SUSE Support

Here When You Need Us

Implement less privilege service account for Updater, Scanner, and Manager

This document (000020886) is provided subject to the disclaimer at the end of this document.

Situation

As a security tool, a certain part of the NeuVector system requires a privileged service account. This must be the case for key components like controllers and enforcers. For the other parts of the system, it is possible to use less privileged service accounts for other tasks. Below are steps to implement a less privileged service account for the updater, scanner, and manager.

Resolution

Steps to create roles and bindings (https://open-docs.neuvector.com/deploying/kubernetes#deploy-neuvector #step 4) include the creation of the rolebinding neuvector-admin for the updater. This rolebinding should be updated with the service account neuvector:udater.

 

UPDATER:

kubectl create serviceaccount updater -n neuvector
kubectl delete rolebinding neuvector-admin -n neuvector
kubectl create rolebinding neuvector-admin --clusterrole=admin --serviceaccount=neuvector:updater --serviceaccount=neuvector:default -n neuvector

Update Updater cronjob to reflect the new service account

kubectl patch cronjob neuvector-updater-pod -n neuvector --patch '{"spec":{"jobTemplate": {"spec": {"template": {"spec": {"serviceAccountName": "updater", "serviceAccount": "updater"}}}}}}'

SCANNER and MANAGER:

kubectl create serviceaccount basic -n neuvector
Update Scanner and Manager deployment to reflect the new service account

kubectl patch deploy neuvector-manager-pod -n neuvector --patch '{"spec":{"template": {"spec": {"serviceAccountName": "basic", "serviceAccount": "basic"}}}}'
kubectl patch deploy neuvector-scanner-pod -n neuvector --patch '{"spec":{"template": {"spec": {"serviceAccountName": "basic", "serviceAccount": "basic"}}}}'
Note: No extra bindings are necessary but extra steps are needed for Kubernetes employing PSP or on OpenShift.

PSP:

In addition to the neuvector-binding-psp (https://open-docs.neuvector.com/deploying/kubernetes#deploy-neuvector), the below neuvector-binding-psp-basic needs to be added with less privilege.).  
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: neuvector-binding-psp-basic
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
allowedCapabilities: null
requiredDropCapabilities:
- ALL
volumes:
- '*'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'

---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: neuvector-binding-psp-basic
  namespace: neuvector
rules:
- apiGroups:
  - policy
  - extensions
  resources:
  - podsecuritypolicies
  verbs:
  - use
  resourceNames:
  - neuvector-binding-psp-basic

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: neuvector-binding-psp-basic
  namespace: neuvector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: neuvector-binding-psp-basic
subjects:
- kind: ServiceAccount
  name: basic
  namespace: neuvector
NOTE: PSP policies are matched in the order from top to bottom.  The above PSP policy needs to be at the top of the policy list, or the below commands must be applied to set a runasuser.  More details regarding runasuser can be found here --> https://open-docs.neuvector.com/deploying/kubernetes#deploy-neuvector.
kubectl patch deploy neuvector-manager-pod -n neuvector --patch '{"spec":{"template": {"spec": {"securityContext":{"runAsUser":1000}}}}}'
kubectl patch deploy neuvector-scanner-pod -n neuvector --patch '{"spec":{"template": {"spec": {"securityContext":{"runAsUser":1000}}}}}'

OpenShift:

oc -n neuvector adm policy add-scc-to-user hostaccess -z basic

NOTE: These recommendations are not integrated into the helm chart.  It is necessary to git clone and manually make the changes for implementation.  Please contact NeuVector Support if you have any questions or need further assistance.

Additional Information

Making these changes as of the current release will result in WebUI throwing an error stating 'Kubernetes rolebinding "neuvector-admin" is requested to grant the permission defined in clusterrole "admin" to service account...'. This error can be ignored. Additionally, these steps will not work and do not apply to all-in-one deployments.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020886
  • Creation Date: 07-Mar-2023
  • Modified Date:16-Mar-2023
    • SUSE NeuVector

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center