This article was written by Hridyesh Singh Bisht, Technical Writer on the SUSE Documentation Team.

Modern Kubernetes environments evolve rapidly, containers start and stop within seconds, workloads scale dynamically, and network connections shift constantly. Traditional firewalls and intrusion prevention systems aren’t designed for this.

NeuVector, the open-source, Kubernetes-native container security platform that powers SUSE Security, automates defense across dynamic environments. It enforces a Zero Trust model at the container level and integrates directly into your DevSecOps pipeline.

This article explains how NewVector helps you manage vulnerability and compliance across the entire container lifecycle, from image build to runtime. It focuses on how NeuVector integrates with your CI/CD pipeline, continuously updates its vulnerability database using the Updater component, and enforces compliance through admission control and CIS benchmark checks.

Containerized apps with NeuVector

Containerized applications introduce challenges that can’t be solved by traditional endpoint or network security:

• Containers communicate over ephemeral internal networks.
• Images from public registries might include known vulnerabilities.
• Runtime behavior is dynamic, threats can hide in normal-looking traffic.
• Compliance checks are often manual and disconnected from pipelines.

Securing the container lifecycle

NeuVector aligns with the three main phases of DevSecOps: build, deploy, and run.

How NeuVector helps containerized solutions

CI/CD integrations

• CI plugins: The Jenkins plugin supports triggering image scans locally on the Jenkins machine or remotely against a registry (Controller & Scanner mode). Similarly, extensions exist for Azure DevOps, GitLab, and GitHub Actions to fail builds if vulnerability thresholds are exceeded.
• Policy as Code (CRD): Security policies can be exported from NeuVector as Kubernetes Custom Resource Definition (CRD) YAML files.
• Fleet and GitOps: You can automate policy propagation between clusters using Rancher Fleet.

Architecture & components

Components of NeuVector architecture

The following table describes the components of the NeuVector architecture.

Multi-Cluster / Federation

In addition, NeuVector’s Federation model supports centralized management across clusters.

• Centralized Policy Management: The Primary cluster can define and push Federated Rules down to all joined Remote clusters.
• Distributed Scanning Efficiency: The Primary cluster can scan centralized registries (designated as Federated Registries). The resulting scan data (vulnerabilities) is then automatically synchronized to all Remote clusters.
• Deployment Note: There must be network connectivity between the Controllers in each cluster on the required ports for federation to function.

Planning & deployment

The recommended deployment method for Kubernetes environments is using the NeuVector Helm chart. This supports platforms like standard Kubernetes, RKE2, and K3s. In essence, Helm not only allows you to declaratively manage configurations, but also to apply upgrades and customize component placement through values.yaml.

Node placement and scheduling

Proper scheduling ensures NeuVector’s stability, performance, and resilience across your Kubernetes environment. Thus, careful placement using Kubernetes scheduling features is crucial for stability and resource management.

• Enforcer Placement: Deploy the Enforcer via a DaemonSet on every host/node where application containers are running, including master or infra nodes if they host workloads to be monitored.
• Controller Placement (HA): Deploy three Controllers (an odd number is required for leader election) for High Availability (HA). Controllers are critical, and customers often place them on dedicated management nodes or master nodes using Taints and Tolerations.
• Manager/Scanner Placement: These can run on any node, but often share space with Controllers. Node selectors and affinities in the Helm chart can control deployment locations.

So, in the Coffee Shop application, each node hosting orders, payments, or inventory services gets an Enforcer pod:

Compliance & vulnerability management

• Nightly CVE Updates: The Updater container automatically fetches the latest CVE database each night.
• Scanner Image Refresh: NeuVector regularly publishes new Scanner images that include updated vulnerability definitions.
• Automated Scanner Rollout: When a new scanner version is available, the Updater redeploys all Scanner pods by briefly scaling their deployment to zero, then back up again. This forces Kubernetes to pull the latest image automatically, ensuring the most recent CVE data is always in use without manual intervention.

This mechanism keeps all image, runtime, and node scans aligned with the latest known vulnerabilities.

Vulnerability scanning

• Registry Scanning: Scans images in Docker Hub, Harbor, AWS ECR, Azure ACR, and GHCR.
• Build-Time Scanning: Integrates with Jenkins, GitLab CI, and Azure DevOps to detect issues early.
• Runtime and Node Scanning: Identifies vulnerabilities in running containers and host nodes.

Consequently, NeuVector correlates all scan results in the Security Risks dashboard, offering a single view of your cluster’s security posture.

Admission control

• contain high-severity CVEs with available fixes.
• use unsigned or unscanned images.
• violate Pod Security Admission (PSA) rules.

Generally, admission control rules operate strictly in two modes:

• Monitor: Alerts users of any anomalous behavior and detects runtime violations of your security policy
• Protect: Blocks anomalous behavior and any networks that are detected

Note: Discover mode is used for learning and identifying network connections. It automatically builds a whitelist of network rules to protect normal behavior. In fact, this is typically used in Dev/Staging environments.

Managing compliance and CIS benchmarks

NeuVector automates compliance checks using built-in and custom benchmark templates. It supports Kubernetes, Docker, GKE, and OpenShift (draft) CIS benchmarks and provides templates for PCI-DSS, GDPR, and HIPAA frameworks.

Consequently, the results appear in the Compliance and Security Risks dashboards for reporting and remediation.

Monitoring and managing vulnerabilities

NeuVector provides multiple interfaces and APIs to manage vulnerabilities and compliance across your workloads:

• Dashboard: Displays a Security Risk Score that reflects workload posture using metrics like ingress/egress risk, privilege escalation, admission control violations, and CVE count.
• Assets Menu: Shows vulnerability and compliance results for registries, nodes, and containers.
• Security Risks Menu: Consolidates registry, node, and container scan results along with compliance checks for unified reporting.
• Notifications → Risk Reports: Displays historical scan events and remediation trends.
• Response Rules: Automate actions such as sending webhooks, triggering alerts, or quarantining containers based on scan results.
• REST API: Enables automation of scan triggers, policy queries, and result collection.
• SYSLOG and Webhook Alerts: Stream alerts and scan results to SIEM tools for enterprise integration.

Example coffee shop CI/CD pipeline

Let’s revisit the coffee shop microservices example to see how NeuVector secures the deployment lifecycle.

1. Code Push: A developer pushes a new image (coffee-order-service:v2) to GitHub Container Registry.
2. Build Scan: Jenkins triggers NeuVector to scan the image. If more than five high-severity CVEs are detected, a violation flag is raised.
3. Admission Control: During deployment, NeuVector’s webhook validates the image.
   • Blocked: If in Protect mode and policy violations exist.
   • Allowed: If compliant.
4. Runtime Protection: The Enforcer ensures the service only communicates with approved components such as payments and order-db.

Best Practices

• Automate scans in CI/CD: Integrate NeuVector scanners into Jenkins, GitHub Actions, or GitLab CI pipelines.
• Use signed images: Enforce container image signing and verification through Admission Control.
• Regularly update CVE database: Schedule Updater jobs to ensure the Scanner uses the latest vulnerability data.
• Centralize policy management: Use Federation mode for consistent Admission Control and scanning policies across clusters.

When NeuVector is the right choice

All in all, NeuVector is best suited for dynamic, large-scale Kubernetes environments that require continuous scanning, compliance automation, and real-time runtime protection.

Specifically, some key benefits are:

• Kubernetes-Native Security: Integrates directly with Kubernetes APIs to protect workloads at every stage of the lifecycle.
• Adaptive Security Policies: Automatically updates declarative network and process policies as deployments scale or change.
• Centralized Federation: Provides unified visibility and policy control across multi-cluster environments.
• Broad Platform Support: Validated on EKS, AKS, GKE, and Red Hat OpenShift; includes support for GKE CIS Benchmarks.
• Behavioral Learning: In Discover mode, NeuVector builds a whitelist of expected network, process, and file activities for each service group.
• Zero-Drift Protection: For hardened containers, NeuVector enforces a strict allow-list of processes based on the parent image to prevent unauthorized changes.
• Compliance Automation: Automatically runs CIS Benchmarks for Kubernetes, Docker, OpenShift, and GKE, and supports reporting for PCI, GDPR, and HIPAA.
• Shift-Left Security: Integrates into CI/CD pipelines to detect vulnerabilities early and enforce policy compliance.
• Admission Control: Blocks insecure deployments based on configurable rules, such as high CVE counts, unsigned images (Sigstore/Cosign), or PSA violations.
• Policy as Code: Exports discovered security rules (Network, Process, DLP/WAF, Admission Control) as CRDs for versioning and GitOps workflows.
• Build-Phase Scanning: Integrates with CI tools like Jenkins, Azure DevOps, GitHub Actions, and CircleCI to fail builds if vulnerability thresholds are exceeded.

In Docker Native or Swarm setups, key Kubernetes-dependent features like Admission Control, CRDs, and automated deployment are unavailable. For such environments, use the All-in-One container for limited protection without full platform features.