Skip to main content
Version: 5.2

Deploy Using Operators

Operators

Operators take human operational knowledge and encode it into software that is more easily shared with consumers. Operators are pieces of software that ease the operational complexity of running another piece of software. More technically, Operators are a method of packaging, deploying, and managing a Kubernetes application.

NeuVector Operators

The NeuVector Operator is based on the NeuVector Helm chart. The NeuVector RedHat OpenShift Operator runs in the OpenShift container platform to deploy and manage the NeuVector Security cluster components. The NeuVector Operator contains all necessary information to deploy NeuVector using Helm charts. You simply need to install the NeuVector operator from the OpenShift embedded Operator hub and create the NeuVector instance.

To deploy the latest NeuVector container versions, please use either the Red Hat Certified Operator from Operator Hub or the community operator. Documentation for the community operator can be found here.

Note about SCC and Upgrading

Privileged SCC is added to the Service Account specified in the deployment yaml by Operator version 1.3.4 and above in new deployments. In the case of upgrading the NeuVector Operator from a previous version to 1.3.4, please delete Privileged SCC before upgrading.

oc delete rolebinding -n neuvector system:openshift:scc:privileged
important

NeuVector Certified Operator versions are tied to NeuVector product versions, and each new version must go through a certification process with Red Hat before being published. Certified operator version 1.3.9 is tied to NeuVector version 5.2.0. Certified operator version 1.3.7 is tied to NeuVector version 5.1.0. Version 1.3.4 operator version is tied to NeuVector 5.0.0. If you wish to be able to change the version tags of the NeuVector containers deployed, please use the Community version.

Deploy Using Certified Operator

Deploy Using the Red Hat Certified Operator from Operator Hub

important

NeuVector Operator versions are tied to NeuVector product versions, and each new product version must go through a certification process with Red Hat before being published.

Technical notes

  • NeuVector container images are pulled from registry.connect.redhat.com using the RedHat market place image pull secret.
  • The NeuVector manager UI is typically exposed via an OpenShift passthrough route on a domain. For example, on IBM Cloud neuvector-route-webui-neuvector.(cluster_name)-(random_hash)-0000.(region).containers.appdomain.cloud. It can also be exposed as the service neuvector-service-webui through a node port address or public IP.
  • OpenShift version >=4.6.
  1. Create the project neuvector.

    oc new-project neuvector
  2. Apply security context constraint (SCC) to grant default service account in neuvector namespace to run privileged containers.

    oc adm policy add-scc-to-user privileged --serviceaccount default --namespace neuvector
  3. Install the RedHat Certified Operator from the Operator Hub

    • In the OpenShift Console UI, navigate to OperatorHub
    • Search for NeuVector Operator and select the listing without community or marketplace badge
    • Click Install
  4. Configure update channel

    • Current latest channel is beta, but may be moved to stable in the future
    • Select stable if available
  5. Configure installation mode and installed namespace

    • Select specific namespace on the cluster
    • Select neuvector as installed namespace
    • Configure approval strategy
  6. Confirm Install
  7. Prepare the YAML configuration values for the NeuVector installation as shown in the sample screen shot below. The YAML presented in the OpenShift Console provides all available configuration options and their default values.

  8. When the operator is installed and ready for use, a NeuVector instance can be installed.

    • Click View operator (after the operator installation) or select the NeuVector Operator from the Installed operators view
    • Click Create instance
    • Select Configure via YAML View
    • Paste the prepared YAML configuration values
    • Click Create
  9. Verify the installation of the NeuVector instance

    • Navigate to the Operator Details of the NeuVector Operator
    • Open the NeuVector tab
    • Select the neuvector-default instance
    • Open the Resources tab
    • Verify that resources are in status Created or Running

After you have successfully deployed the NeuVector Platform to your cluster, login to the NeuVector console at https://neuvector-route-webui-neuvector.(OC_INGRESS).

  • Login with the initial username admin and password admin.
  • Accept the NeuVector end user license agreement.
  • Change the password of the admin user.

Optionally, you can also create additional users in the Settings -> Users & Roles menu.

Now you are ready to navigate the NeuVector console to start vulnerability scanning, observe running application pods, and apply security protections to containers.

Upgrading NeuVector

Upgrade the NeuVector version by updating the Operator version which is associated with the desired NeuVector version.

Deploy Using Community Operator

Deploy Using the NeuVector Community Operator from Operator Hub

Technical notes

  • NeuVector container images are pulled from Docker Hub from the NeuVector account.
  • NeuVector manager UI is typically exposed via an OpenShift passthrough route on a domain. For example, on IBM Cloud neuvector-route-webui-neuvector.(cluster_name)-(random_hash)-0000.(region).containers.appdomain.cloud. It can also be exposed as the service neuvector-service-webui through a node port address or public IP.
  • OpenShift version 4.6+
  • It is recommendeded to review and modify the NeuVector installation configuration by modifying the yaml values before creating the NeuVector instance. Examples include imagePullSecrets name, tag version, ingress/console access, multi-cluster federation, persistent volume PVC etc. Please refer to the Helm instructions at https://github.com/neuvector/neuvector-helm for the values that can be modified during installation.
  1. Create the project neuvector

    oc new-project neuvector
  2. Apply security context constraint (SCC) to grant default service account in neuvector namespace to run privileged containers.

    oc adm policy add-scc-to-user privileged --serviceaccount default --namespace neuvector
  3. Install the NeuVector Community Operator from the Operator Hub

    • In the OpenShift Console UI, navigate to OperatorHub
    • Search for NeuVector Operator and select the listing with the community badge
    • Click Install
    • Configure update channel. Current latest channel is beta, but may be moved to stable in the future. Select stable if available.
    • Configure installation mode and installed namespace
    • Select specific namespace on the cluster
    • Select neuvector as installed namespace
    • Configure approval strategy
    • Confirm Install
  4. Download the Kubernetes secret manifest which contains the credentials to access the NeuVector container registry. Save the YAML manifest file to ./neuvector-secret-registry.yaml.
  5. Apply the Kubernetes secret manifest containing the registry credentials.

    kubectl apply -n neuvector -f ./neuvector-secret-registry.yaml
  6. Prepare the YAML configuration values for the NeuVector installation starting from the following YAML snippet. Be sure to specify the desired NeuVector version in the 'tag' value. Check the reference of values in the NeuVector Helm chart to get available configuration options. There are other possible Helm values which can be configured in the YAML, such as whether you will configure the cluster to allow multi-cluster management by exposing the Master (Federated Master) or remote (Federated Worker) services.

    apiVersion: apm.neuvector.com/v1alpha1
    kind: Neuvector
    metadata:
    name: neuvector-default
    namespace: neuvector
    spec:
    openshift: true
    tag: 4.3.0
    registry: docker.io
    exporter:
    image:
    repository: prometheus-exporter
    tag: 0.9.0
    manager:
    enabled: true
    env:
    ssl: true
    image:
    repository: manager
    svc:
    type: ClusterIP
    route:
    enabled: true
    termination: passthrough
    enforcer:
    enabled: true
    image:
    repository: enforcer
    cve:
    updater:
    enabled: true
    image:
    repository: updater
    tag: latest
    schedule: 0 0 * * *
    scanner:
    enabled: true
    replicas: 3
    image:
    repository: scanner
    tag: latest
    controller:
    enabled: true
    image:
    repository: controller
    replicas: 3
  7. When the operator is installed and ready for use, a NeuVector instance can be installed.

    • Click View operator (after the operator installation) or select the NeuVector Operator from the Installed operators view
    • Click Create instance
    • Select Configure via YAML View
    • Paste the prepared YAML configuration values
    • Click Create
  8. Verify the installation of the NeuVector instance.

    • Navigate to the Operator Details of the NeuVector Operator
    • Open the NeuVector tab
    • Select the neuvector-default instance
    • Open the Resources tab
    • Verify that resources are in status Created or Running
  9. After you have successfully deployed the NeuVector Platform to your cluster, login to the NeuVector console at https://neuvector-route-webui-neuvector.(INGRESS_DOMAIN).

    • Login with the initial username admin and password admin.
    • Accept the NeuVector end user license agreement.
    • Change the password of the admin user.
    • Optionally, you can also create additional users in the Settings -> Users & Roles menu.

Now you are ready to navigate the NeuVector console to start vulnerability scanning, observe running application pods, and apply security protections to containers.

Upgrading NeuVector

  1. From Operators > Installed Operators > NeuVector Operator

  2. Click on NeuVector to list instances

  3. Click on YAML to edit parameters

  4. Update tag and click Save

Troubleshooting

  • Check the Operator deployment values in the deployed yaml file
  • Verify that security context constraint (SCC) for NeuVector in step 2 was successfully added
  • Review and check the NeuVector Helm chart values
  • Make sure the registry path and version tag is set properly (community operator; certified will use the defaults)
  • Make sure the route to the NeuVector manager service neuvector-route-webui is configured