NeuVector 安装

  1. NeuVector 安装
  1. 本文重点介绍安装部署,具体功能将在后续文章中深入介绍。
  2. NeuVector 安装
  3. 安装环境
    软件版本:
    OS:Ubuntu18.04
    Kubernetes:1.20.14
    Rancher:2.5.12
    Docker:19.03.15
    NeuVector:5.0.0-preview.1
  4. 2.1. 快速部署
  5. 创建 namespace
  6. kubectl create namespace neuvector
  7. 部署 CRD( Kubernetes 1.19+ 版本)
  8. kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/crd-k8s-1.19.yaml
  9. 部署 CRD(Kubernetes 1.18或更低版本)
  10. kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/crd-k8s-1.16.yaml
  11. 配置 RBAC
  12. kubectl create clusterrole neuvector-binding-app --verb=get,list,watch,update --resource=nodes,pods,services,namespaces
kubectl create clusterrole neuvector-binding-rbac --verb=get,list,watch --resource=rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io
kubectl create clusterrolebinding neuvector-binding-app --clusterrole=neuvector-binding-app --serviceaccount=neuvector:default
kubectl create clusterrolebinding neuvector-binding-rbac --clusterrole=neuvector-binding-rbac --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-admission --verb=get,list,watch,create,update,delete --resource=validatingwebhookconfigurations,mutatingwebhookconfigurations
kubectl create clusterrolebinding neuvector-binding-admission --clusterrole=neuvector-binding-admission --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-customresourcedefinition --verb=watch,create,get --resource=customresourcedefinitions
kubectl create clusterrolebinding  neuvector-binding-customresourcedefinition --clusterrole=neuvector-binding-customresourcedefinition --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-nvsecurityrules --verb=list,delete --resource=nvsecurityrules,nvclustersecurityrules
kubectl create clusterrolebinding neuvector-binding-nvsecurityrules --clusterrole=neuvector-binding-nvsecurityrules --serviceaccount=neuvector:default
kubectl create clusterrolebinding neuvector-binding-view --clusterrole=view --serviceaccount=neuvector:default
kubectl create rolebinding neuvector-admin --clusterrole=admin --serviceaccount=neuvector:default -n neuvector
  13. 检查是否有以下 RBAC 对象
  14. kubectl get clusterrolebinding  | grep neuvector
kubectl get rolebinding -n neuvector | grep neuvector

kubectl get clusterrolebinding  | grep neuvector

neuvector-binding-admission                            ClusterRole/neuvector-binding-admission                            44h
neuvector-binding-app                                  ClusterRole/neuvector-binding-app                                  44h
neuvector-binding-customresourcedefinition             ClusterRole/neuvector-binding-customresourcedefinition             44h
neuvector-binding-nvadmissioncontrolsecurityrules      ClusterRole/neuvector-binding-nvadmissioncontrolsecurityrules      44h
neuvector-binding-nvsecurityrules                      ClusterRole/neuvector-binding-nvsecurityrules                      44h
neuvector-binding-nvwafsecurityrules                   ClusterRole/neuvector-binding-nvwafsecurityrules                   44h
neuvector-binding-rbac                                 ClusterRole/neuvector-binding-rbac                                 44h
neuvector-binding-view                                 ClusterRole/view                                                   44h
  15. kubectl get rolebinding -n neuvector | grep neuvector
neuvector-admin         ClusterRole/admin            44h
neuvector-binding-psp   Role/neuvector-binding-psp   44h
  16. 部署 NeuVector
  17. 底层 Runtime 为 Docker
  18. kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/neuvector-docker-k8s.yaml
  19. 底层 Runtime 为 Containerd(对于 k3s 和 rke2 可以使用此 yaml 文件)
  20. kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/neuvector-containerd-k8s.yaml
  21. 1.21 以下的 Kubernetes 版本会提示以下错误,将 yaml 文件下载将 batch/v1 修改为 batch/v1beta1
  22. error: unable to recognize "https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/neuvector-docker-k8s.yaml": no matches for kind "CronJob" in version "batch/v1"
  23. 1.20.x cronjob 还处于 beta 阶段,1.21 版本开始 cronjob 才正式 GA 。
  24. 默认部署web-ui使用的是loadblance类型的Service,为了方便访问修改为NodePort,也可以通过 Ingress 对外提供服务
  25. kubectl patch  svc neuvector-service-webui  -n neuvector --type='json' -p '[{"op":"replace","path":"/spec/type","value":"NodePort"},{"op":"add","path":"/spec/ports/0/nodePort","value":30888}]'
  26. 访问 https://node_ip:30888
    默认密码为 admin/admin
posted @   panlifeng  阅读(268)  评论(0编辑  收藏  举报
相关博文:
· NeuVector安装和部署
· Takin实践笔记
· Kubernetes安装-kubeadm方式
· NeuVector 会是下一个爆款云原生安全神器吗?
· 2-2、kubernetes安装
阅读排行:
· Obsidian + DeepSeek:免费 AI 助力你的知识管理,让你的笔记飞起来!
· 分享4款.NET开源、免费、实用的商城系统
· 解决跨域问题的这6种方案,真香!
· 一套基于 Material Design 规范实现的 Blazor 和 Razor 通用组件库
· 5. Nginx 负载均衡配置案例(附有详细截图说明++)
点击右上角即可分享
微信分享提示