Expose NeuVector services
This document (000020922) is provided subject to the disclaimer at the end of this document.
Situation
By default, our deployment example YAML includes these services for completeness, but services that are not required should be excluded to limit exposure and reduce complexity. The following internal services are always required (they are not exposed externally): neuvector-svc-crd-webhook, neuvector-svc-admission-webhook and neuvector-svc-controller.
How services are exposed depends on your cluster setup. It is good practice to expose the WebUI service through an ingress. The ingress annotations needed to connect to the backend service differ by ingress provider and by how the backend is configured.
- By default, the NeuVector Manager WebUI service runs over SSL with a self-signed certificate. You can configure the ingress to use SSL passthrough, which means the self-signed WebUI certificate is the one presented to clients. There is an option to replace the self-signed certificate with a real certificate. The steps can be found here --> https://open-docs.neuvector.com/configuration/console/replacecert
- You can also use the ingress to front the WebUI service with your own certificate and disable the WebUI SSL. Instructions to do this are found here --> https://open-docs.neuvector.com/configuration/console#enabling-http-for-manager
- Lastly, you can enable what is commonly called end-to-end TLS, where both the ingress and the WebUI run over SSL. The ingress must then communicate with the backend WebUI service over the SSL protocol. If the self-signed certificate continues to be used, the ingress must be able to accept self-signed certificates (an option often called tls-skip-verify).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  name: neuvector-webui-ingress
  namespace: neuvector
spec:
  rules:
  - host: ui.nvlab.domain.co
    http:
      paths:
      - backend:
          serviceName: neuvector-service-webui
          servicePort: 8443
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - ui.nvlab.domain.co
    secretName: ui.nvlab
The Federation Master, Federation Worker/REST API service can follow the same pattern of exposure.
[NOTE] The above annotation is for ingress-nginx with default annotations-prefix setting. (See https://kubernetes.github.io/ingress-nginx/user-guide/cli-arguments/ for more details.)
[NOTE] Kong Ingress requires the service to have a specific annotation in order to communicate over SSL with it. (See https://github.com/Kong/kubernetes-ingress-controller/issues/69#issuecomment-725835072 for details.)
❯ k get svc neuvector-service-webui -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    konghq.com/protocol: https <========
  ...
  name: neuvector-service-webui
...
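As an added example (not from this KB or the NeuVector project), the check below lints an Ingress/Service pair against the three exposure modes described above, for both the ingress-nginx and Kong cases. The manifests are embedded as constructed dicts mirroring the KB's YAML so it runs offline; the function name and the use of the ingress-nginx ssl-passthrough annotation are this example's own assumptions.

```python
# Added example: consistency check for a NeuVector WebUI Ingress/Service pair.
# Manifests are constructed dicts (mirroring the KB YAML), so no PyYAML or cluster is needed.

NGINX_PROTO = "nginx.ingress.kubernetes.io/backend-protocol"
NGINX_PASSTHROUGH = "nginx.ingress.kubernetes.io/ssl-passthrough"  # assumed: passthrough mode
KONG_PROTO = "konghq.com/protocol"  # Service annotation Kong needs to reach a TLS backend

# Constructed sample: the KB's ingress-nginx end-to-end TLS ingress.
INGRESS = {
    "apiVersion": "extensions/v1beta1", "kind": "Ingress",
    "metadata": {"name": "neuvector-webui-ingress", "namespace": "neuvector",
                 "annotations": {NGINX_PROTO: "HTTPS"}},
    "spec": {
        "rules": [{"host": "ui.nvlab.domain.co", "http": {"paths": [
            {"path": "/", "pathType": "ImplementationSpecific",
             "backend": {"serviceName": "neuvector-service-webui", "servicePort": 8443}}]}}],
        "tls": [{"hosts": ["ui.nvlab.domain.co"], "secretName": "ui.nvlab"}],
    },
}
# Constructed sample: the WebUI Service without the Kong annotation.
SERVICE = {"apiVersion": "v1", "kind": "Service",
           "metadata": {"name": "neuvector-service-webui", "namespace": "neuvector",
                        "annotations": {}}}


def check_webui_exposure(ingress, service, webui_ssl=True, controller="nginx"):
    """Return findings (empty list = consistent) for the exposure modes in the KB.

    webui_ssl:  True while the Manager still serves TLS itself (the default).
    controller: "nginx" (ingress-nginx, default annotation prefix) or "kong".
    """
    findings = []
    ann = ingress["metadata"].get("annotations") or {}
    svc_ann = service["metadata"].get("annotations") or {}
    spec = ingress.get("spec", {})
    if not spec.get("tls"):  # no TLS at the edge: logins would cross the network in clear text
        findings.append("no spec.tls: the WebUI would be reachable over plain HTTP")
    for rule in spec.get("rules", []):  # every path must point at the WebUI service itself
        for path in rule.get("http", {}).get("paths", []):
            if path.get("backend", {}).get("serviceName") != service["metadata"]["name"]:
                findings.append(f"path {path.get('path')} does not target the WebUI service")
    passthrough = ann.get(NGINX_PASSTHROUGH) == "true"
    if webui_ssl and controller == "nginx" and not passthrough and ann.get(NGINX_PROTO, "").upper() != "HTTPS":
        findings.append("WebUI serves TLS but ingress-nginx would speak plain HTTP to it "
                        f"(set {NGINX_PROTO}: \"HTTPS\" or enable ssl-passthrough)")
    if webui_ssl and controller == "kong" and svc_ann.get(KONG_PROTO) != "https":
        findings.append(f"Kong needs {KONG_PROTO}: https on the Service to reach the TLS WebUI")
    if not webui_ssl and ann.get(NGINX_PROTO, "").upper() == "HTTPS":
        findings.append("WebUI TLS is disabled but backend-protocol is HTTPS: ingress cannot reach it")
    return findings
```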
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020922
- Creation Date: 17-Jan-2023
- Modified Date:18-Jan-2023
- SUSE NeuVector
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com