Onboard a Kubernetes Cluster

You can onboard a Kubernetes cluster to CloudGuard Native. Once a cluster is onboarded, the cluster, its nodes, and its pods appear on the CloudGuard Native Cloud Inventory page, and you can run compliance assessments on them.

The cluster can be on an on-premises host or in a cloud environment, including managed Kubernetes services such as AKS on Azure, EKS on AWS, and GKE on GCP.

As part of the onboarding process, a CloudGuard Native agent is deployed on the cluster. The agent reports the cluster's inventory (its resources) back to CloudGuard Native, which uses it, for example, to run compliance assessments on the cluster. The agent communicates with CloudGuard Native over the internet, so the cluster needs outbound connectivity (see Connectivity Requirements below).

Supported Kubernetes versions

  • Kubernetes v1.12 and higher

  • Helm v3.0 and higher

Required Permissions

The CloudGuard Native agent is read-only: it requires only the Kubernetes RBAC verbs list and get on these resources:

  • pods

  • nodes

  • nodes/proxy

  • services

  • ingresses

  • networkpolicies

  • podsecuritypolicies

  • roles

  • rolebindings

  • clusterroles

  • clusterrolebindings

  • globalnetworkpolicies (a Calico custom resource, present only on clusters that run Calico)

  • serviceaccounts
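Before onboarding, it is worth confirming that the service account the agent will run under actually holds these grants, rather than discovering gaps from an agent that silently reports partial inventory. The script below is an added example written for this page; it is not part of the page or of Check Point's Helm chart. It parses the table that kubectl auth can-i --list prints (columns Resources, Non-Resource URLs, Resource Names, Verbs) and reports every required get/list grant that is missing, treating wildcard resources and wildcard verbs as satisfying everything. The live check impersonates the agent's service account with --as, which requires impersonation rights for the caller; the namespace and service-account names, and the sample output it runs against, are constructed for illustration.

```python
"""Pre-flight RBAC check for the CloudGuard Native agent's service account.

Parses the output of `kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa>`
and reports which of the required get/list grants are missing.
"""
import re
import subprocess

# Resources the agent must be able to "get" and "list" (the list on this page).
REQUIRED_RESOURCES = [
    "pods", "nodes", "nodes/proxy", "services", "ingresses", "networkpolicies",
    "podsecuritypolicies", "roles", "rolebindings", "clusterroles",
    "clusterrolebindings", "globalnetworkpolicies", "serviceaccounts",
]
REQUIRED_VERBS = {"get", "list"}

# The Verbs column is the last bracketed group on each row, e.g. "[get list]".
_VERBS_RE = re.compile(r"\[([^\]]*)\]\s*$")


def _base_name(resource):
    """Strip the API group: 'ingresses.networking.k8s.io' -> 'ingresses',
    'deployments.apps/scale' -> 'deployments/scale', '*.*' -> '*'."""
    name, _, subresource = resource.partition("/")
    name = name.split(".", 1)[0]
    return f"{name}/{subresource}" if subresource else name


def parse_can_i_list(text):
    """Turn `kubectl auth can-i --list` output into {resource: set_of_verbs}.

    Rows for non-resource URLs have an empty Resources column, so their first
    token is the bracketed URL list; those rows are skipped. Verbs from
    several rows for the same resource (e.g. two bindings) are merged.
    """
    grants = {}
    for line in text.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if not cols or cols[0].startswith("["):
            continue
        match = _VERBS_RE.search(line)
        if not match:
            continue
        verbs = set(match.group(1).split())
        grants.setdefault(_base_name(cols[0]), set()).update(verbs)
    return grants


def missing_permissions(text):
    """Return {resource: [missing verbs]} for every required grant not present.
    A wildcard resource ('*') or wildcard verb ('*') satisfies everything."""
    grants = parse_can_i_list(text)
    wildcard = grants.get("*", set())
    missing = {}
    for resource in REQUIRED_RESOURCES:
        have = grants.get(resource, set()) | wildcard
        if "*" in have:
            continue
        lacking = sorted(REQUIRED_VERBS - have)
        if lacking:
            missing[resource] = lacking
    return missing


def check_service_account(namespace, service_account, kubectl="kubectl"):
    """Live check: impersonate the agent's service account (assumed names).
    The caller needs RBAC permission to impersonate service accounts."""
    subject = f"system:serviceaccount:{namespace}:{service_account}"
    result = subprocess.run(
        [kubectl, "auth", "can-i", "--list", "--as", subject],
        check=True, capture_output=True, text=True,
    )
    return missing_permissions(result.stdout)


# Constructed sample output (not captured from a real cluster): the binding
# covers most resources but lacks list on nodes/proxy, get on
# podsecuritypolicies, and everything on the Calico globalnetworkpolicies.
SAMPLE_OUTPUT = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
                                                [/healthz]          []               [get]
pods                                            []                  []               [get list watch]
nodes                                           []                  []               [get list]
nodes/proxy                                     []                  []               [get]
services                                        []                  []               [get list]
serviceaccounts                                 []                  []               [get list]
ingresses.networking.k8s.io                     []                  []               [get list]
networkpolicies.networking.k8s.io               []                  []               [get list]
podsecuritypolicies.policy                      []                  []               [list]
roles.rbac.authorization.k8s.io                 []                  []               [get list]
rolebindings.rbac.authorization.k8s.io          []                  []               [get list]
clusterroles.rbac.authorization.k8s.io          []                  []               [get list]
clusterrolebindings.rbac.authorization.k8s.io   []                  []               [get list]
"""

if __name__ == "__main__":
    for resource, verbs in missing_permissions(SAMPLE_OUTPUT).items():
        print(f"missing on {resource}: {', '.join(verbs)}")
```

Run check_service_account("<agent namespace>", "<agent service account>") against the real cluster after the Helm release is installed; an empty result means every required grant is in place. A missing globalnetworkpolicies entry on a cluster that does not run Calico is expected, since the resource type does not exist there.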

Connectivity Requirements

The CloudGuard Native pod must have outbound HTTPS connectivity to CloudGuard Native (https://api-cpx.dome9.com), and the cluster must be able to pull the agent image from the Quay image registry (https://quay.io/checkpoint). Note that the image is pulled by the container runtime on each node, so it is the nodes' egress, not only the pod's, that must reach quay.io.

If the CloudGuard Native pod image is mirrored to a private registry, connectivity to Quay is not required. In that case, set the Helm chart parameter image.repository to the location of the image. See https://github.com/CheckPointSW/charts/tree/master/checkpoint/cp-resource-management for more information about setting this parameter.

Onboard a Cluster

Follow the steps below to onboard a Kubernetes cluster to CloudGuard Native.

Onboarding Automation

Follow these steps to automate the onboarding process from the command line.

Example

Upgrade the agent

Follow the steps below to upgrade the agent from an earlier version to v1.1.0.

Uninstall the Agent