Experimental version. The functionality may undergo significant changes. Compatibility with future versions is not guaranteed.

Examples of using security policies

  1. An example of a network security policy for a web application that allows incoming HTTP and HTTPS requests and outgoing connections to PostgreSQL:

    apiVersion: neuvector.com/v1
    kind: NvSecurityRule
    metadata:
      name: web-app-security
      namespace: production
    spec:
      target:
        policymode: Protect
        selector:
          name: nv.web-app.production
          criteria:
            - key: service
              value: web-app.production
              op: "="
            - key: domain
              value: production
              op: "="
      ingress:
        - action: allow
          name: allow-http
          selector:
            name: ingress-controller
            criteria:
              - key: service
                value: nginx-ingress
                op: "="
          ports: tcp/80,tcp/443
          applications:
            - HTTP
            - SSL
      egress:
        - action: allow
          name: allow-database
          selector:
            name: nv.database.production
            criteria:
              - key: service
                value: database.production
                op: "="
          ports: tcp/5432
          applications:
            - PostgreSQL
    
  2. An example of a global policy that denies SSH access to all containers in the cluster:

    apiVersion: neuvector.com/v1
    kind: NvClusterSecurityRule
    metadata:
      name: global-ssh-restriction
      namespace: neuvector
    spec:
      target:
        selector:
          name: containers
          criteria:
            - key: container
              value: "*"
              op: "="
      ingress:
        - action: deny
          name: deny-external-ssh
          selector:
            name: external
            criteria: []
          ports: tcp/22
          applications:
            - SSH
      process:
        - action: deny
          name: ssh
          path: /bin/ssh
    
  3. An example of an admission control policy that blocks deployments to system namespaces:

    apiVersion: neuvector.com/v1
    kind: NvAdmissionControlSecurityRule
    metadata:
      name: local
      namespace: neuvector
    spec:
      config:
        enable: true
        mode: protect
        client_mode: service
      rules:
        - action: deny
          criteria:
            - name: namespace
              op: containsAny
              path: namespace
              value: "kube-system,kube-public"
          comment: "Blocking deployments to system namespaces"
    
  4. An example of a reusable group; such a group can be referenced in policies via the target field:

    apiVersion: neuvector.com/v1
    kind: NvGroupDefinition
    metadata:
      name: production-web-services
      namespace: neuvector
    spec:
      selector:
        name: nv.web-services.production
        comment: "Production web services group"
        criteria:
          - key: service
            value: web-services.production
            op: "="
          - key: domain
            value: production
            op: "="
    
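Before applying rules like those in examples 1 and 2, it is worth running a quick structural check so that a typo (a misspelled action, a port written without its protocol, an allow rule whose selector matches everything) is caught before the policy reaches Protect mode. The following linter is an added example, not part of NeuVector or of this documentation: it relies only on the field names visible in the manifests above, and the port grammar and the sample dictionary are assumptions constructed for the example.

```python
import re

# Assumed port syntax, based on the "tcp/80,tcp/443" and "tcp/5432" values on this
# page: comma-separated proto[/port[-port]] entries or "any" (not a confirmed grammar).
PORT_RE = re.compile(r"^(any|(tcp|udp|icmp)(/\d+(-\d+)?)?)$")
ACTIONS = {"allow", "deny"}


def lint_security_rule(doc):
    """Return (severity, message) findings for one NvSecurityRule-shaped dict."""
    findings = []
    spec = doc.get("spec", {})
    mode = spec.get("target", {}).get("policymode")
    seen = set()
    for direction in ("ingress", "egress"):
        for rule in spec.get(direction) or []:
            name = rule.get("name") or "<unnamed>"
            if name == "<unnamed>":
                findings.append(("error", f"{direction}: rule has no name"))
            elif name in seen:
                findings.append(("error", f"{direction}/{name}: duplicate rule name"))
            seen.add(name)
            if rule.get("action") not in ACTIONS:
                findings.append(("error", f"{direction}/{name}: action must be allow or deny"))
            for entry in str(rule.get("ports", "")).split(","):
                if entry.strip() and not PORT_RE.match(entry.strip()):
                    findings.append(("error", f"{direction}/{name}: bad port spec {entry.strip()!r}"))
            # An allow rule whose selector carries no criteria matches any peer.
            if rule.get("action") == "allow" and not rule.get("selector", {}).get("criteria"):
                findings.append(("warn", f"{direction}/{name}: allow rule with empty selector criteria"))
    if mode == "Protect" and not seen:
        findings.append(("warn", "Protect mode with no ingress/egress rules blocks all traffic"))
    return findings


# Constructed sample mirroring example 1 (only the fields the checks use).
WEB_APP_RULE = {
    "apiVersion": "neuvector.com/v1", "kind": "NvSecurityRule",
    "spec": {
        "target": {"policymode": "Protect",
                   "selector": {"name": "nv.web-app.production",
                                "criteria": [{"key": "service", "value": "web-app.production", "op": "="}]}},
        "ingress": [{"action": "allow", "name": "allow-http", "ports": "tcp/80,tcp/443",
                     "selector": {"name": "ingress-controller",
                                  "criteria": [{"key": "service", "value": "nginx-ingress", "op": "="}]}}],
        "egress": [{"action": "allow", "name": "allow-database", "ports": "tcp/5432",
                    "selector": {"name": "nv.database.production",
                                 "criteria": [{"key": "service", "value": "database.production", "op": "="}]}}],
    },
}
```

Running lint_security_rule(WEB_APP_RULE) returns an empty list for the policy from example 1; load real manifests with a YAML parser and pass each document through the same function.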

Additional Resources