The module lifecycle stage: Experimental
Available with limitations in: CSE Pro (1.67)
Available without limitations in: EE
Enabling NeuVector
To enable the module, use the web interface or the following command:
d8 platform module enable neuvector
Authentication
Authentication depends on the configuration:
-
If the user-authn module is enabled, NeuVector uses the centralized authentication system of Deckhouse Kubernetes Platform and supports all configured OAuth providers.
-
If the
user-authnmodule is disabled, local NeuVector authentication is used. In this case, only the built-inadminuser is valid, whose password can be obtained using the command:d8 k -n d8-neuvector get secret admin -o jsonpath='{.data.password}' | base64 -d
How to explicitly enable the module…
You may explicitly enable or disable the module in one of the following ways:
-
Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the
neuvectormodule and enable (or disable) the “Module enabled” toggle. Save changes.Example:
-
Via Deckhouse CLI (d8).
Use the d8 system module enable command for enabling, or d8 system module disable command for disabling the module (you need Deckhouse CLI (d8), configured to work with the cluster).
Example of enabling the module:
d8 system module enable neuvector -
Using ModuleConfig
neuvector.Set
spec.enabledtotrueorfalsein ModuleConfigneuvector(create it if necessary);Example of a manifest to enable module
neuvector:apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: neuvector spec: enabled: true
You can configure the module in one of the following ways:
-
Via Deckhouse web UI.
In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the
neuvectormodule and enable the “Advanced Settings” switch. Fill in the required fields in the “Configuration” tab or specify the module settings in YAML format on the “YAML” tab, excluding the settings section. Save the changes.Example:
You can also edit the ModuleConfig object
neuvectoron the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the moduleneuvector) by specifying the schema version in thespec.versionparameter and the necessary module parameters in thespec.settingssection. -
Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).
Edit the existing ModuleConfig
neuvector(for more details on configuring Deckhouse, see the documentation) by executing the following command:d8 k edit mc neuvectorMake the necessary changes in the
spec.settingssection. If necessary, specify the schema version in thespec.versionparameter. Save the changes.You can also create a file with manifest for ModuleConfig
neuvectorusing the example below. Fill in thespec.settingssection with the required module parameters. If necessary, specify the schema version in thespec.versionparameter.Apply the manifest using the following command (indicate the manifest file name):
d8 k apply -f <FILENAME>Example of a manifest for ModuleConfig
neuvector:apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: neuvector spec: version: 1 enabled: true settings: # Module parameters from the "Parameters" section below.
Requirements
To the Deckhouse version: 1.68 and above.
Parameters
Schema version: 1
-
-
objectsettings.controller
Configuration for the NeuVector controller component.
The controller manages policies, orchestrates scanning, and provides the REST API.
-
objectsettings.controller.nodeSelector
The same as in the pods’
spec.nodeSelectorparameter in Kubernetes.If the parameter is omitted, it will be determined automatically.
Example:
disktype: ssd -
settings.controller.storageClass
The name of StorageClass that will be used in the cluster by default.
If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.
The global
storageClassparameter is only considered when the module is enabled. Changing the globalstorageClassparameter while the module is enabled will not trigger disk re-provisioning.Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.
If
falseis specified,emptyDirwill be forced to be used.Examples:
storageClass: falsestorageClass: nfs-storage-class -
array of objectssettings.controller.tolerations
The same as in the Pods’
spec.tolerationsparameter in Kubernetes.If the parameter is omitted or
false, it will be determined automatically.-
stringsettings.controller.tolerations.effect
-
stringsettings.controller.tolerations.key
-
stringsettings.controller.tolerations.operator
-
integersettings.controller.tolerations.tolerationSeconds
-
stringsettings.controller.tolerations.value
-
-
-
booleansettings.highAvailability
Manually enable the high availability mode.
By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.
Example:
highAvailability: true -
objectsettings.https
What certificate type to use with the neuvector.
This parameter completely overrides the
global.modules.httpssettings.Examples:
customCertificate: secretName: foobar mode: CustomCertificatecertManager: clusterIssuerName: letsencrypt mode: CertManager-
objectsettings.https.certManager
-
stringsettings.https.certManager.clusterIssuerNameWhat ClusterIssuer to use for the neuvector. Currently,
letsencrypt,letsencrypt-staging,selfsignedare available; also, you can define your own.Default:
letsencrypt
-
-
objectsettings.https.customCertificate
-
stringsettings.https.customCertificate.secretNameThe name of the Secret in the
d8-systemnamespace to use with the neuvector (this Secret must have the kubernetes.io/tls format).Default:
false
-
-
stringsettings.https.mode
The HTTPS usage mode:
CertManager— the neuvector will use HTTPS and get a certificate from the ClusterIssuer defined in thecertManager.clusterIssuerNameparameter;CustomCertificate— the neuvector will use the certificate from thed8-systemnamespace for HTTPS;Disabled— neuvector will not work in this mode;OnlyInURI— the neuvector will work over HTTP (thinking that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme. Load balancer should provide a redirect from HTTP to HTTPS.
Allowed values:
Disabled,CertManager,CustomCertificate,OnlyInURI
-
-
objectsettings.manager
Configuration for the NeuVector manager (web UI) component.
The manager provides the web-based user interface for NeuVector.
-
objectsettings.manager.nodeSelector
The same as in the pods’
spec.nodeSelectorparameter in Kubernetes.If the parameter is omitted, it will be determined automatically.
Example:
disktype: ssd -
array of objectssettings.manager.tolerations
The same as in the Pods’
spec.tolerationsparameter in Kubernetes.If the parameter is omitted or
false, it will be determined automatically.-
stringsettings.manager.tolerations.effect
-
stringsettings.manager.tolerations.key
-
stringsettings.manager.tolerations.operator
-
integersettings.manager.tolerations.tolerationSeconds
-
stringsettings.manager.tolerations.value
-
-
-
objectsettings.scanner
Configuration for the NeuVector scanner component.
The scanner performs vulnerability scanning of container images and registries.
-
objectsettings.scanner.nodeSelectorNode selector for scanner pods.
Example:
disktype: ssd -
array of objectssettings.scanner.tolerations
The same as in the Pods’
spec.tolerationsparameter in Kubernetes.If the parameter is omitted or
false, it will be determined automatically.-
stringsettings.scanner.tolerations.effect
-
stringsettings.scanner.tolerations.key
-
stringsettings.scanner.tolerations.operator
-
integersettings.scanner.tolerations.tolerationSeconds
-
stringsettings.scanner.tolerations.value
-
-
-