Adding HA notes for NeuVector

e022d560 · brandt keller · Micah Nagel · b612e786 · e022d560
Commit e022d560 authored 2 years ago by brandt keller Committed by Micah Nagel 2 years ago
--- a/docs/understanding-bigbang/package-architecture/neuvector.md
+++ b/docs/understanding-bigbang/package-architecture/neuvector.md
-# Neuvector
+# NeuVector

 ## Overview

@@ -10,7 +10,7 @@

 ### UI

-The Neuvector UI runs on the manager, a simple pod that providesis the primary way of accessing and managing Neuvector. The UI is accessible via a web application on the cluster at the DNS name "neuvector" (e.g. neuvector.bigbang.dev/). UI access is exposed through the Istio Virtual Service. For more information, see [Using the Neuvector UI](https://open-docs.neuvector.com/navigation/navigation).
+The Neuvector UI runs on the manager, a simple pod that provides the primary way of accessing and managing NeuVector. The UI is accessible via a web application on the cluster at the DNS name "neuvector" (e.g. neuvector.bigbang.dev/). UI access is exposed through the Istio Virtual Service. For more information, see [Using the NeuVector UI](https://open-docs.neuvector.com/navigation/navigation).

 ### Dependency Packages

@@ -38,4 +38,35 @@ When deploying BigBang, neuvector depends on monitoring, gatekeeper/kyverno, and
  {{- end }}
 ```

+## High Availability

+NeuVector provides High Availability for the controller and scanner deployments with `3` replicas and a default `podAntiAffinity` in order to attempt installation of replicas to separate nodes if possible. These can be modified by providing new values to `controller.replicas` and `scanner.replicas` accordingly. 
+
+```yaml
+neuvector:
+  values:
+    controller:
+      replicas: 3
+
+    scanner:
+      replicas: 3
+```
+
+The enforcer pods are part of a daemonset that will be based upon the number of cluster nodes - with default tolerations for standard control-plane taints. Addition tolerations can be set for nodes by appending to the existing set:
+
+**Note:** The controller, manager, and cve.scanner deployments can also have their tolerations updated by mirroring this process. 
+
+```yaml
+neuvector:
+  values:
+    enforcer: # controller, manager, cve.scanner also have tolerations
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+        - effect: NoSchedule
+          key: custom-example-taint
+```
+
+The manager deployment houses the Security Center Admin Console and is explicitly set to `1` replica and cannot be scaled.