NeuVector is the industry's first end-to-end open-source container security platform and the only solution that provides enterprise-grade zero-trust security for containerized workloads. NeuVector is an industry-leading security and compliance solution that has been widely adopted by well-known enterprises worldwide; open-sourcing its code base not only makes NeuVector the technology of choice for the open-source community, it also gives strictly regulated customers (including government and financial institutions) stronger assurance.
The NeuVector open-source container images can be installed on any Kubernetes cluster, including enterprise container management platforms such as Red Hat OpenShift, VMware Tanzu, Google GKE, Amazon EKS and Microsoft Azure AKS.
NeuVector will drive container security innovation in SUSE Rancher, SUSE's flagship Kubernetes management platform. This should help bring about a major ecosystem shift in Kubernetes security, a space previously dominated by closed-source proprietary solutions.
NeuVector itself consists of the Controller, Enforcer, Manager, Scanner and Updater modules.
Controller: the control module for all of NeuVector and the API entry point, responsible among other things for distributing configuration. High availability mainly concerns the Controller; deploying 3 Controllers as a cluster is usually recommended.
Enforcer: distributes and enforces security policies. It is deployed as a DaemonSet, so one Enforcer runs on every node.
Manager: provides the web UI (HTTPS only) and a CLI console for managing NeuVector.
Scanner: performs CVE vulnerability scans of nodes, containers, Kubernetes and images.
Updater: a CronJob that periodically updates the CVE vulnerability database.
helm repo add neuvector https://neuvector.github.io/neuvector-helm/
helm search repo neuvector/core
$ helm search repo neuvector/core -l
NAME            CHART VERSION   APP VERSION   DESCRIPTION
neuvector/core  2.2.2           5.0.2         Helm chart for NeuVector's core services
neuvector/core  2.2.1           5.0.1         Helm chart for NeuVector's core services
neuvector/core  2.2.0           5.0.0         Helm chart for NeuVector's core services
neuvector/core  1.9.2           4.4.4-s2      Helm chart for NeuVector's core services
neuvector/core  1.9.1           4.4.4         Helm chart for NeuVector's core services
...             ...

$ helm search repo neuvector/core --devel
NAME            CHART VERSION   APP VERSION   DESCRIPTION
neuvector/core  2.2.0-b1        5.0.0-b1      Helm chart for NeuVector's core services
neuvector/core  1.9.2           4.4.4-s2      Helm chart for NeuVector's core services
neuvector/core  1.9.1           4.4.4         Helm chart for NeuVector's core services
neuvector/core  1.9.0           4.4.4         Helm chart for NeuVector's core services
neuvector/core  1.8.9           4.4.3         Helm chart for NeuVector's core services
...             ...
To install the chart with the release name neuvector:
kubectl create namespace neuvector
kubectl label namespace neuvector "pod-security.kubernetes.io/enforce=privileged"
helm install neuvector --namespace neuvector --create-namespace neuvector/core
helm upgrade neuvector --namespace neuvector --set tag=5.0.2 neuvector/core
Software versions:
kubectl create namespace neuvector
kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/crd-k8s-1.19.yaml
kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/crd-k8s-1.16.yaml
Configure RBAC
kubectl create clusterrole neuvector-binding-app --verb=get,list,watch,update --resource=nodes,pods,services,namespaces
kubectl create clusterrole neuvector-binding-rbac --verb=get,list,watch --resource=rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io
kubectl create clusterrolebinding neuvector-binding-app --clusterrole=neuvector-binding-app --serviceaccount=neuvector:default
kubectl create clusterrolebinding neuvector-binding-rbac --clusterrole=neuvector-binding-rbac --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-admission --verb=get,list,watch,create,update,delete --resource=validatingwebhookconfigurations,mutatingwebhookconfigurations
kubectl create clusterrolebinding neuvector-binding-admission --clusterrole=neuvector-binding-admission --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-customresourcedefinition --verb=watch,create,get --resource=customresourcedefinitions
kubectl create clusterrolebinding neuvector-binding-customresourcedefinition --clusterrole=neuvector-binding-customresourcedefinition --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-nvsecurityrules --verb=list,delete --resource=nvsecurityrules,nvclustersecurityrules
kubectl create clusterrolebinding neuvector-binding-nvsecurityrules --clusterrole=neuvector-binding-nvsecurityrules --serviceaccount=neuvector:default
kubectl create clusterrolebinding neuvector-binding-view --clusterrole=view --serviceaccount=neuvector:default
kubectl create rolebinding neuvector-admin --clusterrole=admin --serviceaccount=neuvector:default -n neuvector
kubectl get clusterrolebinding | grep neuvector
kubectl get rolebinding -n neuvector | grep neuvector
kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/neuvector-docker-k8s.yaml
kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/neuvector-containerd-k8s.yaml
error: unable to recognize "https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/neuvector-docker-k8s.yaml": no matches for kind "CronJob" in version "batch/v1"
This error means the API server does not serve CronJob under batch/v1, which became the stable CronJob API in Kubernetes 1.21; on an older cluster the Updater CronJob in the manifest has to use batch/v1beta1 (or the cluster has to be upgraded) before the rest of the manifest can be applied.
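A pre-flight check for the failure shown in the error above, added here as an example and not part of the original post or of NeuVector: it reads `kubectl api-resources` output to see which apiVersion the cluster serves CronJob under, and picks the CRD manifest from the server minor version. The sample api-resources and version text is constructed; the 1.19/1.16 cutoff for the CRD files is an assumption taken from their names.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original post or of NeuVector.
# Inputs are passed as text so it runs offline; in practice feed it
# "$(kubectl api-resources)" and "$(kubectl version)".

# Preferred API version the cluster reports for a Kind. In api-resources
# output the last column is KIND and the third from last is APIVERSION
# (SHORTNAMES may be empty, so count from the end).
preferred_api_version() {
  printf '%s\n' "$1" | awk -v kind="$2" '$NF == kind { print $(NF-2) }'
}

# Returns 0 when the apiVersion the manifest uses for CronJob is served.
cronjob_manifest_ok() {
  [ "$(preferred_api_version "$1" CronJob)" = "$2" ]
}

# Server minor version from `kubectl version` output ("Server Version: v1.20.11").
server_minor() {
  printf '%s\n' "$1" | sed -n 's/^Server Version: v[0-9]*\.\([0-9]*\).*/\1/p'
}

# Assumption: crd-k8s-1.19.yaml targets Kubernetes 1.19+ and crd-k8s-1.16.yaml
# older clusters, as the manifest names suggest.
crd_manifest_for_minor() {
  case "$1" in ''|*[!0-9]*) echo unknown; return 1 ;; esac
  if [ "$1" -ge 19 ]; then echo crd-k8s-1.19.yaml; else echo crd-k8s-1.16.yaml; fi
}

# Constructed sample output for a cluster that still serves CronJob as batch/v1beta1.
SAMPLE_API_RESOURCES='NAME         SHORTNAMES   APIVERSION       NAMESPACED   KIND
cronjobs     cj           batch/v1beta1    true         CronJob
jobs                      batch/v1         true         Job
daemonsets   ds           apps/v1          true         DaemonSet'
SAMPLE_VERSION='Client Version: v1.20.4
Server Version: v1.20.11'

if cronjob_manifest_ok "$SAMPLE_API_RESOURCES" batch/v1; then
  echo "CronJob batch/v1 is served; the 5.0.0 manifest should apply"
else
  echo "cluster serves CronJob as $(preferred_api_version "$SAMPLE_API_RESOURCES" CronJob);" \
       "a manifest with a batch/v1 CronJob will fail as shown above"
fi
echo "CRD manifest to apply: $(crd_manifest_for_minor "$(server_minor "$SAMPLE_VERSION")")"
```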
kubectl patch svc neuvector-service-webui -n neuvector --type='json' -p '[{"op":"replace","path":"/spec/type","value":"NodePort"},{"op":"add","path":"/spec/ports/0/nodePort","value":30888}]'