How-tos

Complete run-time container security for production Kubernetes workloads

Share this post:

Introduction

In this blog post we discuss how NeuVector integrates with IBM Cloud Container Service to provide complete run-time container security for your production Kubernetes workloads. We are excited to partner together to demonstrate how quickly and easily users can deploy a Kubernetes cluster in IBM Cloud and then secure those workloads in this new and ever-changing container and microservice world.

 

See it live.

 

About IBM Cloud 

IBM Cloud (formerly IBM Bluemix) was announced in June, providing users with a variety of compute choices as well as over 170 IBM and third party services. IBM Cloud Container Service combines Docker and Kubernetes to deliver powerful tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications all while leveraging Cloud Services including cognitive capabilities from Watson.

About NeuVector

NeuVector is cloud-native container firewall for monitoring and protecting Kubernetes container deployments in production. You can download a container firewall guide here to learn about how a container firewall differs from traditional next generation firewalls (NGFW) and web application firewalls (WAF).  In addition to Layer 7 network firewall protection of Kubernetes pods, the NeuVector security solution provides features for auditing your security settings with Docker Bench and the Kubernetes CIS benchmark as well as scanning containers for vulnerabilities. NeuVector also monitors host and container processes for suspicious activity such as privilege escalations, port scanning, reverse shells and other unusual syscall activity.

The NeuVector solution is comprised of security containers which can be deployed on each node just like you deploy your applications, using Kubernetes. For evaluation purposes, NeuVector makes available an Allinone container and an Enforcer container. These can be pulled from Docker Hub along with documentation by requesting access from info@neuvector.com.

The Allinone container bundles a Manager, Controller, and Enforcer and should be deployed on one node in your cluster. If you have other nodes in your cluster, the Enforcer container will be deployed onto those, and will communicate with the Allinone to receive policy updates and send events.

Setting up a Kubernetes cluster in IBM Cloud

The first step is to create a IBM Cloud account. After you’ve successfully logged in, the left-hand navigation will take you to Containers.

 

Select the Kubernetes Cluster icon. We’re going to create a standard cluster below. You can still deploy NeuVector to a lite (free) cluster.

To create a standard cluster, set the following parameters:

  • Cluster name
  • Kubernetes version
  • Datacenter location
  • Machine type – a flavor with pre-defined resources per worker node in your cluster
  • Number of workers – 1 to n based on capacity requirements, and can be scaled up or down after the cluster is running
  • Private and Public VLAN – choose networks for worker nodes (we’ll create for you if you don’t have any yet)
  • Hardware – clusters and worker nodes are always single-tenant and isolated to you, but you can choose the level of isolation to meet your needs (shared workers have multi-tenant hypervisor and hardware whereas dedicated worker nodes are single-tenant down to the hardware level)

 

See the IBM Cloud documentation for more details on cluster creation.

Once you are satisfied with your selections, click on the Create Cluster button.

To create a cluster from the command line, use the following command:

bx cs cluster-create –name –location –workers 2 –machine-type u1c.2×4 –hardware shared –public-vlan –private-vlan

Deploying NeuVector

Now that the environment is provisioned, you can access it from the IBM Cloud CLI. Download the CLI tool and login to your cluster following the instructions in the Access tab.

 

Create the namespace for NeuVector:

kubectl create namespace neuvector

Create a secret for pulling the NeuVector container from Docker Hub, filling in your ID, password and email:

kubectl create secret docker-registry regsecret -n neuvector –docker-username= –docker-password= –docker-email=

Note: Please contact support@neuvector.com to request that your Docker Hub ID be added to the NeuVector private registry.

Label the node where you want to deploy the Allinone container. Replace nodename with the node name from ‘kubectl get nodes’:

kubectl label nodes nodename nvallinone=true

Note, the Enforcer container will automatically be deployed on other nodes in your cluster.

Create a yaml file for the allinone for deploying NeuVector. You can request a sample yaml file from support@neuvector.com.  Then create the NeuVector service and pod.

kubectl create –f allinone.yaml

Verify that everything is running:

kubectl get all -n neuvector

If you haven’t already deployed some sample applications, now is a good time to do that so that you’ll be able to see application containers running and their connections in NeuVector.

After generating test traffic through your sample apps, log into the NeuVector console. You’ll need to login the public IP address of your cluster / node, using the random port assigned by the Kubernetes NodePort service. To find that port:

kubectl get svc -n neuvector

The output will look like below, and see the highlighted port:

 

You can now login to the NeuVector console using the public IP address and port and ‘admin’ / ‘admin’ to login.

Feel free to browse the console, view Network Activity, the Policy Rules and other Resources.

 

Conclusion

IBM Cloud Container Service makes it easy to set up a Kubernetes cluster to host your containerized applications. When running such applications in production, security is required to ensure that applications are safe and communicating properly. NeuVector provides that run-time security in any cloud environment, providing a layer-7 firewall, host and container processes monitoring, and vulnerability scanning solution.  You can request a demo and access to the download by contacting NeuVector at info@neuvector.com.

Try IBM Cloud Container Service and NeuVector today!!

More How-tos stories

Speed up your WordPress with IBM Cloud

WordPress is one of the most popular content management systems available, but the many websites and blogs that use it experience issues with speed. At IBM Cloud, there are several solutions that can help alleviate some of these issues and allow you to have a better and faster WordPress experience.

Continue reading

Container Native Monitoring Insights with Elastic on IBM Cloud

Introduction to container native monitoring In this blog post, we will discuss how Elastic easily deploys with the IBM Cloud Kubernetes Service (IKS). This provides full visibility of your containerized workloads and operational consistency with container deployments in a multi-cloud architecture. We will deploy a Kubernetes cluster in IBM Cloud and layer in the Elastic […]

Continue reading

Build, Deploy, and Scale Real-World Solutions on IBM Cloud

IBM Cloud Solution Tutorials give you step-by-step instructions to create applications running on virtual servers, Kubernetes, Cloud Foundry, and serverless architectures. The tutorials also cover topics ranging from web and mobile applications, chatbots, IoT, and machine learning and analytics.

Continue reading