# Manage SUSE NeuVector Using REST API

<style>
.indent-title-1{ margin-left: 1em; }
.indent-title-2{ margin-left: 2em; }
.indent-title-3{ margin-left: 3em; }
</style>

# Preface

<div class="indent-title-1">

This article covers:

- Talking to NeuVector with the API calls that Swagger generates

Click the table of contents below to expand it and jump to the section you want.

:::warning
:::spoiler Table of contents
[TOC]
:::
:::

</div>

# Setup Neuvector

## Expose REST API

<div class="indent-title-1">

To expose the REST API for access from outside of the Kubernetes cluster, enable port 10443.

```yaml!
apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-rest
  namespace: neuvector
spec:
  ports:
    - port: 10443
      name: controller
      protocol: TCP
  type: NodePort
  selector:
    app: neuvector-controller-pod
```

Create the Service:

```
$ oc create -f neuvector-service-rest.yaml
```

Check the service status:

```
$ oc get svc neuvector-service-rest
```

Output:

```!
NAME                     TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)           AGE
neuvector-service-rest   NodePort   172.30.84.78   <none>        10443:32215/TCP   3h8m
```

</div>

# Swagger

## Install Swagger with Podman

<div class="indent-title-1">

```!
$ podman run -d -p 80:8080 docker.io/swaggerapi/swagger-ui
```

- `-d`: run the container in the background
- `-p`: map the container's port 8080 to port 80 on the host

</div>

## Access Swagger Web

<div class="indent-title-1">

Open a browser and connect to port 80 on the Podman host:

```
http://192.168.11.211/
```

![](https://hackmd.io/_uploads/Hk1hCqe23.png)

</div>

## Import the API definition

<div class="indent-title-1">

Enter the following URL in the search bar at the top and click the "Explore" button:

```!
https://raw.githubusercontent.com/neuvector/neuvector/main/controller/api/apis.yaml
```

![](https://hackmd.io/_uploads/SkrM1og33.png)

</div>

## Setup Authentication

### Create an authentication token

<div class="indent-title-1">

On the Swagger page, find `/v1/auth Login Authentication` under the `Authentication` heading. Expand it, then click the `Try it out` button to make the body editable.

![](https://hackmd.io/_uploads/HyO1Kng33.png)

After editing, click `Execute` to generate a sample command, then adjust it to match your environment.

![](https://hackmd.io/_uploads/Hkbb53gn2.png)

Here is a concrete example. Run the following command to generate the authentication token:

```!
curl -s -k -X 'POST' \
  'https://192.168.11.82:32215/v1/auth' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_ip": "",
  "password": {
    "username": "admin",
    "password": "admin"
  },
  "Token": {
    "token": "",
    "state": "",
    "redirect_endpoint": ""
  }
}' | jq -r '.token.token' > token.json
```

View the contents of `token.json`:

```
$ cat token.json
```

Output:

```!
sUeU1TK648M4Y2RsScwiVceXB3zDuAPtIbzEHO_r++vMUbdriGCkjCVlcvVjZuK2dzV9hLgce_oKhJlhGXexL_4kmdJ0REtiwrTZb94uudgdjXz8QlkyzXsjbGpHVnqjMDhVqQSoJZ7WMQ+mslJOd6oHPiff476Xyl0+vwTj9tPlEkdeZkZcKjKH37aFbtbvrinCUpwIVl9kuJEV72OmL8p5kcjufydHPW0E6auxiLLmVKp46gki4hPt7CjgiSbtMG4vfanNMnOFpibmwRp9tRfDFnb4Q7z8b1iiuAouXqftJ1VMHuv2LKX_wuKTQAmj0e020_jwmR+MVgTwqVDQ5Uu0NmaeouSTuKbj39clCa+HzXWARNv735QsBDOAeoPt4r6BZTu1mPvo2A5ztcroAL77rZvtEpV0s2xTzxlVAYsXAK1Nu5asUDRqrWbtMkRJIbzXVBq6JYJE8w18+txwbo+JazJQU5vOWxIL93aQtzIveper+vmWjYHd5ieBOvHNlfjt4WJEnfxZ0A61RANPFEfb8HCNQCeFnv4heNV8GuAqstm5BxmsZVWIxW3_b+p0TFaqAl3Sfz1LlewbVFERGKoBNsWRYMsOPD5vgwgZP73r+SLJCVJGIyPbr1RugjOyackA_MFVjtjuLJzINR_IBpp6eiIctWF3Oqlj8Z2a_GhAA8HtYvcXFoM49E8V8IyQxN_KLGkSw_7HbI6LY63gKUzrAeisMuD9iBFkvqxURYEjhmu6F0UI6OFMR55S72GV4Q6afHnPRvmMiPDMuQ1h_bfZAvaGmQryhiboOu8mmcXap0mQLkp+FIBHhQgrqNmvcbC0BHkw859cxV4OOWRKdVVfSNC6mr6VG8uPxn29uLSonbmTc985pYhUfC0LAoQ+Y+gmeKfmsN_DebwMW72tVjb9EBbiTlXLTO+tj9BkdzCWb2zH1d9IBOqkaExEaw7JcMOzv44PqN1NBUy_SiO6nb7QXgNCGc7KKxoP7CrqLOSsUbxg1UxNhMQXNU0sdz3trAy8QUHP2kExTFbW_0_GVjA4hClx1b25GMt3nBhaJT1tp0aSnQMj47zsgJGz5ybxa6bAsUVcQEipA4dlA3orrkBZ0gKkQofpvBF1xAz8h2j6I5HLqbHj1RhT
```

</div>

### Keep login session alive

<div class="indent-title-1">

```
$ _token_=$(cat token.json)
$ curl -s -k -X 'PATCH' \
  'https://192.168.11.82:32215/v1/auth' \
  -H 'accept: application/json' \
  -H "X-Auth-Token: $_token_"
```

</div>

### Logout current logged in user

<div class="indent-title-1">

```
$ _token_=$(cat token.json)
$ curl -s -k -X 'DELETE' \
  'https://192.168.11.82:32215/v1/auth' \
  -H 'accept: application/json' \
  -H "X-Auth-Token: $_token_"
```

</div>

## Process

### View the Process Profile Rules of a specific Group

<div class="indent-title-1">

```!
$ _token_=$(cat token.json)
$ curl -s -k -X 'GET' \
  'https://192.168.11.82:32215/v1/process_profile/nv.nginx.neuvector' \
  -H 'accept: application/json' \
  -H "X-Auth-Token: $_token_"
```

Output:

```json!
{
  "process_profile": {
    "baseline": "basic",
    "group": "nv.nginx.neuvector",
    "mode": "Protect",
    "process_list": [
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "user_created",
        "created_timestamp": 1691398024,
        "last_modified_timestamp": 1691398024,
        "name": "bash",
        "path": "/bin/bash",
        "uuid": "505a3ce0-c1c0-44a3-89ee-4bc6ed7ef675"
      },
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "user_created",
        "created_timestamp": 1691398143,
        "last_modified_timestamp": 1691398143,
        "name": "cat",
        "path": "/bin/cat",
        "uuid": "5ff92222-1818-45ed-9b9c-9edcebdb9125"
      },
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "user_created",
        "created_timestamp": 1691398053,
        "last_modified_timestamp": 1691398191,
        "name": "ls",
        "path": "/bin/ls",
        "uuid": "55380afb-3164-40cb-a830-ca352b9c0a2a"
      },
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "learned",
        "created_timestamp": 1691397615,
        "last_modified_timestamp": 1691397615,
        "name": "nginx",
        "path": "/usr/sbin/nginx",
        "user": "root",
        "uuid": "3e286470-aa88-4ae6-adcc-26c60d6446c5"
      },
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "user_created",
        "created_timestamp": 1691398031,
        "last_modified_timestamp": 1691398031,
        "name": "sh",
        "path": "/bin/sh",
        "uuid": "36de28dc-cf30-4795-920e-afd93b6af790"
      },
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "user_created",
        "created_timestamp": 1691398216,
        "last_modified_timestamp": 1691398216,
        "name": "whoami",
        "path": "/usr/bin/whoami",
        "uuid": "b1aa8a28-1f28-4247-a4f4-f3540cf41634"
      }
    ]
  }
}
```

</div>
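The curl commands above (login with `POST /v1/auth`, keep-alive with `PATCH`, logout with `DELETE`, and `GET /v1/process_profile/<group>`) are easy to wrap in a small client so that a profile can be reviewed programmatically rather than by eye. The following is an added example written for this article, not NeuVector's own code: it uses only the Python standard library, verifies the controller's TLS certificate by default (the `insecure=True` switch reproduces `curl -k` for lab clusters that still use a self-signed certificate), and summarizes a process profile so that explicitly allowed shells and manually added (`user_created`) rules in a `Protect`-mode group stand out. The list of shell paths that count as "noteworthy" and the trimmed sample profile embedded at the bottom (taken from the output shown above) are assumptions for illustration.

```python
"""Minimal NeuVector REST client plus a process-profile review helper.

Added example for this article; not NeuVector project code. Endpoint paths
and the X-Auth-Token header follow the curl commands shown above.
"""
import json
import ssl
import urllib.request
from typing import Any, Dict, List, Optional

# Binaries worth a second look when an "allow" rule exists for them in a
# Protect-mode group. This list is an assumption for the example.
SHELL_LIKE = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/bash"}


def _ssl_context(cafile: Optional[str], insecure: bool) -> ssl.SSLContext:
    """Verify the controller certificate by default; insecure=True mirrors curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _request(base_url: str, method: str, path: str, token: Optional[str] = None,
             body: Optional[Dict[str, Any]] = None, cafile: Optional[str] = None,
             insecure: bool = False) -> Dict[str, Any]:
    """Send one JSON request to the controller and decode the JSON reply (if any)."""
    headers = {"accept": "application/json", "Content-Type": "application/json"}
    if token:
        headers["X-Auth-Token"] = token          # same header the curl examples use
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=_ssl_context(cafile, insecure), timeout=15) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}       # PATCH/DELETE on /v1/auth return no body


def login(base_url: str, username: str, password: str, **tls: Any) -> str:
    """POST /v1/auth; returns the session token (the field the article pipes through jq)."""
    body = {"password": {"username": username, "password": password}}
    return _request(base_url, "POST", "/v1/auth", body=body, **tls)["token"]["token"]


def keepalive(base_url: str, token: str, **tls: Any) -> None:
    """PATCH /v1/auth keeps the session from expiring."""
    _request(base_url, "PATCH", "/v1/auth", token=token, **tls)


def logout(base_url: str, token: str, **tls: Any) -> None:
    """DELETE /v1/auth invalidates the token; call it when the script is done."""
    _request(base_url, "DELETE", "/v1/auth", token=token, **tls)


def get_process_profile(base_url: str, token: str, group: str, **tls: Any) -> Dict[str, Any]:
    """GET /v1/process_profile/<group>, same response shape as the article's output."""
    return _request(base_url, "GET", f"/v1/process_profile/{group}", token=token, **tls)


def summarize_profile(profile: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a /v1/process_profile response to the facts a reviewer cares about."""
    pp = profile["process_profile"]
    allowed = [r for r in pp.get("process_list", []) if r.get("action") == "allow"]
    return {
        "group": pp["group"],
        "mode": pp["mode"],
        "shells": sorted(r["path"] for r in allowed if r["path"] in SHELL_LIKE),
        "user_created": sorted(r["name"] for r in allowed if r.get("cfg_type") == "user_created"),
        "learned": sorted(r["name"] for r in allowed if r.get("cfg_type") == "learned"),
    }


def review_findings(profile: Dict[str, Any]) -> List[str]:
    """Plain-text findings: shells allowed in Protect mode, and hand-added allow rules."""
    s = summarize_profile(profile)
    findings = [f"{s['group']}: {p} allowed while mode={s['mode']}" for p in s["shells"]]
    if s["user_created"]:
        findings.append(f"{s['group']}: user_created allow rules: {', '.join(s['user_created'])}")
    return findings


# Constructed sample, trimmed from the article's /v1/process_profile output.
SAMPLE_PROFILE: Dict[str, Any] = {"process_profile": {
    "baseline": "basic", "group": "nv.nginx.neuvector", "mode": "Protect",
    "process_list": [
        {"action": "allow", "cfg_type": "user_created", "name": "bash", "path": "/bin/bash"},
        {"action": "allow", "cfg_type": "user_created", "name": "cat", "path": "/bin/cat"},
        {"action": "allow", "cfg_type": "learned", "name": "nginx", "path": "/usr/sbin/nginx"},
        {"action": "allow", "cfg_type": "user_created", "name": "sh", "path": "/bin/sh"},
    ]}}


if __name__ == "__main__":
    # Offline demo on the embedded sample. For a live controller (hypothetical
    # values, adjust to your cluster):
    #   tok = login("https://192.168.11.82:32215", "admin", "admin", insecure=True)
    #   prof = get_process_profile("https://192.168.11.82:32215", tok, "nv.nginx.neuvector", insecure=True)
    #   logout("https://192.168.11.82:32215", tok, insecure=True)
    for line in review_findings(SAMPLE_PROFILE):
        print(line)
```

The review functions deliberately take the decoded JSON rather than a URL, so the same logic can run against saved responses from several clusters or be dropped into a CI check that fails when a Protect-mode group gains an interactive shell rule.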