Deploying with ConfigMap
Kubernetes ConfigMap
SUSE® Security supports automated configuration through the Kubernetes ConfigMap feature. This allows SUSE® Security containers to be deployed automatically with the appropriate configuration, integrations, and other settings already in place.
The setting 'always_reload: true' can be added to any ConfigMap yaml to force the controller to reload that yaml every time it starts (version 4.3.2 and later). Otherwise, the ConfigMap is only read at initial startup or after a complete cluster restart (see the persistent storage section below).
Complete sample SUSE® Security ConfigMap (initcfg.yaml)
The latest ConfigMap can be found in the initcfg.yaml below.
The sample is also shown here. It contains all available settings: delete the sections you do not need and edit the ones you do.
Note: if you use the ConfigMap inside a Secret, see the format change described in the section below.
```yaml
apiVersion: v1
data:
  fedinitcfg.yaml: |
    # Keep only one of the two sections below (primary or remote) in a real deployment
    # ============ this section is used for primary cluster ============ >>>
    # Optional. If specified, it overwrites the cluster name specified in the system configuration in the sysinitcfg.yaml file
    Cluster_Name: primary.cluster.local
    # Required and must be the same on primary cluster and remote clusters
    # It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
    Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
    # Required: REST server/port of the neuvector-svc-controller-fed-master service
    Primary_Rest_Info:
      Server: 1.2.3.4
      Port: 11443
    # Optional. Supported value: https
    Use_Proxy: ""
    # Optional. Whether federal repo scan data deployment is enabled (for primary cluster only)
    Deploy_Repo_Scan_Data: false
    # <<< ============ this section is used for primary cluster ============
    # ============ this section is used for remote cluster ============ >>>
    # Optional. If specified, it overwrites the cluster name specified in the system configuration in the sysinitcfg.yaml file
    Cluster_Name: remote.cluster.local
    # Required and must be the same on primary cluster and remote clusters
    # It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
    # The Join_Token specified in the remote cluster's fedinitcfg.yaml needs to be the same as the Join_Token specified in the primary cluster's fedinitcfg.yaml otherwise the auto-joining request will be declined by the primary cluster
    Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
    # Required: REST server/port of the neuvector-svc-controller-fed-master service
    Primary_Rest_Info:
      Server: 1.2.3.4
      Port: 11443
    # Optional, for remote cluster only. REST server/port of the neuvector-svc-controller-fed-managed service
    Managed_Rest_Info:
      Server: 4.3.2.1
      Port: 10443
    # Optional. Supported value: https
    Use_Proxy: ""
    # <<< ============ this section is used for remote cluster ============
  passwordprofileinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    active_profile_name: default
    pwd_profiles:
    # only default profile is supported.
    - name: default
      comment: default from configMap
      min_len: 6
      min_uppercase_count: 0
      min_lowercase_count: 0
      min_digit_count: 0
      min_special_count: 0
      enable_block_after_failed_login: false
      block_after_failed_login_count: 0
      block_minutes: 0
      enable_password_expiration: false
      password_expire_after_days: 0
      enable_password_history: false
      password_keep_history_count: 0
      # Optional. value between 30 -- 3600 default 300
      session_timeout: 300
  roleinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    roles:
    # Optional.
    - Comment: test role
      # Mandatory. name can have ^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$
      Name: testrole
      # Mandatory
      Permissions:
      - id: config
        read: true
        write: true
      - id: rt_scan
        read: true
        write: true
      - id: reg_scan
        read: true
        write: true
      - id: ci_scan
        write: true
      - id: rt_policy
        read: true
        write: true
      - id: admctrl
        read: true
        write: true
      - id: compliance
        read: true
        write: true
      - id: audit_events
        read: true
      - id: security_events
        read: true
      - id: events
        read: true
      - id: authentication
        read: true
        write: true
      - id: authorization
        read: true
        write: true
  ldapinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    # Mandatory. OpenLDAP or MicrosoftAD
    directory: OpenLDAP
    # Mandatory.
    Hostname: 1.2.3.4
    # Optional. the default value is 389
    Port: 389
    # Optional true or false or empty string(false)
    SSL: false
    # Mandatory.
    base_dn: cn=admin,dc=example,dc=org
    # Optional.
    bind_dn: dc=example,dc=org
    # Optional.
    bind_password: password
    # Optional. empty string(memberUid for openldap or member for windows ad)
    group_member_attr:
    # Optional. empty string(cn for openldap or sAMAccountName for windows ad)
    username_attr:
    # Optional. true or false or empty string(false)
    Enable: false
    # Optional. admin or reader or empty string(none)
    Default_Role: admin
    group_mapped_roles:
    - group: admin1
      global_role: admin
    - group: reader1
      global_role: reader
    - group: ciops1
      global_role: ciops
    - group: admin2
      global_role: admin
    - group: reader2
      global_role: reader
    - group: ciops2
      global_role: ciops
    - group: ns
      global_role:
      role_domains:
        testrole:
        - ns2-ciops1
        - ns2-ciops2
        reader:
        - ns2-reader1
        - ns2-reader2
        admin:
        - ns2-admin1
        - ns2-admin2
    - group: custom
      global_role: testrole
      role_domains:
        ciops:
        - custom-ciops1
        - custom-ciops2
        reader:
        - custom-reader1
        - custom-reader2
        admin:
        - custom-admin1
        - custom-admin2
  oidcinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    # Mandatory
    Issuer: https://...
    # Mandatory
    Client_ID: f53c56ec...
    # Mandatory
    Client_Secret: AyAixE3...
    # Optional. empty or string(group filter info)
    Group_Claim:
    # Optional. empty string(openid,profile,email)
    Scopes:
    - openid
    - profile
    - email
    # Optional. true or false or empty string(false)
    Enable: false
    # Optional. admin or reader or empty string(none)
    Default_Role: admin
    group_mapped_roles:
    - group: admin1
      global_role: admin
    - group: reader1
      global_role: reader
    - group: ciops1
      global_role: ciops
    - group: admin2
      global_role: admin
    - group: reader2
      global_role: reader
    - group: ciops2
      global_role: ciops
    - group: ns
      global_role:
      role_domains:
        testrole:
        - ns2-ciops1
        - ns2-ciops2
        reader:
        - ns2-reader1
        - ns2-reader2
        admin:
        - ns2-admin1
        - ns2-admin2
    - group: custom
      global_role: testrole
      role_domains:
        ciops:
        - custom-ciops1
        - custom-ciops2
        reader:
        - custom-reader1
        - custom-reader2
        admin:
        - custom-admin1
        - custom-admin2
    group_claim: groups
  samlinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    # Mandatory
    SSO_URL: https://...
    # Mandatory
    Issuer: https://...
    # Mandatory
    X509_Cert: |
      -----BEGIN CERTIFICATE-----
      MIIC8DCCAdigAwIBAgIQSMNDFv5HI7RPgF0uHW8YJDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
      ...
      -----END CERTIFICATE-----
    x509_cert_extra:
    - |
      -----BEGIN CERTIFICATE-----
      MIIC8DCCAdigAwIBAgIQSMNDFv5HI7RPgF0uHW8YJDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
      ...
      -----END CERTIFICATE-----
    # Optional. empty or string(group filter info)
    Group_Claim:
    # Optional. true or false or empty string(false)
    Enable: false
    # Optional. admin or reader or empty string(none)
    Default_Role: admin
    group_mapped_roles:
    - group: admin1
      global_role: admin
    - group: reader1
      global_role: reader
    - group: ciops1
      global_role: ciops
    - group: admin2
      global_role: admin
    - group: reader2
      global_role: reader
    - group: ciops2
      global_role: ciops
    - group: ns
      global_role:
      role_domains:
        testrole:
        - ns2-ciops1
        - ns2-ciops2
        reader:
        - ns2-reader1
        - ns2-reader2
        admin:
        - ns2-admin1
        - ns2-admin2
    - group: custom
      global_role: testrole
      role_domains:
        ciops:
        - custom-ciops1
        - custom-ciops2
        reader:
        - custom-reader1
        - custom-reader2
        admin:
        - custom-admin1
        - custom-admin2
    group_claim: groups
  sysinitcfg.yaml: |
    # Optional. By default, this parameter is set to false. You can set it to true if you want to allow namespace user with runtime-policy(r) permission to export network policy of the groups
    Allow_Ns_User_Export_Net_Policy: false
    # Optional. true or false or empty string(false)
    always_reload: false
    # Optional. Choose between Discover or Monitor or Protect or empty string(Discover)
    New_Service_Policy_Mode: Discover
    # Optional. zero-drift or basic or empty string(zero-drift)
    New_Service_Profile_Baseline: zero-drift
    # Optional. input valid ipv4 address or empty string
    Syslog_ip: 1.2.3.4
    # Optional. input 17, 6 or 66 here for udp, tcp, tcp+tls or empty string(17)
    Syslog_IP_Proto: 17
    # Optional. it is required when Syslog_IP_Proto is 66 only
    Syslog_Server_Cert: |
      -----BEGIN CERTIFICATE-----
      MIIC8DCCAdigAwIBAgIQSMNDFv5HI7RPgF0uHW8YJDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
      ...
      -----END CERTIFICATE-----
    # Optional. empty string(514)
    Syslog_Port: 514
    # Optional. choose between Alert/Critical/Error/Warning/Notice/Info/Debug or empty string(Info)
    Syslog_Level: Info
    # Optional. true or false or empty string(false)
    Syslog_status: false
    Syslog_Categories:
    # Optional. can choose multiple between event/security-event/audit or empty string
    - event
    - security-event
    - audit
    # Optional. true or false or empty string(false)
    Syslog_in_json: false
    Auth_By_Platform: false
    single_cve_per_syslog: false
    syslog_cve_in_layers: false
    # Optional
    Webhooks:
    - name: myslack
      url: http...
      type: Slack
      enable: true
      use_proxy: false
    - name: mywebhook
      url: http...
      enable: true
      use_proxy: false
    # Optional. empty string
    Cluster_Name: cluster.local
    # Optional. choose multiple between cpath/mutex/conn/scan/cluster or empty string
    Controller_Debug:
    - cpath
    # Optional. true or false or empty string(true)
    Monitor_Service_Mesh: true
    # Optional. true or false or empty string(false)
    Registry_Http_Proxy_Status: false
    # Optional. true or false or empty string(false)
    Registry_Https_Proxy_Status: false
    # Optional. http/https registry proxy or empty string
    Registry_Http_Proxy:
      URL: http...
      Username: username
      Password: password
    Registry_Https_Proxy:
      URL: https...
      Username: username
      Password: password
    Xff_Enabled: true
    Net_Service_Status: false
    Net_Service_Policy_Mode: Discover
    Disable_Net_Policy: false
    Scanner_Autoscale:
      # Optional. Choose between immediate or delayed or empty string
      Strategy:
      Min_Pods: 1
      Max_Pods: 3
    # Optional. true or false or empty string(false)
    No_Telemetry_Report: false
    # Optional. Mode Automation Discovery to Monitor. true or false or empty string(false)
    Mode_Auto_D2M: false
    # Optional. default value is 0. unit is seconds and range is between 3600 and 2592000 (1 hour to 30 days)
    Mode_Auto_D2M_Duration: 0
    # Optional. Mode Automation Monitor to Protect. true or false or empty string(false)
    Mode_Auto_M2P: false
    # Optional. default value is 0. unit is seconds and range is between 3600 and 2592000 (1 hour to 30 days)
    Mode_Auto_M2P_Duration: 0
    Scan_Config:
      # Optional. true or false or empty string(false)
      Auto_Scan: false
    # Optional. default value is 24. unit is hour and range is between 0 and 168
    Unused_Group_Aging: 24
  userinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    users:
    # add multiple users below
    -
      # this user will be added
      # Optional.
      EMail: user1@email.com
      # Mandatory. username can have ^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$
      Fullname: user1
      # Optional. en or zh_cn or empty string(en)
      Locale: en
      # Optional. password length minimal 6, don't lead with ]`}*|<>!%
      Password: password
      # Optional. admin or reader or empty string(none)
      Role: reader
      # Optional. admin group or reader group or empty string
      Role_Domains:
        admin:
        - admin1
        - admin2
        reader:
        - reader1
        - reader2
      # Optional. value between 30 -- 3600 default 300
      Timeout: 300
    -
      # this user will overwrite the original admin user
      Fullname: admin
      Password: password
      Role: admin
kind: ConfigMap
metadata:
  name: neuvector-init
  namespace: neuvector
```
Then create the ConfigMap object:
```shell
kubectl create -f initcfg.yaml
```
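The userinitcfg.yaml section of the ConfigMap above states several constraints on each user entry: the Fullname pattern, a minimum password length of 6 with a set of forbidden leading characters, the allowed Role and Locale values, and the Timeout range. It is worth checking the file against those rules before the ConfigMap is created, since a bad entry only surfaces once the controller loads it. The check below is an added example written for this page, not code from the SUSE Security/NeuVector project; it assumes the users: list has already been loaded into Python structures (for example with yaml.safe_load), and the SAMPLE_USERS entries are constructed to mirror the two users in the ConfigMap above.

```python
import re

# Constraints quoted from the comments in the userinitcfg.yaml section of the ConfigMap.
USERNAME_RE = re.compile(r"^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$")
PASSWORD_MIN_LEN = 6
PASSWORD_BAD_LEAD = set("]`}*|<>!%")
ALLOWED_ROLES = {"admin", "reader", ""}   # empty string means "none"
ALLOWED_LOCALES = {"en", "zh_cn", ""}     # empty string means "en"
TIMEOUT_MIN, TIMEOUT_MAX = 30, 3600


def validate_user(user: dict) -> list:
    """Return the problems found in one entry of the users: list (empty when the entry is valid)."""
    problems = []
    name = user.get("Fullname")
    if not isinstance(name, str) or not USERNAME_RE.match(name):
        problems.append(f"Fullname {name!r} is missing or does not match {USERNAME_RE.pattern}")
    pwd = user.get("Password")
    if pwd is not None:
        pwd = str(pwd)
        if len(pwd) < PASSWORD_MIN_LEN:
            problems.append(f"Password shorter than {PASSWORD_MIN_LEN} characters")
        if pwd[:1] in PASSWORD_BAD_LEAD:   # pwd[:1] is '' for an empty password, which is never in the set
            problems.append("Password must not start with one of " + "".join(sorted(PASSWORD_BAD_LEAD)))
    role = user.get("Role") or ""          # a bare 'Role:' loads as None and means "none"
    if role not in ALLOWED_ROLES:
        problems.append(f"Role {role!r} is not admin, reader or empty")
    locale = user.get("Locale") or ""
    if locale not in ALLOWED_LOCALES:
        problems.append(f"Locale {locale!r} is not en, zh_cn or empty")
    timeout = user.get("Timeout")
    if timeout is not None and not (isinstance(timeout, int) and TIMEOUT_MIN <= timeout <= TIMEOUT_MAX):
        problems.append(f"Timeout {timeout!r} is not an integer between {TIMEOUT_MIN} and {TIMEOUT_MAX}")
    domains = user.get("Role_Domains") or {}
    if not isinstance(domains, dict):
        problems.append("Role_Domains must map a role name to a list of namespaces")
    else:
        for drole, namespaces in domains.items():
            if not isinstance(namespaces, list) or not all(isinstance(ns, str) and ns for ns in namespaces):
                problems.append(f"Role_Domains.{drole} must be a list of namespace names")
    return problems


def validate_users(users: list) -> dict:
    """Validate every entry and flag duplicate Fullname values; keys are 'users[i]' for entries with problems."""
    report, seen = {}, {}
    for i, user in enumerate(users):
        problems = validate_user(user)
        name = user.get("Fullname")
        if name in seen:
            problems.append(f"Fullname {name!r} already used by users[{seen[name]}]")
        else:
            seen[name] = i
        if problems:
            report[f"users[{i}]"] = problems
    return report


# Constructed sample: the two entries of the page's userinitcfg.yaml as a YAML loader would return them.
SAMPLE_USERS = [
    {"EMail": "user1@email.com", "Fullname": "user1", "Locale": "en", "Password": "password",
     "Role": "reader", "Role_Domains": {"admin": ["admin1", "admin2"], "reader": ["reader1", "reader2"]},
     "Timeout": 300},
    {"Fullname": "admin", "Password": "password", "Role": "admin"},
]

if __name__ == "__main__":
    report = validate_users(SAMPLE_USERS)
    for entry, problems in report.items():
        print(entry, *problems, sep="\n  ")
    print("userinitcfg.yaml users: OK" if not report else f"{len(report)} entries need attention")
```

Run it against the users: list of your own file before kubectl create; every problem is reported with the entry index so it can be matched back to the ConfigMap.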
Federation ConfigMap example (fedinitcfg.yaml)
NeuVector v5.4.0 supports federation automation through the ConfigMap. Below are example `fedinitcfg.yaml` configurations that can be applied to the primary and managed clusters depending on the use case.
Example `fedinitcfg.yaml` for the primary cluster:
```yaml
# Optional. If specified, it overwrites the cluster name specified in system configuration
Cluster_Name: cluster-primary-43
# Required and must be the same on primary cluster and managed clusters
# It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
# Required: REST server/port of the neuvector-svc-controller-fed-master service
Primary_Rest_Info:
  Server: 10.1.10.43
  Port: 30020
# Optional. Supported value: https
Use_Proxy: ""
# Optional. Whether federal repo scan data deployment is enabled (for primary cluster only)
Deploy_Repo_Scan_Data: false
```
Example `fedinitcfg.yaml` for the managed cluster:
```yaml
# Optional. If specified, it overwrites the cluster name specified in system configuration
Cluster_Name: cluster-managed-42
# Required and must be the same on primary cluster and managed clusters
# It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
# Required: REST server/port of the neuvector-svc-controller-fed-master service
Primary_Rest_Info:
  Server: 10.1.10.43
  Port: 30020
# Optional, for managed cluster only. REST server/port of the neuvector-svc-controller-api service
Managed_Rest_Info:
  Server: 10.1.10.42
  Port: 30010
# Optional. Supported value: https
Use_Proxy: ""
```
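The primary cluster declines the auto-join request unless both files carry the same Join_Token, and the comments above fix that token's format (36 characters, 32 hex digits grouped 8-4-4-4-12) and say which keys belong to which cluster. Checking the two fedinitcfg.yaml files together before applying them catches a token that was copied incorrectly. The check below is an added example written for this page, not code from the NeuVector/SUSE Security project; it assumes each file has been loaded into a dict (for example with yaml.safe_load), and the PRIMARY and MANAGED samples are constructed to mirror the two examples above.

```python
import re

# Join_Token format stated in the fedinitcfg.yaml comments: 36 characters, 32 hex digits grouped 8-4-4-4-12.
JOIN_TOKEN_RE = re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")
ALLOWED_USE_PROXY = {"", "https"}   # "Supported value: https"; empty string means no proxy


def check_join_token(token) -> list:
    """Problems with one cluster's Join_Token value (length and hex grouping are reported separately)."""
    token = "" if token is None else str(token)
    problems = []
    if len(token) != 36:
        problems.append(f"Join_Token must be 36 characters long, got {len(token)}")
    if not JOIN_TOKEN_RE.match(token):
        problems.append("Join_Token is not 32 hex characters grouped as 8-4-4-4-12")
    return problems


def check_rest_info(info, label: str) -> list:
    """A Server/Port pair such as Primary_Rest_Info or Managed_Rest_Info."""
    if not isinstance(info, dict):
        return [f"{label} must contain Server and Port"]
    problems = []
    if not isinstance(info.get("Server"), str) or not info["Server"]:
        problems.append(f"{label}.Server must be a non-empty host name or IP address")
    port = info.get("Port")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append(f"{label}.Port must be an integer between 1 and 65535")
    return problems


def check_cluster(cfg: dict, role: str) -> list:
    """Checks for a single fedinitcfg.yaml; role is 'primary' or 'managed'."""
    problems = [f"{role}: {p}" for p in check_join_token(cfg.get("Join_Token"))]
    problems += [f"{role}: {p}" for p in check_rest_info(cfg.get("Primary_Rest_Info"), "Primary_Rest_Info")]
    if (cfg.get("Use_Proxy") or "") not in ALLOWED_USE_PROXY:
        problems.append(f"{role}: Use_Proxy must be empty or https")
    if role == "primary" and "Managed_Rest_Info" in cfg:
        problems.append("primary: Managed_Rest_Info is for managed clusters only")
    if role == "managed":
        if "Deploy_Repo_Scan_Data" in cfg:
            problems.append("managed: Deploy_Repo_Scan_Data applies to the primary cluster only")
        if "Managed_Rest_Info" in cfg:
            problems += [f"managed: {p}" for p in check_rest_info(cfg["Managed_Rest_Info"], "Managed_Rest_Info")]
    return problems


def check_federation(primary: dict, managed: dict) -> list:
    """Cross-check both files: the join is declined unless they carry the same Join_Token."""
    problems = check_cluster(primary, "primary") + check_cluster(managed, "managed")
    if primary.get("Join_Token") != managed.get("Join_Token"):
        problems.append("Join_Token differs between primary and managed fedinitcfg.yaml; "
                        "the primary will decline the auto-join request")
    return problems


# Constructed samples mirroring the two fedinitcfg.yaml examples above, as a YAML loader would return them.
PRIMARY = {"Cluster_Name": "cluster-primary-43", "Join_Token": "2be93d8f-d42a-44fc-9d33-7c1a6153066b",
           "Primary_Rest_Info": {"Server": "10.1.10.43", "Port": 30020},
           "Use_Proxy": "", "Deploy_Repo_Scan_Data": False}
MANAGED = {"Cluster_Name": "cluster-managed-42", "Join_Token": "2be93d8f-d42a-44fc-9d33-7c1a6153066b",
           "Primary_Rest_Info": {"Server": "10.1.10.43", "Port": 30020},
           "Managed_Rest_Info": {"Server": "10.1.10.42", "Port": 30010}, "Use_Proxy": ""}

if __name__ == "__main__":
    found = check_federation(PRIMARY, MANAGED)
    print("\n".join(found) if found else "fedinitcfg.yaml pair: OK")
```

The token check deliberately reports length and format as two separate findings, so a token that was truncated while copying is distinguishable from one that was retyped with a non-hex character.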
Protecting sensitive data with Secrets
If part of the ConfigMap contains sensitive data, you can create a Secret for that section.
For example, create the ConfigMap for the non-sensitive sections such as passwordProfile and role:
```shell
kubectl create configmap neuvector-init --from-file=$HOME/init/passwordprofileinitcfg.yaml --from-file=$HOME/init/roleinitcfg.yaml -n neuvector
```
Then create the Secret for the sections that contain sensitive data:
```shell
kubectl create secret generic neuvector-init --from-file=$HOME/init/eulainitcfg.yaml --from-file=$HOME/init/ldapinitcfg.yaml --from-file=$HOME/init/oidcinitcfg.yaml --from-file=$HOME/init/samlinitcfg.yaml --from-file=$HOME/init/sysinitcfg.yaml --from-file=$HOME/init/userinitcfg.yaml -n neuvector
```
Note: remove the pipe '|' character from each section, as shown below.
When using ConfigMap sections in a Secret, take care to remove the pipe character. Set enabled to true and uncomment the sections you want to include in the Secret.
```yaml
secret:
  # NOTE: files defined here have preference over the ones defined in the configmap section
  enabled: true
  data:
    eulainitcfg.yaml:
      license_key: 0Bca63Iy2FiXGqjk...
      # ...
    # ldapinitcfg.yaml:
    #   directory: OpenLDAP
    #   ...
    # oidcinitcfg.yaml:
    #   Issuer: https://...
    #   ...
    # samlinitcfg.yaml:
    #   ...
    # sysinitcfg.yaml:
    #   ...
    # userinitcfg.yaml:
    #   ...
```
After the controller is deployed, all configuration files from both the ConfigMap and the Secret are stored in the /etc/config folder.
Note that the Secret is referenced under volumes in the standard Kubernetes and OpenShift controller deployment yaml files.
ConfigMaps and persistent storage
The ConfigMap and the persistent storage backup are only read when a new SUSE® Security cluster is deployed, or when the cluster fails and is restarted. They are not used during a rolling upgrade.
The configuration backup in persistent storage is read first and the ConfigMap is applied afterwards, so the ConfigMap settings take precedence. Every ConfigMap setting (for example an update) is also saved to persistent storage.