The governance framework in Red Hat Advanced Cluster Management for Kubernetes (RHACM) can be used to show how Red Hat Advanced Cluster Security for Kubernetes (RHACS) and RHACM are better together. The community policies available with RHACM can be used to deploy the RHACS Central server and the Secured Cluster Services. Keep reading to find out more about how these products are better together.

Prerequisites

View the following prerequisites to follow along in this blog:

  • RHACM 2.3.x or RHACM 2.4.x is already installed on your cluster. This procedure relies on a newer feature that resolves templates in the policy on the managed cluster.
  • RHACS 3.61 or newer is installed. The RHACS operator is used to deploy RHACS components.
  • RHACS resources must be installed in the stackrox namespace.
  • RHACS Central server is installed on the same cluster as the RHACM hub cluster.
  • Only OpenShift clusters can be used.

Product Value

  • Advanced Cluster Security helps manage compliance and vulnerabilities in your Kubernetes clusters and gives you visibility into the security of your deployments.

  • Advanced Cluster Management helps you manage your fleet of clusters, including the applications, governance, and monitoring of those clusters. This ability of Advanced Cluster Management to manage your fleet of clusters can also be used to easily deploy Advanced Cluster Security.

How It Works

Advanced Cluster Security can now be configured on clusters using an operator. The operator can respond to custom resources that correspond to the two components of the Advanced Cluster Security architecture:

  • Central Server: The Central Server runs only on the hub cluster and receives the security data, processes policies, handles compliance scanning, and displays all the security details through one convenient web console.

  • Secured Cluster Services: Secured Cluster Services run on each managed cluster and send security details about the cluster to the Central Server.

Advanced Cluster Management has tools to help you manage your fleet of clusters, including:

  • Channels and subscriptions in the Application lifecycle pillar of Advanced Cluster Management can mirror secrets from the Advanced Cluster Management hub cluster to the managed clusters.

  • The Governance pillar can be used to deploy policies that install the Advanced Cluster Security operator and create the Central Server and Secured Cluster Services on the desired set of clusters.

All this can be done with a few simple steps. What's important to remember is that as new managed clusters are created and added to Advanced Cluster Management, there's nothing to do to get the Secured Cluster Services added to Advanced Cluster Security. This automation is the "better together" story between Red Hat Advanced Cluster Security and Advanced Cluster Management.

Another important point to notice is that each secured cluster that is added to the Advanced Cluster Security Central server is added with the same name that Advanced Cluster Management uses for its managed clusters. This helps you consistently handle any security issues as they arise, since you don't have to map the Advanced Cluster Security cluster names to Advanced Cluster Management managed cluster names: they're the same!

Migration to 2.5

For the Secured Cluster Services to continue deployment to new managed clusters on RHACM version 2.5 or newer, you must perform some new migration steps to push secrets to managed clusters. Most of the work is done automatically just by deploying the OpenShift Plus PolicySet, but the following steps migrate and clean up resources that are no longer used.

These commands must all be run on the RHACM hub cluster:

  1. Delete the namespaces, subscriptions, and PlacementRules that are no longer used. Run the following commands:

    oc delete ns stackrox-staging stackrox-cluster-channel
    oc delete subscription.apps.open-cluster-management.io -n stackrox secured-cluster-sub
    oc delete PlacementRule -n stackrox secured-cluster-placement

  2. Compare your RHACS policy configuration to the details in the RHACM version 2.5 OpenShift Plus PolicySet. Carry over any configuration changes you need to the OpenShift Plus PolicySet and remove any PolicySet policies you do not need. See the following policies:

  3. Delete the old policies for Advanced Cluster Security. This does not remove Advanced Cluster Security, only the policies. The next step deploys the new policies.

    oc delete policies.policy.open-cluster-management.io -n <namespace> policy-advanced-cluster-security-central policy-advanced-managed-cluster-security

  4. Deploy the OpenShift Plus PolicySet. If you do not want some of the components of OpenShift Plus to be installed, edit the policy manifest file to remove those components before deploying it.

See the README.md for more details on the OpenShift Plus PolicySet.

Procedure

The procedure for this integration is also described in the open-cluster-management repository advanced-cluster-security.

See the following three main steps that need to be completed, then learn the details in the following sections:

  1. Deploy the Advanced Cluster Security Central Server to the Advanced Cluster Management hub server.
  2. Mirror the Advanced Cluster Security certificates created from the Central Server (the init bundle) to the Advanced Cluster Management managed clusters.
  3. Deploy the Advanced Cluster Security Secured Cluster Services to the Advanced Cluster Management managed clusters.

Deploying the Advanced Cluster Security Central Server

To deploy the Advanced Cluster Security Central server, you only need to deploy an Advanced Cluster Management Policy. The policy is deployed to the Advanced Cluster Management hub cluster only.

While the Advanced Cluster Security Central server could be deployed to another cluster, this procedure assumes you want the Advanced Cluster Management hub cluster and the Advanced Cluster Security Central server on the same OpenShift cluster.

  1. In the Advanced Cluster Management web console, select Governance > Create Policy.
  2. In the YAML editor, paste the full contents of the central server policy from the Central Server Policy repository.
  3. Update the Namespace field so this policy is created in the desired namespace. Note: Do not create policies in the managed cluster namespaces. The remaining settings can be used as-is, but you should review the contents of this policy since it creates a Central custom resource with default settings that you may want to customize in the YAML editor.
  4. After you're satisfied with the contents of the policy, select the Create button to apply the policy. This policy is distributed to the Advanced Cluster Management hub cluster only.
  5. Select the policy and wait for it to become Compliant.

Mirror the Advanced Cluster Security Certificates

After the Central server policy is deployed, wait a few minutes for the deployment to complete, and then complete a few manual steps to log in to the server and create an API token that can be used later in this step.

Log In to Advanced Cluster Security from the OpenShift Web Console

  1. Select Networking > Routes. In the table of routes, find the entry for namespace stackrox and name central.

  2. Click the Location link in that row to launch the Central server web console.

  3. Log in to the Central server with the user ID admin. The password is stored in a secret.

  4. Click the Workloads menu in the OpenShift web console, and then select Secrets. Change the Project to stackrox so you only see the stackrox secrets. Select the secret named central-htpasswd. Look for the field named password in the Data section, and select the copy icon to copy the password to your clipboard. Paste this value into the password field of the Central server login prompt.

Create an API Token

Create an API token by following this procedure in the web console for the Central server.

  1. Select the Platform Configuration menu and then select Integrations.

  2. Select the API Token integration.

  3. Configure a new API Token by giving it a name and the Admin role, and then select Generate.

  4. The token is displayed only once. Copy the token and set the environment variable shown in the following sample.

    At your command prompt, set a variable containing the API token:

    export ROX_API_TOKEN=<token>

Install yq

Install the yq command on your system:

  • RHEL: Follow these instructions: Install yq on RHEL
  • Mac: Run the command brew install yq

Install roxctl

Download and install the roxctl command from the Advanced Cluster Security web console by following these steps:

  1. Click the Download CLI link on the top banner of the Advanced Cluster Security web console.


  2. Select the platform that matches your local system.

  3. Install the downloaded binary so that it is on your PATH.

Create and Deploy the init Bundle

  1. Download and run the deploy script using the following command:

    curl https://raw.githubusercontent.com/open-cluster-management/advanced-cluster-security/main/scripts/deploy-bundle.sh -o deploy-bundle.sh
    bash deploy-bundle.sh -i bundle.yaml | oc apply -f -
  2. Verify the secrets that were deployed to the stackrox namespace:

    oc get secret -n stackrox | grep tls

You should see several secrets listed, including:

  • admission-control-tls
  • collector-tls
  • sensor-tls
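The check above is normally done by eye. As an added example that is not part of the original post or the advanced-cluster-security repository, the following Python script parses the table that oc get secret prints and reports which of the three init-bundle secrets named above are missing. The sample output, the check_namespace helper and its optional --context argument (used to point oc at a managed cluster's kubeconfig context) are assumptions made for this example.

```python
"""Added example: verify that the init-bundle secrets reached the stackrox
namespace, instead of eyeballing `oc get secret -n stackrox | grep tls`."""
import subprocess

# The three Secured Cluster Services secrets the post says must appear.
EXPECTED_SECRETS = ("admission-control-tls", "collector-tls", "sensor-tls")


def parse_secret_names(oc_output):
    """Return the NAME column of `oc get secret` table output as a set."""
    names = set()
    for line in oc_output.splitlines()[1:]:  # skip the header row
        if line.strip():
            names.add(line.split()[0])
    return names


def missing_init_bundle_secrets(oc_output):
    """Return the expected secrets that are absent from the oc output."""
    present = parse_secret_names(oc_output)
    return [name for name in EXPECTED_SECRETS if name not in present]


def check_namespace(namespace="stackrox", context=None):
    """Run `oc get secret` for the namespace (optionally against another
    kubeconfig context, e.g. a managed cluster) and return missing names."""
    cmd = ["oc", "get", "secret", "-n", namespace]
    if context:
        cmd += ["--context", context]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return missing_init_bundle_secrets(result.stdout)


# Constructed sample output, modelled on `oc get secret -n stackrox`;
# collector-tls is deliberately absent to show a failed check.
SAMPLE_OC_OUTPUT = """NAME                      TYPE                      DATA   AGE
admission-control-tls     Opaque                    3      5m
builder-dockercfg-abc12   kubernetes.io/dockercfg   1      30d
sensor-tls                Opaque                    3      5m
"""

if __name__ == "__main__":
    # Runs offline against the constructed sample; call check_namespace()
    # instead when logged in to a cluster with oc.
    print("missing:", missing_init_bundle_secrets(SAMPLE_OC_OUTPUT))
```

Run it with no arguments to see the offline sample, or call check_namespace() (and check_namespace(context="<managed-cluster-context>") after the Secured Cluster Services policy below has mirrored the secrets) to check a live cluster. An empty list means all three secrets are present.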

Deploy the Advanced Cluster Security Secured Cluster Services Policy

  1. In the Advanced Cluster Management web console, select Governance > Create Policy.
  2. In the YAML editor, paste the full contents of the Secured Cluster server policy located in the following policy-collection community: Advanced Cluster Security Secured Clusters policy.
  3. Update the Namespace field so this policy is created in the desired namespace.

This policy is distributed to all managed clusters that have the vendor=OpenShift tag by default. Note: Do not create policies in the managed cluster namespaces.

The remaining settings can be used as-is, but you should review the contents of this policy since it creates a SecuredCluster custom resource with default settings that you may want to customize in the YAML editor.

  4. After you're satisfied with the contents of the policy, select Create to apply the policy. Wait a few minutes for the policy to become Compliant.

Validation

Wait a few minutes for the Advanced Cluster Security operators to act on all the SecuredCluster resources. Log back in to the Advanced Cluster Security web console, and select Platform Configuration > Clusters. You should see your secured clusters!

Note that all the cluster names match the Advanced Cluster Management managed cluster names. Run the following command to list your Advanced Cluster Management managed clusters and verify that the names match:

oc get managedclusters
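Comparing the two lists by hand works for a handful of clusters; for a fleet it helps to script it. The following Python script is an added example, not code from the original post or the advanced-cluster-security repository. It parses the oc get managedclusters table, parses the cluster list from the Central server, and reports the two mismatches worth acting on: managed clusters that have no Secured Cluster Services yet, and clusters Central still knows about that Advanced Cluster Management no longer manages (the case described in the conclusion, where removing a cluster from RHACM does not remove it from RHACS). Assumptions for this example: Central's GET /v1/clusters endpoint returning {"clusters": [{"id": ..., "name": ...}]}, a ROX_ENDPOINT variable holding the central route's host:port alongside the ROX_API_TOKEN created earlier, and the constructed sample data.

```python
"""Added example: compare RHACM managed cluster names with the clusters
registered in the RHACS Central server."""
import json
import os
import subprocess
import urllib.request


def parse_managed_clusters(oc_output):
    """Return the NAME column of `oc get managedclusters` as a set."""
    names = set()
    for line in oc_output.splitlines()[1:]:  # skip the header row
        if line.strip():
            names.add(line.split()[0])
    return names


def parse_central_clusters(body):
    """Parse Central's cluster list. Assumed response shape of
    GET /v1/clusters: {"clusters": [{"id": ..., "name": ...}, ...]}."""
    return {c["name"] for c in json.loads(body).get("clusters", [])}


def compare_clusters(managed, secured):
    """Managed clusters with no Secured Cluster Services, and clusters
    Central knows about that ACM no longer manages (both sorted lists)."""
    return {
        "not_secured": sorted(managed - secured),
        "unknown_to_acm": sorted(secured - managed),
    }


def fetch_central_clusters(endpoint, token):
    """GET /v1/clusters from Central with the API token as a bearer token.
    endpoint is host:port of the central route (assumption for this example)."""
    req = urllib.request.Request(
        f"https://{endpoint}/v1/clusters",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


# Constructed samples: dev-west is managed but not yet secured, and
# staging was removed from ACM but is still registered in Central.
SAMPLE_OC_OUTPUT = """NAME            HUB ACCEPTED   MANAGED CLUSTER URLS                     JOINED   AVAILABLE   AGE
local-cluster   true           https://api.hub.example.com:6443         True     True        30d
prod-east       true           https://api.prod-east.example.com:6443   True     True        12d
dev-west        true           https://api.dev-west.example.com:6443    True     True        1h
"""
SAMPLE_CENTRAL_JSON = json.dumps({"clusters": [
    {"id": "c1", "name": "local-cluster"},
    {"id": "c2", "name": "prod-east"},
    {"id": "c3", "name": "staging"},
]})

if __name__ == "__main__":
    endpoint = os.environ.get("ROX_ENDPOINT")
    token = os.environ.get("ROX_API_TOKEN")
    if endpoint and token:
        # Live mode: read both sources from the hub cluster and Central.
        oc = subprocess.run(["oc", "get", "managedclusters"],
                            capture_output=True, text=True, check=True).stdout
        central = fetch_central_clusters(endpoint, token)
    else:
        # Offline mode: use the constructed samples above.
        oc, central = SAMPLE_OC_OUTPUT, SAMPLE_CENTRAL_JSON
    report = compare_clusters(parse_managed_clusters(oc),
                              parse_central_clusters(central))
    print(json.dumps(report, indent=2))
```

With ROX_ENDPOINT and ROX_API_TOKEN set, the script queries the live systems; otherwise it runs against the samples. If the central route uses a self-signed certificate, urlopen will reject it until you add that CA to the system trust store; that is the intended behaviour, since an API token should only be sent to a server whose identity you have verified. An empty not_secured list after the Secured Cluster Services policy becomes Compliant confirms that every managed cluster was picked up under its Advanced Cluster Management name.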

You can also view the clusters in the Advanced Cluster Management web console.

Conclusion

This post has described one way that Advanced Cluster Management and Advanced Cluster Security are better together. A few things to keep in mind about this integration:

  • If a cluster is removed from management in Advanced Cluster Management, it does not remove the cluster from management in Advanced Cluster Security.

  • When a new init bundle must be deployed, the secrets are automatically propagated to each managed cluster, but you may need to delete the Advanced Cluster Security pods for the Secured Cluster services to begin using the new certificates.

Now your deployment of Advanced Cluster Security is automatically handled within your Advanced Cluster Management installation. Be sure to log in to your Advanced Cluster Security Central server and see all your clusters that are attached and named after your Advanced Cluster Management managed cluster names. Add a new managed cluster, and watch that cluster automatically appear in Advanced Cluster Security. No extra effort required!