CloudGuard Controller for Kubernetes
Adding Kubernetes to CloudGuard Controller
Check Point CloudGuard Controller now supports Kubernetes, providing North-South traffic inspection for increased Kubernetes security.
The new Container security component is available in native Kubernetes and managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon EKS, Google Kubernetes Engine, and others.
Prerequisite

- Kubernetes version 1.12 and above

Note - Island Mode (NATed IP address for Nodes) is not supported.
Connecting to a Kubernetes Server

Step 1 - Configure the settings in Kubernetes

a. Create a service account for CloudGuard Controller with read access (get, list) to endpoints, pods, services, and nodes. Read-only access to these four resource types is all the Controller needs; do not bind it to a broader role such as cluster-admin.

Example: run these kubectl create commands in the order listed below. The bindings assume the service account lives in the default namespace, which is where the first command creates it unless your current kubectl context selects another namespace:

kubectl create serviceaccount cloudguard-controller
kubectl create clusterrole endpoint-reader --verb=get,list --resource=endpoints
kubectl create clusterrolebinding allow-cloudguard-access-endpoints --clusterrole=endpoint-reader --serviceaccount=default:cloudguard-controller
kubectl create clusterrole pod-reader --verb=get,list --resource=pods
kubectl create clusterrolebinding allow-cloudguard-access-pods --clusterrole=pod-reader --serviceaccount=default:cloudguard-controller
kubectl create clusterrole service-reader --verb=get,list --resource=services
kubectl create clusterrolebinding allow-cloudguard-access-services --clusterrole=service-reader --serviceaccount=default:cloudguard-controller
kubectl create clusterrole node-reader --verb=get,list --resource=nodes
kubectl create clusterrolebinding allow-cloudguard-access-nodes --clusterrole=node-reader --serviceaccount=default:cloudguard-controller

b. Get the Kubernetes URL (the API server address printed as "Kubernetes control plane is running at ..."):

kubectl cluster-info

c. It is necessary to have a service account token for the connection. Refer to the Kubernetes documentation for your version. For example:

- For Kubernetes version 1.24 and higher, token Secrets are no longer created automatically with a service account, and a token issued by kubectl create token is time-bound (one hour by default). The token you give CloudGuard must not expire: if it expires, the Data Center object loses connectivity. To create a token that does not expire, create a Secret of type kubernetes.io/service-account-token annotated with the service account name (in the same namespace as the service account), let the token controller populate it, and export the token Base64 decoded:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cloudguard-controller-secret
  annotations:
    kubernetes.io/service-account.name: cloudguard-controller
type: kubernetes.io/service-account-token
EOF
kubectl get secret cloudguard-controller-secret -o jsonpath='{.data.token}' | base64 --decode > token_file

Note: To add the Data Center in SmartConsole, the token must be Base64 decoded. The command above writes it already decoded; if you copy the token value out of the Secret by hand, decode it first.

- For Kubernetes version 1.23 and lower, the token Secret is created automatically with the service account. Export the token, Base64 decoded, to a file:

kubectl get secret $(kubectl get serviceaccount cloudguard-controller -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode > token_file
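The whole of Step 1 as one script, added here as an example; it is not part of the original page or of Check Point's tooling. It grants the same permissions as the page's four roles with a single read-only ClusterRole, creates the non-expiring token Secret, then adds the checks a practitioner wants before handing the token to SmartConsole: that the account can read exactly the four resource types and nothing else, that the exported token, URL and CA actually authenticate, and that the token carries no expiry claim (a token from kubectl create token does, and would break connectivity later). Assumptions: the default namespace, a kubectl context with cluster-admin rights (kubectl auth can-i --as needs impersonate permission), and the names cloudguard-reader, server_url, ca.crt and token_file. The JWTs built by mk_jwt are constructed, unsigned tokens for offline checking only.

```shell
#!/bin/sh
# Added example, not Check Point's code. Offline helpers run unconditionally;
# the cluster-dependent part runs only with:  sh cloudguard-sa.sh apply
set -u

# base64url without padding, as used in JWT segments.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Decode the payload (second segment) of a JWT. The signature is NOT verified;
# this is only for inspecting claims of a token we already trust.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Succeed if top-level claim $2 is present in JWT $1.
jwt_has_claim() { jwt_payload "$1" | grep -q "\"$2\":"; }

# Build an UNSIGNED JWT from payload JSON $1 (constructed test input only).
mk_jwt() {
  printf '%s.%s.' "$(printf '%s' '{"alg":"none"}' | b64url)" "$(printf '%s' "$1" | b64url)"
}

# Print the token's subject; fail if it carries an exp claim. Legacy Secret
# tokens have no exp; kubectl create token output always does.
token_report() {
  sub=$(jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')
  echo "subject: $sub"
  if jwt_has_claim "$1" exp; then
    echo "ERROR: token has an exp claim; use the token from the Secret instead"
    return 1
  fi
  echo "OK: no exp claim (legacy service-account-token Secret)"
}

cloudguard_apply() {
  ns=default
  sa=cloudguard-controller
  kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: $sa, namespace: $ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: cloudguard-reader}
rules:
- apiGroups: [""]
  resources: [endpoints, pods, services, nodes]
  verbs: [get, list]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: cloudguard-reader}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: cloudguard-reader}
subjects:
- {kind: ServiceAccount, name: $sa, namespace: $ns}
---
apiVersion: v1
kind: Secret
metadata:
  name: $sa-secret
  namespace: $ns
  annotations:
    kubernetes.io/service-account.name: $sa
type: kubernetes.io/service-account-token
EOF
  # The token controller fills .data.token asynchronously; wait for it.
  until kubectl -n "$ns" get secret "$sa-secret" -o jsonpath='{.data.token}' | grep -q .; do sleep 1; done
  kubectl -n "$ns" get secret "$sa-secret" -o jsonpath='{.data.token}' | base64 -d > token_file
  # Kubernetes URL (Step 1-b) and the cluster CA the token controller publishes
  # alongside the token (usable for the optional CA field in SmartConsole).
  kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' > server_url
  kubectl -n "$ns" get secret "$sa-secret" -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
  # Least privilege: must read the four resource types, must not do anything else.
  who="system:serviceaccount:$ns:$sa"
  for want in "list endpoints" "list pods" "list services" "list nodes"; do
    kubectl auth can-i $want --all-namespaces --as="$who" >/dev/null || { echo "missing: $want"; return 1; }
  done
  for deny in "create pods" "get secrets" "list configmaps"; do
    kubectl auth can-i $deny --all-namespaces --as="$who" >/dev/null 2>&1 && { echo "over-privileged: $deny"; return 1; }
  done
  # Authenticate exactly as CloudGuard will: URL + CA + exported token.
  kubectl --server="$(cat server_url)" --certificate-authority=ca.crt --token="$(cat token_file)" get nodes >/dev/null
  token_report "$(cat token_file)"
}

case "${1:-}" in apply) cloudguard_apply ;; esac
```

Run it as `sh cloudguard-sa.sh apply` against the cluster; token_file, server_url and ca.crt are then the three inputs Step 2 asks for. Treat token_file as a long-lived credential: it never expires, so store it like a password and delete the Secret to revoke it.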
Step 2 - Configure the settings in SmartConsole

a. In SmartConsole, create a new Data Center object in one of these ways:
   - In the top left corner, click Objects menu > More object types > Server > Data Center > Kubernetes.
   - In the top right corner, click Objects Pane > New > More > Server > Data Center > Kubernetes.
b. Enter a name for the Data Center object.
c. Enter the Kubernetes URL (from Step 1-b).
d. Import the service account token file (from Step 1-c).
e. Import a CA certificate (not mandatory). Importing it lets the connection validate the API server's TLS certificate against your cluster's CA instead of trusting the URL alone. To obtain it, open the kubeconfig (.kube/config) of the relevant cluster, copy the certificate-authority-data value for that cluster into a .txt file, and use it as the CA certificate. Note that kubectl config view redacts this value unless you add --raw.
f. Click Test Connections and make sure that the connection works.
g. Click OK.
h. Publish the SmartConsole session.
i. Install the Access Control policy on the Security Gateway object.
Kubernetes Imported Objects

| Object | Description |
|---|---|
| Namespace | A group of resources in a single Kubernetes cluster. |
| Node | A virtual or physical machine, depending on the cluster. |
| Pod | The smallest deployable unit of computing that you can create and manage in Kubernetes: a group of one or more containers with shared storage and network resources, and a specification for how to run the containers. |
| Service | A method for exposing a network application that runs as one or more Pods in your cluster. |
| Labels | Key-value pairs attached to Services and Nodes within a Kubernetes cluster. |
| Service Endpoint | Each Service object defines a logical set of endpoints (usually Pods) along with a policy about how to make those Pods accessible. |
| Tags | Keys and values attached to the object. |