kubeconfig.awscurleksctlhelm (v3 or greater)⚠ NOTE: You may need to add --profile or --region arguments to your aws or eksctl commands, as required for your environment.
Your EKS cluster is required to have an OIDC provider installed. To check for an OIDC provider first find the OIDC issuer with the following command. Substitute $CLUSTER_NAME with the Name of your EKS cluster:
aws eks describe-cluster --name $CLUSTER_NAME --query cluster.identity.oidc.issuer --output text
A URL is returned, like https://oidc.eks.region.amazonaws.com/id/1234567890ABCDEF. The part after https:// will be referred to in later instructions as the OIDC Provider Identity (e.g. oidc.eks.region.amazonaws.com/id/1234567890ABCDEF). The final section of the URL, 1234567890ABCDEF, is the $OIDC_ID.
Using the id of the issuer found above you can check if a provider is installed with the following command:
aws iam list-open-id-connect-providers | grep $OIDC_ID
If there is no output, you will need to create an OIDC provider:
eksctl utils associate-iam-oidc-provider --cluster $CLUSTER_NAME --approve
To provide the necessary permissions, an IAM role and an attached policy are required. The role name is passed as an argument during the helm deployment.
Create the role with a role name of your choosing (for example, neuvector-csp-iam-role), and the required policy attached to it:
eksctl create iamserviceaccount \
--namespace neuvector --cluster $CLUSTER_NAME \
--role-name $ROLE_NAME --role-only \
--attach-policy-arn 'arn:aws:iam::aws:policy/AWSMarketplaceMeteringFullAccess' \
--name csp \
--approve
Create a file named userinitcfg.yaml in your current working directory, with the following template, where:
$PASSWORD is the initial password for the admin account.
⚠ The password is required to contain at least 8 characters, at least 1 uppercase character, at least 1 lowercase character and at least 1 number.
users:
- Fullname: admin
Password: $PASSWORD
Role: admin
Deploy this config to your EKS cluster:
kubectl create namespace neuvector
kubectl create secret generic neuvector-init \
--from-file=userinitcfg.yaml -n neuvector
This step is mandatory: the admin user will not be created unless configured with a user-specified password, making the NeuVector deployment unmanageable.
Log helm into the AWS Marketplace ECR, to fetch the application. Note that the AWS Marketplace ECR is always in the us-east-1 region:
export HELM_EXPERIMENTAL_OCI=1
aws --region us-east-1 ecr get-login-password \
| helm registry login --username AWS \
--password-stdin 709825985650.dkr.ecr.us-east-1.amazonaws.com
Install Neuvector into your cluster using helm. Customize your helm installation values if needed:
helm install -n neuvector neuvector --create-namespace \
oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/suse/{{repository}}/core \
--version {{chart_version}} \
--set global.aws.accountNumber=$AWS_ACCOUNT_ID \
--set global.aws.roleName=$ROLE_NAME
The manager service type was set to Load Balancer during install. An external hostname has been assigned for accessing the NeuVector console. By default this URL is accessible from the internet. However, your organization may have placed additional restrictions on external access to your cluster. To retrieve details about the load balancer use the following command:
kubectl get svc -n neuvector neuvector-service-webui
The full dashboard url can be retrieved with the following commands:
SERVICE_IP=$(kubectl get svc --namespace neuvector neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")
echo https://$SERVICE_IP:8443
This will print out a URL that looks like:
https://a1234abcde12345678a12arbc12a1-09876543210.us-west-2.elb.amazonaws.com:8443
This URL provides access to the NeuVector console which is running by default on port 8443.
The NeuVector scanner image is updated daily with a new CVE database. These updates are found on the NeuVector Docker hub registry. It is recommended that the image path be changed to allow for automated daily updates. This can be accomplished by modifying the scanner and updater image paths after successful deployment:
kubectl set image -n neuvector deploy/neuvector-scanner-pod \
neuvector-scanner-pod=docker.io/neuvector/scanner:latest
kubectl set image -n neuvector cronjob/neuvector-updater-pod \
neuvector-updater-pod=docker.io/neuvector/updater:latest
Once logged in, you can begin to navigate and configure NeuVector.
For further information see the AWS Marketplace Billing doc and official Neuvector documentation.