polite-piano-74233
07/08/2023, 3:27 AM

quaint-candle-18606
07/10/2023, 3:28 PM

full-lawyer-94872
07/20/2023, 8:53 AM

dry-evening-20251
07/21/2023, 8:32 PM

dry-evening-20251
07/21/2023, 8:33 PM

modern-australia-88129
07/24/2023, 1:56 PM

stale-exabyte-79566
07/24/2023, 4:39 PM
global.cattle.url
as per https://github.com/rancher/rancher/issues/37434, but still get the same error. Does anybody have an idea? Any help would be appreciated!

clean-postman-21544
08/01/2023, 6:17 AM
apiVersion: neuvector.com/v1
kind: NvAdmissionControlSecurityRule
metadata:
  name: test-deny
spec:
  rules:
  - action: deny
    comment: Deny deployments into default namespace
    criteria:
    - name: namespace
      op: containsAny
      value: default
    rule_mode: protect
But the validation webhook blocks it with this error:
Error from server: error when creating "test.yaml": admission webhook "neuvector-validating-crd-webhook.neuvector.svc" denied the request: CREATE denied: CRD resource metadata name(test-deny) is not allowed
Am I missing something 🤔?

acoustic-sugar-94270
08/09/2023, 3:15 PM

brash-monitor-41966
08/11/2023, 3:41 PM

brash-monitor-41966
08/11/2023, 3:41 PM

brash-monitor-41966
08/11/2023, 3:42 PM

brash-monitor-41966
08/11/2023, 3:43 PM

brash-monitor-41966
08/11/2023, 3:44 PM

quaint-candle-18606
08/11/2023, 3:49 PM

brash-monitor-41966
08/11/2023, 8:02 PM

brash-monitor-41966
08/11/2023, 8:02 PM

quaint-candle-18606
08/12/2023, 6:58 PM
k3s:
  enabled: false
  runtimePath: /run/k3s/containerd/containerd.sock
bottlerocket:
  enabled: false
  runtimePath: /run/dockershim.sock
containerd:
  enabled: false
  path: /var/run/containerd/containerd.sock
crio:
  enabled: false
  path: /var/run/crio/crio.sock
hundreds-evening-84071
08/18/2023, 9:44 PM
*.apps.cluster.domain.org
However, Neuvector is deployed with its own cert, which appears to be self-signed...
Route is like: neuvector-route-webui-neuvector.apps.cluster.domain.org
How do I set it so it uses my wild-card cert above instead of the self-signed cert?
Second question, my openshift deployment is configured with OIDC authentication...
Can I use that for authentication for Neuvector also?

crooked-terabyte-91046
08/22/2023, 5:29 PM

polite-piano-74233
08/29/2023, 6:07 PM

polite-piano-74233
08/29/2023, 7:52 PM

quaint-candle-18606
08/29/2023, 7:54 PM

polite-piano-74233
08/29/2023, 7:56 PM

quaint-candle-18606
08/29/2023, 7:56 PM

rapid-tailor-25200
09/18/2023, 1:58 PM

rapid-tailor-25200
09/18/2023, 2:25 PM
$ netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::8443 :::* LISTEN 1/qemu-x86_64
With docker runtime (UI loads fine)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 1/qemu-x86_64
The ports are reachable outside the container. When I do a wget from a different container the netstat shows the tcp connection ESTABLISHED. But the manager 8443 port doesn't seem to be responding properly. kubectl port-forwarding exits as soon as a connection attempt is made.
I'm sure I'm missing something very simple but I've been looking in the docs and could not find any config change other than volume mount.
Has anyone seen this? Any lead or suggestion would be helpful.
Thanks
here too.
-- Works fine when the docker runtime is selected.
-- UI doesn't load when k3s containerd is selected (all pods up and running.)
The only difference I could find is that the port is bound to ipv4 in the case of the docker runtime, while it is bound to both in the case of the containerd setup (same for both rancher and EKS setups).
I'm sure I'm missing something very simple but I've been looking in the docs and could not find any config change other than volume mount.
Has anyone seen this? Any lead or suggestion would be helpful.
Thanks!

bright-painting-5437
09/19/2023, 2:46 AM

clean-postman-21544
09/20/2023, 8:49 AM
Failed to get authorization token by AWS keys
Same error if I do it in the CLI:
admin#neuvector-svc-controller.neuvector> create registry amazon -r https://1234567890.dkr.ecr.eu-west-1.amazonaws.com -f 'app1/*:*' app1
Account ID: 1234567890
Region: eu-west-1
Access Key ID []: xxxxx
Access secret []: xxxxx
Error: Request in wrong format: Failed to get authorization token by AWS keys
admin#neuvector-svc-controller.neuvector>
The role assigned to the user whose credentials I use is AmazonEC2ContainerRegistryFullAccess
And regular authorization works as usual:
% aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 1234567890.dkr.ecr.eu-west-1.amazonaws.com
Login Succeeded
%
Am I missing something?

thousands-advantage-10804
09/20/2023, 10:58 AM