NeuVector Improves Container Security With Admission Control | eWeek

NeuVector Improves Container Security With Admission Control

NeuVector
Dec 3, 2018
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

NeuVector will issue a new release of its platform on Dec. 4, providing organizations with enhanced capabilities to secure cloud-native, container environments.

The NeuVector 2.3 release expands the container, cloud-native firewall technology with admission control security capabilities that can be directly integrated with the Kubernetes container orchestration platform.

“NeuVector uses the features of Kubernetes as a trigger and enforcement point for image deployment,” NeuVector CTO Gary Duan told eWEEK. “By integrating with Kubernetes, via kube-apiserver, NeuVector can get notification for any image attempting to be deployed, then apply the policy, which an admin has configured in NeuVector to decide whether to allow or block the deployment through Kubernetes.”

NeuVector’s platform provides a container firewall that can filter application layer traffic to help identify anomalous behavior and traffic. 


The company was launched in January 2017 and has raised $9 million in venture funding. In a video interview with eWEEK, Fei Huang, CEO and co-founder of NeuVector, explained the core principles of his company’s platform and its network-centric view of container and cloud-native security.

Admission control is a net new feature that is part of NeuVector’s overall CI/CD pipeline integration for security, according to Duan. For example, he said users today can fail a build based on vulnerabilities using the Jenkins plug-in from NeuVector. They can also automatically scan new or updated images in repositories. 

“Now, with admission control, they will be able to block deployment of containers based on various criteria such as vulnerabilities, labels, users, namespace etc.,” Duan said. “So, now we have improved security enforcement for the entire Build-Ship-Run pipeline.”

Additionally, he explained that admission control uses the NeuVector registry scanning results to determine whether the image should be allowed to be deployed. NeuVector can also verify the digital signature of images for admission control.

Enforcement

There are multiple ways that policies can be enforced in a Kubernetes-based deployment, including using the Container Networking Interface (CNI) as a hook to block and quarantine access. Duan explained that while NeuVector is compatible with all CNI/network plug-ins, it does not rely on them to enforce network policy.

“We have built our own Layer 7 packet filtering technology, which can run as an inline firewall for selected services,” Duan said. “With a run-time feature called Response rules, users are able to define policies such as if vulnerable images are found in containers, then the containers can be network quarantined.”

The first release of the admission control feature is only being made available for Kubernetes and Kubernetes-based systems including OpenShift and Rancher. Duan said NeuVector is considering adding other container orchestration system, including Docker Swarm, to the product roadmap in 2019.

RBAC

There are multiple security hooks that are available in Kubernetes, including Role Based Access Control (RBAC), which is a feature used by organizations to help secure workloads based on identity.

Duan said that admission control and RBAC are two different types of security features. He explained that NeuVector focuses on validating the security policy to allow container deployment—for example, vulnerability policy for specific users and namespaces. 

“Kubernetes users can still be able to deploy vulnerable images with RBAC in place,” he said.

Looking forward, NeuVector will be looking at potential integration with the Istio service mesh, which is an increasingly popular cloud-native approach that is run alongside Kubernetes. 

“We will continue to build on our container network security expertise and add more network threat intelligence,” Duan said. “We will also integrate our security mesh technology with service meshes more tightly.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.