Deploy with ConfigMap

Kubernetes ConfigMap

SUSE® Security supports automated configuration through the Kubernetes ConfigMap feature. This allows SUSE® Security containers to be deployed with the appropriate configuration, integrations and other settings in an automated way.

The setting 'always_reload: true' can be added to any of the ConfigMap YAML sections to force that YAML to be reloaded each time the controller starts (version 4.3.2+). Otherwise the ConfigMap is loaded only on the first start or after a full cluster restart (see the section on persistent storage below).

Complete sample ConfigMap for SUSE® Security (initcfg.yaml)

The latest ConfigMap can be found at the following initcfg.yaml.

The sample is also shown below. It contains all available settings. Remove the sections you do not need and edit the ones you do.

If you use ConfigMap sections inside a Secret, see the section below for the format changes.

apiVersion: v1
data:
  fedinitcfg.yaml: |
    # NOTE: keep only ONE of the two blocks below (primary or remote) in the final file;
    # leaving both in place produces duplicate keys in the same YAML mapping.
    # ============ this section is used for primary cluster ============ >>>
    # Optional. If specified, it overwrites the cluster name specified in the system configuration in the sysinitcfg.yaml file
    Cluster_Name: primary.cluster.local
    # Required and must be the same on primary cluster and remote clusters
    # It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
    Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
    # Required: REST server/port of the neuvector-svc-controller-fed-master service
    Primary_Rest_Info:
      Server: 1.2.3.4
      Port: 11443
    # Optional. Supported value: https
    Use_Proxy: ""
    # Optional. Whether federal repo scan data deployment is enabled (for primary cluster only)
    Deploy_Repo_Scan_Data: false
    # <<< ============ this section is used for primary cluster ============
    # ============ this section is used for remote cluster ============ >>>
    # Optional. If specified, it overwrites the cluster name specified in the system configuration in the sysinitcfg.yaml file
    Cluster_Name: remote.cluster.local
    # Required and must be the same on primary cluster and remote clusters
    # It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
    # The Join_Token specified in the remote cluster's fedinitcfg.yaml needs to be the same as the Join_Token specified in the primary cluster's fedinitcfg.yaml otherwise the auto-joining request will be declined by the primary cluster
    Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
    # Required: REST server/port of the neuvector-svc-controller-fed-master service
    Primary_Rest_Info:
      Server: 1.2.3.4
      Port: 11443
    # Optional, for remote cluster only. REST server/port of the neuvector-svc-controller-fed-managed service
    Managed_Rest_Info:
      Server: 4.3.2.1
      Port: 10443
    # Optional. Supported value: https
    Use_Proxy: ""
    # <<< ============ this section is used for remote cluster ============
  passwordprofileinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    active_profile_name: default
    pwd_profiles:
    # only default profile is supported.
    - name: default
      comment: default from configMap
      min_len: 6
      min_uppercase_count: 0
      min_lowercase_count: 0
      min_digit_count: 0
      min_special_count: 0
      enable_block_after_failed_login: false
      block_after_failed_login_count: 0
      block_minutes: 0
      enable_password_expiration: false
      password_expire_after_days: 0
      enable_password_history: false
      password_keep_history_count: 0
      # Optional. value between 30 -- 3600  default 300
      session_timeout: 300
  roleinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    roles:
    # Optional.
    - Comment: test role
    # Mandatory. name can have ^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$
      Name: testrole
    # Mandatory
      Permissions:
        - id: config
          read: true
          write: true
        - id: rt_scan
          read: true
          write: true
        - id: reg_scan
          read: true
          write: true
        - id: ci_scan
          write: true
        - id: rt_policy
          read: true
          write: true
        - id: admctrl
          read: true
          write: true
        - id: compliance
          read: true
          write: true
        - id: audit_events
          read: true
        - id: security_events
          read: true
        - id: events
          read: true
        - id: authentication
          read: true
          write: true
        - id: authorization
          read: true
          write: true
  ldapinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    # Mandatory. OpenLDAP or MicrosoftAD
    directory: OpenLDAP
    # Mandatory.
    Hostname: 1.2.3.4
    # Optional. the default value is 389
    Port: 389
    # Optional true or false or empty string(false)
    SSL: false
    # Mandatory. Search base under which users and groups are looked up
    base_dn: dc=example,dc=org
    # Optional. Account used to bind to the directory for the lookup
    bind_dn: cn=admin,dc=example,dc=org
    # Optional.
    bind_password: password
    # Optional. empty string(memberUid for openldap or member for windows ad)
    group_member_attr:
    # Optional. empty string(cn for openldap or sAMAccountName for windows ad)
    username_attr:
    # Optional. true or false or empty string(false)
    Enable: false
    # Optional. admin or reader or empty string(none)
    Default_Role: admin
    group_mapped_roles:
      - group: admin1
        global_role: admin
      - group: reader1
        global_role: reader
      - group: ciops1
        global_role: ciops
      - group: admin2
        global_role: admin
      - group: reader2
        global_role: reader
      - group: ciops2
        global_role: ciops
      - group: ns
        global_role:
        role_domains:
          testrole:
            - ns2-ciops1
            - ns2-ciops2
          reader:
            - ns2-reader1
            - ns2-reader2
          admin:
            - ns2-admin1
            - ns2-admin2
      - group: custom
        global_role: testrole
        role_domains:
          ciops:
            - custom-ciops1
            - custom-ciops2
          reader:
            - custom-reader1
            - custom-reader2
          admin:
            - custom-admin1
            - custom-admin2
  oidcinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    # Mandatory
    Issuer: https://...
    # Mandatory
    Client_ID: f53c56ec...
    # Mandatory
    Client_Secret: AyAixE3...
    # Optional. empty or string(group filter info)
    Group_Claim:
    # Optional. empty string(openid,profile,email)
    Scopes:
      - openid
      - profile
      - email
    # Optional. true or false or empty string(false)
    Enable: false
    # Optional. admin or reader or empty string(none)
    Default_Role: admin
    group_mapped_roles:
      - group: admin1
        global_role: admin
      - group: reader1
        global_role: reader
      - group: ciops1
        global_role: ciops
      - group: admin2
        global_role: admin
      - group: reader2
        global_role: reader
      - group: ciops2
        global_role: ciops
      - group: ns
        global_role:
        role_domains:
          testrole:
            - ns2-ciops1
            - ns2-ciops2
          reader:
            - ns2-reader1
            - ns2-reader2
          admin:
            - ns2-admin1
            - ns2-admin2
      - group: custom
        global_role: testrole
        role_domains:
          ciops:
            - custom-ciops1
            - custom-ciops2
          reader:
            - custom-reader1
            - custom-reader2
          admin:
            - custom-admin1
            - custom-admin2
    group_claim: groups
  samlinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    # Mandatory
    SSO_URL: https://...
    # Mandatory
    Issuer: https://...
    # Mandatory
    X509_Cert: |
      -----BEGIN CERTIFICATE-----
      MIIC8DCCAdigAwIBAgIQSMNDFv5HI7RPgF0uHW8YJDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
      ...
      -----END CERTIFICATE-----
    x509_cert_extra:
      - |
        -----BEGIN CERTIFICATE-----
        MIIC8DCCAdigAwIBAgIQSMNDFv5HI7RPgF0uHW8YJDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
        ...
        -----END CERTIFICATE-----
    # Optional. empty or string(group filter info)
    Group_Claim:
    # Optional. true or false or empty string(false)
    Enable: false
    # Optional. admin or reader or empty string(none)
    Default_Role: admin
    group_mapped_roles:
      - group: admin1
        global_role: admin
      - group: reader1
        global_role: reader
      - group: ciops1
        global_role: ciops
      - group: admin2
        global_role: admin
      - group: reader2
        global_role: reader
      - group: ciops2
        global_role: ciops
      - group: ns
        global_role:
        role_domains:
          testrole:
            - ns2-ciops1
            - ns2-ciops2
          reader:
            - ns2-reader1
            - ns2-reader2
          admin:
            - ns2-admin1
            - ns2-admin2
      - group: custom
        global_role: testrole
        role_domains:
          ciops:
            - custom-ciops1
            - custom-ciops2
          reader:
            - custom-reader1
            - custom-reader2
          admin:
            - custom-admin1
            - custom-admin2
    group_claim: groups
  sysinitcfg.yaml: |
    # Optional. Defaults to false. Set to true to allow a namespace user with the runtime-policy (read) permission to export the network policy of the groups
    Allow_Ns_User_Export_Net_Policy: false
    # Optional. true or false or empty string(false)
    always_reload: false
    # Optional. Choose between  Discover or Monitor or Protect or empty string(Discover)
    New_Service_Policy_Mode: Discover
    # Optional. zero-drift or basic or empty string(zero-drift)
    New_Service_Profile_Baseline: zero-drift
    # Optional. input valid ipv4 address or empty string
    Syslog_ip: 1.2.3.4
    # Optional. input 17, 6 or 66 here for udp, tcp, tcp+tls or empty string(17)
    Syslog_IP_Proto: 17
    # Optional. it is required when Syslog_IP_Proto is 66 only
    Syslog_Server_Cert: |
      -----BEGIN CERTIFICATE-----
      MIIC8DCCAdigAwIBAgIQSMNDFv5HI7RPgF0uHW8YJDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
      ...
      -----END CERTIFICATE-----
    # Optional. empty string(514)
    Syslog_Port: 514
    # Optional. choose between Alert/Critical/Error/Warning/Notice/Info/Debug or empty string(Info)
    Syslog_Level: Info
    # Optional. true or false or empty string(false)
    Syslog_status: false
    Syslog_Categories:
    # Optional. can choose multiple between event/security-event/audit or empty string
      - event
      - security-event
      - audit
    # Optional. true or false or empty string(false)
    Syslog_in_json: false
    Auth_By_Platform: false
    single_cve_per_syslog: false
    syslog_cve_in_layers: false
    # Optional
    Webhooks:
      - name: myslack
        url: http...
        type: Slack
        enable: true
        use_proxy: false
      - name: mywebhook
        url: http...
        enable: true
        use_proxy: false
    # Optional. empty string
    Cluster_Name: cluster.local
    # Optional. choose multiple between cpath/mutex/conn/scan/cluster or empty string
    Controller_Debug:
      - cpath
    # Optional. true or false or empty string(true)
    Monitor_Service_Mesh: true
    # Optional. true or false or empty string(false)
    Registry_Http_Proxy_Status: false
    # Optional.  true or false or empty string(false)
    Registry_Https_Proxy_Status: false
    # Optional. http/https registry proxy or empty string
    Registry_Http_Proxy:
      URL: http...
      Username: username
      Password: password
    Registry_Https_Proxy:
      URL: https...
      Username: username
      Password: password
    Xff_Enabled: true
    Net_Service_Status: false
    Net_Service_Policy_Mode: Discover
    Disable_Net_Policy: false
    Scanner_Autoscale:
    # Optional. Choose between immediate or delayed or empty string
      Strategy:
      Min_Pods: 1
      Max_Pods: 3
    # Optional. true or false or empty string(false)
    No_Telemetry_Report: false
    # Optional. Mode Automation Discovery to Monitor. true or false or empty string(false)
    Mode_Auto_D2M: false
    # Optional. default value is 0. unit is seconds and range is between 3600 and 2592000 (1 hour to 30 days)
    Mode_Auto_D2M_Duration: 0
    # Optional. Mode Automation Monitor to Protect. true or false or empty string(false)
    Mode_Auto_M2P: false
    # Optional. default value is 0. unit is seconds and range is between 3600 and 2592000 (1 hour to 30 days)
    Mode_Auto_M2P_Duration: 0
    Scan_Config:
      # Optional. true or false or empty string(false)
      Auto_Scan: false
    # Optional. default value is 24. unit is hour and range is between 0 and 168
    Unused_Group_Aging: 24
  userinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    users:
    # add multiple users below
    -
    # this user will be added
    # Optional.
      EMail: user1@email.com
    # Mandatory. username can have ^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$
      Fullname: user1
    # Optional. en or zh_cn or empty string(en)
      Locale: en
    # Optional. password length minimal 6, don't lead with ]`}*|<>!%
      Password: password
    # Optional. admin or reader or empty string(none)
      Role: reader
    # Optional. admin group or reader group or empty string
      Role_Domains:
        admin:
          - admin1
          - admin2
        reader:
          - reader1
          - reader2
    # Optional. value between 30 -- 3600  default 300
      Timeout: 300
    -
    # this user will overwrite the original admin user
      Fullname: admin
      Password: password
      Role: admin
kind: ConfigMap
metadata:
  name: neuvector-init
  namespace: neuvector

Then create the ConfigMap object:

kubectl create -f initcfg.yaml
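Before applying the ConfigMap it is worth checking it against the constraints the commented sample states (Join_Token format, username pattern, password rules, numeric ranges, the server certificate that tcp+tls syslog needs) and making sure no credentials are left in the ConfigMap when they are meant to go into a Secret. The pre-flight checker below is an added example written for this page, not a tool shipped with SUSE Security or NeuVector; it assumes the data section of initcfg.yaml has already been loaded into Python dicts (for instance with PyYAML), and the sample input embedded in it is constructed for the demonstration and deliberately contains mistakes.

```python
"""Pre-flight checks for a SUSE Security / NeuVector init ConfigMap (added example).

Checks a parsed initcfg 'data' mapping against the constraints stated in the
commented sample and flags credentials that belong in a Secret, not a ConfigMap.
Assumes the YAML was already loaded into dicts, e.g. with PyYAML.
"""
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
NAME_RE = re.compile(r"^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$")
BAD_PASSWORD_LEAD = set("]`}*|<>!%")
POLICY_MODES = {"Discover", "Monitor", "Protect", ""}
# Keys that carry credentials; the page says such sections belong in a Secret.
SECRET_KEYS = {"bind_password", "Client_Secret", "Password", "license_key"}

def _in_range(value, lo, hi):
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi

def find_credentials(node, path=""):
    """Return dotted paths of non-empty credential keys anywhere in the section."""
    found = []
    if isinstance(node, dict):
        for key, val in node.items():
            sub = f"{path}.{key}" if path else str(key)
            if key in SECRET_KEYS and val not in (None, ""):
                found.append(sub)
            found += find_credentials(val, sub)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            found += find_credentials(val, f"{path}[{i}]")
    return found

def check_fed(cfg):
    errs = []
    if not UUID_RE.match(str(cfg.get("Join_Token", ""))):
        errs.append("Join_Token must be 32 hex digits grouped 8-4-4-4-12")
    rest = cfg.get("Primary_Rest_Info") or {}
    if not rest.get("Server") or not _in_range(rest.get("Port"), 1, 65535):
        errs.append("Primary_Rest_Info needs a Server and a valid Port")
    return errs

def check_users(cfg):
    errs = []
    for user in cfg.get("users") or []:
        name = str(user.get("Fullname", ""))
        if not NAME_RE.match(name):
            errs.append(f"username {name!r} must match ^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$")
        pw = user.get("Password")
        if pw is not None and (len(str(pw)) < 6 or str(pw)[0] in BAD_PASSWORD_LEAD):
            errs.append(f"password for {name!r}: at least 6 chars, must not start with ]`}}*|<>!%")
        if (user.get("Role") or "") not in {"admin", "reader", ""}:
            errs.append(f"Role for {name!r} must be admin, reader or empty")
    return errs

def check_sys(cfg):
    errs = []
    proto = cfg.get("Syslog_IP_Proto", 17)
    if proto not in (17, 6, 66, ""):
        errs.append("Syslog_IP_Proto must be 17 (udp), 6 (tcp) or 66 (tcp+tls)")
    if proto == 66 and not str(cfg.get("Syslog_Server_Cert") or "").strip():
        errs.append("Syslog_Server_Cert is required when Syslog_IP_Proto is 66")
    if (cfg.get("New_Service_Policy_Mode") or "") not in POLICY_MODES:
        errs.append("New_Service_Policy_Mode must be Discover, Monitor or Protect")
    if not _in_range(cfg.get("Unused_Group_Aging", 24), 0, 168):
        errs.append("Unused_Group_Aging must be between 0 and 168 hours")
    return errs

CHECKS = {"fedinitcfg.yaml": check_fed, "userinitcfg.yaml": check_users,
          "sysinitcfg.yaml": check_sys}

def validate(data, in_secret=()):
    """Validate the ConfigMap 'data' map. in_secret names the files delivered via a
    Secret; credentials found in any other file produce a warning.
    Returns (errors, warnings) as lists of strings."""
    errors, warnings = [], []
    for fname, cfg in data.items():
        cfg = cfg or {}
        errors += [f"{fname}: {m}" for m in CHECKS.get(fname, lambda c: [])(cfg)]
        if fname not in in_secret:
            warnings += [f"{fname}: {p} holds a credential; deliver this file via a Secret"
                         for p in find_credentials(cfg)]
    return errors, warnings

# Constructed sample (not a real cluster config); it deliberately contains mistakes.
SAMPLE_DATA = {
    "fedinitcfg.yaml": {"Cluster_Name": "primary.cluster.local",
                        "Join_Token": "2be93d8f-d42a-44fc-9d33-7c1a6153066b",
                        "Primary_Rest_Info": {"Server": "1.2.3.4", "Port": 11443}},
    "sysinitcfg.yaml": {"Syslog_ip": "1.2.3.4", "Syslog_IP_Proto": 66,  # tcp+tls ...
                        "Syslog_Server_Cert": "",                       # ... but no cert
                        "Unused_Group_Aging": 200},                     # outside 0..168
    "userinitcfg.yaml": {"users": [
        {"Fullname": "user1", "Password": "]secret1", "Role": "reader"},
        {"Fullname": "admin", "Password": "password", "Role": "admin"}]},
}

if __name__ == "__main__":
    for kind, lines in zip(("ERROR  ", "WARNING"), validate(SAMPLE_DATA)):
        print("\n".join(f"{kind} {line}" for line in lines))
```

Run it as a script to see the findings for the constructed sample, or call validate() on your own file: each value under data in initcfg.yaml is itself a YAML document (the '|' block strings), so parse the outer manifest first and then each file's string value. The checks cover only the constraints this page states, so a clean run does not replace the controller's own validation.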

Federation ConfigMap examples (fedinitcfg.yaml)

NeuVector v5.4.0 supports automating federation through the ConfigMap. Below are sample fedinitcfg.yaml configurations that can be applied to your primary and managed clusters, depending on the use case.

Sample fedinitcfg.yaml for the primary cluster:

# Optional. If specified, it overwrites the cluster name specified in system configuration
Cluster_Name: cluster-primary-43
# Required and must be the same on primary cluster and managed clusters
# It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
# Required: REST server/port of the neuvector-svc-controller-fed-master service
Primary_Rest_Info:
    Server: 10.1.10.43
    Port: 30020
# Optional. Supported value: https
Use_Proxy: ""
# Optional. Whether federal repo scan data deployment is enabled (for primary cluster only)
Deploy_Repo_Scan_Data: false

Sample fedinitcfg.yaml for a managed cluster:

# Optional. If specified, it overwrites the cluster name specified in system configuration
Cluster_Name: cluster-managed-42
# Required and must be the same on primary cluster and managed clusters
# It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
# Required: REST server/port of the neuvector-svc-controller-fed-master service
Primary_Rest_Info:
    Server: 10.1.10.43
    Port: 30020
# Optional, for managed cluster only. REST server/port of the neuvector-svc-controller-api service
Managed_Rest_Info:
    Server: 10.1.10.42
    Port: 30010
# Optional. Supported value: https
Use_Proxy: ""

Protect sensitive data with a Secret

If some sections of the ConfigMap contain sensitive data (for example LDAP bind passwords, OIDC client secrets, registry proxy credentials or user passwords), a Secret can be created for those sections. Bear in mind that a Kubernetes Secret is only base64-encoded and is not encrypted at rest unless encryption at rest is configured for the API server; its value here is that access to the credential-bearing sections can be restricted through RBAC independently of the non-sensitive configuration.

For example, create the ConfigMap for the non-sensitive sections, such as passwordProfile and role:

kubectl create configmap neuvector-init --from-file=$HOME/init/passwordprofileinitcfg.yaml --from-file=$HOME/init/roleinitcfg.yaml -n neuvector

Then create a Secret for the sections that contain sensitive data, for example:

kubectl create secret generic neuvector-init --from-file=$HOME/init/eulainitcfg.yaml --from-file=$HOME/init/ldapinitcfg.yaml --from-file=$HOME/init/oidcinitcfg.yaml --from-file=$HOME/init/samlinitcfg.yaml --from-file=$HOME/init/sysinitcfg.yaml --from-file=$HOME/init/userinitcfg.yaml -n neuvector

When the sections are supplied through a values file in the form shown below, each file's contents are written as nested YAML rather than as a block string: remove the pipe character '|' after each file name, set enabled to true, and uncomment the sections that should be placed in the Secret.

secret:
    # NOTE: files defined here have preference over the ones defined in the configmap section
    enabled: true
    data:
      eulainitcfg.yaml:
        license_key: 0Bca63Iy2FiXGqjk...
      #   ...
      # ldapinitcfg.yaml:
      #   directory: OpenLDAP
      #   ...
      # oidcinitcfg.yaml:
      #   Issuer: https://...
      #   ...
      # samlinitcfg.yaml:
      #   ...
      # sysinitcfg.yaml:
      #   ...
      # userinitcfg.yaml:
      #   ...

Once the controller has been deployed, all configuration files from both the ConfigMap and the Secret are stored in the /etc/config directory.

Note that the Secret is referenced under volumes in the standard Kubernetes and OpenShift controller deployment YAML files.

ConfigMaps and persistent storage

Both the ConfigMaps and the persistent-storage backup are read only when a new SUSE® Security cluster is deployed or when the cluster fails and is restarted. They are not used during rolling upgrades.

The configuration backup from persistent storage is read first, then the ConfigMaps are applied, so the ConfigMap settings take precedence. Any settings from the ConfigMap (e.g. updates) are also saved to persistent storage.