Exposing NeuVector external facing services
This document (000020892) is provided subject to the disclaimer at the end of this document.
Situation
By default, our deployment example YAML includes these services for completeness, but any service that is not required should be excluded to limit exposure and reduce complexity. The following internal services are always required and are never exposed externally: neuvector-svc-crd-webhook, neuvector-svc-admission-webhook, and neuvector-svc-controller.
Resolution
How services are exposed depends on your cluster setup. It is good practice to expose the WebUI service through an ingress. Depending on the ingress provider and on how the backend is set up, different ingress annotations are needed to connect to the backend service.
- By default, the NV Manager WebUI service runs over SSL with a self-signed certificate. You can configure the ingress to use SSL passthrough, which means the self-signed WebUI certificate is exposed to clients. There is an option to replace the self-signed certificate with a real certificate. The steps can be found here --> https://open-docs.neuvector.com/configuration/console/replacecert
- You can also use the ingress to front the WebUI service with your own certificate and disable the WebUI SSL. Instructions for this are found here --> https://open-docs.neuvector.com/configuration/console#enabling-http-for-manager
- Lastly, you can enable what is commonly called end-to-end TLS, where both the ingress and the WebUI run over SSL; the ingress then has to communicate with the backend WebUI service over SSL. If the self-signed certificate continues to be used, the ingress must be able to accept self-signed certificates (often called tls-skip-verify).
- Here's an example ingress definition for ingress-nginx for NeuVector's WebUI Service with end-to-end TLS.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  name: neuvector-webui-ingress
  namespace: neuvector
spec:
  rules:
  - host: ui.nvlab.domain.co
    http:
      paths:
      - backend:
          serviceName: neuvector-service-webui
          servicePort: 8443
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - ui.nvlab.domain.co
    secretName: ui.nvlab
The Federation Master and Federation Worker/REST API services can follow the same pattern of exposure.
[NOTE] The above annotation is for ingress-nginx with default annotations-prefix setting. (See https://kubernetes.github.io/ingress-nginx/user-guide/cli-arguments/ for more details.)
[NOTE] Kong Ingress requires the Service object itself to carry a specific annotation in order to communicate with it over SSL. (See https://github.com/Kong/kubernetes-ingress-controller/issues/69#issuecomment-725835072 for details.)
❯ k get svc neuvector-service-webui -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    konghq.com/protocol: https   <========
  ...
  name: neuvector-service-webui
...
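The following audit check is an added example, not part of the original article or of NeuVector itself. It walks Ingress objects (loaded as dicts, for instance from kubectl get ingress -o json) and flags the three mistakes this article warns about: exposing an internal-only service, pointing an ingress at the TLS port 8443 without the ingress-nginx backend-protocol annotation, and leaving a host without a tls entry. The sample manifests are constructed inline.

```python
# Added example: audit NeuVector ingress definitions against this article's guidance.
INTERNAL_ONLY = {  # always required, never exposed externally
    "neuvector-svc-crd-webhook",
    "neuvector-svc-admission-webhook",
    "neuvector-svc-controller",
}
WEBUI_TLS_PORT = 8443  # the WebUI service listens with TLS on this port by default
BACKEND_PROTO = "nginx.ingress.kubernetes.io/backend-protocol"  # ingress-nginx default prefix


def _backends(ingress):
    """Yield (host, serviceName, servicePort) for each path of an extensions/v1beta1 Ingress."""
    for rule in ingress.get("spec", {}).get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path.get("backend", {})
            yield rule.get("host"), backend.get("serviceName"), backend.get("servicePort")


def audit_ingress(ingress):
    """Return a list of findings; an empty list means the ingress follows the article's pattern."""
    findings = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    tls_hosts = {h for entry in ingress.get("spec", {}).get("tls", []) for h in entry.get("hosts", [])}
    for host, svc, port in _backends(ingress):
        if svc in INTERNAL_ONLY:
            findings.append(f"{svc} is internal-only and must not be exposed through an ingress")
        if port == WEBUI_TLS_PORT and annotations.get(BACKEND_PROTO) != "HTTPS":
            findings.append(f"{svc}:{port} speaks TLS but {BACKEND_PROTO} is not HTTPS")
        if host and host not in tls_hosts:
            findings.append(f"host {host} has no tls entry, so it would be served over plain HTTP")
    return findings


# Constructed sample 1: the end-to-end TLS ingress from the article, as a dict.
GOOD_INGRESS = {
    "metadata": {"name": "neuvector-webui-ingress", "namespace": "neuvector",
                 "annotations": {BACKEND_PROTO: "HTTPS"}},
    "spec": {"rules": [{"host": "ui.nvlab.domain.co", "http": {"paths": [
                 {"path": "/", "backend": {"serviceName": "neuvector-service-webui", "servicePort": 8443}}]}}],
             "tls": [{"hosts": ["ui.nvlab.domain.co"], "secretName": "ui.nvlab"}]},
}
# Constructed sample 2: a misconfigured ingress that exposes the controller, lacks the annotation and TLS.
BAD_INGRESS = {
    "metadata": {"name": "bad-ingress", "namespace": "neuvector", "annotations": {}},
    "spec": {"rules": [{"host": "ctl.nvlab.domain.co", "http": {"paths": [
                 {"path": "/", "backend": {"serviceName": "neuvector-svc-controller", "servicePort": 8443}}]}}]},
}
```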
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020892
- Creation Date: 14-Dec-2022
- Modified Date: 30-Oct-2024
- SUSE NeuVector
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com