Are those groups maybe set for Zero Drift?

Hi - Im trying to install Neuvector from the App catalogue in rancher. I receive the following:

main.main: Container socket connected - endpoint= runtime=docker
2022-06-09T08:12:29.958|INFO|CTL|resource.IsRancherFlavor: resource found - namespace=cattle-system service=cattle-cluster-agent
2022-06-09T08:12:29.958|INFO|CTL|main.main: - flavor=Rancher k8s=1.23.6+rke2r2 oc=
2022-06-09T08:12:29.959|ERRO|CTL|main.main: Failed to get local device information - error=No such container: 6b73a2f18c629276828b30d7c7073149dd0be68208bf6e7e18d456b20e11da79
2022-06-09T08:12:29|MON|Process ctrl exit status 254, pid=7
2022-06-09T08:12:29|MON|Process ctrl exit with non-recoverable return code. Monitor Exit!!
Leave the cluster
Error leaving: Put "<http://127.0.0.1:8500/v1/agent/leave>": dial tcp 127.0.0.1:8500: connect: connection refused

What am i missing?

Hi everyone. I installed Neuvector from the App catalogue in Rancher 2.6.5 with defaults (only changed Container Runtime to containerd because I'm using K3s, and changed PVC to use Longhorn), but SSO is not working. Any recommended log that I can review to check what is happening?

Hi @quiet-fountain-46593 tried another upgrade from rke2 1.21 to 1.22 and checking enforcer and controller logs after restarting pods. The consul agent on enforcer does not start. But a lot of

Failed to get container task - error=no running task found:

is seen in the logs last common logline before these are:

main.parseHostAddrs: - maxMTU=1500

FYI: NeuVector 5.0.2 has been released.

Also running into some issues with a similar setup (v1.22.9). I configured the chart via the catalog to look for the containerd runtime and the cluster is built from Ubuntu nodes hardened CIS level 1 standards via USG. Controller and enforcer pods never come up and I'm seeing this in controller pod logs:

2022-08-03T21:04:20.169|INFO|CTL|container.Connect: - endpoint=
2022-08-03T21:04:20.17 |ERRO|CTL|main.main: Failed to initialize - error=Unknown container runtime

Any assistance would be greatly appreciated because we really like Neuvector!

Hi, I see the CTRL_PERSIST_CONFIG is depending on pvc enabled. this means that running single controller without pvc will not persist data during reboot even though /var/neuvector hostpath is used by default. It would be nice to be able to persist config without pvc. (I know controller.env can be added to achieve this feature)

I’m giving a quick little talk next week.

hello everyone, any using neuvector for create rule block traffic to unmanaged node, im create rule but not work

Join us tomorrow, October 11th, for an educational and interactive workshop. The SUSE NeuVector Container Security Rodeo is designed for those that are new to NeuVector or container security.

Hello! I've recently installed NeuVector to test it out and to my surprise immediately started seeing

SQL.Injection

security events showing up in my logs. The action says

alert

instead of deny even though the pods are in protect mode. The documentation implies this should be denied under the

Built-In Network Dectection

here. How do I know if this is actually being blocked or not?

Does NeuVector support SBOM-Verification? What is the underlying technology of container signature validation?

NeuVector does not support SBOM verification today, but is being considered for the future. Also being added next year is the sigstore/cosign based image signature validation for admission controls. In the meantime, feel free to check out Kubewarden for sigstore integration into admission controls.

okkk got it !!! Hello everyone. I'll test neuvector asap. The last rodeo from rancher france was awesome 🙂

Yeah, those rodeos are pretty good!

Hey ho! I was just trying to get the webhook or syslog integration up and running. Neither of them works, cant see a single message. I checked that both routes should work with a simple Ubuntu pod within the neuvector namespace. Neither the log of the controller nor of the manage seem not to be of any help. I used the rancher app aswell as the helm chart deployment using just the

core

chart. The version running is 5.0.5. Is there anything I'm missing here? For the webhook I'm trying JSON, syslog is configured for all categories in json udp/514 level "info". FYI: I'm using no proxy

Does anyone know what the status of Cilium CNI support in Neuvector is? I have in my notes that it was slated for release 5.1, and I saw this tag (https://github.com/neuvector/neuvector/releases/tag/vcilium.1) in the releases. Does that imply that Cilium support made it into 5.1?

FYI --> NeuVector Rodeo On December 20th (US) if folks would like to come geek out a bit

Hi, been trying the last 5.1.0 i rancher (2.7.0) and have issue with the Network Activity view. The console prints out the error:

main.b1970250c5c711f4.js:1 ERROR SyntaxError: "[object Object]" is not valid JSON
    at JSON.parse (<anonymous>)
    at a.loadBlacklist (397.b2130fb755f52455.js:1:1388116)
    at a.ngOnInit (397.b2130fb755f52455.js:1:1419453)
    at Er (main.b1970250c5c711f4.js:1:7501269)
    at or (main.b1970250c5c711f4.js:1:7501091)
    at ns (main.b1970250c5c711f4.js:1:7500796)
    at Zc (main.b1970250c5c711f4.js:1:7528870)
    at zf (main.b1970250c5c711f4.js:1:7529177)
    at Zc (main.b1970250c5c711f4.js:1:7529204)
    at uh (main.b1970250c5c711f4.js:1:7536265)

Is this a known issue? (Merry Xmas, BTW 🙂 )

2023-01-10T150516.599315653+01:00 stdout F 2023-01-10 140516,598|INFO |MANAGER|com.neu.api.AuthenticationService(apply:826): post path auth 2023-01-10T150606.602041216+01:00 stdout F 2023-01-10 140606,601|WARN |MANAGER|com.neu.api.AuthenticationService(apply:830): Status: 401 Unauthorized 2023-01-10T150606.602072724+01:00 stdout F Body: {"code":3,"error":"Authentication failed","message":"Authentication failed"} 2023-01-10T150606.603123585+01:00 stdout F 2023-01-10 140606,602|INFO |MANAGER|com.neu.api.AuthenticationService(apply:147): saml-g: servername is empty

Can you confirm that all the NeuVector pods are running, please? Thanks. 🙂

Hi i wrote a blog post about NeuVector : https://www.suse.com/c/another-orchestrated-attack-how-do-i-protect-myself/ what do you think about the concept of behavioral-based Zero-Trust?

I’m looking at the Neuvector Gitlab-ci job, https://gitlab.com/neuvector/gitlab-plugin/-/blob/master/scan.yml, and I wondered if anyone had this working without docker-in-docker? We haven’t used dind for our pipelines for a long time now, but would like to integrate with the neuvector scan

A about how to install NeuVector using HELM, if that kind of thing excites you. 🙂

@orange-airplane-98016 has left the channel

Questions regarding the NeuVector Vulnerability Scanner for GitLab: 1. Is it possible change "dind" to kaniko? 2. Is there a reason, why the Pipeline (scan.yml) does not adhere to the GitLab method of integrating scanner pipelines?

Hi, running 5.0.5 in rancher (2.6.9/2.7.0) on docker hosts. Not sure why, but having a web server, after initial discovery,,putting into protect mode, removing the external access rule, the external access rule appears again after testing the webserver. Any hints how to debug further?

🦜 NeuVector 5.1.1 has been released 🦜

Has NeuVector a possibility to control LimitRange? Similar to kyverno's "AddQuota" ClusterPolicy?

Hi, I noticed an issue today. It might be obvious but to me it was troublesome. Im running haproxy (kubernetes-ingress) using hostport. I protected a service (exposing an ingress) and used a group for allowing access from specific subnets. (servers are behind a F5 so forwarded headers are used) client-a: blocked client-b: allowed 1. request from client-a is blocked 2. request from client-b open but running an request from client-a directly after request from client-b is not blocked(!). In haproxy I need to set

http-connection-mode: http-server-close

It seems that keep-alive from ingress to service breaks security. Im not sure if this is an issue with nginx. Appreciate any comments.