Deploy Using ConfigMap

Kubernetes ConfigMap

SUSE® Security supports automated configuration using the Kubernetes ConfigMap feature. This enables deployment of SUSE® Security containers with the appropriate configurations, integrations, and other settings in an automated way.

The 'always_reload: true' setting can be added in any ConfigMap yaml to force reload of that yaml every time the controller starts (version 4.3.2+). Otherwise, the ConfigMap will only be loaded at initial startup or after complete cluster restart (see persistent storage section below).

Complete Sample SUSE® Security ConfigMap (initcfg.yaml)

The latest ConfigMap can be found here.

The sample is also shown below. This contains all the settings available. Please remove the sections not needed and edit the sections needed.

If using configmap in a secret, see section below for formatting changes.

apiVersion: v1
data:
  fedinitcfg.yaml: |
    # ============ this section is used for primary cluster ============ >>>
    # Optional. If specified, it overwrites the cluster name specified in the system configuration in the sysinitcfg.yaml file
    Cluster_Name: primary.cluster.local
    # Required and must be the same on primary cluster and remote clusters
    # It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
    Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
    # Required: REST server/port of the neuvector-svc-controller-fed-master service
    Primary_Rest_Info:
      Server: 1.2.3.4
      Port: 11443
    # Optional. Supported value: https
    Use_Proxy: ""
    # Optional. Whether federal repo scan data deployment is enabled (for primary cluster only)
    Deploy_Repo_Scan_Data: false
    # <<< ============ this section is used for primary cluster ============
    # ============ this section is used for remote cluster ============ >>>
    # Optional. If specified, it overwrites the cluster name specified in the system configuration in the sysinitcfg.yaml file
    Cluster_Name: remote.cluster.local
    # Required and must be the same on primary cluster and remote clusters
    # It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
    # The Join_Token specified in the remote cluster's fedinitcfg.yaml needs to be the same as the Join_Token specified in the primary cluster's fedinitcfg.yaml otherwise the auto-joining request will be declined by the primary cluster
    Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
    # Required: REST server/port of the neuvector-svc-controller-fed-master service
    Primary_Rest_Info:
      Server: 1.2.3.4
      Port: 11443
    # Optional, for remote cluster only. REST server/port of the neuvector-svc-controller-fed-managed service
    Managed_Rest_Info:
      Server: 4.3.2.1
      Port: 10443
    # Optional. Supported value: https
    Use_Proxy: ""
    # <<< ============ this section is used for remote cluster ============
  passwordprofileinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    active_profile_name: default
    pwd_profiles:
    # only default profile is supported.
    - name: default
      comment: default from configMap
      min_len: 6
      min_uppercase_count: 0
      min_lowercase_count: 0
      min_digit_count: 0
      min_special_count: 0
      enable_block_after_failed_login: false
      block_after_failed_login_count: 0
      block_minutes: 0
      enable_password_expiration: false
      password_expire_after_days: 0
      enable_password_history: false
      password_keep_history_count: 0
      # Optional. value between 30 -- 3600  default 300
      session_timeout: 300
  roleinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    roles:
    # Optional.
    - Comment: test role
    # Mandatory. name can have ^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$
      Name: testrole
    # Mandatory
      Permissions:
        - id: config
          read: true
          write: true
        - id: rt_scan
          read: true
          write: true
        - id: reg_scan
          read: true
          write: true
        - id: ci_scan
          write: true
        - id: rt_policy
          read: true
          write: true
        - id: admctrl
          read: true
          write: true
        - id: compliance
          read: true
          write: true
        - id: audit_events
          read: true
        - id: security_events
          read: true
        - id: events
          read: true
        - id: authentication
          read: true
          write: true
        - id: authorization
          read: true
          write: true
  ldapinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    # Mandatory. OpenLDAP or MicrosoftAD
    directory: OpenLDAP
    # Mandatory.
    Hostname: 1.2.3.4
    # Optional. the default value is 389
    Port: 389
    # Optional true or false or empty string(false)
    SSL: false
    # Mandatory.
    base_dn: cn=admin,dc=example,dc=org
    # Optional.
    bind_dn: dc=example,dc=org
    # Optional.
    bind_password: password
    # Optional. empty string(memberUid for openldap or member for windows ad)
    group_member_attr:
    # Optional. empty string(cn for openldap or sAMAccountName for windows ad)
    username_attr:
    # Optional. true or false or empty string(false)
    Enable: false
    # Optional. admin or reader or empty string(none)
    Default_Role: admin
    group_mapped_roles:
      - group: admin1
        global_role: admin
      - group: reader1
        global_role: reader
      - group: cipos1
        global_role: ciops
      - group: admin2
        global_role: admin
      - group: reader2
        global_role: reader
      - group: ciops2
        global_role: ciops
      - group: ns
        global_role:
        role_domains:
          testrole:
            - ns2-ciops1
            - ns2-ciops2
          reader:
            - ns2-reader1
            - ns2-reader2
          admin:
            - ns2-admin1
            - ns2-admin2
      - group: custom
        global_role: testrole
        role_domains:
          ciops:
            - custom-ciops1
            - custom-ciops2
          reader:
            - custom-reader1
            - custom-reader2
          admin:
            - custom-admin1
            - custom-admin2
  oidcinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    # Mandatory
    Issuer: https://...
    # Mandatory
    Client_ID: f53c56ec...
    # Mandatory
    Client_Secret: AyAixE3...
    # Optional. empty or string(group filter info)
    GroupClaim:
    # Optional. empty string(openid,profile,email)
    Scopes:
      - openid
      - profile
      - email
    # Optional. true or false or empty string(false)
    Enable: false
    # Optional. admin or reader or empty string(none)
    Default_Role: admin
    group_mapped_roles:
      - group: admin1
        global_role: admin
      - group: reader1
        global_role: reader
      - group: cipos1
        global_role: ciops
      - group: admin2
        global_role: admin
      - group: reader2
        global_role: reader
      - group: ciops2
        global_role: ciops
      - group: ns
        global_role:
        role_domains:
          testrole:
            - ns2-ciops1
            - ns2-ciops2
          reader:
            - ns2-reader1
            - ns2-reader2
          admin:
            - ns2-admin1
            - ns2-admin2
      - group: custom
        global_role: testrole
        role_domains:
          ciops:
            - custom-ciops1
            - custom-ciops2
          reader:
            - custom-reader1
            - custom-reader2
          admin:
            - custom-admin1
            - custom-admin2
    group_claim: groups
  samlinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    # Mandatory
    SSO_URL: https://...
    # Mandatory
    Issuer: https://...
    # Mandatory
    X509_Cert: |
      -----BEGIN CERTIFICATE-----
      MIIC8DCCAdigAwIBAgIQSMNDFv5HI7RPgF0uHW8YJDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
      ...
      -----END CERTIFICATE-----
    x509_cert_extra:
      - |
        -----BEGIN CERTIFICATE-----
        MIIC8DCCAdigAwIBAgIQSMNDFv5HI7RPgF0uHW8YJDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
        ...
        -----END CERTIFICATE-----
    # Optional. empty or string(group filter info)
    GroupClaim:
    # Optional. true or false or empty string(false)
    Enable: false
    # Optional. admin or reader or empty string(none)
    Default_Role: admin
    group_mapped_roles:
      - group: admin1
        global_role: admin
      - group: reader1
        global_role: reader
      - group: cipos1
        global_role: ciops
      - group: admin2
        global_role: admin
      - group: reader2
        global_role: reader
      - group: ciops2
        global_role: ciops
      - group: ns
        global_role:
        role_domains:
          testrole:
            - ns2-ciops1
            - ns2-ciops2
          reader:
            - ns2-reader1
            - ns2-reader2
          admin:
            - ns2-admin1
            - ns2-admin2
      - group: custom
        global_role: testrole
        role_domains:
          ciops:
            - custom-ciops1
            - custom-ciops2
          reader:
            - custom-reader1
            - custom-reader2
          admin:
            - custom-admin1
            - custom-admin2
    group_claim: groups
  sysinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    # Optional. Choose between  Discover or Monitor or Protect or empty string(Discover)
    New_Service_Policy_Mode: Discover
    # Optional. zero-drift or basic or empty string(zero-drift)
    New_Service_Profile_Baseline: zero-drift
    # Optional. input valid ipv4 address or empty string
    Syslog_ip: 1.2.3.4
    # Optional. input 17, 6 or 66 here for udp, tcp, tcp+tls or empty string(17)
    Syslog_IP_Proto: 17
    # Optional. it is required when Syslog_IP_Proto is 66 only
    Syslog_Server_Cert: |
      -----BEGIN CERTIFICATE-----
      MIIC8DCCAdigAwIBAgIQSMNDFv5HI7RPgF0uHW8YJDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
      ...
      -----END CERTIFICATE-----
    # Optional. empty string(514)
    Syslog_Port: 514
    # Optional. chose between Alert/Critical/Error/Warning/Notice/Info/Debug or empty string(Info)
    Syslog_Level: Info
    # Optional. true or false or empty string(false)
    Syslog_status: false
    Syslog_Categories:
    # Optional. can chose multiple between event/security-event/audit or empty string
      - event
      - security-event
      - audit
    # Optional. true or false or empty string(false)
    Syslog_in_json: false
    Auth_By_Platform: false
    single_cve_per_syslog: false
    syslog_cve_in_layers: false
    # Optional
    Webhooks:
      - name: myslack
        url: http...
        type: Slack
        enable: true
        use_proxy: false
      - name: mywebhook
        url: http...
        enable: true
        use_proxy: false
    # Optional. empty string
    Cluster_Name: cluster.local
    # Optional. chose multiple between cpath/mutex/conn/scan/cluster or empty string
    Controller_Debug:
      - cpath
    # Optional. true or false or empty string(true)
    Monitor_Service_Mesh: true
    # Optional. true or false or empty string(false)
    Registry_Http_Proxy_Status: false
    # Optional.  true or false or empty string(false)
    Registry_Https_Proxy_Status: false
    # Optional. http/https registry proxy or empty string
    Registry_Http_Proxy:
      URL: http...
      Username: username
      Password: password
    Registry_Https_Proxy:
      URL: https...
      Username: username
      Password: password
    Xff_Enabled: true
    Net_Service_Status: false
    Net_Service_Policy_Mode: Discover
    Disable_Net_Policy: false
    Scanner_Autoscale:
    # Optional. Choose between immediate or delayed or empty string
      Strategy:
      Min_Pods: 1
      Max_Pods: 3
    # Optional. true or false or empty string(false)
    No_Telemetry_Report: false
    # Optional. Mode Automation Discovery to Monitor. true or false or empty string(false)
    Mode_Auto_D2M: false
    # Optional. default value is 0. unit is seconds and range is between 3600 and 2592000 (1 hour to 30 days)
    Mode_Auto_D2M_Duration: 0
    # Optional. Mode Automation Monitor to Protect. true or false or empty string(false)
    Mode_Auto_M2P: false
    # Optional. default value is 0. unit is seconds and range is between 3600 and 2592000 (1 hour to 30 days)
    Mode_Auto_M2P_Duration: 0
    Scan_Config:
      # Optional. true or false or empty string(false)
      Auto_Scan: false
    # Optional. default value is 24. unit is hour and range is between 0 and 168
    Unused_Group_Aging: 24
  userinitcfg.yaml: |
    # Optional. true or false or empty string(false)
    always_reload: false
    users:
    # add multiple users below
    -
    # this user will be added
    # Optional.
      EMail: user1@email.com
    # Mandatory. username can have ^[a-zA-Z0-9]+[.:a-zA-Z0-9_-]*$
      Fullname: user1
    # Optional. en or zh_cn or empty string(en)
      Locale: en
    # Optional. password length minimal 6, don't lead with ]`}*|<>!%
      Password: password
    # Optional. admin or reader or empty string(none)
      Role: reader
    # Optional. admin group or reader group or empty string
      Role_Domains:
        admin:
          - admin1
          - admin2
        reader:
          - reader1
          - reader2
    # Optional. value between 30 -- 3600  default 300
      Timeout: 300
    -
    # this user will overwrite the original admin user
      Fullname: admin
      Password: password
      Role: admin
kind: ConfigMap
metadata:
  name: neuvector-init
  namespace: neuvector

Then create the ConfigMap object:

kubectl create -f initcfg.yaml

Federated ConfigMap Examples (fedinitcfg.yaml)

NeuVector v5.4.0 supports Federation automation through the ConfigMap. Below are example fedinitcfg.yaml configurations that can be applied to your primary and managed clusters depending on your use case.

Example fedinitcfg.yaml for the primary cluster:

# Optional. If specified, it overwrites the cluster name specified in system configuration
Cluster_Name: cluster-primary-43
# Required and must be the same on primary cluster and managed clusters
# It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
# Required: REST server/port of the neuvector-svc-controller-fed-master service
Primary_Rest_Info:
    Server: 10.1.10.43
    Port: 30020
# Optional. Supported value: https
Use_Proxy: ""
# Optional. Whether federal repo scan data deployment is enabled (for primary cluster only)
Deploy_Repo_Scan_Data: false

Example fedinitcfg.yaml for managed clusters:

# Optional. If specified, it overwrites the cluster name specified in system configuration
Cluster_Name: cluster-managed-42
# Required and must be the same on primary cluster and managed clusters
# It must be 36 characters long, i.e., 32 hex characters grouped as 8-4-4-4-12 and separated by four hyphens
Join_Token: 2be93d8f-d42a-44fc-9d33-7c1a6153066b
# Required: REST server/port of the neuvector-svc-controller-fed-master service
Primary_Rest_Info:
    Server: 10.1.10.43
    Port: 30020
# Optional, for managed cluster only. REST server/port of the neuvector-svc-controller-api service
Managed_Rest_Info:
    Server: 10.1.10.42
    Port: 30010
# Optional. Supported value: https
Use_Proxy: ""

Protect Sensitive Data Using a Secret

If sensitive data is to be included in some sections of the configmap, a secret can be created for those sections with sensitive data.

For example, create the configMap for NON-sensitive sections such as passwordProfile and role:

kubectl create configmap neuvector-init --from-file=$HOME/init/passwordprofileinitcfg.yaml --from-file=$HOME/init/roleinitcfg.yaml -n neuvector

Then create a secret for sections with sensitive data, such as:

kubectl create secret generic neuvector-init --from-file=$HOME/init/eulainitcfg.yaml --from-file=$HOME/init/ldapinitcfg.yaml --from-file=$HOME/init/oidcinitcfg.yaml --from-file=$HOME/init/samlinitcfg.yaml --from-file=$HOME/init/sysinitcfg.yaml --from-file=$HOME/init/userinitcfg.yaml -n neuvector

Remove the the pipe '|' character in each section, as shown below.

Note the removal of the pipe character below if using configmap sections in a secret, enabled set to true, and uncomment out the section to be included in the secret.

secret:
    # NOTE: files defined here have preferrence over the ones defined in the configmap section
    enabled: true
    data:
      eulainitcfg.yaml:
        license_key: 0Bca63Iy2FiXGqjk...
      #   ...
      # ldapinitcfg.yaml:
      #   directory: OpenLDAP
      #   ...
      # oidcinitcfg.yaml:
      #   Issuer: https://...
      #   ...
      # samlinitcfg.yaml:
      #   ...
      # sysinitcfg.yaml:
      #   ...
      # userinitcfg.yaml:
      #   ...

After controller is deployed, all the configuration files from both configmap and secret will be stored in /etc/config folder.

Note that the secret is referred to in the standard Kubernetes and OpenShift Controller deployment yaml files under Volumes.

ConfigMaps and Persistent Storage

Both the ConfigMaps and the persistent storage backup are only read when a new SUSE® Security cluster is deployed, or the cluster fails and is restarted. They are not used during rolling upgrades.

The persistent storage configuration backup is read first, then the ConfigMaps are applied, so ConfigMap settings take precedence. All ConfigMap settings (e.g. updates) will also be saved into persistent storage.