NeuVector
NeuVector delivers Full Lifecycle Container Security with the only cloud-native, Kubernetes security platform providing end-to-end vulnerability management, automated CI/CD pipeline security, and complete run-time security including the industry’s only container firewall to protect your infrastructure from zero days and insider threats.
Links: neuvector.com, docs, repository
Content
Features
- Automated Behavioral-Based Zero-Trust modes
  - Discover
  - Monitor
  - Protect
- Continuously watches every packet
  - Layer 3
  - Layer 4
  - Layer 7
- Network traffic to the source of truth
- Security-as-Code for replicating Zero-Trust Segmentation
- Protect data with Data Loss Prevention (DLP)
- Service Mesh integration
- Automation
Trainings
- NeuVector Rodeo
- NeuVector - 101 (Fall 2021)
- NeuVector Minute - Installing NeuVector on Rancher - Nov 12, 2020
- Zero-Trust Security for Kubernetes and Container Workloads - March 29, 2022
Versions
v5.3.0
v5
- New scanning targets
- Zero-drift process and file protection
- Split policy mode
- Web app firewall rule detection
- CRD updates
- Enhanced Rancher Integration
- Automated promotion of group nodes
Scanning
GitLab
Installation
Rancher App
- In Rancher, from your cluster, go to Apps > Charts, look for NeuVector and click on Install
- In Step 2 > Edit Options:
- In Container Runtime, make sure you select the right runtime (for instance containerd with AKS)
- In Ingress Configuration, check the Manager Ingress Status box and fill in Manager Ingress Host (neuvector.demo for example)
- In Step 2 > Edit YAML, edit the content to add ingressClassName:

```yaml
manager:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    enabled: true
    host: neuvector.demo
    ingressClassName: nginx
    path: /
    secretName: null
    tls: false
```
- Click on Install and follow the overall installation process
- Once installed correctly (all pods running fine), go to Service Discovery > Ingresses
- In the cattle-neuvector-system namespace, click on the target link
- Log in with admin/admin and change the password immediately
- In
Q&A
| Question | Answer |
|---|---|
| Is it possible to export reports and scans as PDF and automate their creation and delivery, for example by email? | Yes, this can be done by leveraging the API |
| Is it possible to customize the login UI? | The name can be changed, but no other customization is available for the moment (a feature request has been created to cover this part) |
| Must NeuVector be installed in each working cluster, or is it possible to have one central NeuVector cluster and route to it from each downstream cluster? | The components such as the scanner, enforcer, etc. must be installed in each cluster, but you can federate clusters together so there is a single UI to manage multiple clusters |
| Can we "ignore/silence" a vulnerability so it doesn't show in the reporting? | You can "accept" vulnerabilities, which stops them from appearing in reports/alerts. Reports can also filter out vulnerabilities by (for example) a low CVE score, no fix available, etc., so you could generate a list of all known CVEs in your environment, filter by "no fix" and then bulk accept those |
| How much of a performance overhead is the enforcer? | This is documented in the FAQ at point 2 |
Known issues
- Timeout while on the web interface
  - Workaround: refresh the page and authenticate again
Articles
- Enhancing Kubernetes Application Security with NeuVector - September 15th, 2023
- FAQ
Alternatives
Recipes
How to scan control plane nodes
By default, only worker nodes are scanned. You can change this by adapting the tolerations of the enforcer when installing NeuVector. The default can be seen in values.yaml under enforcer.tolerations. Depending on the Kubernetes distribution, the taints on non-worker nodes may differ, so check the actual taints (`kubectl describe node`) before choosing what to tolerate.
To tolerate all possible taints, a config would be:
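As an added example (not from this page or from NeuVector), the following Python mimics the Kubernetes taint/toleration matching rules to show which nodes an enforcer DaemonSet would reach under a given enforcer.tolerations list; node names and taints are constructed sample data, and the catch-all toleration uses the standard `operator: Exists` with no key.

```python
# Simulates Kubernetes taint/toleration matching for the NeuVector enforcer
# DaemonSet. Added example, not NeuVector code. Node taints are constructed
# sample data: two control-plane nodes (one carrying an extra legacy taint,
# as some distributions do) and one untainted worker.
NODES = {
    "cp-1": [{"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}],
    "cp-2": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"},
             {"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}],
    "worker-1": [],
}

# No tolerations at all: only untainted (worker) nodes get an enforcer.
NO_TOLERATIONS = []

# Tolerates a single, distribution-specific taint; misses nodes with others.
CONTROL_PLANE_ONLY = [{"key": "node-role.kubernetes.io/control-plane",
                       "operator": "Exists", "effect": "NoSchedule"}]

# Tolerate every taint, whatever its key, value or effect.
TOLERATE_ALL = [{"operator": "Exists"}]


def tolerates(toleration, taint):
    """Kubernetes rules: an empty key with Exists matches every taint, an
    empty effect matches every effect, and Equal also compares the value."""
    if toleration.get("key", "") and toleration["key"] != taint["key"]:
        return False
    if toleration.get("effect", "") and toleration["effect"] != taint["effect"]:
        return False
    if toleration.get("operator", "Equal") == "Exists":
        return True
    return toleration.get("value", "") == taint.get("value", "")


def schedulable_nodes(nodes, tolerations):
    """Names of nodes whose NoSchedule/NoExecute taints are all tolerated
    (PreferNoSchedule taints never block a DaemonSet pod)."""
    reachable = []
    for name, taints in nodes.items():
        blocking = [t for t in taints if t["effect"] in ("NoSchedule", "NoExecute")]
        if all(any(tolerates(tol, t) for tol in tolerations) for t in blocking):
            reachable.append(name)
    return sorted(reachable)


if __name__ == "__main__":
    for label, tols in (("none", NO_TOLERATIONS), ("control-plane", CONTROL_PLANE_ONLY),
                        ("all", TOLERATE_ALL)):
        print(f"{label:14s} -> {schedulable_nodes(NODES, tols)}")
```

Run it against the taints of your own cluster (one entry per node) to confirm the enforcer will land on every node you expect to be scanned.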