Skip to main content
Version: 5.3

Connect to Manager, REST API server

Connect to UIโ€‹

Open a browser window, connect to the manager using HTTPS. After accepting the EULA, the user is able to access the UI.


Depending of the deployment method you chose, the manager address will be as follow



You can manage NeuVector from the Console or by using the REST API.


See below for cases where your corporate firewall blocks 8443.


If your Chrome browser blocks the NeuVector self-signed certificate, see the next section on Chrome Certificate Upload.

Connect to REST API Serverโ€‹

All operations in NeuVector can be invoked through the REST API instead of the console. The REST API server is part of the Controller/Allinone container. For details on the REST API, please see the section on Workflow and Automation.

Default username and passwordโ€‹


After successful login, the admin user should update the account with a more secure password.

Creating Additional Usersโ€‹

New users can be added from the Settings -> Users & Roles menu. There are predefined global roles in NeuVector:

  • Admin. Able to perform all actions except Federated policies.
  • Federated Admin. Able to perform all actions, including setting up Master/Remote clusters and Federated policies (rules). Only visible if Multi-cluster is enabled.
  • View Only (reader). No actions allowed, just viewing.
  • CI Integration (ciops). Able to perform CI/CD scanning integration tasks such as image scanning. This user role is recommended for use in build-phase scanning plug-ins such as Jenkins, Bamboo etc and for use in the REST API calls. It is limited to scanning functions and will not be able to do any actions in the console.

Users can be restricted to one or more namespaces using the Advanced Settings.

See the section Users & Roles for advanced user management and creation of custom roles.

Connection Timeout Settingโ€‹

You can set the number of seconds which the console will timeout in the upper right of the console in My Profile -> Session timeout. The default is 5 minutes and the maximum is 3600 seconds (1 hour).

Enabling HTTP for Managerโ€‹

To disable HTTPS and enable HTTP access, add this to the Manager or Allinone yaml section in the environment variables section. For example, in Kubernetes:

value: โ€œoffโ€

For OpenShift, also remove this setting from the Route section of the yaml:

termination: passthrough

This is useful if putting the manager behind a load balancer.

Enabling Access from Corporate Network Which Blocks 8443โ€‹

If your corporate network does not allow access on port 8443 to the Manager console, you can create an ingress service to map it and allow access.


The NeuVector UI console is running as non-root user in the container, so it cannot listen on a port less than 1024. This is why it can't be changed to 443.

If you are trying to access the console from your corporate network. Here is the way to use the ClusterIP service and ingress HTTPS redirect to achieve that.

First, create a certificate for HTTPS termination. Here is an example,

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/"
kubectl create secret tls neuvector-ingress-tls -n neuvector --key="tls.key" --cert="tls.crt"

Then, use the following yaml file to expose the 443 port that redirects the HTTPS connection to the manager.

apiVersion: v1
kind: Service
name: neuvector-cluster-webui
namespace: neuvector
- port: 443
targetPort: 8443
protocol: TCP
type: ClusterIP
app: neuvector-manager-pod


apiVersion: extensions/v1beta1
kind: Ingress
name: neuvector-ingress-webui
namespace: neuvector
annotations: ssl-service=neuvector-cluster-webui
- hosts:
secretName: neuvector-ingress-tls
- host:
- path:
serviceName: neuvector-cluster-webui
servicePort: 443

You will need to change the annotation for the ingress address from to your appropriate address.

This example uses the URL After the ingress service is created, you can find it's external IP. You then can configure the hosts file to point to that IP. After that, you should be able to browse to (the url you choose to use).

Using SSL Passthrough Instead of Redirectโ€‹

To use TLS/SSL passthrough instead of the redirect example above (supported on some ingress controllers such as nginx), make sure the ingress controller is configured appropriated for passthrough, and the appropriate annotation is added to the ingress. For example,

  annotations: "true"

Replacing the NeuVector Self-signed Certificatesโ€‹

Please see the next section Replacing the Self-Signed Certificates for details. The certificate must be replaced in both the Manager and Controller/Allinone yamls.

Configuring AWS ALB with Certificate ARNโ€‹

Here is a sample ingress configuration using the AWS load balancer with the certificate ARN (actual ARN obfuscated).

apiVersion: extensions/v1beta1
kind: Ingress
# HTTPS arn:aws:acm:us-west-2:596810101010:certificate/380b6abc-1234-408d-axyz-651710101010 / HTTPS '[{"HTTPS":443}]' internet-facing "301" instance alb
app: neuvector-webui-ingress
name: neuvector-webui-ingress
namespace: neuvector
- hosts:
- http:
- backend:
serviceName: neuvector-service-webui
servicePort: 8443
path: /*