
Manage SUSE NeuVector Using REST API

Preface

Setup Neuvector

Expose REST API

To expose the REST API for access from outside of the Kubernetes cluster, enable port 10443.

apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-rest
  namespace: neuvector
spec:
  ports:
    - port: 10443
      name: controller
      protocol: TCP
  type: NodePort
  selector:
    app: neuvector-controller-pod

Create the Service

$ oc create -f neuvector-service-rest.yaml

Check the service status

$ oc get svc neuvector-service-rest

Output:

NAME                     TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)           AGE
neuvector-service-rest   NodePort   172.30.84.78   <none>        10443:32215/TCP   3h8m

Swagger

Install Swagger with Podman

$ podman run -d -p 80:8080 docker.io/swaggerapi/swagger-ui
  • -d, run the container in the background
  • -p, map the container's port 8080 to port 80 on the host

Access Swagger Web

Open a browser and connect to port 80 on the Podman host

http://192.168.11.211/

Import the API definition

Enter the following URL in the search bar at the top and click the "Explore" button

https://raw.githubusercontent.com/neuvector/neuvector/main/controller/api/apis.yaml

Setup Authentication

Create an authentication token

On the Swagger page, find /v1/auth Login Authentication under the Authentication heading, expand it, then click the Try it out button; the request body can now be edited.

After editing the body, click Execute to generate a sample command, then adjust it to match your actual environment.

The following is a concrete example. Run this command to generate an authentication token:

curl -s -k -X 'POST' \
  'https://192.168.11.82:32215/v1/auth' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "client_ip": "",
  "password": {
    "username": "admin",
    "password": "admin"
  },
  "Token": {
    "token": "",
    "state": "",
    "redirect_endpoint": ""
  }
}' | jq -r '.token.token' > token.json

View the contents of token.json

$ cat token.json

Output:

sUeU1TK648M4Y2RsScwiVceXB3zDuAPtIbzEHO_r++vMUbdriGCkjCVlcvVjZuK2dzV9hLgce_oKhJlhGXexL_4kmdJ0REtiwrTZb94uudgdjXz8QlkyzXsjbGpHVnqjMDhVqQSoJZ7WMQ+mslJOd6oHPiff476Xyl0+vwTj9tPlEkdeZkZcKjKH37aFbtbvrinCUpwIVl9kuJEV72OmL8p5kcjufydHPW0E6auxiLLmVKp46gki4hPt7CjgiSbtMG4vfanNMnOFpibmwRp9tRfDFnb4Q7z8b1iiuAouXqftJ1VMHuv2LKX_wuKTQAmj0e020_jwmR+MVgTwqVDQ5Uu0NmaeouSTuKbj39clCa+HzXWARNv735QsBDOAeoPt4r6BZTu1mPvo2A5ztcroAL77rZvtEpV0s2xTzxlVAYsXAK1Nu5asUDRqrWbtMkRJIbzXVBq6JYJE8w18+txwbo+JazJQU5vOWxIL93aQtzIveper+vmWjYHd5ieBOvHNlfjt4WJEnfxZ0A61RANPFEfb8HCNQCeFnv4heNV8GuAqstm5BxmsZVWIxW3_b+p0TFaqAl3Sfz1LlewbVFERGKoBNsWRYMsOPD5vgwgZP73r+SLJCVJGIyPbr1RugjOyackA_MFVjtjuLJzINR_IBpp6eiIctWF3Oqlj8Z2a_GhAA8HtYvcXFoM49E8V8IyQxN_KLGkSw_7HbI6LY63gKUzrAeisMuD9iBFkvqxURYEjhmu6F0UI6OFMR55S72GV4Q6afHnPRvmMiPDMuQ1h_bfZAvaGmQryhiboOu8mmcXap0mQLkp+FIBHhQgrqNmvcbC0BHkw859cxV4OOWRKdVVfSNC6mr6VG8uPxn29uLSonbmTc985pYhUfC0LAoQ+Y+gmeKfmsN_DebwMW72tVjb9EBbiTlXLTO+tj9BkdzCWb2zH1d9IBOqkaExEaw7JcMOzv44PqN1NBUy_SiO6nb7QXgNCGc7KKxoP7CrqLOSsUbxg1UxNhMQXNU0sdz3trAy8QUHP2kExTFbW_0_GVjA4hClx1b25GMt3nBhaJT1tp0aSnQMj47zsgJGz5ybxa6bAsUVcQEipA4dlA3orrkBZ0gKkQofpvBF1xAz8h2j6I5HLqbHj1RhT

Keep login session alive

$ _token_=$(cat token.json)

$ curl -s -k -X 'PATCH' \
  'https://192.168.11.82:32215/v1/auth' \
  -H 'accept: application/json' \
  -H "X-Auth-Token: $_token_"

Logout current logged in user

$ _token_=$(cat token.json)

$ curl -s -k -X 'DELETE' \
  'https://192.168.11.82:32215/v1/auth' \
  -H 'accept: application/json' \
  -H "X-Auth-Token: $_token_"

Process

View the Process Profile Rules of a specific Group

$ _token_=$(cat token.json)

$ curl -s -k -X 'GET' \
  'https://192.168.11.82:32215/v1/process_profile/nv.nginx.neuvector' \
  -H 'accept: application/json' \
  -H "X-Auth-Token: $_token_"

Output:

{
  "process_profile": {
    "baseline": "basic",
    "group": "nv.nginx.neuvector",
    "mode": "Protect",
    "process_list": [
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "user_created",
        "created_timestamp": 1691398024,
        "last_modified_timestamp": 1691398024,
        "name": "bash",
        "path": "/bin/bash",
        "uuid": "505a3ce0-c1c0-44a3-89ee-4bc6ed7ef675"
      },
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "user_created",
        "created_timestamp": 1691398143,
        "last_modified_timestamp": 1691398143,
        "name": "cat",
        "path": "/bin/cat",
        "uuid": "5ff92222-1818-45ed-9b9c-9edcebdb9125"
      },
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "user_created",
        "created_timestamp": 1691398053,
        "last_modified_timestamp": 1691398191,
        "name": "ls",
        "path": "/bin/ls",
        "uuid": "55380afb-3164-40cb-a830-ca352b9c0a2a"
      },
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "learned",
        "created_timestamp": 1691397615,
        "last_modified_timestamp": 1691397615,
        "name": "nginx",
        "path": "/usr/sbin/nginx",
        "user": "root",
        "uuid": "3e286470-aa88-4ae6-adcc-26c60d6446c5"
      },
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "user_created",
        "created_timestamp": 1691398031,
        "last_modified_timestamp": 1691398031,
        "name": "sh",
        "path": "/bin/sh",
        "uuid": "36de28dc-cf30-4795-920e-afd93b6af790"
      },
      {
        "action": "allow",
        "allow_update": false,
        "cfg_type": "user_created",
        "created_timestamp": 1691398216,
        "last_modified_timestamp": 1691398216,
        "name": "whoami",
        "path": "/usr/bin/whoami",
        "uuid": "b1aa8a28-1f28-4247-a4f4-f3540cf41634"
      }
    ]
  }
}
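The login, keep-alive, logout and process-profile calls above, combined into one short client so the token is obtained, reused and invalidated in a single run; this is an added example, not NeuVector's own code. It assumes the same controller address and admin credentials as above, the sample reply is constructed in the shape of the output above, and the list of shell paths it flags is an assumption.

```python
import json
import ssl
import urllib.request

# Sample reply, constructed here in the shape of the page's process_profile output
SAMPLE_REPLY = {"process_profile": {"group": "nv.nginx.neuvector", "mode": "Protect", "process_list": [
    {"name": "nginx", "path": "/usr/sbin/nginx", "action": "allow", "cfg_type": "learned"},
    {"name": "bash", "path": "/bin/bash", "action": "allow", "cfg_type": "user_created"},
    {"name": "sh", "path": "/bin/sh", "action": "allow", "cfg_type": "user_created"}]}}
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh"}  # assumption: common shell paths

class NeuVectorClient:
    """Client for the /v1/auth and /v1/process_profile calls shown above."""
    def __init__(self, base_url, verify_tls=True):
        self.base_url = base_url.rstrip("/")
        self.token = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # same as curl -k: only for a lab controller with a self-signed cert
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("accept", "application/json")
        if data:
            req.add_header("Content-Type", "application/json")
        if self.token:  # every call after login carries the session token
            req.add_header("X-Auth-Token", self.token)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    def login(self, username, password):  # POST /v1/auth returns the token used below
        reply = self._call("POST", "/v1/auth", {"password": {"username": username, "password": password}})
        self.token = reply["token"]["token"]
    def keepalive(self):  # PATCH /v1/auth, as in the "Keep login session alive" step
        self._call("PATCH", "/v1/auth")
    def logout(self):  # DELETE /v1/auth invalidates the token on the controller
        self._call("DELETE", "/v1/auth")
        self.token = None
    def process_profile(self, group):
        return self._call("GET", "/v1/process_profile/" + group)

def summarize_profile(reply):
    """Count rules by cfg_type and list allowed shells (in Protect mode these let a shell start)."""
    prof = reply["process_profile"]
    by_type, shells = {}, []
    for rule in prof["process_list"]:
        by_type[rule["cfg_type"]] = by_type.get(rule["cfg_type"], 0) + 1
        if rule["action"] == "allow" and rule["path"] in SHELLS:
            shells.append(rule["path"])
    return {"group": prof["group"], "mode": prof["mode"], "by_type": by_type, "allowed_shells": sorted(shells)}
```

Against a live controller, call `login("admin", "admin")`, then `summarize_profile(nv.process_profile("nv.nginx.neuvector"))`, and `logout()` in a `finally` block so the token does not outlive the script.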