Extend FortiManager firewall policies to Kubernetes
Big picture
Use FortiManager firewall policies to secure workloads in your Kubernetes cluster.
Value
The Calico Enterprise/Fortinet integration lets you control Kubernetes clusters directly and apply policy using the FortiManager UI as the primary interface. This allows firewall administrators to leverage existing tools and workflows as they learn and adopt Kubernetes orchestration at their own pace.
Concepts
Integration at a glance
This Calico Enterprise/Fortinet solution lets you directly control Kubernetes policies using FortiManager.
The basic workflow is:
- Determine the Kubernetes pods that you want to securely communicate with each other.
- Label these pods using a key-value pair where key is the
tigera.io/address-group
, and value is the pod matching a label name. - In the FortiManager, select the cluster’s ADOM, and create an address group using the key-value pair associated with the pods.
- Create firewall policies using the address groups for IPv4 Source address and IPv4 Destination Address, and select services and actions as you normally would to allow or deny the traffic. Under the covers, the Calico Enterprise integration controller periodically reads the FortiManager firewall policies for your Kubernetes cluster, converts them to Calico Enterprise global network policies, and applies them to clusters.
- Use the Calico Enterprise Manager UI to verify the integration, and then FortiManager UI to make all updates to policy rules.
The default value for reading FortiManager firewall policies is three seconds. To change the value, modify environment variable FW_FORTIMGR_EW_POLL_INTERVAL in FortiManager integration manifest; units are in seconds.
Before you begin
Supported version
- FortiManager v6.4
Required
- Pull secret that you used during Calico Enterprise installation
- IPv4 CIDR’s or IP addresses of all Kubernetes nodes; this is required for FortiManager to treat Kubernetes nodes as trusted hosts.
- Login access to Calico Enterprise Manager UI
Recommended
- Experience with tiered policy and global network policy
- Experience creating and administering FortiGate/FortiManager firewall policies
How to
- Create a tier
- Configure FortiManager to communicate with firewall controller
- Create a FortiManager config map
- Install FortiManager password as secrets
- Deploy the firewall controller in the Kubernetes cluster
- Verify the integration
Create a tier
Create a Calico Enterprise tier in the Calico Enterprise Manager UI for each Kubernetes cluster you want to secure. We recommend that you create a new tier (rather than reusing an existing tier) for all global network policies created by the Calico Enterprise integration controller.
Configure FortiManager to communicate with firewall controller
- Determine and note the CIDR’s or IP addresses of all Kubernetes nodes that can run the
tigera-firewall-controller
.
This is required to explicitly allow thetigera-firewall-controller
to access the FortiManager API. - From system settings, create an Admin profile with Read-Write access for
Policy & Objects
.
For example:tigera_api_user_profile
- Create a JSON API administrator and associate this user with the
tigera_api_user_profile
profile and add CIDR or IP address of your Kubernetes cluster nodes astrusted hosts
. - Note the username and password.
Create a FortiManager config map
-
Create a namespace for the tigera-firewall-controller.
kubectl create namespace tigera-firewall-controller
-
In this FortiManager ConfigMap manifest, add your FortiManager device information in the data section:
tigera.firewall.fortimanager-policies
. For example:tigera.firewall.fortimanager-policies: |
- name: prod-east1
ip: 3.2.1.4
username: api_user
adom: root
tier: <tier-name>
packagename: sacramento
password:
secretKeyRef:
name: fortimgr-east1
key: pwd-fortimgr-east1Where:
Field Description name FortiManager device name. ip FortiManager Management IP address. adom FortiManager ADOM name that manages Kubernetes cluster. packagename FortiManager Firewall package. All firewall rules targeted for Kubernetes cluster are packed under this package. username JSON api access account name to Read/Write FortiManager address objects. password Secret in tigera-firewall-controller namespace, to store FortiManager password tier Tier name you created in Calico Enterprise Manager UI password.secretKeyRef.name Name of the secret to store password. password.secretKeyRef.key Key name in the secret, which stores password. -
Apply the manifest.
kubectl apply -f https://downloads.tigera.io/ee/v3.19.4/manifests/fortimanager-device-configmap.yaml
Install FortiManager password as secrets
Store each FortiManager password as a secret in the tigera-firewall-controller
namespace.
For example, in the ConfigMap for FortiMgr prod-east1
, store its password as a secret name as fortimgr-east1
, with key as pwd-fortimgr-east1
.
kubectl create secret generic fortimgr-east1 \
-n tigera-firewall-controller \
--from-literal=pwd-fortimgr-east1=<fortimgr-password>
Deploy the firewall controller in the Kubernetes cluster
-
Install your pull secret.
kubectl create secret generic tigera-pull-secret \
--from-file=.dockerconfigjson=<path/to/pull/secret> \
--type=kubernetes.io/dockerconfigjson -n tigera-firewall-controller -
Apply the manifest.
kubectl apply -f https://downloads.tigera.io/ee/v3.19.4/manifests/fortimanager.yaml
Verify the integration
- Log in to FortiManager with the correct ADOM.
- Select Policy & Objects, Object Configuration, and create new Address Groups.
- Click Policy packages and select the Package assigned to your Kubernetes cluster.
- Create a test firewall policy with the following fields: Name, IPv4 Source Address, IPv4 Destination Address, Service and Action.
- Log in to the Calico Enterprise Manager UI, and under the tier that you specified in the ConfigMap, verify that the GlobalNetworkPolicies are created.