Description
This article describes the procedure to integrate a Minikube Kubernetes in VirtualBox with FortiGate Private SDN Connector. The integration can protect the Kubernetes Cluster from external threats with FortiGate when exposing the application or services to the public.
Minikube is a lightweight tool to deploy a one-node Kubernetes Cluster. It requires a docker or Virtual Machine to deploy.
In this example, the cluster is deployed with a VirtualBox.
Scope
FortiGate.
Solution
The deployment of Kubernetes will need to install a Minikube and VirtualBox. The procedure below will provide a guide to set up the environment.
- VirtualBox installation:Refer to the link below for the installation guide: https://www.virtualbox.org/
- Kubernetes Installation: Kubernetes use Kubectl for CLI operation and the cluster can be set up on various OS platform.Refer guide below for setup: https://kubernetes.io/docs/tasks/tools/
- Minikube Installation: Minikube can be installed on different OS platforms and will need to fulfill the minimum requirements below:
- 2 CPUs or more.
- 2GB of free memory.
- 20GB of free disk space.
- Internet connection.
- Container or virtual machine manager, such as: Docker, QEMU, Hyperkit, Hyper-V, KVM, Parallels, Podman, VirtualBox, or VMware Fusion/Workstation.
Refer to the link below for the installation guide: https://minikube.sigs.k8s.io/docs/start/
After the 'minikube start' is executed in the CLI command, it will create a one-node Kubernetes and automatically choose the driver available. To deploy with a specific driver execute the command below:
minikube start <----- Automatically choose driver available.
minikube start --driver=<driver name> <----- Specific driver to mount Minikube.
minikube start --driver=none <----- Deploy Minikube without driver (only available to Linux OS).
After the minikube is deployed, the IP Address can be verified with the command below:
- VirtualBox Port Forwarding: In this example, the Minikube is deployed with VirtualBox and VirtualBox will create 2 network interfaces for the Minikube VM by default.
Adapter 1: NAT (External device or host connection).
Adapter 2: Host-only Adapter (Internal Kubernetes connection).
For Kubernetes to be accessible from the host or external devices, the NAT adapter needs to configure port forwarding. In VirtualBox, go to minikube -> Settings -> Network -> Adapter 1 -> Advanced -> Port Forwarding -> Create new rules:
Host IP: Interface IP connected to external devices (By default, localhost is applied).
Host Port: Any port between 1-65535 for external devices connection.
Guest Port: Kubernetes cluster port.
The Kubernetes cluster port can be obtained from the command below:
- Kubernetes deployment: After Kubernetes has been deployed, the pods, services, and other components of Kubernetes can be set up accordingly. The deployment can be configured in YAML or JSON file and deployed with the command below:
kubectl apply -f <YAML file or JSON file path>
- Kubernetes authentication for API access: Kubernetes API requires authentication to access. Hence, Kubernetes needs to create Service Account and Cluster Role and bind the Cluster Role to the Service Account. The Service Account will provide a FortiToken for FortiGate to authenticate itself and query for dynamic IP addresses from Kubernetes API.
Refer to the guide below for more information:
Note:
Versions of Kubernetes before v1.22 automatically created long-term credentials for accessing the Kubernetes API. This older mechanism was based on creating FortiToken Secrets that could then be mounted into running Pods. In more recent versions, including Kubernetes v1.26, API credentials are obtained directly by using the TokenRequest API, and are mounted into Pods using a projected volume.
The tokens obtained using this method have bounded lifetimes and are automatically invalidated when the Pod they are mounted into is deleted.
It is still possible to manually create a service account FortiToken Secret; for example, if a FortiToken that never expires.
Example of YAML is provided below:
apiVersion: v1
kind: Secret
metadata:
name: <token name>
annotations:
kubernetes.io/service-account.name: <service account name>
type: kubernetes.io/service-account-token
- FortiGate configuration: The configuration of FortiGate Private Cloud Kubernetes Connector is provided below: Private Cloud K8s Connector
The IP address and a port number need to point towards the port forwarding exposed at the VirtualBox NAT Adapter in Step 3
Note:
The Secret FortiToken is obtained from the configuration from Step 5.
The FortiToken is encoded with base64 and needs to be decoded for application in the FortiGate Private SDN Connector configuration.
Use the kubectl command below to get the FortiToken:
kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='fortigateconnector')].data.token}"| base64 –decode
OR
kubectl get secrets -o json
Copy the FortiToken in the output below and decode manually with Base64:
- Query dynamic address for Kubernetes: After the connection is established, FortiGate is able to query all the IP Addresses from Kubernetes.
Refer to the below link for configuration:
Collecting only node IP addresses with Kubernetes SDN connectors
- Application of Kubernetes in Firewall Policy: After the address is obtained from Kubernetes, it can be applied in a firewall policy similar to an ordinary firewall object.
Related documents:
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/295444/private-cloud-k8s-connector
https://minikube.sigs.k8s.io/docs/start/
https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/
