Complete container security for pods

BLOG

NeuVector: Secure Your Kubernetes Pods with Comprehensive Protection

NeuVector is an open-source container security platform that provides complete run-time protection for containers, pods, and nodes.

Introduction

With the rapid growth of software development and deployment, containerization technologies such as Docker and Kubernetes have become increasingly popular. The growing use of containerized applications calls for strong security measures. Security platforms such as NeuVector are designed to address the challenges that come with applications running inside containers.

NeuVector is an open-source container security platform that provides complete run-time protection for containers, pods, and nodes. It is recognized for scanning at every stage of the container lifecycle, pinpointing the barriers that impede adoption of robust security measures, and incorporating security policies early in development to improve developer flexibility.

Here are some of the features that NeuVector offers as part of security hardening:

  • Automated Docker Bench tests and Kubernetes CIS benchmarks are run to check the security of containerized environments against common best practices for deploying Docker containers.
  • Suspicious activity is detected by observing processes, file system activity, and file access in containers and on hosts. It also identifies instances of privilege escalation.
  • With the Jenkins plugin, it can scan images and registries and enforce admission control rules, which aim to ensure optimal performance and resource utilization.
  • It monitors network traffic to prevent sensitive data loss and to detect common OWASP Top 10 web application attacks.
  • Runtime vulnerability scanning actively checks the application for vulnerabilities while it is running.
  • It learns the normal behavior of the application, builds a whitelist-based policy from it, and then detects violations of that normal behavior.

Getting started with NeuVector

The installation process for NeuVector differs by version and deployment environment, such as Docker or Kubernetes. NeuVector can be installed using Helm, kubectl commands, or Rancher.

NeuVector supports deployment via a Helm chart: https://github.com/neuvector/neuvector-helm

  1. Install Helm, add the NeuVector Helm repository to the Helm configuration, and search for the neuvector core Helm charts.
  2. Navigate to https://github.com/neuvector/neuvector-helm/blob/master/charts/core/values.yaml, copy the values.yaml file, and make the required changes for the deployment. Install the Helm chart from the neuvector/core repository with the values specified in the values.yaml file:

$ helm install neuvector neuvector/core -n neuvector --create-namespace -f values.yaml

  3. Check the pods with the command below:

$ kubectl get pods -n neuvector

Access the NeuVector console from the neuvector-service-webui service at https://<external-ip>:8443, logging in with admin as both the username and the password.

How NeuVector works

NeuVector comprises several security containers: controllers, enforcers, managers, and scanners. A special container called Allinone combines the controller, scanner, enforcer, and manager roles into a single container.

Controller: this container manages the cluster of enforcer containers and provides the REST API. Multiple controllers are recommended for high-availability configurations.

Enforcer: a DaemonSet deployed on every node. It is a lightweight container whose purpose is to enforce security policies.

Manager: a stateless container that provides the web UI console. More than one manager can be deployed as needed.

Scanner: a ReplicaSet that performs vulnerability scanning using its bundled CVE database. It can be scaled out to as many parallel scanners as needed to increase performance.

Updater: the CVE database update container. When NeuVector publishes new scanner images with the latest CVE database, the updater redeploys all scanner pods.
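As an added example (not part of the original post or the NeuVector project), here is a values.yaml for the helm install step above that configures the components just described; the key names are the ones I know from the neuvector/core chart's values.yaml and should be verified against the chart version being installed.

```yaml
# Added example values.yaml for:
#   helm install neuvector neuvector/core -n neuvector --create-namespace -f values.yaml
# Key names assumed from the neuvector/core chart; confirm them for your chart version.

# Controller: three replicas so the REST API and policy management survive the
# loss of one controller pod or node (the high-availability configuration).
controller:
  enabled: true
  replicas: 3

# Enforcer: a DaemonSet, one pod per node, so every node enforces policy.
enforcer:
  enabled: true

# Manager: stateless web UI. A LoadBalancer service makes the console reachable
# at https://<external-ip>:8443; change the default admin password at first login.
manager:
  enabled: true
  svc:
    type: LoadBalancer

cve:
  # Scanner: ReplicaSet that runs vulnerability scans; more replicas scan in parallel.
  scanner:
    enabled: true
    replicas: 2
  # Updater: pulls the latest CVE database on a schedule and redeploys scanner pods.
  updater:
    enabled: true
    schedule: "0 0 * * *"   # assumed: nightly at 00:00 (cron syntax)
```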

NeuVector offers deep network visibility, an important component of runtime container security. Examining container network traffic reveals how the application interacts with other applications and is the only way to stop attacks before they reach the application or workload. NeuVector performs deep packet inspection to find attacks and to identify sensitive data in transit, and its layer 7 container firewall guards applications against DNS and DDoS attacks.

Conclusion

NeuVector's functions work together to give businesses using containerization technology a reliable and flexible security solution. It provides a container security platform that monitors and manages multiple Kubernetes clusters through a single interface, which makes it a good solution for securing applications in a containerized environment. NeuVector safeguards containerized applications throughout their lifecycle by combining proactive methods, such as vulnerability assessment, with real-time monitoring and response mechanisms.

Amrutha Suresh

Amrutha Suresh is an experienced DevOps Engineer renowned for his proficiency in crafting innovative solutions. With a demonstrated history of success in the Information Technology and Services industry, he excels in leveraging his expertise across various domains, including Kubernetes, AWS, Docker, and Jenkins.