ACSbox installs Red Hat Advanced Cluster Security (RHACS/ACS) on an existing SNObox OpenShift Container Platform cluster. SNObox owns cluster lifecycle and state; this add-on layers ACS resources on top through the same inventory model.
The intended workflow starts from the SNObox repository root:
tools/boxctl install acsbox
tools/boxctl run acsbox --limit <host>boxctl install clones the public add-on repository into SNObox's ignored
local add-on area and copies the inventory overlay:
snobox/
└── addons/
└── acsbox/
├── repo/ # git clone of git@github.com:o1e/acsbox_addon.git
└── inventory/ # local overlay copied from the add-on template
The add-on is EE-first. It is expected to run through the same
ansible-navigator / Ansible Execution Environment workflow used by SNObox, so
OpenShift, Kubernetes, OperatorHub and libvirt-related tooling live in the EE
instead of being installed ad hoc on the controller.
ACSbox uses the Red Hat ACS OperatorHub flow. It is intended for OCP clusters; OKD is handled by ROXbox with the upstream StackRox flow.
The add-on owns:
- RHACS Operator namespace, OperatorGroup and Subscription
stackroxnamespace- RHACS Central admin secret
- RHACS Central custom resource
- optional RHACS SecuredCluster custom resource
- optional RHACS declarative OpenShift OAuth configuration
- optional RHACS Compliance report schedule
SNObox owns:
- VM lifecycle
- OpenShift installation
- OpenShift users, certificates, OperatorHub policy and LVMS setup
- generated kubeconfig and state directories
- A completed SNObox OCP cluster
- RHACS available from the configured OperatorHub catalog
- The SNObox Ansible Execution Environment
- Access to the SNObox kubeconfig at
{{ sno_workdirs.ocp }}/auth/kubeconfig - A default or explicitly configured storage class for RHACS Central DB
The playbook targets the existing SNObox inventory group:
hosts: snoboxIt consumes these SNObox variables:
sno_boxsno_dnssno_workdirssno_tlssno_lvms
ACS-specific configuration is provided through the add-on inventory overlay.
The internal role and variable prefix is acsbox_.
inventory/
├── inventory.yml
└── group_vars/
└── snobox/
├── acsbox.yml
├── acsbox_central.yml
└── acsbox_secured_cluster.yml
Base defaults are in inventory/group_vars/snobox/acsbox.yml:
acsbox_defaults:
admin_password: ChangeMe
operator:
channel: stable
starting_csv: ""
oauth:
enabled: true
compliance_reports:
enabled: true
profiles:
- ocp4-bsi
- ocp4-bsi-node
- ocp4-cis
- ocp4-cis-node
schedule:
interval_type: DAILY
hour: 6
minute: 0Host overrides use acsbox_overrides in the SNObox checkout:
addons/acsbox/inventory/host_vars/<host>/acsbox.yml
Start from the example overlay when a host needs overrides:
mkdir -p addons/acsbox/inventory/host_vars/<host>
cp addons/acsbox/repo/inventory/host_vars/snobox1_example/acsbox.yml \
addons/acsbox/inventory/host_vars/<host>/acsbox.ymlExample:
acsbox_overrides:
central_db_storage_class: lvms-vg-lvmsEnable the Compliance report schedule after RHACS has synced the requested profiles. The add-on installs the OpenShift Compliance Operator automatically when compliance reports are enabled:
acsbox_overrides:
compliance_reports:
enabled: trueInstall a specific RHACS minor version on a fresh lab by selecting the matching OperatorHub channel:
acsbox_overrides:
operator:
channel: rhacs-4.9For an exact CSV pin on a fresh install, add starting_csv:
acsbox_overrides:
operator:
channel: rhacs-4.9
starting_csv: rhacs-operator.v4.9.8install_plan_approval: Automatic approves install plans within the selected
channel. It does not switch a fresh rhacs-4.9 install to stable, but it may
consume newer z-stream updates published to the selected channel.
Central and SecuredCluster resource overrides follow the same pattern:
acsbox_central_overrides:
spec:
scannerV4:
indexer:
scaling:
maxReplicas: 2
acsbox_secured_cluster_overrides:
spec:
sensor:
resources:
requests:
memory: 200Miboxctl is preferred. The equivalent direct command from the SNObox repository
root is:
ANSIBLE_ROLES_PATH="addons/acsbox/repo/roles:${ANSIBLE_ROLES_PATH:-roles}" \
ansible-navigator run addons/acsbox/repo/playbooks/site.yml \
-i inventory/inventory.yml \
-i addons/acsbox/inventory \
--limit <host>For cleanup from the SNObox repository root:
addons/acsbox/repo/tools/delete-acs.shThe script auto-discovers ./state/*/ocp/auth/kubeconfig when exactly one
SNObox kubeconfig exists. Override explicitly when needed:
KUBECONFIG=./state/<cluster>/ocp/auth/kubeconfig \
addons/acsbox/repo/tools/delete-acs.shacsboxacsbox_validateacsbox_operatoracsbox_centralacsbox_securedacsbox_oauthacsbox_compliance_operatoracsbox_compliance_reports
Run checks through the configured Ansible Execution Environment:
make lintFor local development outside snobox/addons/acsbox/repo, point make at the
SNObox checkout:
make lint SNOBOX_ROOT=/path/to/snobox