RedHat OpenShift
Deploy Separate SUSE® Security Components with RedHat OpenShift
SUSE® Security is compatible with the standard ovs SDN plug-in as well as others such as flannel, weave, or calico. The examples below assume the standard ovs plug-in is used. They also assume a local docker registry will be used (see the notes at the end for creating a secret that pulls dynamically from neuvector or Docker Hub).
SUSE® Security supports Helm-based deployment with the Helm chart at https://github.com/neuvector/neuvector-helm. The SUSE® Security operator, which is based on the Helm chart, can also be used for deployment. To deploy the latest SUSE® Security container versions using the operator, use the Red Hat certified operator or the community operator from the Operator Hub; see the Operators section for details.
To deploy manually, first pull the appropriate SUSE® Security containers from the SUSE® Security registry into your local registry. Note: the scanner image should be pulled regularly to pick up CVE database updates from SUSE® Security.
SUSE® Security Images on Docker Hub
The images are on the SUSE® Security Docker Hub registry. Use the appropriate version tag for the manager, controller, and enforcer, and leave the version for the scanner and updater as 'latest'. For example:
- neuvector/manager:5.4.3
- neuvector/controller:5.4.3
- neuvector/enforcer:5.4.3
- neuvector/scanner:latest
- neuvector/updater:latest
Make sure to update the image references in the appropriate yaml files.
If using the current SUSE® Security Helm chart (v1.8.9+), the following changes should be made to values.yml:
- Update the registry to docker.io
- Update the image names/tags to the current version on Docker Hub, as shown above
- Leave imagePullSecrets empty
Deploy on OpenShift
docker login docker.io
docker pull docker.io/neuvector/manager:<version>
docker pull docker.io/neuvector/controller:<version>
docker pull docker.io/neuvector/enforcer:<version>
docker pull docker.io/neuvector/scanner
docker pull docker.io/neuvector/updater
docker logout docker.io
The sample file below will deploy one manager, three controllers, and two scanner pods. It will deploy an enforcer on every node as a daemon set, including the master node if it is schedulable. See the bottom section for how to use node labels to specify dedicated manager or controller nodes. Note: deploying (scaling) multiple managers behind a load balancer is not recommended, because session state issues can occur. If you plan to use a PersistentVolume claim to store backups of the SUSE® Security configuration files, see the general Backups/Persistent Data section in the Production Deployment overview.
Next, set up routes and allow privileged SUSE® Security containers by following the instructions below. By default, OpenShift does not allow privileged containers. Also, by default OpenShift does not schedule pods on the master node. See the notes at the end to enable/disable this.
Note: for details on integrating with OpenShift Role-Based Access Control (RBAC), see the Enterprise Integration section.
1. Log in as a regular user.
oc login -u <user_name>
2. Create a new project.
If the --node-selector argument is used when creating the project, this restricts pod placement, for example restricting SUSE® Security enforcers to specific nodes.
oc new-project neuvector
3. Push the SUSE® Security images to the OpenShift docker registry.
For OpenShift 4.6 and later, change docker-registry.default.svc to image-registry.openshift-image-registry.svc in the commands below.
docker login -u <user_name> -p `oc whoami -t` docker-registry.default.svc:5000
docker tag docker.io/neuvector/enforcer:<version> docker-registry.default.svc:5000/neuvector/enforcer:<version>
docker tag docker.io/neuvector/controller:<version> docker-registry.default.svc:5000/neuvector/controller:<version>
docker tag docker.io/neuvector/manager:<version> docker-registry.default.svc:5000/neuvector/manager:<version>
docker tag docker.io/neuvector/scanner docker-registry.default.svc:5000/neuvector/scanner
docker tag docker.io/neuvector/updater docker-registry.default.svc:5000/neuvector/updater
docker push docker-registry.default.svc:5000/neuvector/enforcer:<version>
docker push docker-registry.default.svc:5000/neuvector/controller:<version>
docker push docker-registry.default.svc:5000/neuvector/manager:<version>
docker push docker-registry.default.svc:5000/neuvector/scanner
docker push docker-registry.default.svc:5000/neuvector/updater
docker logout docker-registry.default.svc:5000
For recommendations on keeping the scanner image in your registry up to date, see the Updating the CVE Database section below.
4. Log in as the system:admin account.
oc login -u system:admin
5. Create the service accounts and grant access to the privileged SCC.
oc create sa controller -n neuvector
oc create sa enforcer -n neuvector
oc create sa basic -n neuvector
oc create sa updater -n neuvector
oc create sa scanner -n neuvector
oc create sa registry-adapter -n neuvector
oc create sa cert-upgrader -n neuvector
oc -n neuvector adm policy add-scc-to-user privileged -z enforcer
The following information will be added to the privileged SCC users:
- system:serviceaccount:neuvector:enforcer
Add a new neuvector-scc-controller SCC for the controller service account in OpenShift by creating a file:
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: neuvector-scc-controller
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- azureFile
- projected
- secret
Then apply it.
oc apply -f (filename)
Then run the following command to bind the controller service account to the neuvector-scc-controller SCC.
oc -n neuvector adm policy add-scc-to-user neuvector-scc-controller -z controller
In OpenShift 4.6+, check with the following command:
oc get rolebinding system:openshift:scc:privileged -n neuvector -o wide
NAME                              ROLE                                          AGE     USERS   GROUPS   SERVICEACCOUNTS
system:openshift:scc:privileged   ClusterRole/system:openshift:scc:privileged   9m22s                    neuvector/enforcer
Run this command to check the SUSE® Security service for the Controller:
oc get rolebinding system:openshift:scc:neuvector-scc-controller -n neuvector -o wide
The output will look like this:
NAME                                            ROLE                                                        AGE     USERS   GROUPS   SERVICEACCOUNTS
system:openshift:scc:neuvector-scc-controller   ClusterRole/system:openshift:scc:neuvector-scc-controller   9m22s                    neuvector/controller
6. Create the custom resources (CRD) for SUSE® Security security rules. For OpenShift 4.6+ (Kubernetes 1.19+):
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/waf-crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/dlp-crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/com-crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/vul-crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/admission-crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/5.4.3_group-definition-k8s.yaml
7. Add read permission to access the Kubernetes API and OpenShift RBAC.
The standard SUSE® Security 5.2+ deployment uses a least-privileged service account instead of the default service account. If upgrading from a version earlier than 5.2 to 5.2+, see below.
If you are upgrading to 5.3.0+, run the following commands according to your current version:
- Version 5.2.0
- Version earlier than 5.2.0
oc delete clusterrole neuvector-binding-nvsecurityrules neuvector-binding-nvadmissioncontrolsecurityrules neuvector-binding-nvdlpsecurityrules neuvector-binding-nvwafsecurityrules
oc delete clusterrolebinding neuvector-binding-app neuvector-binding-rbac neuvector-binding-admission neuvector-binding-customresourcedefinition neuvector-binding-nvsecurityrules neuvector-binding-view neuvector-binding-nvwafsecurityrules neuvector-binding-nvadmissioncontrolsecurityrules neuvector-binding-nvdlpsecurityrules neuvector-binding-co
oc delete rolebinding neuvector-admin -n neuvector

oc create clusterrole neuvector-binding-app --verb=get,list,watch,update --resource=nodes,pods,services,namespaces
oc create clusterrole neuvector-binding-rbac --verb=get,list,watch --resource=rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,imagestreams.image.openshift.io
oc adm policy add-cluster-role-to-user neuvector-binding-app system:serviceaccount:neuvector:controller
oc adm policy add-cluster-role-to-user neuvector-binding-rbac system:serviceaccount:neuvector:controller
oc create clusterrole neuvector-binding-admission --verb=get,list,watch,create,update,delete --resource=validatingwebhookconfigurations,mutatingwebhookconfigurations
oc adm policy add-cluster-role-to-user neuvector-binding-admission system:serviceaccount:neuvector:controller
oc create clusterrole neuvector-binding-customresourcedefinition --verb=watch,create,get,update --resource=customresourcedefinitions
oc adm policy add-cluster-role-to-user neuvector-binding-customresourcedefinition system:serviceaccount:neuvector:controller
oc create clusterrole neuvector-binding-nvsecurityrules --verb=get,list,delete --resource=nvsecurityrules,nvclustersecurityrules
oc create clusterrole neuvector-binding-nvadmissioncontrolsecurityrules --verb=get,list,delete --resource=nvadmissioncontrolsecurityrules
oc create clusterrole neuvector-binding-nvdlpsecurityrules --verb=get,list,delete --resource=nvdlpsecurityrules
oc create clusterrole neuvector-binding-nvwafsecurityrules --verb=get,list,delete --resource=nvwafsecurityrules
oc adm policy add-cluster-role-to-user neuvector-binding-nvsecurityrules system:serviceaccount:neuvector:controller
oc adm policy add-cluster-role-to-user view system:serviceaccount:neuvector:controller --rolebinding-name=neuvector-binding-view
oc adm policy add-cluster-role-to-user neuvector-binding-nvwafsecurityrules system:serviceaccount:neuvector:controller
oc adm policy add-cluster-role-to-user neuvector-binding-nvadmissioncontrolsecurityrules system:serviceaccount:neuvector:controller
oc adm policy add-cluster-role-to-user neuvector-binding-nvdlpsecurityrules system:serviceaccount:neuvector:controller
oc create role neuvector-binding-scanner --verb=get,patch,update,watch --resource=deployments -n neuvector
oc adm policy add-role-to-user neuvector-binding-scanner system:serviceaccount:neuvector:updater system:serviceaccount:neuvector:controller -n neuvector --role-namespace neuvector
oc create clusterrole neuvector-binding-co --verb=get,list --resource=clusteroperators
oc adm policy add-cluster-role-to-user neuvector-binding-co system:serviceaccount:neuvector:enforcer system:serviceaccount:neuvector:controller
oc create role neuvector-binding-secret --verb=get,list,watch --resource=secrets -n neuvector
oc adm policy add-role-to-user neuvector-binding-secret system:serviceaccount:neuvector:controller system:serviceaccount:neuvector:enforcer system:serviceaccount:neuvector:scanner system:serviceaccount:neuvector:registry-adapter -n neuvector --role-namespace neuvector
oc create clusterrole neuvector-binding-nvcomplianceprofiles --verb=get,list,delete --resource=nvcomplianceprofiles
oc create clusterrolebinding neuvector-binding-nvcomplianceprofiles --clusterrole=neuvector-binding-nvcomplianceprofiles --serviceaccount=neuvector:controller
oc create clusterrole neuvector-binding-nvvulnerabilityprofiles --verb=get,list,delete --resource=nvvulnerabilityprofiles
oc create clusterrolebinding neuvector-binding-nvvulnerabilityprofiles --clusterrole=neuvector-binding-nvvulnerabilityprofiles --serviceaccount=neuvector:controller
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/neuvector-roles-k8s.yaml
oc create role neuvector-binding-lease --verb=create,get,update --resource=leases -n neuvector
oc adm policy add-role-to-user neuvector-binding-cert-upgrader system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
oc adm policy add-role-to-user neuvector-binding-job-creation system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
oc adm policy add-role-to-user neuvector-binding-lease system:serviceaccount:neuvector:controller system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
oc create clusterrole neuvector-binding-nvgroupdefinitions --verb=get,list,delete --resource=nvgroupdefinitions
oc create clusterrolebinding neuvector-binding-nvgroupdefinitions --clusterrole=neuvector-binding-nvgroupdefinitions --serviceaccount=neuvector:controller
8. Run the following command to check whether the neuvector/controller, neuvector/enforcer and neuvector/updater service accounts were added successfully.
oc get ClusterRoleBinding neuvector-binding-app neuvector-binding-rbac neuvector-binding-admission neuvector-binding-customresourcedefinition neuvector-binding-nvsecurityrules neuvector-binding-view neuvector-binding-nvwafsecurityrules neuvector-binding-nvadmissioncontrolsecurityrules neuvector-binding-nvdlpsecurityrules neuvector-binding-co -o wide
Sample output:
NAME                                                ROLE                                                            AGE   USERS   GROUPS   SERVICEACCOUNTS
neuvector-binding-app                               ClusterRole/neuvector-binding-app                               56d                    neuvector/controller
neuvector-binding-rbac                              ClusterRole/neuvector-binding-rbac                              34d                    neuvector/controller
neuvector-binding-admission                         ClusterRole/neuvector-binding-admission                         72d                    neuvector/controller
neuvector-binding-customresourcedefinition          ClusterRole/neuvector-binding-customresourcedefinition          72d                    neuvector/controller
neuvector-binding-nvsecurityrules                   ClusterRole/neuvector-binding-nvsecurityrules                   72d                    neuvector/controller
neuvector-binding-view                              ClusterRole/view                                                72d                    neuvector/controller
neuvector-binding-nvwafsecurityrules                ClusterRole/neuvector-binding-nvwafsecurityrules                72d                    neuvector/controller
neuvector-binding-nvadmissioncontrolsecurityrules   ClusterRole/neuvector-binding-nvadmissioncontrolsecurityrules   72d                    neuvector/controller
neuvector-binding-nvdlpsecurityrules                ClusterRole/neuvector-binding-nvdlpsecurityrules                72d                    neuvector/controller
neuvector-binding-co                                ClusterRole/neuvector-binding-co                                72d                    neuvector/enforcer, neuvector/controller
And this command:
oc get RoleBinding neuvector-binding-scanner neuvector-binding-cert-upgrader neuvector-binding-job-creation neuvector-binding-lease neuvector-binding-secret -n neuvector -o wide
Sample output:
NAME                              ROLE                                   AGE   USERS   GROUPS   SERVICEACCOUNTS
neuvector-binding-scanner         Role/neuvector-binding-scanner         56m                    neuvector/controller, neuvector/updater
neuvector-binding-cert-upgrader   Role/neuvector-binding-cert-upgrader   56m                    neuvector/cert-upgrader
neuvector-binding-job-creation    Role/neuvector-binding-job-creation    56m                    neuvector/controller
neuvector-binding-lease           Role/neuvector-binding-lease           56m                    neuvector/controller, neuvector/cert-upgrader
neuvector-binding-secret          Role/neuvector-binding-secret          56m                    neuvector/controller, neuvector/enforcer, neuvector/scanner, neuvector/registry-adapter
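The check in step 8 relies on reading the -o wide output by eye. As an added example (not NeuVector/SUSE code), the script below audits the neuvector-binding-* ClusterRoleBindings against the exact role and subject pairs the commands in step 7 create, so that a missing binding, an extra subject, or a binding re-pointed at a broader role is reported rather than overlooked. It assumes the binding and service-account names used on this page; the EXPECTED_BINDINGS list is copied from the step 7 commands and should be extended if neuvector-roles-k8s.yaml adds cluster-scoped bindings in your version. The jsonpath dump and the awk/grep normalization are the example's own.

```shell
#!/bin/sh
# Added example: audit neuvector-binding-* ClusterRoleBindings against the
# role/subject pairs defined by the "oc create clusterrole ..." and
# "oc adm policy add-cluster-role-to-user ..." commands on this page.
set -eu

# Expected "binding role Kind:namespace/name" triples (copied from the page's
# commands). Extend if neuvector-roles-k8s.yaml adds cluster bindings.
EXPECTED_BINDINGS='
neuvector-binding-app neuvector-binding-app ServiceAccount:neuvector/controller
neuvector-binding-rbac neuvector-binding-rbac ServiceAccount:neuvector/controller
neuvector-binding-admission neuvector-binding-admission ServiceAccount:neuvector/controller
neuvector-binding-customresourcedefinition neuvector-binding-customresourcedefinition ServiceAccount:neuvector/controller
neuvector-binding-nvsecurityrules neuvector-binding-nvsecurityrules ServiceAccount:neuvector/controller
neuvector-binding-view view ServiceAccount:neuvector/controller
neuvector-binding-nvwafsecurityrules neuvector-binding-nvwafsecurityrules ServiceAccount:neuvector/controller
neuvector-binding-nvadmissioncontrolsecurityrules neuvector-binding-nvadmissioncontrolsecurityrules ServiceAccount:neuvector/controller
neuvector-binding-nvdlpsecurityrules neuvector-binding-nvdlpsecurityrules ServiceAccount:neuvector/controller
neuvector-binding-co neuvector-binding-co ServiceAccount:neuvector/controller
neuvector-binding-co neuvector-binding-co ServiceAccount:neuvector/enforcer
neuvector-binding-nvcomplianceprofiles neuvector-binding-nvcomplianceprofiles ServiceAccount:neuvector/controller
neuvector-binding-nvvulnerabilityprofiles neuvector-binding-nvvulnerabilityprofiles ServiceAccount:neuvector/controller
neuvector-binding-nvgroupdefinitions neuvector-binding-nvgroupdefinitions ServiceAccount:neuvector/controller
'

# dump_bindings: one line per ClusterRoleBinding in the live cluster:
# name<TAB>roleRef.name<TAB>"Kind:namespace/name" subject tokens separated by spaces.
dump_bindings() {
  oc get clusterrolebinding -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.namespace}/{.name}{" "}{end}{"\n"}{end}'
}

# normalize_subjects: expand each dump line into one "binding role subject" line
# per subject, so User and Group subjects are compared as well as service accounts.
normalize_subjects() {
  awk -F'\t' '{
    n = split($3, s, " ")
    for (i = 1; i <= n; i++) if (s[i] != "") print $1, $2, s[i]
  }'
}

# audit_bindings: read normalized lines on stdin. Prints MISSING for expected
# pairs absent from the cluster and UNEXPECTED for any neuvector-binding-* pair
# the page does not define (extra subject or different role). Returns 1 on either.
audit_bindings() {
  actual="$(grep '^neuvector-binding-' | sort -u || true)"
  expected="$(printf '%s\n' "$EXPECTED_BINDINGS" | sed '/^$/d' | sort -u)"
  rc=0
  printf '%s\n' "$expected" | {
    bad=0
    while read -r line; do
      printf '%s\n' "$actual" | grep -qxF -- "$line" || { echo "MISSING: $line"; bad=1; }
    done
    exit "$bad"
  } || rc=1
  printf '%s\n' "$actual" | {
    bad=0
    while read -r line; do
      [ -n "$line" ] || continue
      printf '%s\n' "$expected" | grep -qxF -- "$line" || { echo "UNEXPECTED: $line"; bad=1; }
    done
    exit "$bad"
  } || rc=1
  return "$rc"
}

# Run against the cluster only when invoked as "audit-nv-bindings.sh run".
case "${1:-}" in
  run) dump_bindings | normalize_subjects | audit_bindings ;;
esac
```

Run it as a logged-in cluster admin with `sh audit-nv-bindings.sh run`; a non-zero exit with MISSING or UNEXPECTED lines is the signal that step 7 did not complete as written or that someone has since widened the controller's or enforcer's cluster permissions.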
9. (Optional) Create the federation master and/or remote multi-cluster management services. If you plan to use the multi-cluster management features in SUSE® Security, one cluster must have the federation master service deployed, and each remote cluster must have the federation worker service. For flexibility, you may choose to deploy both master and worker services on each cluster so that any cluster can be the master or a remote.
Federation management services:
apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-controller-fed-master
  namespace: neuvector
spec:
  ports:
  - port: 11443
    name: fed
    protocol: TCP
  type: NodePort
  selector:
    app: neuvector-controller-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-controller-fed-worker
  namespace: neuvector
spec:
  ports:
  - port: 10443
    name: fed
    protocol: TCP
  type: NodePort
  selector:
    app: neuvector-controller-pod
Then create the appropriate service(s):
oc create -f nv_master_worker.yaml
10. Create the neuvector services and pods from the sample yaml below.
Replace the <version> tags for the manager, controller, and enforcer image references in the yaml file. Also make any other modifications required for your deployment environment.
oc create -f <compose file>
That's it! You should be able to connect to the SUSE® Security console and log in with admin:admin, e.g. `https://<public-ip>:8443`.
To see how to access the console for the neuvector-webui service:
oc get services -n neuvector
If you created your own namespace instead of using "`neuvector`", replace all "`namespace: neuvector`" and other namespace references in the sample yaml file below with your namespace.
OpenShift 4.6+ with CRI-O Run-time
The name of your default OpenShift registry may have changed from docker-registry to openshift-image-registry. You may need to change the image registry for the manager, controller, and enforcer in the sample yaml.
Note: the type NodePort is used for the fed-master and fed-worker services instead of LoadBalancer. You may need to adjust this for your deployment.
If using the CRI-O run-time, see the CRI-O sample here.
Master Node Taints and Tolerations
All taint info must match in order to schedule enforcers on a node. To check the taint info on a node (e.g. a master node):
$ oc get node taintnodename -o yaml
Sample output:
spec:
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  # there may be an extra info for taint as below
  - effect: NoSchedule
    key: mykey
    value: myvalue
If there is additional taint info as shown above, add it to the tolerations section of the sample yaml:
spec:
  template:
    spec:
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
      # if there is an extra info for taints as above, please add it here. This is required to match all the taint info defined on the taint node. Otherwise, the Enforcer won't deploy on the taint node
      - effect: NoSchedule
        key: mykey
        value: myvalue
Using Node Labels for Manager and Controller Nodes
To control which nodes the manager and controller are deployed on, label each node. Replace `<nodename>` with the appropriate node name.
oc label nodes <nodename> nvcontroller=true
Then add a nodeSelector to the yaml file in the manager and controller deployment sections. For example:
        - mountPath: /host/cgroup
          name: cgroup-vol
          readOnly: true
      nodeSelector:
        nvcontroller: "true"
      restartPolicy: Always
To prevent the enforcer from being deployed on a controller node, if that node is a dedicated management node (with no application containers to be monitored), add a nodeAffinity to the enforcer yaml section. For example:
        app: neuvector-enforcer-pod
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: nvcontroller
                operator: NotIn
                values: ["true"]
      imagePullSecrets:
Updating the CVE Database in an OpenShift Deployment
The latest scanner image always contains the latest CVE database update from SUSE® Security, so using a version tag when pulling the scanner image is not recommended. Updating the CVE database does, however, require regularly pulling the latest scanner image so that the updater's cron job can redeploy the scanners. The examples above assume the SUSE® Security images are pulled, tagged, and pushed to the local OpenShift registry, and that deployment is done from that registry rather than directly from neuvector (or the legacy SUSE® Security registry on docker hub).
To update the CVE database regularly, we recommend creating a script/cron job that pulls the latest SUSE® Security scanner image and performs the tag and push steps into the local registry. This ensures the CVE database is updated regularly and that images and containers are scanned for new vulnerabilities.
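The script/cron job recommended above, written out as an added example (not the NeuVector project's own code): it repeats the pull/tag/push steps from step 3 for the scanner image only, always with the latest tag, so that the updater CronJob's nightly restart of neuvector-scanner-pod actually pulls a newer CVE database. The registry names default to Docker Hub and the OpenShift 4.6+ internal registry used in this page's samples, and REGISTRY_USER defaults to the current login name; both are assumptions to override for your environment. DRY_RUN=1 prints the docker commands instead of executing them.

```shell
#!/bin/sh
# Added example: refresh the scanner image in the local OpenShift registry so the
# updater CronJob redeploys scanners with the newest CVE database.
set -eu

# Assumed defaults; override with environment variables for your registry.
SRC_REGISTRY="${SRC_REGISTRY:-docker.io}"
DST_REGISTRY="${DST_REGISTRY:-image-registry.openshift-image-registry.svc:5000}"
REGISTRY_USER="${REGISTRY_USER:-$(id -un)}"   # the user from "oc login"
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print docker commands only

# run: execute a command, or echo it when DRY_RUN=1 (lets the steps be
# reviewed without a registry).
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# refresh_scanner: pull the newest scanner and mirror it into the local registry.
# The latest tag is deliberate: the page recommends no version tag for the scanner.
# Any failing docker step aborts (set -e), so cron reports the failure.
refresh_scanner() {
  src="$SRC_REGISTRY/neuvector/scanner:latest"
  dst="$DST_REGISTRY/neuvector/scanner:latest"
  run docker pull "$src"
  run docker tag "$src" "$dst"
  run docker push "$dst"
}

# main: log in to the internal registry with the current oc session token
# (fed on stdin rather than placed on the command line), mirror the image,
# and always log out again so the token is not left in the docker config.
main() {
  oc whoami -t | run docker login -u "$REGISTRY_USER" --password-stdin "$DST_REGISTRY"
  trap 'run docker logout "$DST_REGISTRY"' EXIT
  refresh_scanner
}

# Invoked explicitly so the functions can also be sourced. Example crontab line:
#   0 3 * * * /usr/local/bin/refresh-scanner.sh run 2>&1 | logger -t nv-scanner-refresh
case "${1:-}" in
  run) main ;;
esac
```

Schedule it to finish before the updater CronJob's `0 0 * * *` slot in the sample yaml (or move one of the two), otherwise the scanner pods are restarted against the image from the previous day.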
Rolling Updates
Orchestration tools such as Kubernetes, RedHat OpenShift, and Rancher support rolling updates with configurable policies. You can use this feature to update the SUSE® Security containers. The most important thing is to make sure at least one Allinone/Controller is running at all times so that policies, logs, and connection data are not lost. Make sure there is at least 30 seconds between container updates so that a new leader can be elected and data synchronized between controllers.
Before starting a rolling update, pull and tag the SUSE® Security containers as described at the beginning of this page. You can pull the latest version without a version number, but to trigger a rolling update you will need to tag the image with a version.
For example, for the controller (latest):
docker pull neuvector/controller
Then tag and push, if the latest version is 2.0.1, in the same way as step 3 at the top of this page:
docker login -u <user_name> -p `oc whoami -t` docker-registry.default.svc:5000
docker tag neuvector/controller docker-registry.default.svc:5000/neuvector/controller:2.0.1
docker push docker-registry.default.svc:5000/neuvector/controller:2.0.1
You can now update your yaml file with these new versions and `apply`, or use the `oc set image …` command to trigger a rolling update. See the Kubernetes rolling update example in this Production section for how to start and monitor a rolling update of the SUSE® Security containers.
The sample deployment yaml files provided are already configured with a rolling update policy. If you are updating via the SUSE® Security Helm chart, pull the latest chart so that new features such as admission control are configured correctly, and remove the old cluster roles and cluster role bindings for SUSE® Security.
Enable REST API
To enable the REST API, port 10443 must be configured as follows:
apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-controller
  namespace: neuvector
spec:
  ports:
  - port: 10443
    name: controller
    protocol: TCP
  type: NodePort
  selector:
    app: neuvector-controller-pod
Enable/Disable Scheduling on the Master Node
Scheduling on the master node can be enabled/disabled with the following commands.
oc adm manage-node nodename --schedulable
oc adm manage-node nodename --schedulable=false
OpenShift Deployment in Non-Privileged Mode
SUSE® Security can be deployed without privileged mode containers by following the instructions below. The controller already runs in non-privileged mode; the enforcer deployment should be changed as shown in the excerpt below.
Enforcer:
spec:
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/neuvector-enforcer-pod: unconfined
        # this line below is required to be added if k8s version is pre-v1.19
        # container.seccomp.security.alpha.kubernetes.io/neuvector-enforcer-pod: unconfined
    spec:
      containers:
          securityContext:
            # openshift
            seLinuxOptions:
              type: unconfined_t
            # the following two lines are required for k8s v1.19+. pls comment out both lines if version is pre-1.19. Otherwise, a validating data error message will show
            seccompProfile:
              type: Unconfined
            capabilities:
              add:
              - SYS_ADMIN
              - NET_ADMIN
              - SYS_PTRACE
              - IPC_LOCK
              - NET_RAW
              - SYS_CHROOT
              - MKNOD
              - AUDIT_WRITE
              - SETFCAP
The following sample is a complete deployment reference using the cri-o run-time. For other run-times, make the appropriate changes to the volumes/volume mounts for crio.sock.
apiVersion: v1
kind: Service
metadata:
  name: neuvector-svc-crd-webhook
  namespace: neuvector
spec:
  ports:
  - port: 443
    targetPort: 30443
    protocol: TCP
    name: crd-webhook
  type: ClusterIP
  selector:
    app: neuvector-controller-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-svc-admission-webhook
  namespace: neuvector
spec:
  ports:
  - port: 443
    targetPort: 20443
    protocol: TCP
    name: admission-webhook
  type: ClusterIP
  selector:
    app: neuvector-controller-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-webui
  namespace: neuvector
spec:
  ports:
  - port: 8443
    name: manager
    protocol: TCP
  type: ClusterIP
  selector:
    app: neuvector-manager-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-svc-controller
  namespace: neuvector
spec:
  ports:
  - port: 18300
    protocol: "TCP"
    name: "cluster-tcp-18300"
  - port: 18301
    protocol: "TCP"
    name: "cluster-tcp-18301"
  - port: 18301
    protocol: "UDP"
    name: "cluster-udp-18301"
  clusterIP: None
  selector:
    app: neuvector-controller-pod
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: neuvector-route-webui
  namespace: neuvector
spec:
  to:
    kind: Service
    name: neuvector-service-webui
  port:
    targetPort: manager
  tls:
    termination: passthrough
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: neuvector-manager-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-manager-pod
  replicas: 1
  template:
    metadata:
      labels:
        app: neuvector-manager-pod
    spec:
      serviceAccountName: basic
      serviceAccount: basic
      containers:
        - name: neuvector-manager-pod
          image: image-registry.openshift-image-registry.svc:5000/neuvector/manager:<version>
          env:
            - name: CTRL_SERVER_IP
              value: neuvector-svc-controller.neuvector
      restartPolicy: Always
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: neuvector-controller-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-controller-pod
  minReadySeconds: 60
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  replicas: 3
  template:
    metadata:
      labels:
        app: neuvector-controller-pod
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - neuvector-controller-pod
              topologyKey: "kubernetes.io/hostname"
      serviceAccountName: controller
      serviceAccount: controller
      containers:
        - name: neuvector-controller-pod
          image: image-registry.openshift-image-registry.svc:5000/neuvector/controller:<version>
          securityContext:
            runAsUser: 0
          readinessProbe:
            exec:
              command:
              - cat
              - /tmp/ready
            initialDelaySeconds: 5
            periodSeconds: 5
          env:
            - name: CLUSTER_JOIN_ADDR
              value: neuvector-svc-controller.neuvector
            - name: CLUSTER_ADVERTISED_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: CLUSTER_BIND_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            # - name: CTRL_PERSIST_CONFIG
            #   value: "1"
          volumeMounts:
            # - mountPath: /var/neuvector
            #   name: nv-share
            #   readOnly: false
            - mountPath: /etc/config
              name: config-volume
              readOnly: true
      terminationGracePeriodSeconds: 300
      restartPolicy: Always
      volumes:
        # - name: nv-share
        #   persistentVolumeClaim:
        #     claimName: neuvector-data
        - name: config-volume
          projected:
            sources:
              - configMap:
                  name: neuvector-init
                  optional: true
              - secret:
                  name: neuvector-init
                  optional: true
              - secret:
                  name: neuvector-secret
                  optional: true
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: neuvector-enforcer-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-enforcer-pod
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: neuvector-enforcer-pod
      annotations:
        container.apparmor.security.beta.kubernetes.io/neuvector-enforcer-pod: unconfined
        # Add the following for pre-v1.19
        # container.seccomp.security.alpha.kubernetes.io/neuvector-enforcer-pod: unconfined
    spec:
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
      hostPID: true
      serviceAccountName: enforcer
      serviceAccount: enforcer
      containers:
        - name: neuvector-enforcer-pod
          image: image-registry.openshift-image-registry.svc:5000/neuvector/enforcer:<version>
          securityContext:
            # openshift
            seLinuxOptions:
              type: unconfined_t
            # the following two lines are required for k8s v1.19+. pls comment out both lines if version is pre-1.19. Otherwise, a validating data error message will show
            seccompProfile:
              type: Unconfined
            capabilities:
              add:
              - SYS_ADMIN
              - NET_ADMIN
              - SYS_PTRACE
              - IPC_LOCK
              - NET_RAW
              - SYS_CHROOT
              - MKNOD
              - AUDIT_WRITE
              - SETFCAP
          env:
            - name: CLUSTER_JOIN_ADDR
              value: neuvector-svc-controller.neuvector
            - name: CLUSTER_ADVERTISED_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: CLUSTER_BIND_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          volumeMounts:
            - mountPath: /lib/modules
              name: modules-vol
              readOnly: true
            # - mountPath: /run/runtime.sock
            #   name: runtime-sock
            #   readOnly: true
            # - mountPath: /host/proc
            #   name: proc-vol
            #   readOnly: true
            # - mountPath: /host/cgroup
            #   name: cgroup-vol
            #   readOnly: true
            - mountPath: /var/nv_debug
              name: nv-debug
              readOnly: false
      terminationGracePeriodSeconds: 1200
      restartPolicy: Always
      volumes:
        - name: modules-vol
          hostPath:
            path: /lib/modules
        # - name: runtime-sock
        #   hostPath:
        #     path: /var/run/crio/crio.sock
        # - name: proc-vol
        #   hostPath:
        #     path: /proc
        # - name: cgroup-vol
        #   hostPath:
        #     path: /sys/fs/cgroup
        - name: nv-debug
          hostPath:
            path: /var/nv_debug
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: neuvector-scanner-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-scanner-pod
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  replicas: 2
  template:
    metadata:
      labels:
        app: neuvector-scanner-pod
    spec:
      serviceAccountName: scanner
      serviceAccount: scanner
      containers:
        - name: neuvector-scanner-pod
          image: image-registry.openshift-image-registry.svc:5000/neuvector/scanner:<version>
          imagePullPolicy: Always
          env:
            - name: CLUSTER_JOIN_ADDR
              value: neuvector-svc-controller.neuvector
      restartPolicy: Always
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: neuvector-updater-pod
  namespace: neuvector
spec:
  schedule: "0 0 * * *"
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: neuvector-updater-pod
        spec:
          serviceAccountName: updater
          serviceAccount: updater
          containers:
          - name: neuvector-updater-pod
            image: image-registry.openshift-image-registry.svc:5000/neuvector/updater:<version>
            imagePullPolicy: Always
            command:
            - /bin/sh
            - -c
            - TOKEN=`cat /var/run/secrets/kubernetes.io/serviceaccount/token`; /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $TOKEN" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'
          restartPolicy: Never