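# neuvector yaml version for NeuVector 5.x.x on CRI-O
#
# Multi-document manifest (OpenShift variant):
#   Services        -> CRD webhook, admission webhook, web UI, controller cluster ports
#   Route           -> TLS-passthrough route to the web UI
#   Deployments     -> manager, controller, scanner
#   DaemonSet       -> enforcer (one per node, privileged)
#   CronJob         -> updater, restarts the scanner deployment once a day
#
# NOTE(review): every `image:` below ends in an empty tag. Pin each one to the
# NeuVector release being deployed before applying this file.
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-svc-crd-webhook
  namespace: neuvector
spec:
  ports:
    # Exposed on 443, served by the controller pod on 30443.
    - port: 443
      targetPort: 30443
      protocol: TCP
      name: crd-webhook
  type: ClusterIP
  selector:
    app: neuvector-controller-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-svc-admission-webhook
  namespace: neuvector
spec:
  ports:
    # Exposed on 443, served by the controller pod on 20443.
    - port: 443
      targetPort: 20443
      protocol: TCP
      name: admission-webhook
  type: ClusterIP
  selector:
    app: neuvector-controller-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-webui
  namespace: neuvector
spec:
  ports:
    # Port name "manager" is referenced by the Route's targetPort below.
    - port: 8443
      name: manager
      protocol: TCP
  type: ClusterIP
  selector:
    app: neuvector-manager-pod
---
apiVersion: v1
kind: Service
metadata:
  name: neuvector-svc-controller
  namespace: neuvector
spec:
  ports:
    - port: 18300
      protocol: "TCP"
      name: "cluster-tcp-18300"
    - port: 18301
      protocol: "TCP"
      name: "cluster-tcp-18301"
    # Same port number as above, different protocol -> distinct name required.
    - port: 18301
      protocol: "UDP"
      name: "cluster-udp-18301"
  # Headless service: pods address controller members directly.
  clusterIP: None
  selector:
    app: neuvector-controller-pod
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: neuvector-route-webui
  namespace: neuvector
spec:
  to:
    kind: Service
    name: neuvector-service-webui
  port:
    targetPort: manager
  tls:
    # Passthrough: TLS is terminated by the manager pod, not by the router.
    termination: passthrough
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: neuvector-manager-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-manager-pod
  replicas: 1
  template:
    metadata:
      labels:
        app: neuvector-manager-pod
    spec:
      serviceAccountName: basic
      serviceAccount: basic
      containers:
        - name: neuvector-manager-pod
          # NOTE(review): image tag is empty; pin to the release being deployed.
          image: image-registry.openshift-image-registry.svc:5000/neuvector/manager:
          env:
            # Manager reaches the controller through the headless service.
            - name: CTRL_SERVER_IP
              value: neuvector-svc-controller.neuvector
      restartPolicy: Always
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: neuvector-controller-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-controller-pod
  minReadySeconds: 60
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  replicas: 3
  template:
    metadata:
      labels:
        app: neuvector-controller-pod
    spec:
      affinity:
        podAntiAffinity:
          # Prefer spreading the three controllers across distinct nodes.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - neuvector-controller-pod
                topologyKey: "kubernetes.io/hostname"
      serviceAccountName: controller
      serviceAccount: controller
      containers:
        - name: neuvector-controller-pod
          # NOTE(review): image tag is empty; pin to the release being deployed.
          image: image-registry.openshift-image-registry.svc:5000/neuvector/controller:
          securityContext:
            # Controller runs as root inside the container.
            runAsUser: 0
          readinessProbe:
            exec:
              command:
                - cat
                - /tmp/ready
            initialDelaySeconds: 5
            periodSeconds: 5
          env:
            - name: CLUSTER_JOIN_ADDR
              value: neuvector-svc-controller.neuvector
            - name: CLUSTER_ADVERTISED_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: CLUSTER_BIND_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            # - name: CTRL_PERSIST_CONFIG
            #   value: "1"
          volumeMounts:
            # - mountPath: /var/neuvector
            #   name: nv-share
            #   readOnly: false
            # Bootstrap config and secrets, mounted read-only.
            - mountPath: /etc/config
              name: config-volume
              readOnly: true
      terminationGracePeriodSeconds: 300
      restartPolicy: Always
      volumes:
        # - name: nv-share
        #   persistentVolumeClaim:
        #     claimName: neuvector-data
        # All three sources are optional, so the pod starts without them.
        - name: config-volume
          projected:
            sources:
              - configMap:
                  name: neuvector-init
                  optional: true
              - secret:
                  name: neuvector-init
                  optional: true
              - secret:
                  name: neuvector-secret
                  optional: true
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: neuvector-enforcer-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-enforcer-pod
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: neuvector-enforcer-pod
    spec:
      # Run on control-plane nodes as well as workers.
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
      # Enforcer shares the host PID namespace and runs privileged; presumably
      # required for host-level runtime inspection -- confirm before tightening.
      hostPID: true
      serviceAccountName: enforcer
      serviceAccount: enforcer
      containers:
        - name: neuvector-enforcer-pod
          # NOTE(review): image tag is empty; pin to the release being deployed.
          image: image-registry.openshift-image-registry.svc:5000/neuvector/enforcer:
          securityContext:
            privileged: true
          env:
            - name: CLUSTER_JOIN_ADDR
              value: neuvector-svc-controller.neuvector
            - name: CLUSTER_ADVERTISED_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: CLUSTER_BIND_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          volumeMounts:
            - mountPath: /lib/modules
              name: modules-vol
              readOnly: true
            # The CRI-O socket, /proc and cgroup mounts are left commented out
            # in this variant; keep them disabled unless the deployment needs them.
            # - mountPath: /run/runtime.sock
            #   name: runtime-sock
            #   readOnly: true
            # - mountPath: /host/proc
            #   name: proc-vol
            #   readOnly: true
            # - mountPath: /host/cgroup
            #   name: cgroup-vol
            #   readOnly: true
            # Writable host path used for debug output.
            - mountPath: /var/nv_debug
              name: nv-debug
              readOnly: false
      terminationGracePeriodSeconds: 1200
      restartPolicy: Always
      volumes:
        - name: modules-vol
          hostPath:
            path: /lib/modules
        # - name: runtime-sock
        #   hostPath:
        #     path: /var/run/crio/crio.sock
        # - name: proc-vol
        #   hostPath:
        #     path: /proc
        # - name: cgroup-vol
        #   hostPath:
        #     path: /sys/fs/cgroup
        - name: nv-debug
          hostPath:
            path: /var/nv_debug
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: neuvector-scanner-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-scanner-pod
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  replicas: 2
  template:
    metadata:
      labels:
        app: neuvector-scanner-pod
    spec:
      serviceAccountName: scanner
      serviceAccount: scanner
      containers:
        - name: neuvector-scanner-pod
          # NOTE(review): image tag is empty; pin to the release being deployed.
          image: image-registry.openshift-image-registry.svc:5000/neuvector/scanner:
          # Always pull so the daily restart (CronJob below) picks up a new image.
          imagePullPolicy: Always
          env:
            - name: CLUSTER_JOIN_ADDR
              value: neuvector-svc-controller.neuvector
      restartPolicy: Always
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: neuvector-updater-pod
  namespace: neuvector
spec:
  # Daily at midnight: patch the scanner deployment's restartedAt annotation
  # so its pods roll and re-pull the scanner image.
  schedule: "0 0 * * *"
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: neuvector-updater-pod
        spec:
          serviceAccountName: updater
          serviceAccount: updater
          containers:
            - name: neuvector-updater-pod
              # NOTE(review): image tag is empty; pin to the release being deployed.
              image: image-registry.openshift-image-registry.svc:5000/neuvector/updater:
              imagePullPolicy: Always
              # The API call is authenticated with the updater service-account
              # token. curl runs without -v so the Authorization header (the
              # bearer token) is not written to the job log, verifies the API
              # server against the service-account-mounted cluster CA instead
              # of -k, and fails (-f) on an HTTP error so a rejected PATCH
              # surfaces as a failed Job rather than exiting 0.
              command:
                - /bin/sh
                - -c
                - >-
                  TOKEN=`cat /var/run/secrets/kubernetes.io/serviceaccount/token`;
                  /usr/bin/curl -fsS
                  --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
                  -X PATCH
                  -H "Authorization:Bearer $TOKEN"
                  -H "Content-Type:application/strategic-merge-patch+json"
                  -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}'
                  'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'
          restartPolicy: Never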