Kubernetes Container Security with NeuVector on IBM Cloud Container Service

Share this post:


In this blog post we discuss how NeuVector integrates with IBM Cloud Container Service to provide complete run-time container security for your production Kubernetes workloads. We are excited to partner together to demonstrate how quickly and easily users can deploy a Kubernetes cluster in IBM Cloud and then secure those workloads in this new and ever-changing container and microservice world.

About IBM Cloud 

IBM Cloud (formerly IBM Bluemix) was announced in June, providing users with a variety of compute choices as well as over 170 IBM and third party services. IBM Cloud Container Service combines Docker and Kubernetes to deliver powerful tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications all while leveraging Cloud Services including cognitive capabilities from Watson.

About NeuVector

NeuVector is cloud-native container firewall for monitoring and protecting Kubernetes container deployments in production. You can download a container firewall guide here to learn about how a container firewall differs from traditional next generation firewalls (NGFW) and web application firewalls (WAF).  In addition to Layer 7 network firewall protection of Kubernetes pods, the NeuVector security solution provides features for auditing your security settings with Docker Bench and the Kubernetes CIS benchmark as well as scanning containers for vulnerabilities. NeuVector also monitors host and container processes for suspicious activity such as privilege escalations, port scanning, reverse shells and other unusual syscall activity.

The NeuVector solution is comprised of security containers which can be deployed on each node just like you deploy your applications, using Kubernetes. For evaluation purposes, NeuVector makes available an Allinone container and an Enforcer container. These can be pulled from Docker Hub along with documentation by requesting access from

The Allinone container bundles a Manager, Controller, and Enforcer and should be deployed on one node in your cluster. If you have other nodes in your cluster, the Enforcer container will be deployed onto those, and will communicate with the Allinone to receive policy updates and send events.

Setting up a Kubernetes cluster in IBM Cloud

The first step is to create a IBM Cloud account. After you’ve successfully logged in, the left-hand navigation will take you to Containers.


Select the Kubernetes Cluster icon. We’re going to create a standard cluster below. You can still deploy NeuVector to a lite (free) cluster.

To create a standard cluster, set the following parameters:

  • Cluster name
  • Kubernetes version
  • Datacenter location
  • Machine type – a flavor with pre-defined resources per worker node in your cluster
  • Number of workers – 1 to n based on capacity requirements, and can be scaled up or down after the cluster is running
  • Private and Public VLAN – choose networks for worker nodes (we’ll create for you if you don’t have any yet)
  • Hardware – clusters and worker nodes are always single-tenant and isolated to you, but you can choose the level of isolation to meet your needs (shared workers have multi-tenant hypervisor and hardware whereas dedicated worker nodes are single-tenant down to the hardware level)


See the IBM Cloud documentation for more details on cluster creation.

Once you are satisfied with your selections, click on the Create Cluster button.

To create a cluster from the command line, use the following command:

bx cs cluster-create –name –location –workers 2 –machine-type u1c.2×4 –hardware shared –public-vlan –private-vlan

Deploying NeuVector

Now that the environment is provisioned, you can access it from the IBM Cloud CLI. Download the CLI tool and login to your cluster following the instructions in the Access tab.


Create the namespace for NeuVector:

kubectl create namespace neuvector

Create a secret for pulling the NeuVector container from Docker Hub, filling in your ID, password and email:

kubectl create secret docker-registry regsecret -n neuvector –docker-username= –docker-password= –docker-email=

Note: Please contact to request that your Docker Hub ID be added to the NeuVector private registry.

Label the node where you want to deploy the Allinone container. Replace nodename with the node name from ‘kubectl get nodes’:

kubectl label nodes nodename nvallinone=true

Note, the Enforcer container will automatically be deployed on other nodes in your cluster.

Create a yaml file for the allinone for deploying NeuVector. You can request a sample yaml file from  Then create the NeuVector service and pod.

kubectl create –f allinone.yaml

Verify that everything is running:

kubectl get all -n neuvector

If you haven’t already deployed some sample applications, now is a good time to do that so that you’ll be able to see application containers running and their connections in NeuVector.

After generating test traffic through your sample apps, log into the NeuVector console. You’ll need to login the public IP address of your cluster / node, using the random port assigned by the Kubernetes NodePort service. To find that port:

kubectl get svc -n neuvector

The output will look like below, and see the highlighted port:


You can now login to the NeuVector console using the public IP address and port and ‘admin’ / ‘admin’ to login.

Feel free to browse the console, view Network Activity, the Policy Rules and other Resources.



IBM Cloud Container Service makes it easy to set up a Kubernetes cluster to host your containerized applications. When running such applications in production, security is required to ensure that applications are safe and communicating properly. NeuVector provides that run-time security in any cloud environment, providing a layer-7 firewall, host and container processes monitoring, and vulnerability scanning solution.  You can request a demo and access to the download by contacting NeuVector at

Try IBM Cloud Container Service and NeuVector today!!

Add Comment
No Comments

Leave a Reply

Your email address will not be published.Required fields are marked *

More Security stories

Getting started with TradeIt’s SDK and API

By integrating TradeIt’s core products - TradingTicket and PortfolioView - developers can bring portfolio management and order management tools to their end users. RIA and Wealth Management platforms that integrate our SDK or standardized API have higher engagement and a simplified workflow to manage across a clients portfolio and have the ability to place orders seamlessly through the same safe, secure API connections to the underlying broker. TradeIt understood that consumers were increasingly engaged on apps and social networks for the business of their lives. TradeIt brings the top Financial Institutions’ customer journey - account opening, account management and securities trading - to the apps where the action happens in a safe, secure and compliant way.

Continue reading

Cloud Functions: Easy Database Setup the Serverless Way

A tutorial I wrote, featuring a database-backed Slack chatbot, is now live. It uses Db2 as database system to store event data. The client accessing the database is written in Node.js and is implement with IBM Cloud Functions in a serverless way. During the development of that tutorial I faced the question on how to perform the database setup. Should I guide users through the user interface to create a table and insert data? Should they install a Db2 client and execute a script locally? I solved the problem in a serverless fashion. Here are the details.

Continue reading

Using App ID to secure Docker and Kubernetes applications

So, you have a server side Java application and you need to be able to authenticate your users without the hassle? Then App ID is for you. There's no easier way to create a scalable app than to use the nimble IBM WebSphere Liberty application server in a Docker image and run it with IBM Cloud Container Service.

Continue reading