NeuVector
    https://github.com/neuvector/neuvector-helm
    https://github.com/neuvector/neuvector
    https://open-docs.neuvector.com/basics/overview

    设置中文
    image.png
    image.png
    image.png
    image.png
    image.png

    NeuVector-开源容器安全平台 - 图6

    NeuVector-开源容器安全平台 - 图7
    NeuVector-开源容器安全平台 - 图8

    image.png

    image.png

    image.png

    安装部署

    1. helm repo add neuvector https://neuvector.github.io/neuvector-helm/
    2. helm search repo neuvector/core
    1. kubectl create namespace neuvector
    1. [root@UR-20210425NAMA ~]# helm install neuvector --namespace neuvector neuvector/core
    2. NAME: neuvector
    3. LAST DEPLOYED: Tue Feb 22 15:10:14 2022
    4. NAMESPACE: neuvector
    5. STATUS: deployed
    6. REVISION: 1
    7. TEST SUITE: None
    8. NOTES:
    9. Get the NeuVector URL by running these commands:
    10.   NODE_PORT=$(kubectl get --namespace neuvector -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)
    11.   NODE_IP=$(kubectl get nodes --namespace neuvector -o jsonpath="{.items[0].status.addresses[0].address}")
    12.   echo https://$NODE_IP:$NODE_PORT
    13. [root@UR-20210425NAMA ~]#
    1. kubectl set image deployment.apps/neuvector-controller-pod *=neuvector/controller.preview:5.0.0-preview.2 -n neuvector
    2. kubectl set image deployment.apps/neuvector-manager-pod *=neuvector/manager.preview:5.0.0-preview.2 -n neuvector
    3. kubectl set image deployment.apps/neuvector-scanner-pod *=neuvector/scanner.preview:latest -n neuvector
    4. kubectl set image daemonset.apps/neuvector-enforcer-pod *=neuvector/enforcer.preview:5.0.0-preview.2 -n neuvector
    5. kubectl get cronjob/neuvector-updater-pod -n neuvector -o yaml | sed 's#image: registry.neuvector.com/updater:latest#image: neuvector/updater.preview:latest#' | kubectl replace -f -

    修改镜像版本

    1. [root@UR-20210425NAMA ~]# ls -l core-1.9.1.tgz
    2. -rw-r--r-- 1 root root 14393 Mar  3 10:21 core-1.9.1.tgz
    3. [root@UR-20210425NAMA ~]# tar xf core-1.9.1.tgz
    4. [root@UR-20210425NAMA ~]# cd core/
    5. [root@UR-20210425NAMA core]# ls -l
    6. total 32
    7. -rwxr-xr-x 1 root root   285 Feb 19 15:43 Chart.yaml
    8. -rwxr-xr-x 1 root root 16378 Feb 19 15:43 README.md
    9. drwxr-xr-x 1 root root  4096 Mar  3 10:22 templates
    10. -rwxr-xr-x 1 root root  6550 Feb 19 15:43 values.yaml
    11. [root@UR-20210425NAMA core]# cat values.yaml
    12. # Default values for neuvector.
    13. # This is a YAML-formatted file.
    14. # Declare variables to be passed into the templates.
    16. openshift: false
    18. registry: registry.neuvector.com
    19. tag: 4.4.4
    20. oem:
    21. imagePullSecrets:
    22. psp: false
    23. serviceAccount: default
    25. controller:
    26.   # If false, controller will not be installed
    27.   enabled: true
    28.   strategy:
    29.     type: RollingUpdate
    30.     rollingUpdate:
    31.       maxSurge: 1
    32.       maxUnavailable: 0
    33.   image:
    34.     repository: neuvector/controller
    35.     hash:
    36.   replicas: 3
    37.   disruptionbudget: 0
    38.   schedulerName:
    39.   priorityClassName:
    40.   env: []
    41.   affinity:
    42.     podAntiAffinity:
    43.       preferredDuringSchedulingIgnoredDuringExecution:
    44.       - weight: 100
    45.         podAffinityTerm:
    46.           labelSelector:
    47.             matchExpressions:
    48.             - key: app
    49.               operator: In
    50.               values:
    51.               - neuvector-controller-pod
    52.           topologyKey: "kubernetes.io/hostname"
    53.   tolerations: []
    54.   nodeSelector: {}
    55.     # key1: value1
    56.     # key2: value2
    57.   apisvc:
    58.     type:
    59.     annotations: {}
    60.     # OpenShift Route configuration
    61.     route:
    62.       enabled: false
    63.       termination: passthrough
    64.       host:
    65.   pvc:
    66.     enabled: false
    67.     accessModes:
    68.       - ReadWriteMany
    69.     storageClass:
    70.     capacity:
    71.   azureFileShare:
    72.     enabled: false
    73.     secretName:
    74.     shareName:
    75.   certificate:
    76.     secret:
    77.     keyFile: tls.key
    78.     pemFile: tls.pem
    79.   federation:
    80.     mastersvc:
    81.       type:
    82.       # Federation Master Ingress
    83.       ingress:
    84.         enabled: false
    85.         host:  # MUST be set, if ingress is enabled
    86.         path: "/"  # or this could be "/api", but might need "rewrite-target" annotation
    87.         annotations:
    88.           ingress.kubernetes.io/protocol: https
    89.           # ingress.kubernetes.io/rewrite-target: /
    90.         tls: false
    91.         secretName:
    92.       # OpenShift Route configuration
    93.       route:
    94.         enabled: false
    95.         termination: passthrough
    96.         host:
    97.     managedsvc:
    98.       type:
    99.       # Federation Managed Ingress
    100.       ingress:
    101.         enabled: false
    102.         host:  # MUST be set, if ingress is enabled
    103.         path: "/"  # or this could be "/api", but might need "rewrite-target" annotation
    104.         annotations:
    105.           ingress.kubernetes.io/protocol: https
    106.           # ingress.kubernetes.io/rewrite-target: /
    107.         tls: false
    108.         secretName:
    109.       # OpenShift Route configuration
    110.       route:
    111.         enabled: false
    112.         termination: passthrough
    113.         host:
    114.   ingress:
    115.     enabled: false
    116.     host:  # MUST be set, if ingress is enabled
    117.     path: "/"  # or this could be "/api", but might need "rewrite-target" annotation
    118.     annotations:
    119.       ingress.kubernetes.io/protocol: https
    120.       # ingress.kubernetes.io/rewrite-target: /
    121.     tls: false
    122.     secretName:
    123.   resources: {}
    124.     # limits:
    125.     #   cpu: 400m
    126.     #   memory: 2792Mi
    127.     # requests:
    128.     #   cpu: 100m
    129.     #   memory: 2280Mi
    130.   configmap:
    131.     enabled: false
    132.     data:
    133.       # eulainitcfg.yaml: |
    134.       #  ...
    135.       # ldapinitcfg.yaml: |
    136.       #  ...
    137.       # oidcinitcfg.yaml: |
    138.       # ...
    139.       # samlinitcfg.yaml: |
    140.       # ...
    141.       # sysinitcfg.yaml: |
    142.       # ...
    143.       # userinitcfg.yaml: |
    144.       # ...
    145.   secret:
    146.     # NOTE: files defined here have preferrence over the ones defined in the configmap section
    147.     enabled: false
    148.     data: {}
    149.       # eulainitcfg.yaml:
    150.       #   license_key: 0Bca63Iy2FiXGqjk...
    151.       #   ...
    152.       # ldapinitcfg.yaml:
    153.       #   directory: OpenLDAP
    154.       #   ...
    155.       # oidcinitcfg.yaml:
    156.       #   Issuer: https://...
    157.       #   ...
    158.       # samlinitcfg.yaml:
    159.       #   ...
    160.       # sysinitcfg.yaml:
    161.       #   ...
    162.       # userinitcfg.yaml:
    163.       #   ...
    165. enforcer:
    166.   # If false, enforcer will not be installed
    167.   enabled: true
    168.   image:
    169.     repository: neuvector/enforcer
    170.     hash:
    171.   priorityClassName:
    172.   tolerations:
    173.     - effect: NoSchedule
    174.       key: node-role.kubernetes.io/master
    175.   resources: {}
    176.     # limits:
    177.     #   cpu: 400m
    178.     #   memory: 2792Mi
    179.     # requests:
    180.     #   cpu: 100m
    181.     #   memory: 2280Mi
    183. manager:
    184.   # If false, manager will not be installed
    185.   enabled: true
    186.   image:
    187.     repository: neuvector/manager
    188.     hash:
    189.   priorityClassName:
    190.   env:
    191.     ssl: true
    192.   svc:
    193.     type: NodePort
    194.     loadBalancerIP:
    195.     annotations: {}
    196.       # azure
    197.       # service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    198.       # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
    199.   # OpenShift Route configuration
    200.   route:
    201.     enabled: true
    202.     termination: passthrough
    203.     host:
    204.   certificate:
    205.     secret:
    206.     keyFile: tls.key
    207.     pemFile: tls.pem
    208.   ingress:
    209.     enabled: false
    210.     host:  # MUST be set, if ingress is enabled
    211.     path: "/"
    212.     annotations: {}
    213.       # kubernetes.io/ingress.class: my-nginx
    214.       # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1"
    215.       # nginx.ingress.kubernetes.io/rewrite-target: /
    216.       # nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
    217.       # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert
    218.       # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    219.     tls: false
    220.     secretName:  # my-tls-secret
    221.   resources: {}
    222.     # limits:
    223.     #   cpu: 400m
    224.     #   memory: 2792Mi
    225.     # requests:
    226.     #   cpu: 100m
    227.     #   memory: 2280Mi
    228.   affinity: {}
    229.   tolerations: []
    230.   nodeSelector: {}
    231.     # key1: value1
    232.     # key2: value2
    234. cve:
    235.   updater:
    236.     # If false, cve updater will not be installed
    237.     enabled: true
    238.     secure: false
    239.     image:
    240.       repository: neuvector/updater
    241.       tag: latest
    242.       hash:
    243.     schedule: "0 0 * * *"
    244.     priorityClassName:
    245.   scanner:
    246.     enabled: true
    247.     replicas: 3
    248.     dockerPath: ""
    249.     strategy:
    250.       type: RollingUpdate
    251.       rollingUpdate:
    252.         maxSurge: 1
    253.         maxUnavailable: 0
    254.     image:
    255.       repository: neuvector/scanner
    256.       tag: latest
    257.       hash:
    258.     priorityClassName:
    259.     resources: {}
    260.       # limits:
    261.       #   cpu: 400m
    262.       #   memory: 2792Mi
    263.       # requests:
    264.       #   cpu: 100m
    265.       #   memory: 2280Mi
    266.     affinity: {}
    267.     tolerations: []
    268.     nodeSelector: {}
    269.       # key1: value1
    270.       # key2: value2
    271. docker:
    272.   path: /var/run/docker.sock
    274. resources: {}
    275.   # limits:
    276.   #   cpu: 400m
    277.   #   memory: 2792Mi
    278.   # requests:
    279.   #   cpu: 100m
    280.   #   memory: 2280Mi
    282. k3s:
    283.   enabled: false
    284.   runtimePath: /run/k3s/containerd/containerd.sock
    286. bottlerocket:
    287.   enabled: false
    288.   runtimePath: /run/dockershim.sock
    290. containerd:
    291.   enabled: false
    292.   path: /var/run/containerd/containerd.sock
    294. crio:
    295.   enabled: false
    296.   path: /var/run/crio/crio.sock
    298. admissionwebhook:
    299.   type: ClusterIP
    301. crdwebhook:
    302.   enabled: true
    303.   type: ClusterIP
    304. [root@UR-20210425NAMA core]#
    1. [root@ur-scm-master01 ~]# helm install neuvector --namespace neuvector neuvector/core
    2. Error: rendered manifests contain a resource that already exists. Unable to continue with install: CustomResourceDefinition "nvadmissioncontrolsecurityrules.neuvector.com" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "neuvector"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "neuvector"
    3. [root@ur-scm-master01 ~]# 
    4. [root@ur-scm-master01 ~]# 
    5. [root@ur-scm-master01 ~]# helm -n neuvector list
    6. NAME    NAMESPACE    REVISION    UPDATED    STATUS    CHART    APP VERSION
    7. [root@ur-scm-master01 ~]# 
    8. [root@ur-scm-master01 ~]# 
    9. [root@ur-scm-master01 ~]# kubectl get crd | grep nvad
    10. nvadmissioncontrolsecurityrules.neuvector.com         2022-01-19T05:23:50Z
    11. [root@ur-scm-master01 ~]# 
    12. [root@ur-scm-master01 ~]# 
    13. [root@ur-scm-master01 ~]# 
    14. [root@ur-scm-master01 ~]# kubectl delete crd nvadmissioncontrolsecurityrules.neuvector.com 
    15. customresourcedefinition.apiextensions.k8s.io "nvadmissioncontrolsecurityrules.neuvector.com" deleted
    16. [root@ur-scm-master01 ~]# 
    17. [root@ur-scm-master01 ~]# 
    18. [root@ur-scm-master01 ~]# helm install neuvector --namespace neuvector neuvector/core
    19. Error: rendered manifests contain a resource that already exists. Unable to continue with install: CustomResourceDefinition "nvwafsecurityrules.neuvector.com" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "neuvector"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "neuvector"
    20. [root@ur-scm-master01 ~]# kubectl get crd | grep neuvector
    21. nvwafsecurityrules.neuvector.com                      2022-01-19T05:23:50Z
    22. [root@ur-scm-master01 ~]# 
    23. [root@ur-scm-master01 ~]# 
    24. [root@ur-scm-master01 ~]# kubectl delete crd nvwafsecurityrules.neuvector.com 
    25. customresourcedefinition.apiextensions.k8s.io "nvwafsecurityrules.neuvector.com" deleted
    26. [root@ur-scm-master01 ~]# helm install neuvector --namespace neuvector neuvector/core
    27. NAME: neuvector
    28. LAST DEPLOYED: Thu Mar  3 10:06:43 2022
    29. NAMESPACE: neuvector
    30. STATUS: deployed
    31. REVISION: 1
    32. TEST SUITE: None
    33. NOTES:
    34. Get the NeuVector URL by running these commands:
    35.   NODE_PORT=$(kubectl get --namespace neuvector -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)
    36.   NODE_IP=$(kubectl get nodes --namespace neuvector -o jsonpath="{.items[0].status.addresses[0].address}")
    37.   echo https://$NODE_IP:$NODE_PORT
    38. [root@ur-scm-master01 ~]#[root@ur-scm-master01 ~]# helm install neuvector --namespace neuvector neuvector/core
    39. Error: rendered manifests contain a resource that already exists. Unable to continue with install: CustomResourceDefinition "nvadmissioncontrolsecurityrules.neuvector.com" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "neuvector"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "neuvector"
    40. [root@ur-scm-master01 ~]# 
    41. [root@ur-scm-master01 ~]# 
    42. [root@ur-scm-master01 ~]# helm -n neuvector list
    43. NAME    NAMESPACE    REVISION    UPDATED    STATUS    CHART    APP VERSION
    44. [root@ur-scm-master01 ~]# 
    45. [root@ur-scm-master01 ~]# 
    46. [root@ur-scm-master01 ~]# kubectl get crd | grep nvad
    47. nvadmissioncontrolsecurityrules.neuvector.com         2022-01-19T05:23:50Z
    48. [root@ur-scm-master01 ~]# 
    49. [root@ur-scm-master01 ~]# 
    50. [root@ur-scm-master01 ~]# 
    51. [root@ur-scm-master01 ~]# kubectl delete crd nvadmissioncontrolsecurityrules.neuvector.com 
    52. customresourcedefinition.apiextensions.k8s.io "nvadmissioncontrolsecurityrules.neuvector.com" deleted
    53. [root@ur-scm-master01 ~]# 
    54. [root@ur-scm-master01 ~]# 
    55. [root@ur-scm-master01 ~]# helm install neuvector --namespace neuvector neuvector/core
    56. Error: rendered manifests contain a resource that already exists. Unable to continue with install: CustomResourceDefinition "nvwafsecurityrules.neuvector.com" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "neuvector"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "neuvector"
    57. [root@ur-scm-master01 ~]# kubectl get crd | grep neuvector
    58. nvwafsecurityrules.neuvector.com                      2022-01-19T05:23:50Z
    59. [root@ur-scm-master01 ~]# 
    60. [root@ur-scm-master01 ~]# 
    61. [root@ur-scm-master01 ~]# kubectl delete crd nvwafsecurityrules.neuvector.com 
    62. customresourcedefinition.apiextensions.k8s.io "nvwafsecurityrules.neuvector.com" deleted
    63. [root@ur-scm-master01 ~]# helm install neuvector --namespace neuvector neuvector/core
    64. NAME: neuvector
    65. LAST DEPLOYED: Thu Mar  3 10:06:43 2022
    66. NAMESPACE: neuvector
    67. STATUS: deployed
    68. REVISION: 1
    69. TEST SUITE: None
    70. NOTES:
    71. Get the NeuVector URL by running these commands:
    72.   NODE_PORT=$(kubectl get --namespace neuvector -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)
    73.   NODE_IP=$(kubectl get nodes --namespace neuvector -o jsonpath="{.items[0].status.addresses[0].address}")
    74.   echo https://$NODE_IP:$NODE_PORT
    75. [root@ur-scm-master01 ~]#