Exposing NeuVector external facing services
This document (000020892) is provided subject to the disclaimer at the end of this document.
By default, our deployment example YAML will include these services for completeness but not required services should be excluded to limit exposure and reduce complexity. The following internal services are always required (not exposed externally): neuvector-svc-crd-webhook, neuvector-svc-admission-webhook, and neuvector-svc-controller.
How services are exposed depends on your cluster setup. It is good practice to expose the WebUI service through ingress. Depending on ingress provider, different ingress annotations will be needed to connect to the backend service depending on how the backend is setup.
- By default, NV Manager webui service is running over SSL with a self-signed certificate. You can configure the ingress to use ssl passthrough which means the self-signed WebUI certificate will be exposed. There is an option to replace the self-signed certificate with a real certificate. The steps can be found here --> https://docs.neuvector.com:1594/configuration/console/replacecert
- You can also use the ingress to front WebUI service with your own certificate and disable the WebUI SSL. Instructions to do this is found here --> https://docs.neuvector.com:1594/configuration/console#enabling-http-for-manager
- Lastly, you can enabled what's commonly called end-to-end TLS where both the ingress and the WebUI is running over SSL, the ingress will have to communicate with the backend WebUI service via SSL protocol. If the self-signed certificate continues to be used, the ingress must be able to accept self-signed certs or often called tls-skip-verify.
- Here's an example ingress definition for ingress-nginx for NeuVector's WebUI Service with end-to-end TLS.
apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" name: neuvector-webui-ingress namespace: neuvector spec: rules: - host: ui.nvlab.domain.co http: paths: - backend: serviceName: neuvector-service-webui servicePort: 8443 path: / pathType: ImplementationSpecific tls: - hosts: - ui.nvlab.domain.co secretName: ui.nvlab
The Federation Master, Federation Worker/REST API service can follow the same pattern of exposure.
[NOTE] The above annotation is for ingress-nginx with default annotations-prefix setting. (See https://kubernetes.github.io/ingress-nginx/user-guide/cli-arguments/ for more details.)
[NOTE] Kong Ingress requires the service to have a specific annotation in order to communicate over SSL with it. (See https://github.com/Kong/kubernetes-ingress-controller/issues/69#issuecomment-725835072 for details.)
❯ k get svc neuvector-service-webui -o yaml apiVersion: v1 kind: Service metadata: annotations: konghq.com/protocol: https <======== ... name: neuvector-service-webui ...
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020892
- Creation Date: 14-Dec-2022
- Modified Date:11-Jan-2023
- SUSE NeuVector
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com