jmhbnz/workshops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
a0a7dc9dea821de8879b82fa54fc6ac5771cb212
workshops/data/workshop/exercise4.mdx
James Blair a0a7dc9dea Progress on exercise 4.
2024-08-31 23:23:03 +12:00

111 lines
5.3 KiB
Plaintext
Raw Blame History

---
title: Deploy advanced cluster security
exercise: 4
date: '2024-08-31'
tags: ['openshift','containers','kubernetes','disconnected']
draft: false
authors: ['default']
summary: "Time to up our security & compliance game! 🔒"
---
With our Red Hat Advanced Cluster Security Operator installed and standing by to do some work for us, let's give it some work to do by telling it to deploy Red Hat Advanced Cluster Security onto our cluster.
## 4.1 - Getting familiar with rhacs
Before we get into the technical implementation let's take a moment to get up to speed with Red Hat Advanced Cluster Security works.
Fundamentally you install RHACS as a set of containers in your OpenShift Container Platform or Kubernetes cluster. RHACS includes the following services:
1. **Central** services you install on a designated "hub" cluster.
2. **Secured cluster** services you install on each cluster you want to secure by RHACS.
<Zoom>
|![workshop](/static/images/compliance/acs-architecture-kubernetes.png) |
|:-----------------------------------------------------------------------------:|
| *Red Hat Advanced Cluster Security high level architecture* |
</Zoom>
> Note: For an overview of which sources Red Hat Advanced Cluster Security uses for vulnerability information and a more detailed walkthrough of each component, take a moment to review https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.5/html-single/architecture/index.
## 4.2 - Deploying central services
Let's now create our **Central** services on our cluster by creating a new `Central` custom resource which our newly installed operator will then manage and deploy on our behalf. We'll deploy these services into a new namespace called `acs-central`.
```bash
cat << EOF | oc apply --filename -
---
apiVersion: v1
kind: Namespace
metadata:
name: acs-central
spec:
finalizers:
- kubernetes
---
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
name: stackrox-central-services
namespace: acs-central
spec:
central:
exposure:
route:
enabled: true
egress:
connectivityPolicy: Offline
EOF
```
> Note: The values we used for the `Central` instance are all defaults, aside from `connectivityPolicy: Offline`, which tells Red Hat Advanced Cluster Security it will be operating in a disconnected environment. For more details on how RHACS works in a disconnected environment refer to https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.5/html/configuring/enable-offline-mode.
Once the `Central` resource has been created you can check the state of the RHACS pods by running `oc get pods -n acs-central` in your highside terminal. Or navigating to **Workloads** > **Pods** for the `acs-central` project in the OpenShift Web Console.
<Zoom>
|![workshop](/static/images/compliance/acs-central-pods.png) |
|:-----------------------------------------------------------------------------:|
| *Red Hat Advanced Cluster Security central pods* |
</Zoom>
Once all pods are `Running` and `Ready` you can move on to the next step.
## 4.3 - Logging into rhacs dashboard
Time to bring up our RHACS dashboard. We'll first retrieve the `admin` user password which was auto generated by the operator and stored in a **Secret**. Then we can open the **Route** for RHACS in a new browser tab and log in.
1. Return to your vnc session and the open tab with our OpenShift Web Console.
2. Click **Workloads** > **Secrets**, ensuring you are looking at the `acs-central` **Project**.
3. Click into the `central-htpasswd` **Secret**
4. Scroll down and click **Reveal values** on the right hand side.
5. Copy the `password` field, we'll need this shortly.
6. Navigate to **Networking** > **Routes** in the left hand menu.
7. Click on the **Location** URL for the route named `central`.
8. Login with the username `admin` and the password you copied earlier.
> Note: Ironically (given the subject matter), you may receive a tls verification warning when opening the rhacs dashboard. This is expected in this short lived workshop environment (because James is lazy) and should be accepted (Kids please don't do this at home 😂).
<Zoom>
|![workshop](/static/images/compliance/central-login.gif) |
|:-----------------------------------------------------------------------------:|
| *Logging into Red Hat Advanced Cluster Security dashboard* |
</Zoom>
## 4.4 Securing our hub cluster
To begin securing our OpenShift "hub" cluster with RHACS we need to:
1. Generate an init bundle to download and apply to the cluster.
2. Create and apply a `SecuredCluster` custom resource.
We'll start with generating the init bundle. Just for future familiarity for this step we'll use and follow the official RHACS documentation: https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.5/html/installing/installing-rhacs-on-red-hat-openshift#portal-generate-init-bundle_init-bundle-ocp
Follow the steps in `4.3.1.1` to generate an init bundle named `hub` using the RHACS dashboard, selecting the **Operator** based installation method.
Once the `hub-Operator-secrets-cluster-init-bundle.yaml` file has been downloaded we'll apply it to the cluster using the OpenShift Web Console **Import YAML** feature.
Reference in New Issue View Git Blame Copy Permalink