Progress on exercise 5.
@ -17,7 +17,7 @@ Ultimately the ACME team wants to manage everything with GitOps, but for today A

## 2.1 Installing the rhacs operator
## 2.1 - Installing the rhacs operator
You’re in front of a screen together with the Web Console open. The first step of installing the operator should be easy, better get started!
@ -28,7 +28,7 @@ Documentation you may find helpful is:
- https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.5/html-single/installing/index#install-acs-operator_install-central-ocp
## 2.2 Deploying central services
## 2.2 - Deploying central services
With the operator installed and healthy we now need to deploy an instance of **Central** for Angie. This Central instance will provide the management interface, API and secure the full fleet of ACME’s OpenShift clusters along with some EKS clusters ACME are currently running in AWS.
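Review bot: the unchanged context line `This Central instance will provide the management interface, API and secure the full fleet of ACME's OpenShift clusters...` mixes a noun list with a verb, so "secure" reads as a third thing Central provides; suggest `will provide the management interface and API, and secure the full fleet of ACME's OpenShift clusters along with some EKS clusters ACME is currently running in AWS.` Since this hunk is already touching the 2.2 heading, it is a cheap place to fix it.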
@ -48,7 +48,7 @@ Documentation you may find helpful is:
- https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.5/html-single/installing/index#verify-central-install-operator_install-central-ocp
## 2.3 Generating an init bundle
## 2.3 - Generating an init bundle
Alright, you've given Angie a quick tour around the Red Hat Advanced Cluster Security Console, now it's time to secure this hub cluster by generating an init bundle named `prd-acme-hub`.
@ -67,7 +67,7 @@ Documentation you may find helpful is:
- https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.5/html-single/installing/index#portal-generate-init-bundle_init-bundle-ocp
## 2.4 Securing the hub cluster
## 2.4 - Securing the hub cluster
The pair session is going well, Angie is impressed how quickly you got to this point. You now have the init bundle downloaded and explain to her that you just need to import it on the cluster and create the `SecuredCluster` resource to finish the process.
@ -21,7 +21,7 @@ You decide to make enabling encryption top of your list for the morning to try a

## 3.1 Encrypting internal cluster traffic
## 3.1 - Encrypting internal cluster traffic
With IPsec enabled, you can encrypt internal pod-to-pod cluster traffic on the OVN-Kubernetes cluster network between nodes.
@ -38,7 +38,7 @@ Documentation you may find helpful is:
- https://docs.openshift.com/container-platform/4.16/networking/network_security/configuring-ipsec-ovn.html
## 3.2 Observing cluster network rollout
## 3.2 - Observing cluster network rollout
Your change window on the ACME cluster is 30 minutes for the cluster network update. You've advised the ACME team there could be some minor disruption to the cluster while the cluster network operator is progressing the update.
@ -15,7 +15,7 @@ Angie is really keen to tap into your knowledge on what she can do to make to th
You're in a meeting room going over things together, so far so good.
## 4.1 Ruh roh...
## 4.1 - Ruh roh...
You're looking over the RHACS Dashboard together in the RHACS console.
@ -26,7 +26,7 @@ The core banking payments processor namespace `prd-acme-payments` is vulnerable

## 4.2 What the %$^& do we do????
## 4.2 - What the %$^& do we do????
In the minutes following the alarming discovery you observe a series of rushed conversations and Microsoft Skype for Business™ chats between Angie and various security team members, service owners and incident management team members.
@ -17,11 +17,11 @@ The bank must comply with this specific benchmark to meet the requirements of th

## 5.1 Installing the compliance operator
## 5.1 - Installing the compliance operator
You’re got an upcoming Microsoft Skype for Business™ video call with Melissa in 30 minutes to show her how compliant the cluster is currently.
Time to quickly get the OpenShift Compliance Operator installed and run a scan via Red Hat Advanced Cluster Security. Better hurry!
Time to quickly get the [OpenShift Compliance Operator](https://docs.openshift.com/container-platform/4.16//security/compliance_operator/co-overview.html) installed and run a scan via Red Hat Advanced Cluster Security. Better hurry!
As with last time, to limit PTSD induced panic attacks among the ACME platform team the operator must be set to update mode `Manual`.
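Review bot: the link added in `Time to quickly get the [OpenShift Compliance Operator](https://docs.openshift.com/container-platform/4.16//security/compliance_operator/co-overview.html) installed` has a doubled slash after `4.16`; drop one so the URL takes the single-slash form used by the other documentation links in this patch. Two lines above, the unchanged context line `You're got an upcoming Microsoft Skype for Business™ video call with Melissa` should read `You've got`; since this hunk already rewrites the paragraph below it, fix it here rather than in a follow-up.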
@ -30,7 +30,7 @@ Documentation you may find helpful is:
- https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/security_and_compliance/compliance-operator#installing-compliance-operator-web-console_compliance-operator-installation
## 5.2 Scheduling a compliance scan
## 5.2 - Scheduling a compliance scan
Operator installed it's time to join the virtual meeting with Melissa and step her through how to run a compliance scan against NIST 800-53 and visualise results using the Red Hat Advanced Cluster Security Dashboard.
@ -47,13 +47,16 @@ Documentation you may find helpful is:
- https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.5/html/operating/managing-compliance#scheduling-compliance-scans-and-assessing-profile-compliance
## 5.3 Remediating a compliance issue
## 5.3 - Remediating a compliance issue
Scan finished you begin stepping through Melissa the individual results, inspecting `ComplianceCheckResult` and `ComplianceRemediation` resources.
To demonstrate to her how the compliance operator can make automated remediation of compliance issues easy you pick out the `ocp4-moderate-oauth-or-oauthclient-token-maxage` compliance remediation and apply it, then trigger a re-scan from the compliance operator to validate this issue is now remediated on the cluster.
Scan finished you begin stepping through Melissa the individual results.
## 5.4 - Check your work
If you've successfully run the compliance scan and remediated the compliance issue please post an issue in `#event-anz-ocp-security-hackathon` with the message:
If you've successfully run the compliance scan and remediated the compliance issue to show Melissa how things work please post an issue in `#event-anz-ocp-security-hackathon` with the message:
> Please review [team name] solution for exercise 5, our cluster is now [percentage] compliant against NIST 800-53 at a cluster level.
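Review bot: the new line `Scan finished you begin stepping through Melissa the individual results, inspecting \`ComplianceCheckResult\` and \`ComplianceRemediation\` resources.` carries over the word-order slip from the line it replaces (`stepping through Melissa the individual results`); suggest `Scan finished, you begin stepping Melissa through the individual results, inspecting ...`. The added remediation task (`pick out the \`ocp4-moderate-oauth-or-oauthclient-token-maxage\` compliance remediation and apply it, then trigger a re-scan from the compliance operator`) is the only task in this section with no entry under `Documentation you may find helpful is:`, which currently lists only the RHACS scheduling link; adding a link to the Compliance Operator docs on applying remediations and re-running a scan would give participants the same footing the earlier steps get. Lastly, the reworded check-your-work line still says `post an issue in \`#event-anz-ocp-security-hackathon\``, where the channel-style name suggests `post a message`; since the line is already being touched here, that is worth fixing in the same change.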