Powered by Linen
neuvector-security
full-lawyer-94872 (03/13/2023, 3:36 PM):
Is this a bug?

full-lawyer-94872 (03/13/2023, 3:37 PM):
BTW, the version I am currently on is V5.1.1.

full-lawyer-94872 (03/14/2023, 2:21 PM):
Also, the action seems to be 'open' instead of the usual 'allow' action, and the connection does not seem to hold a rule id either.

full-lawyer-94872 (03/14/2023, 2:21 PM):
[attachment: Screenshot 2023-03-14 at 19.45.16.png]

full-lawyer-94872 (03/14/2023, 2:25 PM):
Is this expected, and are K8s API server connections actually allowed and open by default?

full-lawyer-94872 (03/22/2023, 4:06 AM):
Hi Team, for a K8s cluster with ~20 nodes, each running ~100 pods, how should we plan on scaling the controller pods? Also, is it OK to set up an HPA for this instead of going into a set of statically scaled-up controllers?

silly-airline-38945 (03/26/2023, 8:06 PM):
Hi, is validating image signatures in the NeuVector admission controller supported? Or would this be better to do using Kubewarden (which I believe supports this)?

polite-piano-74233 (03/27/2023, 2:44 AM):
Does NeuVector support arm64?

full-lawyer-94872 (03/30/2023, 12:55 PM):
Hello Team, let me know what you would think of this scenario. Pls check the following screenshot with the two network connections marked with red and blue underlines.

full-lawyer-94872 (03/30/2023, 12:55 PM):
[attachment: Screenshot 2023-03-30 at 18.13.47.png]

full-lawyer-94872 (03/30/2023, 12:57 PM):
The first one is an SSL connection initiated from api-server to auth-server.

full-lawyer-94872 (03/30/2023, 12:57 PM):
The second one is an SSL connection initiated from auth-server to profile-server.

full-lawyer-94872 (03/30/2023, 12:59 PM):
These are in the allow list of network rules, and the following is a set of network violations reported for these workload groups.

full-lawyer-94872 (03/30/2023, 12:59 PM):
[attachment: Screenshot 2023-03-30 at 18.08.43.png]

full-lawyer-94872 (03/30/2023, 1:02 PM):
You can see that these are connections initiated in the opposite direction of the above connections, with changing port numbers.

full-lawyer-94872 (03/30/2023, 1:07 PM):
I suspect these connections reported as violations to be in fact the responses for the aforementioned allowed connections and not separate connections. And if that's the case, isn't that a bug?

quaint-candle-18606 (03/30/2023, 1:26 PM):
Are the violations the result of the connections not being (or at least not being identified as) SSL?

quaint-candle-18606 (03/30/2023, 1:27 PM):
Click that "Review Rule" button to see what kind of new rule would be created.

quaint-candle-18606 (03/30/2023, 1:29 PM):
NeuVector generally thinks of things in terms of "from foo group to bar group via xxx Protocol" as explicit allow rules ...

quaint-candle-18606 (03/30/2023, 1:30 PM):
... with an implied deny (a la "deny any:any" in old-school firewall vernacular) for everything else.

quaint-candle-18606 (03/30/2023, 1:33 PM):
In a case like you've so very well outlined above, once in either Monitor or Protect mode, NeuVector will log those connections that don't have an explicit allow with an "Implicit deny rule was violated" alert. One then gets the option to react to any of those deemed "false positives" by using the "Review Rule" button to add the connection parameters to the list of explicit allow rules.

full-lawyer-94872 (03/31/2023, 12:29 AM):
"Are the violations the result of the connections not being (or at least not being identified as) SSL?" - Not necessarily, because it is anyway a connection initiated in the opposite direction of the allowed connection. So, in theory, it has to be identified as a violation. @quaint-candle-18606

full-lawyer-94872 (03/31/2023, 12:30 AM):
Also, this is a view of the review rule.

full-lawyer-94872 (03/31/2023, 12:30 AM):
[attachment: Screenshot 2023-03-31 at 05.56.39.png]

full-lawyer-94872 (03/31/2023, 12:30 AM):
The protocol is somehow not identified.

full-lawyer-94872 (03/31/2023, 12:32 AM):
And even if I allow this connection (assuming that it's expected), the problem is this would keep getting violated, as the next call will be to a different port.

full-lawyer-94872 (03/31/2023, 12:50 AM):
BTW, this is also something I noticed: all these curious calls point to a server image that goes by the name mcr.microsoft.com/oss/kubernetes/pause:3.6

full-lawyer-94872 (03/31/2023, 12:51 AM):
[attachment: Screenshot 2023-03-31 at 06.03.57.png]

full-lawyer-94872 (03/31/2023, 12:51 AM):
Not exactly sure on the internals of this yet...

polite-piano-74233 (03/31/2023, 1:37 AM):
pause is a normal container process, FWIW.