Available with limitations in: CSE Pro (1.67)
Available without limitations in: EE
Experimental version. The functionality may undergo significant changes. Compatibility with future versions is not guaranteed.
Enabling NeuVector
To enable the module, use the web interface or the following command:
d8 platform module enable neuvector
Authentication
Authentication depends on the configuration:
-
If the user-authn module is enabled, NeuVector uses the centralized authentication system of Deckhouse Kubernetes Platform and supports all configured OAuth providers.
-
If the
user-authnmodule is disabled, local NeuVector authentication is used. In this case, only the built-inadminuser is valid, whose password can be obtained using the command:d8 k -n d8-neuvector get secret admin -o jsonpath='{.data.password}' | base64 -d
parameters
Schema version: 1
-
-
objectsettings.controller
Configuration for the NeuVector controller component.
The controller manages policies, orchestrates scanning, and provides the REST API.
-
objectsettings.controller.nodeSelector
The same as in the pods’
spec.nodeSelectorparameter in Kubernetes.If the parameter is omitted, it will be determined automatically.
Example:
disktype: ssd -
settings.controller.storageClass
The name of StorageClass that will be used in the cluster by default.
If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.
The global
storageClassparameter is only considered when the module is enabled. Changing the globalstorageClassparameter while the module is enabled will not trigger disk re-provisioning.Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.
If
falseis specified,emptyDirwill be forced to be used.Examples:
storageClass: falsestorageClass: nfs-storage-class -
array of objectssettings.controller.tolerations
The same as in the Pods’
spec.tolerationsparameter in Kubernetes.If the parameter is omitted or
false, it will be determined automatically.-
stringsettings.controller.tolerations.effect
-
stringsettings.controller.tolerations.key
-
stringsettings.controller.tolerations.operator
-
integersettings.controller.tolerations.tolerationSeconds
-
stringsettings.controller.tolerations.value
-
-
-
booleansettings.highAvailability
Manually enable the high availability mode.
By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.
Example:
highAvailability: true -
objectsettings.https
What certificate type to use with the neuvector.
This parameter completely overrides the
global.modules.httpssettings.Examples:
customCertificate: secretName: foobar mode: CustomCertificatecertManager: clusterIssuerName: letsencrypt mode: CertManager-
objectsettings.https.certManager
-
stringsettings.https.certManager.clusterIssuerNameWhat ClusterIssuer to use for the neuvector. Currently,
letsencrypt,letsencrypt-staging,selfsignedare available; also, you can define your own.Default:
letsencrypt
-
-
objectsettings.https.customCertificate
-
stringsettings.https.customCertificate.secretNameThe name of the Secret in the
d8-systemnamespace to use with the neuvector (this Secret must have the kubernetes.io/tls format).Default:
false
-
-
stringsettings.https.mode
The HTTPS usage mode:
CertManager— the neuvector will use HTTPS and get a certificate from the ClusterIssuer defined in thecertManager.clusterIssuerNameparameter;CustomCertificate— the neuvector will use the certificate from thed8-systemnamespace for HTTPS;Disabled— neuvector will not work in this mode;OnlyInURI— the neuvector will work over HTTP (thinking that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme. Load balancer should provide a redirect from HTTP to HTTPS.
Allowed values:
Disabled,CertManager,CustomCertificate,OnlyInURI
-
-
objectsettings.manager
Configuration for the NeuVector manager (web UI) component.
The manager provides the web-based user interface for NeuVector.
-
objectsettings.manager.nodeSelector
The same as in the pods’
spec.nodeSelectorparameter in Kubernetes.If the parameter is omitted, it will be determined automatically.
Example:
disktype: ssd -
array of objectssettings.manager.tolerations
The same as in the Pods’
spec.tolerationsparameter in Kubernetes.If the parameter is omitted or
false, it will be determined automatically.-
stringsettings.manager.tolerations.effect
-
stringsettings.manager.tolerations.key
-
stringsettings.manager.tolerations.operator
-
integersettings.manager.tolerations.tolerationSeconds
-
stringsettings.manager.tolerations.value
-
-
-
objectsettings.scanner
Configuration for the NeuVector scanner component.
The scanner performs vulnerability scanning of container images and registries.
-
objectsettings.scanner.nodeSelectorNode selector for scanner pods.
Example:
disktype: ssd -
array of objectssettings.scanner.tolerations
The same as in the Pods’
spec.tolerationsparameter in Kubernetes.If the parameter is omitted or
false, it will be determined automatically.-
stringsettings.scanner.tolerations.effect
-
stringsettings.scanner.tolerations.key
-
stringsettings.scanner.tolerations.operator
-
integersettings.scanner.tolerations.tolerationSeconds
-
stringsettings.scanner.tolerations.value
-
-
-