Begin working on exercise 5.

2024-09-01 13:05:48 +12:00
parent 63137af30c
commit f2b66c2e9a
3 changed files with 34 additions and 6 deletions


@ -8,7 +8,7 @@ This document captures the steps required to set up an instance of the workshop.
* Connect to the low side instance * Connect to the low side instance
#+begin_src tmux #+begin_src tmux
ssh lab-user@3.21.229.143 ssh lab-user@3.143.149.146
#+end_src #+end_src
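Review bot: the updated ssh line still connects to a bare public IP as `lab-user` with no way for a participant to verify the host; consider adding the host key fingerprint for 3.143.149.146 (or where to obtain it) next to this block so first connections are not a blind accept of an unknown key.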
@ -16,13 +16,13 @@ ssh lab-user@3.21.229.143
#+begin_src tmux #+begin_src tmux
cd /mnt/low-side-data/ cd /mnt/low-side-data/
curl -L -o oc-mirror.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.19/oc-mirror.tar.gz curl -L -o oc-mirror.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.35/oc-mirror.tar.gz
tar -xzf oc-mirror.tar.gz tar -xzf oc-mirror.tar.gz
rm -f oc-mirror.tar.gz rm -f oc-mirror.tar.gz
chmod +x oc-mirror chmod +x oc-mirror
sudo cp -v oc-mirror /bin sudo cp -v oc-mirror /bin
curl -L -o mirror-registry.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/mirror-registry/latest/mirror-registry.tar.gz curl -L -o mirror-registry.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/mirror-registry/latest/mirror-registry.tar.gz
curl -L -o openshift-install.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.19/openshift-install-linux.tar.gz curl -L -o openshift-install.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.35/openshift-install-linux.tar.gz
tar -xzf openshift-install.tar.gz openshift-install tar -xzf openshift-install.tar.gz openshift-install
rm -f openshift-install.tar.gz rm -f openshift-install.tar.gz
curl -L -o oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.19/openshift-client-linux.tar.gz curl -L -o oc.tar.gz https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.14.19/openshift-client-linux.tar.gz
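Review bot: the `oc` client download on the last line of this hunk is still `4.14.19` while `oc-mirror` and `openshift-install` were bumped to `4.14.35`, leaving a mixed toolset; change the `openshift-client-linux.tar.gz` URL to `4.14.35` as well. While here, none of the tarballs are verified before `oc-mirror` is copied into `/bin` with sudo; the same version directory on mirror.openshift.com publishes a `sha256sum.txt`, so fetching it and running `sha256sum -c --ignore-missing sha256sum.txt` after the downloads would catch a truncated or tampered archive before it is installed.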
@ -50,7 +50,7 @@ mirror:
channels: channels:
- name: stable-4.14 - name: stable-4.14
type: ocp type: ocp
minVersion: 4.14.34 minVersion: 4.14.35
maxVersion: 4.14.35 maxVersion: 4.14.35
additionalImages: additionalImages:
- name: registry.redhat.io/rhel8/support-tools - name: registry.redhat.io/rhel8/support-tools
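Review bot: with `minVersion` and `maxVersion` both at `4.14.35` the ImageSetConfiguration mirrors exactly one release, which is consistent with the installer bump in this commit; just note that the mirror will then contain no upgrade edge from any earlier 4.14.z, so a cluster installed from this content cannot be upgraded until the range is widened and the mirror re-run.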


@ -115,9 +115,9 @@ Once the `hub-Operator-secrets-cluster-init-bundle.yaml` file has been downloade
5. Paste the contents into the **Import YAML** text field and click the blue **Create** button. 5. Paste the contents into the **Import YAML** text field and click the blue **Create** button.
<Zoom> <Zoom>
|![workshop](/static/images/compliance/central-login.gif) | |![workshop](/static/images/compliance/init-bundle-import.gif) |
|:-----------------------------------------------------------------------------:| |:-----------------------------------------------------------------------------:|
| *Logging into Red Hat Advanced Cluster Security dashboard* | | *Importing an init bundle into our hub cluster* |
</Zoom> </Zoom>
> Note: These init bundles contain secrets enabling a secured cluster to communicate with RHACS Central so it's important to store these securely. > Note: These init bundles contain secrets enabling a secured cluster to communicate with RHACS Central so it's important to store these securely.
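Review bot: `/static/images/compliance/init-bundle-import.gif` is referenced here but is not one of the three files changed in this commit, so unless it was added earlier this step will render a broken image; please confirm it exists. On the note about secrets: since the bundle is pasted into the console, telling the reader to delete the downloaded `hub-Operator-secrets-cluster-init-bundle.yaml` from their workstation after the import (and never commit it to a repo) would make "store these securely" actionable.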
@ -187,4 +187,5 @@ After a short wait for pods to initialise in the `acs-securedcluster` namespace
| *Hub cluster is now secured by Red Hat Advanced Cluster Security* | | *Hub cluster is now secured by Red Hat Advanced Cluster Security* |
</Zoom> </Zoom>
If you now have Red Hat Advanced Cluster Security **Central** and **SecuredCluster** components deployed then congratulations your RHACS instance is fully deployed and you're ready to start improving your cluster security and compliance posture in Exercise 5! 🎉
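Review bot: the new closing sentence is a run-on; a comma after "congratulations" (or a full stop after "then congratulations") would read more cleanly.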


@ -0,0 +1,27 @@
---
title: Running a cluster compliance scan
exercise: 5
date: '2024-09-01'
tags: ['openshift','containers','kubernetes','disconnected']
draft: false
authors: ['default']
summary: "Let's check our cluster compliance against NIST 800-53 👀"
---
We've done the work to set the OpenShift Compliance Operator and Red Hat Advanced Cluster Security up on our cluster, now let's make the most of it by using them to schedule and run a compliance scan on our cluster.
For the scan we'll be using the included `NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift` and `NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level` scan profiles that are included with the OpenShift Compliance Operator.
Two scan profiles are required as we need to scan both the OpenShift cluster, as well as each individual node running RHEL CoreOS.
For more details on these compliance profiles please take some time to review:
- https://static.open-scap.org/ssg-guides/ssg-ocp4-guide-moderate.html
- https://static.open-scap.org/ssg-guides/ssg-ocp4-guide-moderate-node.html
- https://docs.openshift.com/container-platform/4.14/security/compliance_operator/co-scans/compliance-operator-supported-profiles.html
## 5.1 - Scheduling a scan
There are two methods you can use to schedule Compliance Operator scans.
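Review bot: the second body paragraph repeats "included" ("using the included ... that are included with"); drop one. Consider also quoting the profile IDs (`ocp4-moderate` and `ocp4-moderate-node`) next to the display names, since those are what a ScanSettingBinding references and what the linked supported-profiles page lists. If OS-level hardening of RHEL CoreOS is meant to be in scope, `ocp4-moderate-node` covers the per-node Kubernetes (kubelet) settings while the `rhcos4-moderate` profile covers the RHCOS operating system itself; worth clarifying which is intended in the sentence about scanning each node. The front matter tags omit anything like `compliance` or `security`, which is the subject of the exercise; optional.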