Protecting Kubernetes and OpenShift Workloads with NeuVector

Business is moving to container infrastructures, which has created just as many new challenges as it has opportunities.

This tutorial will guide you through deploying NeuVector on IBM Cloud and leveraging that solution within your Red Hat OpenShift on IBM Cloud cluster. Let’s dive in!

IBM and NeuVector

IBM partnered with NeuVector to bring their full lifecycle container security — from CI/CD pipeline to production — to the IBM Cloud catalog:

NeuVector enables enterprises to secure container and Kubernetes environments throughout the full application lifecycle. Deployed as a container firewall, NeuVector delivers the defense-in-depth capabilities to defeat even zero-day attacks and threats with unknown origin. Through behavioral learning, Security-as-Code and continually added capabilities like compliance templates and serverless security, NeuVector identifies vulnerabilities and abnormal behavior to neutralize all threats while automating security throughout the CI/CD pipeline and at run-time. NeuVector’s Kubernetes-native, end-to-end container security solution is now available to IBM Cloud customers through the IBM Cloud Catalog.

NeuVector protects production workloads and hosts

Detects and prevents

  • Vulnerability exploits
  • Zero-day attacks
  • Embedded malware
  • Insider, phishing attacks

Learns, allowlists and blocks

  • Unauthorized network connections
  • Unauthorized processes
  • Unauthorized file access

Deploying your NeuVector instance in IBM Cloud

  1. Log into IBM Cloud.
  2. Navigate to the Catalog and search for NeuVector, clicking on their tile.
  3. You can select a Lite instance (which will provide a free trial for 14 days applicable to 10 nodes) or a Standard Subscription (which provides full run-time security and optionally multi-cluster management). Provide the desired name for this instance. Click Create to proceed:

Using NeuVector with IBM Cloud Kubernetes Service

When deploying NeuVector to IBM Cloud Kubernetes Service, follow the instructions on the landing page that appears once the NeuVector instance is created:

Using NeuVector with Red Hat OpenShift on IBM Cloud

  1. When deploying NeuVector to the Managed OpenShift Service, follow the instructions linked lower in the instance landing page.
  2. We’ll use the OpenShift Operator model:
  3. Create the NeuVector project:
    oc new-project neuvector
  4. Back on the NeuVector instance landing page, download the Kubernetes secret manifest and apply that configuration:
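  5. Now go back to the NeuVector docs page and run the following from the CLI once you are authenticated to the correct server. The second command grants the privileged security context constraint (SCC) to the default service account in the neuvector namespace: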
    oc login -u system:admin
    
    oc -n neuvector adm policy add-scc-to-user privileged -z default
  6. From the IBM Cloud console, navigate to the OpenShift cluster that you have been working on and open the OpenShift console:
  7. Expand Operators > OperatorHub and search for NeuVector. The community version of the operator will use the latest and greatest from NeuVector (i.e., 4.3.0), whereas the certified operator may use an older version (i.e., 4.2.1):
  8. We’ll use the certified operator to install the latest. The instruction page includes the same prerequisite steps for installing the operator to your Red Hat OpenShift on IBM Cloud cluster. Click Install after verifying the cluster’s readiness:
  9. Ensure that you specify the neuvector namespace for installation and then click Install. After completion, select View Operator:
  10. On the Details tab, select Create instance:
  11. Update the name of the deployment, if desired. Click Create:
  12. Navigate to Workloads > Pods to validate the NeuVector pods are running:
  13. Alternatively, check the pod status from the CLI with oc get pods -n neuvector:
  14. Check the health under Networking > Services:
  15. Then view the NeuVector web UI under Networking > Routes. Click on the link under Location:
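
The pod check in step 13 can be turned into a pass/fail gate before you open the web UI. The script below is an added example, not part of the original tutorial or NeuVector's tooling; the function name `nv_unready_pods` and the sample pod rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: readiness gate for the NeuVector pods from step 13.

# Reads `oc get pods --no-headers` rows on stdin
# (columns: NAME READY STATUS RESTARTS AGE), prints every pod that is
# not Running or not fully ready, and returns 1 if any were found.
nv_unready_pods() {
    awk '
        NF >= 3 {
            # Finished job pods legitimately show 0/1 Completed; skip them.
            if ($3 == "Completed") next
            split($2, ready, "/")
            if ($3 != "Running" || ready[1] != ready[2]) {
                print $1 ": " $3 " (" $2 ")"
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample output; pod names and suffixes are made up.
SAMPLE_PODS='neuvector-controller-pod-aaaa   1/1   Running            0   5m
neuvector-enforcer-pod-bbbb     1/1   Running            0   5m
neuvector-manager-pod-cccc      0/1   Running            0   5m
neuvector-scanner-pod-dddd      0/1   ImagePullBackOff   0   5m'

# Against a live cluster:
#   oc get pods -n neuvector --no-headers | nv_unready_pods
printf '%s\n' "$SAMPLE_PODS" | nv_unready_pods \
    || echo "NeuVector is not fully up yet"
```

A pod that is Running but shows 0/1 has not passed its readiness probe yet, so the gate reports it alongside pods in error states.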

Configuring NeuVector

  1. Regardless of whether you are using the Kubernetes or OpenShift service, bring up the NeuVector console — logging in with the default admin username and password. Accept the EULA to continue:
  2. The first thing I like to do is change the default password under My Profile to something more secure:
  3. Once logged back in (and feeling more secure), grab the license key from the IBM Cloud NeuVector instance page and update the NeuVector console:

Next time, we’ll dig more into the NeuVector console and capabilities, but if you are as excited as I am, then check out the docs now.

Join the conversation

If you have questions or concerns, engage our team via Slack. You can register here and join the discussion in the #general channel on https://ibm-cloud-success.slack.com/.