Introduction

The Governance framework in Red Hat Advanced Cluster Management for Kubernetes (RHACM) can be used to show how Red Hat Advanced Cluster Security for Kubernetes (RHACS) and RHACM are better together. The community policies available with RHACM can be used to deploy the RHCS Central server and the Secured Cluster services. Keep reading to find out more about how these products are better together.

Prerequisites

View the following prerequisites to follow along in this blog:

  • RHACM 2.3.x or RHACM 2.4.x is already installed on your cluster. A new feature that supports resolving templates in the policy on the managed cluster is used.
  • RHACS 3.61 or newer is installed. The RHACS operator is used to deploy RHACS components.
  • RHACS resources must be installed in the stackrox namespace.
  • RHACS Central server is installed on the same cluster as the RHACM hub cluster.
  • Only OpenShift clusters can be used.

Product value

  • Advanced Cluster Security helps manage compliance and vulnerabilities in your Kubernetes clusters and gives you visibility into the security of your deployments.

  • Advanced Cluster Management helps you manage your fleet of clusters, including the applications, governance and monitoring of those clusters. This ability of Advanced Cluster Management to manage your fleet of customers can also be used to easily deploy Advanced Cluster Security.

How it works

Advanced Cluster Security can now be configured on clusters using an operator. The operator can respond to custom resources created that correspond to the two components of the Advanced Cluster Security architecture:

  • Central Server: The Central Server runs only on the hub cluster and receives the security data, processes policies, handles compliance scanning, and displays all of the security details through one convenient web console.

  • Secured Cluster Services: Secured Cluster Services runs on each managed cluster and send security details about the cluster to the Central Server.

Advanced Cluster Management has tools to help you manage your fleet of clusters including:

  • Channels and subscriptions in the Application lifecycle pillar of Advanced Cluster Management can mirror secrets from the Advanced Cluster Management hub cluster to the managed clusters.

  • The Governance pillar can be used to deploy policies that apply the Advanced Cluster Management operator and create the Central Server and Secured Cluster Services on the desired set of clusters.

All of this can be done with a few simple steps. What’s important to remember, as new managed clusters are created and added to Advanced Cluster Management, there’s nothing to do to get the Secured Clusters Services added to Advanced Cluster Security. The automation here displays the better together story we have between Advanced Cluster Security and Advanced Cluster Management.

Another important point to notice is that each secured cluster that is added to the Advanced Cluster Security Central server is added with the same name that Advanced Cluster Management uses for its managed clusters. This helps you consistently handle any security issues as they arise since you don’t have to map the Advanced Cluster Security cluster names to Advanced Cluster Management managed cluster names -- they’re the same!

Procedure

The procedure for this integration is also described in the open-cluster-management repository advanced-cluster-security.

See the following three main steps that need to be completed, the learn about the details in the sections that follow:

  1. Deploy the Advanced Cluster Security Central Server to the Advanced Cluster Management Hub Server
  2. Mirror the Advanced Cluster Security certificates that we create from the Central Server (the init bundle) to the Advanced Cluster Management managed clusters
  3. Deploy the Advanced Cluster Security Secured Cluster Services to the Advanced Cluster Management managed clusters

Deploying the Advanced Cluster Security Central Server

To deploy the Advanced Cluster Security Central server, you must simply deploy an Advanced Cluster Management Policy. The policy will be deployed to only the Advanced Cluster Management hub cluster.

While the Advanced Cluster Security Central server could be deployed to another cluster, this procedure assumes that you want the Advanced Cluster Management hub cluster and the Advanced Cluster Security Central server on the same OpenShift cluster.

  1. In the Advanced Cluster Management web console, select Governance > Create Policy.
  2. In the YAML editor, paste the full contents of the central server policy from the Central Server Policy repository.
  3. Update the Namespace field so this policy is created in the desired namespace. Note: Do not create policies in the managed cluster namespaces. The remaining settings can be used as-is, but you should review the contents of this policy since it will create a Central custom resource with default settings that you may want to customize in the YAML editor.
  4. After you are satisfied with the contents of the policy, select the Create button to apply the policy. This policy is distributed to the Advanced Cluster Management hub cluster only. 5 . Select the policy and wait for it to become Compliant.

Mirror the Advanced Cluster Security Certificates

After the Central server policy is deployed, wait a few minutes for the deployment to complete, then complete a few manual steps to login to the server and create an API token that can be used later in this step.

Log in to Advanced Cluster Security from the OpenShift web console

  1. Select Networking > Routes. In the table of routes, find the entry for namespace stackrox and name central.

  2. Click the Location link in that row to launch the Central server web console. See the following image:

     

    acs-central-route
  3. Login to the Central server with the user id admin. The password is contained in a secret.

  4. Click the Workloads menu in the OpenShift web console and then select Secrets. Change the Projects to stackrox so you only see the stackrox secrets. Select the secret named central-htpasswd. Look for the field named password in the Data section and select the image to copy the password to your clipboard. Paste this value into the password field of the Central server login prompt. See the following image:

     

    acs-central-login-secret

Create an API Token

Create an API token by following this procedure in the web console for the Central server.

  1. Select the menu Platform Configuration and then select Integrations as shown in the following image:

    acs-central-integrations-menu
  2. Select the API Token integration as shown in the following image:

    acs-central-api-token-image
  3. Configure a new API Token by giving it a name and the Admin role, then select Generate as shown.

    acs-central-create-token (1)
  4. The token is displayed only this one time. You must copy the token and set the environment variable shown in the following sample.

    At your command prompt, set a variable containing the API token:

    export ROX_API_TOKEN=<token>

Install yq

Install the yq command on your system:

  • RHEL: Follow these instructions: Install yq on RHEL
  • MAC: Run the command brew install yq

Install roxctl

Download and install the roxctl command from the Advanced Cluster Security web console by following these steps:

  1. Click the Download CLI link on the top banner of the Advanced Cluster Security web console.

    acs-central-create-token
  2. Select the platform that matches your local system.

  3. Install the downloaded binary file so it can be accessed from your path.

Create and deploy the init bundle

  1. Download and run the deploy script using the following command:

    curl https://raw.githubusercontent.com/open-cluster-management/advanced-cluster-security/main/scripts/deploy-bundle.sh -o deploy-bundle.sh
    bash deploy-bundle.sh -i bundle.yaml | oc apply -f -
  2. Verify secrets that were deployed to the stackrox namespace:

    oc get secret -n stackrox | grep tls

You should see several secrets listed including the following:

  • admission-control-tls
  • collector-tls
  • sensor-tls

Deploy the Advanced Cluster Security Secured Cluster Services Policy

  1. In the Advanced Cluster Management web console, select Governance > Create Policy.
  2. In the YAML editor, paste the full contents of the Secured Cluster server policy located in the following policy-collection community: Advanced Cluster Security Secured Clusters policy.
  3. Update the Namespace field so this policy is created in the desired namespace.

This policy is distributed to all managed clusters that have the vendor=OpenShift tag by default. Note: Do not create policies in the managed cluster namespaces.

The remaining settings can be used as-is, but you should review the contents of this policy since it will create a SecuredCluster custom resource with default settings that you may want to customize in the YAML editor.

  1. After you are satisfied with the contents of the policy, select Create to apply the policy. Wait a few minutes for the policy to become Compliant.

Validation

Wait a few minutes for the Advanced Cluster Security operators to act on all of the SecuredCluster resources. Log back into the Advanced Cluster Security web console and select Platform Configuration > Clusters menu entry. You should see your secured clusters!

Note that all of the cluster names match the Advanced Cluster Management managed cluster names. You can run the command to see your Advanced Cluster Management managed clusters to help verify that the names match.

oc get managedclusters

You can also view the Clusters in the Advanced Cluster Management web console.


acs-central-secured-clusters-list

Conclusion

This blog has described one way that Advanced Cluster Management and Advanced Cluster Security are better together. A few things to keep in mind about this integration:

  • If a cluster is removed from management in Advanced Cluster Management, it does not remove the cluster from management in Advanced Cluster Security.

  • When a new init bundle needs to be deployed, the secrets are automatically propagated to each managed cluster, but you may need to delete the Advanced Cluster Security pods for the Secured Cluster services to begin using the new certificates.

Now your deployment of Advanced Cluster Security is automatically handled within your Advanced Cluster Management installation. Be sure to log in to your Advanced Cluster Security Central server and see all of your clusters that are attached and named after your Advanced Cluster Management managed cluster names. Add a new managed cluster and watch that cluster automatically appear in Advanced Cluster Security. No extra effort required!


Categories

How-tos, Security, Red Hat Advanced Cluster Management, Red Hat Advanced Cluster Security for Kubernetes

< Back to the blog