This workshop is meant to introduce you to the application development cycle leveraging OpenShift’s tooling & features with a special focus on securing your environment using Advanced Cluster Security for Kubernetes (ACS). And all in a fun way.
Setting up the Outer Development Loop for the CI/CD team
+
Outer Dev Loop
-
Learn to work with OpenShift Pipelines based on Tekton
-
Use OpenShift GitOps based on ArgoCD
+
Learn to work with Tekton Pipelines
+
Use GitOps with ArgoCD
Secure your app and OpenShift cluster with ACS
Introduction to ACS
Example use cases
-
Add ACS scanning to a Tekton Pipeline
+
Add ACS scanning to Tekton Pipeline
What to Expect
+
We try to balance guided workshop steps and challenging you to use your knowledge to learn new skills. This means you’ll get detailed step-by-step instructions for every new chapter/task, later on the guide will become less verbose and we’ll weave in some challenges.
-
This workshop is for intermediate OpenShift users. A good understanding of how OpenShift works along with hands-on experience is expected. For example we will not tell you how to log in with oc to your cluster or tell you what it is… ;)
+
A good understanding of how OpenShift works together with hands-on experience is expected. For example we will not tell you how to log in oc to your cluster or tell you what it is… ;)
-
We try to balance guided workshop steps and challenge you to use your knowledge to learn new skills. This means you’ll get detailed step-by-step instructions for every new chapter/task, later on the guide will become less verbose and we’ll weave in some challenges.
Workshop Environment
-
As Part of a Red Hat Workshop
-
For Attendees
-
As part of the workshop you will be provided with freshly installed OpenShift 4.10 clusters. Depending on attendee numbers we might ask you to gather in teams. Some workshop tasks must be done only once for the cluster (e.g. installing Operators), others like deploying and securing the application can be done by every team member separately in their own Project. This will be mentioned in the guide.
-
You’ll get all access details for your lab cluster from the facilitators. This includes the URL to the OpenShift console and information about how to SSH into your bastion host to run oc if asked to.
-
For Facilitators
-
The easiest way to provide this environment is through the Red Hat Demo System. Provision catalog item Red Hat OpenShift Container Platform 4 Demo for the the attendees.
-
Self Hosted
-
While the workshop is designed to be run on Red Hat Demo System (RHDS) and the environment AWS with OpenShift Open Environment, you should be able to run the workshop on a 4.14 cluster of your own.
-
Just make sure :
-
-
You have cluster admin privileges
-
Sizing
-
-
3 Controlplane Nodes (Similar to AWS m5.2x.large)
-
3 Worker (Similar to AWS m5.4x.large)
-
-
-
Authentication htpasswd enabled
-
For the ACM chapter you will need AWS credentials to automatically deploy a SingleNode OpenShift
-
Some names in the workshop may need to be customized for your environment (e.g. storage naming)
-
-
This workshop was tested with these versions :
-
-
Red Hat OpenShift : 4.14.18
-
Red Hat Advanced Cluster Security for Kubernetes: 4.4.0
-
Red Hat OpenShift Dev Spaces : 3.12.0
-
Red Hat OpenShift Pipelines: 1.14.3
-
Red Hat OpenShift GitOps: 1.12.0
-
Red Hat Quay: 3.8.15
-
Red Hat Quay Bridge Operator: 3.7.11
-
Red Hat Data Foundation : 4.14.06
-
Gitea Operator: 1.3.0
-
Web Terminal: 1.9.0
-
+
You will be provided with freshly installed OpenShift 4 clusters running in AWS. Depending on attendee numbers we might ask you to gather in teams. Some workshop tasks must be done only once for the cluster (e.g. installing Operators), others like deploying and securing the application can be done by every team member separately in her/his own Project. This will be mentioned in the guide.
Workshop Flow
-
We’ll tackle the topics at hand step by step with an introduction covering the things worked on before each section.
-
And finally a sprinkle of JavaScript magic
-
You’ll notice placeholders for cluster access details, mainly the part of the domain that is specific to your cluster. There are two options:
-
-
Whenever you see the placeholder <DOMAIN> replace it with the value for your environment
-
-
This is the part to the right of apps. e.g. for console-openshift-console.apps.cluster-t50z9.t50z9.sandbox4711.opentlc.com replace with cluster-t50z9.t50z9.sandbox4711.opentlc.com
-
-
-
Use a query parameter in the URL of this lab guide to have all occurences replaced automagically, e.g.:
-
You can use the Link Generator in the next chapter to create the URL for you
-
-
-
-
URL Generator for Custom Lab Guide
-
Enter your OpenShift url after the apps part (e.g. cluster-t50z9.t50z9.sandbox4711.opentlc.com ) and click the button to generate a link that will customize your lab guide.
-
Click the generated link once to apply it the the current guide.
During the workshop you went through the OpenShift developer experience starting from software development using Quarkus and odo, moving on to automating build and deployment using Tekton pipelines and finally using GitOps for production deployments.
-
Now it’s time to add another extremely important piece to the setup: enhancing application security in a containerized world. Using Red Hat Advanced Cluster Security for Kubernetes, of course!
+
During the workshop you went through the OpenShift developer experience starting from software development using Quarkus and odo, moving on to automating build and deployment using Tekton pipelines and finally using GitOps for production deployments.
+
Now it’s time to add another extremely important piece to the setup; enhancing application security in a conainerized world. Using the most recent addition to the OpenShift portfolio: Red Hat Advanced Cluster Security for Kubernetes!
Install RHACS
-
RHCAS Operator
-
Install the Advanced Cluster Security for Kubernetes operator from the OperatorHub:
+
Install the Operator
-
Switch Update approval to Manual
-
Apart from this use the default settings
-
Approve the installation when asked
+
Install the “Advanced Cluster Security for Kubernetes” operator from OperatorHub with the default values.
-
Red Hat recommends installing the Red Hat Advanced Cluster Security for Kubernetes Operator in the rhacs-operator namespace. This will happen by default..
+
Red Hat recommends installing the Red Hat Advanced Cluster Security for Kubernetes Operator in the rhacs-operators namespace. This will happen by default..
-
Installing the main component Central
+
Install the main component Central
You must install the ACS Central instance in its own project and not in the rhacs-operator and openshift-operator projects, or in any project in which you have installed the ACS Operator!
@@ -529,103 +472,36 @@
Installing the main component
Navigate to Operators → Installed Operators
Select the ACS operator
-
You should now be in the rhacs-operator project the Operator created, create a new OpenShift Project for the Central instance:
+
You should now be in the rhacs-operator project the Operator created, create a new Project for the Central instance:
-
Create a new project called stackrox (Red Hat recommends using stackrox as the project name.) by selecting Projects: Create project
+
Select Project: rhacs-operator → Create project
+
Create a new project stackrox (Red Hat recommends using stackrox as the project name.)
-
In the Operator view under Provided APIs on the tile Central click Create Instance
Accept the name to stackrox-central-services and accept the default values
Click Create
-
After the deployment has finished (StatusConditions: Deployed, Initialized in the Operator view on the Central tab), it can take some time until the application is completely up and running. One easy way to check the state, is to switch to the Developer console view on the upper left. Then make sure you are in the stackrox project and open the Topology map. You’ll see the three deployments of the Central instance:
+
After deployment has finished ("Status Conditions: Deployed, Initialized”) it can take some time until the application is completely up and running. One easy way to check the state is to switch to the Developer console view at the upper left. Then make sure you are in the rhacs-operator project and open the Topology map. You’ll see the three deployments of an Central instance:
-
scanner
scanner-db
-
central
-
central-db
+
scanner
+
centrals
Wait until all Pods have been scaled up properly.
Verify the Installation
-
Switch to the Administrator console view again. Now to check the installation of your Central instance, access the ACS Portal:
+
Switch to the Administrator console view again. Now to check the installation of your Central instance, access the RHACS Portal:
Look up the central-htpasswd secret that was created to get the password
-
If you access the details of your Central instance in the Operator page you’ll find the complete commandline using oc to retrieve the password from the secret under Admin Credentials Info. Just sayin… ;)
+
If you access the details of your Central instance you’ll find the complete commandline using oc to retrieve the password from the secret under Admin Credentials Info. Just sayin… ;)
-
Look up and access the route central which was also generated automatically.
+
Look up and access the route central which was also generated automatically.
-
This will get you to the ACS Portal, accept the self-signed certificate and login as user admin with the password from the secret.
+
This will get you to the RHACS portal, accept the self-signed certificate and login as user admin with the password from the secret.
Now you have a Central instance that provides the following services in an
RHACS setup:
@@ -633,98 +509,94 @@
Installing the main component The application management interface and services. It handles data persistence, API interactions, and user interface access. You can use the same Central instance to secure multiple OpenShift or Kubernetes clusters.
-
Scanner, which is a vulnerability scanner for scanning container images. It analyzes all image layers for known vulnerabilities from the Common Vulnerabilities and Exposures (CVEs) list. Scanner also identifies vulnerabilities in packages installed by package managers and in dependencies for multiple programming languages.
+
Scanner, which is a vulnerability scanner for scanning container images. It analyzes all image layers to check known vulnerabilities from the Common Vulnerabilities and Exposures (CVEs) list. Scanner also identifies vulnerabilities in packages installed by package managers and in dependencies for multiple programming languages.
-
To actually do and see anything you need to add a SecuredCluster (be it the same or another OpenShift cluster). For effect go to the ACS Portal, the Dashboard should by pretty empty, click on either of the Compliance link in the menu to the left, lots of zero’s and empty panels, too.
+
To actually do and see anything you need to add a SecuredCluster (be it the same or another OpenShift cluster). For effect go to the RHACS Portal, the Dashboard should by pretty empty, click on the Compliance link in the menu to the left, lots of zero’s and empty panels, too.
This is because you don’t have a monitored and secured OpenShift cluster yet.
Prepare to add Secured Clusters
-
Now we’ll add your OpenShift cluster as Secured Cluster to ACS.
-
First, you have to generate an init bundle which contains certificates and is used to authenticate a SecuredCluster to the Central instance, regardless if it’s the same cluster as the Central instance or a remote/other cluster.
-
We are using the API to create the init bundle in this workshop, because if we use the Web Terminal we can’t upload and downloaded file to it. For the steps to create the init bundle in the ACS Portal see the appendix.
-
Let’s create the init bundle using the ACS API on the commandline:
-
Go to your Web Terminal (if it timed out just start it again), then paste, edit and execute the following lines:
+
First you have to generate an init bundle which contains certificates and is used to authenticate a SecuredCluster to the Central instance, again regardless if it’s the same cluster as the Central instance or a remote/other cluster.
+
In the RHACS Portal:
-
Set the ACS API endpoint, replace <central_url> with the base URL of your ACS portal (without ‘https://’ e.g. central-stackrox.apps.cluster-cqtsh.cqtsh.example.com)
+
Navigate to Platform Configuration → Integrations.
+
Under the Authentication Tokens section, click on Cluster Init Bundle.
+
Click Generate bundle
+
Enter a name for the cluster init bundle and click Generate.
+
Click Download Kubernetes Secret File to download the generated bundle.
-
export ROX_ENDPOINT=<central_url>:443
-
-
Set the admin password (same as for the portal, look up the secrets again)
-
-
export PASSWORD=<password>
-
-
Give the init bundle a name
-
-
export DATA={\"name\":\"my-init-bundle\"}
-
-
Finally run the curl command against the API to create the init bundle using the variables set above
You should now have these two files in your Web Terminal session: bundle.json and kube-secrets.bundle.
-
The init bundle needs to be applied to all OpenShift clusters you want to secure and monitor.
-
-
As said, you can create an init bundle in the ACS Portal, download it and apply it from any terminal where you can run oc against your cluster. We used the API method to show you how to use it and to enable you to use the Web Terminal.
-
-
+
The init bundle needs to be applied on all OpenShift clusters you want to secure & monitor.
Prepare the Secured Cluster
For this workshop we run Central and SecuredCluster on one OpenShift cluster. E.g. we monitor and secure the same cluster the central services live on.
Apply the init bundle
-
Again in the web terminal:
-
Run oc create -f kube-secrets.bundle -n stackrox pointing to the init bundle you downloaded from the Central instance or created via the API as above.
-
This will create a number of secrets, the output should be:
+
Use the oc command to log in to the OpenShift cluster as cluster-admin.
+
+
The easiest way might be to use the Copy login command link from the UI
+
+
+
Switch to the Project you installed ACS Central in, it should be stackrox.
+
Run oc create -f <init_bundle>.yaml -n stackrox pointing to the init bundle you downloaded from the Central instance and the Project you created.
+
This will create a number of secrets:
secret/collector-tls created
secret/sensor-tls created
secret/admission-control-tls created
Add the Cluster as SecuredCluster to ACS Central
-
You are ready to install the SecuredClusters instance, this will deploy the secured cluster services:
+
Now you are ready to install the SecuredClusters instance, this will deploy the secured cluster services:
-
In the OpenShift Web Console go to the ACS Operator in Operators->Installed Operators
+
Go to the ACS Operator in Operators->Installed Operators
Using the Operator create an instance of the Secured Cluster type in the Project you created (should be stackrox)
-
If you are in the YAML view switch to the Form view
-
Change the Cluster Name for the cluster if you want, it’ll appear under this name in the ACS Portal
-
And most importantly for Central Endpoint enter the address and port number of your Central instance, this is the same as the ACS Portal.
+
Change the Cluster Name for the cluster if you want, it’ll appear under this name in the RHACS Portal
+
And most importantly for Central Endpoint enter the address and port number of your Central instance, this is the same as the RACS Portal.
-
If your ACS Portal is available at https://central-stackrox.apps.<DOMAIN> the endpoint is central-stackrox.apps.<DOMAIN>:443.
+
If the RHACS Portal is available at https://central-stackrox.apps.cluster-65h4j.65h4j.sandbox1803.opentlc.com/ the endpoint is central-stackrox.apps.cluster-65h4j.65h4j.sandbox1803.opentlc.com:443.
Under Admission Control Settings make sure
-
listenOnCreates, listenOnUpdates and ListenOnEvents is enabled
+
listenOnCreates, listenOnUpdates and Listen On Events is enabled
Set Contact Image Scanners to ScanIfMissing
-
Click Create
-
Now go to your ACS Portal again, after a couple of minutes you should see your secured cluster under Platform Configuration->Clusters. Wait until all Cluster Status indicators become green.
-
Configure Quay Integrations in ACS
-
Create an integration to scan the Quay registry
-
To enable scanning of images in your Quay registry, you’ll have to configure an Integration with valid credentials, so this is what you’ll do.
-
Now, create a new Integration:
+
Now go to your RHACS Portal again, after a couple of minutes you should see you secured cluster under Platform Configuration->Clusters. Wait until all Cluster Status indicators become green.
+
Create a serviceaccount to scan the internal registry
+
The integrations to the internal registry where created automatically. To enable scanning of images in the internal registry, you’ll have to configure credentials, so this is what you’ll do:
+
+
add a serviceaccount
+
assign it the needed privileges
+
configure the Integrations in ACS with the credentials
+
+
Create ServiceAccount to read images from Registry
-
Access the RHACS Portal and configure the already existing integrations of type Generic Docker Registry.
-
Go to Platform Configuration -> Integrations -> Generic Docker Registry.
-
Click the New integration button
-
Integration name: Quay local
-
Endpoint: https://quay-quay-quay.apps.<DOMAIN> (replace domain if required)
-
Username: quayadmin
-
Password: quayadmin
+
Make sure you are in the stackroxProject
+
User Management -> ServiceAccounts -> Create ServiceAccount
+
Replace the example name in the YAML with acs-registry-reader and click Create
+
In the new ServiceAccount, under Secrets click one of the acs-registry-reader-token-... secrets
+
Under Data copy the Token
+
Using oc give the ServiceAccount the right to read images from all projects:
Access the RHACS Portal and configure the already existing integrations of type Generic Docker Registry. Go to Platform Configuration -> Integrations -> Generic Docker Registry. You should see a number of autogenerated (from existing pull-secrets) entries.
+
Change four entries pointing to the internal registry, you can easily recognize them by the placeholder Usernameserviceaccount.
+
For each click Edit integration using the three dots at the right:
+
+
Put in acs-registry-reader as Username
+
Paste the token you copied from the secret into the Password field
+
Select Disable TLS certificate validation
Press the Test button to validate the connection and press Save when the test is successful.
-
Architecture recap
-
-
-
Click image to enlarge
-
-
-
+
ACS is now able to scan images in the internal registry!
To synchronize the internal default OpenShift Registry with the Quay Registry, the Quay Bridge is used. Now we need to create a new Organization in Quay:
-
-
To access the Quay Portal make sure you are in the quay Project
-
Go to Networking->Routes, access the Quay portal using the URL of the first route (quay-quay)
-
Login with
-
-
User: quayadmin
-
Password: quayadmin
-
-
-
In the top + menu click Create New Organization
-
-
Name it openshift_integration
-
-
-
Click Create Organization
-
-
We need an OAuth Application in Quay for the integration:
-
-
Again In the Quay Portal, click the Applications icon in the menubar to the left
-
Click Create New Application at the upper right
-
-
Name it openshift, press Enter and click on the new openshift item by clicking it
-
-
-
In the menubar to the left click the Generate Token icon
+
Test
+
Using a variable from config.toml
+
Value of var “deployment” is: production
+
Annotations:
+
+
Text here
+
+
+
+
Text here
+
+
+
Fold-outs
+Click here for Solution
+
+
-
Check all boxes and click Generate Access token
-
-
-
Click image to enlarge
-
-
-
-
In the next view click Authorize Application and confirm
-
In the next view copy the Access Token and save it somewhere, we’ll need it again
-
+
+
Module: yum
-
-
Now create a new secret for the Quay Bridge to access Quay. In the OpenShift web console make sure you are in the quay Project. Then:
-
-
Go to Workloads->Secrets and click Create->Key/value secret
-
-
Secret name: quay-credentials
-
Key: token
-
Value: paste the Access Token you generated in the Quay Portal in the text field below the grey Value field
-
Click Create
-
+
+
Arguments: name=nano
-
-
And you are done with the installation and integration of Quay as your registry!
-Test if the integration works:
-
-
In the Quay Portal you should see your OpenShift Projects are synced and represented as Quay Organizations, prefixed with openshift_ (you might have to reload the browser).
-
-
E.g. there should be a openshift_git Quay Organization.
-
+
+
Tick Enable Privilege Escalation
-
In the OpenShift web console create a new test Project, make sure it’s synced to Quay as an Organization and delete it again.
Vulnerability Management: Protect the software supply chain and prevent known vulnerabilities from being used as an entry point in your applications.
Configuration Management: Leverage the OpenShift platform for declarative security to prevent or limit attacks, even in the presence of exploitable vulnerabilities.
-
Network Segmentation: Using Kubernetes network policies in OpenShift, restrict open network paths for isolation and prevent lateral movement by attackers.
+
Network Segmentation: Using Kubernetes network policies in OpenShift, restrict open network paths for isolation and to prevent lateral movement by attackers.
Risk Profiling: Prioritize applications and security risks automatically to focus investigation and mitigation efforts.
-
Threat detection and incident response: Continuous observation and response in order to take action on attack-related activities, and to use observed behavior to inform mitigation efforts to harden security.
+
Threat detection and incident response: Continuous observation and response in order to take action on attack-related activity, and to use observed behavior to inform mitigation efforts to harden security.
Compliance: Making sure that industry and regulatory standards are being met in your OpenShift environments.
UI Overview
-
-
-
Click image to enlarge
-
-
-
Dashboard:
@@ -523,7 +467,9 @@
Click image to enlarge
Top bar:
-Near the top, we see a condensed overview of the status. It provides insight into the status of clusters, nodes, violations and so on. The top bar provides links to Search, Command-line tools, Cluster Health, Documentation, API Reference, and the logged-in user account.
+Near the top, we see an overview of our OpenShift clusters. It provides insight into the usage of images and secrets.
+The top bar provides links to Search, Command-line tools, Cluster Health, Documentation, API Reference, and logged-in
+user account
Left menus:
@@ -541,7 +487,7 @@
Exploring the Security Use Cases
Network Graph:
The Network Graph is a flow diagram, firewall diagram, and firewall rule builder in one.
-
The default view Active shows the actual traffic for the past hour between the deployments in all namespaces.
+
The default view Active the actual traffic for the Past Hour between the deployments in all namespaces is shown.
@@ -560,7 +506,7 @@
Exploring the Security Use Cases
Vulnerability Management:
Vulnerability Management provides several important reports - where the vulnerabilities are, which are the most widespread or the most recent, where my images are coming from.
-
In the upper right are buttons to link to all policies, CVEs, and images, and a menu to bring you to reports by cluster, namespace, deployment, and so on.
+
In the upper right are buttons to link to all policies, CVEs, and images, and a menu to bring you to reports by cluster, namespace, deployment, and co.
@@ -572,42 +518,31 @@
Exploring the Security Use Cases
Risk:
-
The Risk view goes beyond the basics of vulnerabilities. It helps to understand how deployment configuration and runtime activity impact the likelihood of an exploit to occurr and how successful those exploits might be.
+
The Risk view goes beyond the basics of vulnerabilities. It helps to understand how deployment configuration and runtime activity impact the likelihood of an exploit occurring and how successful those exploits will be.
This list view shows all deployments, in all clusters and namespaces, ordered by Risk priority.
+
System Policies
+
As the foundation of ACS are the system policies, have a good look around:
+
+
Navigate to the System Policies section from Platform Configuration in the left side menu.
+
You will get an overview of the Built-in Policies
+
All of the policies that ship with the product are designed with the goal of providing targeted remediation that improves security hardening.
+
You’ll see this list contains many Build and Deploy time policies to catch misconfigurations early in the pipeline, but also Runtime policies.
+
These policies come from us at Red Hat - our expertise, our interpretation of industry best practice, and our interpretation of common compliance standards, but you can modify them or create your own.
+
Filters
-
Most UI pages have a filter section at the top that allows you to narrow the view to matching or non-matching criteria. Almost all of the attributes that ACS gathers can be filtered, try it out:
+
Most UI pages have a filters section at the top that allows you to narrow the reporting view to matching or non-matching criteria. Almost all of the attributes that ACS gathers are filterable, try it out:
Go to the Risk view
Click in the Filters Bar
Start typing Process Name and select the Process Name key
-
Type java and press enter: click away to get the filters dropdown to clear
+
Type java and press enter; click away to get the filters dropdown to clear
You should see your deployment that has been “seen” running Java since it started
Try another one: limit the filter to your Project namespace only
Note the Create Policy button. It can be used to create a policy from the search filter to automatically identify this criteria.
-
System Policies
-
As the foundation of ACS are the system policies, have a good look around:
-
-
Navigate to the Policiy Management section from Platform Configuration in the left side menu.
-
You will get an overview of the built-in policies
-
All of the policies that ship with the product are designed with the goal to provide targeted remediation strategies that improve security hardening.
-
You’ll see this list contains many Build and Deploy time policies to catch misconfigurations early in the pipeline, but also Runtime policies.
-
These policies come from us at Red Hat - our expertise, our interpretation of industry best practice, and our interpretation of common compliance standards, but you can modify them or create your own.
-
-
-
By default only some policies are enforced. If you want to get an overview which ones, you can use the filter view introduced above. Use Enforcement as filter key and FAIL_BUILD_ENFORCEMENT as value.
You should have one or more pipelines to build your application from the first workshop part, now we want to secure the build and deployment of it. For the sake of this workshop we’ll take a somewhat simplified use case:
-
We want to scan our application image for the Red Hat Security Advisory RHSA-2021:4904 concerning openssl-lib.
-
If this RHSA is found in an image we don’t want to deploy the application.
+
You should by now have one or more pipelines to build your application, now we want to secure the build and deployment of it. For the sake of this workshop we’ll take a somewhat simplified use case:
+
We want to scan our application image for the Red Hat Security Advisory RHSA-2020:5566 concerning openssl-lib.
+
If this RHSA is found in an image we don’t want to deploy the application using it.
These are the steps you will go through:
Create a custom Security Policy to check for the advisory
Test if the policy is triggered in non-enforcing mode
-
with an older image version that contains the issue
-
and then with a newer version with the issue fixed
+
with an older image version that contains the advisory
+
and then with a newer versiowhere the issue has been fixed.
The final goal is to integrate the policy into the build pipeline
Create a Custom System Policy
-
First create a new policy category and the system policy. In the ACS Portal do the following:
First create the system policy. In the ACS Portal do the following:
-
Name: Workshop RHSA-2021:4904
+
System Policies->Create Policy
+
NAME: Workshop RHSA-2020:5566
Severity: Critical
-
Categories: Workshop
-
Click Next
-
-
-
Policy Behaviour
-
Lifecycle Stages: Build, Deploy
-
Response method: Inform
-
Click Next
-
-
-
Policy Criteria
-
-
Find the CVE policy criteria under Drag out policy fields in Image contents
-
Drag & drop it on the drop zone of Policy Section 1
-
Put RHSA-2021:4904 into the CVE identifier field
-
Click Next
-
-
-
Policy Scope
+
Categories: Workshop
-
You could limit the scope the policy is applied in, do nothing for now
-
Click Next
+
This will create a new Category if it doesn’t exist
-
Review Policy
-
-
Have a quick look around, if the policy would create a violation you get a preview here
+
->Next
+
Click Add a new condition
+
Find the policy field CVE in Image Contents and drag-and-drop it into the Drop A Policy Field Inside area.
+
Put RHSA-2020:5566 into the CVE field
+
Click ->Next
+
The next page will show Deployments that would generate violations
+
Click ->Next
+
On the next page you could enable enforcement of the policy for the Build and/or Deploy stages. Don’t enable enforcement yet!
Click Save
-
-
-
-
-
Click image to enlarge
-
-
-
-
Currently there is an issue with persisting the group change to the central instance. As a workaround run this in your Web Terminal zu restart the central instance:
-
oc delete pod -n stackrox -l app=central
-
Test the Policy
+
Test the Policy
Start the pipeline with the affected image version:
-
In the OpenShift Web Console go to the Pipeline in your workshop-int project, start it and set Version to java-old-image (Remember how we set up this ImageStreamtag to point to an old and vulnerable version of the image?)
-
In the ACS Portal follow the Violations view
-
-
-
To make it easier spotting the violations for this deployment you can filter the list by entering namespace and then workshop-int in the filter bar.
-
-
-
+
Go to the Pipeline, Start it and set Version to java-old-image
+
Follow the Violations in the ACS Portal
Expected result:
You’ll see the build deployments (Quarkus-Build-Options-Git-Gsklhg-Build-...) come and go when they are finished.
-
When the final build is deployed you’ll see a violation in ACS Portal for policy Workshop RHSA-2021:4904 (Check the Time of the violation)
+
When the final build is deployed you’ll see a violation in ACS Portal for policy Workshop RHSA-2020:5566 (Check the Time of the violation)
-
-
There will be other policy violations listed, triggered by default policies, have a look around. Note that none of the policies are enforced (so that the pipeline build would be stopped) yet!
-
-
Now start the pipeline with the fixed image version that doesn’t contain the CVE anymore:
-
Start the pipeline again but this time leave the Java Version as is (openjdk-11-el7).
+
Start the pipeline again but this time leave the Java Version as is.
Follow the Violations in the ACS Portal
Expected result:
You’ll see the build deployments come up and go
-
When the final build is deployed you’ll see the policy violation for Workshop RHSA-2021:4904 for your deployment is gone because the image no longer contains it
+
When the final build is deployed you’ll see the policy violation in ACS Portal from before is gone because the image no longer contains it.
-
This shows how ACS is automatically scanning images when they become active against all enabled policies. But we don’t want to just admire a violation after the image has been deployed, we want to disable the deployment during build time! So the next step is to integrate the check into the build pipeline and enforce it (don’t deploy the application).
-
Architecture recap
-
-
-
Click image to enlarge
-
-
-
+
This shows how ACS is automatically scanning images when they become active against all enabled policies. But we don’t want to just see a violation after the image has been deployed, we want to disable the deployment during build time! So the next step is to integrate the check into the build pipeline and enforce it (don’t deploy the application).
There are basically two ways to interface with ACS. The UI, which focuses on the needs of the security team, and a separate “interface” for developers to integrate into their existing toolset (CI/CD pipeline, consoles, ticketing systems etc): The roxctl commandline tool. This way ACS provides a familiar interface to understand and address issues that the security team considers important.
-
ACS policies can act during the CI/CD pipeline to identify security risk in container images before they are started.
+
ACS policies can act during the CI/CD pipeline to identify security risk in images before they are run as a container.
Integrate Image Scan into the Pipeline
-
You should have created and build a custom policy in ACS and tested it to trigger violations. Now you will integrate it into the build pipeline.
-
Our task will use the roxctl cli
-
Build-time policies require the use of the roxctl command-line tool which is available for download from the ACS Central UI, in the upper right corner of the dashboard. You don’t need to to download this now as our Tekton task will do this automatically.
-
roxctl needs to authenticate to ACS Central to do anything. You can use either username and password or API tokens to authenticate against ACS Central. It’s good practice to use a token so that’s what we’ll do.
-
Let’s Go : Create the roxctl token
-
In the ACS portal:
+
You should have created and build a custom policy in ACS and tested it for triggering violations. Now you will integrate it into the build pipeline.
+
Let’s go: Prepare roxctl
+
Build-time policies require the use of the roxctl command-line tool which is available for download from the ACS Central UI, in the upper right corner of the dashboard. Roxctl needs to authenticate to ACS Central to do anything. It can use either username and password authentication to Central, or API token based. It’s good practice to use a token so that’s what you’ll do.
+
Create the roxctl token
+
On the ACS portal:
-
Navigate to Platform Configuration > Integrations.
+
navigate to Configure > Integrations.
Scroll down to the Authentication Tokens category, and select API Token.
Click Generate Token. Enter the name pipeline for the token and select the role Admin.
Select Generate
Save the contents of the token somewhere!
Create OCP secret with token
-
Change to the OpenShift Web Console and create a secret with the API token in the project your pipeline lives in:
+
In your OCP cluster, create a secret with the API token in the project your pipeline lives in:
-
In the UI switch to your workshop-int Project
-
Create a new key/value Secret named roxsecrets
+
In the UI switch to your Project
+
Create a new key/value secret named roxsecrets
Introduce these key/values into the secret:
-
rox_central_endpoint: <the URL to your ACS Portal> (without https:// but adding the port, e.g. entral-stackrox.apps.cluster-cqtsh.cqtsh.example.com:443)
+
rox_central_endpoint: <the URL to your ACS Portal>
-
If the DOMAIN placeholder was automatically replaced it should be: central-stackrox.apps.<DOMAIN>:443
-
If not, replace it manually with your DOMAIN
+
It should be something like central-stackrox.apps.cluster-psslb.psslb.sandbox555.opentlc.com:443”
rox_api_token: <the API token you generated>
-
-
Even if the form says Drag and drop file with your value here… you can just paste the text.
-
-
-
Remove ImageStream Change Trigger
-
There is one more thing you have to do before integrating the image scanning into your build pipeline:
-When you created your deployment, a trigger was automatically added that deploys a new version when the image referenced by the ImageStream changes.
-
This is not what we want! Because this way a newly build image would be deployed immediately even if the roxctl scan detects a policy violation and terminates the pipeline.
-
Have a look for yourself:
-
-
In the OCP console go to Workloads->Deployments and open the workshop Deployment
-
Switch to the YAML view
-
Near the top under annotations (around lines 11-12) you’ll find an annotation image.openshift.io/triggers.
This way we make sure that a new image won’t be deployed automatically right after the build task which also updates the ImageStream.
Create a Scan Task
You are now ready to create a new pipeline task that will use roxctl to scan the image build in your pipeline before the deploy step:
-
In the OpenShift UI, make sure you are still in the project with your pipeline and the secret roxsecrets
+
In the OCP UI, make sure you are still in the project with your pipeline and the secret roxsecrets
Go to Pipelines->Tasks
Click Create-> ClusterTask
Replace the YAML displayed with this:
@@ -584,7 +512,7 @@
Create a Scan Task
- description: Secret containing the StackRox API token with CI permissions
name: rox_api_token
type: string
- - description: "Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)"
+ - description: 'Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1)'name: image
type: string
- description: Use image digest result from s2i-java build task
@@ -623,9 +551,9 @@
Create a Scan Task
--image $(params.image)@$(params.image_digest)
Take your time to understand the Tekton task definition:
-
First, some parameters are defined, it’s important to understand some of these are taken or depend on the build task that run before.
+
First some parameters are defined, it’s important to understand some of these are taken or depend on the build task that run before.
The script action pulls the roxctl binary into the pipeline workspace so you’ll always have a version compatible with your ACS version.
-
The most important bit is the roxctl execution, of course:
+
The most important bit is the roxctl execution, of course.
it executes the image check command
only checks against policies from category Workshop that was created above. This way you can check against a subset of policies!
@@ -633,115 +561,55 @@
Create a Scan Task
-
Add the Scan Task to the Pipeline
-
Now add the rox-image-check task to your pipeline between the build and deploy steps.
+
Add the Task to the Pipeline
-
In the Pipelines view of your project click the three dots to the right and the Edit Pipeline
+
Now add the rox-image-check task to your pipeline between the build and deploy steps.
-
-
Remember how we edited the pipeline directly in yaml before? OpenShift comes with a graphical Pipeline editor that we will use this time.
-
-
-
-
Hover your mouse over build task and click the + at the right side of it, to add a task
-
Click on Add task
-
Then enter rox-image-check in the search box
-
-
-
Click image to enlarge
-
-
-
-
Click the Add button to add to the pipeline
-
To add the required parameters from the pipeline for the task so the ACS client can connect to central, click the rox-image-check task.
-
-
-
Click image to enlarge
-
-
-
-
A form with the parameters will open, fill it in:
+
After you added it you have to fill in values for the parameters the task defines. Click the task, a form with the parameters will open, fill it in:
rox_central_endpoint: roxsecrets
rox_api_token: roxsecrets
-
image: quay-quay-quay.apps.<DOMAIN>/openshift_workshop-int/workshop (if the DOMAIN placeholder hasn’t been replaced automatically, do it manually)
This variable takes the result of the build task and uses it in the scan task.
-
-
-
Click image to enlarge
-
-
-
+
This variable takes the result of the build task and uses it in the scan task.
-
Don’t save yet
+
Click Save
-
Add the oc patch Task to the Pipeline
-
As you remember we removed the trigger that updates the Deployment on ImageStream changes. Now the Deployment will never be updated and our new Image version will never be deployed to workshop-int.
-
To fix this we will add a new oc client Task that updates the Deployment, only after the Scan Task has run.
+
Test the Scan Task
+
With our Workshop Security Policy still not set to enforce we first are going to test the pipeline integration. Start the pipeline with Java Versionjava-old-image
-
While still in the visual pipeline editor
-
Click on the + button to the left of the deploy Task
-
Click on Add Task
-
In the search window enter openshiftand select the openshift-client from Red Hat
The rox-image-check task should succeed, but if you have a look at the output (click the task in the visual representation) you should see that the build violated our policy!
-
-
-
Click image to enlarge
-
-
-
-
-
Now save the pipeline
-
-
Test the Scan Task
-
With our custom System Policy still not set to enforce we first are going to test the pipeline integration. Go to Pipelines and next to your pipeline click on the three dots and then Start. Now in the pipeline startform enter java-old-image in the Version field.
+
To test the fixed image, just start the task with the default (latest) Java version again.
Expected Result:
-
The rox-image-check task should succeed, but if you have a look at the output (click the task in the visual representation) you should see that the build violated our policy!
+
The rox-image-check task should succeed, if you have a look at the output you should see no policy violation!
Enforce the Policy
-
The last step is to enforce the System Policy. If the policy is violated the pipeline should be stopped and the application should not be deployed.
+
The last step is to enforce the Security Policy. If the policy is violated the pipeline should be stopped and the application should not be deployed.
-
Edit your custom System PolicyWorkshop RHSA-2021:4904 in ACS Portal and set Response Method to Inform and enforce and then switch on Build and Deploy below.
-
Run the pipeline again, first with Versionjava-old-image and then with Versionopenjdk-11-el7 (default)
-
Expected results:
+
Edit the Security Policy in ACS Portal and set enforcement to On for the stages Build and Deploy
+
Run the pipeline again, first with Java Versionjava-old-image and then with the latest default version.
+
Expecte results:
We are sure you know by now what to expect!
-
The pipeline should fail with the old image version and succeed with the latest image version!
-
Make sure you run the pipeline once, otherwise your application will not have a valid image tag when you kill the running pod in the next chapter
+
The pipeline should fail with the old Java image version and succeed with the latest image version!
So far you’ve seen how ACS can handle security issues concerning Build and Deploy stages. But ACS is also able to detect and secure container runtime behaviour. Let’s have a look…
Handling Security Issues at Runtime
-
As a scenario let’s assume you want to protect container workloads against attackers who are trying to install software. ACS comes with pre-configured policies for Ubuntu and Red Hat-based containers to detect if a package management tool is installed, this can be used in the Build and Deploy stages:
+
As a scenario let’s assume you won’t to protect container workloads against attackers who are trying to install software. ACS comes with pre-configured policies for Ubuntu and Red Hat-based containers to detect if a package management tool is installed, this can be used in the Build and Deploy stages:
Red Hat Package Manager in Image
@@ -506,7 +456,7 @@
Handling Security Issues at Runtime
Red Hat Package Manager Execution
-
In the ACS Portal, go to Platform Configuration->Policy Management, search for the policies by e.g. typing policy and then red hat into the filter. Open the policy detail view by clicking it and have a look at what they do.
+
In the ACS Portal, go to Platform Configuration->System Policies, search for the policies by e.g. typing policy and then red hat into the filter. Open the policy detail view by clicking it and have a look at what they do.
You can use the included policies as they are but you can always e.g. clone and adapt them to your needs or write completely new ones.
@@ -520,8 +470,8 @@
Test the Runtime Policy
To see how the alert would look like, we have to trigger the condition:
You should have a namespace with your Quarkus application runnning
-
In the OpenShift Web Console navigate to the pod and open a terminal into the container
-
Run yum search test
+
In the OCP UI navigate to the pod and open a terminal into the container
+
Run yum search test. Or whatever.
Go to the Violations view in the ACS Portal.
You should see a violation of the policy, if you click it, you’ll get the details.
Run several yum commands in the terminal and check back with the Violations view:
@@ -534,29 +484,21 @@
Test the Runtime Policy
Enforce Runtime Protection
But the real fun starts when you enforce the policy. Using the included policy, it’s easy to just “switch it on”:
-
In the ACS Portal bring up the Red Hat Package Manager Execution Policy again.
-
Click the Edit Policy button in the Actions drop-down to the upper right.
-
Click Next until you arrive at the Policy behaviour page.
-
Under Response Method select Inform and enforce
-
Set Configure enforcement behaviour for Runtime to Enforce on Runtime
-
Click Next until you arrive at the last page and click Save
+
In the ACS Portal bring up the Red Hat Package Manager Execution again.
+
Click the Edit button above the Details view to the right.
+
Click ->Next until you arrive at the Enforcement Behaviour page.
+
Set Runtime to ON
+
Click Save
-
Now trigger the policy again by opening a terminal into the pod in the OpenShift Web Console and executing yum. See what happens:
+
Now trigger the policy again by opening a terminal into the pod and executing yum. See what happens:
Runtime enforcement will kill the pod immediately (via k8s).
-
OpenShift will scale it up again automatically
+
Kubernetes will scale it up again automatically
-
This is expected and allows to contain a potential compromise while not causing a production outage.
+
This is to be expected and allows to contain a potential compromise while not causing a production outage.
Red Hat Advanced Cluster Management for Kubernetes (ACM) provides management, visibility and control for your OpenShift and Kubernetes environments. It provides management capabilities for:
-
-
cluster creation
-
application lifecycle
-
security and compliance
-
-
All across hybrid cloud environments.
-
Clusters and applications are visible and managed from a single console, with built-in security policies. Run your operations from anywhere that Red Hat OpenShift runs, and manage any Kubernetes cluster in your fleet.
-
Install Advanced Cluster Managagement
-
Before you can start using ACM, you have to install it using an Operator on your OpenShift cluster.
-
-
Login to the OpenShift Web Console with you cluster admin credentials
-
In the Web Console, go to Operators > OperatorHub and search for the Advanced Cluster Management for Kubernetes operator.
-
Install the operator with the default settings
-
It will install into a new Projectopen-cluster-management by default.
-
-
After the operator has been installed it will inform you to create a MultiClusterHub, the central component of ACM.
-
-
-
Click image to enlarge
-
-
-
-
Click the Create MultiClusterHub button and have a look at the available installation parameters, but don’t change anything.
-
Click Create.
-
At some point you will be asked to refresh the web console. Do this, you’ll notice a new drop-down menu at the top of the left menu bar. If left set to local-cluster you get the standard console view, switching to All Clusters takes you to a view provided by ACM covering all your clusters.
-
Okay, right now you’ll only see one, your local-cluster listed here.
-
A first look at Advanced Cluster Management
-
Now let’s change to the full ACM console:
-
-
Switch back to the local-clusters view
-
Go to Operators->Installed operators and click the Advanced Cluster Management for Kubernetes operator
-
In the operator overview page choose the MultiClusterHub tab.
-
The multiclusterhub instance you deployed should be in StatusRunning by now.
-
Switch back to the All Clusters
-
-
You are now in your ACM dashboard!
-
-
-
Click image to enlarge
-
-
-
-
Have a look around:
-
-
Go to Infrastructure->Clusters
-
You’ll see your lab OpenShift cluster here, the infrastructure it’s running on and the version.
-
-
There might be a version update available, don’t run it please… ;)
-
-
-
If you click the cluster name, you’ll get even more information, explore!
-
-
Manage Cluster Lifecycle
-
One of the main features of Advanced Cluster Management is cluster lifecycle management. ACM can help to:
-
-
manage credentials
-
deploy clusters to various cloud providers and on-premises
-
import existing clusters
-
use labels on clusters for management purposes
-
-
Let’s give this a try!
-
Deploy an OpenShift Cluster
-
Okay, do not overstress our cloud ressources and for the fun of it we’ll deploy a Single Node OpenShift (SNO) cluster to the same AWS account your lab cluster is running in.
-
Create Cloud Credentials
-
The first step is to create credentials in ACM to deploy to the Amazon Web Services account.
-
-
You’ll get the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY needed to deploy to AWS from your facilitators.
-
-
-
-
On your OpenShift cluster, create a new namespace sno
-
In the ACM web console, navigate to Credentials and click Add credential:
-
-
As Credential type select AWS
-
Credential name: sno
-
Namespace: Choose the sno namespace
-
Base DNS domain: sandbox<NNNN>.opentlc.com, replace <NNNN> with your id, you can find it e.g. in the URL
-
Click Next
-
Now you need to enter the AWS credentials, enter the Access key ID and Secret access key as provided.
-
Click Next
-
Click Next again for proxy settings
-
Now you need to enter an OpenShift Pull Secret, copy it from your OpenShift cluster:
-
-
Switch to the project openshift-config and copy the content of the secret pull-secret
-
-
-
To connect to the managed SNO you need to enter a SSH private key ($HOME/.ssh/<LABID>key.pem) and public key ($HOME/.ssh/<LABID>key.pub).
-
-
Use the respective keys from your lab environments bastion host, the access details will be provided.
-
The <LABID> can be found in the URL, e.g. multicloud-console.apps.cluster-z48z9.z48z9.sandbox910.opentlc.com
-
-
-
Click Next
-
Click Add
-
-
-
-
You have created a new set of credentials to deploy to the AWS account you are using.
-
Deploy Single Node OpenShift
-
Now you’ll deploy a new OpenShift instance:
-
-
In the ACM console, navigate to Infrastructure -> Clusters and click Create cluster.
-
As provider choose Amazon Web Services
-
Infrastructure provider credential: Select the sno credential you created.
-
Control plane type - AWS: Standalone
-
Cluster name: aws-sno
-
Cluster set: Leave empty …
-
Base DNS Domain: Set automatically from the credentials
-
Release name: Use the latest 4.14.19 release available
-
Additional Label: sno=true
-
Click Next
-
On the Node pools view leave the Region set to us-east-1
-
Architecture: amd64
-
Expand Control plane pool
-
-
read the information for Zones (and leave the setting empty)
-
change Instance Type to m5.2xlarge.
-
-
-
Expand Worker pool 1:
-
-
Set Node count to 0 (we want a single node OCP…).
-
-
-
Click Next
-
Have a look at the network screen but don’t change anything
-
-
Now click Next until you arrive at the Review. Do the following:
-
-
Set YAML: On
-
In the cluster YAML editor select the install-config tab
-
In the controlPlane section change the replicas field to 1.
-
-
It’s time to deploy your cluster, click Create!
-
ACM monitors the installation of the new cluster and finally imports it. Click View logs under Cluster install to follow the installation log.
-
-
Installation of a SNO takes around 30 minutes in our lab environment.
-
-
-
After the installation has finished, access the Clusters section in the ACM portal again.
-
-
-
Click image to enlarge
-
-
-
-
Explore the information ACM is providing, including the Console URL and the access credentials of your shiny new SNO instance. Use them to login to the SNO Web Console.
-
Application Lifecycle Management
-
In the previous lab, you explored the Cluster Lifecycle functionality of RHACM by deploying a new OpenShift single-node instance to AWS. Now let’s have a look at another capability, Application Lifecycle management.
-
Application Lifecycle management is used to manage applications on your clusters. This allows you to define a single or multi-cluster application using Kubernetes specifications, but with additional automation of the deployment and lifecycle management of resources to individual clusters. An application designed to run on a single cluster is straightforward and something you ought to be familiar with from working with OpenShift fundamentals. A multi-cluster application allows you to orchestrate the deployment of these same resources to multiple clusters, based on a set of rules you define for which clusters run the application components.
-
The naming convention of the different components of the Application Lifecycle model in RHACM is as follows:
-
-
Channel: Defines a place where deployable resources are stored, such as an object store, Kubernetes namespace, Helm repository, or GitHub repository.
-
Subscription: Definitions that identify deployable resources available in a Channel resource that are to be deployed to a target cluster.
-
PlacementRule: Defines the target clusters where subscriptions deploy and maintain the application. It is composed of Kubernetes resources identified by the Subscription resource and pulled from the location defined in the Channel resource.
-
Application: A way to group the components here into a more easily viewable single resource. An Application resource typically references a Subscription resource.
-
-
Creating a Simple Application with ACM
-
Start with adding labels to your two OpenShift clusters in your ACM console:
-
-
On the local cluster add a label: environment=prod
-
On the new SNO deployment add label: environment=dev
Select Deploy application resources only on clusters with all specified labels
-
Cluster sets: default
-
Label: environment
-
Value: dev
-
-
-
-
Click image to enlarge
-
-
-
-
Click Create and then the topology tab to view the application being deployed:
-
-
-
Click image to enlarge
-
-
-
-
-
Select Cluster, the application should have been deployed to the SNO cluster because of the label environment=dev
-
Select the Route and click on the URL, this should take you to the Book Import application
-
Explore the other objects
-
-
Now edit the application in the ACM console and change the label to environment=prod. What happens?
-
In this simple example you have seen how to deploy an application to an OpenShift cluster using ACM. All manifests defining the application where kept in a Git repo, ACM then used the manifests to deploy the required objects into the target cluster.
-
Bonus Chapter : Pre/Post Tasks with Ansible Automation Platform 2
-
You can integrate Ansible Automation Platform and the Automation Controller (formerly known as Ansible Tower) with ACM to perform pre / post tasks within the application lifecycle engine. The prehook and posthook task allows you to trigger an Ansible playbook before and after the application is deployed, respectively.
-
Notice that you will need a Red Hat Account with a valid Ansible subscription for this part.
-
Install Automation Controller
-
To give this a try you need an Automation Controller instance. So let’s deploy one on your cluster using the AAP Operator:
-
-
In OperatorHub search for the Ansible Automation Platform operator and install it using the default settings.
-
After installation has finished create an Automation Controller instance using the Operator, name it automationcontroller
-
When the instance is ready, look up automationcontroller-admin-password secret
-
Then look up the automationcontroller route, access it and login as user admin using the password from the secret
-
Apply a manifest or use the username/password login to the Red Hat Customer Portal and add a subscription
-
-
You are now set with a shiny new Ansible Automation Platform Controller!
-
Add Auth Token
-
In the Automation Controller web UI, generate a token for the admin user:
-
-
Go to Users
-
Click admin and select Tokens
-
Click the Add button
-
As description add Token for use by ACM
-
Update the Scope to Write
-
Click Save
-
-
Save the token value to a text file, you will need this token later!
-
Configure Template in Automation Controller
-
For Automation Controller to run something we must configure a Project and a Template first.
Verify that the Job run by going to Jobs and looking for an acm-test job showing a successful Playbook run.
-
Create AAP credentials in ACM
-
Set up the credential which is going to allow ACM to interact with your AAP instance in your ACM Portal:
-
-
Click on Credentials on the left menu and select Add Credential button.
-
Credential type: Red Hat Ansible Automation Platform
-
Credential name: appaccess
-
Namespace: open-cluster-management
-
Click Next
-
Ansible Tower Host:
-
Ansible Tower token:
-
Click Next and Add
-
-
Use the ACM - Ansible integration
-
And now let’s configure the ACM integration with Ansible Automation Platform to kick off a job in Automation Controller. In this case the Ansible job will just run our simple playbook that will only output a message.
-
In the ACM Portal:
-
-
Go to the Applications menu on the left and click Create application → Subscription
Expand the Configure automation for prehook and posthook dropdown menu
-
Ansible Automation Platform credential: appaccess
-
Select Deploy application resources only on clusters matching specified labels
-
Label: environment
-
Value: dev
-
Click Create
-
-
Give this a few minutes. The application will complete and in the application topology view you will see the Ansible prehook. In Automation Controller go to Jobs and verify the Automation Job run.
During this workshop you’ll install and use a good number of software components. The first one is OpenShift Data Foundation for providing storage. We’ll start with it because the install takes a fair amount of time. Number two is Gitea for providing Git services in your cluster with more to follow in subsequent chapters.
-
But fear not, all are managed by Kubernetes Operators on OpenShift.
-
Install OpenShift Data Foundation
-
Let’s install OpenShift Data Foundation which you might know under the old name OpenShift Container Storage. It is engineered as the data and storage services platform for OpenShift and provides software-defined storage for containers.
-
-
Login to the OpenShift Webconsole with your cluster admin credentials
-
In the Web Console, go to Operators > OperatorHub and search for the OpenShift Data Foundation operator
-
-
-
Click image to enlarge
-
-
-
-
Install the operator with default settings
-
-
After the operator has been installed it will inform you to install a StorageSystem. From the operator overview page click Create StorageSystem with the following settings:
-
-
Backing storage: Leave Deployment TypeFull deployment and for Backing storage type make sure gp2 is selected.
-
Click Next
-
Capacity and nodes: Leave the Requested capacity as is (2 TiB) and select all nodes.
-
Click Next
-
Security and network: Leave set to Default (SDN)
-
Click Next
-
-
You’ll see a review of your settings, hit Create StorageSystem. Don’t worry if you see a temporary 404 Page. Just releod the browser page once and you will see the System Overview
-
-
-
Click image to enlarge
-
-
-
-
As mentioned already this takes some time, so go ahead and install the other prerequisites. We’ll come back later.
-
Prepare to run oc commands
-
You will be asked to run oc (the OpenShift commandline tool) commands a couple of times. We will do this by using the OpenShift Web Terminal. This is the easiest way because you don’t have to install oc or an SSH client.
-
Install OpenShift Web Terminal
-
To extend OpenShift with the Web Terminal option, install the Web Terminal operator:
-
-
Login to the OpenShift Webconsole with your cluster admin credentials
-
In the Web Console, go to Operators > OperatorHub and search for the Web Terminal operator
-
Install the operator with the default settings
-
-
This will take some time and installs another operator as a dependency.
-
After the operator has installed, reload the OCP Web Console browser window. You will now have a new button (>_) in the upper right. Click it to start a new web terminal. From here you can run the oc commands when the lab guide requests it (copy/paste might depend on your laptop OS and browser settings, e.g. try Ctrl-Shift-V for pasting).
-
-
-
Click image to enlarge
-
-
-
-
-
The terminal is not persistent, so if it was closed for any reason anything you did in the terminal is gone after re-opening.
-
-
-
If for any reason you can’t use the webterminal, your options are:
-
-
Install and run oc on your laptop
-
SSH into the bastion host, if running on a Red Hat RHDP lab environment. From here you can just run oc without login.
-
-
TODO: Change yaml applies to direct git download
-
Install and Prepare Gitea
-
We’ll need Git repository services to keep our app and infrastructure source code, so let’s just install trusted Gitea using an operator:
-
-
Gitea is an OpenSource Git Server similar to GitHub. A team at Red Hat was so nice to create an Operator for it. This is a good example of how you can integrate an operator into your catalog that is not part of the default OperatorHub already.
-
-
-
To integrate the Gitea operator into your Operator catalog you need to access your cluster with the oc client. You can do this in two ways:
-
-
If you don’t already have the oc client installed, you can download the matching version for your operating system here
-
Login to the OpenShift Web Console with you cluster admin credentials
-
On the top right click on your username and then Copy login command to copy your login token
-
On you local machine open a terminal and login with the oc command you copied above, you may need to add –insecure-skip-tls-verify at the end of the line
-
-
Or, if working on a Red Hat RHPDS environment:
-
-
Use the information provided to login to your bastion host via SSH
-
When logged in as lab-user you will be able to run oc commands without additional login.
-
-
Now using oc add the Gitea Operator to your OpenShift OperatorHub catalog:
Access the route URL (you’ll find it e.g. in Networking > Routes > repository > Location). If the Route is not yet there just wait a couple of minutes.
-
This will take you to the Gitea web UI
-
Sign-In to Gitea with user gitea and password gitea
-
If your Gitea UI appears in a language other then English (depending on your locale settings), switch it to English. Change the language in your Gitea UI, the example below shows a German example:
-
-
-
-
-
-
-
-
-
-
-
-
-
Click image to enlarge
-
-
-
-
-
-
Click image to enlarge
-
-
-
-
-
-
-
Import the Required Repositories
-
Now we will clone a git repository of a sample application into our Gitea, so we have some code to works with
In the cloned repository you’ll find a devfile.yaml. We will need the URL to the file soon, so keep the tab open.
-
In later chapters we will need a second repository to hold your GitOps yaml resources. Let’s create this now as well
-
-
In Gitea create a New Migration and clone the Config GitOps Repo which will be the repository that contains our GitOps infrastructure components and state
Check OpenShift Data Foundation (ODF) Storage Deployment
-
Now it’s time to check if the StorageSystem deployment from ODF completed succesfully. In the openShift web console:
-
-
Open Storage->DataFoundation
-
On the overview page go to the Storage Systems tab
-
Click ocs-storagecluster-storagesystem
-
On the next page make sure the status indicators on the Block and File and Object tabs are green!
-
-
-
-
Click image to enlarge
-
-
-
-
-
-
Click image to enlarge
-
-
-
-
Your container storage is ready to go, explore the information on the overview pages if you’d like.
-
Install Red Hat Quay Container Registry
-
The image that we have just deployed was pushed to the internal OpenShift Registry which is a great starting point for your cloud native journey. But if you require more control over you image repos, a graphical GUI, scalability, internal security scanning and the like you may want to upgrade to Red Hat Quay. So as a next step we want to replace the internal registry with Quay.
-
Quay installation is done through an operator, too:
-
-
In Operators->OperatorHub filter for Quay
-
Install the Red Hat Quay Operator with the default settings
-
Create a new project called quay at the top Project selection menu
-
While in the project quay go to Administration->LimitRanges and delete the quay-core-resource-limits
-
-
-
Click image to enlarge
-
-
-
-
In the operator overview of the Quay Operator on the Quay Registry tile click Create instance
-
If the YAML view is shown switch to Form view
-
Make sure you are in the quay project
-
Change the name to quay
-
Click Create
-
Click the new Quayregistry, scroll down to Conditions and wait until the Available type changes to True
-
-
-
Click image to enlarge
-
-
-
-
-
Now that the Registry is installed you have to configure a superuser:
-
-
Make sure you are in the quay Project
-
Go to Networking->Routes, access the Quay portal using the URL of the first route (quay-quay)
-
Click Create Account
-
-
As username put in quayadmin, a (fake) email address and and quayadmin as password.
-
-
-
Click Create Account again
-
In the OpenShift Web Console open Workloads->Secrets
-
Search for quay-config-editor-credentials-..., open the secret and copy the values, you’ll need them in a second.
-
Go back to the Routes and open the quay-quay-config-editor route
-
Login with the values of the secret from above
-
Click Sign in
-
Scroll down to Access Settings
-
As Super User put in quayadmin
-
click Validate Configuration Changes and after the validation click Reconfigure Quay
-
-
Reconfiguring Quay takes some time. The easiest way to determine if it’s been finished is to open the Quay portal (using the quay-quay Route). At the upper right you’ll see the username (quayadmin), if you click the username the drop-down should show a link Super User Admin Panel. When it shows up you can proceed.
-
-
-
Click image to enlarge
-
-
-
-
Integrate Quay as Registry into OpenShift
-
To synchronize the internal default OpenShift Registry with the Quay Registry, Quay Bridge is used.
-
-
In the OperatorHub of your cluster, search for the Quay Bridge Operator
-
-
Install it with default settings
-
-
-
-
Now we finally create an Quay Bridge instance. :
-
-
Go to the Red Hat Quay Bridge Operator overview (make sure you are in the quay namespace)
-
On the Quay Integration tile click Create Instance
-
-
Open Credentials secret
-
-
Namespace containing the secret: quay
-
Key within the secret: token
-
-
-
Copy the Quay Portal hostname (including https://) and paste it into the Quay Hostname field
