From 452c2ddaa8d477767b331d17514a3495fa525f6b Mon Sep 17 00:00:00 2001
From: Venkatesh Jayagopal
Date: Thu, 26 Sep 2024 17:44:07 +0000
Subject: [PATCH] Modified for v5.4.0 pod deployment
---
 .../02.deploying/04.openshift/04.openshift.md | 42 ++++++++++++-------
 1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/versioned_docs/version-5.4/02.deploying/04.openshift/04.openshift.md b/versioned_docs/version-5.4/02.deploying/04.openshift/04.openshift.md
index 6941e5d76..a267ea96b 100644
--- a/versioned_docs/version-5.4/02.deploying/04.openshift/04.openshift.md
+++ b/versioned_docs/version-5.4/02.deploying/04.openshift/04.openshift.md
@@ -16,9 +16,9 @@ To deploy manually, first pull the appropriate NeuVector containers from the Neu
 #### NeuVector Images on Docker Hub

The images are on the NeuVector Docker Hub registry. Use the appropriate version tag for the manager, controller, enforcer, and leave the version as 'latest' for scanner and updater. For example: -

  • neuvector/manager:5.3.0
  • -
  • neuvector/controller:5.3.0
  • -
  • neuvector/enforcer:5.3.0
  • +
  • neuvector/manager:5.4.0
  • +
  • neuvector/controller:5.4.0
  • +
  • neuvector/enforcer:5.4.0
  • neuvector/scanner:latest
  • neuvector/updater:latest
  • Please be sure to update the image references in appropriate yaml files.

@@ -103,6 +103,7 @@ oc create sa basic -n neuvector
 oc create sa updater -n neuvector
 oc create sa scanner -n neuvector
 oc create sa registry-adapter -n neuvector
+oc create sa cert-upgrader -n neuvector
 oc -n neuvector adm policy add-scc-to-user privileged -z enforcer
 ```
@@ -179,7 +180,7 @@ system:openshift:scc:privileged ClusterRole/system:openshift:scc:privileged
 Run this command to check NeuVector service for Controller:
 ```shell
-oc get rolebinding system:openshift:scc:neuvector-scc-controller n neuvector -o wide
+oc get rolebinding system:openshift:scc:neuvector-scc-controller -n neuvector -o wide
 ```
 The output will look like
@@ -192,12 +193,12 @@ System:openshift:scc:neuvector-scc-controller ClusterRole/system:openshift:scc
 6) Create the custom resources (CRD) for NeuVector security rules. For OpenShift 4.6+ (Kubernetes 1.19+):
 ```shell
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/crd-k8s-1.19.yaml
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/waf-crd-k8s-1.19.yaml
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/dlp-crd-k8s-1.19.yaml
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/com-crd-k8s-1.19.yaml
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/vul-crd-k8s-1.19.yaml
-oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/admission-crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/waf-crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/dlp-crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/com-crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/vul-crd-k8s-1.19.yaml
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/admission-crd-k8s-1.19.yaml
 ```
 7) Add read permission to access the kubernetes API and OpenShift RBACs. IMPORTANT: The standard NeuVector 5.2+ deployment uses least-privileged service accounts instead of the default. See below if upgrading to 5.2+ from a version prior to 5.2.
@@ -242,12 +243,17 @@ oc create role neuvector-binding-scanner --verb=get,patch,update,watch --resourc
 oc adm policy add-role-to-user neuvector-binding-scanner system:serviceaccount:neuvector:updater system:serviceaccount:neuvector:controller -n neuvector --role-namespace neuvector
 oc create clusterrole neuvector-binding-co --verb=get,list --resource=clusteroperators
 oc adm policy add-cluster-role-to-user neuvector-binding-co system:serviceaccount:neuvector:enforcer system:serviceaccount:neuvector:controller
-oc create role neuvector-binding-secret --verb=get --resource=secrets -n neuvector
-oc adm policy add-role-to-user neuvector-binding-secret system:serviceaccount:neuvector:controller -n neuvector --role-namespace neuvector
+oc create role neuvector-binding-secret --verb=get,list,watch --resource=secrets -n neuvector
+oc adm policy add-role-to-user neuvector-binding-secret system:serviceaccount:neuvector:controller system:serviceaccount:neuvector:enforcer system:serviceaccount:neuvector:scanner system:serviceaccount:neuvector:registry-adapter -n neuvector --role-namespace neuvector
 oc create clusterrole neuvector-binding-nvcomplianceprofiles --verb=get,list,delete --resource=nvcomplianceprofiles
 oc create clusterrolebinding neuvector-binding-nvcomplianceprofiles --clusterrole=neuvector-binding-nvcomplianceprofiles --serviceaccount=neuvector:controller
 oc create clusterrole neuvector-binding-nvvulnerabilityprofiles --verb=get,list,delete --resource=nvvulnerabilityprofiles
 oc create clusterrolebinding neuvector-binding-nvvulnerabilityprofiles --clusterrole=neuvector-binding-nvvulnerabilityprofiles --serviceaccount=neuvector:controller
+oc apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/neuvector-roles-k8s.yaml
+oc create role neuvector-binding-lease --verb=create,get,update --resource=leases -n neuvector
+oc adm policy add-role-to-user neuvector-binding-cert-upgrader system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
+oc adm policy add-role-to-user neuvector-binding-job-creation system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
+oc adm policy add-role-to-user neuvector-binding-lease system:serviceaccount:neuvector:controller system:serviceaccount:neuvector:cert-upgrader -n neuvector --role-namespace neuvector
 ```
 8) Run the following command to check if the neuvector/controller, neuvector/enforcer and neuvector/updater service accounts are added successfully.
@@ -275,14 +281,18 @@ neuvector-binding-co ClusterRole/neuvector-bindin
 And this command:
 ```shell
-oc get RoleBinding neuvector-binding-scanner -n neuvector -o wide
+oc get RoleBinding neuvector-binding-scanner neuvector-binding-cert-upgrader neuvector-binding-job-creation neuvector-binding-lease neuvector-binding-secret -n neuvector -o wide
 ```
 Sample output:
 ```shell
-NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
-neuvector-binding-scanner Role/neuvector-binding-scanner 70d neuvector/updater, neuvector/controller
+NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
+neuvector-binding-scanner Role/neuvector-binding-scanner 56m neuvector/controller, neuvector/updater
+neuvector-binding-cert-upgrader Role/neuvector-binding-cert-upgrader 56m neuvector/cert-upgrader
+neuvector-binding-job-creation Role/neuvector-binding-job-creation 56m neuvector/controller
+neuvector-binding-lease Role/neuvector-binding-lease 56m neuvector/controller, neuvector/cert-upgrader
+neuvector-binding-secret Role/neuvector-binding-secret 56m neuvector/controller, neuvector/enforcer, neuvector/scanner, neuvector/registry-adapter
 ```
 9) (Optional) Create the Federation Master and/or Remote Multi-Cluster Management Services. If you plan to use the multi-cluster management functions in NeuVector, one cluster must have the Federation Master service deployed, and each remote cluster must have the Federation Worker service. For flexibility, you may choose to deploy both Master and Worker services on each cluster so any cluster can be a master or remote.
@@ -351,7 +361,7 @@ The name of your default OpenShift registry might have changed from docker-regis
 Type NodePort is used for the fed-master and fed-worker services instead of LoadBalancer. You may need to adjust for your deployment.
 :::
-If using the CRI-O run-time, see this [CRI-O sample](https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.3.0/neuvector-crio-oc.yaml).
+If using the CRI-O run-time, see this [CRI-O sample](https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.4.0/neuvector-crio-oc.yaml).
 **Master Node Taints and Tolerations**