Removing or Resetting NeuVector
Removing NeuVector Deployment / Containers​
To remove the NeuVector deployment on Kubernetes, use the same yaml file for deployment in the delete command.
kubectl delete -f neuvector.yaml
This will remove the services and container deployments of NeuVector. You may also want to delete the neuvector namespace, persistent volume and cluster roles and clusterrolebindings created in the deployment steps.
If you deployed NeuVector using a Helm chart or operator you should delete NeuVector using Helm or the appropriate operator command.
Resetting NeuVector to an Initial State​
In addition to deleting as discussed above and redeploying NeuVector, the following steps can be taken in Kubernetes to reset NeuVector, which will remove learned rules, groups, and other configuration but leave the NeuVector deployment intact.
- Scale the controller deployment to 0.
- (Optional) if a Persistent Volume is used, delete the persistent volume backup and registry folders created.
- Scale the controller deployment to 3.
Resetting the Admin Password​
The admin password is the key to administering the NeuVector deployment and viewing the cluster network activities. It is important to change the password upon install and keep it safely guarded. If you have kubectl
access to the cluster, you can reset the admin password to the default using the following steps.
Starting in v5.4.3, consul CLI access is disabled by default to harden NeuVector pod security. If resetting the admin password, you need to first disable nv_protect
which is tied to the Enforcer where the Controller is running in order to access the consul CLI. The below override.yaml
configuration can be applied by an admin user to disable nv_protect
and allows for running your consul CLI directly in the Controller pods.
If using continuous delivery in your deployment, you can add a temporary admin user by enabling the attribute always_reload: true
noted in the example userinitcfg.yaml
in the ConfigMap and then following the steps below.
enforcer:
env:
- name: ENFORCER_SKIP_NV_PROTECT
value: "1"
-
kubectl exec
into one of the Controllers.kubectl exec -it <controller> -n neuvector -- sh
-
Check that the admin entry exists and save the output JSON somewhere for safe keeping.
consul kv get object/config/user/admin
importantBefore continuing, make sure you've saved the output of command
consul kv get
into a file. -
Take the output from the above
consul kv get
command and replace thepassword_hash
string with the below string.c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec
-
Reset the admin account password back to the default.
warningReplace <UPDATED_consul_kv_get_output_with_new_password_hash> before executing this steps command.
consul kv put object/config/user/admin '<UPDATED_consul_kv_get_output_with_new_password_hash>'
Example below: (Do not execute without replacing with intended
<UPDATED_consul_kv_get_output_with_new_password_hash>
)consul kv put object/config/user/admin '{"fullname":"admin","username":"admin","password_hash":"c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec","pwd_reset_time":"2022-03-24T20:50:15.341074451Z","pwd_hash_history":null,"domain":"","server":"","email":"","role":"admin","role_oride":false,"timeout":300,"locale":"en","role_domains":{},"last_login_at":"2022-03-24T20:49:32.577877044Z","login_count":1,"failed_login_count":0,"block_login_since":"0001-01-01T00:00:00Z"}'
Response:
Success! Data written to: object/config/user/admin
-
Login with admin/admin and change the password.