CloudGuard Controller for Kubernetes

Connecting to a Kubernetes Server

1. Configure the settings in Kubernetes

   1. Create a service account for CloudGuard Controller that includes access to: endpoints, pods, services, and nodes.

      Example:

      Run these "kubectl create" commands in the order listed below:

      kubectl create serviceaccount cloudguard-controller

      kubectl create clusterrole endpoint-reader --verb=get,list --resource=endpoints

      kubectl create clusterrolebinding allow-cloudguard-access-endpoints --clusterrole=endpoint-reader --serviceaccount=default:cloudguard-controller

      kubectl create clusterrole pod-reader --verb=get,list --resource=pods

      kubectl create clusterrolebinding allow-cloudguard-access-pods --clusterrole=pod-reader --serviceaccount=default:cloudguard-controller

      kubectl create clusterrole service-reader --verb=get,list --resource=services

      kubectl create clusterrolebinding allow-cloudguard-access-services --clusterrole=service-reader --serviceaccount=default:cloudguard-controller

      kubectl create clusterrole node-reader --verb=get,list --resource=nodes

      kubectl create clusterrolebinding allow-cloudguard-access-nodes --clusterrole=node-reader --serviceaccount=default:cloudguard-controller

   2. Get the Kubernetes URL:

      kubectl cluster-info

   3. It is necessary to have a service account token for the connection. Refer to the Kubernetes documentation for your version. For example:

      • For Kubernetes version 1.24 and higher, generate and export a token for the service account to a file. The token you create must not expire. If the token expires, the Data Center Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data. loses connectivity. To create a token that does not expire:

        kubectl apply -f - <<EOF apiVersion: v1 kind: Secret metadata: name: cloudguard-controller-secret annotations: kubernetes.io/service-account.name: cloudguard-controller type: kubernetes.io/service-account-token EOF

        kubectl create token cloudguard-controller > token_file

      • For Kubernetes version 1.23 and lower, export the service account token to a Base64 encoded file.

        kubectl get secret $(kubectl get serviceaccount cloudguard-controller -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode -w 0 > token_file

2. Configure the settings in SmartConsole

   1. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., create a new Data Center object in one of these ways:

      • In the top left corner, click Objects menu > More object types > Server > Data Center > Kubernetes.

      • In the top right corner, click Objects Pane > New > More > Server > Data Center > Kubernetes.

   2. Enter a name for the Data Center object.

   3. Enter the Kubernetes URL (from Step 1-b).

   4. Import the service account token file (from Step 1-c).

   5. Import CA certificate: connect to your Kubernetes Data Center and access kube/config. In the config, copy the *certificate-authority-data* of the relevant Data Center into a .txt file and use it as the CA certificate.

      Note - The CA Certificate needs to be double Base64 encoded (encoded once more on top of how you receive it from Kubernetes).

   6. Click Test Connections and make sure that the connection works.

   7. Click OK.

   8. Publish the SmartConsole session.

   9. Install the Access Control policy on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.