# Deploying NeuVector 5.3.2

## Deploying with YAML

1. Create the NeuVector namespace and the service accounts it needs.

   ```
   kubectl create namespace neuvector && \
   kubectl create sa controller -n neuvector && \
   kubectl create sa enforcer -n neuvector && \
   kubectl create sa basic -n neuvector && \
   kubectl create sa updater -n neuvector && \
   kubectl create sa scanner -n neuvector && \
   kubectl create sa registry-adapter -n neuvector
   ```

2. On Kubernetes 1.25+ with Pod Security Admission (PSA), label the NeuVector namespace with the `privileged` profile so that the deployment is admitted on clusters where PSA is enforced. The enforcer runs as a privileged DaemonSet, so a namespace held at the `baseline` or `restricted` level would reject its pods.

   ```
   kubectl label namespace neuvector "pod-security.kubernetes.io/enforce=privileged"
   ```

3. On Kubernetes 1.19+, create the custom resource definitions (CRDs) for NeuVector security rules. Do this before the RBAC step below: `kubectl create clusterrole --resource=...` resolves resource names against the API server, so the `nv*` resources have to exist first.

   ```
   kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/crd-k8s-1.19.yaml
   kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/waf-crd-k8s-1.19.yaml
   kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/dlp-crd-k8s-1.19.yaml
   kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/com-crd-k8s-1.19.yaml
   kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/vul-crd-k8s-1.19.yaml
   kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/admission-crd-k8s-1.19.yaml
   ```

4.
   Create the ClusterRoles, Roles and bindings for the `controller` and `updater` service accounts. Two of these deserve a second look when reviewing what the controller is allowed to do: `neuvector-binding-admission` grants create/update/delete on webhook configurations, which the controller needs to register its own admission and CRD webhooks, and `neuvector-binding-view` binds the built-in `view` ClusterRole cluster-wide (read access to most namespaced objects, but not Secrets, which is why the separate namespaced `neuvector-binding-secret` role in the same block exists).

   ```
   kubectl create clusterrole neuvector-binding-app --verb=get,list,watch,update --resource=nodes,pods,services,namespaces && \
   kubectl create clusterrole neuvector-binding-rbac --verb=get,list,watch --resource=rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io && \
   kubectl create clusterrolebinding neuvector-binding-app --clusterrole=neuvector-binding-app --serviceaccount=neuvector:controller && \
   kubectl create clusterrolebinding neuvector-binding-rbac --clusterrole=neuvector-binding-rbac --serviceaccount=neuvector:controller && \
   kubectl create clusterrole neuvector-binding-admission --verb=get,list,watch,create,update,delete --resource=validatingwebhookconfigurations,mutatingwebhookconfigurations && \
   kubectl create clusterrolebinding neuvector-binding-admission --clusterrole=neuvector-binding-admission --serviceaccount=neuvector:controller && \
   kubectl create clusterrole neuvector-binding-customresourcedefinition --verb=watch,create,get,update --resource=customresourcedefinitions && \
   kubectl create clusterrolebinding neuvector-binding-customresourcedefinition --clusterrole=neuvector-binding-customresourcedefinition --serviceaccount=neuvector:controller && \
   kubectl create clusterrole neuvector-binding-nvsecurityrules --verb=get,list,delete --resource=nvsecurityrules,nvclustersecurityrules && \
   kubectl create clusterrole neuvector-binding-nvadmissioncontrolsecurityrules --verb=get,list,delete --resource=nvadmissioncontrolsecurityrules && \
   kubectl create clusterrole neuvector-binding-nvdlpsecurityrules --verb=get,list,delete --resource=nvdlpsecurityrules && \
   kubectl create clusterrole neuvector-binding-nvwafsecurityrules --verb=get,list,delete --resource=nvwafsecurityrules && \
   kubectl create clusterrolebinding neuvector-binding-nvsecurityrules --clusterrole=neuvector-binding-nvsecurityrules --serviceaccount=neuvector:controller && \
   kubectl create clusterrolebinding neuvector-binding-view --clusterrole=view --serviceaccount=neuvector:controller && \
   kubectl create clusterrolebinding neuvector-binding-nvwafsecurityrules --clusterrole=neuvector-binding-nvwafsecurityrules --serviceaccount=neuvector:controller && \
   kubectl create clusterrolebinding neuvector-binding-nvadmissioncontrolsecurityrules --clusterrole=neuvector-binding-nvadmissioncontrolsecurityrules --serviceaccount=neuvector:controller && \
   kubectl create clusterrolebinding neuvector-binding-nvdlpsecurityrules --clusterrole=neuvector-binding-nvdlpsecurityrules --serviceaccount=neuvector:controller && \
   kubectl create role neuvector-binding-scanner --verb=get,patch,update,watch --resource=deployments -n neuvector && \
   kubectl create rolebinding neuvector-binding-scanner --role=neuvector-binding-scanner --serviceaccount=neuvector:updater --serviceaccount=neuvector:controller -n neuvector && \
   kubectl create role neuvector-binding-secret --verb=get --resource=secrets -n neuvector && \
   kubectl create rolebinding neuvector-binding-secret --role=neuvector-binding-secret --serviceaccount=neuvector:controller -n neuvector && \
   kubectl create clusterrole neuvector-binding-nvcomplianceprofiles --verb=get,list,delete --resource=nvcomplianceprofiles && \
   kubectl create clusterrolebinding neuvector-binding-nvcomplianceprofiles --clusterrole=neuvector-binding-nvcomplianceprofiles --serviceaccount=neuvector:controller && \
   kubectl create clusterrole neuvector-binding-nvvulnerabilityprofiles --verb=get,list,delete --resource=nvvulnerabilityprofiles && \
   kubectl create clusterrolebinding neuvector-binding-nvvulnerabilityprofiles --clusterrole=neuvector-binding-nvvulnerabilityprofiles --serviceaccount=neuvector:controller
   ```

5.
   Run the following commands to check that the `neuvector/controller` and `neuvector/updater` service accounts were bound correctly. The list below omits the two profile bindings created at the end of step 4 (`neuvector-binding-nvcomplianceprofiles`, `neuvector-binding-nvvulnerabilityprofiles`); add them if you want to verify every binding.

   ```
   kubectl get ClusterRoleBinding neuvector-binding-app neuvector-binding-rbac neuvector-binding-admission neuvector-binding-customresourcedefinition neuvector-binding-nvsecurityrules neuvector-binding-view neuvector-binding-nvwafsecurityrules neuvector-binding-nvadmissioncontrolsecurityrules neuvector-binding-nvdlpsecurityrules -o wide
   ```

   * Output

   ```
   NAME                                               ROLE                                                           AGE   USERS   GROUPS   SERVICEACCOUNTS
   neuvector-binding-app                              ClusterRole/neuvector-binding-app                              54s                    neuvector/controller
   neuvector-binding-rbac                             ClusterRole/neuvector-binding-rbac                             54s                    neuvector/controller
   neuvector-binding-admission                        ClusterRole/neuvector-binding-admission                        54s                    neuvector/controller
   neuvector-binding-customresourcedefinition         ClusterRole/neuvector-binding-customresourcedefinition         53s                    neuvector/controller
   neuvector-binding-nvsecurityrules                  ClusterRole/neuvector-binding-nvsecurityrules                  52s                    neuvector/controller
   neuvector-binding-view                             ClusterRole/view                                               52s                    neuvector/controller
   neuvector-binding-nvwafsecurityrules               ClusterRole/neuvector-binding-nvwafsecurityrules               52s                    neuvector/controller
   neuvector-binding-nvadmissioncontrolsecurityrules  ClusterRole/neuvector-binding-nvadmissioncontrolsecurityrules  51s                    neuvector/controller
   neuvector-binding-nvdlpsecurityrules               ClusterRole/neuvector-binding-nvdlpsecurityrules               51s                    neuvector/controller
   ```

   * Check

   ```
   kubectl get RoleBinding neuvector-binding-scanner -n neuvector -o wide
   ```

   * Output

   ```
   NAME                        ROLE                             AGE    USERS   GROUPS   SERVICEACCOUNTS
   neuvector-binding-scanner   Role/neuvector-binding-scanner   107s                    neuvector/updater, neuvector/controller
   ```

6. Create the main NeuVector Services and Pods.

   > Note: the web UI Service in this manifest is of type `LoadBalancer`, so the cluster must be able to provision `LoadBalancer` Services. Without a load-balancer provider the `EXTERNAL-IP` stays `<pending>` and the UI is only reachable through the NodePort or port-forwarding. The manifest is taken from the `5.3.0` directory of the manifests repository; check that the image tags inside it match the NeuVector version you intend to run.

   ```
   kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/neuvector-k8s.yaml
   ```

7.
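The checks from step 3 (CRDs present) and step 5 (bindings correct), as a script. This is an added example, not part of the NeuVector docs or manifests. Both check functions read `kubectl` jsonpath output from stdin, so they run against a live cluster or, as in the demo at the bottom, against a constructed sample. It assumes the CRD API group is `neuvector.com` (as in the linked manifests) and that every ClusterRoleBinding from step 4 should bind only the `neuvector/controller` service account; besides the `-o wide` eyeballing above it also flags a binding whose roleRef has been changed (for example to `cluster-admin`) or that has picked up an extra subject.

```bash
#!/usr/bin/env bash
# Scripted form of the step 3 (CRDs) and step 5 (bindings) checks.
# Both check functions read kubectl output from stdin:
#   kubectl get crd -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.conditions[?(@.type=="Established")].status}{"\n"}{end}' | nv_check_crds
#   kubectl get clusterrolebinding -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.namespace}:{.name}{" "}{end}{"\n"}{end}' | nv_check_bindings

# CRDs created in step 3; the API group neuvector.com is assumed from the manifests.
NV_CRDS="nvsecurityrules nvclustersecurityrules nvwafsecurityrules nvdlpsecurityrules nvcomplianceprofiles nvvulnerabilityprofiles nvadmissioncontrolsecurityrules"

# ClusterRoleBindings created in step 4, as "<binding> <clusterrole>" pairs.
# Each is expected to bind exactly one subject: ServiceAccount neuvector/controller.
NV_BINDINGS='neuvector-binding-app neuvector-binding-app
neuvector-binding-rbac neuvector-binding-rbac
neuvector-binding-admission neuvector-binding-admission
neuvector-binding-customresourcedefinition neuvector-binding-customresourcedefinition
neuvector-binding-nvsecurityrules neuvector-binding-nvsecurityrules
neuvector-binding-view view
neuvector-binding-nvwafsecurityrules neuvector-binding-nvwafsecurityrules
neuvector-binding-nvadmissioncontrolsecurityrules neuvector-binding-nvadmissioncontrolsecurityrules
neuvector-binding-nvdlpsecurityrules neuvector-binding-nvdlpsecurityrules
neuvector-binding-nvcomplianceprofiles neuvector-binding-nvcomplianceprofiles
neuvector-binding-nvvulnerabilityprofiles neuvector-binding-nvvulnerabilityprofiles'

# Exit 1 if any NeuVector CRD is missing or not yet Established; other CRDs are ignored.
nv_check_crds() {
  awk -F '\t' -v want="$NV_CRDS" '
    BEGIN { n = split(want, c, " "); for (i = 1; i <= n; i++) need[c[i] ".neuvector.com"] = 1 }
    ($1 in need) {
      seen[$1] = 1
      if ($2 != "True") { printf "FAIL crd %s is not Established (status %s)\n", $1, $2; bad++ }
    }
    END {
      for (k in need) if (!(k in seen)) { printf "FAIL crd %s is missing\n", k; bad++ }
      if (bad) exit 1
      print "OK: all NeuVector CRDs are present and Established"
    }'
}

# Exit 1 if a binding is missing, points at a different ClusterRole than step 4
# created it with, or carries any subject other than neuvector/controller.
nv_check_bindings() {
  awk -F '\t' -v want="$NV_BINDINGS" '
    BEGIN { n = split(want, l, "\n"); for (i = 1; i <= n; i++) { split(l[i], f, " "); role[f[1]] = f[2] } }
    ($1 in role) {
      seen[$1] = 1
      sub(/ +$/, "", $3)
      if ($2 != role[$1]) { printf "FAIL %s: roleRef is %s, expected %s\n", $1, $2, role[$1]; bad++ }
      if ($3 != "ServiceAccount:neuvector:controller") { printf "FAIL %s: subjects are \"%s\", expected only ServiceAccount:neuvector:controller\n", $1, $3; bad++ }
    }
    END {
      for (b in role) if (!(b in seen)) { printf "FAIL %s: binding is missing\n", b; bad++ }
      if (bad) exit 1
      print "OK: all NeuVector ClusterRoleBindings are bound only to neuvector/controller"
    }'
}

# Constructed sample input (what the two kubectl commands print on a healthy
# install), so the script can be exercised without a cluster.
nv_sample_crds() {
  for c in $NV_CRDS; do printf '%s.neuvector.com\tTrue\n' "$c"; done
}
nv_sample_bindings() {
  printf '%s\n' "$NV_BINDINGS" | while read -r name role; do
    printf '%s\t%s\tServiceAccount:neuvector:controller \n' "$name" "$role"
  done
}

# Demo against the constructed sample; swap the sample functions for the kubectl
# commands in the header to check a live cluster.
nv_sample_crds | nv_check_crds
nv_sample_bindings | nv_check_bindings
```

The namespaced RoleBindings (`neuvector-binding-scanner`, `neuvector-binding-secret`) are not covered here; check those with the `kubectl get RoleBinding ... -n neuvector -o wide` command from step 5.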
   Check the NeuVector environment. Wait until the controller Deployment and the enforcer DaemonSet are fully available before logging in.

   ```
   kubectl -n neuvector get all
   ```

   * Output

   ```
   NAME                                            READY   STATUS    RESTARTS   AGE
   pod/neuvector-controller-pod-574dc86d7b-bxn77   1/1     Running   0          5m20s
   pod/neuvector-controller-pod-574dc86d7b-tkd5k   1/1     Running   0          5m20s
   pod/neuvector-controller-pod-574dc86d7b-w6vqq   1/1     Running   0          5m20s
   pod/neuvector-enforcer-pod-84qdh                1/1     Running   0          5m20s
   pod/neuvector-enforcer-pod-dhrwp                1/1     Running   0          5m20s
   pod/neuvector-enforcer-pod-jxs7k                1/1     Running   0          5m20s
   pod/neuvector-enforcer-pod-rc7lm                1/1     Running   0          5m20s
   pod/neuvector-manager-pod-76749f57c-wfjt6       1/1     Running   0          5m20s
   pod/neuvector-scanner-pod-787774b697-7dznh      1/1     Running   0          5m20s
   pod/neuvector-scanner-pod-787774b697-zpcf9      1/1     Running   0          5m20s

   NAME                                      TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)                         AGE
   service/neuvector-service-webui           LoadBalancer   10.43.97.8      192.168.11.146   8443:30923/TCP                  5m21s
   service/neuvector-svc-admission-webhook   ClusterIP      10.43.229.118   <none>           443/TCP                         5m21s
   service/neuvector-svc-controller          ClusterIP      None            <none>           18300/TCP,18301/TCP,18301/UDP   5m21s
   service/neuvector-svc-crd-webhook         ClusterIP      10.43.152.38    <none>           443/TCP                         5m21s

   NAME                                    DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
   daemonset.apps/neuvector-enforcer-pod   4         4         4       4            4           <none>          5m20s

   NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
   deployment.apps/neuvector-controller-pod   3/3     3            3           5m20s
   deployment.apps/neuvector-manager-pod      1/1     1            1           5m20s
   deployment.apps/neuvector-scanner-pod      2/2     2            2           5m20s

   NAME                                                  DESIRED   CURRENT   READY   AGE
   replicaset.apps/neuvector-controller-pod-574dc86d7b   3         3         3       5m20s
   replicaset.apps/neuvector-manager-pod-76749f57c       1         1         1       5m20s
   replicaset.apps/neuvector-scanner-pod-787774b697      2         2         2       5m20s

   NAME                                  SCHEDULE    SUSPEND   ACTIVE   LAST SCHEDULE   AGE
   cronjob.batch/neuvector-updater-pod   0 0 * * *   False     0        <none>          5m20s
   ```

## Logging in to NeuVector

* Account/password: `admin`/`admin`. Change the default password at first login; the console is published outside the cluster through the `LoadBalancer` Service, so anyone who can reach that address can try the default.
* Check the Service for the external address, then log in at `https://192.168.11.146:8443`.

  ```
  kubectl get svc -n neuvector neuvector-service-webui
  ```

* Output

  ```
  NAME                      TYPE           CLUSTER-IP   EXTERNAL-IP      PORT(S)          AGE
  neuvector-service-webui   LoadBalancer   10.43.97.8   192.168.11.146   8443:30923/TCP   6m21s
  ```

* Login screen

  ![image](https://hackmd.io/_uploads/SkqQPj54C.png)

## Deploying with Helm

* The following was done on an rke2 cluster. rke2 exposes its containerd socket at the k3s path, which is why the `k3s` values are enabled so the enforcer can find the runtime.

  ```
  $ helm repo add neuvector https://neuvector.github.io/neuvector-helm/
  $ helm search repo neuvector/core
  NAME             CHART VERSION   APP VERSION   DESCRIPTION
  neuvector/core   2.7.6           5.3.2         Helm chart for NeuVector's core services
  $ helm show values neuvector/core --version 2.7.6 > neuvector-values.yaml
  $ nano neuvector-values.yaml
  ......
  k3s:
    enabled: true
    runtimePath: /run/k3s/containerd/containerd.sock
  $ kubectl create ns neuvector
  $ helm install neuvector neuvector/core --version 2.7.6 --namespace neuvector --values neuvector-values.yaml
  ```

* Environment check

  ```
  $ kubectl -n neuvector get po
  NAME                                       READY   STATUS    RESTARTS   AGE
  neuvector-controller-pod-f7b49c6dc-8xzvt   1/1     Running   0          65s
  neuvector-controller-pod-f7b49c6dc-mv728   1/1     Running   0          65s
  neuvector-controller-pod-f7b49c6dc-nkvk8   1/1     Running   0          65s
  neuvector-enforcer-pod-jvgj8               1/1     Running   0          65s
  neuvector-manager-pod-6945bb7858-4rfxw     1/1     Running   0          65s
  neuvector-scanner-pod-654b465b64-bzhg8     1/1     Running   0          65s
  neuvector-scanner-pod-654b465b64-mkmcl     1/1     Running   0          65s
  neuvector-scanner-pod-654b465b64-vhpzh     1/1     Running   0          65s
  ```

* Offline install: fetch the chart archive. This fetches chart 2.8.6, a newer chart than the 2.7.6 used above that maps to a different NeuVector app version; `helm search repo neuvector/core -l` lists every chart version with its app version, so pick the one matching the release you intend to deploy. The chart archive alone does not make the install air-gapped: the container images the chart references (its `registry`/`tag` values) must also be reachable from the cluster.

  ```
  $ helm fetch neuvector/core --version=2.8.6
  $ ls -l core*
  -rw-r--r-- 1 root root 34125 May 20 13:54 core-2.8.6.tgz
  ```

* Deploy NeuVector

  ```
  $ kubectl create namespace neuvector
  $ nano neuvector-values.yaml
  ......
  k3s:
    enabled: true
    runtimePath: /run/k3s/containerd/containerd.sock
  $ helm install neuvector core-2.8.6.tgz \
      -n neuvector \
      -f neuvector-values.yaml
  ```

## References

https://open-docs.neuvector.com/deploying/kubernetes/