#+TITLE: Red Hat Advanced Cluster Security
#+DATE: <2025-01-28 Tue>
#+AUTHOR: James Blair
* Initial demo setup
** Verify cluster auth status
#+NAME: Verify cluster login status
#+begin_src tmux
# Show the current project/context, then the identity the kubeconfig is using;
# the second command only runs if the first succeeds.
oc status \
  && oc whoami
#+end_src
** Install the compliance operator
#+NAME: Install openshift compliance operator
#+begin_src tmux
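# Install the compliance operator: namespace, OperatorGroup and Subscription
# applied in one pass. The heredoc delimiter is quoted so the shell performs
# no parameter or command expansion inside the manifests.
cat << 'EOF' | oc apply --filename -
# Dedicated namespace for the compliance operator
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-compliance
---
# OperatorGroup for the openshift-compliance namespace.
# NOTE(review): no spec.targetNamespaces is set, which makes the group
# all-namespaces scoped; confirm that is intended rather than targeting
# only openshift-compliance.
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-compliance-8m7b7
  namespace: openshift-compliance
---
# Subscription that installs the compliance operator from the Red Hat catalog.
# installPlanApproval: Automatic applies operator upgrades on the stable
# channel without review; use Manual where upgrades must be gated.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: compliance-operator
  namespace: openshift-compliance
spec:
  channel: stable
  installPlanApproval: Automatic
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  name: compliance-operator
EOF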
#+end_src
** Create compliance scan schedule
#+NAME: Create compliance scan schedule
#+begin_src tmux
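# Create a daily ComplianceSuite (one platform scan plus a node scan for each
# node role). The original block was bare YAML inside a shell source block, so
# it could not be executed as written; it is piped through oc apply here in the
# same way as the operator install block. Heredoc delimiter is quoted to avoid
# shell expansion inside the manifest.
cat << 'EOF' | oc apply --filename -
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  # NOTE(review): finalizer looks carried over from an exported object; the
  # operator normally manages it itself, so it is presumably safe to omit.
  finalizers:
    - suite.finalizers.compliance.openshift.io
  name: nist-800-53-daily
  namespace: openshift-compliance
spec:
  scans:
    # Platform-type scan against the moderate profile.
    - content: ssg-ocp4-ds.xml
      # Content image pinned by digest so benchmark content is reproducible.
      contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:b286929357b82f8ff3845f535bab23382bf06f075ff2379063e2456f1a93e809
      maxRetryOnTimeout: 3
      name: ocp4-moderate
      profile: xccdf_org.ssgproject.content_profile_moderate
      rawResultStorage:
        pvAccessModes:
          - ReadWriteOnce
        rotation: 3
        size: 1Gi
      # operator: Exists with no key tolerates every taint, so tainted nodes
      # are scanned as well.
      scanTolerations:
        - operator: Exists
      scanType: Platform
      showNotApplicable: false
      strictNodeScan: false
      timeout: 30m0s
    # Node-type scan restricted to control-plane nodes via nodeSelector.
    - content: ssg-ocp4-ds.xml
      contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:b286929357b82f8ff3845f535bab23382bf06f075ff2379063e2456f1a93e809
      maxRetryOnTimeout: 3
      name: ocp4-moderate-node-master
      nodeSelector:
        node-role.kubernetes.io/master: ""
      profile: xccdf_org.ssgproject.content_profile_moderate-node
      rawResultStorage:
        pvAccessModes:
          - ReadWriteOnce
        rotation: 3
        size: 1Gi
      scanTolerations:
        - operator: Exists
      scanType: Node
      showNotApplicable: false
      strictNodeScan: false
      timeout: 30m0s
    # Node-type scan restricted to worker nodes via nodeSelector.
    - content: ssg-ocp4-ds.xml
      contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:b286929357b82f8ff3845f535bab23382bf06f075ff2379063e2456f1a93e809
      maxRetryOnTimeout: 3
      name: ocp4-moderate-node-worker
      nodeSelector:
        node-role.kubernetes.io/worker: ""
      profile: xccdf_org.ssgproject.content_profile_moderate-node
      rawResultStorage:
        pvAccessModes:
          - ReadWriteOnce
        rotation: 3
        size: 1Gi
      scanTolerations:
        - operator: Exists
      scanType: Node
      showNotApplicable: false
      strictNodeScan: false
      timeout: 30m0s
  # Cron expression quoted: it is a string, and quoting removes any parser
  # ambiguity around the leading digit and the asterisks.
  schedule: "0 1 * * *"
  suspend: false
EOF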
#+end_src
** Authenticate with roxctl
#+NAME: Login to central via roxctl
#+begin_src tmux
# Load Central connection settings from the local .env file (presumably the
# ROX_* variables roxctl reads — confirm). Keep this file out of version
# control; it is environment-specific.
. .env
# Log in to Central, then print the authenticated identity if login succeeded.
roxctl central login \
  && roxctl central whoami
#+end_src
* Demo - Identifying vulnerabilities in a workload
#+NAME: Deploy a workload with interesting CVEs
#+begin_src tmux
# Apply every manifest under the medical-application directory tree
# (-f/-R are the short forms of --filename/--recursive).
oc apply -f medical-application -R
#+end_src
#+NAME: Scan a workload image with roxctl
#+begin_src tmux
# Fetch the vulnerability report for the demo image from Central.
# ':latest' is a mutable tag, so the report can change between runs; pin a
# digest when results need to be reproducible.
roxctl image scan \
  --image quay.io/rhacs-demo/netflow:latest
#+end_src
#+NAME: Check a workload image with roxctl
#+begin_src tmux
# Evaluate the same image against Central's policies rather than just
# listing its CVEs; presumably a violated enforced policy yields a non-zero
# exit — verify against the roxctl version in use.
roxctl image check \
  --image quay.io/rhacs-demo/netflow:latest
#+end_src
* Demo - Runtime enforcement to scale down a vulnerable workload
#+NAME: Delete payments processor
#+begin_src tmux
# Remove the payments processor resources defined in everything.yml.
oc delete -f medical-application/payments/everything.yml
#+end_src
#+NAME: Create payments processor
#+begin_src tmux
# Recreate the payments processor so the runtime-enforcement demo can be
# observed scaling it down again.
oc apply -f medical-application/payments/everything.yml
#+end_src
#+NAME: Delete vulnerable log4j deployment
#+begin_src tmux
# Tear down the intentionally vulnerable demo deployment.
# NOTE(review): the block name says log4j but the path is spring4shell-app;
# confirm which vulnerability this demo actually exercises.
oc delete -f spring4shell-app/deployment.yaml
#+end_src
#+NAME: Create vulnerable log4j deployment
#+begin_src tmux
# Recreate the intentionally vulnerable demo deployment; the deploy-time
# policy response is what the demo is meant to show.
oc apply -f spring4shell-app/deployment.yaml
#+end_src
* Demo - Roxctl netpol generate
#+begin_src tmux
# Derive NetworkPolicy manifests for the payments workload from its
# manifests and write them to payments-policies; --remove clears any
# existing output directory first.
roxctl netpol generate medical-application/payments/everything.yml \
  --output-dir payments-policies \
  --remove
#+end_src
#+begin_src tmux
# Render the connectivity allowed by the generated policies as a Graphviz
# dot graph, useful for reviewing what the policies permit before applying.
roxctl netpol connectivity map payments-policies \
  --output-format dot
#+end_src