OCP 4.18 + NeuVector 5.4.1

:::warning
Use the latest stable version of the images. Push the images to the registry specified by the customer first.
:::

# 1. Create the related project and accounts

```shell=
oc create sa controller -n neuvector
oc create sa enforcer -n neuvector
oc create sa basic -n neuvector
oc create sa updater -n neuvector
oc create sa scanner -n neuvector
oc create sa registry-adapter -n neuvector
oc create sa cert-upgrader -n neuvector
oc -n neuvector adm policy add-scc-to-user privileged -z enforcer

serviceaccount/controller created
serviceaccount/enforcer created
serviceaccount/basic created
serviceaccount/updater created
serviceaccount/scanner created
serviceaccount/registry-adapter created
serviceaccount/cert-upgrader created
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:privileged added: "enforcer"
```

# 2. Create the NeuVector controller and set up its configuration

```yaml=
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: neuvector-scc-controller
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- azureFile
- projected
- secret
```

**Create the SCC**

```shell=
oc apply -f neuvector-scc-controller.yaml

securitycontextconstraints.security.openshift.io/neuvector-scc-controller created
```

# 3. Set up the related roles

```shell=
oc -n neuvector adm policy add-scc-to-user neuvector-scc-controller -z controller

clusterrole.rbac.authorization.k8s.io/system:openshift:scc:neuvector-scc-controller added: "controller"

oc get rolebinding system:openshift:scc:privileged -n neuvector -o wide

NAME                              ROLE                                          AGE    USERS   GROUPS   SERVICEACCOUNTS
system:openshift:scc:privileged   ClusterRole/system:openshift:scc:privileged   9m3s                    neuvector/enforcer

oc get rolebinding system:openshift:scc:neuvector-scc-controller -n neuvector -o wide

NAME                                            ROLE                                                        AGE    USERS   GROUPS   SERVICEACCOUNTS
system:openshift:scc:neuvector-scc-controller   ClusterRole/system:openshift:scc:neuvector-scc-controller   2m6s                    neuvector/controller
```

# 4. Create the related CRDs

```shell=
# oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/waf-crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/dlp-crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/com-crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/vul-crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/admission-crd-k8s-1.19.yaml
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/5.4.3_group-definition-k8s.yaml

customresourcedefinition.apiextensions.k8s.io/nvsecurityrules.neuvector.com created
customresourcedefinition.apiextensions.k8s.io/nvclustersecurityrules.neuvector.com created
customresourcedefinition.apiextensions.k8s.io/nvwafsecurityrules.neuvector.com created
customresourcedefinition.apiextensions.k8s.io/nvdlpsecurityrules.neuvector.com created
customresourcedefinition.apiextensions.k8s.io/nvcomplianceprofiles.neuvector.com created
customresourcedefinition.apiextensions.k8s.io/nvvulnerabilityprofiles.neuvector.com created
customresourcedefinition.apiextensions.k8s.io/nvadmissioncontrolsecurityrules.neuvector.com created
customresourcedefinition.apiextensions.k8s.io/nvgroupdefinitions.neuvector.com created
```

# 5. Create the required accounts, rolebindings, etc.

:::info
Note the file on line 28: if you downloaded the definition file, change the path accordingly.
:::

```shell=
oc create clusterrole neuvector-binding-app --verb=get,list,watch,update --resource=nodes,pods,services,namespaces
oc create clusterrole neuvector-binding-rbac --verb=get,list,watch --resource=rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,imagestreams.image.openshift.io
oc adm policy add-cluster-role-to-user neuvector-binding-app system:serviceaccount:neuvector:controller
oc adm policy add-cluster-role-to-user neuvector-binding-rbac system:serviceaccount:neuvector:controller
oc create clusterrole neuvector-binding-admission --verb=get,list,watch,create,update,delete --resource=validatingwebhookconfigurations,mutatingwebhookconfigurations
oc adm policy add-cluster-role-to-user neuvector-binding-admission system:serviceaccount:neuvector:controller
oc create clusterrole neuvector-binding-customresourcedefinition --verb=watch,create,get,update --resource=customresourcedefinitions
oc adm policy add-cluster-role-to-user neuvector-binding-customresourcedefinition system:serviceaccount:neuvector:controller
oc create clusterrole neuvector-binding-nvsecurityrules --verb=get,list,delete --resource=nvsecurityrules,nvclustersecurityrules
oc create clusterrole neuvector-binding-nvadmissioncontrolsecurityrules --verb=get,list,delete --resource=nvadmissioncontrolsecurityrules
oc create clusterrole neuvector-binding-nvdlpsecurityrules --verb=get,list,delete --resource=nvdlpsecurityrules
oc create clusterrole neuvector-binding-nvwafsecurityrules --verb=get,list,delete --resource=nvwafsecurityrules
oc adm policy add-cluster-role-to-user neuvector-binding-nvsecurityrules system:serviceaccount:neuvector:controller
oc adm policy add-cluster-role-to-user view system:serviceaccount:neuvector:controller --rolebinding-name=neuvector-binding-view
oc adm policy add-cluster-role-to-user neuvector-binding-nvwafsecurityrules system:serviceaccount:neuvector:controller
oc adm policy add-cluster-role-to-user neuvector-binding-nvadmissioncontrolsecurityrules system:serviceaccount:neuvector:controller
oc adm policy add-cluster-role-to-user neuvector-binding-nvdlpsecurityrules system:serviceaccount:neuvector:controller
oc create role neuvector-binding-scanner --verb=get,patch,update,watch --resource=deployments -n neuvector
oc adm policy add-role-to-user neuvector-binding-scanner system:serviceaccount:neuvector:updater system:serviceaccount:neuvector:controller -n neuvector --role-namespace neuvector
oc create clusterrole neuvector-binding-co --verb=get,list --resource=clusteroperators
oc adm policy add-cluster-role-to-user neuvector-binding-co system:serviceaccount:neuvector:enforcer system:serviceaccount:neuvector:controller
oc create role neuvector-binding-secret --verb=get,list,watch --resource=secrets -n neuvector
oc adm policy add-role-to-user neuvector-binding-secret system:serviceaccount:neuvector:controller system:serviceaccount:neuvector:enforcer system:serviceaccount:neuvector:scanner system:serviceaccount:neuvector:registry-adapter -n neuvector --role-namespace neuvector
oc create clusterrole neuvector-binding-nvcomplianceprofiles --verb=get,list,delete --resource=nvcomplianceprofiles
oc create clusterrolebinding neuvector-binding-nvcomplianceprofiles --clusterrole=neuvector-binding-nvcomplianceprofiles --serviceaccount=neuvector:controller
oc create clusterrole neuvector-binding-nvvulnerabilityprofiles --verb=get,list,delete --resource=nvvulnerabilityprofiles
oc create clusterrolebinding neuvector-binding-nvvulnerabilityprofiles --clusterrole=neuvector-binding-nvvulnerabilityprofiles --serviceaccount=neuvector:controller
oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/neuvector-roles-k8s.yaml
oc create role neuvector-binding-lease --verb=create,get,update --resource=leases -n neuvector
oc adm policy add-role-to-user neuvector-binding-cert-upgrader system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
oc adm policy add-role-to-user neuvector-binding-job-creation system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
oc adm policy add-role-to-user neuvector-binding-lease system:serviceaccount:neuvector:controller system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
oc create clusterrole neuvector-binding-nvgroupdefinitions --verb=get,list,delete --resource=nvgroupdefinitions
oc create clusterrolebinding neuvector-binding-nvgroupdefinitions --clusterrole=neuvector-binding-nvgroupdefinitions --serviceaccount=neuvector:controller

clusterrole.rbac.authorization.k8s.io/neuvector-binding-app created
clusterrole.rbac.authorization.k8s.io/neuvector-binding-rbac created
clusterrole.rbac.authorization.k8s.io/neuvector-binding-app added: "system:serviceaccount:neuvector:controller"
clusterrole.rbac.authorization.k8s.io/neuvector-binding-rbac added: "system:serviceaccount:neuvector:controller"
clusterrole.rbac.authorization.k8s.io/neuvector-binding-admission created
clusterrole.rbac.authorization.k8s.io/neuvector-binding-admission added: "system:serviceaccount:neuvector:controller"
clusterrole.rbac.authorization.k8s.io/neuvector-binding-customresourcedefinition created
clusterrole.rbac.authorization.k8s.io/neuvector-binding-customresourcedefinition added: "system:serviceaccount:neuvector:controller"
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvsecurityrules created
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvadmissioncontrolsecurityrules created
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvdlpsecurityrules created
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvwafsecurityrules created
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvsecurityrules added: "system:serviceaccount:neuvector:controller"
clusterrole.rbac.authorization.k8s.io/view added: "system:serviceaccount:neuvector:controller"
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvwafsecurityrules added: "system:serviceaccount:neuvector:controller"
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvadmissioncontrolsecurityrules added: "system:serviceaccount:neuvector:controller"
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvdlpsecurityrules added: "system:serviceaccount:neuvector:controller"
role.rbac.authorization.k8s.io/neuvector-binding-scanner created
role.rbac.authorization.k8s.io/neuvector-binding-scanner added: ["system:serviceaccount:neuvector:updater" "system:serviceaccount:neuvector:controller"]
clusterrole.rbac.authorization.k8s.io/neuvector-binding-co created
clusterrole.rbac.authorization.k8s.io/neuvector-binding-co added: ["system:serviceaccount:neuvector:enforcer" "system:serviceaccount:neuvector:controller"]
role.rbac.authorization.k8s.io/neuvector-binding-secret created
role.rbac.authorization.k8s.io/neuvector-binding-secret added: ["system:serviceaccount:neuvector:controller" "system:serviceaccount:neuvector:enforcer" "system:serviceaccount:neuvector:scanner" "system:serviceaccount:neuvector:registry-adapter"]
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvcomplianceprofiles created
clusterrolebinding.rbac.authorization.k8s.io/neuvector-binding-nvcomplianceprofiles created
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvvulnerabilityprofiles created
clusterrolebinding.rbac.authorization.k8s.io/neuvector-binding-nvvulnerabilityprofiles created
role.rbac.authorization.k8s.io/neuvector-binding-cert-upgrader created
role.rbac.authorization.k8s.io/neuvector-binding-job-creation created
role.rbac.authorization.k8s.io/neuvector-binding-lease created
role.rbac.authorization.k8s.io/neuvector-binding-cert-upgrader added: "system:serviceaccount:neuvector:cert-upgrader"
role.rbac.authorization.k8s.io/neuvector-binding-job-creation added: "system:serviceaccount:neuvector:cert-upgrader"
role.rbac.authorization.k8s.io/neuvector-binding-lease added: ["system:serviceaccount:neuvector:controller" "system:serviceaccount:neuvector:cert-upgrader"]
clusterrole.rbac.authorization.k8s.io/neuvector-binding-nvgroupdefinitions created
clusterrolebinding.rbac.authorization.k8s.io/neuvector-binding-nvgroupdefinitions created
```

# 6. Confirm that the accounts, roles, etc. were all created

```shell=
oc get ClusterRoleBinding neuvector-binding-app neuvector-binding-rbac neuvector-binding-admission neuvector-binding-customresourcedefinition neuvector-binding-nvsecurityrules neuvector-binding-view neuvector-binding-nvwafsecurityrules neuvector-binding-nvadmissioncontrolsecurityrules neuvector-binding-nvdlpsecurityrules neuvector-binding-co -o wide

NAME                                                ROLE                                                            AGE   USERS   GROUPS   SERVICEACCOUNTS
neuvector-binding-app                               ClusterRole/neuvector-binding-app                               55s                    neuvector/controller
neuvector-binding-rbac                              ClusterRole/neuvector-binding-rbac                              54s                    neuvector/controller
neuvector-binding-admission                         ClusterRole/neuvector-binding-admission                         54s                    neuvector/controller
neuvector-binding-customresourcedefinition          ClusterRole/neuvector-binding-customresourcedefinition          54s                    neuvector/controller
neuvector-binding-nvsecurityrules                   ClusterRole/neuvector-binding-nvsecurityrules                   53s                    neuvector/controller
neuvector-binding-view                              ClusterRole/view                                                52s                    neuvector/controller
neuvector-binding-nvwafsecurityrules                ClusterRole/neuvector-binding-nvwafsecurityrules                52s                    neuvector/controller
neuvector-binding-nvadmissioncontrolsecurityrules   ClusterRole/neuvector-binding-nvadmissioncontrolsecurityrules   52s                    neuvector/controller
neuvector-binding-nvdlpsecurityrules                ClusterRole/neuvector-binding-nvdlpsecurityrules                52s                    neuvector/controller
neuvector-binding-co                                ClusterRole/neuvector-binding-co                                51s                    neuvector/enforcer, neuvector/controller

oc get RoleBinding neuvector-binding-scanner neuvector-binding-cert-upgrader neuvector-binding-job-creation neuvector-binding-lease neuvector-binding-secret -n neuvector -o wide

NAME                              ROLE                                   AGE   USERS   GROUPS   SERVICEACCOUNTS
neuvector-binding-scanner         Role/neuvector-binding-scanner         96s                    neuvector/updater, neuvector/controller
neuvector-binding-cert-upgrader   Role/neuvector-binding-cert-upgrader   94s                    neuvector/cert-upgrader
neuvector-binding-job-creation    Role/neuvector-binding-job-creation    93s                    neuvector/cert-upgrader
neuvector-binding-lease           Role/neuvector-binding-lease           93s                    neuvector/controller, neuvector/cert-upgrader
neuvector-binding-secret          Role/neuvector-binding-secret          96s                    neuvector/controller, neuvector/enforcer, neuvector/scanner, neuvector/registry-adapter
```

# 7. Create the federation services (if needed)

```shell=
[root@bastion ~]# vim federate.yaml
[root@bastion ~]# oc create -f federate.yaml
service/neuvector-service-controller-fed-master created
service/neuvector-service-controller-fed-worker created
```

**federate.yaml**

```yaml=
apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-controller-fed-master
  namespace: neuvector
spec:
  ports:
  - port: 11443
    name: fed
    protocol: TCP
  type: LoadBalancer
  selector:
    app: neuvector-controller-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-controller-fed-worker
  namespace: neuvector
spec:
  ports:
  - port: 10443
    name: fed
    protocol: TCP
  type: LoadBalancer
  selector:
    app: neuvector-controller-pod
```

# 8. Create NeuVector

```shell=
[root@bastion ~]# vim neuvector.yaml
[root@bastion ~]# oc create -f neuvector.yaml
service/neuvector-svc-crd-webhook created
service/neuvector-svc-admission-webhook created
service/neuvector-service-webui created
service/neuvector-svc-controller created
route.route.openshift.io/neuvector-route-webui created
deployment.apps/neuvector-manager-pod created
deployment.apps/neuvector-controller-pod created
Warning: spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/neuvector-enforcer-pod]: deprecated since v1.30; use the "appArmorProfile" field instead
daemonset.apps/neuvector-enforcer-pod created
deployment.apps/neuvector-scanner-pod created
cronjob.batch/neuvector-updater-pod created
```

**neuvector.yaml**

:::spoiler
```yaml=
apiVersion: v1
kind: Service
metadata:
  name: neuvector-svc-crd-webhook
  namespace: neuvector
spec:
  ports:
  - port: 443
    targetPort: 30443
    protocol: TCP
    name: crd-webhook
  type: ClusterIP
  selector:
    app: neuvector-controller-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-svc-admission-webhook
  namespace: neuvector
spec:
  ports:
  - port: 443
    targetPort: 20443
    protocol: TCP
    name: admission-webhook
  type: ClusterIP
  selector:
    app: neuvector-controller-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-webui
  namespace: neuvector
spec:
  ports:
  - port: 8443
    name: manager
    protocol: TCP
  type: ClusterIP
  selector:
    app: neuvector-manager-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-svc-controller
  namespace: neuvector
spec:
  ports:
  - port: 18300
    protocol: "TCP"
    name: "cluster-tcp-18300"
  - port: 18301
    protocol: "TCP"
    name: "cluster-tcp-18301"
  - port: 18301
    protocol: "UDP"
    name: "cluster-udp-18301"
  clusterIP: None
  selector:
    app: neuvector-controller-pod
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: neuvector-route-webui
  namespace: neuvector
spec:
  to:
    kind: Service
    name: neuvector-service-webui
  port:
    targetPort: manager
  tls:
    termination: passthrough
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: neuvector-manager-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-manager-pod
  replicas: 1
  template:
    metadata:
      labels:
        app: neuvector-manager-pod
    spec:
      serviceAccountName: basic
      serviceAccount: basic
      containers:
      - name: neuvector-manager-pod
        image: image-registry.openshift-image-registry.svc:5000/neuvector/manager:<version>
        env:
        - name: CTRL_SERVER_IP
          value: neuvector-svc-controller.neuvector
      restartPolicy: Always
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: neuvector-controller-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-controller-pod
  minReadySeconds: 60
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  replicas: 3
  template:
    metadata:
      labels:
        app: neuvector-controller-pod
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - neuvector-controller-pod
              topologyKey: "kubernetes.io/hostname"
      serviceAccountName: controller
      serviceAccount: controller
      containers:
      - name: neuvector-controller-pod
        image: image-registry.openshift-image-registry.svc:5000/neuvector/controller:<version>
        securityContext:
          runAsUser: 0
        readinessProbe:
          exec:
            command:
            - cat
            - /tmp/ready
          initialDelaySeconds: 5
          periodSeconds: 5
        env:
        - name: CLUSTER_JOIN_ADDR
          value: neuvector-svc-controller.neuvector
        - name: CLUSTER_ADVERTISED_ADDR
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: CLUSTER_BIND_ADDR
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        # - name: CTRL_PERSIST_CONFIG
        #   value: "1"
        volumeMounts:
        # - mountPath: /var/neuvector
        #   name: nv-share
        #   readOnly: false
        - mountPath: /etc/config
          name: config-volume
          readOnly: true
      terminationGracePeriodSeconds: 300
      restartPolicy: Always
      volumes:
      # - name: nv-share
      #   persistentVolumeClaim:
      #     claimName: neuvector-data
      - name: config-volume
        projected:
          sources:
          - configMap:
              name: neuvector-init
              optional: true
          - secret:
              name: neuvector-init
              optional: true
          - secret:
              name: neuvector-secret
              optional: true
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: neuvector-enforcer-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-enforcer-pod
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: neuvector-enforcer-pod
      annotations:
        container.apparmor.security.beta.kubernetes.io/neuvector-enforcer-pod: unconfined
        # Add the following for pre-v1.19
        # container.seccomp.security.alpha.kubernetes.io/neuvector-enforcer-pod: unconfined
    spec:
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
      hostPID: true
      serviceAccountName: enforcer
      serviceAccount: enforcer
      containers:
      - name: neuvector-enforcer-pod
        image: image-registry.openshift-image-registry.svc:5000/neuvector/enforcer:<version>
        securityContext:
          # openshift
          seLinuxOptions:
            type: unconfined_t
          # the following two lines are required for k8s v1.19+. pls comment out both lines if version is pre-1.19. Otherwise, a validating data error message will show
          seccompProfile:
            type: Unconfined
          capabilities:
            add:
            - SYS_ADMIN
            - NET_ADMIN
            - SYS_PTRACE
            - IPC_LOCK
            - NET_RAW
            - SYS_CHROOT
            - MKNOD
            - AUDIT_WRITE
            - SETFCAP
        env:
        - name: CLUSTER_JOIN_ADDR
          value: neuvector-svc-controller.neuvector
        - name: CLUSTER_ADVERTISED_ADDR
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: CLUSTER_BIND_ADDR
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        volumeMounts:
        - mountPath: /lib/modules
          name: modules-vol
          readOnly: true
        # - mountPath: /run/runtime.sock
        #   name: runtime-sock
        #   readOnly: true
        # - mountPath: /host/proc
        #   name: proc-vol
        #   readOnly: true
        # - mountPath: /host/cgroup
        #   name: cgroup-vol
        #   readOnly: true
        - mountPath: /var/nv_debug
          name: nv-debug
          readOnly: false
      terminationGracePeriodSeconds: 1200
      restartPolicy: Always
      volumes:
      - name: modules-vol
        hostPath:
          path: /lib/modules
      # - name: runtime-sock
      #   hostPath:
      #     path: /var/run/crio/crio.sock
      # - name: proc-vol
      #   hostPath:
      #     path: /proc
      # - name: cgroup-vol
      #   hostPath:
      #     path: /sys/fs/cgroup
      - name: nv-debug
        hostPath:
          path: /var/nv_debug
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: neuvector-scanner-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-scanner-pod
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  replicas: 2
  template:
    metadata:
      labels:
        app: neuvector-scanner-pod
    spec:
      serviceAccountName: scanner
      serviceAccount: scanner
      containers:
      - name: neuvector-scanner-pod
        image: image-registry.openshift-image-registry.svc:5000/neuvector/scanner:<version>
        imagePullPolicy: Always
        env:
        - name: CLUSTER_JOIN_ADDR
          value: neuvector-svc-controller.neuvector
      restartPolicy: Always
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: neuvector-updater-pod
  namespace: neuvector
spec:
  schedule: "0 0 * * *"
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: neuvector-updater-pod
        spec:
          serviceAccountName: updater
          serviceAccount: updater
          containers:
          - name: neuvector-updater-pod
            image: image-registry.openshift-image-registry.svc:5000/neuvector/updater:<version>
            imagePullPolicy: Always
            command:
            - /bin/sh
            - -c
            - TOKEN=`cat /var/run/secrets/kubernetes.io/serviceaccount/token`; /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $TOKEN" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'
          restartPolicy: Never
```
:::

# 9. Confirm the connection information

:::info
When connecting, make sure the local machine you are using has a correct hosts entry pointing to the NeuVector URL.
:::

```shell=
oc get svc,route -owide

NAME                                              TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                         AGE   SELECTOR
service/neuvector-service-controller-fed-master   NodePort    172.30.48.236    <none>        11443:32007/TCP                 20h   app=neuvector-controller-pod
service/neuvector-service-controller-fed-worker   NodePort    172.30.196.154   <none>        10443:32455/TCP                 20h   app=neuvector-controller-pod
service/neuvector-service-webui                   ClusterIP   172.30.146.255   <none>        8443/TCP                        20h   app=neuvector-manager-pod
service/neuvector-svc-admission-webhook           ClusterIP   172.30.6.62      <none>        443/TCP                         20h   app=neuvector-controller-pod
service/neuvector-svc-controller                  ClusterIP   None             <none>        18300/TCP,18301/TCP,18301/UDP   20h   app=neuvector-controller-pod
service/neuvector-svc-crd-webhook                 ClusterIP   172.30.36.152    <none>        443/TCP                         20h   app=neuvector-controller-pod

NAME                                             HOST/PORT                                                 PATH   SERVICES                  PORT      TERMINATION   WILDCARD
route.route.openshift.io/neuvector-route-webui   neuvector-route-webui-neuvector.apps.container.demo.com          neuvector-service-webui   manager   passthrough   None
```

:::info
If no default credentials were defined, log in with admin / admin.
:::

# 10. References and notes

[1. Official documentation; following it should basically succeed.](https://open-docs.neuvector.com/deploying/openshift)

:::info
If the nodes have taints, add a nodeSelector and node label to the related pods; otherwise you will most likely see the DaemonSet start no pods.
:::
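Step 6 confirms the bindings by eye from `oc get ... -o wide`. The following script is an added example (not from the original page and not NeuVector's own tooling) that does the same check programmatically: it takes the expected binding table from steps 5 and 6, reads the JSON shape that `oc get clusterrolebinding -o json` / `oc get rolebinding -n neuvector -o json` produce, and reports any binding that is missing, points at a different role, lacks a required ServiceAccount subject, or carries an extra subject that widens the grant. The embedded `SAMPLE_CLUSTER_BINDINGS` data is constructed for the demonstration (one correct binding, one with a missing subject, one referencing the wrong role); it is not output from the author's cluster.

```python
"""Verify that the NeuVector RBAC bindings from steps 5 and 6 exist with the expected
role and ServiceAccount subjects.

Real input is the JSON from `oc get clusterrolebinding -o json` and
`oc get rolebinding -n neuvector -o json`; a constructed sample is embedded below so
the script runs offline.
"""
import json

CTRL = ("neuvector", "controller")

# Expected ClusterRoleBindings: name -> (ClusterRole it must reference, required subjects).
EXPECTED_CLUSTER_BINDINGS = {
    "neuvector-binding-app": ("neuvector-binding-app", {CTRL}),
    "neuvector-binding-rbac": ("neuvector-binding-rbac", {CTRL}),
    "neuvector-binding-admission": ("neuvector-binding-admission", {CTRL}),
    "neuvector-binding-customresourcedefinition": ("neuvector-binding-customresourcedefinition", {CTRL}),
    "neuvector-binding-nvsecurityrules": ("neuvector-binding-nvsecurityrules", {CTRL}),
    "neuvector-binding-view": ("view", {CTRL}),
    "neuvector-binding-nvwafsecurityrules": ("neuvector-binding-nvwafsecurityrules", {CTRL}),
    "neuvector-binding-nvadmissioncontrolsecurityrules": ("neuvector-binding-nvadmissioncontrolsecurityrules", {CTRL}),
    "neuvector-binding-nvdlpsecurityrules": ("neuvector-binding-nvdlpsecurityrules", {CTRL}),
    "neuvector-binding-co": ("neuvector-binding-co", {("neuvector", "enforcer"), CTRL}),
}

# Expected RoleBindings in the neuvector namespace: name -> (Role name, required subjects).
EXPECTED_ROLE_BINDINGS = {
    "neuvector-binding-scanner": ("neuvector-binding-scanner", {("neuvector", "updater"), CTRL}),
    "neuvector-binding-cert-upgrader": ("neuvector-binding-cert-upgrader", {("neuvector", "cert-upgrader")}),
    "neuvector-binding-job-creation": ("neuvector-binding-job-creation", {("neuvector", "cert-upgrader")}),
    "neuvector-binding-lease": ("neuvector-binding-lease", {CTRL, ("neuvector", "cert-upgrader")}),
    "neuvector-binding-secret": ("neuvector-binding-secret",
                                 {CTRL, ("neuvector", "enforcer"), ("neuvector", "scanner"),
                                  ("neuvector", "registry-adapter")}),
}

# Constructed sample standing in for `oc get clusterrolebinding -o json`: one correct binding,
# one with a missing subject, one pointing at the wrong role, and the rest absent.
SAMPLE_CLUSTER_BINDINGS = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "neuvector-binding-app"},
   "roleRef": {"kind": "ClusterRole", "name": "neuvector-binding-app"},
   "subjects": [{"kind": "ServiceAccount", "name": "controller", "namespace": "neuvector"}]},
  {"metadata": {"name": "neuvector-binding-co"},
   "roleRef": {"kind": "ClusterRole", "name": "neuvector-binding-co"},
   "subjects": [{"kind": "ServiceAccount", "name": "controller", "namespace": "neuvector"}]},
  {"metadata": {"name": "neuvector-binding-view"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "ServiceAccount", "name": "controller", "namespace": "neuvector"}]}
]}
""")


def index_bindings(binding_list):
    """Map binding name -> (roleRef name, set of (namespace, name) ServiceAccount subjects)."""
    out = {}
    for item in binding_list.get("items", []):
        subjects = {
            (s.get("namespace", ""), s["name"])
            for s in (item.get("subjects") or [])
            if s.get("kind") == "ServiceAccount"
        }
        out[item["metadata"]["name"]] = (item["roleRef"]["name"], subjects)
    return out


def check_bindings(expected, actual):
    """Return findings: missing binding, wrong role, missing subject, or an extra subject
    (an extra subject widens the grant, so it is reported rather than ignored)."""
    findings = []
    for name, (role, subjects) in expected.items():
        if name not in actual:
            findings.append(f"{name}: binding missing")
            continue
        got_role, got_subjects = actual[name]
        if got_role != role:
            findings.append(f"{name}: bound to role {got_role}, expected {role}")
        for ns, sa in sorted(subjects - got_subjects):
            findings.append(f"{name}: missing subject {ns}/{sa}")
        for ns, sa in sorted(got_subjects - subjects):
            findings.append(f"{name}: unexpected subject {ns}/{sa}")
    return findings


if __name__ == "__main__":
    for finding in check_bindings(EXPECTED_CLUSTER_BINDINGS, index_bindings(SAMPLE_CLUSTER_BINDINGS)):
        print(finding)
```

To run it against a real cluster, replace `SAMPLE_CLUSTER_BINDINGS` with `json.load(sys.stdin)` and pipe in `oc get clusterrolebinding -o json`; do the same with `EXPECTED_ROLE_BINDINGS` and `oc get rolebinding -n neuvector -o json`. An empty result list means every binding from step 5 is present with exactly the intended subjects.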
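The taint note in step 10 describes the symptom (the enforcer DaemonSet starts no pod on a tainted node). Because every node without an enforcer is a node without runtime protection, it is worth predicting the gap before deploying rather than discovering it afterwards. The script below is an added example (not from the original page and not NeuVector's own tooling) that applies the Kubernetes taint/toleration and nodeSelector matching rules to the enforcer pod template and lists the nodes that will be left uncovered, with the reason. The tolerations are the ones in the step 8 DaemonSet; the node data, the `node-role.kubernetes.io/infra=reserved` taint and the `neuvector=enabled` label are constructed for the demonstration.

```python
"""Predict which nodes the neuvector-enforcer-pod DaemonSet cannot be scheduled on,
so that a node left without an enforcer is found before it shows up as a DaemonSet
with fewer pods than nodes.

Real input is `oc get nodes -o json` and the pod template from
`oc get ds neuvector-enforcer-pod -n neuvector -o json` (.spec.template.spec);
constructed sample data is embedded so the script runs offline.
"""

# Tolerations the DaemonSet controller adds on its own for node-condition taints,
# so a cordoned or not-ready node is not reported as a coverage gap.
DAEMONSET_BUILTIN_TOLERATIONS = [
    {"key": "node.kubernetes.io/not-ready", "operator": "Exists", "effect": "NoExecute"},
    {"key": "node.kubernetes.io/unreachable", "operator": "Exists", "effect": "NoExecute"},
    {"key": "node.kubernetes.io/disk-pressure", "operator": "Exists", "effect": "NoSchedule"},
    {"key": "node.kubernetes.io/memory-pressure", "operator": "Exists", "effect": "NoSchedule"},
    {"key": "node.kubernetes.io/pid-pressure", "operator": "Exists", "effect": "NoSchedule"},
    {"key": "node.kubernetes.io/unschedulable", "operator": "Exists", "effect": "NoSchedule"},
]


def toleration_matches(tol, taint):
    """Kubernetes matching rules: operator defaults to Equal and value to "";
    an empty effect matches every effect; an empty key with Exists matches every taint."""
    op = tol.get("operator", "Equal")
    if tol.get("effect", "") and tol["effect"] != taint.get("effect"):
        return False
    if tol.get("key", "") == "":
        return op == "Exists"
    if tol["key"] != taint.get("key"):
        return False
    return op == "Exists" or tol.get("value", "") == taint.get("value", "")


def blocking_taints(node, tolerations):
    """Taints with a scheduling-blocking effect that no toleration covers
    (PreferNoSchedule only lowers priority, so it is ignored)."""
    return [
        t for t in (node["spec"].get("taints") or [])
        if t.get("effect") in ("NoSchedule", "NoExecute")
        and not any(toleration_matches(tol, t) for tol in tolerations)
    ]


def selector_mismatch(node, node_selector):
    """nodeSelector entries the node's labels do not satisfy."""
    labels = node["metadata"].get("labels") or {}
    return {k: v for k, v in node_selector.items() if labels.get(k) != v}


def uncovered_nodes(nodes, pod_spec):
    """Map node name -> reason for every node the DaemonSet will not place a pod on."""
    tolerations = list(pod_spec.get("tolerations", [])) + DAEMONSET_BUILTIN_TOLERATIONS
    reasons = {}
    for node in nodes["items"]:
        parts = []
        taints = blocking_taints(node, tolerations)
        if taints:
            parts.append("untolerated taint(s): " + ", ".join(
                f"{t['key']}={t.get('value', '')}:{t['effect']}" for t in taints))
        missing = selector_mismatch(node, pod_spec.get("nodeSelector", {}))
        if missing:
            parts.append("nodeSelector not satisfied: " + ", ".join(f"{k}={v}" for k, v in missing.items()))
        if parts:
            reasons[node["metadata"]["name"]] = "; ".join(parts)
    return reasons


def _node(name, taints=None, labels=None):
    """Build the minimal subset of a Node object the checks above read."""
    return {"metadata": {"name": name, "labels": labels or {}}, "spec": {"taints": taints or []}}


# Constructed cluster: a control-plane node, a worker carrying the neuvector=enabled label,
# a cordoned worker, and an infra node with a custom taint (key/value made up for the demo).
SAMPLE_NODES = {"items": [
    _node("master-0", [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"},
                       {"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}]),
    _node("worker-0", labels={"neuvector": "enabled"}),
    _node("worker-1", [{"key": "node.kubernetes.io/unschedulable", "effect": "NoSchedule"}]),
    _node("infra-0", [{"key": "node-role.kubernetes.io/infra", "value": "reserved", "effect": "NoSchedule"}]),
]}

# Tolerations exactly as in the enforcer DaemonSet from step 8.
ENFORCER_POD_SPEC = {"tolerations": [
    {"effect": "NoSchedule", "key": "node-role.kubernetes.io/master"},
    {"effect": "NoSchedule", "key": "node-role.kubernetes.io/control-plane"},
]}

# Same spec with an added toleration for the infra taint: every node is covered again.
FIXED_POD_SPEC = {"tolerations": ENFORCER_POD_SPEC["tolerations"] + [
    {"key": "node-role.kubernetes.io/infra", "operator": "Exists", "effect": "NoSchedule"}]}

# Same spec restricted by a nodeSelector: only nodes carrying the label are covered.
SELECTOR_POD_SPEC = {"tolerations": ENFORCER_POD_SPEC["tolerations"], "nodeSelector": {"neuvector": "enabled"}}

if __name__ == "__main__":
    for spec_name, spec in [("enforcer", ENFORCER_POD_SPEC), ("fixed", FIXED_POD_SPEC), ("selector", SELECTOR_POD_SPEC)]:
        print(spec_name, uncovered_nodes(SAMPLE_NODES, spec) or "all nodes covered")
```

The three specs show the trade-off the note hints at: the stock DaemonSet leaves the tainted infra node uncovered, an extra toleration closes that gap, and a nodeSelector narrows coverage to labelled nodes only, so any node that misses the label is silently left without an enforcer. The cordoned worker is never reported, because the DaemonSet controller tolerates that taint by itself.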