Image Overview: neuvector-scanner

Overview: neuvector-scanner Chainguard Image

A Wolfi-based image for the scanner component of NeuVector, a full lifecycle container security platform.

Download this Image

The image is available on cgr.dev:

docker pull cgr.dev/chainguard/neuvector-scanner:latest

Install the Helm repository

Install the NeuVector Helm chart repository and update:

helm repo add neuvector https://neuvector.github.io/neuvector-helm/
helm repo update

Generate internal certificates

Refer to NeuVector’s documentation on generating internal certificates. They are deliberately not shipped with the image: each production environment should generate and own its own CA and certificate, since these credentials authenticate the controller, enforcer and scanner to one another.

Create a namespace for NeuVector:

kubectl create ns neuvector

Create a secret with the internal certs:

kubectl create secret generic internal-cert -n neuvector --from-file=cert.key --from-file=cert.pem --from-file=ca.cert
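As a worked version of the two certificate steps above (an added example; not code from the Chainguard page or from NeuVector), the script below generates a private CA and a CA-signed key pair with openssl, checks that key, certificate and CA agree before anything is deployed, and renders the internal-cert Secret with --dry-run=client so it can be reviewed before it is applied. The file names cert.key, cert.pem and ca.cert are the ones the page uses; the subject names and validity periods are illustrative assumptions, and openssl and kubectl are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the Chainguard page or NeuVector): generate a private CA
# and a CA-signed certificate for NeuVector internal mTLS, verify them, and render
# the `internal-cert` Secret referenced by the page's Helm values.
# Assumptions: openssl (and kubectl, for the Secret) on PATH; subject names and
# validity periods are illustrative, not NeuVector requirements.
set -eu

# Generate ca.key/ca.cert and cert.key/cert.pem into directory $1.
gen_internal_certs() {
  dir=$1
  mkdir -p "$dir"
  # CA key and self-signed CA certificate (10 years). ca.key stays on the admin
  # workstation; only ca.cert goes into the cluster.
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -subj "/CN=NeuVector internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.cert" >/dev/null 2>&1
  # Component key and CSR.
  openssl req -newkey rsa:4096 -nodes -sha256 \
    -subj "/CN=NeuVector" \
    -keyout "$dir/cert.key" -out "$dir/cert.csr" >/dev/null 2>&1
  # Sign the CSR with the CA (3 years), producing cert.pem.
  openssl x509 -req -sha256 -days 1095 \
    -in "$dir/cert.csr" -CA "$dir/ca.cert" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/cert.pem" >/dev/null 2>&1
  rm -f "$dir/cert.csr"
}

# Return 0 only if cert.pem chains to ca.cert AND cert.key is the private key
# for cert.pem (mismatched files would only fail later, inside the pods).
verify_internal_certs() {
  dir=$1
  openssl verify -CAfile "$dir/ca.cert" "$dir/cert.pem" >/dev/null 2>&1 || return 1
  key_pub=$(openssl pkey -in "$dir/cert.key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout 2>/dev/null)
  [ "$key_pub" = "$cert_pub" ]
}

# Render the Secret the page creates, without touching the cluster, so the
# manifest can be reviewed or stored encrypted instead of applied ad hoc.
# --from-file uses the file's basename as the key, matching keyFile/pemFile/caFile.
render_internal_cert_secret() {
  dir=$1
  kubectl create secret generic internal-cert -n neuvector \
    --from-file="$dir/cert.key" --from-file="$dir/cert.pem" --from-file="$dir/ca.cert" \
    --dry-run=client -o yaml
}

# Usage: NV_CERT_DIR=./nv-certs sh gen-internal-cert.sh > internal-cert.yaml
if [ -n "${NV_CERT_DIR:-}" ]; then
  gen_internal_certs "$NV_CERT_DIR"
  verify_internal_certs "$NV_CERT_DIR"
  render_internal_cert_secret "$NV_CERT_DIR"
fi
```

The same Secret is mounted by the controller, enforcer and scanner, so rotate it for all three at once, and keep ca.key out of the cluster entirely: the Secret only needs ca.cert.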

Deploy CRD

Deploy the custom resource definitions as their own release (Helm release names must be unique within a namespace, so the CRD chart cannot share the name used for core below):

helm install crd neuvector/crd -n neuvector

Deploy core

Deploy NeuVector core:

helm install core neuvector/core -n neuvector \
  --set registry=cgr.dev \
  \
  --set controller.image.repository=chainguard/neuvector-controller \
  --set controller.internal.certificate.secret=internal-cert \
  --set controller.internal.certificate.keyFile=cert.key \
  --set controller.internal.certificate.pemFile=cert.pem \
  --set controller.internal.certificate.caFile=ca.cert \
  \
  --set enforcer.image.repository=chainguard/neuvector-enforcer \
  --set enforcer.internal.certificate.secret=internal-cert \
  --set enforcer.internal.certificate.keyFile=cert.key \
  --set enforcer.internal.certificate.pemFile=cert.pem \
  --set enforcer.internal.certificate.caFile=ca.cert \
  \
  --set manager.image.repository=chainguard/neuvector-manager \
  \
  --set cve.scanner.image.registry=cgr.dev \
  --set cve.scanner.image.repository=chainguard/neuvector-scanner \
  --set cve.scanner.internal.certificate.secret=internal-cert \
  --set cve.scanner.internal.certificate.keyFile=cert.key \
  --set cve.scanner.internal.certificate.pemFile=cert.pem \
  --set cve.scanner.internal.certificate.caFile=ca.cert \
  \
  --set cve.updater.image.registry=cgr.dev \
  --set cve.updater.image.repository=chainguard/neuvector-updater \
  \
  --set crdwebhook.enabled=false

Note that the container runtime socket must match the cluster NeuVector is deployed on; by default the chart assumes Docker. For example, for k3s add the following to the command above:

  --set k3s.enabled=true \
  --set k3s.runtimePath=/run/k3s/containerd/containerd.sock

All of the *.internal.certificate.* settings except *.internal.certificate.secret can be omitted if the files in the secret use the chart defaults: keyFile=tls.key, pemFile=tls.pem and caFile=ca.crt.
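The core install expressed as a generated values file (an added example; not from the Chainguard page or the NeuVector chart): the image and certificate settings are exactly the ones the page passes with --set, the runtime is chosen once by name instead of by hand-editing flags, and the CRD and core releases get distinct names. The page itself only shows docker (the default) and k3s; the containerd.* and crio.* keys are an assumption about the chart's values.yaml, so confirm them with helm show values neuvector/core before relying on them.

```shell
#!/bin/sh
# Added example (not from the Chainguard page or the NeuVector chart): write the
# page's --set flags as a values file and install crd + core from it.
# Assumed: docker.*/k3s.* keys as on the page; containerd.*/crio.* keys as in the
# chart's values.yaml (verify with `helm show values neuvector/core`).
set -eu

# Print the runtime section for runtime $1. An unknown name is an error so a
# typo cannot silently fall back to the Docker default.
runtime_values() {
  case $1 in
    docker)     printf 'docker:\n  path: /var/run/docker.sock\n' ;;
    k3s)        printf 'k3s:\n  enabled: true\n  runtimePath: /run/k3s/containerd/containerd.sock\n' ;;
    containerd) printf 'containerd:\n  enabled: true\n  path: /var/run/containerd/containerd.sock\n' ;;
    crio)       printf 'crio:\n  enabled: true\n  path: /var/run/crio/crio.sock\n' ;;
    *) echo "unknown runtime: $1 (docker|k3s|containerd|crio)" >&2; return 1 ;;
  esac
}

# Print the full values file: the page's image and internal-certificate settings
# (keys identical to the --set flags) followed by the runtime section.
core_values() {
  cat <<'EOF'
registry: cgr.dev
controller:
  image:
    repository: chainguard/neuvector-controller
  internal:
    certificate: {secret: internal-cert, keyFile: cert.key, pemFile: cert.pem, caFile: ca.cert}
enforcer:
  image:
    repository: chainguard/neuvector-enforcer
  internal:
    certificate: {secret: internal-cert, keyFile: cert.key, pemFile: cert.pem, caFile: ca.cert}
manager:
  image:
    repository: chainguard/neuvector-manager
cve:
  scanner:
    image:
      registry: cgr.dev
      repository: chainguard/neuvector-scanner
    internal:
      certificate: {secret: internal-cert, keyFile: cert.key, pemFile: cert.pem, caFile: ca.cert}
  updater:
    image:
      registry: cgr.dev
      repository: chainguard/neuvector-updater
crdwebhook:
  enabled: false
EOF
  runtime_values "$1"
}

# Install the CRD chart and core under distinct release names, core from the
# generated file so the exact configuration is kept alongside the deployment.
deploy_core() {
  runtime=${1:-docker}
  core_values "$runtime" > neuvector-core-values.yaml
  helm install crd neuvector/crd -n neuvector
  helm install core neuvector/core -n neuvector -f neuvector-core-values.yaml
}

# Usage: sh deploy-core.sh deploy k3s   (needs helm and cluster access)
if [ "${1:-}" = "deploy" ]; then
  deploy_core "${2:-docker}"
fi
```

Keeping neuvector-core-values.yaml under version control makes later `helm upgrade` runs reproducible and gives reviewers one place to confirm that every image repository points at cgr.dev.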

Deploy monitor

Deploy the monitor chart with the Prometheus exporter:

helm install monitor neuvector/monitor -n neuvector \
  --set registry=cgr.dev \
  --set exporter.apiSvc=neuvector-svc-controller:10443 \
  --set exporter.image.repository=chainguard/neuvector-prometheus-exporter

The exporter’s API service is overridden because the chart default points at neuvector-svc-controller-api, a Service that does not exist in this deployment.
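Once both charts are installed, the checks below (an added example; not part of the Chainguard page or of NeuVector) give a reviewer evidence of two things: that every container in the namespace really runs from cgr.dev/chainguard/ rather than a default upstream registry, and that the Service named in exporter.apiSvc exists and exposes the expected port. kubectl is used only to collect input; the check functions read plain text from stdin, so they also run against saved output. The namespace and image prefix are the page’s; the digest-pinning warning is an addition, since the page pulls :latest.

```shell
#!/bin/sh
# Added example (not from the Chainguard page or NeuVector): post-deploy checks.
# Assumptions: namespace `neuvector` and image prefix cgr.dev/chainguard/ as on
# the page; kubectl on PATH only for collecting input.
set -eu

NAMESPACE=${NAMESPACE:-neuvector}
EXPECTED_PREFIX=${EXPECTED_PREFIX:-cgr.dev/chainguard/}

# Print one image reference per line for every init and regular container.
list_images() {
  kubectl get pods -n "$NAMESPACE" -o jsonpath='{range .items[*]}{range .spec.initContainers[*]}{.image}{"\n"}{end}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'
}

# Read image references on stdin; report any outside EXPECTED_PREFIX, return 1 if found.
check_image_sources() {
  bad=0
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    case $image in
      "$EXPECTED_PREFIX"*) ;;
      *) echo "unexpected image source: $image" >&2; bad=1 ;;
    esac
  done
  return $bad
}

# Read image references on stdin; print those not pinned by digest. A mutable
# tag such as :latest can resolve to a different image on the next pull.
list_unpinned_images() {
  while IFS= read -r image; do
    case $image in
      *@sha256:*) ;;
      ?*) echo "$image" ;;
    esac
  done
}

# Read a space-separated list of Service ports on stdin; return 0 if $1 is listed.
port_listed() {
  tr ' ' '\n' | grep -qx "$1"
}

# Check that the "name:port" given to exporter.apiSvc names an existing Service
# exposing that port (the chart default names a Service that is not created).
check_api_svc() {
  svc=${1%%:*}
  port=${1##*:}
  kubectl get svc -n "$NAMESPACE" "$svc" -o jsonpath='{.spec.ports[*].port}' | port_listed "$port"
}

# Usage: sh nv-check.sh run   (needs kubectl access to the cluster)
if [ "${1:-}" = "run" ]; then
  list_images | check_image_sources
  list_images | list_unpinned_images | sed 's/^/warning: not pinned by digest: /' >&2
  check_api_svc neuvector-svc-controller:10443 || { echo "exporter.apiSvc target missing" >&2; exit 1; }
fi
```

For a production rollout, replace the :latest tags in the Helm values with an image digest (repository@sha256:…) obtained from cgr.dev so the unpinned-image warning goes away and the deployed scanner is the one that was reviewed.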

You’re now running NeuVector with Chainguard images! Consult NeuVector’s documentation for additional configuration.

Last updated: 2024-06-05 00:36