# Red Hat Advanced Cluster Security
- Initial demo setup
- Demo - Identifying vulnerabilities in a workload
- Demo - Runtime enforcement to scale down a vulnerable workload
- Demo - Roxctl netpol generate
## Initial demo setup

### Verify cluster authentication status

```shell
oc status && oc whoami
```
### Install the compliance operator

```shell
cat << EOF | oc apply --filename -
# Create a dedicated namespace for the compliance operator
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-compliance
---
# Create an OperatorGroup resource for the openshift-compliance namespace
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-compliance-8m7b7
  namespace: openshift-compliance
---
# Create a subscription for the compliance operator
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: compliance-operator
  namespace: openshift-compliance
spec:
  channel: stable
  installPlanApproval: Automatic
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  name: compliance-operator
EOF
```
### Create a compliance scan schedule

Wait until the Subscription above has installed the operator (the `ComplianceSuite` CRD must exist before this apply succeeds), then create a suite that runs the moderate platform profile against the cluster and the moderate node profile against the master and worker nodes, every day at 01:00 (`schedule: "0 1 * * *"`):

```shell
cat << EOF | oc apply --filename -
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  finalizers:
    - suite.finalizers.compliance.openshift.io
  name: nist-800-53-daily
  namespace: openshift-compliance
spec:
  scans:
    # Platform scan: API server, etcd, RBAC and other cluster-level checks
    - content: ssg-ocp4-ds.xml
      contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:b286929357b82f8ff3845f535bab23382bf06f075ff2379063e2456f1a93e809
      maxRetryOnTimeout: 3
      name: ocp4-moderate
      profile: xccdf_org.ssgproject.content_profile_moderate
      rawResultStorage:
        pvAccessModes:
          - ReadWriteOnce
        rotation: 3
        size: 1Gi
      scanTolerations:
        - operator: Exists
      scanType: Platform
      showNotApplicable: false
      strictNodeScan: false
      timeout: 30m0s
    # Node scan for control-plane nodes
    - content: ssg-ocp4-ds.xml
      contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:b286929357b82f8ff3845f535bab23382bf06f075ff2379063e2456f1a93e809
      maxRetryOnTimeout: 3
      name: ocp4-moderate-node-master
      nodeSelector:
        node-role.kubernetes.io/master: ""
      profile: xccdf_org.ssgproject.content_profile_moderate-node
      rawResultStorage:
        pvAccessModes:
          - ReadWriteOnce
        rotation: 3
        size: 1Gi
      scanTolerations:
        - operator: Exists
      scanType: Node
      showNotApplicable: false
      strictNodeScan: false
      timeout: 30m0s
    # Node scan for worker nodes
    - content: ssg-ocp4-ds.xml
      contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:b286929357b82f8ff3845f535bab23382bf06f075ff2379063e2456f1a93e809
      maxRetryOnTimeout: 3
      name: ocp4-moderate-node-worker
      nodeSelector:
        node-role.kubernetes.io/worker: ""
      profile: xccdf_org.ssgproject.content_profile_moderate-node
      rawResultStorage:
        pvAccessModes:
          - ReadWriteOnce
        rotation: 3
        size: 1Gi
      scanTolerations:
        - operator: Exists
      scanType: Node
      showNotApplicable: false
      strictNodeScan: false
      timeout: 30m0s
  schedule: "0 1 * * *"
  suspend: false
EOF
```
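Once the suite has run, each rule produces a `ComplianceCheckResult` object in the `openshift-compliance` namespace. The script below is an added example (not part of this demo or the compliance operator) that triages those results: it reads the JSON printed by `oc get compliancecheckresults -n openshift-compliance -o json`, counts results per scan and status using the `compliance.openshift.io/scan-name` label, lists the high-severity `FAIL` checks, and returns a gate decision usable as a pipeline exit code. The embedded sample list and its check names are constructed for offline use and are not real scan output.

```python
"""Triage ComplianceCheckResult objects produced by the compliance operator."""
import json
import sys
from collections import Counter, defaultdict

SCAN_LABEL = "compliance.openshift.io/scan-name"
SEVERITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3}


def check_result(name, scan, severity, status):
    """Build one item in the shape `oc get compliancecheckresults -o json` returns.
    Only the fields this script reads are filled in (constructed sample data)."""
    return {
        "apiVersion": "compliance.openshift.io/v1alpha1",
        "kind": "ComplianceCheckResult",
        "metadata": {"name": name, "namespace": "openshift-compliance",
                     "labels": {SCAN_LABEL: scan}},
        "severity": severity,
        "status": status,
    }


# Constructed sample: a List as printed by `oc get compliancecheckresults -o json`.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        check_result("ocp4-moderate-sample-check-a", "ocp4-moderate", "medium", "FAIL"),
        check_result("ocp4-moderate-sample-check-b", "ocp4-moderate", "high", "PASS"),
        check_result("ocp4-moderate-node-master-sample-check-c",
                     "ocp4-moderate-node-master", "high", "FAIL"),
        check_result("ocp4-moderate-node-worker-sample-check-d",
                     "ocp4-moderate-node-worker", "medium", "MANUAL"),
    ],
})


def load_results(text):
    """Parse the JSON list and return its items."""
    return json.loads(text).get("items", [])


def summarize(items):
    """Count results per scan and status, e.g. {'ocp4-moderate': {'FAIL': 1, 'PASS': 1}}."""
    per_scan = defaultdict(Counter)
    for item in items:
        scan = item.get("metadata", {}).get("labels", {}).get(SCAN_LABEL, "unknown")
        per_scan[scan][item.get("status", "UNKNOWN")] += 1
    return {scan: dict(counts) for scan, counts in per_scan.items()}


def failing(items, min_severity="high"):
    """Names of FAIL results whose severity is at least min_severity, sorted."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted(
        item["metadata"]["name"]
        for item in items
        if item.get("status") == "FAIL"
        and SEVERITY_RANK.get(item.get("severity", "unknown"), 0) >= threshold
    )


def gate(items, min_severity="high"):
    """True when no FAIL at or above min_severity remains; use as a pipeline exit condition."""
    return not failing(items, min_severity)


def main(argv):
    # Usage: oc get compliancecheckresults -n openshift-compliance -o json | python3 triage.py -
    if len(argv) > 1 and argv[1] != "-":
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    elif len(argv) > 1:
        text = sys.stdin.read()
    else:
        text = SAMPLE_JSON  # offline demo with the constructed sample
    items = load_results(text)
    for scan, counts in sorted(summarize(items).items()):
        print(f"{scan}: {counts}")
    for name in failing(items):
        print(f"high-severity FAIL: {name}")
    return 0 if gate(items) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample, or pipe the real `oc get ... -o json` output into it with `-`; the exit code is 1 whenever a high-severity check fails, so the same script can block a promotion step.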
### Authenticate with roxctl

The `.env` file is expected to set the Central endpoint that roxctl connects to; log in and confirm the identity Central sees:

```shell
source .env
roxctl central login && roxctl central whoami
```
## Demo - Identifying vulnerabilities in a workload

Deploy the sample application, then inspect one of its images: `roxctl image scan` lists the vulnerabilities found in the image, while `roxctl image check` evaluates the image against the build-time policies configured in Central and reports violations, exiting non-zero when a violated policy has enforcement enabled:

```shell
oc apply --filename medical-application --recursive
roxctl image scan --image quay.io/rhacs-demo/netflow:latest
roxctl image check --image quay.io/rhacs-demo/netflow:latest
```
## Demo - Runtime enforcement to scale down a vulnerable workload

Delete and re-create each vulnerable workload so that it is admitted afresh and the enforcement action of the matching policy (scaling the deployment down) can be observed:

```shell
oc delete --filename medical-application/payments/everything.yml
oc apply --filename medical-application/payments/everything.yml
oc delete --filename spring4shell-app/deployment.yaml
oc apply --filename spring4shell-app/deployment.yaml
```
## Demo - Roxctl netpol generate

Generate NetworkPolicy manifests from the payments workload definition (`--remove` clears `payments-policies` first if it already exists), then render the connectivity the generated policies permit as a Graphviz `dot` graph:

```shell
roxctl netpol generate medical-application/payments/everything.yml --output-dir payments-policies --remove
roxctl netpol connectivity map payments-policies --output-format dot
```
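To understand what the connectivity map is answering, the following added example (not roxctl's implementation, and not part of this demo) evaluates a set of NetworkPolicy manifests, given as Python dicts in the JSON form `kubectl`/`oc` accept, against a list of workloads and computes which workload pairs the policies permit, emitting the result in `dot`. It models the Kubernetes semantics that matter most in practice: a pod selected by no policy for a direction accepts everything, otherwise the union of matching rules must admit the peer, a `podSelector` peer without a `namespaceSelector` is scoped to the policy's namespace, and `policyTypes` defaults to Ingress plus Egress only when an `egress` section exists. It supports `matchLabels` selectors only and ignores `ipBlock` peers and ports (assumptions). The `payments` namespace, the three workloads and the policies are constructed sample data; the second sample set omits the default-deny policy to show why the generated policies include one.

```python
"""Minimal NetworkPolicy connectivity map (added example, not roxctl's algorithm)."""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    namespace: str
    labels: dict


def matches(selector, labels):
    """Kubernetes label selector subset: an empty/None selector matches everything,
    otherwise every matchLabels pair must be present (matchExpressions not modelled)."""
    want = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def peer_matches(peer, other, policy_ns, ns_labels):
    """Evaluate one `from`/`to` peer against workload `other`.
    A podSelector without namespaceSelector is scoped to the policy's own namespace."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only peers are not modelled (assumption)
    if ns_sel is None:
        ns_ok = other.namespace == policy_ns
    else:
        ns_ok = matches(ns_sel, ns_labels.get(other.namespace, {}))
    pod_ok = pod_sel is None or matches(pod_sel, other.labels)
    return ns_ok and pod_ok


def direction_allowed(policies, subject, other, direction, ns_labels):
    """direction='Ingress': may `other` send to `subject`? 'Egress': may `subject` send to `other`?
    No policy selecting `subject` for that direction means allow-all; otherwise some rule must match."""
    selected = False
    for pol in policies:
        if pol["metadata"]["namespace"] != subject.namespace:
            continue
        spec = pol["spec"]
        if not matches(spec.get("podSelector", {}), subject.labels):
            continue
        types = spec.get("policyTypes")
        if not types:  # Kubernetes default: Ingress always, Egress only if an egress section exists
            types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if direction not in types:
            continue
        selected = True
        rules = spec.get("ingress" if direction == "Ingress" else "egress") or []
        for rule in rules:
            peers = rule.get("from" if direction == "Ingress" else "to")
            if not peers:  # a rule without peers admits every source/destination
                return True
            if any(peer_matches(p, other, subject.namespace, ns_labels) for p in peers):
                return True
    return not selected


def connectivity_map(workloads, policies, ns_labels):
    """Set of (src, dst) workload names whose traffic both src's egress and dst's ingress admit."""
    allowed = set()
    for src in workloads:
        for dst in workloads:
            if src is dst:
                continue
            egress_ok = direction_allowed(policies, src, dst, "Egress", ns_labels)
            ingress_ok = direction_allowed(policies, dst, src, "Ingress", ns_labels)
            if egress_ok and ingress_ok:
                allowed.add((src.name, dst.name))
    return allowed


def to_dot(allowed):
    """Render the permitted edges as a Graphviz digraph."""
    lines = ["digraph connectivity {"]
    lines.extend(f'  "{src}" -> "{dst}";' for src, dst in sorted(allowed))
    lines.append("}")
    return "\n".join(lines)


# Constructed sample data: a payments namespace with three workloads.
NS = "payments"
WORKLOADS = [
    Workload("gateway", NS, {"app": "gateway"}),
    Workload("processor", NS, {"app": "processor"}),
    Workload("database", NS, {"app": "database"}),
]
NS_LABELS = {NS: {"kubernetes.io/metadata.name": NS}}


def ingress_policy(name, target, sources):
    """Constructed NetworkPolicy: pods matching `target` accept ingress only from `sources`.
    An empty `target` selects every pod; an empty `sources` list yields a default-deny policy."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": NS},
        "spec": {
            "podSelector": {"matchLabels": target} if target else {},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"podSelector": {"matchLabels": s}} for s in sources]}] if sources else [],
        },
    }


def sample_policies(with_default_deny=True):
    policies = [
        ingress_policy("allow-gateway-to-processor", {"app": "processor"}, [{"app": "gateway"}]),
        ingress_policy("allow-processor-to-database", {"app": "database"}, [{"app": "processor"}]),
    ]
    if with_default_deny:
        policies.insert(0, ingress_policy("default-deny-ingress", {}, []))
    return policies


if __name__ == "__main__":
    print(to_dot(connectivity_map(WORKLOADS, sample_policies(), NS_LABELS)))
```

With the default-deny policy present, only `gateway -> processor` and `processor -> database` survive; drop it and every workload becomes reachable by `gateway`, because a pod no policy selects accepts all ingress. Comparing the map produced for the generated `payments-policies` against the flows the application actually needs is the check worth doing before applying the policies to the cluster.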