[dev-v2.9] Forward port neuvector 102.1.0+up2.7.7 from dev-v2.7 (#4094)

Nicholas openSUSE Software Engineer 2024-06-17 17:16:01 -03:00 committed by GitHub
parent ab416b5f7a
commit 694eeea693
65 changed files with 8468 additions and 0 deletions




@ -0,0 +1,16 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-neuvector-system
catalog.cattle.io/release-name: neuvector-crd
apiVersion: v1
appVersion: 5.3.3
description: Helm chart for NeuVector's CRD services
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector-crd
type: application
version: 102.1.0+up2.7.7


@ -0,0 +1,14 @@
# NeuVector Helm Chart
Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the container applications.
Because the CRD policies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set `crdwebhook.enabled` to false in the 'core' chart.
## Configuration
The following table lists the configurable parameters of the NeuVector chart and their default values.
Parameter | Description | Default | Notes
--------- | ----------- | ------- | -----
`openshift` | If deploying in OpenShift, set this to true | `false` |
`crdwebhook.type` | crd webhook type | `ClusterIP` |


@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "neuvector.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "neuvector.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "neuvector.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}


@ -0,0 +1,975 @@
{{- if .Values.crdwebhook.enabled -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvsecurityrules.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
group: neuvector.com
names:
kind: NvSecurityRule
listKind: NvSecurityRuleList
plural: nvsecurityrules
singular: nvsecurityrule
scope: Namespaced
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
egress:
items:
properties:
action:
enum:
- allow
- deny
type: string
applications:
items:
type: string
type: array
name:
type: string
ports:
type: string
priority:
type: integer
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
type: object
required:
- action
- name
- selector
type: object
type: array
file:
items:
properties:
app:
items:
type: string
type: array
behavior:
enum:
- monitor_change
- block_access
type: string
filter:
type: string
recursive:
type: boolean
required:
- behavior
- filter
type: object
type: array
ingress:
items:
properties:
action:
enum:
- allow
- deny
type: string
applications:
items:
type: string
type: array
name:
type: string
ports:
type: string
priority:
type: integer
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
type: object
required:
- action
- name
- selector
type: object
type: array
process:
items:
properties:
action:
enum:
- allow
- deny
type: string
allow_update:
type: boolean
name:
type: string
path:
type: string
required:
- action
type: object
type: array
process_profile:
properties:
baseline:
enum:
- default
- shield
- basic
- zero-drift
type: string
type: object
target:
properties:
policymode:
enum:
- Discover
- Monitor
- Protect
- N/A
type: string
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
type: object
required:
- selector
type: object
dlp:
properties:
settings:
items:
properties:
action:
enum:
- allow
- deny
type: string
name:
type: string
required:
- name
- action
type: object
type: array
status:
type: boolean
type: object
waf:
properties:
settings:
items:
properties:
action:
enum:
- allow
- deny
type: string
name:
type: string
required:
- name
- action
type: object
type: array
status:
type: boolean
type: object
required:
- target
type: object
type: object
{{- end }}
---
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvclustersecurityrules.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
group: neuvector.com
names:
kind: NvClusterSecurityRule
listKind: NvClusterSecurityRuleList
plural: nvclustersecurityrules
singular: nvclustersecurityrule
scope: Cluster
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
egress:
items:
properties:
action:
enum:
- allow
- deny
type: string
applications:
items:
type: string
type: array
name:
type: string
ports:
type: string
priority:
type: integer
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
type: object
required:
- action
- name
- selector
type: object
type: array
file:
items:
properties:
app:
items:
type: string
type: array
behavior:
enum:
- monitor_change
- block_access
type: string
filter:
type: string
recursive:
type: boolean
required:
- behavior
- filter
type: object
type: array
ingress:
items:
properties:
action:
enum:
- allow
- deny
type: string
applications:
items:
type: string
type: array
name:
type: string
ports:
type: string
priority:
type: integer
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
type: object
required:
- action
- name
- selector
type: object
type: array
process:
items:
properties:
action:
enum:
- allow
- deny
type: string
allow_update:
type: boolean
name:
type: string
path:
type: string
required:
- action
type: object
type: array
process_profile:
properties:
baseline:
enum:
- default
- shield
- basic
- zero-drift
type: string
type: object
target:
properties:
policymode:
enum:
- Discover
- Monitor
- Protect
- N/A
type: string
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
type: object
required:
- selector
type: object
dlp:
properties:
settings:
items:
properties:
action:
enum:
- allow
- deny
type: string
name:
type: string
required:
- name
- action
type: object
type: array
status:
type: boolean
type: object
waf:
properties:
settings:
items:
properties:
action:
enum:
- allow
- deny
type: string
name:
type: string
required:
- name
- action
type: object
type: array
status:
type: boolean
type: object
required:
- target
type: object
type: object
{{- end }}
---
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvdlpsecurityrules.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
group: neuvector.com
names:
kind: NvDlpSecurityRule
listKind: NvDlpSecurityRuleList
plural: nvdlpsecurityrules
singular: nvdlpsecurityrule
scope: Cluster
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
sensor:
properties:
comment:
type: string
name:
type: string
rules:
items:
properties:
name:
type: string
patterns:
items:
properties:
context:
enum:
- url
- header
- body
- packet
type: string
key:
enum:
- pattern
type: string
op:
enum:
- regex
- '!regex'
type: string
value:
type: string
required:
- key
- op
- value
- context
type: object
type: array
required:
- name
- patterns
type: object
type: array
required:
- name
type: object
required:
- sensor
type: object
type: object
{{- end }}
---
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvadmissioncontrolsecurityrules.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
group: neuvector.com
names:
kind: NvAdmissionControlSecurityRule
listKind: NvAdmissionControlSecurityRuleList
plural: nvadmissioncontrolsecurityrules
singular: nvadmissioncontrolsecurityrule
scope: Cluster
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
config:
properties:
client_mode:
enum:
- service
- url
type: string
enable:
type: boolean
mode:
enum:
- monitor
- protect
type: string
required:
- enable
- mode
- client_mode
type: object
rules:
items:
properties:
action:
enum:
- allow
- deny
type: string
comment:
type: string
criteria:
items:
properties:
name:
type: string
op:
type: string
path:
type: string
sub_criteria:
items:
properties:
name:
type: string
op:
type: string
value:
type: string
required:
- name
- op
- value
type: object
type: array
template_kind:
type: string
type:
type: string
value:
type: string
value_type:
type: string
required:
- name
- op
- value
type: object
type: array
disabled:
type: boolean
id:
type: integer
rule_mode:
enum:
- ""
- monitor
- protect
type: string
containers:
items:
enum:
- containers
- init_containers
- ephemeral_containers
type: string
type: array
required:
- action
- criteria
type: object
type: array
type: object
type: object
{{- end }}
---
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvwafsecurityrules.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
group: neuvector.com
names:
kind: NvWafSecurityRule
listKind: NvWafSecurityRuleList
plural: nvwafsecurityrules
singular: nvwafsecurityrule
scope: Cluster
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
sensor:
properties:
comment:
type: string
name:
type: string
rules:
items:
properties:
name:
type: string
patterns:
items:
properties:
context:
enum:
- url
- header
- body
- packet
type: string
key:
enum:
- pattern
type: string
op:
enum:
- regex
- '!regex'
type: string
value:
type: string
required:
- key
- op
- value
- context
type: object
type: array
required:
- name
- patterns
type: object
type: array
required:
- name
type: object
required:
- sensor
type: object
type: object
{{- end }}
---
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvcomplianceprofiles.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
group: neuvector.com
names:
kind: NvComplianceProfile
listKind: NvComplianceProfileList
plural: nvcomplianceprofiles
singular: nvcomplianceprofile
scope: Cluster
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
templates:
properties:
disable_system:
type: boolean
entries:
items:
properties:
tags:
items:
type: string
type: array
test_number:
type: string
required:
- test_number
type: object
type: array
required:
- entries
type: object
type: object
type: object
{{- end }}
---
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvvulnerabilityprofiles.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
group: neuvector.com
names:
kind: NvVulnerabilityProfile
listKind: NvVulnerabilityProfileList
plural: nvvulnerabilityprofiles
singular: nvvulnerabilityprofile
scope: Cluster
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
profile:
properties:
entries:
items:
properties:
comment:
type: string
days:
type: integer
domains:
items:
type: string
type: array
images:
items:
type: string
type: array
name:
type: string
required:
- name
type: object
type: array
required:
- entries
type: object
required:
- profile
type: object
type: object
{{- end }}
---
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-crd-webhook
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
ports:
- port: 443
targetPort: 30443
protocol: TCP
name: crd-webhook
type: {{ .Values.crdwebhook.type }}
selector:
app: neuvector-controller-pod
{{- end }}
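Review bot: `$oc4` and `$oc3` are assigned at the top of the template from `.Values.openshift` and the parsed `.Capabilities.KubeVersion.GitVersion`, but neither variable is referenced anywhere in the rendered CRDs or the Service, so both lines are dead code and should be dropped (or the OpenShift-specific rendering they were meant to drive added back). Because `schema:` is only emitted inside the `semverCompare ">=1.19-0"` branch, on older clusters every one of the eight CRDs is created with no OpenAPI schema at all, so NvSecurityRule, NvAdmissionControlSecurityRule and the other policy objects are stored unvalidated; if pre-1.19 clusters are still supported, the v1beta1 branch should carry the same schema under `validation.openAPIV3Schema`, otherwise the branch can go. The `neuvector-svc-crd-webhook` Service takes `type: {{ .Values.crdwebhook.type }}` with no restriction, so a NodePort/LoadBalancer value publishes the controller's webhook port 30443 outside the cluster; a comment such as `# Keep ClusterIP: the webhook is only called by the API server` next to the `type:` line would document the intent.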


@ -0,0 +1,9 @@
# Default values for neuvector.
# This is a YAML-formatted file.
# Declare variables to be passed into the templates.
openshift: false
crdwebhook:
type: ClusterIP
enabled: true


@ -0,0 +1,27 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: NeuVector Monitor
catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.31.0-0'
catalog.cattle.io/namespace: cattle-neuvector-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux
catalog.cattle.io/provides-gvr: neuvector.com/v1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: neuvector-monitor
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/upstream-version: 2.7.7
apiVersion: v1
appVersion: 1-1.0.0
description: Helm feature chart (optional) add-on to NeuVector for monitoring with
Prometheus/Grafana.
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
keywords:
- security
maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector-monitor
sources:
- https://github.com/neuvector/neuvector
version: 102.1.0+up2.7.7
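Review bot: `catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'` still restricts this chart to Rancher 2.7 although the commit forward-ports it to dev-v2.9, and the core chart's Chart.yaml later in this commit carries the same range. If forward-ported charts intentionally keep their original Rancher range (offered only for upgrade paths) this is fine; otherwise the chart will not be listed on 2.9, so it is worth confirming in the PR description.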


@ -0,0 +1,22 @@
# NeuVector Helm Chart
Helm chart for NeuVector's monitoring services.
## Configuration
The following table lists the configurable parameters of the NeuVector chart and their default values.
Parameter | Description | Default | Notes
--------- | ----------- | ------- | -----
`registry` | NeuVector container registry | `registry.neuvector.com` |
`oem` | OEM release name | `nil` |
`leastPrivilege` | Assume monitor chart is always installed after the core chart, so service accounts created by the core chart will be used. Keep this value as same as in the core chart. | `false` |
`exporter.enabled` | If true, create Prometheus exporter | `false` |
`exporter.image.repository` | exporter image name | `neuvector/prometheus-exporter` |
`exporter.image.tag` | exporter image tag | `latest` |
`exporter.ctrlSecretName` | existing secret that have CTRL_USERNAME and CTRL_PASSWORD fields to login to the controller. | `nil` | if parameter exists then `exporter.CTRL_USERNAME` & `exporter.CTRL_PASSWORD` will be skipped
`exporter.CTRL_USERNAME` | Username to login to the controller. Suggest to replace the default admin user to a read-only user | `admin` |
`exporter.CTRL_PASSWORD` | Password to login to the controller. | `admin` |
`exporter.enforcerStats.enabled` | If true, enable the Enforcers stats | `false` | For the performance reason, by default the exporter does NOT pull CPU/memory usage from enforcers.
---


@ -0,0 +1,5 @@
### Run-Time Protection Without Compromise
NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform.
Helm chart for NeuVector's monitoring services. Please make sure REST API service for controller in core chart is enabled.



@ -0,0 +1,27 @@
questions:
#monitor configurations
- variable: exporter.image.repository
default: "neuvector/prometheus-exporter"
description: exporter image repository
type: string
label: Exporter Image Path
group: "Container Images"
- variable: exporter.image.tag
default: ""
description: image tag for exporter
type: string
label: exporter Image Tag
group: "Container Images"
#controller crendential configuration
- variable: exporter.CTRL_USERNAME
default: "admin"
description: Controller Username
type: string
label: Controller Username
group: "Controller Crendential"
- variable: exporter.CTRL_PASSWORD
default: "admin"
description: Controller Password
type: string
label: Controller Password
group: "Controller Crendential"
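Review bot: The `exporter.CTRL_PASSWORD` question is declared `type: string`, so the Rancher UI renders the controller password in a plain text field and stores it as a visible answer; declare it `type: password` so the field is masked. The group label is misspelled on both credential questions, `group: "Controller Crendential"` should read `group: "Controller Credential"`, and the comment above them repeats the typo. Both questions default to `"admin"`, mirroring values.yaml; consider an empty default for the password so an install cannot silently keep admin/admin.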


@ -0,0 +1,40 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "neuvector.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "neuvector.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "neuvector.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}


@ -0,0 +1,19 @@
{{- if .Values.exporter.grafanaDashboard.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: nv-grafana-dashboard
namespace: {{ .Values.exporter.grafanaDashboard.namespace | default .Release.Namespace }}
labels:
grafana_dashboard: "1"
{{- if .Values.exporter.grafanaDashboard.labels }}
{{- toYaml .Values.exporter.grafanaDashboard.labels | nindent 4}}
{{- end }}
{{- if .Values.exporter.grafanaDashboard.annotations }}
annotations:
{{- toYaml .Values.exporter.grafanaDashboard.annotations | nindent 4}}
{{- end }}
data:
nv_dashboard.json: |
{{ .Files.Get "dashboards/nv_dashboard.json" | indent 4 }}
{{- end }}


@ -0,0 +1,75 @@
{{- if .Values.exporter.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: neuvector-prometheus-exporter-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: 1
selector:
matchLabels:
app: neuvector-prometheus-exporter-pod
template:
metadata:
annotations:
prometheus.io/path: /metrics
prometheus.io/port: "8068"
prometheus.io/scrape: "true"
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
labels:
app: neuvector-prometheus-exporter-pod
release: {{ .Release.Name }}
{{- with .Values.exporter.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.leastPrivilege }}
serviceAccountName: basic
serviceAccount: basic
{{- end }}
{{- with .Values.exporter.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: neuvector-prometheus-exporter-pod
{{ if eq .Values.registry "registry.neuvector.com" }}
{{ if .Values.oem }}
image: "{{ .Values.registry }}/{{ .Values.oem }}/prometheus-exporter:{{ .Values.exporter.image.tag }}"
{{- else }}
image: "{{ .Values.registry }}/prometheus-exporter:{{ .Values.exporter.image.tag }}"
{{- end }}
{{- else }}
image: {{ template "system_default_registry" . }}{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}
{{- end }}
imagePullPolicy: Always
{{- with .Values.exporter.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: CTRL_API_SERVICE
value: {{ .Values.exporter.apiSvc }}
- name: EXPORTER_PORT
value: "8068"
{{- if .Values.exporter.enforcerStats.enabled }}
- name: ENFORCER_STATS
value: "{{.Values.exporter.enforcerStats.enabled | default "false"}}"
{{- end }}
envFrom:
- secretRef:
{{- if .Values.exporter.ctrlSecretName }}
name: {{ .Values.exporter.ctrlSecretName }}
{{ else }}
name: neuvector-prometheus-exporter-pod-secret
{{- end }}
restartPolicy: Always
{{- end }}
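Review bot: The pod template never sets `automountServiceAccountToken: false`, so the exporter container receives the default (or `basic`) service account token even though, judging from the `CTRL_API_SERVICE` env var, it only talks to the controller's REST API; if that holds, add `automountServiceAccountToken: false` under the pod `spec:`. `securityContext` and `containerSecurityContext` both default to `{}` in values.yaml, so nothing enforces `runAsNonRoot`, `readOnlyRootFilesystem` or `allowPrivilegeEscalation: false` unless the operator supplies them; a commented example in values would make the hardening discoverable. `value: {{ .Values.exporter.apiSvc }}` is rendered unquoted, so use `value: {{ .Values.exporter.apiSvc | quote }}` to keep a host:port or digit-only override from being retyped by YAML. The `| default "false"` on `ENFORCER_STATS` can never apply because the surrounding `if` only renders the entry when the value is truthy.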


@ -0,0 +1,29 @@
{{- if and .Values.exporter.enabled .Values.exporter.svc.enabled }}
apiVersion: v1
kind: Service
metadata:
name: neuvector-prometheus-exporter
namespace: {{ .Release.Namespace }}
{{- with .Values.exporter.svc.annotations }}
annotations:
{{ toYaml . | nindent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
app: neuvector-prometheus-exporter
spec:
type: {{ .Values.exporter.svc.type }}
{{- if and .Values.exporter.svc.loadBalancerIP (eq .Values.exporter.svc.type "LoadBalancer") }}
loadBalancerIP: {{ .Values.exporter.svc.loadBalancerIP }}
{{- end }}
ports:
- port: 8068
name: metrics
targetPort: 8068
protocol: TCP
appProtocol: http
selector:
app: neuvector-prometheus-exporter-pod
{{- end }}


@ -0,0 +1,39 @@
{{- if .Values.exporter.serviceMonitor.enabled -}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: neuvector-prometheus-exporter
namespace: {{ .Release.Namespace }}
{{- with .Values.exporter.serviceMonitor.annotations }}
annotations:
{{ toYaml . | nindent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.exporter.serviceMonitor.labels }}
{{- toYaml .Values.exporter.serviceMonitor.labels | nindent 4}}
{{- end }}
spec:
selector:
matchLabels:
app: neuvector-prometheus-exporter
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
endpoints:
- port: metrics
{{- if .Values.exporter.serviceMonitor.interval }}
interval: {{ .Values.exporter.serviceMonitor.interval }}
{{- end }}
path: "/metrics"
{{- if .Values.exporter.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.exporter.serviceMonitor.metricRelabelings | nindent 6 }}
{{- end }}
{{- if .Values.exporter.serviceMonitor.relabelings }}
relabelings:
{{- toYaml .Values.exporter.serviceMonitor.relabelings | nindent 6 }}
{{- end }}
{{- end }}
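Review bot: This ServiceMonitor is gated on `.Values.exporter.serviceMonitor.enabled` alone, whereas the Service it selects by `app: neuvector-prometheus-exporter` is only rendered when both `exporter.enabled` and `exporter.svc.enabled` are true, so enabling the monitor while the exporter or its Service is disabled produces a ServiceMonitor that matches nothing. Change the guard to `{{- if and .Values.exporter.enabled .Values.exporter.svc.enabled .Values.exporter.serviceMonitor.enabled -}}` to keep the three templates consistent.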


@ -0,0 +1,15 @@
{{- if and (.Values.exporter.enabled) (not .Values.exporter.ctrlSecretName) -}}
apiVersion: v1
kind: Secret
metadata:
name: neuvector-prometheus-exporter-pod-secret
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
type: Opaque
data:
CTRL_USERNAME: {{ .Values.exporter.CTRL_USERNAME | b64enc | quote }}
CTRL_PASSWORD: {{ .Values.exporter.CTRL_PASSWORD | b64enc | quote }}
{{- end }}


@ -0,0 +1,59 @@
# Default values for neuvector.
# This is a YAML-formatted file.
# Declare variables to be passed into the templates.
global:
cattle:
systemDefaultRegistry: ""
registry: docker.io
oem: ''
leastPrivilege: false
exporter:
# If false, exporter will not be installed
enabled: true
image:
repository: rancher/mirrored-neuvector-prometheus-exporter
tag: 1-1.0.0
# changes this to a readonly user !
CTRL_USERNAME: admin
CTRL_PASSWORD: admin
ctrlSercretName: ''
enforcerStats:
enabled: false
ctrlSecretName: ''
apiSvc: neuvector-svc-controller-api:10443
podLabels: {}
securityContext: {}
containerSecurityContext: {}
svc:
enabled: true
type: ClusterIP
loadBalancerIP: ''
annotations: {}
# service.beta.kubernetes.io/azure-load-balancer-internal: "true"
# service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
grafanaDashboard:
enabled: false
namespace: "" # Release namespace, if empty
labels: {}
# annotations: {}
# k8s-sidecar-target-directory: /tmp/dashboards/neuvector
serviceMonitor:
enabled: false
# labels for the ServiceMonitor.
labels: {}
# annotations for the ServiceMonitor.
annotations: {}
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval: ""
# MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
# ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
metricRelabelings: []
# RelabelConfigs to apply to samples before scraping
# ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
relabelings: []
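Review bot: `ctrlSercretName: ''` is a misspelled duplicate of `ctrlSecretName: ''` three lines below; the exporter Deployment and the Secret template both read `ctrlSecretName`, so the misspelled key is dead and will mislead anyone who sets it expecting the generated Secret to be skipped — remove it. The `CTRL_USERNAME`/`CTRL_PASSWORD` defaults of `admin`/`admin` are rendered verbatim into the `neuvector-prometheus-exporter-pod-secret` Secret whenever `ctrlSecretName` is empty, and the comment above them is ungrammatical; suggest `# Replace with a read-only controller user: these defaults are written into a Secret unless ctrlSecretName is set`. `tag: 1-1.0.0` and `apiSvc: neuvector-svc-controller-api:10443` parse as strings today but would be safer quoted, matching `systemDefaultRegistry: ""` in the same file.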


@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj


@ -0,0 +1,27 @@
annotations:
catalog.cattle.io/auto-install: neuvector-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: NeuVector
catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.31.0-0'
catalog.cattle.io/namespace: cattle-neuvector-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux
catalog.cattle.io/provides-gvr: neuvector.com/v1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: neuvector
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/upstream-version: 2.7.7
apiVersion: v1
appVersion: 5.3.3
description: Helm feature chart for NeuVector container security platform.
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
keywords:
- security
maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector
sources:
- https://github.com/neuvector/neuvector
version: 102.1.0+up2.7.7


@ -0,0 +1,289 @@
# NeuVector Helm Chart
Helm chart for NeuVector container security's core services.
## Choosing container runtime
Prior to 5.3 release, the user has to specify the correct container runtime type and its socket path. In 5.3.0 release, the enforcer is able to automatically detect the container runtime at its default socket location. The settings of docker/containerd/crio/k8s/bottlerocket become deprecated. If the container runtime socket is not at the default location, please specify it using 'runtimePath' field. In the meantime, the controller does not require the runtime socket to be mounted any more.
## Configuration
The following table lists the configurable parameters of the NeuVector chart and their default values.
Parameter | Description | Default | Notes
--------- | ----------- | ------- | -----
`openshift` | If deploying in OpenShift, set this to true | `false` |
`registry` | NeuVector container registry | `docker.io` |
`tag` | image tag for controller enforcer manager | `latest` |
`oem` | OEM release name | `nil` |
`imagePullSecrets` | image pull secret | `nil` |
`rbac` | NeuVector RBAC Manifests are installed when RBAC is enabled | `true` | Required for Rancher Authentication. |
`psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` |
`serviceAccount` | Service account name for NeuVector components | `default` |
`leastPrivilege` | Use least privileged service account | `false` |
`autoGenerateCert` | Automatically generate certificate or not | `true` |
`internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` |
`internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` |
`defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` |
`global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https://<Rancher_URL>/` |
`global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment.
`global.aws.accountNumber` | AWS Account Number | `nil` | Follow AWS subscription instruction
`global.aws.roleName` | AWS Role name for billing | `nil` | Follow AWS subscription instruction
`global.aws.serviceAccount` | Service account name for csp adapter | `csp` | Follow AWS subscription instruction
`global.aws.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow AWS subscription instruction
`global.aws.image.repository` | csp adapter image repository | `neuvector/neuvector-csp-adapter` | Follow AWS subscription instruction
`global.aws.image.tag` | csp adapter image tag | `latest` | Follow AWS subscription instruction
`global.aws.image.digest` | csp adapter image digest | `nil` | Follow AWS subscription instruction
`global.aws.image.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow AWS subscription instruction
`global.azure.enabled` | If true, install Azure billing csp adapter | `false` | **Note**: default admin user is disabled when azure market place billing enabled, use secret to create admin-role user to manage NeuVector deployment.
`global.azure.serviceAccount` | Service account name for csp adapter | `csp` | Follow Azure subscription instruction
`global.azure.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow Azure subscription instruction
`global.azure.images.neuvector_csp_pod.registry` | csp adapter image registry | `susellcforazuremarketplace.azurecr.io` | Follow Azure subscription instruction
`global.azure.images.neuvector_csp_pod.image` | csp adapter image repository | `neuvector-billing-azure-by-suse-llc` | Follow Azure subscription instruction
`global.azure.images.neuvector_csp_pod.digest` | csp adapter image digest | `nil` | Follow Azure subscription instruction
`global.azure.images.neuvector_csp_pod.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow Azure subscription instruction
`controller.enabled` | If true, create controller | `true` |
`controller.image.repository` | controller image repository | `neuvector/controller` |
`controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
`controller.replicas` | controller replicas | `3` |
`controller.schedulerName` | kubernetes scheduler name | `nil` |
`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes |
`controller.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` |
`controller.tolerations` | List of node taints to tolerate | `nil` |
`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` |
`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`controller.podLabels` | Specify the pod labels. | `{}` |
`controller.podAnnotations` | Specify the pod annotations. | `{}` |
`controller.env` | User-defined environment variables for controller. | `[]` |
`controller.ranchersso.enabled` | If true, enable single sign on for Rancher | `false` | Required for Rancher Authentication. |
`controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi
`controller.pvc.accessModes` | Access modes for the created PVC. | `["ReadWriteMany"]` |
`controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` |
`controller.pvc.storageClass` | Storage Class to be used | `default` |
`controller.pvc.capacity` | Storage capacity | `1Gi` |
`controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` |
`controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` |
`controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` |
`controller.apisvc.type` | Controller REST API service type | `nil` |
`controller.apisvc.annotations` | Add annotations to controller REST API service | `{}` |
`controller.apisvc.route.enabled` | If true, create a OpenShift route to expose the Controller REST API service | `false` |
`controller.apisvc.route.termination` | Specify TLS termination for OpenShift route for Controller REST API service. Possible passthrough, edge, reencrypt | `passthrough` |
`controller.apisvc.route.host` | Set controller REST API service hostname | `nil` |
`controller.apisvc.route.tls.key` | Set controller REST API service PEM format key file | `nil` |
`controller.apisvc.route.tls.certificate` | Set controller REST API service PEM format certificate file | `nil` |
`controller.apisvc.route.tls.caCertificate` | Set controller REST API service CA certificate may be required to establish a certificate chain for validation | `nil` |
`controller.apisvc.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate | `nil` |
`controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` |
`controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` |
`controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` |
`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
`controller.federation.mastersvc.loadBalancerIP` | Multi-cluster primary cluster service load balancer IP. If specified, the deployment must also specify controller.federation.mastersvc.type of LoadBalancer. | `nil` |
`controller.federation.mastersvc.clusterIP` | Set clusterIP to be used for mastersvc | `nil` |
`controller.federation.mastersvc.nodePort` | Define a nodePort for mastersvc | `nil` | Must be a valid NodePort (30000-32767)
`controller.federation.mastersvc.externalTrafficPolicy` | Set externalTrafficPolicy to be used for mastersvc | `nil` |
`controller.federation.mastersvc.internalTrafficPolicy` | Set internalTrafficPolicy to be used for mastersvc | `nil` |
`controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` |
`controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` |
`controller.federation.mastersvc.route.host` | Set OpenShift route host for primary cluster service | `nil` |
`controller.federation.mastersvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster primary cluster service. Possible passthrough, edge, reencrypt | `passthrough` |
`controller.federation.mastersvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster primary cluster service | `nil` |
`controller.federation.mastersvc.route.tls.certificate` | Set PEM format key certificate file for OpenShift route for Multi-cluster primary cluster service | `nil` |
`controller.federation.mastersvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster primary cluster service | `nil` |
`controller.federation.mastersvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster primary cluster service | `nil` |
`controller.federation.mastersvc.ingress.enabled` | If true, create ingress for federation master service, must also set ingress host value | `false` | enable this if ingress controller is installed
`controller.federation.mastersvc.ingress.tls` | If true, TLS is enabled for controller federation master ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.mastersvc.ingress.host`.
`controller.federation.mastersvc.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
`controller.federation.managedsvc.loadBalancerIP` | Multi-cluster primary cluster service load balancer IP. If specified, the deployment must also specify controller.federation.mastersvc.type of LoadBalancer. | `nil` |
`controller.federation.managedsvc.clusterIP` | Set clusterIP to be used for managedsvc | `nil` |
`controller.federation.managedsvc.nodePort` | Define a nodePort for managedsvc | `nil` | Must be a valid NodePort (30000-32767)
`controller.federation.managedsvc.externalTrafficPolicy` | Set externalTrafficPolicy to be used for managedsvc | `nil` |
`controller.federation.managedsvc.internalTrafficPolicy` | Set internalTrafficPolicy to be used for managedsvc | `nil` |
`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` |
`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` |
`controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` |
`controller.federation.managedsvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster managed cluster service. Possible passthrough, edge, reencrypt | `passthrough` |
`controller.federation.managedsvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster managed cluster service | `nil` |
`controller.federation.managedsvc.route.tls.certificate` | Set PEM format certificate file for OpenShift route for Multi-cluster managed cluster service | `nil` |
`controller.federation.managedsvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster managed cluster service | `nil` |
`controller.federation.managedsvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster managed cluster service | `nil` |
`controller.federation.managedsvc.ingress.enabled` | If true, create ingress for federation managed service, must also set ingress host value | `false` | enable this if ingress controller is installed
`controller.federation.managedsvc.ingress.tls` | If true, TLS is enabled for controller federation managed ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.managedsvc.ingress.host`.
`controller.federation.managedsvc.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed
`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`.
`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`controller.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false`
`controller.configmap.data` | NeuVector configuration in YAML format | `{}`
`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false`
`controller.secret.data` | NeuVector configuration in key/value pair format | `{}`
`controller.internal.certificate.secret` | Secret name to be used for custom controller internal certificate | `nil` |
`controller.internal.certificate.keyFile` | Set PEM format key file for custom controller internal certificate | `tls.key` |
`controller.internal.certificate.pemFile` | Set PEM format certificate file for custom controller internal certificate | `tls.crt` |
`controller.internal.certificate.caFile` | Set CA certificate file for controller custom internal certificate | `ca.crt` |
`enforcer.enabled` | If true, create enforcer | `true` |
`enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` |
`enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
`enforcer.updateStrategy.type` | enforcer update strategy type. | `RollingUpdate` |
`enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`enforcer.podLabels` | Specify the pod labels. | `{}` |
`enforcer.podAnnotations` | Specify the pod annotations. | `{}` |
`enforcer.env` | User-defined environment variables for enforcers. | `[]` |
`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`<br>`key: node-role.kubernetes.io/master` | other taints can be added after the default
`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`enforcer.internal.certificate.secret` | Secret name to be used for custom enforcer internal certificate | `nil` |
`enforcer.internal.certificate.keyFile` | Set PEM format key file for custom enforcer internal certificate | `tls.key` |
`enforcer.internal.certificate.pemFile` | Set PEM format certificate file for custom enforcer internal certificate | `tls.crt` |
`enforcer.internal.certificate.caFile` | Set CA certificate file for enforcer custom internal certificate | `ca.crt` |
`manager.enabled` | If true, create manager | `true` |
`manager.image.repository` | manager image repository | `neuvector/manager` |
`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
`manager.priorityClassName` | manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`manager.podLabels` | Specify the pod labels. | `{}` |
`manager.podAnnotations` | Specify the pod annotations. | `{}` |
`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` |
`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` |
` CUSTOM_LOGIN_LOGO` | SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon. |
` CUSTOM_EULA_POLICY` | HTML or TEXT encoded in base64. |
` CUSTOM_PAGE_HEADER_CONTENT` | max. 120 characters, base64 encoded. |
` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) |
` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. |
` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) |
`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;<br>if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
`manager.route.host` | Set OpenShift route host for management console service | `nil` |
`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` |
`manager.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` |
`manager.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` |
`manager.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` |
`manager.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` |
`manager.certificate.secret` | Replace manager UI certificate using secret if secret name is specified | `nil` |
`manager.certificate.keyFile` | Replace manager UI certificate key file | `tls.key` |
`manager.certificate.pemFile` | Replace manager UI certificate pem file | `tls.pem` |
`manager.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed
`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`.
`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`manager.affinity` | manager affinity rules | `{}` |
`manager.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` |
`manager.tolerations` | List of node taints to tolerate | `nil` |
`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`manager.runAsUser` | Specify the run as User ID | `nil` |
`cve.adapter.enabled` | If true, create registry adapter | `true` |
`cve.adapter.image.repository` | registry adapter image repository | `neuvector/registry-adapter` |
`cve.adapter.image.tag` | registry adapter image tag | |
`cve.adapter.image.hash` | registry adapter image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
`cve.adapter.priorityClassName` | registry adapter priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`cve.adapter.podLabels` | Specify the pod labels. | `{}` |
`cve.adapter.podAnnotations` | Specify the pod annotations. | `{}` |
`cve.adapter.env` | User-defined environment variables for adapter. | `[]` |
`cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`;<br>if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
`cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` |
`cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | |
`cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
`cve.adapter.route.host` | Set OpenShift route host for management console service | `nil` |
`cve.adapter.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` |
`cve.adapter.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` |
`cve.adapter.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` |
`cve.adapter.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` |
`cve.adapter.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` |
`cve.adapter.certificate.secret` | Replace registry adapter certificate using secret if secret name is specified | `nil` |
`cve.adapter.certificate.keyFile` | Replace registry adapter certificate key file | `tls.key` |
`cve.adapter.certificate.pemFile` | Replace registry adapter certificate crt file | `tls.crt` |
`cve.adapter.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed
`cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`.
`cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`cve.adapter.affinity` | registry adapter affinity rules | `{}` |
`cve.adapter.tolerations` | List of node taints to tolerate | `nil` |
`cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`cve.adapter.runAsUser` | Specify the run as User ID | `nil` |
`cve.adapter.internal.certificate.secret` | Secret name to be used for custom registry adapter internal certificate | `nil` |
`cve.adapter.internal.certificate.keyFile` | Set PEM format key file for custom registry adapter internal certificate | `tls.key` |
`cve.adapter.internal.certificate.pemFile` | Set PEM format certificate file for custom registry adapter internal certificate | `tls.crt` |
`cve.adapter.internal.certificate.caFile` | Set CA certificate file for registry adapter custom internal certificate | `ca.crt` |
`cve.updater.enabled` | If true, create cve updater | `true` |
`cve.updater.secure` | If true, API server's certificate is validated | `false` |
`cve.updater.cacert` | If set, use this ca file to validate API server's certificate | `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` |
`cve.updater.image.registry` | cve updater image registry to overwrite global registry | |
`cve.updater.image.repository` | cve updater image repository | `neuvector/updater` |
`cve.updater.image.tag` | image tag for cve updater | `latest` |
`cve.updater.image.hash` | cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
`cve.updater.priorityClassName` | cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`cve.updater.resources` | Add resources requests and limits to updater cronjob | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml)
`cve.updater.podLabels` | Specify the pod labels. | `{}` |
`cve.updater.podAnnotations` | Specify the pod annotations. | `{}` |
`cve.updater.schedule` | cronjob cve updater schedule | `0 0 * * *` |
`cve.updater.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`cve.updater.runAsUser` | Specify the run as User ID | `nil` |
`cve.scanner.enabled` | If true, cve scanners will be deployed | `true` |
`cve.scanner.image.registry` | cve scanner image registry to overwrite global registry | |
`cve.scanner.image.repository` | cve scanner image repository | `neuvector/scanner` |
`cve.scanner.image.tag` | cve scanner image tag | `latest` |
`cve.scanner.image.hash` | cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
`cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`cve.scanner.podLabels` | Specify the pod labels. | `{}` |
`cve.scanner.podAnnotations` | Specify the pod annotations. | `{}` |
`cve.scanner.env` | User-defined environment variables for scanner. | `[]` |
`cve.scanner.replicas` | external scanner replicas | `3` |
`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` |
`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.7/charts/core/values.yaml) |
`cve.scanner.affinity` | scanner affinity rules | `{}` |
`cve.scanner.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` |
`cve.scanner.tolerations` | List of node taints to tolerate | `nil` |
`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`cve.scanner.runAsUser` | Specify the run as User ID | `nil` |
`cve.scanner.internal.certificate.secret` | Secret name to be used for custom scanner internal certificate | `nil` |
`cve.scanner.internal.certificate.keyFile` | Set PEM format key file for custom scanner internal certificate | `tls.key` |
`cve.scanner.internal.certificate.pemFile` | Set PEM format certificate file for custom scanner internal certificate | `tls.crt` |
`cve.scanner.internal.certificate.caFile` | Set CA certificate file for scanner custom internal certificate | `ca.crt` |
`runtimePath` | container runtime socket path, if it's not at the default location. | `` |
`docker.path` | docker path | `/var/run/docker.sock` | Deprecated in 5.3.0
`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | Deprecated in 5.3.0. Prior to 5.3.0, for k3s and rke clusters, set k3s.enabled to true instead
`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | Deprecated in 5.3.0.
`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | Deprecated in 5.3.0.
`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` | Deprecated in 5.3.0.
`k3s.enabled` | Set to true for k3s or rke2 | `false` | Deprecated in 5.3.0.
`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | Deprecated in 5.3.0.
`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | Deprecated in 5.3.0.
`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | Deprecated in 5.3.0.
`admissionwebhook.type` | admission webhook type | `ClusterIP` |
`crdwebhook.enabled` | Enable crd service and create crd related resources | `true` |
`crdwebhook.type` | crd webhook type | `ClusterIP` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
$ helm install my-release --namespace neuvector ./neuvector-helm/ --set manager.env.ssl=off
```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```console
$ helm install my-release --namespace neuvector ./neuvector-helm/ -f values.yaml
```


@ -0,0 +1,35 @@
### Run-Time Protection Without Compromise
NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform.
NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include:
+ Build phase vulnerability scanning with Jenkins plug-in and registry scanning
+ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks
+ Complete run-time scanning with network, process, and file system monitoring and protection
+ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation
+ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures
+ Run-time vulnerability scanning and CIS benchmarks
Additional Notes:
+ Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447.
+ Container runtime and runtime path are auto detected in NeuVector 5.3.0 version. If the socket path is not at the default location, use runtimePath in values.yaml to specify the location.
+ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0.
+ For deploying on hardened RKE cluster, enable PSP from security settings.
## Upgrading to Kubernetes v1.25+
Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
**Note:**
In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
**Note:**
If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.


@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "neuvector.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "neuvector.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "neuvector.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}


@ -0,0 +1,283 @@
questions:
#image configurations
- variable: controller.image.repository
default: "neuvector/controller"
description: controller image repository
type: string
label: Controller Image Path
group: "Container Images"
- variable: controller.image.tag
default: ""
description: image tag for controller
type: string
label: Controller Image Tag
group: "Container Images"
- variable: manager.image.repository
default: "neuvector/manager"
description: manager image repository
type: string
label: Manager Image Path
group: "Container Images"
- variable: manager.image.tag
default: ""
description: image tag for manager
type: string
label: Manager Image Tag
group: "Container Images"
- variable: enforcer.image.repository
default: "neuvector/enforcer"
description: enforcer image repository
type: string
label: Enforcer Image Path
group: "Container Images"
- variable: enforcer.image.tag
default: ""
description: image tag for enforcer
type: string
label: Enforcer Image Tag
group: "Container Images"
- variable: cve.scanner.image.repository
default: "neuvector/scanner"
description: scanner image repository
type: string
label: Scanner Image Path
group: "Container Images"
- variable: cve.scanner.image.tag
default: ""
description: image tag for scanner
type: string
label: Scanner Image Tag
group: "Container Images"
- variable: cve.updater.image.repository
default: "neuvector/updater"
description: cve updater image repository
type: string
label: CVE Updater Image Path
group: "Container Images"
- variable: cve.updater.image.tag
default: ""
description: image tag for updater
type: string
label: Updater Image Tag
group: "Container Images"
#storage configurations
- variable: controller.pvc.enabled
default: false
description: If true, enable persistence for controller using PVC. PVC should support ReadWriteMany(RWX)
type: boolean
label: PVC Status
group: "PVC Configuration"
- variable: controller.pvc.storageClass
default: ""
description: Storage Class to be used
type: string
label: Storage Class Name
group: "PVC Configuration"
#ingress configurations
- variable: manager.ingress.enabled
default: false
description: If true, create ingress, must also set ingress host value
type: boolean
label: Manager Ingress Status
group: "Ingress Configuration"
show_subquestion_if: true
subquestions:
- variable: manager.ingress.host
default: ""
description: Must set this host value if ingress is enabled
type: string
label: Manager Ingress Host
group: "Ingress Configuration"
- variable: manager.ingress.path
default: "/"
description: Set ingress path
type: string
label: Manager Ingress Path
group: "Ingress Configuration"
- variable: manager.ingress.annotations
default: "{}"
description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation
type: string
label: Manager Ingress Annotations
group: "Ingress Configuration"
- variable: controller.ingress.enabled
default: false
description: If true, create ingress for rest api, must also set ingress host value
type: boolean
label: Controller Ingress Status
group: "Ingress Configuration"
show_subquestion_if: true
subquestions:
- variable: controller.ingress.host
default: ""
description: Must set this host value if ingress is enabled
type: string
label: Controller Ingress Host
group: "Ingress Configuration"
- variable: controller.ingress.path
default: "/"
description: Set ingress path
type: string
label: Controller Ingress Path
group: "Ingress Configuration"
- variable: controller.ingress.annotations
default: "{}"
description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation
type: string
label: Controller Ingress Annotations
group: "Ingress Configuration"
- variable: controller.federation.mastersvc.ingress.enabled
default: false
description: If true, create ingress for rest api, must also set ingress host value
type: boolean
label: Controller Federation Master Service Ingress Status
group: "Ingress Configuration"
show_subquestion_if: true
subquestions:
- variable: controller.federation.mastersvc.ingress.tls
default: false
description: If true, TLS is enabled for controller federation master ingress service
type: boolean
label: Controller Federation Master Service Ingress TLS Status
group: "Ingress Configuration"
- variable: controller.federation.mastersvc.ingress.host
default: ""
description: Must set this host value if ingress is enabled
type: string
label: Controller Federation Master Service Ingress Host
group: "Ingress Configuration"
- variable: controller.federation.mastersvc.ingress.path
default: "/"
description: Set ingress path
type: string
label: Controller Federation Master Service Ingress Path
group: "Ingress Configuration"
- variable: controller.federation.mastersvc.ingress.ingressClassName
default: ""
description: To be used instead of the ingress.class annotation if an IngressClass is provisioned
type: string
label: Controller Federation Master Service Ingress IngressClassName
group: "Ingress Configuration"
- variable: controller.federation.mastersvc.ingress.secretName
default: ""
description: Name of the secret to be used for TLS-encryption
type: string
label: Controller Federation Master Service Ingress SecretName
group: "Ingress Configuration"
- variable: controller.federation.mastersvc.ingress.annotations
default: "{}"
description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation
type: string
label: Controller Federation Master Service Ingress Annotations
group: "Ingress Configuration"
- variable: controller.federation.managedsvc.ingress.enabled
default: false
description: If true, create ingress for rest api, must also set ingress host value
type: boolean
label: Controller Federation Managed Service Ingress Status
group: "Ingress Configuration"
show_subquestion_if: true
subquestions:
- variable: controller.federation.managedsvc.ingress.tls
default: false
description: If true, TLS is enabled for controller federation managed ingress service
type: boolean
label: Controller Federation Managed Service Ingress TLS Status
group: "Ingress Configuration"
- variable: controller.federation.managedsvc.ingress.host
default: ""
description: Must set this host value if ingress is enabled
type: string
label: Controller Federation Managed Service Ingress Host
group: "Ingress Configuration"
- variable: controller.federation.managedsvc.ingress.path
default: "/"
description: Set ingress path
type: string
label: Controller Federation Managed Service Ingress Path
group: "Ingress Configuration"
- variable: controller.federation.managedsvc.ingress.ingressClassName
default: ""
description: To be used instead of the ingress.class annotation if an IngressClass is provisioned
type: string
label: Controller Federation Managed Service Ingress IngressClassName
group: "Ingress Configuration"
- variable: controller.federation.managedsvc.ingress.secretName
default: ""
description: Name of the secret to be used for TLS-encryption
type: string
label: Controller Federation Managed Service Ingress SecretName
group: "Ingress Configuration"
- variable: controller.federation.managedsvc.ingress.annotations
default: "{}"
description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation
type: string
label: Controller Federation Managed Service Ingress Annotations
group: "Ingress Configuration"
#service configurations
- variable: manager.svc.type
default: "NodePort"
description: Set manager service type for native Kubernetes
type: enum
label: Manager Service Type
group: "Service Configuration"
options:
- "NodePort"
- "ClusterIP"
- "LoadBalancer"
- variable: controller.federation.mastersvc.type
default: ""
description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP
type: enum
label: Fed Master Service Type
group: "Service Configuration"
options:
- "NodePort"
- "ClusterIP"
- "LoadBalancer"
- variable: controller.federation.managedsvc.type
default: ""
description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. Possible values include NodePort, LoadBalancer and ClusterIP
type: enum
label: Fed Managed Service Type
group: "Service Configuration"
options:
- "NodePort"
- "ClusterIP"
- "LoadBalancer"
- variable: controller.apisvc.type
default: "NodePort"
description: Controller REST API service type
type: enum
label: Controller REST API Service Type
group: "Service Configuration"
options:
- "NodePort"
- "ClusterIP"
- "LoadBalancer"
#Security Settings
- variable: global.cattle.psp.enabled
default: "false"
description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false."
label: "Enable PodSecurityPolicies"
default: "false"
type: boolean
group: "Security Settings"
- variable: manager.runAsUser
default: ""
description: Specify the run as User ID
type: int
label: Manager runAsUser ID
group: "Security Settings"
- variable: cve.scanner.runAsUser
default: ""
description: Specify the run as User ID
type: int
label: Scanner runAsUser ID
group: "Security Settings"
- variable: cve.updater.runAsUser
default: ""
description: Specify the run as User ID
type: int
label: Updater runAsUser ID
group: "Security Settings"
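Review bot: The `global.cattle.psp.enabled` question carries two `default` keys (one right after `variable:`, one after `label:`); duplicate keys are invalid in YAML 1.2 and resolve silently to last-wins on most parsers, so one of them should be dropped and a single `default: false` kept. The kept value should be the bare boolean `false` rather than the string `"false"`, matching `type: boolean` and the other boolean questions in this file such as `controller.pvc.enabled`. The three `runAsUser` questions declare `type: int` with `default: ""`; presumably the UI treats the empty string as "unset", but that is worth confirming against what the chart's values file expects for an absent user id. Separately, the `controller.federation.managedsvc.type` description misspells "cluster" as "clsuter".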


@ -0,0 +1,23 @@
{{- if and .Values.manager.enabled .Values.manager.ingress.enabled }}
From outside the cluster, the NeuVector URL is:
http://{{ .Values.manager.ingress.host }}
{{- else if and .Values.manager.enabled .Values.manager.ingress.enabled .Values.manager.ingress.tls}}
From outside the cluster, the NeuVector URL is:
https://{{ .Values.manager.ingress.host }}
{{- else if not .Values.openshift }}
Get the NeuVector URL by running these commands:
{{- if contains "NodePort" .Values.manager.svc.type }}
NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)
NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo https://$NODE_IP:$NODE_PORT
{{- else if contains "ClusterIP" .Values.manager.svc.type }}
CLUSTER_IP=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.clusterIP}" services neuvector-service-webui)
echo https://$CLUSTER_IP:8443
{{- else if contains "LoadBalancer" .Values.manager.svc.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w neuvector-service-webui'
SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
echo https://$SERVICE_IP:8443
{{- end }}
{{- end }}
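Review bot: The TLS branch `{{- else if and .Values.manager.enabled .Values.manager.ingress.enabled .Values.manager.ingress.tls}}` is unreachable, because the preceding `{{- if and .Values.manager.enabled .Values.manager.ingress.enabled }}` already matches every case in which the three-term condition could be true, so a TLS-enabled ingress is always reported to the user as an `http://` URL. Swap the two branches (test the three-term condition first and print `https://`, then the two-term condition printing `http://`), or add `(not .Values.manager.ingress.tls)` to the first condition. The non-ingress branches below print `https://` unconditionally, so the ingress path is the only one that can advertise a plaintext URL.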


@ -0,0 +1,55 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "neuvector.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "neuvector.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "neuvector.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Lookup secret.
*/}}
{{- define "neuvector.secrets.lookup" -}}
{{- $value := "" -}}
{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data -}}
{{- if and $secretData (hasKey $secretData .key) -}}
{{- $value = index $secretData .key -}}
{{- else if .defaultValue -}}
{{- $value = .defaultValue | toString | b64enc -}}
{{- end -}}
{{- if $value -}}
{{- printf "%s" $value -}}
{{- end -}}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
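Review bot: `neuvector.secrets.lookup` is documented only as `Lookup secret.` although it is the one helper here with a non-obvious contract. I would expand the comment to state that it is called with a dict of `namespace`, `secret`, `key` and optional `defaultValue`, returns the base64-encoded value already stored under `key` in that Secret when present, otherwise base64-encodes `defaultValue` (so the result is base64 in both branches), and emits nothing when neither exists. It should also note that Helm's `lookup` returns an empty result under `helm template` and `--dry-run`, so in those modes the `defaultValue` branch is always taken — relevant when a caller passes a freshly generated value, since the rendered output then differs from what an upgrade against the live cluster produces.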


@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-admission-webhook
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
ports:
- port: 443
targetPort: 20443
protocol: TCP
name: admission-webhook
type: {{ .Values.admissionwebhook.type }}
selector:
app: neuvector-controller-pod


@ -0,0 +1,33 @@
{{- if .Values.internal.certmanager.enabled }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ .Values.internal.certmanager.secretname }}
namespace: {{ .Release.Namespace }}
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.internal.certmanager.secretname }}
namespace: {{ .Release.Namespace }}
spec:
duration: 17520h # 2 years
subject:
organizations:
- NeuVector
isCA: true
commonName: neuvector.internal
dnsNames:
- neuvector.internal
- NeuVector
secretName: {{ .Values.internal.certmanager.secretname }}
usages:
- digital signature
- key encipherment
issuerRef:
group: cert-manager.io
kind: Issuer
name: {{ .Values.internal.certmanager.secretname }}
{{- end }}
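Review bot: `dnsNames` lists `NeuVector` next to `neuvector.internal`; a bare mixed-case word is not a resolvable hostname, so it adds a SAN no client will match and looks like a leftover — I would drop it unless some component really dials that name. The same Certificate is both the trust anchor (`isCA: true`) and, through `commonName`/`dnsNames`, the endpoint identity, issued for `17520h` from a self-signed Issuer. Presumably the consumers reload `{{ .Values.internal.certmanager.secretname }}` when cert-manager renews it, but since renewal replaces the CA for every component at once, that assumption deserves a comment above `duration`, e.g. `# self-signed root also serves as the internal endpoint cert; renewal replaces the trust anchor for all components`.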


@ -0,0 +1,121 @@
{{- if .Values.rbac -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-app
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- ""
resources:
- nodes
- pods
- services
- namespaces
verbs:
- get
- list
- watch
- update
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-rbac
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
{{- if .Values.openshift }}
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
{{- end }}
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
- clusterrolebindings
- clusterroles
verbs:
- get
- list
- watch
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-admission
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
verbs:
- get
- list
- watch
- create
- update
- delete
---
{{- if $oc4 }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: neuvector-binding-co
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- config.openshift.io
resources:
- clusteroperators
verbs:
- get
- list
{{- end }}
{{- end }}
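Review bot: `neuvector-binding-app` grants `update` on `nodes`, `pods`, `services` and `namespaces` cluster-wide in one rule, so every resource inherits the write verb even if only one of them needs it; if the controller only updates a subset (I cannot tell from this file), split the rule so `update` appears only for those resources and the others keep `get`/`list`/`watch`. Likewise `neuvector-binding-admission` allows `update` and `delete` on every `validatingwebhookconfigurations` and `mutatingwebhookconfigurations` object in the cluster; those verbs can be scoped with `resourceNames` (unlike `create` and `list`), so a second rule limited to the chart's own webhook configurations, e.g. `resourceNames: [<neuvector-webhook-configuration-name>]`, would stop the controller from being able to alter other admission webhooks. Both ClusterRoles are bound in the least-privilege and the default bindings, so the tightening applies to either mode.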


@ -0,0 +1,150 @@
{{- if and .Values.rbac .Values.leastPrivilege -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-app
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-app
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-rbac
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-rbac
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-admission
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-admission
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-view
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: view
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
{{- if $oc4 }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-co
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: neuvector-binding-co
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: enforcer
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}


@ -0,0 +1,147 @@
{{- if and .Values.rbac (not .Values.leastPrivilege) -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-app
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-app
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-rbac
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-rbac
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-admission
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-admission
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-view
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: view
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
{{- if $oc4 }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-co
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: neuvector-binding-co
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}


@ -0,0 +1,279 @@
{{- $pre530 := false -}}
{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }}
{{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}}
{{- end }}
{{- if .Values.controller.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Deployment
metadata:
name: neuvector-controller-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
{{- with .Values.controller.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.controller.replicas }}
minReadySeconds: 60
strategy:
{{ toYaml .Values.controller.strategy | indent 4 }}
selector:
matchLabels:
app: neuvector-controller-pod
template:
metadata:
labels:
app: neuvector-controller-pod
release: {{ .Release.Name }}
{{- with .Values.controller.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.controller.secret.enabled .Values.controller.configmap.enabled .Values.controller.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }}
annotations:
{{- if .Values.controller.secret.enabled }}
checksum/init-secret: {{ include (print $.Template.BasePath "/init-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.controller.configmap.enabled }}
checksum/init-configmap: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }}
{{- end }}
{{- if eq "true" (toString .Values.autoGenerateCert) }}
checksum/controller-secret: {{ include (print $.Template.BasePath "/controller-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.controller.podAnnotations }}
{{- toYaml .Values.controller.podAnnotations | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- if .Values.controller.affinity }}
affinity:
{{ toYaml .Values.controller.affinity | indent 8 }}
{{- end }}
{{- if .Values.controller.tolerations }}
tolerations:
{{ toYaml .Values.controller.tolerations | indent 8 }}
{{- end }}
{{- if .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }}
{{- end }}
{{- if .Values.controller.nodeSelector }}
nodeSelector:
{{ toYaml .Values.controller.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.controller.schedulerName }}
schedulerName: {{ .Values.controller.schedulerName }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.leastPrivilege }}
serviceAccountName: controller
serviceAccount: controller
{{- else }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
{{- end }}
containers:
- name: neuvector-controller-pod
image: {{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
{{- if $pre530 }}
securityContext:
privileged: true
{{- else }}
securityContext:
runAsUser: 0
{{- end }}
resources:
{{- if .Values.controller.resources }}
{{ toYaml .Values.controller.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.resources | indent 12 }}
{{- end }}
readinessProbe:
exec:
command:
- cat
- /tmp/ready
initialDelaySeconds: 5
periodSeconds: 5
env:
- name: CLUSTER_JOIN_ADDR
value: neuvector-svc-controller.{{ .Release.Namespace }}
- name: CLUSTER_ADVERTISED_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: CLUSTER_BIND_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if .Values.controller.ranchersso.enabled }}
- name: RANCHER_SSO
value: "1"
- name: RANCHER_EP
value: "{{ .Values.global.cattle.url }}"
{{- end }}
{{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }}
- name: CTRL_PERSIST_CONFIG
value: "1"
{{- end }}
{{- with .Values.controller.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
{{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }}
- mountPath: /var/neuvector
name: nv-share
readOnly: false
{{- end }}
{{- if $pre530 }}
{{- if .Values.containerd.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.k3s.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.bottlerocket.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.crio.enabled }}
- mountPath: /var/run/crio/crio.sock
{{- else }}
- mountPath: /var/run/docker.sock
{{- end }}
name: runtime-sock
readOnly: true
- mountPath: /host/proc
name: proc-vol
readOnly: true
- mountPath: /host/cgroup
name: cgroup-vol
readOnly: true
{{- end }}
- mountPath: /etc/config
name: config-volume
readOnly: true
{{- if .Values.controller.certificate.secret }}
- mountPath: /etc/neuvector/certs/ssl-cert.key
subPath: {{ .Values.controller.certificate.keyFile }}
name: usercert
readOnly: true
- mountPath: /etc/neuvector/certs/ssl-cert.pem
subPath: {{ .Values.controller.certificate.pemFile }}
name: usercert
readOnly: true
{{- else if eq "true" (toString .Values.autoGenerateCert) }}
- mountPath: /etc/neuvector/certs/ssl-cert.key
subPath: ssl-cert.key
name: cert
readOnly: true
- mountPath: /etc/neuvector/certs/ssl-cert.pem
subPath: ssl-cert.pem
name: cert
readOnly: true
{{- else }}
{{- end }}
{{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }}
- mountPath: /etc/neuvector/certs/internal/cert.key
subPath: {{ .Values.controller.internal.certificate.keyFile }}
name: internal-cert
readOnly: true
- mountPath: /etc/neuvector/certs/internal/cert.pem
subPath: {{ .Values.controller.internal.certificate.pemFile }}
name: internal-cert
readOnly: true
- mountPath: /etc/neuvector/certs/internal/ca.cert
subPath: {{ .Values.controller.internal.certificate.caFile }}
name: internal-cert
readOnly: true
{{- end }}
terminationGracePeriodSeconds: 300
restartPolicy: Always
volumes:
{{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }}
- name: nv-share
{{- if .Values.controller.pvc.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.controller.pvc.existingClaim | default "neuvector-data" }}
{{- else if .Values.controller.azureFileShare.enabled }}
azureFile:
secretName: {{ .Values.controller.azureFileShare.secretName }}
shareName: {{ .Values.controller.azureFileShare.shareName }}
readOnly: false
{{- end }}
{{- end }}
{{- if $pre530 }}
- name: runtime-sock
hostPath:
{{- if .Values.containerd.enabled }}
path: {{ .Values.containerd.path }}
{{- else if .Values.crio.enabled }}
path: {{ .Values.crio.path }}
{{- else if .Values.k3s.enabled }}
path: {{ .Values.k3s.runtimePath }}
{{- else if .Values.bottlerocket.enabled }}
path: {{ .Values.bottlerocket.runtimePath }}
{{- else }}
path: {{ .Values.docker.path }}
{{- end }}
- name: proc-vol
hostPath:
path: /proc
- name: cgroup-vol
hostPath:
path: /sys/fs/cgroup
{{- end }}
- name: config-volume
projected:
sources:
- configMap:
name: neuvector-init
optional: true
- secret:
name: neuvector-init
optional: true
- secret:
name: neuvector-secret
optional: true
{{- if eq "true" (toString .Values.autoGenerateCert) }}
- name: cert
secret:
secretName: neuvector-controller-secret
{{- end }}
{{- if .Values.controller.certificate.secret }}
- name: usercert
secret:
secretName: {{ .Values.controller.certificate.secret }}
{{- end }}
{{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }}
- name: internal-cert
secret:
secretName: {{ .Values.controller.internal.certificate.secret }}
{{- end }}
{{- if gt (int .Values.controller.disruptionbudget) 0 }}
---
{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: neuvector-controller-pdb
namespace: {{ .Release.Namespace }}
spec:
minAvailable: {{ .Values.controller.disruptionbudget }}
selector:
matchLabels:
app: neuvector-controller-pod
{{- end }}
{{- end }}
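Review bot: The `$pre530` gate at the top of the file keys off `.Values.tag`, but the container image on the `image:` line is built from `.Values.controller.image.tag`, so the privileged/runtime-socket branch can disagree with the image that actually runs whenever the two values differ; deriving the check from one value, e.g. `{{- $ctag := .Values.controller.image.tag | default .Values.tag }}` and matching on `$ctag`, or a values.yaml comment stating that `tag` must track `controller.image.tag`, would close that gap. Separately, the non-legacy branch still sets `runAsUser: 0` with no `allowPrivilegeEscalation`, `readOnlyRootFilesystem` or `capabilities.drop`; if the controller does not need them, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` would tighten the pod, and either way a comment explaining why root is required would help the next reviewer. The empty `{{- else }}` / `{{- end }}` pair after the auto-generated certificate mounts is dead and can be dropped.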


@ -0,0 +1,219 @@
{{- if .Values.controller.enabled }}
{{- if .Values.controller.ingress.enabled }}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: neuvector-restapi-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.controller.ingress.ingressClassName }}
ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }}
{{ end }}
{{- if .Values.controller.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.ingress.host }}
{{- if .Values.controller.ingress.secretName }}
secretName: {{ .Values.controller.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.ingress.host }}
http:
paths:
- path: {{ .Values.controller.ingress.path }}
pathType: Prefix
backend:
service:
name: neuvector-svc-controller-api
port:
number: 10443
{{- else }}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: neuvector-restapi-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.controller.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.ingress.host }}
{{- if .Values.controller.ingress.secretName }}
secretName: {{ .Values.controller.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.ingress.host }}
http:
paths:
- path: {{ .Values.controller.ingress.path }}
backend:
serviceName: neuvector-svc-controller-api
servicePort: 10443
{{- end }}
{{- end }}
{{- if .Values.controller.federation.mastersvc.ingress.enabled }}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: neuvector-mastersvc-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.federation.mastersvc.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }}
ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }}
{{ end }}
{{- if .Values.controller.federation.mastersvc.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.federation.mastersvc.ingress.host }}
{{- if .Values.controller.federation.mastersvc.ingress.secretName }}
secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.federation.mastersvc.ingress.host }}
http:
paths:
- path: {{ .Values.controller.federation.mastersvc.ingress.path }}
pathType: Prefix
backend:
service:
name: neuvector-svc-controller-fed-master
port:
number: 11443
{{- else }}
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: neuvector-mastersvc-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.federation.mastersvc.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.controller.federation.mastersvc.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.federation.mastersvc.ingress.host }}
{{- if .Values.controller.federation.mastersvc.ingress.secretName }}
secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.federation.mastersvc.ingress.host }}
http:
paths:
- path: {{ .Values.controller.federation.mastersvc.ingress.path }}
backend:
serviceName: neuvector-svc-controller-fed-master
servicePort: 11443
{{- end }}
{{- end }}
{{- if .Values.controller.federation.managedsvc.ingress.enabled }}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: neuvector-managedsvc-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.federation.managedsvc.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }}
ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }}
{{ end }}
{{- if .Values.controller.federation.managedsvc.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.federation.managedsvc.ingress.host }}
{{- if .Values.controller.federation.managedsvc.ingress.secretName }}
secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.federation.managedsvc.ingress.host }}
http:
paths:
- path: {{ .Values.controller.federation.managedsvc.ingress.path }}
pathType: Prefix
backend:
service:
name: neuvector-svc-controller-fed-managed
port:
number: 10443
{{- else }}
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: neuvector-managedsvc-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.federation.managedsvc.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.controller.federation.managedsvc.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.federation.managedsvc.ingress.host }}
{{- if .Values.controller.federation.managedsvc.ingress.secretName }}
secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.federation.managedsvc.ingress.host }}
http:
paths:
- path: {{ .Values.controller.federation.managedsvc.ingress.path }}
backend:
serviceName: neuvector-svc-controller-fed-managed
servicePort: 10443
{{- end }}
{{- end }}
{{- end -}}
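Review bot: The `host`, `path` and `secretName` scalars are rendered unquoted in all six Ingress objects here while `ingressClassName` is passed through `| quote`; a host or path containing YAML specials renders invalid YAML, so quote them consistently, e.g. `- host: {{ .Values.controller.ingress.host | quote }}`. The `{{ end }}` closing each `ingressClassName` block has no whitespace trim, unlike every other directive in the file, and leaves a stray blank line in the output. When `ingress.tls` is unset the Ingress is emitted with no TLS section at all; presumably the controller REST API is meant to be reached over HTTPS only, so a values comment noting that `tls` should be enabled outside test environments would help operators.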


@ -0,0 +1,98 @@
{{- if .Values.openshift -}}
{{- if .Values.controller.apisvc.route.enabled }}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: route.openshift.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Route
metadata:
name: neuvector-route-api
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.controller.apisvc.route.host }}
host: {{ .Values.controller.apisvc.route.host }}
{{- end }}
to:
kind: Service
name: neuvector-svc-controller-api
port:
targetPort: controller-api
tls:
termination: {{ .Values.controller.apisvc.route.termination }}
{{- if or (eq .Values.controller.apisvc.route.termination "reencrypt") (eq .Values.controller.apisvc.route.termination "edge") }}
{{- with .Values.controller.apisvc.route.tls }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
---
{{ end -}}
{{- if .Values.controller.federation.mastersvc.route.enabled }}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: route.openshift.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Route
metadata:
name: neuvector-route-fed-master
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.controller.federation.mastersvc.route.host }}
host: {{ .Values.controller.federation.mastersvc.route.host }}
{{- end }}
to:
kind: Service
name: neuvector-svc-controller-fed-master
port:
targetPort: fed
tls:
termination: {{ .Values.controller.federation.mastersvc.route.termination }}
{{- if or (eq .Values.controller.federation.mastersvc.route.termination "reencrypt") (eq .Values.controller.federation.mastersvc.route.termination "edge") }}
{{- with .Values.controller.federation.mastersvc.route.tls }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
---
{{ end -}}
{{- if .Values.controller.federation.managedsvc.route.enabled }}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: route.openshift.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Route
metadata:
name: neuvector-route-fed-managed
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.controller.federation.managedsvc.route.host }}
host: {{ .Values.controller.federation.managedsvc.route.host }}
{{- end }}
to:
kind: Service
name: neuvector-svc-controller-fed-managed
port:
targetPort: fed
tls:
termination: {{ .Values.controller.federation.managedsvc.route.termination }}
{{- if or (eq .Values.controller.federation.managedsvc.route.termination "reencrypt") (eq .Values.controller.federation.managedsvc.route.termination "edge") }}
{{- with .Values.controller.federation.managedsvc.route.tls }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
{{ end -}}
{{- end -}}
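Review bot: `termination: {{ .Values.controller.apisvc.route.termination }}` (and the two federation equivalents) is emitted unconditionally, so an empty value renders `termination:` as null and the Route is likely rejected by the API server unless values.yaml already defaults it; `termination: {{ required "controller.apisvc.route.termination must be set" .Values.controller.apisvc.route.termination }}` would fail fast at render time with a clear message. The `host` values are also rendered unquoted, unlike `ingressClassName` in the ingress template; `host: {{ .Values.controller.apisvc.route.host | quote }}` would be consistent. The closing `{{ end -}}` directives trim differently from the `{{- end }}` form used elsewhere in the chart, which is harmless but worth normalising.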


@ -0,0 +1,20 @@
{{- if .Values.controller.enabled -}}
{{- if eq "true" (toString .Values.autoGenerateCert) }}
{{- $cn := "neuvector" }}
{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}}
apiVersion: v1
kind: Secret
metadata:
name: neuvector-controller-secret
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
type: Opaque
data:
ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }}
ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }}
---
{{- end}}
{{- end}}
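Review bot: `genSelfSignedCert` receives `.Values.defaultValidityPeriod | int` with no guard, so an unset or non-numeric value becomes `0` and produces a certificate whose `NotAfter` equals its creation time; `(required "defaultValidityPeriod must be set" .Values.defaultValidityPeriod | int)` would surface that at render time, assuming values.yaml does not already force a default. The `neuvector.secrets.lookup` helper is defined outside this file, but if it relies on `lookup` then `helm template` / `--dry-run` runs with no cluster access and will regenerate the key pair on every render; a header comment such as `# Key material is preserved across upgrades only when rendered with cluster access; template/dry-run regenerates it.` would document that. The certificate's only SAN is the literal `neuvector`, so clients that verify the name against the service DNS name will not accept it — presumably intended for the auto-generated case, but worth a comment.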


@ -0,0 +1,130 @@
{{- if .Values.controller.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-controller
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
clusterIP: None
ports:
- port: 18300
protocol: "TCP"
name: "cluster-tcp-18300"
- port: 18301
protocol: "TCP"
name: "cluster-tcp-18301"
- port: 18301
protocol: "UDP"
name: "cluster-udp-18301"
selector:
app: neuvector-controller-pod
{{- if .Values.controller.apisvc.type }}
---
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-controller-api
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.apisvc.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
type: {{ .Values.controller.apisvc.type }}
ports:
- port: 10443
protocol: "TCP"
name: "controller-api"
appProtocol: HTTPS
selector:
app: neuvector-controller-pod
{{ end -}}
{{- if .Values.controller.federation.mastersvc.type }}
---
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-controller-fed-master
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.federation.mastersvc.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
type: {{ .Values.controller.federation.mastersvc.type }}
{{- if and .Values.controller.federation.mastersvc.loadBalancerIP (eq .Values.controller.federation.mastersvc.type "LoadBalancer") }}
loadBalancerIP: {{ .Values.controller.federation.mastersvc.loadBalancerIP }}
{{- end }}
{{- if .Values.controller.federation.mastersvc.clusterIP }}
clusterIP: {{ .Values.controller.federation.mastersvc.clusterIP }}
{{- end }}
{{- if .Values.controller.federation.mastersvc.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.controller.federation.mastersvc.externalTrafficPolicy }}
{{- end }}
{{- if .Values.controller.federation.mastersvc.internalTrafficPolicy }}
internalTrafficPolicy: {{ .Values.controller.federation.mastersvc.internalTrafficPolicy }}
{{- end }}
ports:
- port: 11443
name: fed
protocol: TCP
appProtocol: HTTPS
{{- if .Values.controller.federation.mastersvc.nodePort }}
nodePort: {{ .Values.controller.federation.mastersvc.nodePort }}
{{- end }}
selector:
app: neuvector-controller-pod
{{ end -}}
{{- if .Values.controller.federation.managedsvc.type }}
---
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-controller-fed-managed
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.federation.managedsvc.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
type: {{ .Values.controller.federation.managedsvc.type }}
{{- if and .Values.controller.federation.managedsvc.loadBalancerIP (eq .Values.controller.federation.managedsvc.type "LoadBalancer") }}
loadBalancerIP: {{ .Values.controller.federation.managedsvc.loadBalancerIP }}
{{- end }}
{{- if .Values.controller.federation.managedsvc.clusterIP }}
clusterIP: {{ .Values.controller.federation.managedsvc.clusterIP }}
{{- end }}
{{- if .Values.controller.federation.managedsvc.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.controller.federation.managedsvc.externalTrafficPolicy }}
{{- end }}
{{- if .Values.controller.federation.managedsvc.internalTrafficPolicy }}
internalTrafficPolicy: {{ .Values.controller.federation.managedsvc.internalTrafficPolicy }}
{{- end }}
ports:
- port: 10443
name: fed
protocol: TCP
appProtocol: HTTPS
{{- if .Values.controller.federation.managedsvc.nodePort }}
nodePort: {{ .Values.controller.federation.managedsvc.nodePort }}
{{- end }}
selector:
app: neuvector-controller-pod
{{ end -}}
{{- end -}}
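Review bot: `nodePort` on the two federation Services is emitted whenever the value is set, but the Kubernetes API rejects `nodePort` (and `externalTrafficPolicy`) when `type` is `ClusterIP`, so the same type guard already applied to `loadBalancerIP` is needed: `{{- if and .Values.controller.federation.mastersvc.nodePort (ne .Values.controller.federation.mastersvc.type "ClusterIP") }}`, and likewise for managedsvc. Quoting is inconsistent — the headless service writes `protocol: "TCP"` while the federation services write `protocol: TCP`; either is valid, pick one. A short comment above each federation Service noting that a non-ClusterIP type exposes the cluster-to-cluster endpoint (11443/10443) outside the cluster would help operators decide the type deliberately.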


@ -0,0 +1,417 @@
{{- if .Values.leastPrivilege -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
# ClusterRole for NeuVector to operate CRD
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-customresourcedefinition
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- update
- watch
- create
- get
---
# ClusterRoleBinding for NeuVector to operate CRD
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-customresourcedefinition
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-customresourcedefinition
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
# ClusterRole for NeuVector to manage network/process CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvsecurityrules
- nvclustersecurityrules
verbs:
- get
- list
- delete
---
# ClusterRoleBinding for NeuVector to manage network/process CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvsecurityrules
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
# ClusterRole for NeuVector to manage dlp CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvdlpsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvdlpsecurityrules
verbs:
- get
- list
- delete
---
# ClusterRole for NeuVector to manage admission control CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvadmissioncontrolsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvadmissioncontrolsecurityrules
verbs:
- get
- list
- delete
---
# ClusterRoleBinding for NeuVector to manage admission control CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvdlpsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvdlpsecurityrules
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
# ClusterRoleBinding for NeuVector to manage admission control CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvadmissioncontrolsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvadmissioncontrolsecurityrules
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
# ClusterRole for NeuVector to manage waf CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvwafsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvwafsecurityrules
verbs:
- get
- list
- delete
---
# ClusterRoleBinding for NeuVector to manage waf CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvwafsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvwafsecurityrules
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
# ClusterRole for NeuVector to manage compliance CRD profiles
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvcomplianceprofiles
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvcomplianceprofiles
verbs:
- get
- list
- delete
---
# ClusterRoleBinding for NeuVector to manage compliance CRD profiles
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvcomplianceprofiles
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvcomplianceprofiles
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
# ClusterRole for NeuVector to manage vulnerability CRD profiles
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvvulnerabilityprofiles
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvvulnerabilityprofiles
verbs:
- get
- list
- delete
---
# ClusterRoleBinding for NeuVector to manage vulnerability CRD profiles
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvvulnerabilityprofiles
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvvulnerabilityprofiles
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
{{- end }}
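Review bot: The comment above the ClusterRoleBinding named `neuvector-binding-nvdlpsecurityrules` reads `# ClusterRoleBinding for NeuVector to manage admission control CRD rules`, but the binding references the dlp role; it should read `# ClusterRoleBinding for NeuVector to manage dlp CRD rules`, otherwise the file has two bindings labelled as admission control and none labelled dlp. Since this is the `leastPrivilege` variant, note that the `neuvector-binding-customresourcedefinition` ClusterRole still grants `update`, `watch` and `get` on every CustomResourceDefinition in the cluster; those three verbs can be narrowed with `resourceNames` to the NeuVector CRDs (`create` cannot be name-scoped, so it stays as is), which matters because `update` on an arbitrary CRD can alter its schema or conversion webhook. The `$oc3`/`$oc4` preamble is duplicated verbatim in the non-least-privilege file that follows; a shared named template would keep the two in step.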


@ -0,0 +1,417 @@
{{- if not .Values.leastPrivilege -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
# ClusterRole for NeuVector to operate CRD
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-customresourcedefinition
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- update
- watch
- create
- get
---
# ClusterRoleBinding for NeuVector to operate CRD
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-customresourcedefinition
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-customresourcedefinition
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
# ClusterRole for NeuVector to manage network/process CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvsecurityrules
- nvclustersecurityrules
verbs:
- get
- list
- delete
---
# ClusterRoleBinding for NeuVector to manage network/process CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvsecurityrules
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
# ClusterRole for NeuVector to manage dlp CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvdlpsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvdlpsecurityrules
verbs:
- get
- list
- delete
---
# ClusterRole for NeuVector to manage admission control CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvadmissioncontrolsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvadmissioncontrolsecurityrules
verbs:
- get
- list
- delete
---
# ClusterRoleBinding for NeuVector to manage admission control CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvdlpsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvdlpsecurityrules
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
# ClusterRoleBinding for NeuVector to manage admission control CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvadmissioncontrolsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvadmissioncontrolsecurityrules
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
# ClusterRole for NeuVector to manage waf CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvwafsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvwafsecurityrules
verbs:
- get
- list
- delete
---
# ClusterRoleBinding for NeuVector to manage waf CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvwafsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvwafsecurityrules
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
# ClusterRole for NeuVector to manage compliance CRD profiles
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvcomplianceprofiles
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvcomplianceprofiles
verbs:
- get
- list
- delete
---
# ClusterRoleBinding for NeuVector to manage compliance CRD profiles
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvcomplianceprofiles
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvcomplianceprofiles
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
# ClusterRole for NeuVector to manage vulnerability CRD profiles
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvvulnerabilityprofiles
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- neuvector.com
resources:
- nvvulnerabilityprofiles
verbs:
- get
- list
- delete
---
# ClusterRoleBinding for NeuVector to manage vulnerability CRD profiles
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvvulnerabilityprofiles
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvvulnerabilityprofiles
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
{{- end }}
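Review bot: The comment above the `neuvector-binding-nvdlpsecurityrules` ClusterRoleBinding reads `# ClusterRoleBinding for NeuVector to manage admission control CRD rules`, so the dlp binding is mislabeled and the admission-control label appears twice (the real one sits above `neuvector-binding-nvadmissioncontrolsecurityrules` further down); change it to `# ClusterRoleBinding for NeuVector to manage dlp CRD rules`. Every binding in this file attaches the per-CRD get/list/delete roles and the `customresourcedefinitions` update/watch/create/get role to the single `.Values.serviceAccount`, which is expected inside the `not .Values.leastPrivilege` guard, but nothing in the file says so; a header comment such as `# Non-least-privilege variant: all CRD roles are bound to .Values.serviceAccount; the per-component bindings live in the leastPrivilege variant` would help a reviewer tell the two variants apart.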


@ -0,0 +1,180 @@
{{- $pre530 := false -}}
{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }}
{{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}}
{{- end }}
{{- $runtimePath := "" -}}
{{- if .Values.runtimePath }}
{{- $runtimePath = .Values.runtimePath -}}
{{- else if and .Values.k3s.enabled (ne .Values.k3s.runtimePath "/run/k3s/containerd/containerd.sock") }}
{{- $runtimePath = .Values.k3s.runtimePath -}}
{{- else if and .Values.bottlerocket.enabled (ne .Values.bottlerocket.runtimePath "/run/dockershim.sock") }}
{{- $runtimePath = .Values.bottlerocket.runtimePath -}}
{{- else if and .Values.containerd.enabled (ne .Values.containerd.path "/var/run/containerd/containerd.sock") }}
{{- $runtimePath = .Values.containerd.path -}}
{{- else if and .Values.crio.enabled (ne .Values.crio.path "/var/run/crio/crio.sock") }}
{{- $runtimePath = .Values.crio.path -}}
{{- else if ne .Values.docker.path "/var/run/docker.sock" }}
{{- $runtimePath = .Values.docker.path -}}
{{- end }}
{{- if .Values.enforcer.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: DaemonSet
metadata:
name: neuvector-enforcer-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: Helm
release: {{ .Release.Name }}
spec:
updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }}
selector:
matchLabels:
app: neuvector-enforcer-pod
template:
metadata:
labels:
app: neuvector-enforcer-pod
release: {{ .Release.Name }}
{{- with .Values.enforcer.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.enforcer.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.enforcer.tolerations }}
tolerations:
{{ toYaml .Values.enforcer.tolerations | indent 8 }}
{{- end }}
hostPID: true
{{- if .Values.enforcer.priorityClassName }}
priorityClassName: {{ .Values.enforcer.priorityClassName }}
{{- end }}
{{- if .Values.leastPrivilege }}
serviceAccountName: enforcer
serviceAccount: enforcer
{{- else }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
{{- end }}
containers:
- name: neuvector-enforcer-pod
image: {{ template "system_default_registry" . }}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }}
securityContext:
privileged: true
resources:
{{- if .Values.enforcer.resources }}
{{ toYaml .Values.enforcer.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.resources | indent 12 }}
{{- end }}
env:
- name: CLUSTER_JOIN_ADDR
value: neuvector-svc-controller.{{ .Release.Namespace }}
- name: CLUSTER_ADVERTISED_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: CLUSTER_BIND_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- with .Values.enforcer.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
{{- if $pre530 }}
{{- if .Values.containerd.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.k3s.enabled }}
- mountPath: /run/containerd/containerd.sock
{{- else if .Values.bottlerocket.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.crio.enabled }}
- mountPath: /var/run/crio/crio.sock
{{- else }}
- mountPath: /var/run/docker.sock
{{- end }}
name: runtime-sock
readOnly: true
- mountPath: /host/proc
name: proc-vol
readOnly: true
- mountPath: /host/cgroup
name: cgroup-vol
readOnly: true
{{- else if $runtimePath }}
- mountPath: /run/runtime.sock
name: runtime-sock
readOnly: true
{{- end }}
- mountPath: /lib/modules
name: modules-vol
readOnly: true
- mountPath: /var/nv_debug
name: nv-debug
readOnly: false
{{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }}
- mountPath: /etc/neuvector/certs/internal/cert.key
subPath: {{ .Values.enforcer.internal.certificate.keyFile }}
name: internal-cert
readOnly: true
- mountPath: /etc/neuvector/certs/internal/cert.pem
subPath: {{ .Values.enforcer.internal.certificate.pemFile }}
name: internal-cert
readOnly: true
- mountPath: /etc/neuvector/certs/internal/ca.cert
subPath: {{ .Values.enforcer.internal.certificate.caFile }}
name: internal-cert
readOnly: true
{{- end }}
terminationGracePeriodSeconds: 1200
restartPolicy: Always
volumes:
{{- if $pre530 }}
- name: runtime-sock
hostPath:
{{- if .Values.containerd.enabled }}
path: {{ .Values.containerd.path }}
{{- else if .Values.crio.enabled }}
path: {{ .Values.crio.path }}
{{- else if .Values.k3s.enabled }}
path: {{ .Values.k3s.runtimePath }}
{{- else if .Values.bottlerocket.enabled }}
path: {{ .Values.bottlerocket.runtimePath }}
{{- else }}
path: {{ .Values.docker.path }}
{{- end }}
- name: proc-vol
hostPath:
path: /proc
- name: cgroup-vol
hostPath:
path: /sys/fs/cgroup
{{- else if $runtimePath }}
- name: runtime-sock
hostPath:
path: {{ $runtimePath }}
{{- end }}
- name: modules-vol
hostPath:
path: /lib/modules
- name: nv-debug
hostPath:
path: /var/nv_debug
{{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }}
- name: internal-cert
secret:
secretName: {{ .Values.enforcer.internal.certificate.secret }}
{{- end }}
{{- end }}
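Review bot: The runtime socket is selected twice with different branch orders: the `volumeMounts` chain under `$pre530` tests containerd, k3s, bottlerocket, crio, docker, while the `volumes` hostPath chain tests containerd, crio, k3s, bottlerocket, docker, so with both `k3s.enabled` and `crio.enabled` set the container path comes from the k3s branch and the host path from the crio branch. Reorder the `volumes` branches to match the mount chain (move the `crio.enabled` branch after `bottlerocket.enabled`), or decide once into a variable next to `$runtimePath` and use it in both places. Separately, the `runtime-sock` hostPath carries no `type:`; assuming these paths are always Unix sockets, `type: Socket` would make the pod fail to schedule when the socket is missing instead of the runtime bind-mounting whatever exists (or an empty directory) at that path. Note also that `$pre530` is true for tags below `5.2.10-0`, so the variable name slightly misstates the threshold; a comment on its assignment would avoid confusion.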


@ -0,0 +1,13 @@
{{- if .Values.controller.configmap.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: neuvector-init
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
data:
{{ toYaml .Values.controller.configmap.data | indent 2 }}
{{- end }}


@ -0,0 +1,15 @@
{{- if .Values.controller.secret.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: neuvector-init
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
data:
{{- range $key, $val := .Values.controller.secret.data }}
{{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }}
{{- end }}
{{- end }}
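Review bot: Each entry of `.Values.controller.secret.data` is rendered as `toYaml $val | b64enc` inside a `|` block scalar, so what the pod reads back is the YAML serialization of `$val`, not the raw value; a comment above the `range`, `# each value is YAML-serialized, then base64-encoded into the Secret`, would make that contract visible to whoever fills in the values. Because the plaintext arrives through `values.yaml`, it also ends up in the Helm release record and in `helm get values` output; the values documentation should say so, and point at a pre-created Secret if the chart supports one.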


@ -0,0 +1,126 @@
{{- if .Values.manager.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Deployment
metadata:
name: neuvector-manager-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
replicas: 1
selector:
matchLabels:
app: neuvector-manager-pod
template:
metadata:
labels:
app: neuvector-manager-pod
release: {{ .Release.Name }}
{{- with .Values.manager.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.manager.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }}
annotations:
{{- if eq "true" (toString .Values.autoGenerateCert) }}
checksum/manager-secret: {{ include (print $.Template.BasePath "/manager-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.manager.podAnnotations }}
{{- toYaml .Values.manager.podAnnotations | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- if .Values.manager.affinity }}
affinity:
{{ toYaml .Values.manager.affinity | indent 8 }}
{{- end }}
{{- if .Values.manager.tolerations }}
tolerations:
{{ toYaml .Values.manager.tolerations | indent 8 }}
{{- end }}
{{- if .Values.manager.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.manager.topologySpreadConstraints | indent 8 }}
{{- end }}
{{- if .Values.manager.nodeSelector }}
nodeSelector:
{{ toYaml .Values.manager.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.manager.priorityClassName }}
priorityClassName: {{ .Values.manager.priorityClassName }}
{{- end }}
{{- if .Values.leastPrivilege }}
serviceAccountName: basic
serviceAccount: basic
{{- else }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
{{- end }}
{{- if .Values.manager.runAsUser }}
securityContext:
runAsUser: {{ .Values.manager.runAsUser }}
{{- end }}
containers:
- name: neuvector-manager-pod
image: {{ template "system_default_registry" . }}{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }}
ports:
- name: http
containerPort: 8443
protocol: TCP
env:
- name: CTRL_SERVER_IP
value: neuvector-svc-controller.{{ .Release.Namespace }}
{{- if not .Values.manager.env.ssl }}
- name: MANAGER_SSL
value: "off"
{{- end }}
{{- with .Values.manager.env.envs }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.manager.certificate.secret }}
- mountPath: /etc/neuvector/certs/ssl-cert.key
subPath: {{ .Values.manager.certificate.keyFile }}
name: cert
readOnly: true
- mountPath: /etc/neuvector/certs/ssl-cert.pem
subPath: {{ .Values.manager.certificate.pemFile }}
name: cert
readOnly: true
{{- else if eq "true" (toString .Values.autoGenerateCert) }}
- mountPath: /etc/neuvector/certs/ssl-cert.key
subPath: ssl-cert.key
name: cert
readOnly: true
- mountPath: /etc/neuvector/certs/ssl-cert.pem
subPath: ssl-cert.pem
name: cert
readOnly: true
{{- end }}
resources:
{{- if .Values.manager.resources }}
{{ toYaml .Values.manager.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.resources | indent 12 }}
{{- end }}
restartPolicy: Always
volumes:
{{- if .Values.manager.certificate.secret }}
- name: cert
secret:
secretName: {{ .Values.manager.certificate.secret }}
{{- else if eq "true" (toString .Values.autoGenerateCert) }}
- name: cert
secret:
secretName: neuvector-manager-secret
{{- end }}
{{- end }}
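Review bot: The `neuvector-manager-pod` container sets no container-level `securityContext` beyond the optional pod-level `runAsUser`, so it runs with the default capability set and privilege escalation allowed; for a web UI that only listens on 8443 that is more than it should need. Unless the manager image requires otherwise, add under the container `securityContext:` `allowPrivilegeEscalation: false` and `capabilities: { drop: [ALL] }`, and `readOnlyRootFilesystem: true` if the image tolerates it. The container port is named `http` while the `neuvector-service-webui` Service names the same port `manager` and the Route targets `manager`; that works because the Service targets numeric 8443, but naming the container port `manager` too would make the chain easier to follow.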


@ -0,0 +1,71 @@
{{- if and .Values.manager.enabled .Values.manager.ingress.enabled -}}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: neuvector-webui-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.manager.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.manager.ingress.ingressClassName }}
ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }}
{{ end }}
{{- if .Values.manager.ingress.tls }}
tls:
- hosts:
- {{ .Values.manager.ingress.host }}
{{- if .Values.manager.ingress.secretName }}
secretName: {{ .Values.manager.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.manager.ingress.host }}
http:
paths:
- path: {{ .Values.manager.ingress.path }}
pathType: Prefix
backend:
service:
name: neuvector-service-webui
port:
number: 8443
{{- else }}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: neuvector-webui-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.manager.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.manager.ingress.tls }}
tls:
- hosts:
- {{ .Values.manager.ingress.host }}
{{- if .Values.manager.ingress.secretName }}
secretName: {{ .Values.manager.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.manager.ingress.host }}
http:
paths:
- path: {{ .Values.manager.ingress.path }}
backend:
serviceName: neuvector-service-webui
servicePort: 8443
{{- end }}
{{- end -}}
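Review bot: The `{{ end }}` that closes the `ingressClassName` block is the only action in this file without the left-trim marker, so the rendered spec gains an empty line after `ingressClassName`; write it as `{{- end }}` for consistency (the registry-adapter ingress has the same line). When `manager.ingress.tls` is set without `manager.ingress.secretName` the `tls` entry has hosts but no secret, which leaves certificate selection to the ingress controller's default; a comment above `{{- if .Values.manager.ingress.secretName }}` saying `# no secretName: the ingress controller's default certificate is used` would document that choice.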


@ -0,0 +1,33 @@
{{- if .Values.openshift -}}
{{- if .Values.manager.route.enabled }}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: route.openshift.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Route
metadata:
name: neuvector-route-webui
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.manager.route.host }}
host: {{ .Values.manager.route.host }}
{{- end }}
to:
kind: Service
name: neuvector-service-webui
port:
targetPort: manager
tls:
termination: {{ .Values.manager.route.termination }}
{{- if or (eq .Values.manager.route.termination "reencrypt") (eq .Values.manager.route.termination "edge") }}
{{- with .Values.manager.route.tls }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}


@ -0,0 +1,20 @@
{{- if .Values.manager.enabled -}}
{{- if eq "true" (toString .Values.autoGenerateCert) }}
{{- $cn := "neuvector" }}
{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}}
apiVersion: v1
kind: Secret
metadata:
name: neuvector-manager-secret
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
type: Opaque
data:
ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }}
ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }}
---
{{- end }}
{{- end }}
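Review bot: `genSelfSignedCert` is called with the single SAN `neuvector`, so the generated certificate matches neither `neuvector-service-webui` nor its `.svc` FQDN; if any in-cluster client verifies the manager certificate (a `reencrypt` Route may), the SAN list should include the service names built from `.Release.Namespace`, as the registry-adapter secret does for its own service. The value is wrapped in `neuvector.secrets.lookup`, which by its name reuses an existing Secret on upgrade; if that is the behaviour, the certificate is never renewed once `defaultValidityPeriod` days have passed, and a comment above the `$cert` line, `# reused from the existing Secret on upgrade and not rotated at expiry; delete the Secret to regenerate`, would spare operators a surprise.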


@ -0,0 +1,31 @@
{{- if .Values.manager.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: neuvector-service-webui
namespace: {{ .Release.Namespace }}
{{- with .Values.manager.svc.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
type: {{ .Values.manager.svc.type }}
{{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }}
loadBalancerIP: {{ .Values.manager.svc.loadBalancerIP }}
{{- end }}
ports:
- port: 8443
name: manager
protocol: TCP
{{- if .Values.manager.env.ssl }}
appProtocol: HTTPS
{{- else }}
appProtocol: HTTP
{{- end }}
selector:
app: neuvector-manager-pod
{{- end }}


@ -0,0 +1,160 @@
{{- if and .Values.global.cattle.psp.enabled (semverCompare "<1.25-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: neuvector-binding-psp
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
labels:
chart: {{ template "neuvector.chart" . }}
heritage: Helm
release: {{ .Release.Name }}
spec:
privileged: true
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
allowedCapabilities:
- SYS_ADMIN
- NET_ADMIN
- SYS_PTRACE
- IPC_LOCK
requiredDropCapabilities:
- ALL
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: neuvector-binding-psp
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: Helm
release: {{ .Release.Name }}
rules:
- apiGroups:
- policy
- extensions
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- neuvector-binding-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: neuvector-binding-psp
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: Helm
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: neuvector-binding-psp
subjects:
{{- if .Values.leastPrivilege }}
- kind: ServiceAccount
name: enforcer
namespace: {{ .Release.Namespace }}
{{- else }}
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- if .Values.leastPrivilege }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: neuvector-binding-psp-controller
labels:
chart: {{ template "neuvector.chart" . }}
heritage: Helm
release: {{ .Release.Name }}
spec:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
allowedCapabilities: null
requiredDropCapabilities:
- ALL
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- azureFile
- projected
- secret
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: neuvector-binding-psp-controller
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: Helm
release: {{ .Release.Name }}
rules:
- apiGroups:
- policy
- extensions
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- neuvector-binding-psp-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: neuvector-binding-psp-controller
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: Helm
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: neuvector-binding-psp-controller
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
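Review bot: The `neuvector-binding-psp` policy allows `hostNetwork: true`, `hostIPC: true` and the full `hostPorts` range, but the enforcer DaemonSet in this commit sets only `hostPID: true` (with `privileged: true`), and no workload visible here uses host networking or IPC; unless another pod bound to `.Values.serviceAccount` needs them, set `hostNetwork: false` and `hostIPC: false` and drop the `hostPorts` entry so the policy matches what is deployed. `volumes: ['*']` could likewise be narrowed to the types the bound pods actually mount (`hostPath` and `secret` for the enforcer, plus whatever the controller needs). In the `leastPrivilege` branch the RoleBinding's subject switches from `.Values.serviceAccount` to the `enforcer` account; a comment on the `subjects:` block, `# least-privilege mode binds the privileged PSP to the enforcer account only; the controller gets the restricted PSP below`, would make that intent explicit.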


@ -0,0 +1,27 @@
{{- if not .Values.controller.pvc.existingClaim -}}
{{- if and .Values.controller.enabled .Values.controller.pvc.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: neuvector-data
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
accessModes:
{{ toYaml .Values.controller.pvc.accessModes | indent 4 }}
volumeMode: Filesystem
{{- if .Values.controller.pvc.storageClass }}
storageClassName: {{ .Values.controller.pvc.storageClass }}
{{- end }}
resources:
requests:
{{- if .Values.controller.pvc.capacity }}
storage: {{ .Values.controller.pvc.capacity }}
{{- else }}
storage: 1Gi
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,109 @@
{{- if .Values.cve.adapter.enabled -}}
{{- if .Values.cve.adapter.ingress.enabled }}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: neuvector-registry-adapter-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.cve.adapter.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.cve.adapter.ingress.ingressClassName }}
ingressClassName: {{ .Values.cve.adapter.ingress.ingressClassName | quote }}
{{ end }}
{{- if .Values.cve.adapter.ingress.tls }}
tls:
- hosts:
- {{ .Values.cve.adapter.ingress.host }}
{{- if .Values.cve.adapter.ingress.secretName }}
secretName: {{ .Values.cve.adapter.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.cve.adapter.ingress.host }}
http:
paths:
- path: {{ .Values.cve.adapter.ingress.path }}
pathType: Prefix
backend:
service:
name: neuvector-service-registry-adapter
port:
number: 9443
{{- else }}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: neuvector-registry-adapter-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.cve.adapter.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.cve.adapter.ingress.tls }}
tls:
- hosts:
- {{ .Values.cve.adapter.ingress.host }}
{{- if .Values.cve.adapter.ingress.secretName }}
secretName: {{ .Values.cve.adapter.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.cve.adapter.ingress.host }}
http:
paths:
- path: {{ .Values.cve.adapter.ingress.path }}
backend:
serviceName: neuvector-service-webui
servicePort: 9443
{{- end }}
{{- end }}
---
{{- if and .Values.openshift .Values.cve.adapter.route.enabled }}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: route.openshift.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Route
metadata:
name: neuvector-route-registry-adapter
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
{{- if .Values.cve.adapter.route.host }}
host: {{ .Values.cve.adapter.route.host }}
{{- end }}
to:
kind: Service
name: neuvector-service-registry-adapter
port:
targetPort: registry-adapter
tls:
termination: {{ .Values.cve.adapter.route.termination }}
{{- if or (eq .Values.cve.adapter.route.termination "reencrypt") (eq .Values.cve.adapter.route.termination "edge") }}
{{- with .Values.cve.adapter.route.tls }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
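Review bot: In the `extensions/v1beta1` Ingress branch the backend is `serviceName: neuvector-service-webui`, while the `networking.k8s.io/v1` branch and the Route both target `neuvector-service-registry-adapter`; on clusters below 1.19 the registry-adapter host would be routed to the manager Service on port 9443, which that Service does not expose. Change it to `serviceName: neuvector-service-registry-adapter`. The `---` between the Ingress and the Route is emitted even when `ingress.enabled` is false, producing an empty leading document; Helm tolerates it, but moving the separator inside the `ingress.enabled` block keeps the output tidy.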


@ -0,0 +1,15 @@
{{- if .Values.cve.adapter.enabled -}}
{{- if eq "true" (toString .Values.autoGenerateCert) }}
{{- $cn := "neuvector" }}
{{- $cert := genSelfSignedCert $cn nil (list $cn "neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local" "neuvector-service-registry-adapter") (.Values.defaultValidityPeriod | int) -}}
apiVersion: v1
kind: Secret
metadata:
name: neuvector-registry-adapter-secret
type: Opaque
data:
ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }}
ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }}
---
{{- end }}
{{- end }}
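Review bot: The SAN list passed to `genSelfSignedCert` hard-codes the namespace in `neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local`, so a release installed into any other namespace gets a certificate that does not match the adapter's service FQDN; build it as `(printf "neuvector-service-registry-adapter.%s.svc.cluster.local" .Release.Namespace)`. The Secret's `metadata` also lacks `namespace: {{ .Release.Namespace }}`, unlike `neuvector-manager-secret`; Helm places it in the release namespace anyway, but the explicit field keeps the two secrets consistent and matches the namespace the `neuvector.secrets.lookup` call is asked to read from.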


@ -0,0 +1,194 @@
{{- if .Values.cve.adapter.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Deployment
metadata:
name: neuvector-registry-adapter-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
replicas: 1
selector:
matchLabels:
app: neuvector-registry-adapter-pod
template:
metadata:
labels:
app: neuvector-registry-adapter-pod
release: {{ .Release.Name }}
{{- with .Values.cve.adapter.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.cve.adapter.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }}
annotations:
{{- if eq "true" (toString .Values.autoGenerateCert) }}
checksum/registry-adapter-secret: {{ include (print $.Template.BasePath "/registry-adapter-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.cve.adapter.podAnnotations }}
{{- toYaml .Values.cve.adapter.podAnnotations | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- if .Values.cve.adapter.affinity }}
affinity:
{{ toYaml .Values.cve.adapter.affinity | indent 8 }}
{{- end }}
{{- if .Values.cve.adapter.tolerations }}
tolerations:
{{ toYaml .Values.cve.adapter.tolerations | indent 8 }}
{{- end }}
{{- if .Values.cve.adapter.nodeSelector }}
nodeSelector:
{{ toYaml .Values.cve.adapter.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.cve.adapter.priorityClassName }}
priorityClassName: {{ .Values.cve.adapter.priorityClassName }}
{{- end }}
{{- if .Values.leastPrivilege }}
serviceAccountName: registry-adapter
serviceAccount: registry-adapter
{{- else }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
{{- end }}
{{- if .Values.cve.adapter.runAsUser }}
securityContext:
runAsUser: {{ .Values.cve.adapter.runAsUser }}
{{- end }}
containers:
- name: neuvector-registry-adapter-pod
{{- if eq .Values.registry "registry.neuvector.com" }}
{{- if .Values.oem }}
image: "{{ .Values.registry }}/{{ .Values.oem }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}"
{{- else }}
image: "{{ .Values.registry }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}"
{{- end }}
{{- else }}
{{- if .Values.cve.adapter.image.hash }}
image: "{{ .Values.registry }}/{{ .Values.cve.adapter.image.repository }}@{{ .Values.cve.adapter.image.hash }}"
{{- else }}
image: {{ template "system_default_registry" . }}{{ .Values.cve.adapter.image.repository }}:{{ .Values.cve.adapter.image.tag }}
{{- end }}
{{- end }}
env:
- name: CLUSTER_JOIN_ADDR
value: neuvector-svc-controller.{{ .Release.Namespace }}
- name: HARBOR_SERVER_PROTO
value: {{ .Values.cve.adapter.harbor.protocol }}
{{- if .Values.cve.adapter.harbor.secretName }}
- name: HARBOR_BASIC_AUTH_USERNAME
valueFrom:
secretKeyRef:
name: {{ .Values.cve.adapter.harbor.secretName }}
key: username
- name: HARBOR_BASIC_AUTH_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.cve.adapter.harbor.secretName }}
key: password
{{- end }}
{{- with .Values.cve.adapter.env }}
{{- toYaml . | nindent 14 }}
{{- end }}
volumeMounts:
{{- if .Values.cve.adapter.certificate.secret }}
- mountPath: /etc/neuvector/certs/ssl-cert.key
subPath: {{ .Values.cve.adapter.certificate.keyFile }}
name: cert
readOnly: true
- mountPath: /etc/neuvector/certs/ssl-cert.pem
subPath: {{ .Values.cve.adapter.certificate.pemFile }}
name: cert
readOnly: true
{{- else if eq "true" (toString .Values.autoGenerateCert) }}
- mountPath: /etc/neuvector/certs/ssl-cert.key
subPath: ssl-cert.key
name: cert
readOnly: true
- mountPath: /etc/neuvector/certs/ssl-cert.pem
subPath: ssl-cert.pem
name: cert
readOnly: true
{{- end }}
resources:
{{- if .Values.cve.adapter.resources }}
{{ toYaml .Values.cve.adapter.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.resources | indent 12 }}
{{- end }}
{{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }}
volumeMounts:
- mountPath: /etc/neuvector/certs/internal/cert.key
subPath: {{ .Values.cve.adapter.internal.certificate.keyFile }}
name: internal-cert
readOnly: true
- mountPath: /etc/neuvector/certs/internal/cert.pem
subPath: {{ .Values.cve.adapter.internal.certificate.pemFile }}
name: internal-cert
readOnly: true
- mountPath: /etc/neuvector/certs/internal/ca.cert
subPath: {{ .Values.cve.adapter.internal.certificate.caFile }}
name: internal-cert
readOnly: true
{{- end }}
restartPolicy: Always
volumes:
{{- if .Values.cve.adapter.certificate.secret }}
- name: cert
secret:
secretName: {{ .Values.cve.adapter.certificate.secret }}
{{- else if eq "true" (toString .Values.autoGenerateCert) }}
- name: cert
secret:
secretName: neuvector-registry-adapter-secret
{{- end }}
{{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }}
- name: internal-cert
secret:
secretName: {{ .Values.cve.adapter.internal.certificate.secret }}
{{- end }}
---
apiVersion: v1
kind: Service
metadata:
name: neuvector-service-registry-adapter
namespace: {{ .Release.Namespace }}
{{- with .Values.cve.adapter.svc.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
type: {{ .Values.cve.adapter.svc.type }}
{{- if and .Values.cve.adapter.svc.loadBalancerIP (eq .Values.cve.adapter.svc.type "LoadBalancer") }}
loadBalancerIP: {{ .Values.cve.adapter.svc.loadBalancerIP }}
{{- end }}
ports:
- name: registry-adapter
{{- if (eq .Values.cve.adapter.harbor.protocol "https") }}
port: 9443
appProtocol: HTTPS
{{- else }}
port: 8090
appProtocol: HTTP
{{- end }}
protocol: TCP
selector:
app: neuvector-registry-adapter-pod
{{- end }}
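Review bot: The container spec emits `volumeMounts:` twice when an internal certificate is configured: once unconditionally before `resources:` and again inside the `{{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }}` block after it, which is a duplicate mapping key in the rendered manifest. YAML parsers either reject the duplicate or keep only the last value, so the ssl-cert mounts from the first list would be silently lost exactly when both certificate sources are enabled. Fold the internal-cert entries into the single `volumeMounts:` list and delete the second key; the scanner deployment later in this commit has only one `volumeMounts:` key and needs no change.
```yaml
        volumeMounts:
        {{- if .Values.cve.adapter.certificate.secret }}
        # … unchanged: ssl-cert.key / ssl-cert.pem mounts from certificate.secret …
        {{- else if eq "true" (toString .Values.autoGenerateCert) }}
        # … unchanged: ssl-cert.key / ssl-cert.pem mounts from the generated secret …
        {{- end }}
        {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }}
        - mountPath: /etc/neuvector/certs/internal/cert.key
          subPath: {{ .Values.cve.adapter.internal.certificate.keyFile }}
          name: internal-cert
          readOnly: true
        - mountPath: /etc/neuvector/certs/internal/cert.pem
          subPath: {{ .Values.cve.adapter.internal.certificate.pemFile }}
          name: internal-cert
          readOnly: true
        - mountPath: /etc/neuvector/certs/internal/ca.cert
          subPath: {{ .Values.cve.adapter.internal.certificate.caFile }}
          name: internal-cert
          readOnly: true
        {{- end }}
        resources:
        # … unchanged: resources block; the second volumeMounts key that followed it is removed …
```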


@ -0,0 +1,29 @@
{{- if and .Values.rbac .Values.leastPrivilege -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Role
metadata:
name: neuvector-binding-scanner
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- watch
- patch
- update
{{- end }}
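Review bot: The Role grants `patch` and `update` on every Deployment in the release namespace, but the only writer visible in this commit is the updater CronJob, which patches just `neuvector-scanner-pod`. For a leastPrivilege profile the write verbs can be pinned to that object with a second rule carrying `resourceNames`, leaving `get` and `watch` in the unrestricted rule since RBAC cannot scope list-style `watch` requests by name. The binding also covers the controller service account, so confirm the controller does not patch other Deployments before narrowing.
```yaml
rules:
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - watch
  - apiGroups:
      - apps
    resourceNames:
      - neuvector-scanner-pod
    resources:
      - deployments
    verbs:
      - patch
      - update
```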


@ -0,0 +1,24 @@
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Role
metadata:
name: neuvector-binding-secret
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
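Review bot: This Role is rendered unconditionally, whereas the sibling `neuvector-binding-scanner` Role and every RoleBinding that references `neuvector-binding-secret` are wrapped in a `.Values.rbac` check, so with `rbac: false` the chart still creates a Role that nothing binds. Wrapping the file in `{{- if .Values.rbac -}}` … `{{- end }}` keeps it consistent with the other RBAC templates in this commit. If the unguarded rendering is intentional, a one-line comment at the top saying why would save the next reader the same question.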


@ -0,0 +1,169 @@
{{- if and .Values.rbac .Values.leastPrivilege -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: RoleBinding
metadata:
name: neuvector-binding-scanner
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: Role
{{- end }}
name: neuvector-binding-scanner
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: updater
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: RoleBinding
metadata:
name: neuvector-binding-secret
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: Role
{{- end }}
name: neuvector-binding-secret
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}
---
{{- if $oc4 }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: system:openshift:scc:privileged
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:privileged
subjects:
- kind: ServiceAccount
name: enforcer
namespace: {{ .Release.Namespace }}
---
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
name: neuvector-scc-controller
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
type: RunAsAny
seLinuxContext:
type: RunAsAny
supplementalGroups:
type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- azureFile
- projected
- secret
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:openshift:scc:neuvector-scc-controller
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- neuvector-scc-controller
resources:
- securitycontextconstraints
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: system:openshift:scc:neuvector-scc-controller
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:neuvector-scc-controller
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
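Review bot: The SecurityContextConstraints object in the `$oc4` block is the only resource in this file whose `metadata:` carries no `chart`/`release`/`heritage` labels, so label selectors that find the chart's other objects miss it. Adding the same `labels:` block that the ClusterRole directly below it uses keeps the set uniform. The SCC itself reads as tight (no host namespaces, `allowPrivilegeEscalation: false`, `requiredDropCapabilities: [ALL]`); `runAsUser: RunAsAny` is the one setting worth a short comment explaining why `MustRunAsNonRoot` is not used, given values.yaml says `runAsUser` must be set on hardened clusters.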


@ -0,0 +1,88 @@
{{- if and .Values.rbac (not .Values.leastPrivilege) -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: RoleBinding
metadata:
name: neuvector-admin
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: admin
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: RoleBinding
metadata:
name: neuvector-binding-secret
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: Role
{{- end }}
name: neuvector-binding-secret
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
{{- if $oc4 }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: system:openshift:scc:privileged
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:scc:privileged
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
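Review bot: The `system:openshift:scc:privileged` RoleBinding in the `$oc4` block binds the privileged SCC to `.Values.serviceAccount`, which in this mode is the single account every component runs under, so manager, scanner, updater and adapter pods all become eligible for the privileged SCC even though the leastPrivilege variant of this file scopes that binding to the `enforcer` account alone. This is inherent to the non-leastPrivilege profile, but it deserves a comment above the binding, e.g. `# Shared service account: every NeuVector pod may use the privileged SCC; set leastPrivilege=true to limit it to the enforcer`. The `neuvector-binding-secret` RoleBinding earlier in the file also looks redundant here, since the built-in `admin` ClusterRole bound just above it already covers secrets in the namespace.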


@ -0,0 +1,106 @@
{{- if .Values.cve.scanner.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Deployment
metadata:
name: neuvector-scanner-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: Helm
release: {{ .Release.Name }}
spec:
strategy:
{{ toYaml .Values.cve.scanner.strategy | indent 4 }}
replicas: {{ .Values.cve.scanner.replicas }}
selector:
matchLabels:
app: neuvector-scanner-pod
template:
metadata:
labels:
app: neuvector-scanner-pod
{{- with .Values.cve.scanner.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cve.scanner.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.cve.scanner.affinity }}
affinity:
{{ toYaml .Values.cve.scanner.affinity | indent 8 }}
{{- end }}
{{- if .Values.cve.scanner.tolerations }}
tolerations:
{{ toYaml .Values.cve.scanner.tolerations | indent 8 }}
{{- end }}
{{- if .Values.cve.scanner.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.cve.scanner.topologySpreadConstraints | indent 8 }}
{{- end }}
{{- if .Values.cve.scanner.nodeSelector }}
nodeSelector:
{{ toYaml .Values.cve.scanner.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.cve.scanner.priorityClassName }}
priorityClassName: {{ .Values.cve.scanner.priorityClassName }}
{{- end }}
{{- if .Values.leastPrivilege }}
serviceAccountName: scanner
serviceAccount: scanner
{{- else }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
{{- end }}
{{- if .Values.cve.scanner.runAsUser }}
securityContext:
runAsUser: {{ .Values.cve.scanner.runAsUser }}
{{- end }}
containers:
- name: neuvector-scanner-pod
image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}
imagePullPolicy: Always
env:
- name: CLUSTER_JOIN_ADDR
value: neuvector-svc-controller.{{ .Release.Namespace }}
{{- if .Values.cve.scanner.dockerPath }}
- name: SCANNER_DOCKER_URL
value: {{ .Values.cve.scanner.dockerPath }}
{{- end }}
{{- with .Values.cve.scanner.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{ toYaml .Values.cve.scanner.resources | indent 12 }}
{{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }}
volumeMounts:
- mountPath: /etc/neuvector/certs/internal/cert.key
subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }}
name: internal-cert
readOnly: true
- mountPath: /etc/neuvector/certs/internal/cert.pem
subPath: {{ .Values.cve.scanner.internal.certificate.pemFile }}
name: internal-cert
readOnly: true
- mountPath: /etc/neuvector/certs/internal/ca.cert
subPath: {{ .Values.cve.scanner.internal.certificate.caFile }}
name: internal-cert
readOnly: true
{{- end }}
restartPolicy: Always
{{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }}
volumes:
- name: internal-cert
secret:
secretName: {{ .Values.cve.scanner.internal.certificate.secret }}
{{- end }}
{{- end }}
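Review bot: The `image:` line ignores `.Values.cve.scanner.image.hash`, even though values.yaml in this commit declares that key for the scanner and the registry-adapter deployment honours its own `image.hash`, so an operator who pins a digest still gets the mutable `latest` tag pulled with `imagePullPolicy: Always`. Mirroring the adapter's digest branch makes the pin effective and keeps the two deployments consistent. The scanner's `image.registry` value is likewise unused by this template; if it is not meant to be consumed, dropping it from values.yaml avoids a misleading knob.
```yaml
      containers:
        - name: neuvector-scanner-pod
          {{- if .Values.cve.scanner.image.hash }}
          image: "{{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}@{{ .Values.cve.scanner.image.hash }}"
          {{- else }}
          image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}
          {{- end }}
          imagePullPolicy: Always
          # … unchanged: env, resources, volumeMounts …
```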


@ -0,0 +1,72 @@
{{- if .Values.leastPrivilege }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: basic
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: controller
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: enforcer
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: scanner
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: updater
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: registry-adapter
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
{{- end }}


@ -0,0 +1,13 @@
{{- if not .Values.leastPrivilege }}
{{- if ne .Values.serviceAccount "default"}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
{{- end }}
{{- end }}


@ -0,0 +1,81 @@
{{- if .Values.cve.updater.enabled -}}
{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: batch/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: batch/v1beta1
{{- else }}
apiVersion: batch/v2alpha1
{{- end }}
kind: CronJob
metadata:
name: neuvector-updater-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: Helm
spec:
schedule: {{ .Values.cve.updater.schedule | quote }}
jobTemplate:
spec:
template:
metadata:
labels:
app: neuvector-updater-pod
release: {{ .Release.Name }}
{{- with .Values.cve.updater.podLabels }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cve.updater.podAnnotations }}
annotations:
{{- toYaml . | nindent 12 }}
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.cve.updater.nodeSelector }}
nodeSelector:
{{ toYaml .Values.cve.updater.nodeSelector | indent 12 }}
{{- end }}
{{- if .Values.cve.updater.priorityClassName }}
priorityClassName: {{ .Values.cve.updater.priorityClassName }}
{{- end }}
{{- if .Values.leastPrivilege }}
serviceAccountName: updater
serviceAccount: updater
{{- else }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
{{- end }}
{{- if .Values.cve.updater.runAsUser }}
securityContext:
runAsUser: {{ .Values.cve.updater.runAsUser }}
{{- end }}
containers:
- name: neuvector-updater-pod
image: {{ template "system_default_registry" . }}{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }}
imagePullPolicy: Always
resources:
{{ toYaml .Values.cve.updater.resources | indent 16 }}
{{- if .Values.cve.scanner.enabled }}
command:
- /bin/sh
- -c
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
{{- if .Values.cve.updater.secure }}
{{- if .Values.cve.updater.cacert }}
- /usr/bin/curl -v --cacert {{ .Values.cve.updater.cacert }} -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
{{- else }}
- /usr/bin/curl -v -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
{{- end }}
{{- else }}
- /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
{{- end }}
{{- else }}
- /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
{{- end }}
{{- end }}
restartPolicy: Never
{{- end }}
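Review bot: Every curl invocation in the `command:` block passes `-v`, and curl's verbose output echoes the outgoing request headers to stderr, so the service-account bearer token supplied via `-H "Authorization:Bearer $(cat ...)"` is written to the updater pod's logs on each run. Replacing `-v` with `-sS` in the four curl lines keeps error reporting without printing headers. Separately, the `secure: false` default in values.yaml selects the `-kv` branch, so API-server certificate verification is off unless the operator opts in, even though the in-cluster CA at the default `cacert` path is always mounted; consider defaulting `secure` to true, or at least noting in values.yaml that the insecure branch is the default.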


@ -0,0 +1,7 @@
{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
{{- if .Values.global.cattle.psp.enabled }}
{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,547 @@
# Default values for neuvector.
# This is a YAML-formatted file.
# Declare variables to be passed into the templates.
openshift: false
registry: docker.io
tag: 5.3.3
oem:
rbac: true # required for rancher authentication
serviceAccount: neuvector
leastPrivilege: false
global: # required for rancher authentication (https://<Rancher_URL>/)
cattle:
url:
systemDefaultRegistry: ""
psp:
enabled: false # PSP enablement should default to false
autoGenerateCert: true
defaultValidityPeriod: 365
internal: # enable when cert-manager is installed for the internal certificates
certmanager:
enabled: false
secretname: neuvector-internal
controller:
# If false, controller will not be installed
enabled: true
annotations: {}
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
image:
repository: rancher/mirrored-neuvector-controller
tag: 5.3.3
hash:
replicas: 3
disruptionbudget: 0
schedulerName:
priorityClassName:
podLabels: {}
podAnnotations: {}
env: []
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- neuvector-controller-pod
topologyKey: "kubernetes.io/hostname"
tolerations: []
topologySpreadConstraints: []
nodeSelector:
{}
# key1: value1
# key2: value2
apisvc:
type:
annotations: {}
# OpenShift Route configuration
# Controller supports HTTPS only, so edge termination not supported
route:
enabled: false
termination: passthrough
host:
tls:
#certificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#caCertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#destinationCACertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#key: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
ranchersso: # required for rancher authentication
enabled: true
pvc:
enabled: false
existingClaim: false
accessModes:
- ReadWriteMany
storageClass:
capacity:
azureFileShare:
enabled: false
secretName:
shareName:
certificate:
secret: ""
keyFile: tls.key
pemFile: tls.pem
internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)
certificate:
secret: ""
keyFile: tls.key
pemFile: tls.crt
caFile: ca.crt # must be the same CA for all internal.
federation:
mastersvc:
type:
loadBalancerIP:
clusterIP:
nodePort: # Must be a valid NodePort: 30000-32767
externalTrafficPolicy:
internalTrafficPolicy:
# Federation Master Ingress
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
ingressClassName: ""
path: "/" # or this could be "/api", but might need "rewrite-target" annotation
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# ingress.kubernetes.io/rewrite-target: /
tls: false
secretName:
annotations: {}
# OpenShift Route configuration
# Controller supports HTTPS only, so edge termination not supported
route:
enabled: false
termination: passthrough
host:
tls:
#certificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#caCertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#destinationCACertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#key: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
managedsvc:
type:
loadBalancerIP:
clusterIP:
nodePort: # Must be a valid NodePort: 30000-32767
externalTrafficPolicy:
internalTrafficPolicy:
# Federation Managed Ingress
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
ingressClassName: ""
path: "/" # or this could be "/api", but might need "rewrite-target" annotation
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# ingress.kubernetes.io/rewrite-target: /
tls: false
secretName:
annotations: {}
# OpenShift Route configuration
# Controller supports HTTPS only, so edge termination not supported
route:
enabled: false
termination: passthrough
host:
tls:
#certificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#caCertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#destinationCACertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#key: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
ingressClassName: ""
path: "/" # or this could be "/api", but might need "rewrite-target" annotation
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# ingress.kubernetes.io/rewrite-target: /
tls: false
secretName:
resources:
{}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
configmap:
enabled: false
data:
# passwordprofileinitcfg.yaml: |
# ...
# roleinitcfg.yaml: |
# ...
# ldapinitcfg.yaml: |
# ...
# oidcinitcfg.yaml: |
# ...
# samlinitcfg.yaml: |
# ...
# sysinitcfg.yaml: |
# ...
# userinitcfg.yaml: |
# ...
secret:
# NOTE: files defined here have preferrence over the ones defined in the configmap section
enabled: false
data:
# passwordprofileinitcfg.yaml:
# ...
# roleinitcfg.yaml:
# ...
# ldapinitcfg.yaml:
# directory: OpenLDAP
# ...
# oidcinitcfg.yaml:
# Issuer: https://...
# ...
# samlinitcfg.yaml:
# ...
# sysinitcfg.yaml:
# ...
userinitcfg.yaml:
users:
- Fullname: admin
Password:
Role: admin
enforcer:
# If false, enforcer will not be installed
enabled: true
image:
repository: rancher/mirrored-neuvector-enforcer
tag: 5.3.3
hash:
updateStrategy:
type: RollingUpdate
priorityClassName:
podLabels: {}
podAnnotations: {}
env: []
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
resources:
{}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)
certificate:
secret: ""
keyFile: tls.key
pemFile: tls.crt
caFile: ca.crt # must be the same CA for all internal.
manager:
# If false, manager will not be installed
enabled: true
image:
repository: rancher/mirrored-neuvector-manager
tag: 5.3.3
hash:
priorityClassName:
env:
ssl: true
envs: []
# - name: CUSTOM_PAGE_HEADER_COLOR
# value: "#FFFFFF"
# - name: CUSTOM_PAGE_FOOTER_COLOR
# value: "#FFFFFF"
svc:
type: NodePort # should be set to - ClusterIP
loadBalancerIP:
annotations:
{}
# azure
# service.beta.kubernetes.io/azure-load-balancer-internal: "true"
# service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
# OpenShift Route configuration
# Make sure manager env ssl is false for edge termination
route:
enabled: true
termination: passthrough
host:
tls:
#certificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#caCertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#destinationCACertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#key: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
certificate:
secret: ""
keyFile: tls.key
pemFile: tls.pem
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
ingressClassName: ""
path: "/"
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# kubernetes.io/ingress.class: my-nginx
# nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1"
# nginx.ingress.kubernetes.io/rewrite-target: /
# nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
# only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert
tls: false
secretName: # my-tls-secret
resources:
{}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
topologySpreadConstraints: []
affinity: {}
podLabels: {}
podAnnotations: {}
tolerations: []
nodeSelector:
{}
# key1: value1
# key2: value2
runAsUser: # MUST be set for Rancher hardened cluster
cve:
adapter:
enabled: false
image:
repository: rancher/mirrored-neuvector-registry-adapter
tag: 0.1.2
hash:
priorityClassName:
resources:
{}
# limits:
# cpu: 400m
# memory: 512Mi
# requests:
# cpu: 100m
# memory: 1024Mi
affinity: {}
podLabels: {}
podAnnotations: {}
env: []
tolerations: []
nodeSelector:
{}
# key1: value1
# key2: value2
runAsUser: # MUST be set for Rancher hardened cluster
## TLS cert/key. If absent, TLS cert/key automatically generated will be used.
##
## default: (none)
certificate:
secret: ""
keyFile: tls.key
pemFile: tls.crt
harbor:
protocol: https
secretName:
svc:
type: NodePort # should be set to - ClusterIP
loadBalancerIP:
annotations:
{}
# azure
# service.beta.kubernetes.io/azure-load-balancer-internal: "true"
# service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
# OpenShift Route configuration
route:
enabled: true
termination: passthrough
host:
tls:
#certificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#caCertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#destinationCACertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#key: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
ingressClassName: ""
path: "/"
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# kubernetes.io/ingress.class: my-nginx
# nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1"
# nginx.ingress.kubernetes.io/rewrite-target: /
# nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
# only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert
tls: false
secretName: # my-tls-secret
internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)
certificate:
secret: ""
keyFile: tls.key
pemFile: tls.crt
caFile: ca.crt # must be the same CA for all internal.
updater:
# If false, cve updater will not be installed
enabled: true
secure: false
cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
image:
registry: ""
repository: rancher/mirrored-neuvector-updater
tag: latest
hash:
schedule: "0 0 * * *"
priorityClassName:
resources:
{}
# limits:
# cpu: 100m
# memory: 256Mi
# requests:
# cpu: 100m
# memory: 256Mi
podLabels: {}
podAnnotations: {}
nodeSelector:
{}
# key1: value1
# key2: value2
runAsUser: # MUST be set for Rancher hardened cluster
scanner:
enabled: true
replicas: 3
dockerPath: ""
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
image:
registry: ""
repository: rancher/mirrored-neuvector-scanner
tag: latest
hash:
priorityClassName:
resources:
{}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
topologySpreadConstraints: []
affinity: {}
podLabels: {}
podAnnotations: {}
env: []
tolerations: []
nodeSelector:
{}
# key1: value1
# key2: value2
runAsUser: # MUST be set for Rancher hardened cluster
internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)
certificate:
secret: ""
keyFile: tls.key
pemFile: tls.crt
caFile: ca.crt # must be the same CA for all internal.
resources:
{}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
runtimePath:
# The following runtime type and socket location are deprecated after 5.3.0.
# If the socket path is not at the default location, use above 'runtimePath' to specify the location.
docker:
path: /var/run/docker.sock
k3s:
enabled: false
runtimePath: /run/k3s/containerd/containerd.sock
bottlerocket:
enabled: false
runtimePath: /run/dockershim.sock
containerd:
enabled: false
path: /var/run/containerd/containerd.sock
crio:
enabled: false
path: /var/run/crio/crio.sock
admissionwebhook:
type: ClusterIP
crdwebhook:
enabled: true
type: ClusterIP

@ -5488,6 +5488,37 @@ entries:
urls:
- assets/neuvector/neuvector-103.0.0+up2.6.4.tgz
version: 103.0.0+up2.6.4
- annotations:
catalog.cattle.io/auto-install: neuvector-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: NeuVector
catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.31.0-0'
catalog.cattle.io/namespace: cattle-neuvector-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux
catalog.cattle.io/provides-gvr: neuvector.com/v1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: neuvector
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/upstream-version: 2.7.7
apiVersion: v1
appVersion: 5.3.3
created: "2024-06-14T14:19:43.051288035-03:00"
description: Helm feature chart for NeuVector container security platform.
digest: a1369c1f9df373a43cc891afe407123603640d8dc66d65e6a6afe936ecb15aec
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
keywords:
- security
maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector
sources:
- https://github.com/neuvector/neuvector
urls:
- assets/neuvector/neuvector-102.1.0+up2.7.7.tgz
version: 102.1.0+up2.7.7
- annotations:
catalog.cattle.io/auto-install: neuvector-crd=match
catalog.cattle.io/certified: rancher
@ -6102,6 +6133,26 @@ entries:
urls:
- assets/neuvector-crd/neuvector-crd-103.0.0+up2.6.4.tgz
version: 103.0.0+up2.6.4
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-neuvector-system
catalog.cattle.io/release-name: neuvector-crd
apiVersion: v1
appVersion: 5.3.3
created: "2024-06-14T14:20:54.945068089-03:00"
description: Helm chart for NeuVector's CRD services
digest: ab4661cabbc0242dddd959fb9a0c2c712f41d6ab756fdc23b4697faaad5551ce
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector-crd
type: application
urls:
- assets/neuvector-crd/neuvector-crd-102.1.0+up2.7.7.tgz
version: 102.1.0+up2.7.7
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
@ -6566,6 +6617,37 @@ entries:
urls:
- assets/neuvector-monitor/neuvector-monitor-103.0.0+up2.6.4.tgz
version: 103.0.0+up2.6.4
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: NeuVector Monitor
catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.31.0-0'
catalog.cattle.io/namespace: cattle-neuvector-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux
catalog.cattle.io/provides-gvr: neuvector.com/v1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: neuvector-monitor
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/upstream-version: 2.7.7
apiVersion: v1
appVersion: 1-1.0.0
created: "2024-06-14T14:21:19.060161403-03:00"
description: Helm feature chart (optional) add-on to NeuVector for monitoring
with Prometheus/Grafana.
digest: 7d151245cf6d05d7c521a6c8db6544eea06749cd4b8cf3a6e5068196f4133f5e
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
keywords:
- security
maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector-monitor
sources:
- https://github.com/neuvector/neuvector
urls:
- assets/neuvector-monitor/neuvector-monitor-102.1.0+up2.7.7.tgz
version: 102.1.0+up2.7.7
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: NeuVector Monitor

@ -64,6 +64,7 @@ neuvector:
- 102.0.8+up2.7.3
- 102.0.9+up2.7.6
- 103.0.3+up2.7.6
- 102.1.0+up2.7.7
neuvector-crd:
- 102.0.6+up2.6.6
- 103.0.1+up2.7.1
@ -72,6 +73,7 @@ neuvector-crd:
- 102.0.8+up2.7.3
- 102.0.9+up2.7.6
- 103.0.3+up2.7.6
- 102.1.0+up2.7.7
neuvector-monitor:
- 102.0.6+up2.6.6
- 103.0.1+up2.7.1
@ -79,6 +81,7 @@ neuvector-monitor:
- 102.0.8+up2.7.3
- 102.0.9+up2.7.6
- 103.0.3+up2.7.6
- 102.1.0+up2.7.7
prometheus-federator:
- 103.0.1+up0.4.1
- 104.0.0-rc1+up0.4.0