How to Deploy and Manage NeuVector on IBM Cloud

Overview

The NeuVector Kubernetes Container Security Platform is integrated with IBM Cloud to provide a smooth onboarding experience to deploy and manage NeuVector for IBM Cloud customers. The integration supports automated usage-based billing to the accounts of IBM Cloud customers for their usage of the NeuVector software. It also supports automated free trials and subscription initiation, as well as authentication to pull the NeuVector containers for deployment on IBM Cloud Kubernetes (IKS) clusters.

Getting Started

To get started, navigate to the NeuVector Container Security Platform in the IBM Global Catalog.

  • Review the catalog listing, including Free Trial and Standard pricing plans available to subscribers.
  • Select the plan to subscribe to, either to start your trial or to subscribe to NeuVector.
  • Once initiated, the subscription will create and present a license key for use on your NeuVector deployment. You need access to the license key as part of the deployment.
  • In addition, a login will be created on registry.neuvector.com to enable you to pull the NeuVector containers for deployment. You need access to the registry credentials as part of the deployment.

Note: When subscribing to the Standard pricing plan, billing will not start until you configure the license in a deployed NeuVector platform.

Deploying the NeuVector Platform on an IBM Cloud IKS cluster

This guide describes how to deploy the NeuVector Platform using a trial or standard pricing plan on an existing IBM Cloud IKS cluster.

Pre-Requisites

This guide assumes you have the following prerequisites ready, provisioned and/or configured:

The guide focuses on VPC Gen 2 compute clusters based on Kubernetes version >=1.19. Deployments in other IBM Cloud IKS cluster configurations are supported but may require adapting the presented commands and/or configurations.

Steps

By following the steps of this guide you will:

  • Deploy the NeuVector Platform in an IBM Cloud IKS cluster
  • Use the official NeuVector Helm chart for the deployment
  • Get access to the web-based NeuVector Console via an ALB-based ingress
  • Configure the license key obtained from the NeuVector Container Security Platform service instance to the NeuVector Platform deployment

Verify installation of required CLI tools.

ibmcloud version
ibmcloud ks help
kubectl version
helm version

Ensure you are logged in with your IBM Cloud account in the IBM Cloud CLI.

ibmcloud target

Determine the IBM Cloud IKS cluster in which to deploy the NeuVector Platform.

ibmcloud ks cluster ls

# Set IKS cluster id (e.g. c1cd1i4d0neevevj1v6g)
IC_IKS_CLUSTER_ID=[...]

Ensure the IKS cluster admin credentials are configured as the current kubectl context. Skip this step if you have already configured kubectl to access the target IKS cluster.

ibmcloud ks cluster config --admin --cluster $IC_IKS_CLUSTER_ID

Determine the ingress domain and the ingress TLS secret name of the IKS cluster. These values are specific to the IKS cluster in which you intend to deploy the NeuVector Platform.

IC_IKS_INGRESS_DOMAIN=$(ibmcloud ks cluster get --cluster $IC_IKS_CLUSTER_ID --json | python -c "import json,sys;obj=json.load(sys.stdin);print(obj['ingress']['hostname']);")
echo $IC_IKS_INGRESS_DOMAIN
IC_IKS_INGRESS_SECRET_NAME=$(ibmcloud ks cluster get --cluster $IC_IKS_CLUSTER_ID --json | python -c "import json,sys;obj=json.load(sys.stdin);print(obj['ingress']['secretName']);")
echo $IC_IKS_INGRESS_SECRET_NAME

Verify that you can connect to the IKS cluster.

kubectl config current-context
kubectl get pod --all-namespaces

Create a dedicated namespace neuvector for the NeuVector Platform deployment.

kubectl create namespace neuvector
# namespace/neuvector created

From the details/manage view of the NeuVector Container Security Platform service instance provisioned in your IBM Cloud console, download the registry credentials as a Kubernetes secret YAML manifest. Save the file to ./neuvector-secret-nv-registry.yaml.

Apply the Kubernetes secret manifest containing the registry credentials.

kubectl apply -n neuvector -f ./neuvector-secret-nv-registry.yaml
# secret/nv-registry created

Prepare the values for the NeuVector Helm installation in the file ./neuvector-helm.yaml according to the following YAML snippet. For a quick start, we recommend keeping the web-based NeuVector console enabled, i.e. set manager.ingress.enabled: true.

Check the values reference of the NeuVector Helm chart for the available configuration options. Other Helm values can be configured in the YAML, such as whether the cluster should allow multi-cluster management by exposing the master (Federated Master) or remote (Federated Worker) services.

imagePullSecrets: nv-registry
registry: registry.neuvector.com

controller:
  image:
    repository: controller
  
  apisvc:
    type: ClusterIP

enforcer:
  image:
    repository: enforcer

manager:
  image:
    repository: manager
  
  svc:
    type: ClusterIP

  ingress:
    enabled: true
    tls: true
    # secretName depends on IKS deployment and is set in helm install argument
    # host depends on IKS deployment and is set in helm install argument
    annotations:
      kubernetes.io/ingress.class: public-iks-k8s-nginx
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS

cve:
  updater:
    image:
      repository: updater
  scanner:
    image:
      repository: scanner

# IKS clusters use containerd runtime
containerd:
  enabled: true
  path: /var/run/containerd/containerd.sock
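
Before running helm install, a short preflight check of the values file catches the settings that matter most for this deployment: an unset pull secret, a service type that exposes the console or API outside the cluster, an ingress without TLS or without the HTTPS backend annotation, and a disabled containerd runtime. The following Python is an added example and not code from NeuVector or IBM Cloud; it assumes the values have been loaded into a dict (for instance with yaml.safe_load on ./neuvector-helm.yaml) and uses two constructed sample value sets.

```python
# Preflight check of the NeuVector Helm values for IKS. Added example, not code
# from NeuVector or IBM Cloud; assumes ./neuvector-helm.yaml was loaded into a
# dict (e.g. with yaml.safe_load). Both sample value sets below are constructed.
from typing import Any, List


def _get(values: dict, dotted: str, default: Any = None) -> Any:
    """Look up a dotted key such as 'manager.ingress.tls', else return default."""
    cur: Any = values
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def check_values(values: dict) -> List[str]:
    """Return findings for settings that break the install or weaken it; [] is clean."""
    findings = []
    if not values.get("imagePullSecrets"):
        findings.append("imagePullSecrets unset: pulls from registry.neuvector.com will fail")
    # Both services stay ClusterIP; the console is reached only through the ingress.
    for svc in ("controller.apisvc.type", "manager.svc.type"):
        if _get(values, svc, "ClusterIP") != "ClusterIP":
            findings.append(f"{svc}={_get(values, svc)!r}: exposes the service outside the cluster")
    if _get(values, "manager.ingress.enabled") is True:
        if _get(values, "manager.ingress.tls") is not True:
            findings.append("manager.ingress.tls is not true: console logins cross the ALB in cleartext")
        ann = _get(values, "manager.ingress.annotations", {}) or {}
        if ann.get("nginx.ingress.kubernetes.io/backend-protocol") != "HTTPS":
            findings.append("backend-protocol is not HTTPS: the ALB cannot reach the HTTPS-only manager")
    if _get(values, "containerd.enabled") is not True:
        findings.append("containerd.enabled is not true: IKS nodes run containerd, enforcers need its socket")
    return findings


# Constructed sample matching this guide's values file.
HARDENED = {
    "imagePullSecrets": "nv-registry", "registry": "registry.neuvector.com",
    "controller": {"apisvc": {"type": "ClusterIP"}},
    "manager": {"svc": {"type": "ClusterIP"},
                "ingress": {"enabled": True, "tls": True, "annotations": {
                    "kubernetes.io/ingress.class": "public-iks-k8s-nginx",
                    "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"}}},
    "containerd": {"enabled": True, "path": "/var/run/containerd/containerd.sock"},
}
# Constructed sample: a weakened variant that a quick edit could produce.
WEAK = {"registry": "registry.neuvector.com", "containerd": {"enabled": False},
        "manager": {"svc": {"type": "LoadBalancer"},
                    "ingress": {"enabled": True, "tls": False, "annotations": {}}}}
```

Run check_values on the loaded values and abort the install if it returns any findings.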

Define the NeuVector version to install. You can find the latest NeuVector version in the release notes.

NV_VERSION=4.2.1

Install the NeuVector Platform with Helm. Expect the installation to take up to 2 minutes. When the helm install command returns successfully, the NeuVector Platform deployment is complete.

# tag pins the NeuVector image version defined in NV_VERSION above
helm install \
    'neuvector-core' \
    'core' \
    --repo 'https://neuvector.github.io/neuvector-helm/' \
    --namespace neuvector \
    --values ./neuvector-helm.yaml \
    --set "tag=${NV_VERSION}" \
    --set "manager.ingress.host=neuvector.${IC_IKS_INGRESS_DOMAIN}" \
    --set "manager.ingress.secretName=${IC_IKS_INGRESS_SECRET_NAME}" \
    --atomic --wait

After you have successfully deployed the NeuVector Platform to your IKS cluster, log in to the NeuVector console at https://neuvector.${IC_IKS_INGRESS_DOMAIN}. The domain of the NeuVector console is specific to your IKS cluster and is printed when the helm install command finishes.

Log in with the initial username admin and password admin.

Accept the NeuVector end user license agreement.

Change the password of the admin user.

Apply the license which you have copied from the details/manage view of the NeuVector Container Security Platform service instance.

Now you are ready to navigate the NeuVector console to start vulnerability scanning, observe running application pods, and apply security protections to containers.

Deploying the NeuVector Platform to other environments/infrastructures

The NeuVector Container Security Platform service instance can be used to deploy and license the NeuVector Platform in any supported environment or infrastructure. For example, you can deploy the NeuVector Platform in an on-premises Kubernetes cluster and have it billed via your IBM Cloud account.

For further deployment options, refer to the NeuVector documentation.

To access the NeuVector documentation either follow the link in the details/manage view of the NeuVector Container Security Platform service instance or contact [email protected] to request a login to docs.neuvector.com.

Getting Support

To get access to more detailed NeuVector documentation, best practices, or receive support please contact [email protected] and identify yourself as an IBM Cloud integrated billing customer.