environments, containerized applications are becoming the norm. However, with this shift comes the critical need for robust security measures. Code and container scanning are essential practices to identify and mitigate vulnerabilities within containerized applications. These scans help detect issues in the base images, application code, and dependencies, ensuring that potential security weaknesses are addressed before deployment.
Key Considerations:
FortiCNAPP integrates seamlessly with Kubernetes Admission Controllers to enhance security during the deployment process. By using the ValidatingAdmissionWebhook, FortiCNAPP scans container images for vulnerabilities before they are deployed, ensuring that only secure images are allowed into the production environment. This proactive approach helps prevent the introduction of vulnerabilities and maintains the integrity of your Kubernetes clusters.
See Integrate with Kubernetes Admission Controller
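The decision logic such a webhook applies is worth seeing end to end. The following is an added example, not FortiCNAPP's webhook or API: it takes an AdmissionReview request for a Pod, collects every image reference (init containers included), and denies admission when an image comes from an unknown registry, uses a mutable or missing tag, has no scan result on record, or carries a blocking severity. The registry name, image names and scan verdicts are constructed; a real deployment would replace the `SCAN_RESULTS` lookup with a call to the scanner and serve `review()` over TLS, which is omitted here.

```python
"""Decision logic of an image-gating ValidatingAdmissionWebhook (added
illustration; the scanner lookup is a constructed stand-in, not FortiCNAPP)."""

# Constructed scan results keyed by image reference: highest severity found.
SCAN_RESULTS = {
    "ocir.example.com/shop/api:1.4.2": "Medium",
    "ocir.example.com/shop/worker:0.9.0": "Critical",
}
BLOCKING_SEVERITIES = {"Critical", "High"}
ALLOWED_REGISTRY = "ocir.example.com/"   # constructed registry prefix


def image_refs(pod_spec):
    """Yield every image a Pod would pull, init containers first."""
    for key in ("initContainers", "containers"):
        for container in pod_spec.get(key, []):
            yield container["image"]


def evaluate_image(image):
    """Return None if the image may be admitted, else the reason to deny it.
    Unknown images fail closed: no scan result means no deployment."""
    if not image.startswith(ALLOWED_REGISTRY):
        return f"{image}: registry not in allow-list"
    name = image.rsplit("/", 1)[-1]
    if "@sha256:" not in name and (":" not in name or name.endswith(":latest")):
        return f"{image}: mutable or missing tag; pin a tag or digest"
    severity = SCAN_RESULTS.get(image)
    if severity is None:
        return f"{image}: no scan result on record (failing closed)"
    if severity in BLOCKING_SEVERITIES:
        return f"{image}: highest vulnerability severity is {severity}"
    return None


def review(admission_review):
    """Build the AdmissionReview response for a Pod admission request."""
    request = admission_review["request"]
    pod = request["object"]
    reasons = [r for r in (evaluate_image(i) for i in image_refs(pod["spec"])) if r]
    response = {"uid": request["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview", "response": response}


def admission_review_for(uid, images):
    """Construct an AdmissionReview request for a Pod running `images`
    (sample input for the example, in the shape the API server sends)."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid,
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "namespace": "prod", "operation": "CREATE",
                        "object": {"apiVersion": "v1", "kind": "Pod",
                                   "metadata": {"name": "shop"},
                                   "spec": {"containers": containers}}}}


if __name__ == "__main__":
    print(review(admission_review_for("u-constructed-1",
                                      ["ocir.example.com/shop/api:1.4.2",
                                       "ocir.example.com/shop/worker:0.9.0"])))
```

The response keeps the request's `uid` and sets `allowed` to false with a 403 status carrying every failing image, so the reason surfaces in the user's `kubectl` error rather than only in webhook logs.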
Visibility into Kubernetes pods is crucial for maintaining security and operational efficiency. FortiCNAPP offers both sidecar and agent options to monitor pod activity. These agents provide detailed insights into processes, network connections, and other critical metrics within the pods. By leveraging these visibility options, organizations can detect and respond to threats in real-time, ensuring the security of their containerized applications.
The proposed architecture is a secure and scalable Oracle Cloud Infrastructure (OCI) deployment model focused on containerized workloads running on Oracle Kubernetes Engine (OKE). It incorporates both Web Application Firewall (WAF) for secure ingress and a Next-Generation Firewall (NGFW) for secured and inspected egress traffic. This setup adheres to Zero Trust principles while enabling centralized security enforcement, observability, and high availability.
Protecting inbound traffic is a critical step in defending Kubernetes workloads against external attacks. FortiWeb enhances ingress security by delivering advanced features such as a Web Application Firewall (WAF), SSL/TLS offloading, and smart traffic distribution. These functions work together to filter out malicious activity, reduce the risk of data exposure, and ensure that only trusted requests reach your services.
Although FortiWeb can act as a Kubernetes Ingress Controller, its greatest advantage lies in reinforcing the security posture of publicly accessible applications regardless of the specific ingress solution deployed within the cluster, as depicted in the picture below:
Ingress Flow
The FortiWeb VM is configured as a reverse proxy, allowing Internet users to access the HTTP service exposed by OKE. A server policy is in place to permit incoming HTTP traffic from the Internet to be redirected to the OKE load balancer, which then distributes the traffic across the internal nodes hosting the pods.
Accessing the application from the Internet:
FortiWeb packet capture:
The FortiWeb external IP address is 192.168.0.21.
The egress traffic flow details how outbound connections originating from workloads running inside the OCI Oracle Kubernetes Engine (OKE) cluster are routed toward the public internet or external services, while being monitored, filtered, and protected by a FortiGate Next-Generation Firewall (NGFW).
This design ensures that all outbound traffic is subject to policy enforcement, threat detection, and logging before leaving the OCI environment, in alignment with Zero Trust and compliance frameworks as depicted in the picture below:
Egress Flow
FortiGate Egress Control for OKE Workloads:
FortiGate leverages the OCI SDN Connector to access Oracle Kubernetes Engine (OKE) parameters, enabling dynamic discovery and real-time monitoring of Kubernetes resources such as pods, services, and namespaces. This capability empowers FortiGate to:
Automatically populate dynamic address groups using Kubernetes metadata (e.g., k8s_namespace, k8s_podname, k8s_label).
Enforce adaptive security policies that respond to workload changes.
Enforce egress control by blocking unauthorized traffic, including attempts to access sensitive endpoints like the Kubernetes API server, kubelet, and cloud metadata services.
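Whether the egress policy actually blocks those sensitive endpoints is something to verify from the firewall's own traffic logs. The following is an added example, not FortiGate or FortiCNAPP code: it parses FortiGate-style key=value traffic-log lines, keeps flows whose source is in the pod network (assumed here to be 172.16.0.0/16, matching the pod address shown later in this article), and reports any that targeted the cloud metadata service, the Kubernetes API server port or the kubelet port, together with the action the firewall took. The log lines, device name, addresses and policy IDs are all constructed.

```python
"""Detection over constructed FortiGate traffic-log lines: which pod egress
flows targeted the sensitive endpoints listed above, and whether the firewall
already denied them (added example, not FortiGate or FortiCNAPP code)."""
import ipaddress
import re

# Assumed pod CIDR for the example (the article shows a pod at 172.16.3.115).
POD_NETWORK = ipaddress.ip_network("172.16.0.0/16")

# Sensitive destinations from the egress-control list above.
METADATA_SERVICE = ipaddress.ip_address("169.254.169.254")
SENSITIVE_PORTS = {6443: "kubernetes-api", 10250: "kubelet"}

# Constructed log lines in FortiGate's key=value format (not from a real device).
SAMPLE_LOG = """\
date=2025-05-12 time=10:21:07 devname="FGT-OCI" type="traffic" subtype="forward" srcip=172.16.3.115 srcport=41234 srcintf="port2" dstip=8.8.8.8 dstport=53 dstintf="port1" proto=17 action="accept" policyid=3
date=2025-05-12 time=10:21:09 devname="FGT-OCI" type="traffic" subtype="forward" srcip=172.16.3.115 srcport=41240 srcintf="port2" dstip=169.254.169.254 dstport=80 dstintf="port1" proto=6 action="deny" policyid=9
date=2025-05-12 time=10:21:12 devname="FGT-OCI" type="traffic" subtype="forward" srcip=172.16.3.115 srcport=41250 srcintf="port2" dstip=10.0.0.5 dstport=6443 dstintf="port1" proto=6 action="accept" policyid=3
date=2025-05-12 time=10:21:15 devname="FGT-OCI" type="traffic" subtype="forward" srcip=192.168.0.40 srcport=51000 srcintf="port2" dstip=10.0.0.7 dstport=10250 dstintf="port1" proto=6 action="accept" policyid=3
date=2025-05-12 time=10:21:18 devname="FGT-OCI" type="traffic" subtype="forward" srcip=172.16.3.118 srcport=41260 srcintf="port2" dstip=10.0.0.7 dstport=10250 dstintf="port1" proto=6 action="accept" policyid=3
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def classify(record):
    """Name the sensitive endpoint a record targets, or None if it is ordinary."""
    if ipaddress.ip_address(record["dstip"]) == METADATA_SERVICE:
        return "cloud-metadata"
    return SENSITIVE_PORTS.get(int(record["dstport"]))


def sensitive_pod_egress(log_text):
    """Return (time, srcip, "dstip:dstport", endpoint, action) for every flow
    from the pod network to a sensitive endpoint. A "deny" shows the policy
    working and is still worth an alert; an "accept" is a policy gap."""
    findings = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record.get("type") != "traffic":
            continue
        if ipaddress.ip_address(record["srcip"]) not in POD_NETWORK:
            continue  # node or firewall traffic is out of scope here
        endpoint = classify(record)
        if endpoint:
            findings.append((record["time"], record["srcip"],
                             f'{record["dstip"]}:{record["dstport"]}',
                             endpoint, record["action"]))
    return findings


def policy_gaps(log_text):
    """Only the accepted sensitive flows, i.e. what the egress policy missed."""
    return [f for f in sensitive_pod_egress(log_text) if f[4] == "accept"]


if __name__ == "__main__":
    for finding in sensitive_pod_egress(SAMPLE_LOG):
        print(finding)
    print("policy gaps:", len(policy_gaps(SAMPLE_LOG)))
```

On the constructed lines the DNS flow is ignored, the metadata-service attempt is reported as already denied, the flow from the node address 192.168.0.40 is skipped because it is not pod traffic, and the two accepted flows to the API server and kubelet ports are the ones that indicate a policy gap to close.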
The FortiGate VM is configured to inspect North-South traffic originating from the Spoke VCNs. All traffic coming from OKE is routed to the FortiGate, where NAT is performed to enable the worker nodes and pods to access the Internet.
Testing the Internet connectivity:
From the traceroute command it is possible to see that the packets are reaching the FortiGate's internal IP address 192.168.0.40.
$ kubectl exec -it busybox -- /bin/sh
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=117 time=1.547 ms
64 bytes from 8.8.8.8: seq=1 ttl=117 time=1.532 ms
64 bytes from 8.8.8.8: seq=2 ttl=117 time=1.532 ms
64 bytes from 8.8.8.8: seq=3 ttl=117 time=1.524 ms
64 bytes from 8.8.8.8: seq=4 ttl=117 time=1.467 ms
FortiGate packet capture:
The FortiGate external IP address is 192.168.0.22 (port1); it is the NATed address for the busybox pod, which has the IP address 172.16.3.115 (port2).
Building secure and resilient OKE clusters on OCI requires a multi-layered approach to networking and security. From the VCN design and traffic flow segmentation to identity management and runtime policy enforcement, these best practices provide a hardened baseline for modern Kubernetes operations.
By implementing private subnets, robust access controls, and OCI-native integrations like Logging and Monitoring, you not only reduce the attack surface but also gain deep visibility and control. With NetworkPolicies and admission controllers in place, you achieve workload-level isolation and policy compliance.
Adopting these principles positions your team for secure Kubernetes lifecycle management, high availability, and strong alignment with compliance and DevSecOps goals.
By following these guidelines and leveraging Fortinet's comprehensive security solutions, organizations can enhance the security and efficiency of their cloud-native applications. For more advanced configurations and deployment in production environments, contact Fortinet's Cloud Consulting Services team at consulting@fortinet.com.
Copyright 2025 Fortinet, Inc. All Rights Reserved.