#+TITLE: Red Hat Advanced Cluster Security #+DATE: <2025-01-28 Tue> #+AUTHOR: James Blair * Initial demo setup ** Verify cluster auth status #+NAMEL: Verify cluster login status #+begin_src tmux oc status && oc whoami #+end_src ** Install the compliance operator #+NAME: Install openshift compliance operator #+begin_src tmux cat << EOF | oc apply --filename - # Create a dedicated namespace for dev spaces apiVersion: v1 kind: Namespace metadata: name: openshift-compliance --- # Create an operatorgroup resource for the openshift-compliance namespace apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: openshift-compliance-8m7b7 namespace: openshift-compliance --- # Create a subscription for the compliance operator apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: compliance-operator namespace: openshift-compliance spec: channel: stable installPlanApproval: Automatic source: redhat-operators sourceNamespace: openshift-marketplace name: compliance-operator EOF #+end_src ** Create compliance scanschedule #+NAME: Create compliance scan schedule #+begin_src tmux apiVersion: compliance.openshift.io/v1alpha1 kind: ComplianceSuite metadata: finalizers: - suite.finalizers.compliance.openshift.io name: nist-800-53-daily namespace: openshift-compliance spec: scans: - content: ssg-ocp4-ds.xml contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:b286929357b82f8ff3845f535bab23382bf06f075ff2379063e2456f1a93e809 maxRetryOnTimeout: 3 name: ocp4-moderate profile: xccdf_org.ssgproject.content_profile_moderate rawResultStorage: pvAccessModes: - ReadWriteOnce rotation: 3 size: 1Gi scanTolerations: - operator: Exists scanType: Platform showNotApplicable: false strictNodeScan: false timeout: 30m0s - content: ssg-ocp4-ds.xml contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:b286929357b82f8ff3845f535bab23382bf06f075ff2379063e2456f1a93e809 maxRetryOnTimeout: 3 name: ocp4-moderate-node-master nodeSelector: node-role.kubernetes.io/master: "" profile: xccdf_org.ssgproject.content_profile_moderate-node rawResultStorage: pvAccessModes: - ReadWriteOnce rotation: 3 size: 1Gi scanTolerations: - operator: Exists scanType: Node showNotApplicable: false strictNodeScan: false timeout: 30m0s - content: ssg-ocp4-ds.xml contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:b286929357b82f8ff3845f535bab23382bf06f075ff2379063e2456f1a93e809 maxRetryOnTimeout: 3 name: ocp4-moderate-node-worker nodeSelector: node-role.kubernetes.io/worker: "" profile: xccdf_org.ssgproject.content_profile_moderate-node rawResultStorage: pvAccessModes: - ReadWriteOnce rotation: 3 size: 1Gi scanTolerations: - operator: Exists scanType: Node showNotApplicable: false strictNodeScan: false timeout: 30m0s schedule: 0 1 * * * suspend: false #+end_src ** Authenticate with roxctl #+NAME: Login to central via roxctl #+begin_src tmux source .env roxctl central login && roxctl central whoami #+end_src * Demo - Identifying vulnerabilities in a workload #+NAME: Deploy a workload with interesting cve's #+begin_src tmux oc apply --filename medical-application --recursive #+end_src #+NAME: Scan a workload image with roxctl #+begin_src tmux roxctl image scan --image quay.io/rhacs-demo/netflow:latest #+end_src #+NAME: Check a workload image with roxctl #+begin_src tmux roxctl image check --image quay.io/rhacs-demo/netflow:latest #+end_src * Demo - Runtime enforcement to scale down a vulnerable workload #+NAME: Delete payments processor #+begin_src tmux oc delete --filename medical-application/payments/everything.yml #+end_src #+NAME: Create payments processor #+begin_src tmux oc apply --filename medical-application/payments/everything.yml #+end_src #+NAME: Delete vulnerable log4j deployment #+begin_src tmux oc delete --filename spring4shell-app/deployment.yaml #+end_src #+NAME: Create vulnerable log4j deployment #+begin_src tmux oc apply --filename spring4shell-app/deployment.yaml #+end_src * Demo - Roxctl netpol generate #+begin_src tmux roxctl netpol generate medical-application/payments/everything.yml --output-dir payments-policies --remove #+end_src #+begin_src tmux roxctl netpol connectivity map payments-policies --output-format dot #+end_src