August 19, 2021 By Laura Bennett, Shikha Maheshwari, Chris Rosen

Step-by-step instructions to integrate NeuVector with the IBM Cloud Kubernetes Service to provide complete runtime container security.

Container technology makes it easy to deploy applications in the cloud, and Kubernetes is one of the popular choices for deploying containerized applications. But in this new and ever-changing container and microservices world, container security is critical. Vulnerabilities in applications residing within a container can be exploited if the right protections are not in place. This tutorial demonstrates how NeuVector integrates with the IBM Cloud Kubernetes Service to provide complete runtime container security for your production Kubernetes workloads.

NeuVector is a cloud-native container firewall for monitoring and protecting Kubernetes container deployments in production. The NeuVector solution consists of security containers that can be deployed on each node, much as you deploy your applications using Kubernetes. For evaluation purposes, NeuVector makes an Allinone container and an Enforcer container available.

Prerequisites

Steps

Step 1: Create a Kubernetes cluster in IBM Cloud

  1. Log into your IBM Cloud account. Select Kubernetes from the Navigation Menu.
  2. On the Kubernetes Overview page, select Create a Cluster.
  3. To create a cluster, set the following parameters:
    • Select Standard from the list of pricing plans.
    • Within the Orchestration services section, select the most current version of Kubernetes (if you are presented with a choice).
    • If you are offered Infrastructure options, choose Classic.
    • If you are offered Location choices, keep the default options that are prefilled.
    • If you are offered Worker pool choices to set up the number of worker nodes for your workload, leave it at the default number (this can be resized later).
    • Within the Resource details section, enter a name for your cluster.
    • In the Summary pane, review the order summary and then click Create.
  4. Worker nodes can take a few minutes to provision, but you can see the progress in the Worker nodes tab. When the status reaches Ready, you can start working with your cluster. See the Getting started with IBM Cloud Kubernetes Service documentation for more details about cluster creation.

You can also create a cluster from the command line by using the following IBM Cloud CLI command:

ibmcloud ks cluster create classic --name my_cluster

Step 2: Access the Kubernetes cluster

Now that the cluster is provisioned, you can access it from the IBM Cloud CLI tool that you downloaded in the Prerequisites.

Go to the IBM Cloud Dashboard, click on Clusters under the Resource Summary section, then click on the name of the cluster that you created in Step 1. Then click on Actions > Connect via CLI.

The dialog lists the instructions to be performed. Follow them in the terminal to do the following:

  • Log into your cluster.
  • Set the Kubernetes context to your cluster.
  • Verify that you can connect to your cluster.

Step 3: Deploy NeuVector onto your Kubernetes cluster

3.1: Create a NeuVector service instance using IBM Cloud

Create an instance of the NeuVector Container Security Platform using the IBM Cloud Catalog.

Provide a service name of your choice and click on Create.

Once the service is created, go to IBM Cloud Dashboard > Resource Summary section > Services and Softwares and click on the name of the NeuVector service you created. This takes you to the page for managing the NeuVector service instance.

Go to the Deployment section and execute the steps listed under Deploying the NeuVector Platform on an IBM Cloud IKS cluster. You are asked to download two configuration files, including the secret manifest and the Helm values. Download them to the current working directory, copy the steps below into a single bash script, and run the script to execute all the steps in one go:

Note: Replace the IC_IKS_CLUSTER_ID value in the script below with your cluster ID. To get your cluster ID, you can use the command ibmcloud ks cluster ls | grep <cluster-name>.

# To get your cluster ID:
# ibmcloud ks cluster ls | grep <cluster-name>

# Set IKS cluster id (e.g. c1cd1i4xxxj1v6g)
IC_IKS_CLUSTER_ID=c1cd1i4xxxj1v6g

# Download the cluster's admin kubeconfig and make it the current context
ibmcloud ks cluster config --admin --cluster "$IC_IKS_CLUSTER_ID"

# Ingress hostname of the cluster (nested key first, then the flat key)
IC_IKS_INGRESS_DOMAIN=$(ibmcloud ks cluster get --cluster "$IC_IKS_CLUSTER_ID" --json | python -c "import json,sys;obj=json.load(sys.stdin);print((obj['ingress']['hostname'] if 'ingress' in obj and 'hostname' in obj['ingress'] else (obj['ingressHostname'] if 'ingressHostname' in obj else '')));")
echo "$IC_IKS_INGRESS_DOMAIN"

# Name of the ingress secret, looked up the same way
IC_IKS_INGRESS_SECRET_NAME=$(ibmcloud ks cluster get --cluster "$IC_IKS_CLUSTER_ID" --json | python -c "import json,sys;obj=json.load(sys.stdin);print((obj['ingress']['secretName'] if 'ingress' in obj and 'secretName' in obj['ingress'] else (obj['ingressSecretName'] if 'ingressSecretName' in obj else '')));")
echo "$IC_IKS_INGRESS_SECRET_NAME"

# Confirm kubectl points at the intended cluster before changing anything
kubectl config current-context
kubectl get pod --all-namespaces

kubectl create namespace neuvector

# Apply the downloaded secret manifest
kubectl apply -n neuvector -f ./neuvector-secret-registry.yaml

# NeuVector image tag to deploy
NV_VERSION=4.2.2

# --atomic rolls the release back if the install fails; --wait blocks until resources are ready
helm install \
    'neuvector-core' \
    'core' \
    --repo 'https://neuvector.github.io/neuvector-helm/' \
    --namespace neuvector \
    --values ./neuvector-helm.yaml \
    --set "manager.ingress.host=neuvector.${IC_IKS_INGRESS_DOMAIN}" \
    --set "manager.ingress.secretName=${IC_IKS_INGRESS_SECRET_NAME}" \
    --set "tag=${NV_VERSION}" \
    --atomic --wait

After all steps execute successfully, the output gives you the URL to access the NeuVector WebUI: https://neuvector.${IC_IKS_INGRESS_DOMAIN}.
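The two ingress lookups in the script above print an empty string when the keys are absent, and that empty value is then passed straight to helm install. The following pre-flight check is an added example, not part of the original tutorial or of IBM's or NeuVector's code; it fails closed instead. The function names, the file name preflight.py and the sample JSON documents are assumptions made for illustration.

```python
import json
import re
import sys

# Hostname: dot-separated labels of letters, digits and hyphens, max 253 chars.
_HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
# Kubernetes object names (the TLS secret) are DNS subdomain names.
_NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?$")


def ingress_settings(cluster_json: str) -> dict:
    """Return the manager host and TLS secret name, or raise ValueError."""
    obj = json.loads(cluster_json)
    ingress = obj.get("ingress") or {}
    # Same keys as the tutorial's one-liners: nested first, then the flat
    # keys. An empty nested value also falls through to the flat key.
    host = (ingress.get("hostname") or obj.get("ingressHostname") or "").lower()
    secret = ingress.get("secretName") or obj.get("ingressSecretName") or ""
    if not _HOST_RE.match(host):
        raise ValueError(f"missing or malformed ingress hostname: {host!r}")
    if not _NAME_RE.match(secret):
        raise ValueError(f"missing or malformed ingress secret name: {secret!r}")
    return {"host": f"neuvector.{host}", "secret": secret}


def helm_set_args(settings: dict) -> list:
    """Build the two --set arguments used by the helm install step."""
    return [
        "--set", f"manager.ingress.host={settings['host']}",
        "--set", f"manager.ingress.secretName={settings['secret']}",
    ]


# Constructed sample documents (not real cluster output).
SAMPLE_NESTED = '{"ingress": {"hostname": "mycluster-0000.us-south.example.cloud", "secretName": "mycluster-0000"}}'
SAMPLE_LEGACY = '{"ingressHostname": "mycluster-0000.us-south.example.cloud", "ingressSecretName": "mycluster-0000"}'
SAMPLE_NOT_READY = '{"name": "my_cluster", "ingress": {"hostname": "", "secretName": ""}}'

if __name__ == "__main__":
    # ibmcloud ks cluster get --cluster "$IC_IKS_CLUSTER_ID" --json | python3 preflight.py
    try:
        print(" ".join(helm_set_args(ingress_settings(sys.stdin.read()))))
    except ValueError as err:
        sys.exit(f"refusing to continue: {err}")
```

Run it before helm install; a non-zero exit means the cluster JSON did not contain usable ingress values and the deployment should not proceed.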

3.2: Apply NeuVector license

Access the URL provided after successful deployment and log in to NeuVector using the default credentials admin/admin:

  • Accept the End User License Agreement by clicking Accept.
  • You will see the following in the bottom-right corner:
  • You can click on it to change the password. It will take you to the Profile Settings. Click on Edit Profile. Provide the current password and the new password, then click Save.
  • Log in again with the new password.
  • Next, add the license key. Navigate to the License section as shown below and copy the license key:
  • Log in to NeuVector and navigate to Settings > License. Paste the copied license key in the License Code box and click Activate.

Now you are all set to use NeuVector with your IBM Cloud Kubernetes Service Cluster.

Summary

The IBM Cloud Kubernetes Service makes it easy to set up a Kubernetes cluster to host your containerized applications. When running such applications in production, security is required to ensure that the applications are safe and communicating properly. NeuVector provides that runtime security in any cloud environment, with a Layer 7 firewall, host and container process monitoring, and a vulnerability scanning solution. You can request a demo and access to the download by contacting NeuVector at info@neuvector.com.
