Skip to content

How to upgrade the NeuVector Package chart📜

BigBang makes modifications to the upstream helm chart. The full list of changes is at the end of this document.

  1. Renovate should have made a renovate/ironbank branch with all necessary version updates. Checkout this branch locally.
  2. From the root of the repo run kpt pkg update chart@<version> --strategy alpha-git-patch replacing <version> with the latest version tag from the upstream repo that has matching image versions. You may be prompted to resolve some conflicts - choose what makes sense (if there are BB additions/changes keep them, if there are upstream additions/changes keep them). You may want to use an alternative strategy with kpt (like force-delete-replace), and then restore the BB changes as needed.
  3. Update chart/Chart.yaml to the appropriate versions. The annotation version should match the appVersion. If we have moved to a new chart version reset the bb.X version to bb.0.
    version: X.X.X-bb.X
    appVersion: X.X.X
    annotations: |
        - NeuVector: X.X.X
  4. Update gluon to a new version (if necessary) and run helm dependency update chart to package up new gluon as a .tgz.
  5. Update with an entry for the update. At minimum add the new image versions and any chart version update.
  6. Update following the gluon library script instructions.
  7. Use a development environment to deploy and test NeuVector. See more detailed testing instructions below. Also make sure to test an upgrade from the previous version. Make any adjustments as needed based on testing and update the again if required.
  8. Validate CI has passed then move your MR into review (Renovate should’ve opened an MR for you).

Testing new NeuVector version📜

Deploy NeuVector as part of Big Bang📜

  • Create a k8s dev environment. One option is to use the Big Bang with no arguments which will give you the default configuration. The following steps assume you are using the script.
  • Follow the instructions at the end of the script to connect to the k8s cluster and install flux.
  • Deploy NeuVector with these dev values overrides. Core apps are disabled for quick deployment.

      enabled: true
      sourceType: "git"
        path: chart
        tag: null
        branch: "replace-me-with-your-branch-name"

  • A more robust option is to deploy Big Bang with Istio, Monitoring, and Neuvector enabled. For Neuvector on k3d you will need to enable the k3s runtime value as shown below:

  enabled: true
  enabled: true
  enabled: true
      enabled: true
  sourceType: "git"
    path: chart
    tag: null
    branch: "replace-me-with-your-branch-name"
  enabled: true

Testing NeuVector📜

  1. Validate all pods successfully go to “Running”.
  2. Validate you are able to hit the UI, which should be exposed at (make sure this is in your /etc/hosts file).
  3. Login with the default admin user (username: admin, password: admin)
  4. Validate pages show information. Key pages to check:
  5. Main dashboard should be populated with details in most/all panels
  6. Network Activity (you may need to zoom in/out to see pods/hosts)
  7. Assets pages: Should show nodes/containers, “System Components” should show connected controllers and enforcers (and several scanners up)
  8. Under the Assets -> Containers page run a scan on a few images. You may just want to enable the Auto Scan option on the top right. Validate that scans finish and vulnerabilities are found on the vulnerabilities tab for a given image. You can also try the same scan on Assets -> Hosts to scan the k3d hosts.
  9. If the big-bang/base image has been updated, the “updater” functionality should be verified - this updates the CVE database by forcing a pull of the scanner image. The updater job is run via the cronjob neuvector-updater-pod, so check that this runs successfully.

Modifications made to upstream chart📜

This is a high-level list of modifications that Big Bang has made to the upstream helm chart. You can use this as as cross-check to make sure that no modifications were lost during the upgrade process.

NOTE: This list may not be complete yet - it should be updated as updates are worked to ensure we have a complete list.


  • Append -bb.x to Chart version
  • Add gluon library dependency
  • Add BB dev application version annotation
  • Add monitor subchart dependency


  • Add support for scheme and tlsConfig


  • Add appProtocol: http to the metrics port to support Istio protocol detection


  • Add empty defaults for scheme and tlsConfig


  • Templates added to support network policies, mTLS, and Istio virtual service


  • Images changed to Ironbank images rather than upstream
  • Added JDK_JAVA_OPTIONS to manager.env.envs
    # This setting should be enabled when in FIPS environments to prevent Java errors arising from the FIPS alignment
    - name: JDK_JAVA_OPTIONS
      value: "-Dcom.redhat.fips=false"
  • Added at the bottom of the values file are changes to support Istio, monitoring, and optional network policies.
  enabled: false
  injection: "enabled"
    enabled: false
    customAuthorizationPolicies: []
    # - name: "allow-nothing"
    #   enabled: true
    #   spec: {}
    enabled: true
    annotations: {}
    labels: {}
      - istio-system/main
      - neuvector.{{ .Values.domain }}
  # -- Default neuvector peer authentication
    # -- STRICT = Allow only mutual TLS traffic,
    # PERMISSIVE = Allow both plain text and mutual TLS traffic
    mode: STRICT

  enabled: false
  namespace: monitoring

  enabled: false
    app: istio-ingressgateway
    istio: ingressgateway

  imagePullSecrets: private-registry

# Bigbang helm test values default disabled
  enabled: false
    artifacts: true
      cypress_url: "http://neuvector-service-webui.{{ .Release.Namespace }}.svc.cluster.local:8443"
      URL: "http://neuvector-service-webui.{{ .Release.Namespace }}.svc.cluster.local:8443"

Grafana Dashboards📜

  • Added chart/dashboards/neuvector-dashboard.json
  • Added chart/templates/bigbang/neuvector-dashboards.yaml
# To update Neuvector Dashboard
# Current version was pulled from
curl -o chart/dashboards/neuvector-dashboard.json


The mutating Kyverno policy named update-automountserviceaccounttokens is leveraged to harden all ServiceAccounts in this package with automountServiceAccountToken: false. This policy is configured by namespace in the Big Bang umbrella chart repository at chart/templates/kyverno-policies/values.yaml.

This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts. If a Pod truly requires access to the K8s API (for app functionality), the Pod is added to the pods: array of the same mutating policy. This grants the Pod access to the API, and creates a Kyverno PolicyException to prevent an alert.

Last update: 2024-03-20 by massey.robert