NeuVector Full Lifecycle Container Security

By NeuVector

Certified enterprise ready

Offers the only cloud-native Kubernetes security platform delivering uncompromising end-to-end protection from DevOps vulnerability protection to automated run-time security, and featuring a true Layer 7 container firewall.

Software version

3

Type

Operator

Rating

No reviews

Read me

This repository contains the NeuVector operator container image, which deploys and manages the NeuVector security cluster components on the OpenShift Container Platform. Follow the Operator installation instructions at https://docs.openshift.com/container-platform/4.2/operators/olm-adding-operators-to-cluster.html.
The NeuVector Container Security platform can be deployed and configured on OpenShift and Kubernetes. For example:

-- Login as a normal user

oc login -u <user_name>

-- Create a new project
Note: If the --node-selector argument is used when creating the project, pod placement (for example of the NeuVector enforcer) is restricted to the selected nodes.

oc new-project neuvector

-- Push NeuVector images to OpenShift docker registry
Note: For OpenShift 4.2+, you may need to change default docker-registry from docker-registry.default.svc:5000 to image-registry.openshift-image-registry.svc:5000 in the commands below

docker login -u <user_name> -p `oc whoami -t` docker-registry.default.svc:5000
docker tag docker.io/neuvector/enforcer docker-registry.default.svc:5000/neuvector/enforcer
docker tag docker.io/neuvector/controller docker-registry.default.svc:5000/neuvector/controller
docker tag docker.io/neuvector/manager docker-registry.default.svc:5000/neuvector/manager
docker push docker-registry.default.svc:5000/neuvector/enforcer
docker push docker-registry.default.svc:5000/neuvector/controller
docker push docker-registry.default.svc:5000/neuvector/manager
docker logout docker-registry.default.svc:5000

-- Login as system:admin account

oc login -u system:admin

-- Grant Service Account Access to the Privileged SCC

oc -n neuvector adm policy add-scc-to-user privileged -z default

The following entry is added to the users list of the privileged SCC:
users:

- system:serviceaccount:neuvector:default

-- (Optional) Create the NeuVector Pod Security Policy (PSP).
If you have enabled Pod Security Policies in your Kubernetes cluster, save the following NeuVector PSP, Role and RoleBinding to a file (for example, nv_psp.yaml).

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: neuvector-binding-psp
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - SYS_ADMIN
  - NET_ADMIN
  - SYS_PTRACE
  - IPC_LOCK
  requiredDropCapabilities:
  - ALL
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: neuvector-binding-psp
  namespace: neuvector
rules:
- apiGroups:
  - policy
  - extensions
  resources:
  - podsecuritypolicies
  verbs:
  - use
  resourceNames:
  - neuvector-binding-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: neuvector-binding-psp
  namespace: neuvector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: neuvector-binding-psp
subjects:
- kind: ServiceAccount
  name: default
  namespace: neuvector

Then create the PSP

kubectl create -f nv_psp.yaml

-- Create the NeuVector CRDs
To deploy security policy automatically using custom resource definitions (CRDs), create the required NeuVector CRDs for namespace-scoped and cluster-scoped operation. For example, nvsecurityrules.yaml:

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: nvsecurityrules.neuvector.com
spec:
  group: neuvector.com
  names:
    kind: NvSecurityRule
    listKind: NvSecurityRuleList
    plural: nvsecurityrules
    singular: nvsecurityrule
  scope: Namespaced
  version: v1
  versions:
  - name: v1
    served: true
    storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: nvclustersecurityrules.neuvector.com
spec:
  group: neuvector.com
  names:
    kind: NvClusterSecurityRule
    listKind: NvClusterSecurityRuleList
    plural: nvclustersecurityrules
    singular: nvclustersecurityrule
  scope: Cluster
  version: v1
  versions:
  - name: v1
    served: true
    storage: true

Then create the CRDs

oc create -f nvsecurityrules.yaml

-- Add read permission to access the Kubernetes API and OpenShift RBAC resources. Admission control is supported in OpenShift 3.9+.

oc create clusterrole neuvector-binding-app --verb=get,list,watch,update --resource=nodes,pods,services,namespaces
oc create clusterrole neuvector-binding-rbac --verb=get,list,watch --resource=rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,imagestreams.image.openshift.io
oc adm policy add-cluster-role-to-user neuvector-binding-app system:serviceaccount:neuvector:default
oc adm policy add-cluster-role-to-user neuvector-binding-rbac system:serviceaccount:neuvector:default
oc create clusterrole neuvector-binding-admission --verb=get,list,watch,create,update,delete --resource=validatingwebhookconfigurations,mutatingwebhookconfigurations
oc adm policy add-cluster-role-to-user neuvector-binding-admission system:serviceaccount:neuvector:default
oc create clusterrole neuvector-binding-customresourcedefinition --verb=watch,create,get --resource=customresourcedefinitions
oc adm policy add-cluster-role-to-user neuvector-binding-customresourcedefinition system:serviceaccount:neuvector:default
oc create clusterrole neuvector-binding-nvsecurityrules --verb=list,delete --resource=nvsecurityrules,nvclustersecurityrules
oc adm policy add-cluster-role-to-user neuvector-binding-nvsecurityrules system:serviceaccount:neuvector:default

For OpenShift 4.x, also add the following for platform detection:

oc create clusterrole neuvector-binding-co --verb=get,list --resource=clusteroperators
oc adm policy add-cluster-role-to-user neuvector-binding-co system:serviceaccount:neuvector:default

NOTE: If upgrading from a previous NeuVector deployment, you may need to delete the old bindings:

oc delete clusterrolebinding neuvector-binding
oc delete clusterrole neuvector-binding

-- Run the following command to check that the neuvector/default service account was added to each binding successfully

oc get ClusterRoleBinding neuvector-binding-app neuvector-binding-rbac neuvector-binding-admission neuvector-binding-customresourcedefinition neuvector-binding-nvsecurityrules -o wide

Sample output:

NAME                                         ROLE                                          USERS     GROUPS    SERVICE ACCOUNTS    SUBJECTS
neuvector-binding-app                        /neuvector-binding-app                                            neuvector/default
neuvector-binding-rbac                       /neuvector-binding-rbac                                           neuvector/default
neuvector-binding-admission                  /neuvector-binding-admission                                      neuvector/default
neuvector-binding-customresourcedefinition   /neuvector-binding-customresourcedefinition                       neuvector/default
neuvector-binding-nvsecurityrules            /neuvector-binding-nvsecurityrules                                neuvector/default
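The two grants made above (the privileged SCC entry and the cluster role bindings) are worth verifying from a script rather than by eye. The following is an added example, not part of the NeuVector operator project: it checks `oc` output piped in on stdin, and the two sample inputs are constructed to mirror the outputs shown on this page.

```shell
# Post-install check: the neuvector/default service account must be listed in
# the privileged SCC and in every NeuVector ClusterRoleBinding created above.
NV_SA="system:serviceaccount:neuvector:default"
NV_SA_SHORT="neuvector/default"   # how `oc get clusterrolebinding -o wide` prints it
NV_BINDINGS="neuvector-binding-app neuvector-binding-rbac neuvector-binding-admission
neuvector-binding-customresourcedefinition neuvector-binding-nvsecurityrules"

# check_scc_users: stdin is the output of
#   oc get scc privileged -o jsonpath='{.users[*]}'
# (space-separated user names). Returns 0 if $NV_SA is one of them.
check_scc_users() {
  tr ' ' '\n' | grep -qx "$NV_SA"
}

# check_nv_bindings: stdin is the `oc get clusterrolebinding ... -o wide` table.
# Returns 0 only if every expected binding is present (matched on the NAME
# column) and $NV_SA_SHORT appears on its row; names each failure on stderr.
check_nv_bindings() {
  table=$(cat); rc=0
  for name in $NV_BINDINGS; do
    if ! printf '%s\n' "$table" | awk -v n="$name" -v sa="$NV_SA_SHORT" '
        $1 == n { found = 1
                  for (i = 2; i <= NF; i++) { f = $i; sub(/,$/, "", f); if (f == sa) ok = 1 } }
        END { if (found && ok) exit 0; exit 1 }'; then
      echo "not bound to $NV_SA_SHORT: $name" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample inputs (mirroring the page's outputs); on a real cluster,
# pipe the oc commands named above into the two functions instead.
SCC_USERS_SAMPLE="system:admin system:serviceaccount:openshift-infra:build-controller $NV_SA"
BINDINGS_SAMPLE='NAME                                         ROLE                                          USERS   GROUPS   SERVICE ACCOUNTS    SUBJECTS
neuvector-binding-app                        /neuvector-binding-app                                          neuvector/default
neuvector-binding-rbac                       /neuvector-binding-rbac                                         neuvector/default
neuvector-binding-admission                  /neuvector-binding-admission                                    neuvector/default
neuvector-binding-customresourcedefinition   /neuvector-binding-customresourcedefinition                     neuvector/default
neuvector-binding-nvsecurityrules            /neuvector-binding-nvsecurityrules                              neuvector/default'

printf '%s\n' "$SCC_USERS_SAMPLE" | check_scc_users && echo "privileged SCC: ok"
printf '%s\n' "$BINDINGS_SAMPLE" | check_nv_bindings && echo "cluster role bindings: ok"
```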

-- Add support for Admission Control (OpenShift 3.9-3.11 only, this is not required in 4.2+)
Edit the master config

vi /etc/origin/master/master-config.yaml

Add MutatingAdmissionWebhook and ValidatingAdmissionWebhook

admissionConfig:
  pluginConfig:
    MutatingAdmissionWebhook:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false
    ValidatingAdmissionWebhook:
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false

Restart the OpenShift API and controller services.
The command differs between versions; for example, on 3.10+:

master-restart api
master-restart controllers

Or

/usr/local/bin/master-restart api controllers

Run the following command to check if admissionregistration.k8s.io/v1beta1 is enabled

$ oc api-versions | grep admissionregistration
admissionregistration.k8s.io/v1beta1

-- Create the neuvector services and pods based on the sample yaml which you can obtain from NeuVector.

oc create -f <compose file>

If you have created your own namespace instead of using "neuvector":

  1. Replace all instances of "namespace: neuvector" with your namespace.
  2. Search for all instances of "neuvector-svc-allinone.neuvector" in the files below. Then replace the "neuvector" (after the .) with the namespace you use.

-- OpenShift 4.2+ with CRI-O run-time
The name of your default OpenShift registry might have changed from docker-registry to openshift-image-registry. You may need to change the image registry for the manager, controller, and enforcer in the sample yaml.

If using the CRI-O run-time, change the volumeMounts for the controller and enforcer pods in the sample yaml from docker.sock to:

        - mountPath: /var/run/crio/crio.sock
          name: runtime-sock
          readOnly: true

And change the volumes from docker.sock to:

        - name: runtime-sock
          hostPath:
            path: /var/run/crio/crio.sock