Modified for v5.4.0 pod deployment

neuvector · Sep 26, 2024 · 452c2dd · 452c2dd
1 parent 7114a7d
commit 452c2dd
Showing 1 changed file with 26 additions and 16 deletions.
diff --git a/versioned_docs/version-5.4/02.deploying/04.openshift/04.openshift.md b/versioned_docs/version-5.4/02.deploying/04.openshift/04.openshift.md
@@ -16,9 +16,9 @@ To deploy manually, first pull the appropriate NeuVector containers from the Neu
 #### NeuVector Images on Docker Hub
 
 <p>The images are on the NeuVector Docker Hub registry. Use the appropriate version tag for the manager, controller, enforcer, and leave the version as 'latest' for scanner and updater. For example:
-<li>neuvector/manager:5.3.0</li>
-<li>neuvector/controller:5.3.0</li>
-<li>neuvector/enforcer:5.3.0</li>
+<li>neuvector/manager:5.4.0</li>
+<li>neuvector/controller:5.4.0</li>
+<li>neuvector/enforcer:5.4.0</li>
 <li>neuvector/scanner:latest</li>
 <li>neuvector/updater:latest</li></p>
 <p>Please be sure to update the image references in appropriate yaml files.</p>
@@ -103,6 +103,7 @@ oc create sa basic -n neuvector
 oc create sa updater -n neuvector
 oc create sa scanner -n neuvector
 oc create sa registry-adapter -n neuvector
+oc create sa cert-upgrader -n neuvector
 oc -n neuvector adm policy add-scc-to-user privileged -z enforcer
 ```
 
@@ -179,7 +180,7 @@ system:openshift:scc:privileged   ClusterRole/system:openshift:scc:privileged
 Run this command to check NeuVector service for Controller:
 
 ```shell
-oc get rolebinding system:openshift:scc:neuvector-scc-controller n neuvector -o wide
+oc get rolebinding system:openshift:scc:neuvector-scc-controller -n neuvector -o wide
 ```
 
 The output will look like
@@ -192,12 +193,12 @@ System:openshift:scc:neuvector-scc-controller   ClusterRole/system:openshift:scc
 6) Create the custom resources (CRD) for NeuVector security rules. For OpenShift 4.6+ (Kubernetes 1.19+):
 
 ```shell
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/crd-k8s-1.19.yaml
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/waf-crd-k8s-1.19.yaml
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/dlp-crd-k8s-1.19.yaml
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/com-crd-k8s-1.19.yaml
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/vul-crd-k8s-1.19.yaml
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/admission-crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/waf-crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/dlp-crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/com-crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/vul-crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/admission-crd-k8s-1.19.yaml
 ```
 
 7) Add read permission to access the kubernetes API and OpenShift RBACs. IMPORTANT: The standard NeuVector 5.2+ deployment uses least-privileged service accounts instead of the default. See below if upgrading to 5.2+ from a version prior to 5.2.
@@ -242,12 +243,17 @@ oc create role neuvector-binding-scanner --verb=get,patch,update,watch --resourc
 oc adm policy add-role-to-user neuvector-binding-scanner system:serviceaccount:neuvector:updater system:serviceaccount:neuvector:controller -n neuvector --role-namespace neuvector
 oc create clusterrole neuvector-binding-co --verb=get,list --resource=clusteroperators
 oc adm policy add-cluster-role-to-user neuvector-binding-co system:serviceaccount:neuvector:enforcer system:serviceaccount:neuvector:controller
-oc create role neuvector-binding-secret --verb=get --resource=secrets -n neuvector
-oc adm policy add-role-to-user neuvector-binding-secret system:serviceaccount:neuvector:controller -n neuvector --role-namespace neuvector
+oc create role neuvector-binding-secret --verb=get,list,watch --resource=secrets -n neuvector
+oc adm policy add-role-to-user neuvector-binding-secret system:serviceaccount:neuvector:controller system:serviceaccount:neuvector:enforcer system:serviceaccount:neuvector:scanner system:serviceaccount:neuvector:registry-adapter -n neuvector --role-namespace neuvector
 oc create clusterrole neuvector-binding-nvcomplianceprofiles --verb=get,list,delete --resource=nvcomplianceprofiles
 oc create clusterrolebinding neuvector-binding-nvcomplianceprofiles --clusterrole=neuvector-binding-nvcomplianceprofiles --serviceaccount=neuvector:controller
 oc create clusterrole neuvector-binding-nvvulnerabilityprofiles --verb=get,list,delete --resource=nvvulnerabilityprofiles
 oc create clusterrolebinding neuvector-binding-nvvulnerabilityprofiles --clusterrole=neuvector-binding-nvvulnerabilityprofiles --serviceaccount=neuvector:controller
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/neuvector-roles-k8s.yaml
+oc create role neuvector-binding-lease --verb=create,get,update --resource=leases -n neuvector
+oc adm policy add-role-to-user neuvector-binding-cert-upgrader system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
+oc adm policy add-role-to-user neuvector-binding-job-creation system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
+oc adm policy add-role-to-user neuvector-binding-lease system:serviceaccount:neuvector:controller system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
 ```
 
 8) Run the following command to check if the neuvector/controller, neuvector/enforcer and neuvector/updater service accounts are added successfully.
@@ -275,14 +281,18 @@ neuvector-binding-co                                ClusterRole/neuvector-bindin
 And this command:
 
 ```shell
-oc get RoleBinding neuvector-binding-scanner -n neuvector -o wide
+oc get RoleBinding neuvector-binding-scanner neuvector-binding-cert-upgrader neuvector-binding-job-creation neuvector-binding-lease neuvector-binding-secret -n neuvector -o wide
 ```
 
 Sample output:
 
 ```shell
-NAME                        ROLE                             AGE   USERS   GROUPS   SERVICEACCOUNTS
-neuvector-binding-scanner   Role/neuvector-binding-scanner   70d                    neuvector/updater, neuvector/controller
+NAME                              ROLE                                   AGE   USERS   GROUPS   SERVICEACCOUNTS
+neuvector-binding-scanner         Role/neuvector-binding-scanner         56m                    neuvector/controller, neuvector/updater
+neuvector-binding-cert-upgrader   Role/neuvector-binding-cert-upgrader   56m                    neuvector/cert-upgrader
+neuvector-binding-job-creation    Role/neuvector-binding-job-creation    56m                    neuvector/controller
+neuvector-binding-lease           Role/neuvector-binding-lease           56m                    neuvector/controller, neuvector/cert-upgrader
+neuvector-binding-secret          Role/neuvector-binding-secret          56m                    neuvector/controller, neuvector/enforcer, neuvector/scanner, neuvector/registry-adapter
 ```
 
 9) (<strong>Optional</strong>) Create the Federation Master and/or Remote Multi-Cluster Management Services. If you plan to use the multi-cluster management functions in NeuVector, one cluster must have the Federation Master service deployed, and each remote cluster must have the Federation Worker service. For flexibility, you may choose to deploy both Master and Worker services on each cluster so any cluster can be a master or remote.
@@ -351,7 +361,7 @@ The name of your default OpenShift registry might have changed from docker-regis
 Type NodePort is used for the fed-master and fed-worker services instead of LoadBalancer. You may need to adjust for your deployment.
 :::
 
-If using the CRI-O run-time, see this [CRI-O sample](https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/neuvector-crio-oc.yaml).
+If using the CRI-O run-time, see this [CRI-O sample](https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/neuvector-crio-oc.yaml).
 
 **Master Node Taints and Tolerations**