OpenShift - Advanced Cluster Security

This repository explores the typical installation scenarios and relevant considerations of Red Hat Advanced Cluster Security.

1. Introduction

Red Hat Advanced Cluster Security is an enterprise-ready, Kubernetes-native container security solution that enables you to securely build, deploy, and run cloud-native applications anywhere.

In this repository, we will use the GitOps approach to deploy and configure a typical setup of RHACS.

2. What am I doing?

This repository uses an ArgoCD application to deploy RHACS from scratch in your OpenShift cluster. These are the features currently configured:

  • Deploy the RHACS operator on the rhacs-operator namespace.

  • Deploy an ACS Central instance in the stackrox namespace.

  • OCP Job to download the init-bundle from Central and create the OCP secrets. This Job uses an SA with RBAC to create secrets in the stackrox namespace.

  • OCP Job to download vulnerabilities from stackrox.io and upload them to Central.

  • WIP: Create a ConsoleLink to quickly access the Central instance.

  • WIP: Create a SecuredCluster to monitor the local cluster.

3. Installation

💡 This installation mode expects you to have an OCP GitOps instance running in your cluster. If not, you can use this repo to deploy an ArgoCD instance fully configured for this approach: https://github.com/alvarolop/ocp-gitops-playground. Once cloned, use the ./auto-install.sh script to deploy ArgoCD.

If you have fulfilled the prerequisite, just apply the ArgoCD application on your cluster:

oc apply -f application-rhacs.yaml

Wait for a few seconds, and you should see how the operator and components are deployed and configured.

4. Container image for Jobs

Some of the OCP Jobs that we use in this repo for day 2 configuration of RHACS need several tools:

  • curl to download vulnerabilities and check if Central is deployed.

  • oc cli to apply initBundle secrets.

  • roxctl to download the initBundle and also apply the vulnerabilities.

There isn’t a Red Hat-supported image containing all the previously mentioned binaries. Therefore, I’ve created a really basic container image based on the RH-supported ose-cli image with the required roxctl binary. It is publicly accessible at quay.io/alopezme/rhacs-roxctl-oc.

If you want to build your own, you can do it with the following commands:

# Build the container image
podman build -t quay.io/alopezme/rhacs-roxctl-oc:4.3.4 .

# Push it to the container registry
podman push quay.io/alopezme/rhacs-roxctl-oc:4.3.4
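As an added example (not a manifest from this repo), here is how the init-bundle Job described in section 2 can be wired to the image from this section with a least-privilege ServiceAccount: the Role grants only the Secret verbs that `oc apply` needs, scoped to the stackrox namespace. All object names, the rhacs-api-token Secret and the Central ping path are assumptions.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata: {name: rhacs-init-bundle, namespace: stackrox}   # names are assumed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: rhacs-init-bundle, namespace: stackrox}
rules:
  # Least privilege: only Secrets, only the verbs `oc apply` needs, only in stackrox
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: rhacs-init-bundle, namespace: stackrox}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: rhacs-init-bundle}
subjects:
  - {kind: ServiceAccount, name: rhacs-init-bundle, namespace: stackrox}
---
apiVersion: batch/v1
kind: Job
metadata: {name: rhacs-init-bundle, namespace: stackrox}
spec:
  backoffLimit: 5
  template:
    spec:
      serviceAccountName: rhacs-init-bundle
      restartPolicy: OnFailure
      containers:
        - name: init-bundle
          image: quay.io/alopezme/rhacs-roxctl-oc:4.3.4
          env:
            # Assumed: an API token with the admin role, stored beforehand in Secret rhacs-api-token
            - name: ROX_API_TOKEN
              valueFrom: {secretKeyRef: {name: rhacs-api-token, key: token}}
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # Wait until Central answers (ping path assumed) before generating anything
              until curl -ksf https://central.stackrox.svc/v1/ping >/dev/null; do sleep 10; done
              # roxctl reads ROX_API_TOKEN; skipping TLS verification is only acceptable while
              # Central still serves its self-signed certificate (pass --ca once you have one)
              roxctl -e central.stackrox.svc:443 --insecure-skip-tls-verify \
                central init-bundles generate local-cluster --output-secrets /tmp/bundle.yaml
              # The SA's Role permits exactly this step: creating/patching Secrets in stackrox
              oc apply -n stackrox -f /tmp/bundle.yaml
```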

5. Script-based installation

If you don’t have an ArgoCD at hand, or you don’t want to install it, you can still use the legacy installation mode based on a Shell script. Execute the following command:

./auto-install.sh

ℹ️ Take into account that this script is limited and currently just deploys ACS in Online mode.

6. Useful Documentation