Workaround for NeuVector being unable to delete Process Profile Rules under a Federated Policy

Overview

In NeuVector, a federation lets rules be created on the master cluster and propagated automatically to every member cluster. Federated rules appear read-only in each cluster and cannot be deleted or edited by that cluster's local administrator.

However, in versions 5.4.3/5.4.4 (older versions may also be affected; this has not been verified yet), Process Profile Rules created through Federated Policy in the NeuVector UI cannot be edited or deleted at all, not even from the master cluster.

Workaround

  1. Get a token

```bash
TOKEN=$(curl -skL -H "Content-Type:application/json" \
--data '{
"password": {
"username": "admin",
"password": "admin"
}
}' \
https://10.43.74.221:10443/v1/auth | jq -r .token.token)
```
  2. Confirm that the token works

```bash
curl -k -H "Content-Type: application/json" \
-H "X-Auth-Token: $TOKEN" \
"https://10.43.74.221:10443/v1/controller" \
| jq .controllers[].display_name
```
  3. Delete the old rule

```bash
curl -k -H "Content-Type: application/json" \
-H "X-Auth-Token: $TOKEN" \
"https://10.43.74.221:10443/v1/process_profile/fed.test?scope=fed" \
-X PATCH \
--data '{
"process_profile_config":
{
"group": "fed.test",
"process_delete_list":
[
{
"action": "allow",
"allow_update": false,
"cfg_type": "federal",
"name": "ls",
"path": "*"
}
]
}
}'
```

Parameter notes:

  • The path after https://xxx/v1/process_profile/ must be the group_name, and it must match the group under process_profile_config.
  • The action, name and path entries under process_delete_list must be filled in with the rule's actual configuration; the entry only matches an existing rule if all of them are identical.
  4. Add a new rule (optional)

```bash
curl -k -H "Content-Type: application/json" \
-H "X-Auth-Token: $TOKEN" \
"https://10.43.74.221:10443/v1/process_profile/fed.test?scope=fed" \
-X PATCH \
--data '{
"process_profile_config":
{
"group": "fed.test",
"process_change_list":
[
{
"action": "allow",
"allow_update": false,
"cfg_type": "federal",
"name": "ls",
"path": "/usr/bin/ls"
}
]
}
}'
```
  5. A token obtained this way is only valid for 300 s. A longer-lived API key can be created in the NeuVector UI under Settings - 'Users, API Keys & Roles' - API Keys.

Main settings:

  • Automatically expire: when the key expires
  • Global Role: the key's role level; since the operations touch resources under Federated Policy, this must be fedAdmin

Copy the X-Auth-Apikey value and use that key for the requests instead; the token then no longer needs to be refreshed:

```bash
KEY="test:MAGLzdSksL9oedSAUMkmwBWriKE/4cWX2QF0pl2hDUNexHSmDck1Y1JIJNMfJ1UM"

curl -k -H "Content-Type: application/json" -H "X-Auth-Apikey: $KEY" https://10.43.74.221:10443/v1/controller

curl -k -H "Content-Type: application/json" \
-H "X-Auth-Apikey: $KEY" \
"https://10.43.74.221:10443/v1/process_profile/fed.test?scope=fed" \
-X PATCH \
--data '{
"process_profile_config":
{
"group": "fed.test",
"process_delete_list":
[
{
"action": "allow",
"allow_update": false,
"cfg_type": "federal",
"name": "ls",
"path": "*"
}
]
}
}'
```
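As an added example (not code from the original post or from NeuVector), the helpers below wrap the delete and change PATCH calls from steps 3 to 5 so that the group, list kind and rule fields are passed as arguments instead of being edited by hand inside the JSON, which is where a mismatched action/name/path silently fails to match the existing rule. NV_URL and NV_APIKEY are assumed environment variables, and nv_pp_show assumes a GET on the same endpoint returns the group's current profile.

```bash
#!/bin/sh
# Added example, not part of the original post.
# Assumes the caller exports, for instance:
#   NV_URL=https://10.43.74.221:10443
#   NV_APIKEY="test:<api key from the UI>"

# Build the process_profile_config body.
#   $1 = list kind: process_delete_list | process_change_list
#   $2 = group (must equal the group name used in the URL, e.g. fed.test)
#   $3 = process name, $4 = path, $5 = action (allow | deny)
nv_pp_payload() {
    case "$1" in
        process_delete_list|process_change_list) ;;
        *) echo "nv_pp_payload: unknown list kind '$1'" >&2; return 1 ;;
    esac
    printf '{"process_profile_config":{"group":"%s","%s":[{"action":"%s","allow_update":false,"cfg_type":"federal","name":"%s","path":"%s"}]}}' \
        "$2" "$1" "$5" "$3" "$4"
}

# Send the PATCH. ?scope=fed is what makes the request act on the federated rule.
nv_pp_patch() {
    body=$(nv_pp_payload "$@") || return 1
    curl -ks -H "Content-Type: application/json" \
        -H "X-Auth-Apikey: $NV_APIKEY" \
        -X PATCH --data "$body" \
        "$NV_URL/v1/process_profile/$2?scope=fed"
}

# Print the group's current profile so the delete entry can be copied exactly
# (action, name and path must all match the rule being removed).
nv_pp_show() {
    curl -ks -H "X-Auth-Apikey: $NV_APIKEY" \
        "$NV_URL/v1/process_profile/$1?scope=fed" | jq .
}

# Typical use: inspect, delete the wildcard rule, then add the exact-path one.
#   nv_pp_show fed.test
#   nv_pp_patch process_delete_list fed.test ls '*' allow
#   nv_pp_patch process_change_list fed.test ls /usr/bin/ls allow
```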