

Add logic to ACS policy set to replace the init-bundle when the Certi…
…ficatePolicy is in NotCompliant state

Signed-off-by: Brian Jarvis <[email protected]>
(cherry picked from commit 6790c95)
brian-jarvis authored and magic-mirror-bot[bot] committed Dec 18, 2023
1 parent 11d811b commit 967fdec
Showing 5 changed files with 163 additions and 78 deletions.
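--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: sensor-tls
+namespace: stackrox
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: collector-tls
+namespace: stackrox
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: admission-control-tls
+namespace: stackrox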
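Review bot: The file holds only the names of the three TLS secrets, with no data and no comment, so read on its own it looks like a template that creates empty Secrets; the policy set changed in the same commit appears to apply it under `complianceType: mustnothave`, i.e. it deletes them. A header comment would stop a future reader from "fixing" it: `# Deleted (mustnothave) by policy-acs-central-ca-bundle-expired while the ACS certificates are NonCompliant, so the init-bundle Job regenerates them.` The path of this file is not visible on the page, so confirm it is the one listed as input-sensor/policy-acs-central-ca-bundle-expired.yaml before wording the comment that way.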
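--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,6 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: create-cluster-init-bundle
+namespace: stackrox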
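--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,110 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+annotations:
+argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+argocd.argoproj.io/sync-wave: "2"
+name: create-cluster-init-bundle-v2
+namespace: stackrox
+labels:
+init-bundle: central
+spec:
+template:
+metadata:
+annotations:
+argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+labels:
+init-bundle: central
+spec:
+containers:
+- command:
+- /bin/bash
+- -c
+- |
+#!/usr/bin/env bash
+if kubectl get secret/sensor-tls &> /dev/null; then
+echo "cluster-init bundle has already been configured, doing nothing"
+exit 0
+else
+# Wait for central to be ready
+attempt_counter=0
+max_attempts=20
+echo "Waiting for central to be available..."
+until $(curl -k --output /dev/null --silent --head --fail https://central); do
+if [ ${attempt_counter} -eq ${max_attempts} ];then
+echo "Max attempts reached"
+exit 1
+fi
+printf '.'
+attempt_counter=$(($attempt_counter+1))
+echo "Made attempt $attempt_counter, waiting..."
+sleep 5
+done
+# attempt to create init-bundle
+# on failure attempt to delete the bundle
+attempt_counter=0
+max_attempts=5
+echo "Configuring cluster-init bundle"
+# set the bundle name to include todays date
+bundle_name=local-cluster-$(date '+%Y%m%d')
+export DATA={\"name\":\"$bundle_name\"}
+until (curl -k -o /tmp/bundle.json -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data $DATA --fail https://central/v1/cluster-init/init-bundles); do
+if [ ${attempt_counter} -eq ${max_attempts} ];then
+echo "Max attempts to create bundle reached"
+exit 1
+fi
+echo "Check to see if there is an existing bundle that can be revoked"
+curl -o /tmp/find_bundle.json -k -X GET -u "admin:$PASSWORD" -H "Content-Type: application/json" https://central/v1/cluster-init/init-bundles
+bundle_id=$(cat /tmp/find_bundle.json | python -c "import sys, json; result = [x for x in json.load(sys.stdin)[\"items\"] if x[\"name\"]==\"$bundle_name\"]; print(result[0][\"id\"])")
+echo "-------------------------"
+echo "bundle name is $bundle_name bundle id $bundle_id"
+echo "-------------------------"
+if [ "${bundle_id}" != "" ];then
+echo "executing revoke command"
+export REVOKE="{\"ids\":[\"$bundle_id\"],\"confirmImpactedClustersIds\":[]}"
+curl -k -X PATCH -u "admin:$PASSWORD" -H "Content-Type: application/json" --data $REVOKE https://central/v1/cluster-init/init-bundles/revoke
+fi
+printf '.'
+attempt_counter=$(($attempt_counter+1))
+echo "Made create bundle attempt $attempt_counter, waiting..."
+sleep 5
+done
+echo "Bundle received"
+if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+BASE='base64 -w 0'
+elif [[ "$OSTYPE" == "darwin"* ]]; then
+BASE='base64'
+fi
+echo "Applying bundle"
+# No jq in container, python to the rescue
+cat /tmp/bundle.json | python3 -c "import sys, json; print(json.load(sys.stdin)['kubectlBundle'])" | ${BASE} -d | oc apply -f -
+ACS_HOST="$(oc get route central -o custom-columns=HOST:.spec.host --no-headers):443"
+oc patch secret sensor-tls --type='json' -p="[{\"op\" : \"add\", \"path\" : \"/data/acs-host\", \"value\" : \"$(echo $ACS_HOST | ${BASE})\"}]"
+echo "ACS Cluster init bundle generated and applied"
+fi
+env:
+- name: PASSWORD
+valueFrom:
+secretKeyRef:
+key: password
+name: central-htpasswd
+image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
+imagePullPolicy: Always
+name: create-cluster-init-bundle
+dnsPolicy: ClusterFirst
+restartPolicy: Never
+serviceAccount: create-cluster-init
+serviceAccountName: create-cluster-init
+terminationGracePeriodSeconds: 30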
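Review bot: The bundle lookup on the `bundle_id=$(cat /tmp/find_bundle.json | python -c ...)` line calls `python`, while the apply step a few lines later keeps the original script's `python3`; if the openshift/cli image ships only `python3`, the lookup fails, `bundle_id` stays empty, the revoke branch is never taken and every retry hits the same name conflict until `max_attempts` is exhausted. Use `python3` on that line as well, and consider guarding the `result[0]` index so an empty match prints nothing instead of a traceback. Separately, the revoke path only covers a bundle named exactly `local-cluster-<today>`, so a bundle created on an earlier day, or the v1 `local-cluster` bundle, is never revoked when its secrets are replaced and remains a valid cluster credential in Central; I cannot tell from the page whether Central expires those on its own, so either confirm that or extend the lookup to revoke the previously used bundle too. The unquoted `--data $DATA` and `--data $REVOKE` work only because neither JSON body contains spaces; quoting them (`--data "$DATA"`) makes that explicit.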
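--- a/PATH_NOT_SHOWN_4
+++ b/PATH_NOT_SHOWN_4
@@ -62,79 +62,3 @@ subjects:
 - kind: ServiceAccount
 name: create-cluster-init
 namespace: stackrox
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-annotations:
-argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-argocd.argoproj.io/sync-wave: "2"
-name: create-cluster-init-bundle
-namespace: stackrox
-spec:
-template:
-metadata:
-annotations:
-argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-containers:
-- command:
-- /bin/bash
-- -c
-- |
-#!/usr/bin/env bash
-if kubectl get secret/sensor-tls &> /dev/null; then
-echo "cluster-init bundle has already been configured, doing nothing"
-exit 0
-else
-# Wait for central to be ready
-attempt_counter=0
-max_attempts=20
-echo "Waiting for central to be available..."
-until $(curl -k --output /dev/null --silent --head --fail https://central); do
-if [ ${attempt_counter} -eq ${max_attempts} ];then
-echo "Max attempts reached"
-exit 1
-fi
-printf '.'
-attempt_counter=$(($attempt_counter+1))
-echo "Made attempt $attempt_counter, waiting..."
-sleep 5
-done
-echo "Configuring cluster-init bundle"
-export DATA={\"name\":\"local-cluster\"}
-curl -k -o /tmp/bundle.json -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data $DATA https://central/v1/cluster-init/init-bundles
-echo "Bundle received"
-if [[ "$OSTYPE" == "linux-gnu"* ]]; then
-BASE='base64 -w 0'
-elif [[ "$OSTYPE" == "darwin"* ]]; then
-BASE='base64'
-fi
-echo "Applying bundle"
-# No jq in container, python to the rescue
-cat /tmp/bundle.json | python3 -c "import sys, json; print(json.load(sys.stdin)['kubectlBundle'])" | ${BASE} -d | oc apply -f -
-ACS_HOST="$(oc get route central -o custom-columns=HOST:.spec.host --no-headers):443"
-oc patch secret sensor-tls --type='json' -p="[{\"op\" : \"add\", \"path\" : \"/data/acs-host\", \"value\" : \"$(echo $ACS_HOST | ${BASE})\"}]"
-echo "ACS Cluster init bundle generated and applied"
-fi
-env:
-- name: PASSWORD
-valueFrom:
-secretKeyRef:
-key: password
-name: central-htpasswd
-image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
-imagePullPolicy: Always
-name: create-cluster-init-bundle
-dnsPolicy: ClusterFirst
-restartPolicy: Never
-serviceAccount: create-cluster-init
-serviceAccountName: create-cluster-init
-terminationGracePeriodSeconds: 30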
Expand Up @@ -38,31 +38,58 @@ policies:
- name: policy-acs-central-ca-bundle
categories:
- SI System and Information Integrity
consolidateManifests: false
controls:
- SI-5 Security Alerts Advisories and Directives
dependencies:
- name: policy-acs-central-status
manifests:
- path: input-sensor/policy-acs-central-ca-bundle.yaml
- path: input-sensor/policy-acs-central-ca-bundle-v2.yaml
- path: input-sensor/policy-acs-central-ca-bundle-v1.yaml
complianceType: mustnothave
- name: policy-acs-sync-resources
categories:
- SI System and Information Integrity
consolidateManifests: false
controls:
- SI-5 Security Alerts Advisories and Directives
dependencies:
- name: policy-acs-central-status
- name: policy-acs-central-ca-bundle
manifests:
- path: input-sensor/policy-acs-sync-resources.yaml
- name: policy-acs-monitor-certs
categories:
- SC System and Communications Protection
consolidateManifests: false
controls:
- SC-8 Transmission Confidentiality and Integrity
dependencies:
- name: policy-acs-sync-resources
- name: policy-acs-central-ca-bundle
manifests:
- path: input-sensor/acs-check-certificates.yaml
- path: input-sensor/policy-acs-central-ca-bundle-expired.yaml
remediationAction: inform
- name: policy-acs-central-ca-bundle-expired
categories:
- SC System and Communications Protection
consolidateManifests: false
complianceType: mustnothave
controls:
- SC-8 Transmission Confidentiality and Integrity
dependencies:
- name: policy-acs-monitor-certs
compliance: "NonCompliant"
policyAnnotations:
policy.open-cluster-management.io/description: 'Policy will remove expired certificates created by the init-bundle in policy policy-acs-central-ca-bundle so we can create a new init-bundle'
evaluationInterval:
compliant: 1m
noncompliant: 45s
## ignorePending prevents the NotCompliant dependency from causing this policy to always report as pending
ignorePending: true
manifests:
- path: input-sensor/policy-acs-central-ca-bundle-expired.yaml
- path: input-sensor/policy-acs-central-ca-bundle-v2.yaml
- name: policy-advanced-managed-cluster-security
categories:
- SI System and Information Integrity
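Review bot: While policy-acs-monitor-certs is NonCompliant, two policies in this set claim the same Job: policy-acs-central-ca-bundle lists `input-sensor/policy-acs-central-ca-bundle-v2.yaml` under its manifests (musthave, since only the v1 entry carries `complianceType: mustnothave`), and policy-acs-central-ca-bundle-expired lists the same file under a policy-level `complianceType: mustnothave`. Nothing on the page shows the framework serialising the delete and the re-create, so a comment next to the expired policy stating the intended sequence would help: `# While policy-acs-monitor-certs is NonCompliant: delete the init-bundle secrets and the v2 Job; policy-acs-central-ca-bundle then recreates the Job, which generates a fresh bundle.` With `noncompliant: 45s` the expired policy may also re-evaluate after the new Job has written the secrets but before policy-acs-monitor-certs returns to Compliant, which would delete the freshly issued bundle again; confirm how the `compliance: "NonCompliant"` dependency is re-checked, or lengthen that interval. The hunk's enclosing `policies:` list starts and ends outside the hunk.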
