Merge pull request #110 from nunix/remote-export
Added Remote Repository Configuration
nunix authored Sep 20, 2024
2 parents a449804 + 1355a66 commit 4a4cea1
Showing 5 changed files with 151 additions and 77 deletions.
109 changes: 73 additions & 36 deletions docs/04.navigation/01.navigation/01.navigation.md
Expand Up @@ -5,18 +5,18 @@ taxonomy:
slug: /navigation/navigation
---

### Console Access
## Console Access

The default user and password are admin.

Please see the first section Basics -> Connect to Manager for configuration options such as turning off https, accessing the console through a corporate firewall which does not allow port 8443, or replacing the self-signed certificate.

### Menus and Navigation
## Menus and Navigation

Use the left side menu to navigate in your NeuVector console. Note that there are additional settings in upper right for User Profile and Multi-Cluster configuration.
![Navigation](4-3_Network_Activity.png)

#### Dashboard
### Dashboard

The Dashboard shows a summary of risk scores, security events, and application protocols detected by NeuVector. It also shows details for some of these security events. PDF reports can be generated from the Dashboard which contain detailed charts and explanations.

Expand All @@ -40,7 +40,7 @@ This chart summarizes the application protocols detected in live connections in
+ Application Coverage is the number of unique pod to pod conversations detected between application services. For example if service pod A connects to service pod B using HTTP that is one unique HTTP ‘conversation’, but all connections between A and B count as one conversation.
+ Application Volume is the network activity measured in Gbytes for all services using that protocol.

#### Network Activity
### Network Activity

This provides a graphical map of your containers and the conversations between containers. It also shows connections with other local and external resources. In Monitor and Protect modes, violations are displayed with red or yellow lines to indicate that a violation has been detected.

Expand Down Expand Up @@ -82,7 +82,7 @@ The data in the map may take a few seconds after network activity to be displaye

See the explanation of the Legend icons at the bottom of this page.

#### Assets
### Assets

Assets displays information about Platforms, Nodes, Containers, Registries, Sigstore Verifiers (used in Admission Control rules), and System Components (NeuVector Controllers, Scanners, and Enforcers).

Expand All @@ -94,53 +94,55 @@ Note that the Status of all containers is shown in Assets -> Containers, which i

Please see the section Scanning & Compliance for additional details, including how to use the Jenkins plug-in NeuVector Vulnerability Scanner.

#### Policy
### Policy

This displays and manages the run-time Security Policy which determines what container networking, process, and file system application behavior is ALLOWED and DENIED. Any conversations and activities which are not explicitly allowed are logged as violations by NeuVector. This is also where Admission Control rules can be created.

Please see the Security Policy section of these docs for a detailed explanation of the behavior of the rules and how to edit or create rules.

#### Security Risks
### Security Risks

This enables customizable Vulnerability and Compliance management investigation, triage, and reporting. Easily research image vulnerabilities and find out which nodes or containers contain those vulnerabilities. Advanced filtering makes reviewing scan and compliance check results and provides customized reporting.

These menu's combine results from registry (image), node, and container vulnerability scans and compliance checks to enable end-to-end vulnerability management and reporting.

#### Notifications
### Notifications

This is where you can see the logs for Security Events, Risk Reports (e.g. Scanning) and general Events. NeuVector also supports SYSLOG for integration with tools such as SPLUNK as well as webhook notifications.

<strong>Security Events</strong>
#### Security Events

Use the search or Advanced Filter to locate specific events. The timeline widget at the top can also be adjusted using the left and right circles to change the time window. You can also easily add rules (Security Policy) to allow or deny the detected event by selecting the Review Rule button and deploying a new rule.

NeuVector continuously monitors all containers for know attacks such as DNS, DDoS, HTTP-smuggling, tunneling etc. When an attack is detected it is logged here and blocked (if container/service is set to protect), and the packet is automatically captured. You can view the packet details, for example:
![Capture](ping-capture.png)

<strong>Implicit Deny Rule is Violated</strong>
#### Implicit Deny Rule is Violated

Violations are connections that violate the whitelist Rules or match a blacklist Rule. Violations detailed are captured and source IPs can be investigated further.

Other security events include privilege escalations, suspicious processes, or abnormal file system activity detected on containers or hosts.

<strong>Risk Reports</strong>
#### Risk Reports

Registry scanning, run-time scanning, admission control events will be shown here. Also, CIS benchmarks and compliance checks results will be shown.

Please see the Reporting section for additional details and limits of the event displays in the console.

#### Settings
### Settings

##### Settings -> Users & Roles
#### Settings -> Users & Roles

Add other users here. Users can be assigned an Admin role, a Read-only role, or custom role. In Kubernetes, users can be assigned one or more namespaces to access. Custom roles can also be configured here for users and Groups (e.g. LDAP/AD) to be mapped to the roles. See the [users](/configuration/users) section for configuration details.

##### Settings -> Configuration
#### Settings -> Configuration

Configure a unique cluster name, new services mode, and other settings here.

If deploying on a Rancher or OpenShift cluster, authentication can be enabled such that Rancher users or OpenShift users can log into the NeuVector console with the associated RBACs. For Rancher users, a connecting button/link from the Rancher console allows Rancher admin's to open and access the NeuVector console directly.

##### Policy Configuration

The [New Service Mode](/policy/modes#new-service-mode) sets which protection mode any new services (applications) previously unknown or undefined in NeuVector will by default be set to. For production environments, it is not recommended to set this to Discover.

The [Network Service Policy Mode](/policy/modes#network-service-policy-mode), if enabled, applies the selected policy mode globally to the network rules for all groups, and each Group’s individual policy mode will only apply to process and file rules.
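Review bot: the new `##### Policy Configuration` heading inserted before the New Service Mode paragraph leaves the two paragraphs above it ('Configure a unique cluster name, new services mode, and other settings here.' and the Rancher/OpenShift authentication paragraph) as the only text under `#### Settings -> Configuration` without a sub-heading of their own, while everything after it now has one; give them a sub-heading too, or move the Rancher/OpenShift authentication paragraph next to the LDAP/AD, SAML and OpenID Connect section where the other SSO material lives. Since this hunk touches the Notifications section anyway, the unchanged context still reads 'know attacks' (should be 'known attacks'), 'These menu's combine' (should be 'These menus combine') and 'Rancher admin's' (should be 'Rancher admins').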
Expand All @@ -151,19 +153,54 @@ The Auto-Deletion of Unused Groups is useful for automated 'clean-up' of the dis

The X-FORWARDED-FOR enables/disables use of these headers in enforcing NeuVector network rules. This is useful to retain the original source IP of an ingress connection so it can be used for network rules enforcement. Enable means the source IP will be retained. See below for a detailed explanation.

##### Notification Configuration

Configure SIEM integration through [SYSLOG](/reporting/reporting#siem-and-syslog), including types of events, port etc. You can also choose to send events to the controller pod logs instead of or in addition to syslog. Note that these events will only be sent to the lead controller pod's log (not all controller pod logs in a multi-controller deployment).

Multiple webhooks can be configured to be used in [Response Rules](/policy/responserules) for customized notifications. Webhook format choices include Slack, JSON, and key-value pairs.

A Registry Proxy can be configured if your registry scanning connection between the controller and the registry must go through a proxy.
##### General Configuration

Configure SIEM integration through [SYSLOG](/reporting/reporting#siem-and-syslog), including types of events, port etc. You can also choose to send events to the controller pod logs instead of or in addition to syslog. Note that these events will only be sent to the lead controller pod's log (not all controller pod logs in a multi-controller deployment).
A Registry Proxy can be configured if your registry scanning connection between the controller and the registry must go through a proxy.

An integration with [IBM Security Advisor](/integration/ibmsa) and [QRadar](/integration/ibmqr) can be established.

Import/Export the Security Policy file. You can configure SSO for SAML and LDAP/AD here as well. See the Enterprise Integration section for configuration details. ***Important!*** Be careful when importing the configuration file. Importing will overwrite the existing settings. If you import a ‘policy only’ file, the Groups and Rules of the Policy will be overwritten. If you import a file with ‘all’ settings, then the Policy, Users, and Configurations will be overwritten. Note that the original ‘admin’ user’s password of your current Controller will also be overwritten with the original admin’s password in the imported file.
##### Remote Repository Configuration

Configure a remote GitHub repository that can be used when exporting CRD files.

In order to setup the remote repository, you need to provide the following information:

| Field | Type | Description |
| --- | --- | --- |
| Repository Provider | Mandatory | Select the repository provider. Currently, only GitHub is supported. |
| Owner User Name | Mandatory | The repository owner's GitHub username. |
| Branch Name | Optional | The specific branch within the repository that contains the CRD files. The default branch is 'main'. |
| Committer Name | Optional | The name of the committer associated with the personal access token. |
| Comment | Optional | The comment associated with the commit. |
| Repository Name | Mandatory | The repository name. |
| Personal Access Token | Mandatory | Grant the "repo" scope to the token. Obtain it from https://github.com/settings/tokens. |
| Email | Optional | The email address associated with the committer. |

![Example of a remote repository configuration](remote_repository_configuration.png)

Once the information is provided, click on the 'Submit' button to save the configuration.

The "export to remote repository" feature is available from the following locations:

+ Policy -> [Admissions Control](../policy/admission)
+ Policy -> [DLP Sensors](../policy/dlp)
+ Policy -> [WAF Sensors](../policy/dlp)
+ Security Risks -> [Vulnerability Profile](../scanning/scanning/vulnerabilities)
+ Security Risks -> [Compliance Profile](../scanning/scanning/compliance)

##### Export/Import

You can configure SSO for SAML and LDAP/AD here as well. See the Enterprise Integration section for configuration details. ***Important!*** Be careful when importing the configuration file. Importing will overwrite the existing settings. If you import a ‘policy only’ file, the Groups and Rules of the Policy will be overwritten. If you import a file with ‘all’ settings, then the Policy, Users, and Configurations will be overwritten. Note that the original ‘admin’ user’s password of your current Controller will also be overwritten with the original admin’s password in the imported file.

The Usage Report and Collect Log exports may be requested by your NeuVector support team.

###### X-FORWARDED-FOR Behavior Details
##### X-FORWARDED-FOR Behavior Details

In a Kubernetes cluster, an application can be exposed to the outside of the cluster by a NodePort, LoadBalancer or Ingress services. These services typically replace the source IP while doing the Source NAT (SNAT) on the packets. As the original source IP is masqueraded, this prevents NeuVector from recognizing the connection is actually from the 'external'.

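Review bot: the Personal Access Token row of the new table tells the reader to grant the "repo" scope, which on a classic GitHub token is read/write access to every repository the owner can reach, far more than a CRD export to one repository needs; because the token is saved with the configuration on Submit, the row should instead recommend a fine-grained personal access token limited to the single target repository with only the Contents read/write permission, ideally owned by a dedicated low-privilege account, and say that the token can be rotated by re-submitting the form and should be revoked on GitHub when no longer needed. Three smaller points in the same hunk: (1) the `WAF Sensors` entry links to `../policy/dlp`, the same target as `DLP Sensors`, which looks like a copy-paste error, and these five links use relative `../` paths while the rest of this file uses absolute `/policy/...` links; (2) the paragraph 'Multiple webhooks can be configured to be used in Response Rules ...' appears only beside the removed `##### Notification Configuration` heading and, unlike the SYSLOG and Registry Proxy paragraphs, has no counterpart under the new `##### General Configuration` heading, so confirm it was not dropped from the page; (3) under the new `##### Export/Import` heading the leading sentence 'Import/Export the Security Policy file.' was removed, so the section now opens with 'You can configure SSO for SAML and LDAP/AD here as well' with nothing for 'as well' to refer to, and the ***Important!*** warning that an import overwrites the current admin password is now easy to miss under a heading that starts with SSO; restore the Import/Export lead sentence and keep the warning as the first thing under that heading.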
Expand All @@ -179,81 +216,81 @@ This improvement created some unexpected issues in some setup. If the above line

A switch is available to disable this feature. Disabling it tells NeuVector not to identify that the connection is from "external" using X-FORWARDED-FOR headers. By default this is enabled, and the X-FORWARDED-FOR header is used in policy enforcement. To disable it, go to Settings -> Configuration, and disable the "X-Forwarded-For based policy match" setting.

##### Settings -> LDAP/AD, SAML, and OpenID Connect
#### Settings -> LDAP/AD, SAML, and OpenID Connect

NeuVector supports integration with LDAP/AD, SAML, and OpenID Connect for SSO and user group mapping. See the [Enterprise Integration](/integration/integration) section for configuration details.

##### Multiple Cluster Management
#### Multiple Cluster Management

You can manage [multiple NeuVector clusters](/navigation/multicluster) (e.g. multiple Kubernetes clusters running NeuVector on different clouds or on premise) by selecting a Master cluster, and joining remote clusters to them. Each remote cluster can also be individually managed. Security rules can be propagated to multiple clusters through use of Federated Policy settings.

##### My Profile
#### My Profile

You can increase the browser timeout setting, change your password and do other administrative profile edits.

#### Icon Descriptions in Legend > Network Activity
### Icon Descriptions in Legend > Network Activity

You can toggle the Legend on/off in the tools box of the Network Activity map.
![Legend](4-3_NA_Legend.png)

Here is what the icons mean:

##### External network
#### External network

This is any network outside the NeuVector cluster. This could include internet public access or other internal networks.

##### Namespace
#### Namespace

Namespace in Kubernetes or Project in OpenShift

##### Group/Container/Service Mesh in discovery
#### Group/Container/Service Mesh in discovery

This container is in Discover mode, where connections to/from it are learned and whitelist rules will automatically be created.

##### Group/Container/Service Mesh being monitored
#### Group/Container/Service Mesh being monitored

This container is in Monitor mode, where violations will be logged but not blocked.

##### Group/Container/Service Mesh being protected
#### Group/Container/Service Mesh being protected

This container is in Protect mode, where violations will be blocked.

##### Container Group
#### Container Group

This represent a group of containers in a service. Use this to provide a more abstract view if there are many container instances for a service/application (i.e. from the same image).

##### Un-managed node
#### Un-managed node

This node has been detected but does not have a NeuVector enforcer on it.

##### Un-managed container
#### Un-managed container

This container has been detected but is not on a node with a NeuVector enforcer on it. This could also represent some system services.

##### Exited Container
#### Exited Container

This container is not running but in an 'exited' state.

##### IP group
#### IP group

This is a group of IP Addresses.

##### Normal Conversation

Allowed, whitelisted connections are displayed in blue.

##### Internal Conversation
#### Internal Conversation

A connection within a service is shown in light gray.

##### Conversation with warning
#### Conversation with warning

A connection which has generated a violation alert is shown in lighter red.

##### Conversation being blocked
#### Conversation being blocked

If a connection is a violation, as shown in red, and has been blocked by NeuVector, the arrow will have an ‘x’ in it.

##### Quarantined container
#### Quarantined container

Containers with a red circle around them have been quarantined. To un-quarantine, right-click on the container and select the un-quarantine button.
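Review bot: `##### Normal Conversation` (the legend entry for blue, allowed connections) is the one legend heading in this hunk left at level 5 while all of its siblings from External network down to Quarantined container are promoted to `####`; change it to `#### Normal Conversation` so it renders at the same level as the other legend entries. Unchanged context nearby: 'This represent a group of containers' should read 'This represents a group of containers'.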
6 changes: 3 additions & 3 deletions docs/05.policy/14.namespaceboundary/14.namespaceboundary.md
Expand Up @@ -20,9 +20,9 @@ with namespace boundary enforcement only pod1 can talk to pod2 but not pod1 to p
<strong>Use label to enable/disable namespace boundary enforcement</strong>

+ **Add label to enable NBE**
> kubectl label namespace <namespace> NeuvectorNamespaceBoundary=enabled
> kubectl label namespace `<namespace>` NeuvectorNamespaceBoundary=enabled
+ **Remove or change label to disable NBE**
> kubectl label namespace <namespace> NeuvectorNamespaceBoundary-
> kubectl label namespace `<namespace>` NeuvectorNamespaceBoundary-
or
kubectl label namespace <namespace> NeuvectorNamespaceBoundary=disabled
kubectl label namespace `<namespace>` NeuvectorNamespaceBoundary=disabled
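Review bot: wrapping `<namespace>` in backticks fixes the placeholder being swallowed as an HTML/MDX tag, but the three commands remain inconsistently formatted: the first two are `>` blockquotes while 'or' and the third command (`NeuvectorNamespaceBoundary=disabled`) are bare paragraph text, so they render as a run-on sentence under the second bullet. Put all three commands in a fenced shell code block, or at least give the third one the same `>` prefix as the other two. For consistency with the heading conversions in the navigation file of this same commit, the `<strong>Use label to enable/disable namespace boundary enforcement</strong>` line could also become a `####` heading.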