Deploy Using Operators

Operators

Operators take human operational knowledge and encode it into software that is more easily shared with consumers. Operators are pieces of software that ease the operational complexity of running another piece of software. More technically, Operators are a method of packaging, deploying, and managing a Kubernetes application.

SUSE® Security Operators

The SUSE® Security Operator is based on the SUSE® Security Helm chart. The SUSE® Security RedHat OpenShift Operator runs in the OpenShift container platform to deploy and manage the SUSE® Security Security cluster components. The SUSE® Security Operator contains all necessary information to deploy SUSE® Security using Helm charts. You simply need to install the SUSE® Security operator from the OpenShift embedded Operator hub and create the SUSE® Security instance.

To deploy the latest SUSE® Security container versions, please use either the https://catalog.redhat.com/search?searchType=software&deployed_as=Operator&partnerName=SUSE® Security&p=1[Red Hat Certified Operator] from Operator Hub or the community operator. Documentation for the community operator can be found here.

Note about SCC and Upgrading

Privileged SCC is added to the Service Account specified in the deployment yaml by Operator version 1.3.4 and above in new deployments. In the case of upgrading the SUSE® Security Operator from a previous version to 1.3.4, please delete Privileged SCC before upgrading.

oc delete rolebinding -n neuvector system:openshift:scc:privileged

SUSE® Security Certified Operator versions are tied to SUSE® Security product versions, and each new version must go through a certification process with Red Hat before being published. Certified operator version for 5.3.x is tied to helm version 2.7.2 and SUSE® Security app version 5.3.2. Certified operator version 1.3.9 is tied to SUSE® Security version 5.2.0. Certified operator version 1.3.7 is tied to SUSE® Security version 5.1.0. Version 1.3.4 operator version is tied to SUSE® Security 5.0.0. If you wish to be able to change the version tags of the SUSE® Security containers deployed, please use the Community version.

Click here for details

Deploy Using the Red Hat Certified Operator from Operator Hub

SUSE® Security Operator versions are tied to SUSE® Security product versions, and each new product version must go through a certification process with Red Hat before being published.

Technical notes

SUSE® Security container images are pulled from registry.connect.redhat.com using the RedHat market place image pull secret.
The SUSE® Security manager UI is typically exposed via an OpenShift passthrough route on a domain. For example, on IBM Cloud neuvector-route-webui-neuvector.(cluster_name)-(random_hash)-0000.(region).containers.appdomain.cloud. It can also be exposed as the service neuvector-service-webui through a node port address or public IP.
OpenShift version >=4.6.
1. Create the project neuvector
  oc new-project neuvector
2. Install the RedHat Certified Operator from the Operator Hub
  - In the OpenShift Console UI, navigate to OperatorHub
  - Search for SUSE® Security Operator and select the listing without community or marketplace badge
  - Click Install
3. Configure update channel
  - Current latest channel is beta, but may be moved to stable in the future
  - Select stable if available
4. Configure installation mode and installed namespace
  - Select specific namespace on the cluster
  - Select neuvector as installed namespace
  - Configure approval strategy
5. Confirm Install
6. Prepare the YAML configuration values for the SUSE® Security installation as shown in the sample screen shot below. The YAML presented in the OpenShift Console provides all available configuration options and their default values.
7. When the operator is installed and ready for use, a SUSE® Security instance can be installed.
  - Click View operator (after the operator installation) or select the SUSE® Security Operator from the Installed operators view
  - Click Create instance
  - Select Configure via YAML View
  - Paste the prepared YAML configuration values
  - Click Create
8. Verify the installation of the SUSE® Security instance
  - Navigate to the Operator Details of the SUSE® Security Operator
  - Open the SUSE® Security tab
  - Select the neuvector-default instance
  - Open the Resources tab
  - Verify that resources are in status Created or Running

After you have successfully deployed the SUSE® Security Platform to your cluster, login to the SUSE® Security console at https://neuvector-route-webui-neuvector.(OC_INGRESS). * Login with the initial username admin and password admin. * Accept the SUSE® Security end user license agreement. * Change the password of the admin user. Optionally, you can also create additional users in the Settings → Users & Roles menu. Now you are ready to navigate the SUSE® Security console to start vulnerability scanning, observe running application pods, and apply security protections to containers.

Upgrading SUSE® Security

Upgrade the SUSE® Security version by updating the Operator version which is associated with the desired SUSE® Security version.

Click here for details

Deploy Using the SUSE® Security Community Operator from Operator Hub

Technical notes

SUSE® Security container images are pulled from Docker Hub from the SUSE® Security account.
SUSE® Security manager UI is typically exposed via an OpenShift passthrough route on a domain. For example, on IBM Cloud neuvector-route-webui-neuvector.(cluster_name)-(random_hash)-0000.(region).containers.appdomain.cloud. It can also be exposed as the service neuvector-service-webui through a node port address or public IP.
OpenShift version 4.6+
It is recommendeded to review and modify the SUSE® Security installation configuration by modifying the yaml values before creating the SUSE® Security instance. Examples include imagePullSecrets name, tag version, ingress/console access, multi-cluster federation, persistent volume PVC etc. Please refer to the Helm instructions at https://github.com/neuvector/neuvector-helm for the values that can be modified during installation.
1. Create the project neuvector
  oc new-project neuvector
2. Install the SUSE® Security Community Operator from the Operator Hub
  - In the OpenShift Console UI, navigate to OperatorHub
  - Search for SUSE® Security Operator and select the listing with the community badge
  - Click Install
  - Configure update channel. Current latest channel is beta, but may be moved to stable in the future. Select stable if available.
  - Configure installation mode and installed namespace
  - Select specific namespace on the cluster
  - Select neuvector as installed namespace
  - Configure approval strategy
  - Confirm Install
3. Download the Kubernetes secret manifest which contains the credentials to access the SUSE® Security container registry. Save the YAML manifest file to ./neuvector-secret-registry.yaml.
4. Apply the Kubernetes secret manifest containing the registry credentials.
  kubectl apply -n neuvector -f ./neuvector-secret-registry.yaml
5. Prepare the YAML configuration values for the SUSE® Security installation starting from the following YAML snippet. Be sure to specify the desired SUSE® Security version in the 'tag' value. Check the reference of values in the SUSE® Security Helm chart to get available configuration options. There are other possible Helm values which can be configured in the YAML, such as whether you will configure the cluster to allow multi-cluster management by exposing the Master (Federated Master) or remote (Federated Worker) services.
  apiVersion: apm.neuvector.com/v1alpha1 kind: Neuvector metadata: name: neuvector-default namespace: neuvector spec: openshift: true tag: 4.3.0 registry: docker.io exporter: image: repository: prometheus-exporter tag: 0.9.0 manager: enabled: true env: ssl: true image: repository: manager svc: type: ClusterIP route: enabled: true termination: passthrough enforcer: enabled: true image: repository: enforcer cve: updater: enabled: true image: repository: updater tag: latest schedule: 0 0 * * * scanner: enabled: true replicas: 3 image: repository: scanner tag: latest controller: enabled: true image: repository: controller replicas: 3
6. When the operator is installed and ready for use, a SUSE® Security instance can be installed.
  - Click View operator (after the operator installation) or select the SUSE® Security Operator from the Installed operators view
  - Click Create instance
  - Select Configure via YAML View
  - Paste the prepared YAML configuration values
  - Click Create
7. Verify the installation of the SUSE® Security instance.
  - Navigate to the Operator Details of the SUSE® Security Operator
  - Open the SUSE® Security tab
  - Select the neuvector-default instance
  - Open the Resources tab
  - Verify that resources are in status Created or Running
8. After you have successfully deployed the SUSE® Security Platform to your cluster, login to the SUSE® Security console at https://neuvector-route-webui-neuvector.(INGRESS_DOMAIN).
  - Login with the initial username admin and password admin.
  - Accept the SUSE® Security end user license agreement.
  - Change the password of the admin user.
  - Optionally, you can also create additional users in the Settings → Users & Roles menu.

Now you are ready to navigate the SUSE® Security console to start vulnerability scanning, observe running application pods, and apply security protections to containers.

Upgrading SUSE® Security

From Operators > Installed Operators > SUSE® Security Operator
Click on SUSE® Security to list instances
Click on YAML to edit parameters
Update tag and click Save

Troubleshooting

Check the Operator deployment values in the deployed yaml file
Verify that security context constraint (SCC) for SUSE® Security in step 2 was successfully added
Review and check the SUSE® Security Helm chart values
Make sure the registry path and version tag is set properly (community operator; certified will use the defaults)
Make sure the route to the SUSE® Security manager service neuvector-route-webui is configured