neuvector-enforcer

A per-node DaemonSet container that enforces NeuVector's zero-trust network and runtime security policies across every node in a Kubernetes cluster.


What is neuvector-enforcer?

The neuvector-enforcer image is the data-plane component of the NeuVector container security platform, maintained by SUSE. One Enforcer pod runs on every node in the cluster as a DaemonSet, sitting inline to inspect and enforce security policy on all container workloads on that node.

The Enforcer performs deep packet inspection up to Layer 7 to detect and block network threats — including DDoS, DNS attacks, SQL injection, and lateral movement between pods. It also monitors process and file activity inside running containers, enforcing allowlists derived from observed baseline behavior. When NeuVector operates in Protect mode, the Enforcer actively blocks unauthorized network connections and process executions in real time rather than just alerting on them.

The Enforcer does not make policy decisions on its own — it receives policy from the Controller and reports events back to it. Together they form the enforcement layer of the NeuVector platform, which also includes a Manager (web UI), Scanner (vulnerability scanning), and Updater (CVE database refresh).

How to use this image

The neuvector-enforcer is deployed as part of the full NeuVector stack via Helm. It runs as a DaemonSet and requires privileged access to the host network namespace to perform deep packet inspection and process monitoring.

Install the full NeuVector stack via Helm:

helm repo add neuvector https://neuvector.github.io/neuvector-helm/
helm repo update
helm install neuvector neuvector/core \
  --namespace neuvector --create-namespace \
  --set registry=registry.echo.ai \
  --set tag=5.3.0

To deploy the Enforcer DaemonSet directly via manifest:

apiVersion: apps/v1
kind: DaemonSet                     # one Enforcer pod per node
metadata:
  name: neuvector-enforcer-pod
  namespace: neuvector
spec:
  selector:
    matchLabels:
      app: neuvector-enforcer-pod
  template:
    metadata:
      labels:
        app: neuvector-enforcer-pod
    spec:
      serviceAccountName: enforcer
      containers:
        - name: neuvector-enforcer-pod
          image: registry.echo.ai/neuvector/enforcer:5.3.0   # pin to the same tag as Controller and Manager
          securityContext:
            privileged: true        # needed for packet inspection and process monitoring on the host
          env:
            - name: CLUSTER_JOIN_ADDR   # Controller service the Enforcer joins on start-up
              value: neuvector-svc-controller.neuvector

After the DaemonSet rolls out, each Enforcer pod joins the Controller cluster via ports 18301 (TCP/UDP) and 18401 (TCP), begins observing workload behavior in Discover mode, and starts enforcing policies once the Controller distributes them. To exclude a node from Enforcer scheduling — for example, a dedicated controller node — add a nodeAffinity rule to the DaemonSet spec.

Image variants

Published under neuvector/enforcer, the image is versioned in lockstep with the NeuVector platform:

  • enforcer:<version> — Version-pinned tags (e.g., 5.3.0) aligned with NeuVector platform releases. Controller, Enforcer, and Manager images must all run the same version — mismatched versions across components are not supported.
  • enforcer:latest — Tracks the most recent stable release. Not recommended for production as uncontrolled upgrades can cause version skew across the NeuVector component set.

Unlike the Scanner and Updater images — which are designed to be left on latest so they always carry the most current CVE database — the Enforcer should always be pinned to an explicit version tag and upgraded deliberately alongside the rest of the NeuVector stack.
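The two operational points above, keeping the Enforcer off a designated node with a nodeAffinity rule and keeping Controller, Enforcer and Manager on one version tag, are small enough to script. The helpers below are an added example, not tooling shipped by NeuVector or with this image. They assume POSIX sh plus awk; the label key and value, the pod names and the image lines are constructed, and the kubectl commands in the comments are the ones you would run against a live cluster.

```shell
#!/bin/sh
# Added example: operator helpers for an Enforcer rollout (not NeuVector code).

# Emit a strategic-merge patch that keeps the Enforcer DaemonSet off every node
# carrying label <key>=<value>. NotIn also matches nodes that lack the label
# entirely, so all other nodes keep receiving an Enforcer pod. Apply with:
#   kubectl -n neuvector patch daemonset neuvector-enforcer-pod \
#     -p "$(enforcer_exclusion_patch example.com/neuvector-controller-node true)"
# (the label key/value above are assumptions; use whatever marks your node)
enforcer_exclusion_patch() {
  label_key=$1
  label_value=$2
  cat <<EOF
{
  "spec": { "template": { "spec": { "affinity": { "nodeAffinity": {
    "requiredDuringSchedulingIgnoredDuringExecution": {
      "nodeSelectorTerms": [
        { "matchExpressions": [
            { "key": "$label_key", "operator": "NotIn", "values": ["$label_value"] }
        ] }
      ]
    }
  } } } } }
}
EOF
}

# Detect version skew across the NeuVector component set.
# Input on stdin: one "pod-name image-reference" pair per line, as printed by
#   kubectl get pods -n neuvector -o jsonpath='{range .items[*]}{.metadata.name} {.spec.containers[0].image}{"\n"}{end}'
# Scanner and Updater pods are skipped because they are expected to float on
# "latest". Prints each tag in use with the pods running it; exit status is 1
# when more than one tag is found among the remaining components, else 0.
check_version_skew() {
  awk '
    $1 ~ /scanner|updater/ { next }        # allowed to differ by design
    {
      img = $2
      sub(/@.*/, "", img)                   # drop a digest suffix if present
      n = split(img, segs, "/")             # last path segment is name[:tag]
      split(segs[n], nt, ":")
      tag = (nt[2] != "") ? nt[2] : "latest" # untagged references default to latest
      if (!(tag in seen)) { seen[tag] = ""; distinct++ }
      seen[tag] = seen[tag] " " $1
    }
    END {
      for (t in seen) print t ":" seen[t]
      exit (distinct > 1) ? 1 : 0
    }'
}

# Constructed samples standing in for the kubectl output above.
# A consistent set: every core component on 5.3.0, scanner floating on latest.
SAMPLE_CONSISTENT='neuvector-controller-pod-7f9c registry.echo.ai/neuvector/controller:5.3.0
neuvector-enforcer-pod-k2xq registry.echo.ai/neuvector/enforcer:5.3.0
neuvector-manager-pod-5d8b registry.echo.ai/neuvector/manager:5.3.0
neuvector-scanner-pod-9hj4 registry.echo.ai/neuvector/scanner:latest'

# A skewed set: the Enforcer DaemonSet was bumped ahead of the Controller.
SAMPLE_SKEWED='neuvector-controller-pod-7f9c registry.echo.ai/neuvector/controller:5.2.4
neuvector-enforcer-pod-k2xq registry.echo.ai/neuvector/enforcer:5.3.0
neuvector-manager-pod-5d8b registry.echo.ai/neuvector/manager:5.2.4
neuvector-scanner-pod-9hj4 registry.echo.ai/neuvector/scanner:latest'

# Convenience wrappers that return the skew check's exit status for each sample.
skew_check_consistent() { printf '%s\n' "$SAMPLE_CONSISTENT" | check_version_skew; }
skew_check_skewed()     { printf '%s\n' "$SAMPLE_SKEWED"     | check_version_skew; }
```

Run the skew check before and after a Helm upgrade: a non-zero exit, together with the printed pod list, tells you which component was left behind. The exclusion patch only prevents new scheduling on matching nodes; an Enforcer pod already running there is evicted by the DaemonSet controller once the patch is applied.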
