A walkthrough for federating Neuvector
Neuvector is a software security tool that can be installed alongside Rancher. When Neuvector is installed into multiple Kubernetes clusters, each Neuvector instance can be federated to manage policies and scan results, as well as present an overall view in the Neuvector Manager UI. This repo walks through how to setup federation and configure other capabilities in Neuvector.
- Neuvector can be installed via a Helm chart from the Rancher Marketplace.
- On the cluster that you want to be the federation master, expose the
neuvector-svc-controller-fed-masterservice externally. - Login to the Neuvector Manager UI and click on the User account drop down -> Multiple Clusters
- Click Promote
- Enter the endpoint that you exposed in step 2 and click Submit. (Note: Your Primary Cluster Port will be
443if you exposed via Ingress) - After the page reloads, go back in to Multiple Clusters and you should now see the cluster listed in the table. Under the Actions column, click Generate Token and copy the displayed token to your clipboard for future use.
- On all downstream Neuvector instances, Neuvector can be installed via a Helm chart from the Rancher Marketplace.
- On these clusters you will need to expose the
neuvector-svc-controller-fed-managedservice externally. - Login to the Neuvector Manager UI and click on the User account drop down -> Multiple Clusters.
- Click Join
- For the controller server, enter the endpoint that you exposed in step 3. (Note: Your controller port will
443if you exposed via Ingress) Enter the token you copied in step 6 of Master section and the remaining fields will be populated. - Click Submit.
Harbor supports using Neuvector as an external image scanner.
- Enable the registry adapter pod by setting
cve.adapter.enabled=true - By default, the registry adapter pod is configured for HTTPS and you need to provide a TLS certificate via
cve.adapter.certificate(Note: If you use this, setcve.adapter.certificate.pemFile=tls.crt) example certificate - If Harbor is running external to cluster, you will need to expose the registry adapter pod externally. Ingress can be configured with
cve.adapter.ingress - A secret of the form basic-auth will need to be created and set via
cve.adapter.harbor.secretNameexample secret - After those resources are created, log into Harbor and navigate to Administration -> Interrogation Services -> New Scanner
- In the dialog box, enter the exposed
neuevector-registry-adapterendpoint, the credentials found in the secret referenced bycve.adapter.harbor.secretName, then click Add. - You should now have a Neuvector scanner configured in Harbor.