Best Practices
Policy Organization
-
Use NvGroupDefinition for reusable groups:
# Define once apiVersion: neuvector.com/v1 kind: NvGroupDefinition metadata: name: web-tier spec: selector: name: nv.web-tier.production -
Leverage namespace-scoped rules for application policies:
# Application-specific in namespace apiVersion: neuvector.com/v1 kind: NvSecurityRule metadata: name: app-security namespace: production -
Use cluster-scoped rules for global policies:
# Global baseline security apiVersion: neuvector.com/v1 kind: NvClusterSecurityRule metadata: name: baseline-security
Naming Conventions
- Use descriptive rule names:
web-to-database-access - Follow consistent group naming:
nv.service.namespace - Avoid reserved prefixes:
fed.,nv.ip.,host:,workload:
Policy Validation
# Valid group name pattern
name: "^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$"
# Service format for discovered groups
name: "nv.service-name.namespace"
Migration Strategy
-
Export from staging:
kubectl get nvsecurityrule -o yaml > staging-policies.yaml -
Modify for production:
# Change policy mode target: policymode: Protect # was: Monitor -
Apply to production:
kubectl apply -f production-policies.yaml
RBAC Integration
NeuVector CRDs integrate with Kubernetes RBAC:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: neuvector-policy-manager
rules:
- apiGroups: ["neuvector.com"]
resources: ["nvsecurityrules", "nvclustersecurityrules"]
verbs: ["get", "list", "create", "update", "delete"]
Namespace-scoped RBAC
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dev-team-policies
namespace: development
subjects:
- kind: User
name: dev-team-lead
roleRef:
kind: ClusterRole
name: neuvector-policy-manager
Troubleshooting
Common Issues
1. Policy import rejection:
Error: group criteria mismatch
Solution: Ensure group criteria match between source and destination.
2. Namespace boundary violations:
Error: cross-namespace policy creation denied
Solution: Use NvClusterSecurityRule for cross-namespace policies.
3. Invalid group names:
Error: invalid group name format
Solution: Follow naming convention: ^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$
Validation Commands
# Validate CRD syntax
kubectl apply --dry-run=client -f policy.yaml
# Check policy status
kubectl get nvsecurityrule -n production
# View policy details
kubectl describe nvsecurityrule web-app-security -n production
# Check events for errors
kubectl get events -n neuvector | grep NeuVector
Debugging Policy Application
-
Check controller logs:
kubectl logs -n neuvector deployment/neuvector-controller-pod -
Verify group creation:
# In NeuVector console: Policy -> Groups -
Review policy mode:
# Ensure target group is in correct mode (Discover/Monitor/Protect)
Performance Considerations
- Limit the number of concurrent CRD applications
- Use batch operations for multiple policy updates
- Monitor controller resource usage during policy updates
- Implement gradual rollout for large policy changes
Integration Examples
GitOps Workflow
# .github/workflows/security-policies.yml
name: Deploy Security Policies
on:
push:
paths: ['policies/**']
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Deploy policies
run: kubectl apply -f policies/
CI/CD Pipeline Integration
# !/bin/bash
# validate-policies.sh
set -e
echo "Validating NeuVector policies..."
for policy in policies/*.yaml; do
kubectl apply --dry-run=client -f "$policy"
done
echo "Applying policies to staging..."
kubectl apply -f policies/ --namespace=staging
echo "Running security tests..."
./run-security-tests.sh
echo "Promoting to production..."
kubectl apply -f policies/ --namespace=production