NeuVector: AI-Optimized Technical Reference

Core Functionality & Architecture

Primary Capabilities

• Auto-learning network policies: Observes container behavior for 24-48 hours (realistically 1-2 weeks) to generate firewall rules automatically
• Runtime protection: Detects suspicious processes in containers (e.g., unexpected /bin/bash spawns)
• Layer 7 network segmentation: Understands HTTP/gRPC traffic beyond port-level filtering
• Vulnerability scanning: CVE detection in container images
• Compliance reporting: CIS Kubernetes benchmarks, basic SOC 2/PCI DSS coverage

Architecture Components

Component	Function	Critical Failure Modes	Resource Requirements
Controllers	Policy management, brains of system	First to break on K8s upgrades	1-2GB RAM, 200-500m CPU
Enforcers	DaemonSet traffic blocking	Crash with containerd misconfig	300-800MB RAM, 100-300m CPU
Manager	Web UI (Angular/Scala)	SSL cert lockouts	512MB-1GB RAM
Scanners	Image vulnerability detection	CPU theft from workloads	2-4GB RAM when active

Minimum cluster requirement: 4GB+ RAM total across all nodes

Critical Configuration Requirements

Essential Helm Installation Flags

helm upgrade --install neuvector neuvector/core \
  --namespace neuvector --create-namespace \
  --set tag=5.4.4 \
  --set containerd.enabled=true \
  --set k3s.enabled=true \
  --set controller.replicas=3 \
  --set manager.env.ssl=off \
  --set controller.resources.limits.memory=1Gi \
  --set enforcer.resources.limits.memory=512Mi

Critical Flag Explanations

• containerd.enabled=true: MANDATORY - Without this, enforcers crash with "Unknown container runtime" error
• k3s.enabled=true: Required for K3s clusters due to non-standard socket paths
• controller.replicas=3: Default of 1 causes downtime during K8s upgrades
• ssl=off: Prevents SSL certificate lockout issues
• Memory limits: Default limits cause OOMKilled (exit code 137) in production

Deployment Failure Scenarios & Solutions

Container Runtime Issues

Problem: "Unknown container runtime" error
Root Cause: Missing containerd configuration
Solution: Always set containerd.enabled=true
Additional Context: K3s changes socket paths between versions unpredictably

Memory Exhaustion

Problem: Exit code 137 (OOMKilled)
Impact: Complete security policy enforcement failure
Solution: Set enforcer memory to minimum 512Mi, controllers to 1Gi
Warning: Marketing claims of "lightweight" are false

Learning Phase Disruption

Problem: Policy learning resets to zero
Trigger: Any new deployment during learning period
Impact: 1-2 weeks of learning time lost
Mitigation: Freeze all deployments for minimum 1 week during learning

Performance Impact Reality

Network Latency Addition

• HTTP traffic: 1-3ms (not the claimed <1ms)
• gRPC with large payloads: 5-15ms
• TLS termination in containers: 10-50ms
• Operational impact: Requires increasing connection pool sizes from 20 to 50, timeout increases of 10-20ms

Resource Consumption (20-node cluster example)

• Total NeuVector overhead: 8-12GB RAM
• Per-request processing: 2-3% CPU spike
• Network throughput reduction: ~5-10% under heavy load

Cloud Provider Specific Failures

AWS EKS

• Bottlerocket: Requires custom containerd socket paths (undocumented)
• Fargate: Incompatible (requires DaemonSet node access)
• ALB: Non-standard header manipulation breaks network learning

Azure AKS

• Windows nodes: Require separate enforcer configurations
• AKS 1.28+: Upgrades break enforcer communication with "failed to connect to controller:11443"
• Azure CNI: Conflicts with network policies

Google GKE

• Autopilot: Incompatible (blocks privileged access)
• Container-Optimized OS: Needs additional security contexts

Decision Support Matrix

Use NeuVector When:

• Open source requirement is non-negotiable
• Budget constraint: <$2,000/node/year vs $3,000-4,000+ for alternatives
• Learning-based policy generation preferred over manual YAML writing
• Runtime protection more important than perfect vulnerability coverage

Avoid NeuVector When:

• Continuous deployment (multiple times daily) - learning phase never completes
• Custom CNI plugins in use - causes configuration conflicts
• Network latency <1ms required - adds 1-3ms minimum
• Under-resourced clusters - needs 4GB+ RAM overhead
• Windows container heavy environment - limited support

Production Deployment Timeline

Realistic Implementation Schedule

• Week 1: Installation, containerd troubleshooting, configuration fixes
• Week 2: Learning mode observation period
• Week 3: Policy fine-tuning, false positive resolution
• Week 4: Enforcement enablement, legitimate traffic blocking issues
• Week 5: Resource scaling, memory limit adjustments
• Week 6: Stability achievement

Critical Warning: Plan 2-3 months for production deployment, not the marketed "30-60 minutes"

Cost Analysis

NeuVector Total Cost of Ownership

• Software: $0 (open source)
• SUSE Support: $1,500-2,000/node/year
• Implementation time: 40-80 engineering hours
• Ongoing maintenance: 4-8 hours/month

Competitive Comparison

Solution	Cost/Node/Year	Strengths	Critical Weaknesses
NeuVector	$1,500	Open source, auto-learning	UI quality, edge case bugs
Aqua Security	$3,000+	Bulletproof runtime protection	Expensive, complex policies
Prisma Cloud	$4,000+	Comprehensive features	Corporate bloat, steep learning
Sysdig Secure	$3,000+	Excellent observability	Manual policy management

Compliance Coverage Reality

What Works:

• CIS Kubernetes benchmark scanning: Catches real misconfigurations
• Basic policy violation reporting
• Comprehensive audit logging (potentially excessive)

What's Missing:

• SOC 2 Type II: Requires manual report interpretation
• PCI DSS: Basic coverage only, additional controls needed
• GDPR: Mostly documentation templates

Common Troubleshooting Scenarios

Enforcer Communication Failures

Symptom: "failed to connect to controller:11443"
Common Causes:

• Network policy conflicts
• Kubernetes upgrade compatibility issues
• SSL certificate problems

Policy Blocking Legitimate Traffic

Root Causes:

• Load balancer IP rotation (AWS ALB)
• Batch job execution outside normal patterns
• Service autoscaling changing traffic patterns
  Solution: Whitelist monitoring endpoints before enabling enforcement

Learning Phase Never Completing

Triggers:

• CI/CD deployments during learning
• Dynamic service discovery
• Frequent configuration changes
  Mitigation: Complete deployment freeze during learning period

Support & Documentation Quality Assessment

Effective Resources:

• GitHub Issues: Active maintainer response, search before posting
• Stack Overflow: Real-world problem solutions
• Andreas Marqvardsen's technical deep dive: Production deployment walkthrough

Limited Value Resources:

• Official documentation: 80% coverage, lacks edge case troubleshooting
• SUSE marketing materials: Inflated performance claims
• Level 1 support: Basic issues only, escalation required for complex problems

Integration Requirements

SIEM Integration

• Syslog format requires custom parsing rules
• Splunk built-in app more confusing than custom queries
• High volume of events requires filtering strategy

Authentication Integration

• LDAP: Requires anonymous bind (security team resistance)
• SAML: Better option but needs SUSE support contract
• Local auth: Not suitable for enterprise environments

Version-Specific Critical Information

Current Stable: 5.4.4

• Fixes container runtime detection with newer containerd
• Resolves K8s 1.29 compatibility issues
• Helm chart version 2.8.8 recommended

Upgrade Risks:

• Controllers fail if only 1 replica during K8s upgrades
• Enforcers may need manual restarts post-upgrade
• Network policies can break with version mismatches

This reference provides all operational intelligence needed for successful NeuVector deployment while highlighting real-world constraints and failure modes that affect implementation decisions.