CloudGuard Controller for Kubernetes

Adding Kubernetes to CloudGuard Controller

Check Point CloudGuard Controller Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security. now protects North-South inspection for increased Kubernetes security.

The new Container security component is available in native Kubernetes and managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon EKS, Google Kubernetes Engine, and others.

Prerequisite

Kubernetes version 1.12 and above

Note - Island Mode (NATed IP address for Nodes) is not supported.

Connecting to a Kubernetes Server

Configure the settings in Kubernetes

Create a service account for CloudGuard Controller that includes access to: endpoints, pods, services, and nodes.

Example:

Run these "kubectl create" commands in the order listed below:

kubectl create serviceaccount cloudguard-controller

kubectl create clusterrole endpoint-reader --verb=get,list --resource=endpoints

kubectl create clusterrolebinding allow-cloudguard-access-endpoints --clusterrole=endpoint-reader --serviceaccount=default:cloudguard-controller

kubectl create clusterrole pod-reader --verb=get,list --resource=pods

kubectl create clusterrolebinding allow-cloudguard-access-pods --clusterrole=pod-reader --serviceaccount=default:cloudguard-controller

kubectl create clusterrole service-reader --verb=get,list --resource=services

kubectl create clusterrolebinding allow-cloudguard-access-services --clusterrole=service-reader --serviceaccount=default:cloudguard-controller

kubectl create clusterrole node-reader --verb=get,list --resource=nodes

kubectl create clusterrolebinding allow-cloudguard-access-nodes --clusterrole=node-reader --serviceaccount=default:cloudguard-controller

Get the Kubernetes URL:

kubectl cluster-info

It is necessary to have a service account token for the connection. Refer to the Kubernetes documentation for your version. For example:

For Kubernetes version 1.24 and higher, generate and export a token for the service account to a file. The token you create must not expire. If the token expires, the Data Center Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data. loses connectivity. To create a token that does not expire:

kubectl apply -f - <<EOF

apiVersion: v1

kind: Secret

metadata:

name: cloudguard-controller-secret

annotations:

kubernetes.io/service-account.name: cloudguard-controller

type: kubernetes.io/service-account-token

EOF

kubectl create token cloudguard-controller > token_file

Note: To add the data center in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., the token must be Base64 decoded.

For Kubernetes version 1.23 and lower, export the service account token to a Base64 encoded file.

kubectl get secret $(kubectl get serviceaccount cloudguard-controller -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode -w 0 > token_file

Configure the settings in SmartConsole
1. In SmartConsole, create a new Data Center object in one of these ways:
  - In the top left corner, click Objects menu > More object types > Server > Data Center > Kubernetes.
  - In the top right corner, click Objects Pane > New > More > Server > Data Center > Kubernetes.
2. Enter a name for the Data Center object.
3. Enter the Kubernetes URL (from Step 1-b).
4. Import the service account token file (from Step 1-c).
5. Import CA certificate (not mandatory): if you are interested in importing a CA certificate, connect to your Kubernetes Data Center and access .kube/config . In the config, copy the *certificate-authority-data* of the relevant Data Center into a .txt file and use it as the CA certificate.
6. Click Test Connections and make sure that the connection works.
7. Click OK.
8. Publish the SmartConsole session.
9. Install the Access Control policy on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object.

Kubernetes Imported Objects

Object	Description
Namespace	Group of resources in a single cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..
Node	A virtual or physical machine, depending on the Cluster.
Pod	The smallest deployable units of computing that you can create and manage in Kubernetes. A group of one or more containers, with shared storage and network resources, and a specification for how to run the containers.
Service	A method for exposing a network application that runs as one or more Pods in your Cluster.
Labels	Key-value pairs attached to Services and Nodes within a Kubernetes cluster.
Service Endpoint	Each Service object defines a logical set of endpoints (usually, these endpoints are Pods) along with a policy about how to make those pods accessible.
Tags	Keys and Values attached to the Object.