CloudGuard Controller for Kubernetes

Adding Kubernetes to CloudGuard Controller

Check Point CloudGuard ControllerClosed Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security. now protects North-South inspection for increased KubernetesClosed Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services that facilitates both declarative configuration and automation. security.

The new Container security component is available in native Kubernetes and managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon EKS, Google Kubernetes Engine, and others.

Prerequisite

  • Kubernetes version 1.12 and above

Note - Island Mode (NATed IP address for Nodes) is not supported.

Connecting to a Kubernetes Server

Kubernetes Imported Objects

Object

Description

Namespace

Group of resources in a single clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..

Node

A virtual or physical machine, depending on the Cluster.

Pod

The smallest deployable units of computing that you can create and manage in Kubernetes. A group of one or more containers, with shared storage and network resources, and a specification for how to run the containers.

Service

A method for exposing a network application that runs as one or more Pods in your Cluster.

Labels

Key-value pairs attached to Services and Nodes within a Kubernetes cluster.

Service Endpoint

Each Service object defines a logical set of endpoints (usually, these endpoints are Pods) along with a policy about how to make those pods accessible.

Tags

Keys and Values attached to the Object.

Note - PODs get an implicit '__namespace' tag with the value of their namespace. You can use it, for example, when creating a Data Center Query to filter PODs by their namespace:

  • Type in data center: pod

  • Tag key=__namespace and Tag value=<the relevant namespace>

The __namespace tag is supported staring R81.10 Jumbo HFA Take 131.

Connecting to a Kubernetes Data Center Server with Management API

Go to Management API Reference > Click on see arguments per Data Center Server type and select Kubernetes.

Notes:

  • The token needs to be Base64 encoded (as you receive it from Kubernetes).

  • The CA Certificate needs to be double Base64 encoded (encoded once more on top of how you receive it from Kubernetes).

Connecting to a Kubernetes Data Center Server with Terraform

See checkpoint_management_kubernetes_data_center_server.