Security, Cloud, Kubernetes, technical

Deploying NeuVector Open Source

In October, 2021, SUSE announced that it had acquired NeuVector. This was yet another instance of SUSE bolstering its container management portfolio, and makes a great complement to Rancher.

The new application stack

Kubernetes gives developers and operators the tools they need to build environments around their applications. By deploying applications like Istio, Prometheus, (NeuVector), Kubecost, and others alongside our applications, as developers, we no longer need to be as concerned about building complex logic into our application stacks for things like logging, monitoring, certificate management, RBAC, networking and service discovery, storage management, etc etc.

If you need to dig in deeper, Krumware helps companies adopt the tools and methodologies necessary to effectively build, manage and enhance their digital portfolios in hybrid cloud environments. Contact us to understand how you can include NeuVector as part of your kubernetes security strategy.

Why NeuVector

Developers and operators need a tool to fill the security void within their application stacks, not just tools that surround them. Kubernetes is a new type of cloud environment that gives us a huge amount of flexibility, but also comes with great responsibility. As we offload orchestration responsibility, we can't possibly monitor all risks discovered for our upstream tools, and we can't possibly deal with unknowns without a tool for discovery, monitoring, and scanning.

NeuVector fills this void, and now has an open source offering to match SUSE's everything-open mission.

Quick shout out: if you need help with vendor risk management and compliance framework implementation, please chat with our friends over at Velocity. They'll help you work through compliance with a host of frameworks, including NIST and MITRE ATT&CK - https://www.velocitysec.com/

How to deploy NeuVector Open Source (October 2022)

(Why the date in the title? Because NeuVector Open Source aligns with their 5.0 release, which was still a release candidate until recently)

Deploying NeuVector Open Source is simple if the operator has basic experience with kubernetes and Helm, and has knowledge of container image tags needed for the 5.0+ components. These components are outlined in the official open documents located here: https://open-docs.neuvector.com/

Preparation:

Head over to the official documentation and familiarize yourself with some of the notices. It is important to note that NeuVector Open Source is for "Preview Version Users". Therefore, when we deploy our helm chart, we need to manually specify the image versions to use for each component.

  • neuvector/manager:5.0.0
  • neuvector/controller:5.0.0
  • neuvector/enforcer:5.0.0
  • neuvector/scanner:latest
  • neuvector/updater:latest

These images are available on DockerHub, so we no longer need to specify imagePullSecrets, but it won't hurt to keep those in place if the credentials are for DockerHub.

Here we can see that the latest version of neuvector/controller matches version 4.4.4-s2, and NOT our desired 5.0.0, so this confirms that we must specify the version in our helm values.
Update: October 2022. The latest images now reflect version ^5.0.x by default, but we're leaving the information in place for those upgrading from older versions.

Visit https://hub.docker.com/r/neuvector/controller/tags to inspect the tags.

latest and 4.4.4-s2 share the same image digest in this example
5.0.0 (or newer) must be used

Now we're armed and ready to prepare our helm values and deploy the helm chart

Step 1: Add the helm repository

Add the helm repo from NeuVector's Github Pages:

helm repo add neuvector https://neuvector.github.io/neuvector-helm/

Step 2: Verify helm chart

Verify the helm repo

helm search repo neuvector

Pro-tip: To list chart versions, including Beta charts, add "-l --devel":

helm search repo neuvector -l --devel

Step 3: Helm install

Compile your helm command with values overrides.

We are going to specify the chart version (October 2022: currently 2.2.4). Use the following which includes the version specified.

helm upgrade --install neuvector neuvector/core --version 2.2.4 \
--set tag=5.0.4 \
--set registry=docker.io \
--create-namespace \
--namespace neuvector

Afterwards, you will see the following output:

Release "neuvector" does not exist. Installing it now.
NAME: neuvector
LAST DEPLOYED: Fri Apr 15 15:38:45 2022
NAMESPACE: neuvector
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Get the NeuVector URL by running these commands:
  NODE_PORT=$(kubectl get --namespace neuvector -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)
  NODE_IP=$(kubectl get nodes --namespace neuvector -o jsonpath="{.items[0].status.addresses[0].address}")
  echo https://$NODE_IP:$NODE_PORT

Run the commands provided to print the nodeport location of the NeuVector controller

NODE_PORT=$(kubectl get --namespace neuvector -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui) && \
NODE_IP=$(kubectl get nodes --namespace neuvector -o jsonpath="{.items[0].status.addresses[0].address}") && \
echo https://$NODE_IP:$NODE_PORT

Note: This endpoint will not be available to the internet unless you have specifically opened the port on your internet-connected nodes. Use kubectl port-forward or other tool to proxy create an access point for you local machine, then access the Web UI.

Step 4: Access the Web UI

I proxied the connect to my local machine via kubectl port-forward

kubectl port-forward --namespace neuvector service/neuvector-service-webui 8443

Now I can access the Web UI from https://localhost:8443
Tip: Make sure your request is for https and not http.

The default username is admin and default password is admin

Accept the license agreement, and you're off! Happy NeuVectoring!

We will cover the process of locking down and securing our environment in future articles.

You've successfully subscribed to Krumware
Great! Next, complete checkout for full access to Krumware
Welcome back! You've successfully signed in.
Unable to sign you in. Please try again.
Success! Your account is fully activated, you now have access to all content.
Error! Stripe checkout failed.
Success! Your billing info is updated.
Error! Billing info update failed.