CloudGuard Controller for Kubernetes
Adding Kubernetes to CloudGuard Controller
Check Point CloudGuard Controller now adds North-South traffic inspection for increased Kubernetes security.
The new Container security component is available in native Kubernetes and managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon EKS, Google Kubernetes Engine, and others.
Prerequisite
- Kubernetes version 1.12 and above
Note - Island Mode (NATed IP address for Nodes) is not supported.
Connecting to a Kubernetes Server
1. Configure the settings in Kubernetes
a. Create a service account for CloudGuard Controller that includes access to endpoints, pods, services, and nodes.
Example: run these "kubectl create" commands in the order listed below. The service account is created in the default namespace (which the bindings reference), and each cluster role grants only get and list on its resource:
kubectl create serviceaccount cloudguard-controller
kubectl create clusterrole endpoint-reader --verb=get,list --resource=endpoints
kubectl create clusterrolebinding allow-cloudguard-access-endpoints --clusterrole=endpoint-reader --serviceaccount=default:cloudguard-controller
kubectl create clusterrole pod-reader --verb=get,list --resource=pods
kubectl create clusterrolebinding allow-cloudguard-access-pods --clusterrole=pod-reader --serviceaccount=default:cloudguard-controller
kubectl create clusterrole service-reader --verb=get,list --resource=services
kubectl create clusterrolebinding allow-cloudguard-access-services --clusterrole=service-reader --serviceaccount=default:cloudguard-controller
kubectl create clusterrole node-reader --verb=get,list --resource=nodes
kubectl create clusterrolebinding allow-cloudguard-access-nodes --clusterrole=node-reader --serviceaccount=default:cloudguard-controller
b. Get the Kubernetes URL:
kubectl cluster-info
c. It is necessary to have a service account token for the connection. Refer to the Kubernetes documentation for your version. For example:
- For Kubernetes version 1.24 and higher, generate and export a token for the service account to a file. The token you create must not expire. If the token expires, the Data Center object loses connectivity. To create a token that does not expire, create a service-account-token Secret bound to the service account and read the long-lived token that Kubernetes populates into it:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cloudguard-controller-secret
  annotations:
    kubernetes.io/service-account.name: cloudguard-controller
type: kubernetes.io/service-account-token
EOF
kubectl get secret cloudguard-controller-secret -o jsonpath='{.data.token}' | base64 --decode > token_file
Note - "kubectl create token cloudguard-controller" issues a TokenRequest token that carries an expiration time (one hour by default), so it does not satisfy this requirement; the token stored in the Secret above has no expiration.
- For Kubernetes version 1.23 and lower, decode the service account token from its Base64 encoded Secret and export it to a file:
kubectl get secret $(kubectl get serviceaccount cloudguard-controller -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode -w 0 > token_file
2. Configure the settings in SmartConsole
a. In SmartConsole, create a new Data Center object in one of these ways:
- In the top left corner, click Objects menu > More object types > Server > Data Center > Kubernetes.
- In the top right corner, click Objects Pane > New > More > Server > Data Center > Kubernetes.
b. Enter a name for the Data Center object.
c. Enter the Kubernetes URL (from Step 1-b).
d. Import the service account token file (from Step 1-c).
e. Import the CA certificate: connect to your Kubernetes Data Center and open kube/config. In the config, copy the certificate-authority-data of the relevant Data Center into a .txt file and use it as the CA certificate.
Note - The CA certificate needs to be double Base64 encoded (encoded once more on top of how you receive it from Kubernetes).
f. Click Test Connections and make sure that the connection works.
g. Click OK.
h. Publish the SmartConsole session.
i. Install the Access Control policy on the Security Gateway object.
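The two files produced in Step 1-c and Step 2-e, the token file and the double Base64 encoded CA certificate, are easy to get wrong in ways that only show up as a failed Test Connections or as a Data Center object that later loses connectivity. As an added example, not code from the Check Point guide, the following POSIX shell script checks a token for an "exp" claim and double-encodes a kubeconfig certificate-authority-data value, using constructed samples; it assumes GNU coreutils base64 (for -w 0).

```shell
#!/bin/sh
# Added example, not from the Check Point guide. Pre-flight checks on the two
# files the SmartConsole steps import, run on constructed samples (no cluster
# needed). Assumes GNU coreutils base64 (-w 0) and a POSIX sh.
set -e

# base64url helpers for the JWT segments (JWT segments carry no '=' padding).
b64url_encode() { printf '%s' "$1" | base64 -w 0 | tr '+/' '-_' | tr -d '='; }
b64url_decode() {
  seg=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#seg} % 4 )) in 2) seg="${seg}==" ;; 3) seg="${seg}=" ;; esac
  printf '%s' "$seg" | base64 -d
}

# Returns 0 when $1 is a service account JWT without an "exp" claim, i.e. the
# long-lived token populated into a kubernetes.io/service-account-token Secret.
# Returns 1 for a TokenRequest token (kubectl create token), which carries
# "exp" and would make the Data Center object lose connectivity when it lapses.
token_never_expires() {
  payload=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)") || return 1
  printf '%s' "$payload" | grep -q '"sub":"system:serviceaccount:' || return 1
  ! printf '%s' "$payload" | grep -q '"exp"'
}

# $1 is certificate-authority-data copied from kubeconfig (already Base64).
# Verifies it really decodes to a PEM certificate (pasting the PEM itself is a
# common mistake), then applies the second Base64 layer SmartConsole expects.
double_b64_ca() {
  printf '%s' "$1" | base64 -d 2>/dev/null | grep -q 'BEGIN CERTIFICATE' || return 1
  printf '%s' "$1" | base64 -w 0
}

# Constructed samples (not real credentials): header.payload.signature
HDR=$(b64url_encode '{"alg":"RS256","kid":"constructed"}')
LONG_LIVED_TOKEN="$HDR.$(b64url_encode '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/secret.name":"cloudguard-controller-secret","sub":"system:serviceaccount:default:cloudguard-controller"}').sig"
SHORT_LIVED_TOKEN="$HDR.$(b64url_encode '{"iss":"https://kubernetes.default.svc","exp":1700003600,"sub":"system:serviceaccount:default:cloudguard-controller"}').sig"
CA_DATA=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructed' '-----END CERTIFICATE-----' | base64 -w 0)

# Demo run: which token is safe to import, and the double-encoded CA value.
for t in "$LONG_LIVED_TOKEN" "$SHORT_LIVED_TOKEN"; do
  if token_never_expires "$t"; then echo "ok: token has no exp claim"; else echo "reject: token expires"; fi
done
double_b64_ca "$CA_DATA" && echo " <- double Base64 encoded CA certificate"
```

Run it against a real token_file with `token_never_expires "$(cat token_file)"` before importing the file in Step 2-d.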