mirror of https://git.rancher.io/charts
commit
8249d2d753
Binary files not shown (4 files).
|
@ -4,7 +4,7 @@ annotations:
|
|||
catalog.cattle.io/namespace: cattle-neuvector-system
|
||||
catalog.cattle.io/release-name: neuvector-crd
|
||||
apiVersion: v1
|
||||
appVersion: 5.1.0
|
||||
appVersion: 5.1.1
|
||||
description: Helm chart for NeuVector's CRD services
|
||||
home: https://neuvector.com
|
||||
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
|
||||
|
@ -13,4 +13,4 @@ maintainers:
|
|||
name: becitsthere
|
||||
name: neuvector-crd
|
||||
type: application
|
||||
version: 101.0.2+up2.4.0
|
||||
version: 102.0.0+up2.4.2
|
|
@ -1,8 +1,8 @@
|
|||
# NeuVector Helm Chart
|
||||
|
||||
Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the contaier applications.
|
||||
Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the container applications.
|
||||
|
||||
Because the CRD poclies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set 'crdwebhook.enabled' to false in the 'core' chart.
|
||||
Because the CRD policies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set `crdwebhook.enabled` to false in the 'core' chart.
|
||||
|
||||
## Configuration
|
||||
|
||||
|
@ -13,7 +13,3 @@ Parameter | Description | Default | Notes
|
|||
`openshift` | If deploying in OpenShift, set this to true | `false` |
|
||||
`serviceAccount` | Service account name for NeuVector components | `default` |
|
||||
`crdwebhook.type` | crd webhook type | `ClusterIP` |
|
||||
|
||||
---
|
||||
Contact <support@neuvector.com> for access to Docker Hub and docs.
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
### Run-Time Protection Without Compromise
|
||||
|
||||
NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform.
|
||||
|
||||
NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include:
|
||||
|
||||
+ Build phase vulnerability scanning with Jenkins plug-in and registry scanning
|
||||
+ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks
|
||||
+ Complete run-time scanning with network, process, and file system monitoring and protection
|
||||
+ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation
|
||||
+ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures
|
||||
+ Run-time vulnerability scanning and CIS benchmarks
|
||||
|
||||
Additional Notes:
|
||||
+ Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447.
|
||||
+ Configure correct container runtime and runtime path under container runtime. Enable only one runtime.
|
||||
+ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0.
|
||||
+ For deploying on hardened RKE cluster, enable PSP from other configuration.
|
|
@ -2,7 +2,7 @@ annotations:
|
|||
catalog.cattle.io/auto-install: neuvector-crd=match
|
||||
catalog.cattle.io/certified: rancher
|
||||
catalog.cattle.io/display-name: NeuVector
|
||||
catalog.cattle.io/kube-version: '>=1.18.0-0 <= 1.25.0-0'
|
||||
catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.27.0-0'
|
||||
catalog.cattle.io/namespace: cattle-neuvector-system
|
||||
catalog.cattle.io/os: linux
|
||||
catalog.cattle.io/permit-os: linux
|
||||
|
@ -10,10 +10,9 @@ annotations:
|
|||
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
|
||||
catalog.cattle.io/release-name: neuvector
|
||||
catalog.cattle.io/type: cluster-tool
|
||||
catalog.cattle.io/ui-component: neuvector
|
||||
catalog.cattle.io/upstream-version: 2.4.0
|
||||
catalog.cattle.io/upstream-version: 2.4.2
|
||||
apiVersion: v1
|
||||
appVersion: 5.1.0
|
||||
appVersion: 5.1.1
|
||||
description: Helm feature chart for NeuVector's core services
|
||||
home: https://neuvector.com
|
||||
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
|
||||
|
@ -25,4 +24,4 @@ maintainers:
|
|||
name: neuvector
|
||||
sources:
|
||||
- https://github.com/neuvector/neuvector
|
||||
version: 101.0.2+up2.4.0
|
||||
version: 102.0.0+up2.4.2
|
|
@ -1,55 +1,12 @@
|
|||
# NeuVector Helm Chart
|
||||
|
||||
Helm chart for NeuVector container security's core services.
|
||||
|
||||
## Preparation if using Helm 2
|
||||
|
||||
- Kubernetes 1.7+
|
||||
- Helm installed and Tiller pod is running
|
||||
- Cluster role `cluster-admin` available, check by:
|
||||
|
||||
```console
|
||||
$ kubectl get clusterrole cluster-admin
|
||||
```
|
||||
|
||||
If nothing returned, then add the `cluster-admin`:
|
||||
|
||||
cluster-admin.yaml
|
||||
```yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cluster-admin
|
||||
rules:
|
||||
- apiGroups:
|
||||
- '*'
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- nonResourceURLs:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
```
|
||||
|
||||
```console
|
||||
$ kubectl create -f cluster-admin.yaml
|
||||
```
|
||||
|
||||
- If you have not created a service account for tiller, and give it admin abilities on the cluster:
|
||||
|
||||
```console
|
||||
$ kubectl create serviceaccount --namespace kube-system tiller
|
||||
$ kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
|
||||
$ kubectl patch deployment tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}' -n kube-system
|
||||
```
|
||||
|
||||
## CRD
|
||||
Because the CRD (Custom Resource Definition) policies can be deployed before NeuVector's core product, a new 'crd' helm chart is created. The crd template in the 'core' chart is kept for the backward compatibility. Please set 'crdwebhook.enabled' to false, if you use the new 'crd' chart.
|
||||
Because the CRD (Custom Resource Definition) policies can be deployed before NeuVector's core product, a new 'crd' helm chart is created. The crd template in the 'core' chart is kept for the backward compatibility. Please set `crdwebhook.enabled` to false, if you use the new 'crd' chart.
|
||||
|
||||
## Choosing container runtime
|
||||
The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, k3s.enabled and bottlerocket.enabled, respectively.
|
||||
The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, `k3s.enabled` and `bottlerocket.enabled`, respectively.
|
||||
|
||||
## Configuration
|
||||
|
||||
|
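Review bot: the CRD paragraph kept in this hunk still presents the `crd` chart as optional ("if you use the new 'crd' chart"), but this feature chart's Chart.yaml carries `catalog.cattle.io/auto-install: neuvector-crd=match`, so the crd chart is always installed alongside it; the README should state that `crdwebhook.enabled` must stay `false` for this chart rather than leave it conditional. Dropping the Helm 2 / Tiller section is the right call: it walked readers through binding `cluster-admin` to a `tiller` service account, a cluster-wide admin grant that Helm 3 no longer needs.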
@ -72,7 +29,7 @@ Parameter | Description | Default | Notes
|
|||
`controller.schedulerName` | kubernetes scheduler name | `nil` |
|
||||
`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes |
|
||||
`controller.tolerations` | List of node taints to tolerate | `nil` |
|
||||
`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
|
||||
`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` |
|
||||
`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
|
||||
|
@ -114,7 +71,7 @@ Parameter | Description | Default | Notes
|
|||
`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
|
||||
`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
|
||||
`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
|
||||
`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
|
||||
`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` |
|
||||
`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` |
|
||||
|
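Review bot: typo in the `controller.federation.managedsvc.type` row of this hunk: "managed clsuter" should read "managed cluster"; worth fixing while the adjacent link rows are being touched.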
@ -130,14 +87,14 @@ Parameter | Description | Default | Notes
|
|||
`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
|
||||
`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
|
||||
`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
|
||||
`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed
|
||||
`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`.
|
||||
`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` |
|
||||
`controller.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
|
||||
`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
|
||||
`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
|
||||
`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false`
|
||||
`controller.configmap.data` | NeuVector configuration in YAML format | `{}`
|
||||
`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false`
|
||||
|
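Review bot: the `controller.ingress.tls` row needs a caveat: with the default `false` the Ingress has no TLS section, so clients reach the controller REST API over plaintext at the edge, even though the `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation encrypts the hop from the ingress to the controller. Suggest adding to the Notes column that `controller.ingress.tls: true` together with `controller.ingress.secretName` should be set whenever `controller.ingress.enabled` is `true`.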
@ -150,7 +107,7 @@ Parameter | Description | Default | Notes
|
|||
`enforcer.podLabels` | Specify the pod labels. | `{}` |
|
||||
`enforcer.podAnnotations` | Specify the pod annotations. | `{}` |
|
||||
`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`<br>`key: node-role.kubernetes.io/master` | other taints can be added after the default
|
||||
`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`manager.enabled` | If true, create manager | `true` |
|
||||
`manager.image.repository` | manager image repository | `neuvector/manager` |
|
||||
`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
|
||||
|
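Review bot: the default `enforcer.tolerations` in this hunk tolerates only `node-role.kubernetes.io/master`, but the chart now accepts clusters up to `< 1.27.0-0`, and kubeadm-based clusters from 1.24 taint control-plane nodes with `node-role.kubernetes.io/control-plane` (1.25 drops the `master` taint entirely). On those clusters the enforcer DaemonSet will not be scheduled on control-plane nodes, leaving them unmonitored; add a second default toleration for `key: node-role.kubernetes.io/control-plane`, `effect: NoSchedule`, and say so in the Notes column.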
@ -160,7 +117,7 @@ Parameter | Description | Default | Notes
|
|||
`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` |
|
||||
`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;<br>if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
|
||||
`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
|
||||
`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
|
||||
`manager.route.host` | Set OpenShift route host for management console service | `nil` |
|
||||
`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` |
|
||||
|
@ -175,10 +132,10 @@ Parameter | Description | Default | Notes
|
|||
`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` |
|
||||
`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
|
||||
`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
|
||||
`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`.
|
||||
`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
|
||||
`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`manager.affinity` | manager affinity rules | `{}` |
|
||||
`manager.tolerations` | List of node taints to tolerate | `nil` |
|
||||
`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
|
||||
|
@ -203,13 +160,13 @@ Parameter | Description | Default | Notes
|
|||
`cve.scanner.podAnnotations` | Specify the pod annotations. | `{}` |
|
||||
`cve.scanner.replicas` | external scanner replicas | `3` |
|
||||
`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` |
|
||||
`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) |
|
||||
`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) |
|
||||
`cve.scanner.affinity` | scanner affinity rules | `{}` |
|
||||
`cve.scanner.tolerations` | List of node taints to tolerate | `nil` |
|
||||
`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
|
||||
`cve.scanner.runAsUser` | Specify the run as User ID | `nil` |
|
||||
`docker.path` | docker path | `/var/run/docker.sock` |
|
||||
`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | **Note**: For k3s cluster, set k3s.enabled to true instead
|
||||
`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | **Note**: For k3s and rke clusters, set k3s.enabled to true instead
|
||||
`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` |
|
||||
`crio.enabled` | Set to true, if the container runtime is cri-o | `false` |
|
||||
`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` |
|
||||
|
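Review bot: the changed `containerd.enabled` row says "For k3s and rke clusters, set k3s.enabled to true instead", which conflicts with the "Choosing container runtime" section above (`k3s.enabled` covers k3s/rke2) and with the app-readme, which treats RKE and RKE2 as different cases; RKE (v1) runs on Docker and has no k3s-style socket path. This should read "k3s and rke2 clusters".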
@ -232,6 +189,3 @@ Alternatively, a YAML file that specifies the values for the above parameters ca
|
|||
```console
|
||||
$ helm install my-release --namespace neuvector ./neuvector-helm/ -f values.yaml
|
||||
```
|
||||
|
||||
---
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
### Run-Time Protection Without Compromise
|
||||
|
||||
NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform.
|
||||
|
||||
NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include:
|
||||
|
||||
+ Build phase vulnerability scanning with Jenkins plug-in and registry scanning
|
||||
+ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks
|
||||
+ Complete run-time scanning with network, process, and file system monitoring and protection
|
||||
+ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation
|
||||
+ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures
|
||||
+ Run-time vulnerability scanning and CIS benchmarks
|
||||
|
||||
Additional Notes:
|
||||
+ Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447.
|
||||
+ Configure correct container runtime and runtime path under container runtime. Enable only one runtime.
|
||||
+ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0.
|
||||
+ For deploying on hardened RKE cluster, enable PSP from security settings.
|
||||
|
||||
## Upgrading to Kubernetes v1.25+
|
||||
|
||||
Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
|
||||
|
||||
As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
|
||||
**Note:**
|
||||
In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
|
||||
|
||||
**Note:**
|
||||
If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
|
||||
|
||||
If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
|
||||
|
||||
Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
|
||||
|
||||
As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
|
|
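Review bot: the two hardened-cluster notes in this hunk still tell users to "enable PSP", while the new "Upgrading to Kubernetes v1.25+" section directly below says PSPs are gone and `global.cattle.psp.enabled` defaults to `false`; qualify those notes to clusters below 1.25 and point 1.25+ users at Pod Security Admission. The upgrade section should also state that the old top-level `psp` value was renamed to `global.cattle.psp.enabled`: an operator upgrading with an existing values file that sets `psp: true` gets no error, the value is simply ignored, and the NeuVector PodSecurityPolicy is removed from the cluster without warning.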
@ -308,28 +308,29 @@ questions:
|
|||
- "NodePort"
|
||||
- "ClusterIP"
|
||||
- "LoadBalancer"
|
||||
#Other Configuration
|
||||
- variable: psp
|
||||
#Security Settings
|
||||
- variable: global.cattle.psp.enabled
|
||||
default: "false"
|
||||
description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false."
|
||||
label: "Enable PodSecurityPolicies"
|
||||
default: "false"
|
||||
description: NeuVector Pod Security Policy when psp policy is enabled
|
||||
type: boolean
|
||||
label: Pod Security Policy
|
||||
group: "Other Configuration"
|
||||
group: "Security Settings"
|
||||
- variable: manager.runAsUser
|
||||
default: ""
|
||||
description: Specify the run as User ID
|
||||
type: int
|
||||
label: Manager runAsUser ID
|
||||
group: "Other Configuration"
|
||||
group: "Security Settings"
|
||||
- variable: cve.scanner.runAsUser
|
||||
default: ""
|
||||
description: Specify the run as User ID
|
||||
type: int
|
||||
label: Scanner runAsUser ID
|
||||
group: "Other Configuration"
|
||||
group: "Security Settings"
|
||||
- variable: cve.updater.runAsUser
|
||||
default: ""
|
||||
description: Specify the run as User ID
|
||||
type: int
|
||||
label: Updater runAsUser ID
|
||||
group: "Other Configuration"
|
||||
group: "Security Settings"
|
|
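Review bot: the three `runAsUser` questions moved to "Security Settings" keep the description "Specify the run as User ID", while values.yaml marks the same keys "MUST be set for Rancher hardened cluster"; the question text should carry that requirement (and that 0 is not allowed, as the app-readme says) so the UI actually communicates it. `default: ""` on a `type: int` question is also an odd pairing; if empty means "unset", the description should say so.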
@ -139,6 +139,20 @@ spec:
|
|||
name: cert
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.controller.internal.certificate.secret }}
|
||||
- mountPath: /etc/neuvector/certs/internal/cert.key
|
||||
subPath: {{ .Values.controller.internal.certificate.keyFile }}
|
||||
name: internal-cert
|
||||
readOnly: true
|
||||
- mountPath: /etc/neuvector/certs/internal/cert.pem
|
||||
subPath: {{ .Values.controller.internal.certificate.pemFile }}
|
||||
name: internal-cert
|
||||
readOnly: true
|
||||
- mountPath: /etc/neuvector/certs/internal/ca.cert
|
||||
subPath: {{ .Values.controller.internal.certificate.caFile }}
|
||||
name: internal-cert
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: 300
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
|
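Review bot: the internal-cert `volumeMounts` in this hunk use `subPath` for all three files from one Secret. Kubelet does not refresh `subPath` mounts when the Secret is updated, so rotating `controller.internal.certificate.secret` silently leaves the running controller on the old key, certificate and CA until the pod restarts; the enforcer and scanner hunks below repeat the pattern. Either mount the Secret as a directory at `/etc/neuvector/certs/internal/`, using the Secret volume's `items[].path` to map `keyFile`/`pemFile`/`caFile` onto `cert.key`/`cert.pem`/`ca.cert` (directory mounts do pick up updates), or document that a rollout restart is required after rotation.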
@ -188,9 +202,18 @@ spec:
|
|||
secret:
|
||||
secretName: {{ .Values.controller.certificate.secret }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.internal.certificate.secret }}
|
||||
- name: internal-cert
|
||||
secret:
|
||||
secretName: {{ .Values.controller.internal.certificate.secret }}
|
||||
{{- end }}
|
||||
{{- if gt (int .Values.controller.disruptionbudget) 0 }}
|
||||
---
|
||||
{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
|
||||
apiVersion: policy/v1
|
||||
{{- else }}
|
||||
apiVersion: policy/v1beta1
|
||||
{{- end }}
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: neuvector-controller-pdb
|
|
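Review bot: style point on the PodDisruptionBudget apiVersion switch in this hunk: `semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)` strips the leading `v` by hand from a field Helm 3 marks as deprecated. `.Capabilities.KubeVersion.Version` holds the same string and `semverCompare` accepts a leading `v`, so `semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version` does the job without the `substr`. The `---` separator sitting inside the `if` is fine, since the whole PDB document is conditional.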
@ -89,6 +89,20 @@ spec:
|
|||
- mountPath: /lib/modules
|
||||
name: modules-vol
|
||||
readOnly: true
|
||||
{{- if .Values.enforcer.internal.certificate.secret }}
|
||||
- mountPath: /etc/neuvector/certs/internal/cert.key
|
||||
subPath: {{ .Values.enforcer.internal.certificate.keyFile }}
|
||||
name: internal-cert
|
||||
readOnly: true
|
||||
- mountPath: /etc/neuvector/certs/internal/cert.pem
|
||||
subPath: {{ .Values.enforcer.internal.certificate.pemFile }}
|
||||
name: internal-cert
|
||||
readOnly: true
|
||||
- mountPath: /etc/neuvector/certs/internal/ca.cert
|
||||
subPath: {{ .Values.enforcer.internal.certificate.caFile }}
|
||||
name: internal-cert
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: 1200
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
|
@ -114,4 +128,9 @@ spec:
|
|||
- name: modules-vol
|
||||
hostPath:
|
||||
path: /lib/modules
|
||||
{{- if .Values.enforcer.internal.certificate.secret }}
|
||||
- name: internal-cert
|
||||
secret:
|
||||
secretName: {{ .Values.enforcer.internal.certificate.secret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -1,4 +1,4 @@
|
|||
{{- if .Values.psp -}}
|
||||
{{- if .Values.global.cattle.psp.enabled -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
|
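Review bot: the rename from `.Values.psp` to `.Values.global.cattle.psp.enabled` in this hunk has no compatibility guard. A values file from the 101.x releases that still sets `psp: true` now renders nothing here, so the PodSecurityPolicy is deleted on upgrade with no message. Since the chart already fails fast in validate-psp-install.yaml, add a matching check, e.g. `{{- if hasKey .Values "psp" }}{{ fail "psp has moved to global.cattle.psp.enabled" }}{{- end }}`, so operators migrate the key deliberately.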
@ -69,5 +69,26 @@ spec:
|
|||
{{- end }}
|
||||
resources:
|
||||
{{ toYaml .Values.cve.scanner.resources | indent 12 }}
|
||||
{{- if .Values.cve.scanner.internal.certificate.secret }}
|
||||
volumeMounts:
|
||||
- mountPath: /etc/neuvector/certs/internal/cert.key
|
||||
subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }}
|
||||
name: internal-cert
|
||||
readOnly: true
|
||||
- mountPath: /etc/neuvector/certs/internal/cert.pem
|
||||
subPath: {{ .Values.cve.scanner.internal.certificate.pemFile }}
|
||||
name: internal-cert
|
||||
readOnly: true
|
||||
- mountPath: /etc/neuvector/certs/internal/ca.cert
|
||||
subPath: {{ .Values.cve.scanner.internal.certificate.caFile }}
|
||||
name: internal-cert
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
restartPolicy: Always
|
||||
{{- if .Values.cve.scanner.internal.certificate.secret }}
|
||||
volumes:
|
||||
- name: internal-cert
|
||||
secret:
|
||||
secretName: {{ .Values.cve.scanner.internal.certificate.secret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -70,8 +70,5 @@ spec:
|
|||
- /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: CLUSTER_JOIN_ADDR
|
||||
value: neuvector-svc-controller.{{ .Release.Namespace }}
|
||||
restartPolicy: Never
|
||||
{{- end }}
|
|
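Review bot: the restart command in this hunk's context PATCHes `https://kubernetes.default/apis/extensions/v1beta1/namespaces/.../deployments/neuvector-scanner-pod`. Deployments were removed from `extensions/v1beta1` in Kubernetes 1.16, and this chart requires `>=1.18.0-0`, so the call returns 404 on every supported cluster and the scanner rollout restart never happens; the path should be `apis/apps/v1/...`. While touching it, replace `-kv` with `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt`: the service-account CA is already mounted, so there is no reason to skip TLS verification on a request that carries the pod's bearer token.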
@ -0,0 +1,7 @@
|
|||
{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
|
||||
{{- if .Values.global.cattle.psp.enabled }}
|
||||
{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
|
||||
{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
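Review bot: the outer `lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" ""` guard in this new file needs a comment. `lookup` returns an empty result under `helm template` and `--dry-run`, so the `fail` only fires against a live cluster; that is the intent (offline rendering keeps working), but the next reader will wonder why a ClusterRole listing gates a PSP check. A one-line template comment such as `{{/* lookup is empty during helm template / dry-run; only validate against a live cluster */}}` would make it clear.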
@ -5,12 +5,13 @@
|
|||
global:
|
||||
cattle:
|
||||
systemDefaultRegistry: ""
|
||||
psp:
|
||||
enabled: false # PSP enablement should default to false
|
||||
|
||||
openshift: false
|
||||
|
||||
registry: docker.io
|
||||
oem:
|
||||
psp: false
|
||||
rbac: true
|
||||
serviceAccount: neuvector
|
||||
|
||||
|
@ -25,7 +26,7 @@ controller:
|
|||
maxUnavailable: 0
|
||||
image:
|
||||
repository: rancher/mirrored-neuvector-controller
|
||||
tag: 5.1.0
|
||||
tag: 5.1.1
|
||||
hash:
|
||||
replicas: 3
|
||||
disruptionbudget: 0
|
||||
|
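Review bot: the bump to `tag: 5.1.1` in this hunk (and the matching enforcer and manager bumps below) pins by mutable tag only; `hash:` stays empty even though the README documents `image.hash` as a `sha256:` value that overrides the tag. For a Rancher-certified chart shipping mirrored images, populating `hash` with the digest of each `rancher/mirrored-neuvector-*:5.1.1` image would make the release reproducible and resistant to tag re-pushes; at minimum the upgrade notes should recommend setting it.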
@ -89,6 +90,12 @@ controller:
|
|||
secret:
|
||||
keyFile: tls.key
|
||||
pemFile: tls.pem
|
||||
internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector"
|
||||
certificate:
|
||||
secret:
|
||||
keyFile: cert.key
|
||||
pemFile: cert.pem
|
||||
caFile: ca.cert # must be the same CA for all internal.
|
||||
federation:
|
||||
mastersvc:
|
||||
type:
|
||||
|
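Review bot: the `controller.internal.certificate` block in this hunk (and the identical enforcer and scanner blocks below) says in comments that all three components must share the same CA and a certificate with CN "NeuVector", but nothing enforces it: the templates render whichever subset of `*.internal.certificate.secret` happens to be set. Consider a `fail` in a validation template when some but not all three secrets are set, since, per the comment, mixed CAs are not supported. `keyFile`/`pemFile`/`caFile` only name keys inside a Secret the user must create themselves; a short `kubectl create secret generic ... --from-file=cert.key --from-file=cert.pem --from-file=ca.cert` example in the README would save a support round.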
@ -213,7 +220,7 @@ enforcer:
|
|||
enabled: true
|
||||
image:
|
||||
repository: rancher/mirrored-neuvector-enforcer
|
||||
tag: 5.1.0
|
||||
tag: 5.1.1
|
||||
hash:
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
|
@ -232,13 +239,19 @@ enforcer:
|
|||
# requests:
|
||||
# cpu: 100m
|
||||
# memory: 2280Mi
|
||||
|
||||
internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector"
|
||||
certificate:
|
||||
secret:
|
||||
keyFile: cert.key
|
||||
pemFile: cert.pem
|
||||
caFile: ca.cert # must be the same CA for all internal.
|
||||
|
||||
manager:
|
||||
# If false, manager will not be installed
|
||||
enabled: true
|
||||
image:
|
||||
repository: rancher/mirrored-neuvector-manager
|
||||
tag: 5.1.0
|
||||
tag: 5.1.1
|
||||
hash:
|
||||
priorityClassName:
|
||||
env:
|
||||
|
@ -302,6 +315,7 @@ manager:
|
|||
# key1: value1
|
||||
# key2: value2
|
||||
runAsUser: # MUST be set for Rancher hardened cluster
|
||||
|
||||
cve:
|
||||
updater:
|
||||
# If false, cve updater will not be installed
|
||||
|
@ -348,6 +362,13 @@ cve:
|
|||
# key1: value1
|
||||
# key2: value2
|
||||
runAsUser: # MUST be set for Rancher hardened cluster
|
||||
internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector"
|
||||
certificate:
|
||||
secret:
|
||||
keyFile: cert.key
|
||||
pemFile: cert.pem
|
||||
caFile: ca.cert # must be the same CA for all internal.
|
||||
|
||||
docker:
|
||||
path: /var/run/docker.sock
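Review bot: `cve.scanner.runAsUser` gets the same empty default and the same `MUST be set` comment as the manager; the `path: /var/run/docker.sock` context line directly below shows the scanner can also be pointed at the host Docker socket, and a non-zero UID does not reduce what that socket grants (control of the node's container runtime), so the comment should make clear that `runAsUser` satisfies the hardened-cluster PSP and is not a substitute for leaving the socket unset when the CI/CD scanning feature is not used.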
|
||||
|
index.yaml
|
@ -2777,7 +2777,7 @@ entries:
|
|||
catalog.cattle.io/auto-install: neuvector-crd=match
|
||||
catalog.cattle.io/certified: rancher
|
||||
catalog.cattle.io/display-name: NeuVector
|
||||
catalog.cattle.io/kube-version: '>=1.18.0-0 <= 1.25.0-0'
|
||||
catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.27.0-0'
|
||||
catalog.cattle.io/namespace: cattle-neuvector-system
|
||||
catalog.cattle.io/os: linux
|
||||
catalog.cattle.io/permit-os: linux
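Review bot: widening `catalog.cattle.io/kube-version` from `<= 1.25.0-0` to `< 1.27.0-0` makes the chart installable on 1.25 and 1.26, where the `policy/v1beta1` PodSecurityPolicy rendered by `templates/psp.yaml` no longer exists; that is only safe because `global.cattle.psp.enabled` defaults to false and the new validate template fails fast otherwise, so the two changes have to ship together (they do here), and the new upper bound should reflect what was actually tested rather than be raised again without re-checking the PSP path.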
|
||||
|
@ -2785,13 +2785,12 @@ entries:
|
|||
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
|
||||
catalog.cattle.io/release-name: neuvector
|
||||
catalog.cattle.io/type: cluster-tool
|
||||
catalog.cattle.io/ui-component: neuvector
|
||||
catalog.cattle.io/upstream-version: 2.4.0
|
||||
catalog.cattle.io/upstream-version: 2.4.2
|
||||
apiVersion: v1
|
||||
appVersion: 5.1.0
|
||||
created: "2023-01-05T10:19:50.424878644-08:00"
|
||||
appVersion: 5.1.1
|
||||
created: "2023-02-08T12:13:59.783630448-08:00"
|
||||
description: Helm feature chart for NeuVector's core services
|
||||
digest: b456b26ac1cae42adb2edd082dbc1e5a90868d64b33ca7ea0b936af97c7d3162
|
||||
digest: ca252872bbc0d42dfdcbfdfddf3b495432cf604fd9e27e765b3d0d2f87b8f764
|
||||
home: https://neuvector.com
|
||||
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
|
||||
keywords:
|
||||
|
@ -2803,8 +2802,8 @@ entries:
|
|||
sources:
|
||||
- https://github.com/neuvector/neuvector
|
||||
urls:
|
||||
- assets/neuvector/neuvector-101.0.2+up2.4.0.tgz
|
||||
version: 101.0.2+up2.4.0
|
||||
- assets/neuvector/neuvector-102.0.0+up2.4.2.tgz
|
||||
version: 102.0.0+up2.4.2
|
||||
- annotations:
|
||||
catalog.cattle.io/auto-install: neuvector-crd=match
|
||||
catalog.cattle.io/certified: rancher
|
||||
|
@ -2972,10 +2971,10 @@ entries:
|
|||
catalog.cattle.io/namespace: cattle-neuvector-system
|
||||
catalog.cattle.io/release-name: neuvector-crd
|
||||
apiVersion: v1
|
||||
appVersion: 5.1.0
|
||||
created: "2023-01-05T10:19:50.428803712-08:00"
|
||||
appVersion: 5.1.1
|
||||
created: "2023-02-08T12:13:59.787272266-08:00"
|
||||
description: Helm chart for NeuVector's CRD services
|
||||
digest: a2bdb942be1730240229c9f8616a09b887ed1ad3f7459186473ab2f703ede7ab
|
||||
digest: 4cce7d3b01cf5ed6081cab869e17f7d45fe2bc73ed71c003f2eac7891115d61b
|
||||
home: https://neuvector.com
|
||||
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
|
||||
maintainers:
|
||||
|
@ -2984,8 +2983,8 @@ entries:
|
|||
name: neuvector-crd
|
||||
type: application
|
||||
urls:
|
||||
- assets/neuvector-crd/neuvector-crd-101.0.2+up2.4.0.tgz
|
||||
version: 101.0.2+up2.4.0
|
||||
- assets/neuvector-crd/neuvector-crd-102.0.0+up2.4.2.tgz
|
||||
version: 102.0.0+up2.4.2
|
||||
- annotations:
|
||||
catalog.cattle.io/certified: rancher
|
||||
catalog.cattle.io/hidden: "true"
|
||||
|
|
|
@ -15,4 +15,21 @@ Additional Notes:
|
|||
+ Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447.
|
||||
+ Configure correct container runtime and runtime path under container runtime. Enable only one runtime.
|
||||
+ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0.
|
||||
+ For deploying on hardened RKE cluster, enable PSP from other configuration.
|
||||
+ For deploying on hardened RKE cluster, enable PSP from security settings.
|
||||
|
||||
## Upgrading to Kubernetes v1.25+
|
||||
|
||||
Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
|
||||
|
||||
As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
|
||||
**Note:**
|
||||
In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
|
||||
|
||||
**Note:**
|
||||
If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
|
||||
|
||||
If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
|
||||
|
||||
Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
|
||||
|
||||
As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
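Review bot: the third Additional Notes bullet still reads `For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id ...`, which contradicts the new `Upgrading to Kubernetes v1.25+` section a few lines below that says PSPs are gone and `global.cattle.psp.enabled` must be false; qualify the bullet (for example `on clusters below Kubernetes v1.25, enable PSP ...; on v1.25+ use Pod Security Admission instead`) so readers of the hardened-cluster notes are not told to turn on a setting the validate template will refuse. Also, in the first Note, `any previous field ... have been removed` should read `has been removed`.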
|
||||
|
|
|
@ -308,28 +308,29 @@ questions:
|
|||
- "NodePort"
|
||||
- "ClusterIP"
|
||||
- "LoadBalancer"
|
||||
#Other Configuration
|
||||
- variable: psp
|
||||
#Security Settings
|
||||
- variable: global.cattle.psp.enabled
|
||||
default: "false"
|
||||
description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false."
|
||||
label: "Enable PodSecurityPolicies"
|
||||
default: "false"
|
||||
description: NeuVector Pod Security Policy when psp policy is enabled
|
||||
type: boolean
|
||||
label: Pod Security Policy
|
||||
group: "Other Configuration"
|
||||
group: "Security Settings"
|
||||
- variable: manager.runAsUser
|
||||
default: ""
|
||||
description: Specify the run as User ID
|
||||
type: int
|
||||
label: Manager runAsUser ID
|
||||
group: "Other Configuration"
|
||||
group: "Security Settings"
|
||||
- variable: cve.scanner.runAsUser
|
||||
default: ""
|
||||
description: Specify the run as User ID
|
||||
type: int
|
||||
label: Scanner runAsUser ID
|
||||
group: "Other Configuration"
|
||||
group: "Security Settings"
|
||||
- variable: cve.updater.runAsUser
|
||||
default: ""
|
||||
description: Specify the run as User ID
|
||||
type: int
|
||||
label: Updater runAsUser ID
|
||||
group: "Other Configuration"
|
||||
group: "Security Settings"
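Review bot: the three `runAsUser` questions keep `default: ""` with `type: int` and a description of just `Specify the run as User ID`, while the README in this commit says the value MUST be set on hardened RKE2/K3s clusters and must be non-zero; put that requirement into `description` (it is the only text the Rancher UI shows) and, if the questions schema allows it, add `min: 1`, otherwise spell out `non-zero`. Separately, `default: "false"` for the boolean `global.cattle.psp.enabled` is a quoted string; the UI accepts it, but unquoted `false` matches the type declared in values.yaml.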
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
|
||||
{{- if .Values.global.cattle.psp.enabled }}
|
||||
{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
|
||||
{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
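Review bot: the outer `lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" ""` guard is not explained; its purpose is to skip the check when `lookup` returns an empty map (`helm template`, `--dry-run`, or a client that cannot list ClusterRoles), so add a one-line template comment saying so, otherwise the next reader will assume the PSP check depends on ClusterRoles. The same guard means a user without list permission on ClusterRoles gets no early failure and instead hits the missing `policy/v1beta1` API at apply time, which is acceptable but worth stating in that comment.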
|
|
@ -1,11 +1,11 @@
|
|||
--- charts-original/Chart.yaml
|
||||
+++ charts/Chart.yaml
|
||||
@@ -1,10 +1,28 @@
|
||||
@@ -1,10 +1,27 @@
|
||||
+annotations:
|
||||
+ catalog.cattle.io/auto-install: neuvector-crd=match
|
||||
+ catalog.cattle.io/certified: rancher
|
||||
+ catalog.cattle.io/display-name: NeuVector
|
||||
+ catalog.cattle.io/kube-version: '>=1.18.0-0 <= 1.25.0-0'
|
||||
+ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.27.0-0'
|
||||
+ catalog.cattle.io/namespace: cattle-neuvector-system
|
||||
+ catalog.cattle.io/os: linux
|
||||
+ catalog.cattle.io/permit-os: linux
|
||||
|
@ -13,10 +13,9 @@
|
|||
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
|
||||
+ catalog.cattle.io/release-name: neuvector
|
||||
+ catalog.cattle.io/type: cluster-tool
|
||||
+ catalog.cattle.io/ui-component: neuvector
|
||||
+ catalog.cattle.io/upstream-version: 2.4.0
|
||||
+ catalog.cattle.io/upstream-version: 2.4.2
|
||||
apiVersion: v1
|
||||
appVersion: 5.1.0
|
||||
appVersion: 5.1.1
|
||||
-description: Helm chart for NeuVector's core services
|
||||
+description: Helm feature chart for NeuVector's core services
|
||||
home: https://neuvector.com
|
||||
|
@ -30,4 +29,4 @@
|
|||
+name: neuvector
|
||||
+sources:
|
||||
+- https://github.com/neuvector/neuvector
|
||||
version: 2.4.0
|
||||
version: 2.4.2
|
||||
|
|
|
@ -1,29 +1,29 @@
|
|||
--- charts-original/README.md
|
||||
+++ charts/README.md
|
||||
@@ -72,7 +72,7 @@
|
||||
@@ -29,7 +29,7 @@
|
||||
`controller.schedulerName` | kubernetes scheduler name | `nil` |
|
||||
`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes |
|
||||
`controller.tolerations` | List of node taints to tolerate | `nil` |
|
||||
-`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml)
|
||||
+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
|
||||
`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` |
|
||||
`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
|
||||
@@ -114,7 +114,7 @@
|
||||
@@ -71,7 +71,7 @@
|
||||
`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
|
||||
`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
|
||||
`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
|
||||
-`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
|
||||
+`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
+`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
|
||||
`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` |
|
||||
`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` |
|
||||
@@ -130,14 +130,14 @@
|
||||
@@ -87,14 +87,14 @@
|
||||
`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
|
||||
`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
|
||||
`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
|
||||
-`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
|
||||
+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed
|
||||
`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`.
|
||||
`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` |
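Review bot: the regenerated links now point at `tree/2.4.2/charts/core/values.yaml`, which is the right target since a branch link would drift from the values shipped in this chart; keep that convention on the next upstream bump. The context line for `controller.federation.managedsvc.type` carries the upstream typo `managed clsuter`, which this patch file cannot fix without growing, so it belongs in an upstream PR rather than here.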
|
||||
|
@ -31,53 +31,47 @@
|
|||
`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
|
||||
`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
|
||||
-`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
|
||||
+`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
+`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false`
|
||||
`controller.configmap.data` | NeuVector configuration in YAML format | `{}`
|
||||
`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false`
|
||||
@@ -150,7 +150,7 @@
|
||||
@@ -107,7 +107,7 @@
|
||||
`enforcer.podLabels` | Specify the pod labels. | `{}` |
|
||||
`enforcer.podAnnotations` | Specify the pod annotations. | `{}` |
|
||||
`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`<br>`key: node-role.kubernetes.io/master` | other taints can be added after the default
|
||||
-`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml)
|
||||
+`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
+`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`manager.enabled` | If true, create manager | `true` |
|
||||
`manager.image.repository` | manager image repository | `neuvector/manager` |
|
||||
`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
|
||||
@@ -160,7 +160,7 @@
|
||||
@@ -117,7 +117,7 @@
|
||||
`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` |
|
||||
`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;<br>if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
|
||||
`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
|
||||
-`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml)
|
||||
+`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
+`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
|
||||
`manager.route.host` | Set OpenShift route host for management console service | `nil` |
|
||||
`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` |
|
||||
@@ -175,10 +175,10 @@
|
||||
@@ -132,10 +132,10 @@
|
||||
`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` |
|
||||
`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
|
||||
`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
|
||||
-`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
|
||||
+`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
+`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`.
|
||||
`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
|
||||
-`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml)
|
||||
+`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml)
|
||||
+`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml)
|
||||
`manager.affinity` | manager affinity rules | `{}` |
|
||||
`manager.tolerations` | List of node taints to tolerate | `nil` |
|
||||
`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
|
||||
@@ -203,7 +203,7 @@
|
||||
@@ -160,7 +160,7 @@
|
||||
`cve.scanner.podAnnotations` | Specify the pod annotations. | `{}` |
|
||||
`cve.scanner.replicas` | external scanner replicas | `3` |
|
||||
`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` |
|
||||
-`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml) |
|
||||
+`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) |
|
||||
+`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) |
|
||||
`cve.scanner.affinity` | scanner affinity rules | `{}` |
|
||||
`cve.scanner.tolerations` | List of node taints to tolerate | `nil` |
|
||||
`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
|
||||
@@ -234,5 +234,4 @@
|
||||
```
|
||||
|
||||
---
|
||||
-Contact <support@neuvector.com> for access to container registry and docs.
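Review bot: the patch's final hunk removes upstream's `Contact <support@neuvector.com> for access to container registry and docs.` line from the Rancher README, which is correct because Rancher users pull the `rancher/mirrored-*` images rather than NeuVector's registry; the crd chart README hunk later in this commit shrinks from 7 to 3 lines around its own `Contact <support@neuvector.com> for access to Docker Hub and docs.` line, so verify the two READMEs end up consistent.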
|
||||
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
--- charts-original/templates/psp.yaml
|
||||
+++ charts/templates/psp.yaml
|
||||
@@ -1,4 +1,4 @@
|
||||
-{{- if .Values.psp -}}
|
||||
+{{- if .Values.global.cattle.psp.enabled -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
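Review bot: switching the gate to `.Values.global.cattle.psp.enabled` together with removing the top-level `psp` key from values.yaml means a user who still passes `--set psp=true` (or keeps it in an old values file) gets no PSP and no error; since the README says the old fields were removed in favour of the global one, consider adding `{{- if hasKey .Values "psp" }}{{ fail "psp has moved to global.cattle.psp.enabled" }}{{- end }}` to the new validate template so the stale setting is reported at upgrade time instead of being silently ignored.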
|
|
@ -1,37 +1,39 @@
|
|||
--- charts-original/values.yaml
|
||||
+++ charts/values.yaml
|
||||
@@ -2,15 +2,17 @@
|
||||
@@ -2,15 +2,18 @@
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into the templates.
|
||||
|
||||
+global:
|
||||
+ cattle:
|
||||
+ systemDefaultRegistry: ""
|
||||
+ psp:
|
||||
+ enabled: false # PSP enablement should default to false
|
||||
+
|
||||
openshift: false
|
||||
|
||||
registry: docker.io
|
||||
-tag: 5.1.0
|
||||
-tag: 5.1.1
|
||||
oem:
|
||||
-imagePullSecrets:
|
||||
psp: false
|
||||
-psp: false
|
||||
rbac: true
|
||||
-serviceAccount: default
|
||||
+serviceAccount: neuvector
|
||||
|
||||
controller:
|
||||
# If false, controller will not be installed
|
||||
@@ -22,7 +24,8 @@
|
||||
@@ -22,7 +25,8 @@
|
||||
maxSurge: 1
|
||||
maxUnavailable: 0
|
||||
image:
|
||||
- repository: neuvector/controller
|
||||
+ repository: rancher/mirrored-neuvector-controller
|
||||
+ tag: 5.1.0
|
||||
+ tag: 5.1.1
|
||||
hash:
|
||||
replicas: 3
|
||||
disruptionbudget: 0
|
||||
@@ -70,7 +73,7 @@
|
||||
@@ -70,7 +74,7 @@
|
||||
# -----BEGIN PRIVATE KEY-----
|
||||
# -----END PRIVATE KEY-----
|
||||
ranchersso:
|
||||
|
@ -40,27 +42,27 @@
|
|||
pvc:
|
||||
enabled: false
|
||||
existingClaim: false
|
||||
@@ -209,7 +212,8 @@
|
||||
@@ -215,7 +219,8 @@
|
||||
# If false, enforcer will not be installed
|
||||
enabled: true
|
||||
image:
|
||||
- repository: neuvector/enforcer
|
||||
+ repository: rancher/mirrored-neuvector-enforcer
|
||||
+ tag: 5.1.0
|
||||
+ tag: 5.1.1
|
||||
hash:
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
@@ -233,7 +237,8 @@
|
||||
@@ -245,7 +250,8 @@
|
||||
# If false, manager will not be installed
|
||||
enabled: true
|
||||
image:
|
||||
- repository: neuvector/manager
|
||||
+ repository: rancher/mirrored-neuvector-manager
|
||||
+ tag: 5.1.0
|
||||
+ tag: 5.1.1
|
||||
hash:
|
||||
priorityClassName:
|
||||
env:
|
||||
@@ -303,7 +308,7 @@
|
||||
@@ -316,7 +322,7 @@
|
||||
enabled: true
|
||||
secure: false
|
||||
image:
|
||||
|
@ -69,7 +71,7 @@
|
|||
tag: latest
|
||||
hash:
|
||||
schedule: "0 0 * * *"
|
||||
@@ -324,7 +329,7 @@
|
||||
@@ -337,7 +343,7 @@
|
||||
maxSurge: 1
|
||||
maxUnavailable: 0
|
||||
image:
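Review bot: the `tag: latest` context line for the cve updater image is left untouched while controller, enforcer and manager were pinned to `5.1.1` in this same patch; a floating `latest` on a CronJob that runs on `schedule: "0 0 * * *"` means the image can change under an installed release without any `helm upgrade`, which undoes the point of pinning the others, so pin the updater as well and ideally record its digest in `hash:`.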
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
url: https://neuvector.github.io/neuvector-helm/core-2.4.0.tgz
|
||||
version: 101.0.2
|
||||
url: https://neuvector.github.io/neuvector-helm/core-2.4.2.tgz
|
||||
version: 102.0.0
|
||||
additionalCharts:
|
||||
- workingDir: charts-crd
|
||||
crdOptions:
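Review bot: `version: 101.0.2` to `102.0.0` is a major bump of the Rancher package version for an upstream patch release (`core-2.4.0` to `core-2.4.2`); that is justified here because the `psp` value was renamed to `global.cattle.psp.enabled` and the supported Kubernetes range changed, so the release notes should say the bump is for the values migration, not for the upstream change.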
|
||||
|
|
|
@ -4,7 +4,7 @@ annotations:
|
|||
catalog.cattle.io/certified: rancher
|
||||
catalog.cattle.io/hidden: true
|
||||
apiVersion: v1
|
||||
appVersion: 5.1.0
|
||||
appVersion: 5.1.1
|
||||
description: Helm chart for NeuVector's CRD services
|
||||
home: https://neuvector.com
|
||||
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
|
||||
|
@ -12,5 +12,5 @@ maintainers:
|
|||
- email: support@neuvector.com
|
||||
name: becitsthere
|
||||
name: neuvector-crd
|
||||
version: 2.4.0
|
||||
version: 2.4.2
|
||||
type: application
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
# NeuVector Helm Chart
|
||||
|
||||
Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the contaier applications.
|
||||
Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the container applications.
|
||||
|
||||
Because the CRD poclies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set 'crdwebhook.enabled' to false in the 'core' chart.
|
||||
Because the CRD policies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set `crdwebhook.enabled` to false in the 'core' chart.
|
||||
|
||||
## Configuration
|
||||
|
||||
|
@ -13,7 +13,3 @@ Parameter | Description | Default | Notes
|
|||
`openshift` | If deploying in OpenShift, set this to true | `false` |
|
||||
`serviceAccount` | Service account name for NeuVector components | `default` |
|
||||
`crdwebhook.type` | crd webhook type | `ClusterIP` |
|
||||
|
||||
---
|
||||
Contact <support@neuvector.com> for access to Docker Hub and docs.
|
||||
|
||||
|
|
|
@ -13,9 +13,9 @@ longhorn:
|
|||
longhorn-crd:
|
||||
- 101.2.0+up1.4.0
|
||||
neuvector:
|
||||
- 101.0.2+up2.4.0
|
||||
- 102.0.0+up2.4.2
|
||||
neuvector-crd:
|
||||
- 101.0.2+up2.4.0
|
||||
- 102.0.0+up2.4.2
|
||||
prometheus-federator:
|
||||
- 2.0.0+up0.2.0
|
||||
rancher-aks-operator:
|
||||