Getting Started

We will install ACS thought the RHACS Operator and afterwards we will install an small demo that will serve examples to our workshop.

You can request in RHPDS the environment already installed (including the demo) - Go to Multi-Product Demo → Openshift 4 Advanced Cluster Security 4

RHACS Components

Red Hat Advanced Cluster Security for Kubernetes (ACS) consists of:

  • The Central service, which exposes api and console and communicates with Sensors on secured clusters.

  • The Scanner service, which has the role of scanning the deployed pods images.

  • The Sensor, which monitors your Kubernetes and OpenShift Container Platform clusters.

  • The Admision Controller which prevent users from creating workloads that violate configured security policies.

  • The Collector which moniotrs runtime activity on each node for your secured clusters. It reports to Sensor.

You should check the specific version for you RHACS version to check memory/storage requirements ACS components and the sizing guidelines as well.

RHACS Operator Installation

  1. Find and the Advanced Cluster Security Operator from the Operator Hub.

    ACS Operator 1
  2. Install the selected operator by clicking on the Install button.

    ACS Operator 2
  3. Confirm default installation parameters (auto update, latest channel, rhacs-operator namespace).

    ACS Operator 3
  4. Wait for completion, the installation will take a few seconds.

    ACS Operator 4
  5. When the installation finishes.

    ACS Operator 5
  6. Access the now ready operator by clicking on the View Operator button.

    ACS Operator 6
This step is not required if you are using the Cloud Service for Red Hat Advanced Cluster Security for Kubernetes (ACS).

RHACS Central Cluster Installation

Once the operator has been installed we need to deploy the Central component. This component must be deployed in Red Hat OpenShift 4.9 or higher. However, it can be deployed in Kubernetes but you must carefully read Red Hat Advanced Cluster Security for Kubernetes Support Policy.

In this section we will deploy the Central component in the lab cluster. The Central is made up two main deployments:

  • The central service, which exposes api and console and communicates with Sensors on secured clusters.

  • The scanner service, which has the role of scanning the deployed pods images.

RHACS Central requirements

Central uses a database referred as Central DB (PostgreSQL 13) and both Central and PostgreSQL require persistent storage. SSD storage is recommended for best performance but different storage can be used as well.

Using an external database is currently a Technology Preview and will not be covered in this workshop.

RHACS requires external access to:

  1. definitions.stackrox.io for downloading updated vulnerability definitions.

  2. collector-modules.stackrox.io to download updated kernel support packages.

RHACS Central deployment

RHACS Central deployment can be performed in several ways:

This step is not required if you are using the Cloud Service for Red Hat Advanced Cluster Security for Kubernetes (ACS).

Deploying Central using the ACS Operator (Web Console)

  1. From the operator ready screen by clicking on View Operator or navigating to the Operators → Installed Operators page. Then, under the Provided APIs section, select Create Central on the Central API:

    ACS Operator 51
  2. Check the YAML radio button and paste the Central CR you see below and click on the Create button.

    ACS Operator 52
  3. You can check the progress by switching to the Developer perspective, in the Topology menu.

    ACS Operator 53

You can also do the same using the Developer perspective:

+ image::install/04_3_create_central_resource.png[ACS Operator 53, 800]

You can also do the same using the Developer perspective:

  1. Within the stackrock project selected, +Add → Import YAML

    ACS Operator 511
  2. Paste the YAML content and click on the Create button:

    ACS Operator 512

Deploying Central using the oc client (CLI)

Log in to your OpenShift cluster and create a new stackrox namespace (using the web console or the cli as follows). We will install our components here.

oc new-project stackrox

The following is an example of the central custom resource. You can do this in two ways, via the web console or via the CLI.

apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: stackrox
spec:
  central:
    exposure:
      loadBalancer:
        enabled: false
        port: 443
      nodePort:
        enabled: false
      route:
        enabled: true
    persistence:
      persistentVolumeClaim:
        claimName: stackrox-db
  egress:
    connectivityPolicy: Online
  scanner:
    analyzer:
      scaling:
        autoScaling: Enabled
        maxReplicas: 5
        minReplicas: 2
        replicas: 3
    scannerComponent: Enabled
  1. Create the central custom resource using the template file provided in this repository.

    oc apply -f stackrox-central-services.yaml -n stackrox
  2. Monitor the installation using the watch option:

    oc get pods -n stackrox -w

RHACS login

  1. Once the installation is complete, obtain and copy the generated admin password from the central-htpasswd secret.

    1. Using the command line:

      oc -n stackrox get secret central-htpasswd -o go-template='{{index .data "password" | base64decode}}'
    2. Using the web console, Secrets view from the Developer perspective (search for central-htpasswd secret):

      ACS Operator 61
  2. Extract the hostname of the generated route from the command line as follows or using the Topology view from the web console.

    oc get routes/central -n stackrox -o jsonpath='{.spec.host}'
  3. Login to https://<route_hostname>; using the admin username and the password extracted before.

    ACS Operator 62

RHACS Secured Cluster Configuration

To import a cluster into ACS, you need to generate a cluster init bundle containing TLS secrets for Sensor, Collectors, and Admission Controllers.

Generating an init bundle by using the RHACS portal

  1. Generate the cluster init bundle by accessing the Integration subsection in the Platform Configuration section

    ACS Operator 7
  2. Generate the bundle with a unique cluster name, in our case, demo-cluster

    ACS Operator 8
  3. Download the cluster init bundle secret.

    ACS Operator 9
  4. Apply the cluster init bundle secret on the target secured cluster

    oc apply -f ~/Downloads/demo-cluster-cluster-init-secrets.yaml -n stackrox

    You can open the yaml file, copy the content and paste it to the web console using the +Add → Import YAML shortcut. As you are cluster-admin and all the object have the namespace key set you will get all the object created in their respective namespaces regrardless the project you choose in the web console (all projects or whatever).

Installing secured cluster services

This workshop uses the same cluster as central and secured cluster. In a real time scenario there will be many different secured clusters. Please ensure to install the ACS Operator in all the secured cluster in order to manage the SecuredCluster CR.

The SecuredCluster custom resource is quite simple. The following example shows the configuration for a demo-cluster target. Notice the collector configuration, with the collection method set to EBPF. The alternative collection approach would be KernelModule. The TolerateTaints lets the Collector daemonset be deployed also on nodes with special taints, like the ODF nodes.

apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  admissionControl:
    listenOnCreates: true
    listenOnEvents: true
    listenOnUpdates: true
  clusterName: demo-cluster
  perNode:
    collector:
      collection: EBPF
      imageFlavor: Regular
    taintToleration: TolerateTaints
Check the settings of the SecuredCluster operator documentation for more information.
  1. Create the Secured Cluster custom Resource using (and optionally custumizing) the example provided in the repository.

    oc apply -f stackrox-secured-cluster-services.yaml -n stackrox

    Or using the web console, in the ACS opertator view, as follows:

    1. Under the Provided APIs section, select Create instance on the Secured Cluster API

      ACS Operator 9
    2. And then copy & paste the yaml content

      ACS Operator 10

    Or as in the previous section, with the +Add → Import YAML path.

  2. Monitor the installation using the watch option (or using the web console Topology view from the Developer perspective as mentioned before):

    oc get pods -n stackrox -w
  3. At the end of the installation, go to the central console and check the correct attachment of the secured cluster.

    ACS Operator 11

Deploying ACS manually

We have seen how to deploy ACS using the web user interface but, sometimes it is necessary to automate the deployment using tools such ansible for instance.

Let’s see how to manually, using the CLI, we can deploy ACS so we will be able to automate it with any tool.

First we need to create a namespace to deploy the ACS operator:

oc new-project rhacs-operator

We need to create the operator group creating the following yaml file:

  apiVersion: operators.coreos.com/v1
  kind: OperatorGroup
  metadata:
    name: rhacs-operator
    namespace: rhacs-operator

Apply the file to create the operator group:

oc apply -f acs-operator-group.yaml -n rhacs-operator

Create the subscription yaml file:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: rhacs-operator
  namespace: rhacs-operator
  labels:
    operators.coreos.com/rhacs-operator.rhacs-operator: ''
spec:
  channel: stable
  installPlanApproval: Automatic
  name: rhacs-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace

Apply the subscription file:

oc apply -f subscription.yaml

At this moment the ACS operator will be installing. It will take sometime to install. Not much, just a few seconds.

Now we need to deploy central. So the first thing is to create the namespace where Central will be deployed:

oc new-project stackrox

The following is an example of the central custom resource:

apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: stackrox
spec:
  central:
    exposure:
      loadBalancer:
        enabled: false
        port: 443
      nodePort:
        enabled: false
      route:
        enabled: true
    persistence:
      persistentVolumeClaim:
        claimName: stackrox-db
  egress:
    connectivityPolicy: Online
  scanner:
    analyzer:
      scaling:
        autoScaling: Enabled
        maxReplicas: 5
        minReplicas: 2
        replicas: 3
    scannerComponent: Enabled

Create the custom resource:

oc apply -f stackrox-central-services.yaml -n stackrox

Central will be deployed. You can check it:

oc get pods -n stackrox -w

Now you will need to get the ACS admin password:

oc -n stackrox get secret central-htpasswd -o jsonpath="{.data['password']}" | base64 -d

and the ACS Central console URL:

oc -n stackrox get routes/central -o jsonpath='{.spec.host}'

Once the ACS Central is deployed we will need to add clusters into ACS. To add the cluster where we have deployed Central to ACS we need to download the roxctl command.

You will need to download the version matching the ACS version you have deployed. You can also use a containerized version, but in this workshop we will use the command line tool.

We use the roxctl to create the init bundle:

roxctl -e <ACS CONSOLE URL>:443 central init-bundles generate demo-cluster --insecure-skip-tls-verify --output-secrets /tmp/demo-cluster.yaml --password <ACS ADMIN PASSWORD>

Apply the init bundle:

oc -n stackrox apply -f /tmp/demo-cluster.yaml

The secured cluster resource yaml file:

apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: acs-secured-cluster-services
  namespace: stackrox
spec:
  admissionControl:
    listenOnCreates: true
    listenOnEvents: true
    listenOnUpdates: true
  clusterName: demo-cluster
  perNode:
    collector:
      collection: EBPF
      imageFlavor: Regular
    taintToleration: TolerateTaints
 oc -n stackrox apply -f secured-cluster.yaml

After that the cluster will have been included in ACS.

Deploying Demo in RHACS - Mandatory

Independent of which option to install you used, you need to deploy the ACS Demo into your cluster.
  1. Download the repo with the demo:

    ansible-galaxy collection install kubernetes.core
    pip install kubernetes jmespath
    git clone https://github.com/rh-mobb/rhacs-demo
    cd rhacs-demo
  2. Apply the ansible demo into the cluster:

    you must be logged to the OpenShift cluster before you execute the playbook.
    ansible-playbook rhacs-demo.yaml -e stackrox_central_admin_password=[your_pass](1)
    1 The same password you obtained in the step 1 of the ACS login section.
  3. After the Playbook execution (and if everything worked properly), the output will be the following:

    TASK [ocp4_workload_stackrox_demo_apps : post_workload tasks complete] ********************************************************
    ok: [localhost] => {
        "msg": "Post-Workload Tasks completed successfully."
    }

Deploying Apps - Optional

If you do not plan to follow the remaining sections (which are based on deploying the demo) and prefer to play and make your own findings, simply follow the steps below:

  1. Create a new project:

    oc new-project test
  2. Start some applications with critical vulnerabilities:

    oc run shell --labels=app=shellshock,team=test-team \
      --image=vulnerables/cve-2014-6271 -n test
    oc run samba --labels=app=rce \
      --image=vulnerables/cve-2017-7494 -n test
  3. Navigate to the RHACS portal to view the violations.

    ACS Operator 7