docs/02.deploying/10.remove/10.remove.md
17 additions & 10 deletions
@@ -29,21 +29,28 @@ In addition to deleting as discussed above and redeploying NeuVector, the follow
29
29
30
30
The admin password is the key to administering the NeuVector deployment and viewing the cluster network activities. It is important to change the password upon install and keep it safely guarded. If you have `kubectl` access to the cluster, you can reset the admin password to the default using the following steps.
31
31
32
-
Bash access is disabled by default to harden NeuVector pod security. If resetting the admin password, you need to first disable `nv_protect` which is tied to the Enforcer where the Controller is running in order to access Bash.
32
+
Consul CLI access is disabled by default to harden NeuVector pod security. If resetting the admin password, you need to first disable `nv_protect` which is tied to the Enforcer where the Controller is running in order to access the consul CLI. The below `override.yaml` configuration can be applied by an admin user to disable `nv_protect` and allows for running your consul CLI directly in the Controller pods.
33
33
34
-
1. Execute the command below through the NeuVector CLI to disable `nv_protect`, then you will be able to `kubectl exec` into the specified Controller.
34
+
:::important
35
35
36
-
```shell
37
-
set enforcer <enforcer_id> nv_protect disable true
38
-
```
36
+
If using continuous delivery in your deployment, you can add a temporary admin user by enabling the attribute `always_reload: true` noted in the example `userinitcfg.yaml` in the [ConfigMap](/deploying/production/configmap/#complete-sample-neuvector-configmap-initcfgyaml) and then following the steps below.
37
+
38
+
:::
39
+
40
+
```yaml
41
+
enforcer:
42
+
env:
43
+
- name: ENFORCER_SKIP_NV_PROTECT
44
+
value: "1"
45
+
```
39
46
40
-
2. `kubectl exec` into one of the Controllers.
47
+
1. `kubectl exec` into one of the Controllers.
41
48
42
49
```shell
43
50
kubectl exec -it <controller> -n neuvector -- sh
44
51
```
45
52
46
-
3. Check that the admin entry exists and save the output JSON somewhere for safe keeping.
53
+
2. Check that the admin entry exists and save the output JSON somewhere for safe keeping.
47
54
48
55
```shell
49
56
consul kv get object/config/user/admin
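Review bot: The paragraph added at new line 32 promises "the below `override.yaml` configuration", but the `:::important` admonition about `always_reload: true` sits between that sentence and the YAML block, and nothing in the hunk says how the override is applied or that it has to be reverted once the password is reset. The removed step disabled `nv_protect` for a single `<enforcer_id>`, while the added `enforcer:` / `env:` value carries no per-Enforcer scope in the lines shown, so the text should state whether protection is dropped on every Enforcer and include a numbered step to remove `ENFORCER_SKIP_NV_PROTECT` afterwards. Suggest placing the YAML directly under the paragraph as step 1, moving the admonition after it, and changing "can be applied by an admin user to disable `nv_protect` and allows for" to "and allow".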
@@ -55,13 +62,13 @@ Bash access is disabled by default to harden NeuVector pod security. If resettin
55
62
56
63
:::
57
64
58
-
4. Take the output from the above `consul kv get` command and replace the `password_hash` string with the below string.
65
+
3. Take the output from the above `consul kv get` command and replace the `password_hash` string with the below string.
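Review bot: After the renumbering at new line 65, the list has no numbered step that covers the `nv_protect` override, and step 3 puts the admin account back on the default `password_hash` that the introduction says should be changed and guarded. If the steps beyond this hunk do not already do so, add closing steps to change the admin password away from the default and to remove the override so `nv_protect` is active again.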
versioned_docs/version-5.4/02.deploying/10.remove/10.remove.md
17 additions & 10 deletions
@@ -29,21 +29,28 @@ In addition to deleting as discussed above and redeploying NeuVector, the follow
29
29
30
30
The admin password is the key to administering the NeuVector deployment and viewing the cluster network activities. It is important to change the password upon install and keep it safely guarded. If you have `kubectl` access to the cluster, you can reset the admin password to the default using the following steps.
31
31
32
-
Starting in v5.4.3, Bash access is disabled by default to harden NeuVector pod security. If resetting the admin password, you need to first disable `nv_protect` which is tied to the Enforcer where the Controller is running in order to access Bash.
32
+
Starting in v5.4.3, consul CLI access is disabled by default to harden NeuVector pod security. If resetting the admin password, you need to first disable `nv_protect` which is tied to the Enforcer where the Controller is running in order to access the consul CLI. The below `override.yaml` configuration can be applied by an admin user to disable `nv_protect` and allows for running your consul CLI directly in the Controller pods.
33
33
34
-
1. Execute the command below through the NeuVector CLI to disable `nv_protect`, then you will be able to `kubectl exec` into the specified Controller.
34
+
:::important
35
35
36
-
```shell
37
-
set enforcer <enforcer_id> nv_protect disable true
38
-
```
36
+
If using continuous delivery in your deployment, you can add a temporary admin user by enabling the attribute `always_reload: true` noted in the example `userinitcfg.yaml` in the [ConfigMap](/deploying/production/configmap/#complete-sample-neuvector-configmap-initcfgyaml) and then following the steps below.
37
+
38
+
:::
39
+
40
+
```yaml
41
+
enforcer:
42
+
env:
43
+
- name: ENFORCER_SKIP_NV_PROTECT
44
+
value: "1"
45
+
```
39
46
40
-
2. `kubectl exec` into one of the Controllers.
47
+
1. `kubectl exec` into one of the Controllers.
41
48
42
49
```shell
43
50
kubectl exec -it <controller> -n neuvector -- sh
44
51
```
45
52
46
-
3. Check that the admin entry exists and save the output JSON somewhere for safe keeping.
53
+
2. Check that the admin entry exists and save the output JSON somewhere for safe keeping.
47
54
48
55
```shell
49
56
consul kv get object/config/user/admin
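Review bot: The sentence at new line 32 keeps "Starting in v5.4.3" but changes what was disabled from Bash to the consul CLI, and the only documented way to lift `nv_protect` is now `ENFORCER_SKIP_NV_PROTECT`, with the `set enforcer <enforcer_id> nv_protect disable true` step removed. Since this file is the 5.4 versioned copy, please confirm the environment variable is honoured from v5.4.3 onward and state the minimum version in the text; if it is not, keep the CLI step for the releases that still need it.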
@@ -55,13 +62,13 @@ Starting in v5.4.3, Bash access is disabled by default to harden NeuVector pod s
55
62
56
63
:::
57
64
58
-
4. Take the output from the above `consul kv get` command and replace the `password_hash` string with the below string.
65
+
3. Take the output from the above `consul kv get` command and replace the `password_hash` string with the below string.