https://github.com/neuvector/neuvector/releases/tag/v5.2.0 <--- release notes

Hi Team, could you please explain how the order of network rules (denials & allowings) would impact the evaluation process?

I have a RKE2 cluster running in AWS, an am trying to connection neuvector to my AWS ECR registry via the Web GUI. I followed the docs at https://open-docs.neuvector.com/scanning/registry/ecr-iam and have the IAM role added to my EC2 worker nodes, as well as annotaing my pods with iam.amazonaws.com/role: <role>. Theoretically this should let me add in an ECR registry without having to specify an access key or secret access key. In the neuvector console, I go to registries -> add registry, pick registry type of "Amazon ECR Registry", fill in all the fields except "access key" and "secret access key"

Then when I click submit, I get the error "Failed to get authorization token by AWS access keys". I also get this error if I do generate an access key and secret access key. Are there any logs being generated by the neuvector pods where I can see more about the error? Also, is there a way to add the registry during startup with a configmap or secret?

Hi, is there any developer documentation available on how to build the various neuvector components from Github repositories? I would like to try to fix a problem and build and test it before creating a pull request.

Hi all, I am trying to use the NeuVector Integration in Rancher, but I get the error "Authentication failed". NeuVector was installed using Terraform and I tried both Versions 5.0.3 and 5.1.2 with Rancher Version 2.6.9. I have also provided the value for

global.cattle.url

as per https://github.com/rancher/rancher/issues/37434, but still get the same error. Does anybody have an idea? Any help would be appreciated!

Hey, are there any special requirements to deploy NeuVector CRDs? I'm trying to add a simple policy

apiVersion: <http://neuvector.com/v1|neuvector.com/v1>
kind: NvAdmissionControlSecurityRule
metadata:
  name: test-deny
spec:
  rules:
  - action: deny
    comment: Deny deployments into default namespace
    criteria:
    - name: namespace
      op: containsAny
      value: default
    rule_mode: protect

But validation webhook blocks it with this error:

Error from server: error when creating "test.yaml": admission webhook "neuvector-validating-crd-webhook.neuvector.svc" denied the request: CREATE denied: CRD resource metadata name(test-deny) is not allowed

Am I missed something 🤔 ?

👋 to anyone on the global meetup webinar talking NeuVector…. 🙂

I deployed nneuvector with helm but the neuvector-controller-pood deployment pofds are not starting up. manager and scanner pods are up though

any idea?

the logs i got from the pod :

2023-08-11T154159.1 |INFO|CTL|main.main: START - version=v5.2.0 2023-08-11T154159.1 |INFO|CTL|main.main: - join=neuvector-svc-controller.neuvector 2023-08-11T154159.101|INFO|CTL|main.main: - advertise=10.244.148.40 2023-08-11T154159.101|INFO|CTL|main.main: - bind=10.244.148.40 2023-08-11T154159.123|INFO|CTL|container.Connect: - endpoint= 2023-08-11T154159.128|INFO|CTL|container._connect: Connecting to docker - endpoint=unix:///var/run/docker.sock 2023-08-11T154159.172|INFO|CTL|container._connect: docker connected - endpoint=unix:///var/run/docker.sock version=&{ApiVersion:1.41 Arch:amd64 GitCommit:a89b842 GoVersion:go1.17.11 KernelVersion:5.4.0-155-generic Os:linux Version:20.10.17} 2023-08-11T154159.22 |INFO|CTL|container._connect: - version=&{ApiVersion:1.41 Arch:amd64 GitCommit:a89b842 GoVersion:go1.17.11 KernelVersion:5.4.0-155-generic Os:linux Version:20.10.17} 2023-08-11T154159.226|ERRO|CTL|container.getContainerSocketPath: Failed to get mounting container socket - endpoint=unix:///var/run/docker.sock error=No such container: e31ac9387c14f88a61df47e9899e9d6b27ee316ff8472cfe274d1a975ef9666b 2023-08-11T154159.4 |ERRO|CTL|main.main: Failed to initialize - error=Container list is empty 2023-08-11T154159|MON|Process ctrl exit status 255, pid=961475 2023-08-11T154159|MON|Start ctrl, pid=961486

command i used: helm upgrade --install neuvector neuvector/core --version 2.6.1 --set tag=5.2.0 --set registry=docker.io --create-namespace --namespace neuvector

are you certain the correct runtime has been selected in the helm chart?

neuvector https://neuvector.github.io/neuvector-helm/

thats what i used

Drill in there to find the core chart. You’ll see all the options on that page and this note about runtime. You can also see the exmples way down in the bottom of the values.yaml. a la

k3s:
  enabled: false
  runtimePath: /run/k3s/containerd/containerd.sock

bottlerocket:
  enabled: false
  runtimePath: /run/dockershim.sock

containerd:
  enabled: false
  path: /var/run/containerd/containerd.sock

crio:
  enabled: false
  path: /var/run/crio/crio.sock

So, I know this is SuSE Rancher slack channel, so please forgive me for asking this... Question on NeuVector deployment on OpenShift 4.12 Following this document: https://www.suse.com/c/container-security-how-to-quickly-install-neuvector-5-on-openshift-4/ I did the install Certified Operator Hub... I have a valid wildcard cert on my cluster; for example:

*.<http://apps.cluster.domain.org|apps.cluster.domain.org>

However, Neuvector is deployed with its own appears to be self-signed cert... Route is like:

<http://neuvector-route-webui-neuvector.apps.cluster.domain.org|neuvector-route-webui-neuvector.apps.cluster.domain.org>

How do I set it so it uses my wild-card cert above instead of self-signed cert? Second question, my openshift deployment is configured with OIDC authentication... Can I use that for authentication for Neuvector also?

I am using CRDs to apply a policy to a workload. The naming convention for policy is "nv.<servicename>.<namespace>. I am running into an issue where the name is exceeding the 63 character limit. Is there a reason that I have to stick with this convention or can I remove the namespace?

having trouble upgrading neuvector on a upgraded to 1.26 cluster, it complains about psp's but i dont see that flag anywhere in the helm chart vars

im not quite sure what neuvector monitor is, looks like its new in rancher 2.7.5? Also looks like it does prometheus exporting but thats all i can tell. Is this something to replace rancher-monitoring eventually?

Yep, it’s Prometheus. But it’s not there to replace anything in Rancher; more for non-Rancher folks

ah ok, that makes sense, just saw it in the cluster tools options when upgrading

yeah, it needs a better note.

I have an issue loading neuvector UI when I'm using containerd runtime. This is my setup: - 2 eks clusters. - One with docker runtime (v1.23) and another with containerd runtime (v1.26). - Same kubernetes yaml files were used to install neuvector. All pods are up and running. No error found in pod logs. Manager can reach controller while tested using wget. - port is listening to all connections confirmed through netstat. I'm able to load the UI of the one with docker runtime. But unable to load the UI from the containerd based cluster. Portforward return "connection reset by peer". I can wget from with in the container after exec into it. But not from another container in the same namespace (Connection get established but it gets hung). To test this I installed rancher desktop. And reproduced the same behavior by changing container run time through settings and deploying through helm (by selecting appropriate run time). I see the same issue here too. -- Works fine when the docker runtime is selected. -- UI doesn't load when k3s containerd is selected (all pods are up and running) Only difference I could find is that the port is bound to ipv4 in case of docker runtime. While it is bound to both in case of containerd setup (same for both rancher and EKS setups). With containerd runtime (UI doesnt load).

$ netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 :::8443                 :::*                    LISTEN      1/qemu-x86_64

With docker runtime (UI loads fine)

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      1/qemu-x86_64

The ports are reachable outside the container. When I do a wget from a different container the netstat shows tcp connection ESTABLISHED. But manager 8443 port doesnt seem to be responding properly. kubectl portforwarding exists as soon as a connection attempt is made. I'm sure I'm missing something very simple but I've been looking in the docs and could not find any config change other than volume mount. Have any one seen this? Any lead or suggestion would be helpful. Thanks here too. -- Works file when the docker runtime is selected. -- UI doesn't load when k3s containerd is selected (all pods up and running.) Only difference I could find is that the port is bound to ipv4 in case of docker runtime. While it is bound to both in case of containerd setup (same for both rancher and EKS setups). I'm sure I'm missing something very simple but I've been looking in the docs and could not find any config change other than volume mount. Have any one seen this? Any lead or suggestion would be helpful. Thanks!

image (3).png

👋 I'm trying to add AWS ECR registry via Management UI and operation fails with -

Failed to get authorization token by AWS keys

Same error if do it in CLI:

admin#neuvector-svc-controller.neuvector> create registry amazon -r <https://1234567890.dkr.ecr.eu-west-1.amazonaws.com> -f 'app1/*:*' app1
Account ID: 1234567890
Region: eu-west-1
Access Key ID []: xxxxx
Access secret []: xxxxx
Error: Request in wrong format: Failed to get authorization token by AWS keys
admin#neuvector-svc-controller.neuvector>

The role assigned to user which credentials I use is

AmazonEC2ContainerRegistryFullAccess

And regular authorization works as usual:

% aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin <http://1234567890.dkr.ecr.eu-west-1.amazonaws.com|1234567890.dkr.ecr.eu-west-1.amazonaws.com>
Login Succeeded
%

Am I missing something?

@thousands-advantage-10804 has left the channel