NeuVector
Overview
As part of the Structsure Collaboration platform, NeuVector is used for platform container security. NeuVector is an end-to-end container security platform that performs various tasks, such as Threat Detection, Run-Time Vulnerability Scanning, and much more. It uses Big Bang's upstream chart to pull and deploy its images from Registry One with the latest CVE definitions.
Components
NeuVector consists of four core components: the Controller, Enforcer, Manager, and Scanner pods. For production deployments, the Structsure platform runs NeuVector in High Availability mode which deploys three Controller pods to manage the Enforcer pod cluster. The Enforcer is a DaemonSet that runs on each node in the cluster and enforces the cluster's security policies. The Manager provides a UI that the cluster operator can use to view and manage NeuVector operations. The Scanner scans the images, containers, and nodes for vulnerability and compliance.
NeuVector Console Features
NeuVector is deployed with a frontend web interface that presents a variety of menus and features. When logging into the console, you will first be greeted with the NeuVector dashboard. Here, you will see your various risk scores, as well as provided charts for security events and threats.
Additional menus for Network Activity, Resources, Policy, Security Risks, and Notifications are also available to provide even more information for the user.
A full overview and deep dive of Console features can be found here
Registry One and Scanning Container Image
The Big Bang NeuVector deployment uses hardened images and containers from Platform One's Registry One. These are contained in the Structsure Zarf package when either installing or upgrading your Structsure NeuVector deployment. The available NeuVector container images are:
:: note A Platform One account is required to view the above IronBank links. ::
On each image's IronBank page, there is a command you can copy and use locally, if needed, to pull the chosen image from Registry One. For each container, there is no latest tag, the containers have updated versions that function as the latest tag for each container. For example, the NeuVector Scanner container has available versions of v4 and v5, with v5 being the latest.
CVE Database
To view the current CVE database version, you can either view it in the Console under the Platforms, Registries, Vulnerabilities tab, or through curling it using the following:
kubectl exec <scanner pod> -n neuvector -- scanner -v -d /etc/neuvector/db/
In a traditional NeuVector deployment, the CVE database is updated through the Internet-connected Scanner pod. The Scanner pod pulls updated CVE database definitions on a schedule to ensure that it is up to date.
If you are wanting to perform a manual update of the CVE database, a file can be created that will run the database update job.
kubectl create -f neuvector-manual-updater.yaml
apiVersion: v1
kind: Pod
metadata:
name: neuvector-updater-pod
namespace: neuvector
spec:
containers:
- name: neuvector-updater-pod
image: neuvector/updater
imagePullPolicy: Always
command:
- /bin/sh
- -c
- TOKEN=`cat /var/run/secrets/kubernetes.io/serviceaccount/token`; /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $TOKEN" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'
restartPolicy: Never
Upgrading
Backing Up NeuVector Configuration
Prior to upgrading NeuVector, it is strongly recommended to backup any NeuVector configurations you may have. This ensures that if any issues arise, you won't lose your configuration.
A manual backup and restore of the system should only be done as a last resort.
In the NeuVector Console, navigate to Settings and within Configuration. Here, you can choose either full configuration backup or a policy-only backup.
Upgrading NeuVector
Most often, you will be upgrading your deployment of NeuVector alongside a full Structsure upgrade. The Structsure upgrade package will contain the upgraded NeuVector charts, images, and CVE databases.
Instructions for upgrading Structsure can be found here.
Airgap
Structsure supports an airgapped deployment of NeuVector with its platform. This allows for cluster monitoring and scanning even in an airgapped environment.
NeuVector will deploy in the normal way with Manager, Controller, Enforcer, and Scanner pods. The NeuVector Console will also still be available for system management.
In this instance, the deployment of NeuVector will not automatically update the CVE database as part of the Scanner's cron job. This is due to the job needing to be Internet connected and will be unable to reach out to the necessary endpoints.
The updating of the CVE database is done through Structsure package upgrades. If there are updated Scanner images for NeuVector from Platform One, they will be rolled out as part of the upgrade. This allows you to stay up to date with the latest vulnerability definitions, even in a disconnected environment.
In the event of an urgent update to the Scanner image outside of the normal Structsure upgrade, it is possible to upload your desired Scanner image to your local Zarf registry and update your NeuVector configuration to point to your new image.
Links to Upstream NeuVector Documentation
If futher reading and more granual information outside of the scope of Structsure is desired, the upstream NeuVector docs can be found here.