CloudGuard Controller for Kubernetes

Connecting to a Kubernetes Server

1. Configure the settings in Kubernetes

   1. Create a service account for CloudGuard Controller that includes access to: endpoints, pods, services, and nodes.

      Example:

      Run these "kubectl create" commands in the order listed below:

      kubectl create serviceaccount cloudguard-controller

      kubectl create clusterrole endpoint-reader --verb=get,list --resource=endpoints

      kubectl create clusterrolebinding allow-cloudguard-access-endpoints --clusterrole=endpoint-reader --serviceaccount=default:cloudguard-controller

      kubectl create clusterrole pod-reader --verb=get,list --resource=pods

      kubectl create clusterrolebinding allow-cloudguard-access-pods --clusterrole=pod-reader --serviceaccount=default:cloudguard-controller

      kubectl create clusterrole service-reader --verb=get,list --resource=services

      kubectl create clusterrolebinding allow-cloudguard-access-services --clusterrole=service-reader --serviceaccount=default:cloudguard-controller

      kubectl create clusterrole node-reader --verb=get,list --resource=nodes

      kubectl create clusterrolebinding allow-cloudguard-access-nodes --clusterrole=node-reader --serviceaccount=default:cloudguard-controller

   2. Get the Kubernetes URL:

      kubectl cluster-info

   3. It is necessary to have a service account token for the connection. Refer to the Kubernetes documentation for your version. For example:

      • For Kubernetes version 1.24 and higher, generate and export a token for the service account to a file. The token you create must not expire. If the token expires, the Data Center Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data. loses connectivity. To create a token that does not expire:

        kubectl apply -f - <<EOF apiVersion: v1 kind: Secret metadata:   name: cloudguard-controller-secret   annotations:     kubernetes.io/service-account.name: cloudguard-controller type: kubernetes.io/service-account-token EOF

        kubectl create token cloudguard-controller > token_file

        Note: To add the data center in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., the token must be Base64 decoded.

      • For Kubernetes version 1.23 and lower, export the service account token to a Base64 encoded file.

        kubectl get secret $(kubectl get serviceaccount cloudguard-controller -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode -w 0 > token_file

2. Configure the settings in SmartConsole

   1. In SmartConsole, create a new Data Center object in one of these ways:

      • In the top left corner, click Objects menu > More object types > Server > Data Center > Kubernetes.

      • In the top right corner, click Objects Pane > New > More > Server > Data Center > Kubernetes.

   2. Enter a name for the Data Center object.

   3. Enter the Kubernetes URL (from Step 1-b).

   4. Import the service account token file (from Step 1-c).

   5. Import CA certificate (not mandatory): if you are interested in importing a CA certificate, connect to your Kubernetes Data Center and access .kube/config . In the config, copy the *certificate-authority-data* of the relevant Data Center into a .txt file and use it as the CA certificate.

   6. Click Test Connections and make sure that the connection works.

   7. Click OK.

   8. Publish the SmartConsole session.

   9. Install the Access Control policy on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

Kubernetes Imported Objects

Object	Description
Namespace	Group of resources in a single cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..
Node	A virtual or physical machine, depending on the Cluster.
Pod	The smallest deployable units of computing that you can create and manage in Kubernetes. A group of one or more containers, with shared storage and network resources, and a specification for how to run the containers.
Service	A method for exposing a network application that runs as one or more Pods in your Cluster.
Labels	Key-value pairs attached to Services and Nodes within a Kubernetes cluster.
Service Endpoint	Each Service object defines a logical set of endpoints (usually, these endpoints are Pods) along with a policy about how to make those pods accessible.
Tags	Keys and Values attached to the Object. Note - PODs get an implicit '__namespace' tag with the value of their namespace. You can use it, for example, when creating a Data Center Query to filter PODs by their namespace: Type in data center: pod Tag key=__namespace and Tag value=<the relevant namespace> The __namespace tag is supported staring R81.10 Jumbo HFA Take 131.

Connecting to a Kubernetes Data Center Server with Management API

Go to Management API Reference > Click on see arguments per Data Center Server type and select Kubernetes.

Notes: The token needs to be Base64 encoded (as you receive it from Kubernetes). The CA Certificate needs to be double Base64 encoded (encoded once more on top of how you receive it from Kubernetes).

Connecting to a Kubernetes Data Center Server with Terraform

See checkpoint_management_kubernetes_data_center_server.