A collection of Helm charts for deploying NeuVector product in Kubernetes and Openshift clusters.
This repository contains three Helm charts.
| Chart | Description |
|---|---|
| core | Deploy NeuVector container security core services. chart |
| crd | Deploy CRD services before installing NeuVector container security platform. chart |
| monitor | Deploy monitoring services, such as Prometheus exporter. chart |
IMPORTANT - Each chart has a set of configuration values, especially for the 'core' chart. Review the Helm chart configuration values here and make any required changes to the values.yaml file for your deployment.
$ helm repo add neuvector https://neuvector.github.io/neuvector-helm/
$ helm search repo neuvector/coreHelm charts for officially released product are published from the release branch of the repository. The main branch is used for the charts of the product in the development. Typically, the charts in the main branch are published with the alpha, beta or rc tag. They can be discovered with --devel option.
$ helm search repo neuvector/core -l
NAME CHART VERSION APP VERSION DESCRIPTION
neuvector/core 2.2.2 5.0.2 Helm chart for NeuVector's core services
neuvector/core 2.2.1 5.0.1 Helm chart for NeuVector's core services
neuvector/core 2.2.0 5.0.0 Helm chart for NeuVector's core services
neuvector/core 1.9.2 4.4.4-s2 Helm chart for NeuVector's core services
neuvector/core 1.9.1 4.4.4 Helm chart for NeuVector's core services
...
...
$ helm search repo neuvector/core --devel
NAME CHART VERSION APP VERSION DESCRIPTION
neuvector/core 2.2.0-b1 5.0.0-b1 Helm chart for NeuVector's core services
neuvector/core 1.9.2 4.4.4-s2 Helm chart for NeuVector's core services
neuvector/core 1.9.1 4.4.4 Helm chart for NeuVector's core services
neuvector/core 1.9.0 4.4.4 Helm chart for NeuVector's core services
neuvector/core 1.8.9 4.4.3 Helm chart for NeuVector's core services
...
...To install the chart with the release name neuvector:
- Create the NeuVector namespace. You can use namespace name other than "neuvector".
$ kubectl create namespace neuvector- Label the NeuVector namespace with privileged profile for deploying on PSA enabled cluster.
$ kubectl label namespace neuvector "pod-security.kubernetes.io/enforce=privileged"- Configure Kubernetes to pull from the NeuVector container registry.
$ helm install neuvector --namespace neuvector --create-namespace neuvector/coreYou can find a list of all config options in the README of the core chart.
- Create a new project.
$ oc new-project neuvector- Create a new service account if you don't want to use the 'default'. Specify the service account name in charts' values.yaml file. Note: This step is only for OpenShift 3.x.
$ oc create serviceaccount neuvector -n neuvector- Grant Service Account Access to the Privileged SCC. Please replace the service account name that you plan to use. Note: This step is only for OpenShift 3.x.
$ oc -n neuvector adm policy add-scc-to-user privileged -z default- Privileged SCC is added to Service Account specified in the values.yaml by Helm chart version 2.0.0 and above in new Helm install on OpenShift 4.x. In case of upgrading NeuVector chart from previous version to 2.0.0, please delete Privileged SCC before upgrading.
$ oc delete rolebinding -n neuvector system:openshift:scc:privilegedTo install the chart with the release name neuvector:
$ helm install neuvector --namespace neuvector neuvector/core --set openshift=true,crio.enabled=true$ helm upgrade neuvector --set tag=5.0.2 neuvector/coreTo uninstall/delete the neuvector deployment:
$ helm delete neuvectorThe command removes all the Kubernetes components associated with the chart and deletes the release.
If you are using a private registry, you need pull NeuVector images of the specified version to your own registry and add registry name when installing the chart.
$ helm install neuvector --namespace neuvector neuvector/core --set registry=your-private-registryIf your registry needs authentication, create a secret with the authentication information:
$ kubectl create secret docker-registry regsecret -n neuvector --docker-server=https://your-private-registry/ --docker-username=your-name --docker-password=your-password --docker-email=your-emailor for OpenShift:
$ oc create secret docker-registry regsecret -n neuvector --docker-server=https://your-private-registry/ --docker-username=your-name --docker-password=your-password --docker-email=your-emailAnd install the helm chart with at least these values:
$ helm install neuvector --namespace neuvector neuvector/core --set imagePullSecrets=regsecret,registry=your-private-registryTo keep the vulnerability database up-to-date, you want to create a script, run it as a cronjob to pull the updater and scanner images periodically to your own registry.
$ docker login docker.io
$ docker pull docker.io/neuvector/updater
$ docker logout docker.io
$ oc login -u <user_name>
# this user_name is the one when you install neuvector
$ docker login -u <user_name> -p `oc whoami -t` docker-registry.default.svc:5000
$ docker tag docker.io/neuvector/updater docker-registry.default.svc:5000/neuvector/updater
$ docker push docker-registry.default.svc:5000/neuvector/updater
$ docker logout docker-registry.default.svc:5000If you are using the previous way to install charts from the source directly, after adding the Helm repo, you can upgrade the current installation by given the same chart name.
helm upgrade my-release neuvector/core --namespace neuvector --set tag=4.1.0
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent