Complete run-time container security for production Kubernetes workloads
In this blog post we discuss how NeuVector integrates with IBM Cloud Container Service to provide complete run-time container security for your production Kubernetes workloads. We are excited to partner together to demonstrate how quickly and easily users can deploy a Kubernetes cluster in IBM Cloud and then secure those workloads in this new and ever-changing container and microservice world.
About IBM Cloud
IBM Cloud (formerly IBM Bluemix) was announced in June, providing users with a variety of compute choices as well as over 170 IBM and third party services. IBM Cloud Container Service combines Docker and Kubernetes to deliver powerful tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications all while leveraging Cloud Services including cognitive capabilities from Watson.
NeuVector is a cloud-native container firewall for monitoring and protecting Kubernetes container deployments in production. You can download a container firewall guide here to learn how a container firewall differs from traditional next-generation firewalls (NGFW) and web application firewalls (WAF). In addition to Layer 7 network firewall protection of Kubernetes pods, the NeuVector security solution provides features for auditing your security settings with Docker Bench and the Kubernetes CIS benchmark, as well as scanning containers for vulnerabilities. NeuVector also monitors host and container processes for suspicious activity such as privilege escalations, port scanning, reverse shells and other unusual syscall activity.
The NeuVector solution is comprised of security containers which can be deployed on each node just like you deploy your applications, using Kubernetes. For evaluation purposes, NeuVector makes available an Allinone container and an Enforcer container. These can be pulled from Docker Hub along with documentation by requesting access from email@example.com.
The Allinone container bundles a Manager, Controller, and Enforcer and should be deployed on one node in your cluster. If you have other nodes in your cluster, the Enforcer container will be deployed onto those, and will communicate with the Allinone to receive policy updates and send events.
Setting up a Kubernetes cluster in IBM Cloud
The first step is to create an IBM Cloud account. After you’ve successfully logged in, the left-hand navigation will take you to Containers.
Select the Kubernetes Cluster icon. We’re going to create a standard cluster below. You can still deploy NeuVector to a lite (free) cluster.
To create a standard cluster, set the following parameters:
Machine type – a flavor with pre-defined resources per worker node in your cluster
Number of workers – 1 to n based on capacity requirements, and can be scaled up or down after the cluster is running
Private and Public VLAN – choose networks for worker nodes (we’ll create them for you if you don’t have any yet)
Hardware – clusters and worker nodes are always single-tenant and isolated to you, but you can choose the level of isolation to meet your needs (shared workers have multi-tenant hypervisor and hardware whereas dedicated worker nodes are single-tenant down to the hardware level)
See the IBM Cloud documentation for more details on cluster creation.
Once you are satisfied with your selections, click on the Create Cluster button.
To create a cluster from the command line, use the following command:
bx cs cluster-create --name <cluster-name> --location <location> --workers 2 --machine-type u1c.2x4 --hardware shared --public-vlan <public-vlan-id> --private-vlan <private-vlan-id>
Now that the environment is provisioned, you can access it from the IBM Cloud CLI. Download the CLI tool and login to your cluster following the instructions in the Access tab.
Create the namespace for NeuVector:
kubectl create namespace neuvector
Create a secret for pulling the NeuVector container from Docker Hub, filling in your ID, password and email:
kubectl create secret docker-registry regsecret -n neuvector --docker-username=<dockerhub-id> --docker-password=<password> --docker-email=<email>
Note: Please contact firstname.lastname@example.org to request that your Docker Hub ID be added to the NeuVector private registry.
Label the node where you want to deploy the Allinone container. Replace nodename with the node name from ‘kubectl get nodes’:
kubectl label nodes nodename nvallinone=true
Note: the Enforcer container will automatically be deployed on the other nodes in your cluster.
Create a yaml file for the allinone for deploying NeuVector. You can request a sample yaml file from email@example.com. Then create the NeuVector service and pod.
kubectl create -f allinone.yaml
Verify that everything is running:
kubectl get all -n neuvector
If you haven’t already deployed some sample applications, now is a good time to do that so that you’ll be able to see application containers running and their connections in NeuVector.
After generating test traffic through your sample apps, log into the NeuVector console. You’ll need to connect to the public IP address of your cluster node, using the random port assigned by the Kubernetes NodePort service. To find that port:
kubectl get svc -n neuvector
In the output, note the NodePort shown in the PORT(S) column for the NeuVector console service (the number after the colon).
You can now log in to the NeuVector console at that public IP address and port with the default credentials ‘admin’ / ‘admin’.
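As an added example (not from the original post or from NeuVector), the steps above as one script: it runs the kubectl commands in order and then pulls the NodePort out of the `kubectl get svc` table so you know which port to open in the browser. It assumes kubectl is already logged into the cluster (Access tab) and allinone.yaml is in the working directory; the service names and addresses in the sample output are constructed.

```shell
#!/bin/sh
# Added example, not NeuVector's own tooling. Automates the deployment steps
# from this post and locates the console NodePort. Assumes kubectl is already
# pointed at the IBM Cloud cluster and allinone.yaml is in the current directory.
set -eu

NS=neuvector

# Extract the NodePort from `kubectl get svc` table output. A NodePort mapping
# appears in the PORT(S) column as "<port>:<nodeport>/TCP"; we scan every field
# so the function works whether or not the TYPE column is present, and print
# the number between ':' and '/' for the first service that has one.
nodeport_from_svc() {
    # $1: full text of `kubectl get svc -n neuvector`
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^[0-9]+:[0-9]+\/(TCP|UDP)/) { split($i, p, /[:\/]/); print p[2]; exit } }'
}

# Constructed sample in the shape `kubectl get svc -n neuvector` prints.
SAMPLE_SVC='NAME                       TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)               AGE
neuvector-svc-controller   ClusterIP   10.10.10.5    <none>        18300/TCP,18301/TCP   2m
neuvector-service-webui    NodePort    10.10.10.42   <none>        8443:31443/TCP        2m'

# Run the post's kubectl steps in order.
deploy_neuvector() {
    # $1: node to host the Allinone (from `kubectl get nodes`)
    # $2, $3, $4: Docker Hub ID, password and email for the pull secret
    kubectl create namespace "$NS"
    kubectl create secret docker-registry regsecret -n "$NS" \
        --docker-username="$2" --docker-password="$3" --docker-email="$4"
    kubectl label nodes "$1" nvallinone=true
    kubectl create -f allinone.yaml
    kubectl get all -n "$NS"
}

if [ "$#" -eq 4 ]; then
    deploy_neuvector "$@"
    PORT=$(nodeport_from_svc "$(kubectl get svc -n "$NS")")
    echo "NeuVector console: https://<public-node-ip>:${PORT}"
else
    echo "Usage: $0 <nodename> <dockerhub-id> <password> <email>" >&2
    echo "Sample NodePort parsed from constructed output: $(nodeport_from_svc "$SAMPLE_SVC")"
fi
```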
Feel free to browse the console, view Network Activity, the Policy Rules and other Resources.
IBM Cloud Container Service makes it easy to set up a Kubernetes cluster to host your containerized applications. When running such applications in production, security is required to ensure that applications are safe and communicating properly. NeuVector provides that run-time security in any cloud environment, combining a Layer 7 firewall, host and container process monitoring, and vulnerability scanning in one solution. You can request a demo and access to the download by contacting NeuVector at firstname.lastname@example.org.