Posted onFeb 29, 2024

Deploying NeuVector via Helm on minikube

#minikube #suse #tutorial #lab

Summary

The following will walk through the necessary steps to deploy NueVector via Helm. This can be done locally or on a virtual machine. I am using minikube to test on, but K3S/MicroK8s or any other distros will work. Since this is going to be scaled down, we will also limit the replicas.

I'm going to leveragemultipass during this to spin up the necessary resource, but any other solution should work.

Prerequisites

Required:

A Virtual Machine
- I will usemultipass, which can launch an instance with minikube already installed.

That is really about it for this to get started.

Set up Virtual Machine

Since I have multipass installed, I will launch a new vm using the existing minikube image.

multipass launch -c 8 -m 16G -n demo minikube

multipass launch -c 8 -m 16G -n demo minikube                                                Waiting for initialization to complete \

Once completed, you should get a launched.

multipass launch -c 8 -m 16G -n demo minikube                                    Launched: demo

Running amultipass list, will output all the launched virtual machines.

demo                    Running           192.168.64.20    Ubuntu 22.04 LTS                                          172.17.0.1                                          192.168.49.1

NeuVector Setup

Connect to the virtual machine, in my case, it ismultipass shell minikube.

Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-92-generic aarch64) * Documentation:  https://help.ubuntu.com * Management:     https://landscape.canonical.com * Support:        https://ubuntu.com/pro  System information as of Thu Feb 29 09:16:40 EST 2024  System load:                      1.5546875  Usage of /:                       13.2% of 38.59GB  Memory usage:                     6%  Swap usage:                       0%  Processes:                        199  Users logged in:                  0  IPv4 address for br-1746f5f95e03: 192.168.49.1  IPv4 address for docker0:         172.17.0.1  IPv4 address for enp0s1:          192.168.64.20  IPv6 address for enp0s1:          fd3c:28b:5cc5:4064:5054:ff:fe87:5be

NeuVector Setup - minikube

minikube is already started on the new instance; however, I am going to bump up CPUs and Memory for it.

If needing to install minikube, check out thedocumentation.

First, stop minikube:

ubuntu@demo:~$minikube stop✋  Stopping node "minikube"  ...🛑  Powering off "minikube" via SSH ...🛑  1 node stopped.

Update CPUs:

ubuntu@demo:~$ minikube config set cpus 4❗  These changes will take effect upon a minikube delete and then a minikube start

Update Memory:

ubuntu@demo:~$minikube configsetmemory 8192❗  These changes will take effect upon a minikube delete and then a minikube start

Delete exiting minikube:

ubuntu@demo:~$ minikube delete🔥  Deleting "minikube" in docker ...🔥  Deleting container "minikube" ...🔥  Removing /home/ubuntu/.minikube/machines/minikube ...💀  Removed all traces of the "minikube" cluster.

Start up new minikube:

ubuntu@demo:~$ minikube start😄  minikube v1.32.0 on Ubuntu 22.04 (arm64)✨  Automatically selected the docker driver. Other choices: ssh, none📌  Using Docker driver with root privileges👍  Starting control plane node minikube in cluster minikube🚜  Pulling base image ...🔥  Creating docker container (CPUs=4, Memory=8192MB) ...🐳  Preparing Kubernetes v1.28.3 on Docker 24.0.7 ...    ▪ Generating certificates and keys ...    ▪ Booting up control plane ...    ▪ Configuring RBAC rules ...🔗  Configuring bridge CNI (Container Networking Interface) ...    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5🔎  Verifying Kubernetes components...🌟  Enabled addons: storage-provisioner, default-storageclass🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

minikube should be up running, once connected.

You can check with the following command:

minikube status

ubuntu@demo:~$minikube statusminikubetype: Control Planehost: Runningkubelet: Runningapiserver: Runningkubeconfig: Configured

If looking to play with minikube more, there are additional add-ons which can be installed, in this case, we will leave the defaults, but metrics-server and dashboard are typical.

NeuVector Setup - kubectl

This image also comes with kubectl setup:

ubuntu@demo:~$kubectl versionClient Version: v1.28.7Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3Server Version: v1.28.3

NeuVector Setup - helm

Helm is not installed, but can be quickly set up:

ubuntu@demo:~$helm versionCommand 'helm' not found, but can be installed with:sudo snap install helm

To install helm on this Ubuntu instancesudo snap install helm --classic.

ubuntu@demo:~$sudosnapinstallhelm--classicDownload snap "core22" (1125) from channel "stable"

Once install is complete, you can check the version:

ubuntu@demo:~$helm versionversion.BuildInfo{Version:"v3.14.2", GitCommit:"c309b6f0ff63856811846ce18f3bdc93d2b4d54b", GitTreeState:"clean", GoVersion:"go1.21.7"}

NeuVector Setup - Helm Install

Add the helm repo:

helm repo add neuvector https://neuvector.github.io/neuvector-helm/

For this, I'm going to use the latest version, but other older versions and development version can be listed:

helm search repo neuvector --devel -l

This is the latest as of 29 February 2024 -- Leap Day!:

ubuntu@demo:~$helm search repo neuvectorNAME                CHART VERSION   APP VERSION DESCRIPTIONneuvector/core      2.7.3           5.3.0       Helm chart for NeuVector's core servicesneuvector/crd       2.7.3           5.3.0       Helm chart for NeuVector's CRD servicesneuvector/monitor   2.7.3           5.3.0       Helm chart for NeuVector monitor services

Helm Install:

For setting up NeuVector, it is simple enough that I will keep most of the default values. I am updating the controller and scanner replicas, if leaving the defaults it will nuke your system since minikube is running a single node. This is fine for local and development environments.

helm upgrade --install neuvector neuvector/core --version 2.7.3 \--set tag=5.3.0 \--set controller.replicas=1 \--set cve.scanner.replicas=1 \--create-namespace \--namespace neuvector

The readme for the repository will provide additional configuration options:

NeuVector Helm Chart

When running:

ubuntu@demo:~$helm upgrade--install neuvector neuvector/core--version 2.7.3\--set tag=5.3.0 \--set controller.replicas=1 \--set cve.scanner.replicas=1 \--create-namespace \--namespace neuvectorRelease "neuvector" does not exist. Installing it now.NAME: neuvectorLAST DEPLOYED: Thu Feb 29 09:34:30 2024NAMESPACE: neuvectorSTATUS: deployedREVISION: 1TEST SUITE: NoneNOTES:Get the NeuVector URL by running these commands:  NODE_PORT=$(kubectl get--namespace neuvector-ojsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)  NODE_IP=$(kubectl get nodes--namespace neuvector-ojsonpath="{.items[0].status.addresses[0].address}")  echo https://$NODE_IP:$NODE_PORT

Accessing the NeuVector User Interface

I am going to port-forward this and access it from my local browser. On the virtual machine, run the following command.

kubectl port-forward --address 0.0.0.0 --namespace neuvector service/neuvector-service-webui 8443

ubuntu@demo:~$kubectl port-forward--address 0.0.0.0--namespace neuvector service/neuvector-service-webui 8443Forwarding from 0.0.0.0:8443 ->8443

This will listen on port 8443 on all addresses (0.0.0.0) and forward to the service : neuvector-service-webui.

Accessing Locally

*On my local browser: *

Note the IP Address I pulled is the virtual machine's private IP address. This can be checked again usingmultipass list.

Since this is a self-signed certificate, you can ignore the warnings and proceed.

By default, username and password are admin:admin.

Check off on the EULA and you can login.

And voila, update admin password if you plan will continue to use this and you are done.

Additional Steps - Set up mysql container

If looking to test NeuVector a bit more, we will add a MySQL service and run scans on containers and nodes with the NeuVector console.

Add the bitnami repo:

helm repo add bitnami https://charts.bitnami.com/bitnami

Install:

helm install bitnami/mysql --generate-name

In NeuVector Interface

Go to Assets in the navigation pane on the left and select the dropdown. From the dropdown, select containers.

Turn on Auto Scan or perform a manual scan:

Auto Scanning:

Scans will schedule and return back results on completed. Depending on the amount of resources, both scanners and containers, it could take time. Since this is a new cluster, it is relatively quick.

You can filter and view the vulnerabilities which are found:

Go to the Nodes page:

You can see the nodes are also scanned as well for vulnerabilities.

Conclusion

That is about it, a quick and easy way to test out NeuVector. This is really just scratching the surface when it comes to what features and solutions it offers.

Top comments(4)

Comment deleted

lykins

A dad.

Location
Lake Erie
Joined
Sep 28, 2023

• Mar 14 '24

Copy link

For me, it was the following.

minikube stopminikube config set cpus 4minikube config set memory 8192minikube deleteminikube start

When it starts up, you should see the configured resources.

minikube start😄  minikube v1.32.0 on Ubuntu 22.04 (arm64)✨  Automatically selected the docker driver. Other choices: ssh, none📌  Using Docker driver with root privileges👍  Starting control plane node minikube in cluster minikube🚜  Pulling base image ...🔥  **Creating docker container (CPUs=4, Memory=8192MB) ...**

Katarina

Joined
Mar 14, 2024

• Mar 15 '24• Edited onMar 15• Edited

Copy link

Thank you very much. Just two more questions, I am a begginer in DevOps, so I would like to learn more and I need a help by side, do you teach someone private or something like that? Maybe, can you tell me is there any group of people who work DevOps to communicate to each other about solutions and things that are related to DevOps?