neuvector-security
full-lawyer-94872 (03/05/2023, 3:01 AM):
Hello Team, found some confusion while checking some workloads in monitor mode.

full-lawyer-94872 (03/05/2023, 3:01 AM):
Scenario 1:

full-lawyer-94872 (03/05/2023, 3:01 AM):
Check network rule id: 27 in the screenshot below.

full-lawyer-94872 (03/05/2023, 3:02 AM):
[Screenshot 2023-03-05 at 05.50.46.png]

full-lawyer-94872 (03/05/2023, 3:03 AM):
It was first reported as a violation in security events while running in monitor mode, and as it's a valid connection, I just added it as a rule.

full-lawyer-94872 (03/05/2023, 3:04 AM):
However, when checking the rest of the rules, you can also notice that there was already a rule for this connection, id: 25444.

full-lawyer-94872 (03/05/2023, 3:05 AM):
id: 27 is more specific than id: 25444, but still, how could this be detected as a violation when the connection is already in the allow list?

full-lawyer-94872 (03/05/2023, 3:06 AM):
=========================

full-lawyer-94872 (03/05/2023, 3:06 AM):
Scenario 2:

full-lawyer-94872 (03/05/2023, 3:08 AM):
Check network rule id: 25 in the screenshot below.

full-lawyer-94872 (03/05/2023, 3:08 AM):
[Screenshot 2023-03-05 at 05.58.32.png]

full-lawyer-94872 (03/05/2023, 3:09 AM):
It was first reported as a violation in security events while running in monitor mode, and as it's a valid connection, I just added it as a rule. However, when checking the rest of the rules, you can also notice that there was already a rule for this connection, id: 2.

full-lawyer-94872 (03/05/2023, 3:10 AM):
How could this too be detected as a violation when the connection is already in the allow list?

full-lawyer-94872 (03/07/2023, 10:48 AM):
BTW, I would also like to know who exactly does this rule check. Is it the enforcer?

quaint-candle-18606 (03/07/2023, 8:31 PM):
Yes, Enforcers

full-lawyer-94872 (03/07/2023, 11:16 PM):
BTW, there have been some controller memory pressure issues in the cluster for some time now.

full-lawyer-94872 (03/07/2023, 11:16 PM):
Could that lead to this type of issue?

full-lawyer-94872 (03/07/2023, 11:27 PM):
[Screenshot 2023-03-08 at 04.54.56.png]

kind-church-47495 (03/08/2023, 1:32 PM):
Anyone able to help explain the delta in vulnerabilities reported under Assets -> Nodes and Security Risks -> Vulnerabilities? I show the count for the first page at 1811 highs / 1393 mediums, and then there are only 200 highs / 145 mediums for the same node under Security Risks. The count also jumped up by like 400 after running an update, so that was strange as well.

full-lawyer-94872 (03/13/2023, 3:32 PM):
Folks, just seeing this confusion between network rules and the graph on K8s API server connections.

full-lawyer-94872 (03/13/2023, 3:32 PM):
[Screenshot 2023-03-13 at 05.24.13.png]

full-lawyer-94872 (03/13/2023, 3:34 PM):
In the above screenshot, you can see that there is only one network rule detected for K8s API server connections, whereas if I check the network graph at the same time, you can observe the following.

full-lawyer-94872 (03/13/2023, 3:35 PM):
[Screenshot 2023-03-13 at 05.20.52.png]

full-lawyer-94872 (03/13/2023, 3:36 PM):
The graph shows more K8s API server connections than the one that appears under network rules.

full-lawyer-94872 (03/13/2023, 3:36 PM):
Is this a bug?

full-lawyer-94872 (03/13/2023, 3:37 PM):
BTW, the version I am currently on is v5.1.1.

full-lawyer-94872 (03/14/2023, 2:21 PM):
Also, the action seems to be 'open' instead of the usual 'allow' action, and the connection does not seem to hold a rule id either.

full-lawyer-94872 (03/14/2023, 2:21 PM):
[Screenshot 2023-03-14 at 19.45.16.png]

full-lawyer-94872 (03/14/2023, 2:25 PM):
Is this expected, and are K8s API server connections actually allowed and open by default?

full-lawyer-94872 (03/22/2023, 4:06 AM):
Hi Team, for a K8s cluster with ~20 nodes, each running ~100 pods, how should we plan on scaling the controller pods? Also, is it OK to set up an HPA for this instead of going into a set of statically scaled-up controllers?