A collection of Helm charts for deploying the NeuVector product in Kubernetes and OpenShift clusters.

This repository contains three Helm charts.
| Chart | Description |
|---|---|
| core | Deploys the NeuVector container security core services. |
| crd | Deploys the CRD services before installing the NeuVector container security platform. |
| monitor | Deploys monitoring services, such as the Prometheus exporter. |
IMPORTANT - Each chart has a set of configuration values, especially the 'core' chart. Review the Helm chart configuration values here and make any required changes to the values.yaml file for your deployment.

```
helm repo add neuvector https://neuvector.github.io/neuvector-helm/
helm search repo neuvector/core
```
Helm charts for officially released products are published from the release branch of the repository. The main branch is used for the charts of the product under development. Typically, the charts in the main branch are published with an alpha, beta or rc tag; they can be discovered with the `--devel` option.

```
$ helm search repo neuvector/core -l
NAME CHART VERSION APP VERSION DESCRIPTION
neuvector/core 2.2.2 5.0.2 Helm chart for NeuVector's core services
neuvector/core 2.2.1 5.0.1 Helm chart for NeuVector's core services
neuvector/core 2.2.0 5.0.0 Helm chart for NeuVector's core services
neuvector/core 1.9.2 4.4.4-s2 Helm chart for NeuVector's core services
neuvector/core 1.9.1 4.4.4 Helm chart for NeuVector's core services
...
...
$ helm search repo neuvector/core --devel
NAME CHART VERSION APP VERSION DESCRIPTION
neuvector/core 2.2.0-b1 5.0.0-b1 Helm chart for NeuVector's core services
neuvector/core 1.9.2 4.4.4-s2 Helm chart for NeuVector's core services
neuvector/core 1.9.1 4.4.4 Helm chart for NeuVector's core services
neuvector/core 1.9.0 4.4.4 Helm chart for NeuVector's core services
neuvector/core 1.8.9 4.4.3 Helm chart for NeuVector's core services
...
...
```
To install the chart with the release name `neuvector` on Kubernetes:

- Create the NeuVector namespace. You can use a namespace name other than "neuvector".

  ```
  kubectl create namespace neuvector
  ```

- Label the NeuVector namespace with the privileged profile when deploying on a PSA-enabled cluster.

  ```
  kubectl label namespace neuvector "pod-security.kubernetes.io/enforce=privileged"
  ```

- Configure Kubernetes to pull from the NeuVector container registry.

  ```
  helm install neuvector --namespace neuvector --create-namespace neuvector/core
  ```

You can find a list of all config options in the README of the core chart.
To install on OpenShift:

- Create a new project.

  ```
  oc new-project neuvector
  ```

- Starting with Helm chart version 2.0.0, a new Helm install on OpenShift 4.x adds the privileged SCC to the service account specified in values.yaml. When upgrading the NeuVector chart from an earlier version to 2.0.0, delete the existing privileged SCC role binding before upgrading.

  ```
  oc delete rolebinding -n neuvector system:openshift:scc:privileged
  ```

To install the chart with the release name `neuvector`:

```
helm install neuvector --namespace neuvector neuvector/core --set openshift=true,crio.enabled=true
```

To upgrade the release to a specific product version, for example 5.0.2:

```
helm upgrade neuvector --namespace neuvector --set tag=5.0.2 neuvector/core
```
To uninstall/delete the `neuvector` deployment:

```
helm delete neuvector
```

The command removes all the Kubernetes components associated with the chart and deletes the release.
If you are using a private registry, you need to pull the NeuVector images of the specified version into your own registry and add the registry name when installing the chart.

```
helm install neuvector --namespace neuvector neuvector/core --set registry=your-private-registry
```

If your registry needs authentication, create a secret with the authentication information:

```
kubectl create secret docker-registry regsecret -n neuvector --docker-server=https://your-private-registry/ --docker-username=your-name --docker-password=your-password --docker-email=your-email
```

or for OpenShift:

```
oc create secret docker-registry regsecret -n neuvector --docker-server=https://your-private-registry/ --docker-username=your-name --docker-password=your-password --docker-email=your-email
```

And install the Helm chart with at least these values:

```
helm install neuvector --namespace neuvector neuvector/core --set imagePullSecrets=regsecret,registry=your-private-registry
```
To keep the vulnerability database up-to-date, create a script and run it as a cronjob to periodically pull the updater and scanner images into your own registry.

```
$ docker login docker.io
$ docker pull docker.io/neuvector/updater
$ docker logout docker.io
$ oc login -u <user_name>
# this user_name is the one used when you installed NeuVector
$ docker login -u <user_name> -p `oc whoami -t` docker-registry.default.svc:5000
$ docker tag docker.io/neuvector/updater docker-registry.default.svc:5000/neuvector/updater
$ docker push docker-registry.default.svc:5000/neuvector/updater
$ docker logout docker-registry.default.svc:5000
```
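The mirroring steps above, turned into a script that a cronjob can run. This is an added example and is not part of the neuvector-helm repository: the registry names, the `DST_USER` account, the `mirror-images.sh` file name and the use of `oc whoami -t` as the token source are assumptions, and `registry.example.internal:5000` is a placeholder for your private registry. It mirrors both the updater and the scanner image, and reads the registry token from stdin instead of passing it with `-p`, so the token does not land in the process list or shell history.

```shell
#!/bin/sh
# mirror-images.sh: pull the NeuVector updater and scanner images from the
# upstream registry and push them into a private registry, for use from a
# cronjob. Added example; not part of the neuvector-helm repository.
# SRC_REGISTRY, DST_REGISTRY, DST_USER and the image list are assumptions
# (DST_REGISTRY is a placeholder) and must be set for your environment.
set -eu

SRC_REGISTRY="${SRC_REGISTRY:-docker.io}"
DST_REGISTRY="${DST_REGISTRY:-registry.example.internal:5000}"
DST_USER="${DST_USER:-neuvector-mirror}"
IMAGES="${IMAGES:-neuvector/updater neuvector/scanner}"
TAG="${TAG:-latest}"

# Fully qualified source and destination references for one image name.
src_ref() { printf '%s/%s:%s\n' "$SRC_REGISTRY" "$1" "$TAG"; }
dst_ref() { printf '%s/%s:%s\n' "$DST_REGISTRY" "$1" "$TAG"; }

# Pull one image, retag it for the private registry, push it, then remove the
# local copies so the cronjob host does not accumulate old layers. Prints the
# destination reference so callers can record what was mirrored.
mirror_image() {
  src=$(src_ref "$1")
  dst=$(dst_ref "$1")
  docker pull "$src" >/dev/null
  docker tag "$src" "$dst"
  docker push "$dst" >/dev/null
  docker rmi "$src" "$dst" >/dev/null
  printf '%s\n' "$dst"
}

# Mirror every image listed in IMAGES, one destination reference per line.
mirror_all() {
  for image in $IMAGES; do
    mirror_image "$image"
  done
}

# Log in to the private registry with a token read from stdin, so the secret
# never appears on the command line, in ps output or in shell history.
registry_login() {
  docker login -u "$DST_USER" --password-stdin "$DST_REGISTRY" >/dev/null
}

# Usage (the token source is an assumption; on OpenShift it is `oc whoami -t`):
#   oc whoami -t | ./mirror-images.sh run
case "${1:-}" in
  run)
    registry_login
    mirror_all
    docker logout "$DST_REGISTRY" >/dev/null
    ;;
esac
```

Schedule it with cron (for example `0 2 * * * oc whoami -t | /usr/local/bin/mirror-images.sh run`) under an account whose token has push rights only on the mirror repositories; the functions are kept separate from the `run` entry point so the script can be sourced and exercised without touching a registry.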
If you previously installed the charts directly from the source directory, you can, after adding the Helm repo, upgrade the existing installation by giving the same chart name:

```
helm upgrade my-release neuvector/core --namespace neuvector --set tag=4.1.0
```