Merge pull request #20 from SUSE-Enceladus/exist-policy

Use existing role policy
SUSE-Enceladus · Sep 14, 2023 · ebecce9 · ebecce9
2 parents 031115c + 6ac13b3
commit ebecce9
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 28 deletions.
diff --git a/content/neuvector-prime/aws/contents.lr b/content/neuvector-prime/aws/contents.lr
@@ -41,16 +41,7 @@ This will return the OIDC provider's ARN, with the ID at the end.
 
 ### IAM Role
 
-To provide the necessary permissions, an IAM policy and an attached role are required. The role is passed as an argument during the *helm* deployment. Download [`neuvector-csp-iam-policy.json`](./neuvector-csp-iam-policy.json) to locally inspect the policy. Create the policy with a *policy name* of your choosing:
-
-```
-curl https://suse-enceladus.github.io/marketplace-docs/neuvector-prime/aws/neuvector-csp-iam-policy.json \
-  > neuvector-csp-iam-policy.json
-
-aws iam create-policy \
-  --policy-name $POLICY_NAME \
-  --policy-document file://neuvector-csp-iam-policy.json
-```
+To provide the necessary permissions, an IAM role and an attached policy are required. The role is passed as an argument during the *helm* deployment.
 
 Download [`neuvector-csp-iam-role.json`](./neuvector-csp-iam-role.json) to your current working directory. Edit the document, where:
 
@@ -70,7 +61,7 @@ aws iam create-role \
 ```
 aws iam attach-role-policy \
   --role-name $ROLE_NAME \
-  --policy-arn=arn:aws:iam::$AWS_ACCOUNT_ID:policy/$POLICY_NAME
+  --policy-arn=arn:aws:iam::aws:policy/AWSMarketplaceMeteringFullAccess
 ```
 
 ## Admin password
@@ -91,6 +82,7 @@ users:
 Deploy this config to your EKS cluster:
 
 ```
+kubectl create namespace neuvector
 kubectl create secret generic neuvector-init \
   --from-file=userinitcfg.yaml -n neuvector
 ```
@@ -148,10 +140,10 @@ This URL provides access to the NeuVector console which is running by default on
 The NeuVector scanner image is updated daily with a new CVE database. These updates are found on the NeuVector Docker hub registry. It is recommended that the image path be changed to allow for automated daily updates. This can be accomplished by modifying the scanner and updater image paths after successful deployment:
 
 ```
-kubectl set image deploy/neuvector-scanner-pod \
+kubectl set image -n neuvector deploy/neuvector-scanner-pod \
   neuvector-scanner-pod=docker.io/neuvector/scanner:latest
 
-kubectl set image  cronjob/neuvector-updater-pod \
+kubectl set image -n neuvector cronjob/neuvector-updater-pod \
   neuvector-updater-pod=docker.io/neuvector/updater:latest
 ```
 

diff --git a/content/neuvector-prime/aws/neuvector-csp-iam-policy.json b/content/neuvector-prime/aws/neuvector-csp-iam-policy.json
diff --git a/content/neuvector-prime/aws/neuvector-csp-iam-policy.json.lr b/content/neuvector-prime/aws/neuvector-csp-iam-policy.json.lr