###This repository contains the NeuVector operator container image, which can deploy and manage the NeuVector security cluster components on the OpenShift container platform. Follow Operator installation instructions on https://docs.openshift.com/container-platform/4.2/operators/olm-adding-operators-to-cluster.html .
The NeuVector Container Security platform can be deployed and configured on OpenShift and Kubernetes. For example,

-- Login as a normal user

oc login -u <user_name>

-- Create a new project
Note: If the --node-selector argument is used when creating a project this will restrict pod placement such as for the Neuvector enforcer to specific nodes.

oc new-project neuvector

-- Push NeuVector images to OpenShift docker registry
Note: For OpenShift 4.2+, you may need to change default docker-registry from docker-registry.default.svc:5000 to image-registry.openshift-image-registry.svc:5000 in the commands below

docker login -u <user_name> -p `oc whoami -t` docker-registry.default.svc:5000
docker tag docker.io/neuvector/enforcer docker-registry.default.svc:5000/neuvector/enforcer
docker tag docker.io/neuvector/controller docker-registry.default.svc:5000/neuvector/controller
docker tag docker.io/neuvector/manager docker-registry.default.svc:5000/neuvector/manager
docker push docker-registry.default.svc:5000/neuvector/enforcer
docker push docker-registry.default.svc:5000/neuvector/controller
docker push docker-registry.default.svc:5000/neuvector/manager
docker logout docker-registry.default.svc:5000

-- Login as system:admin account

oc login -u system:admin

-- Grant Service Account Access to the Privileged SCC

oc -n neuvector adm policy add-scc-to-user privileged -z default

The following info will be added in the Privileged SCC
users:

- system:serviceaccount:neuvector:default

-- (Optional) Create the NeuVector Pod Security Policy (PSP).
If you have enabled Pod Security Policies in your Kubernetes cluster, add the following for NeuVector (for example, nv_psp.yaml).

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: neuvector-binding-psp
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - SYS_ADMIN
  - NET_ADMIN
  - SYS_PTRACE
  - IPC_LOCK
  requiredDropCapabilities:
  - ALL
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: neuvector-binding-psp
  namespace: neuvector
rules:
- apiGroups:
  - policy
  - extensions
  resources:
  - podsecuritypolicies
  verbs:
  - use
  resourceNames:
  - neuvector-binding-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: neuvector-binding-psp
  namespace: neuvector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: neuvector-binding-psp
subjects:
- kind: ServiceAccount
  name: default
  namespace: neuvector

Then create the PSP

kubectl create -f nv_psp.yaml

-- Create the NeuVector CRDs
To deploy security policy automatically using customer resource definitions (CRDs), create the required NeuVector CRDs for namespace-scoped and cluster-scoped operation. For example, nvsecurityrules.yaml

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: nvsecurityrules.neuvector.com
spec:
  group: neuvector.com
  names:
    kind: NvSecurityRule
    listKind: NvSecurityRuleList
    plural: nvsecurityrules
    singular: nvsecurityrule
  scope: Namespaced
  version: v1
  versions:
  - name: v1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: nvclustersecurityrules.neuvector.com
spec:
  group: neuvector.com
  names:
    kind: NvClusterSecurityRule
    listKind: NvClusterSecurityRuleList
    plural: nvclustersecurityrules
    singular: nvclustersecurityrule
  scope: Cluster
  version: v1
  versions:
  - name: v1
    served: true
    storage: true

Then create the CRDs

oc create -f nvsecurityrules.yaml

-- Add read permission to access the kubernetes API and OpenShift RBACs. Admission control is supported in OpenShift 3.9+.

oc create clusterrole neuvector-binding-app --verb=get,list,watch,update --resource=nodes,pods,services,namespaces
oc create clusterrole neuvector-binding-rbac --verb=get,list,watch --resource=rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,imagestreams.image.openshift.io
oc adm policy add-cluster-role-to-user neuvector-binding-app system:serviceaccount:neuvector:default
oc adm policy add-cluster-role-to-user neuvector-binding-rbac system:serviceaccount:neuvector:default
oc create clusterrole neuvector-binding-admission --verb=get,list,watch,create,update,delete --resource=validatingwebhookconfigurations,mutatingwebhookconfigurations
oc adm policy add-cluster-role-to-user neuvector-binding-admission system:serviceaccount:neuvector:default
oc create clusterrole neuvector-binding-customresourcedefinition --verb=watch,create,get --resource=customresourcedefinitions
oc adm policy add-cluster-role-to-user neuvector-binding-customresourcedefinition system:serviceaccount:neuvector:default
oc create clusterrole neuvector-binding-nvsecurityrules --verb=list,delete --resource=nvsecurityrules,nvclustersecurityrules
oc adm policy add-cluster-role-to-user neuvector-binding-nvsecurityrules system:serviceaccount:neuvector:default

For OpenShift 4.x, also add the following for platform detection:

oc create clusterrole neuvector-binding-co --verb=get,list --resource=clusteroperators
oc adm policy add-cluster-role-to-user neuvector-binding-co system:serviceaccount:neuvector:default

NOTE: If upgrading from a previous NeuVector deployment, you may need to delete the old bindings:

oc delete clusterrolebinding neuvector-binding
oc delete clusterrole neuvector-binding

-- Run the following command to check if the neuvector/default service account is added successfully

oc get ClusterRoleBinding neuvector-binding-app neuvector-binding-rbac neuvector-binding-admission neuvector-binding-customresourcedefinition neuvector-binding-nvsecurityrules -o wide

Sample output:

NAME                                         ROLE                                          USERS     GROUPS    SERVICE ACCOUNTS    SUBJECTS
neuvector-binding-app                        /neuvector-binding-app                                            neuvector/default
neuvector-binding-rbac                       /neuvector-binding-rbac                                           neuvector/default
neuvector-binding-admission                  /neuvector-binding-admission                                      neuvector/default
neuvector-binding-customresourcedefinition   /neuvector-binding-customresourcedefinition                       neuvector/default
neuvector-binding-nvsecurityrules            /neuvector-binding-nvsecurityrules                                neuvector/default

-- Add support for Admission Control (OpenShift 3.9-3.11 only, this is not required in 4.2+)
Edit the master config

vi /etc/origin/master/master-config.yaml

Add MutatingAdmissionWebhook and ValidatingAdmissionWebhook

admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false
    ValidatingAdmissionWebhook:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false

Restart the Openshift api and controllers services.
This is different for different versions. For example 3.10+

master-restart api
master-restart controllers

/usr/local/bin/master-restart api controllers

Run the following command to check if admissionregistration.k8s.io/v1beta1 is enabled

$ oc api-versions | grep admissionregistration
admissionregistration.k8s.io/v1beta1

-- Create the neuvector services and pods based on the sample yaml which you can obtain from NeuVector.

oc create -f <compose file>

If you have created your own namespace instead of using “neuvector”:

Replace all instances of “namespace: neuvector” with your namespace.
Search for all instances of ”neuvector-svc-allinone.neuvector” in the files below. Then replace the “neuvector” (after the .) with the namespace you use.
OpenShift 4.2+ with CRI-O run-time
The name of your default OpenShift registry might have changed from docker-registry to openshift-image-registry. You may need to change the image registry for the manager, controller, and enforcer in the sample yaml.
If using the CRI-O run-time, change the volumeMounts for controller and enforcer pods in the sample yaml from docker.sock to:

            - mountPath: /var/run/crio/crio.sock
              name: runtime-sock
              readOnly: true

And change the volumes from docker.sock to:

       - name: runtime-sock
          hostPath:
            path: /var/run/crio/crio.sock

NeuVector Full Lifecycle Container Security

NeuVector Full Lifecycle Container Security

Software version

Delivery method

RatingRatings are collected from G2 business software and services reviews. See what users have to say about this product on G2 by clicking reviews below.

Product documentation

Rating