Skip to content

o1e/acsbox_addon

Repository files navigation

ACSbox Add-on

ACSbox installs Red Hat Advanced Cluster Security (RHACS/ACS) on an existing SNObox OpenShift Container Platform cluster. SNObox owns cluster lifecycle and state; this add-on layers ACS resources on top through the same inventory model.

The intended workflow starts from the SNObox repository root:

tools/boxctl install acsbox
tools/boxctl run acsbox --limit <host>

boxctl install clones the public add-on repository into SNObox's ignored local add-on area and copies the inventory overlay:

snobox/
└── addons/
    └── acsbox/
        ├── repo/       # git clone of git@github.com:o1e/acsbox_addon.git
        └── inventory/  # local overlay copied from the add-on template

The add-on is EE-first. It is expected to run through the same ansible-navigator / Ansible Execution Environment workflow used by SNObox, so OpenShift, Kubernetes, OperatorHub and libvirt-related tooling live in the EE instead of being installed ad hoc on the controller.

What It Installs

ACSbox uses the Red Hat ACS OperatorHub flow. It is intended for OCP clusters; OKD is handled by ROXbox with the upstream StackRox flow.

The add-on owns:

  • RHACS Operator namespace, OperatorGroup and Subscription
  • stackrox namespace
  • RHACS Central admin secret
  • RHACS Central custom resource
  • optional RHACS SecuredCluster custom resource
  • optional RHACS declarative OpenShift OAuth configuration
  • optional RHACS Compliance report schedule

SNObox owns:

  • VM lifecycle
  • OpenShift installation
  • OpenShift users, certificates, OperatorHub policy and LVMS setup
  • generated kubeconfig and state directories

Prerequisites

  • A completed SNObox OCP cluster
  • RHACS available from the configured OperatorHub catalog
  • The SNObox Ansible Execution Environment
  • Access to the SNObox kubeconfig at {{ sno_workdirs.ocp }}/auth/kubeconfig
  • A default or explicitly configured storage class for RHACS Central DB

Inventory Contract

The playbook targets the existing SNObox inventory group:

hosts: snobox

It consumes these SNObox variables:

  • sno_box
  • sno_dns
  • sno_workdirs
  • sno_tls
  • sno_lvms

ACS-specific configuration is provided through the add-on inventory overlay. The internal role and variable prefix is acsbox_.

inventory/
├── inventory.yml
└── group_vars/
    └── snobox/
        ├── acsbox.yml
        ├── acsbox_central.yml
        └── acsbox_secured_cluster.yml

Base defaults are in inventory/group_vars/snobox/acsbox.yml:

acsbox_defaults:
  admin_password: ChangeMe
  operator:
    channel: stable
    starting_csv: ""
  oauth:
    enabled: true
  compliance_reports:
    enabled: true
    profiles:
      - ocp4-bsi
      - ocp4-bsi-node
      - ocp4-cis
      - ocp4-cis-node
    schedule:
      interval_type: DAILY
      hour: 6
      minute: 0

Host overrides use acsbox_overrides in the SNObox checkout:

addons/acsbox/inventory/host_vars/<host>/acsbox.yml

Start from the example overlay when a host needs overrides:

mkdir -p addons/acsbox/inventory/host_vars/<host>
cp addons/acsbox/repo/inventory/host_vars/snobox1_example/acsbox.yml \
  addons/acsbox/inventory/host_vars/<host>/acsbox.yml

Example:

acsbox_overrides:
  central_db_storage_class: lvms-vg-lvms

Enable the Compliance report schedule after RHACS has synced the requested profiles. The add-on installs the OpenShift Compliance Operator automatically when compliance reports are enabled:

acsbox_overrides:
  compliance_reports:
    enabled: true

Install a specific RHACS minor version on a fresh lab by selecting the matching OperatorHub channel:

acsbox_overrides:
  operator:
    channel: rhacs-4.9

For an exact CSV pin on a fresh install, add starting_csv:

acsbox_overrides:
  operator:
    channel: rhacs-4.9
    starting_csv: rhacs-operator.v4.9.8

install_plan_approval: Automatic approves install plans within the selected channel. It does not switch a fresh rhacs-4.9 install to stable, but it may consume newer z-stream updates published to the selected channel.

Central and SecuredCluster resource overrides follow the same pattern:

acsbox_central_overrides:
  spec:
    scannerV4:
      indexer:
        scaling:
          maxReplicas: 2

acsbox_secured_cluster_overrides:
  spec:
    sensor:
      resources:
        requests:
          memory: 200Mi

Direct Ansible Run

boxctl is preferred. The equivalent direct command from the SNObox repository root is:

ANSIBLE_ROLES_PATH="addons/acsbox/repo/roles:${ANSIBLE_ROLES_PATH:-roles}" \
ansible-navigator run addons/acsbox/repo/playbooks/site.yml \
  -i inventory/inventory.yml \
  -i addons/acsbox/inventory \
  --limit <host>

Cleanup

For cleanup from the SNObox repository root:

addons/acsbox/repo/tools/delete-acs.sh

The script auto-discovers ./state/*/ocp/auth/kubeconfig when exactly one SNObox kubeconfig exists. Override explicitly when needed:

KUBECONFIG=./state/<cluster>/ocp/auth/kubeconfig \
  addons/acsbox/repo/tools/delete-acs.sh

Tags

  • acsbox
  • acsbox_validate
  • acsbox_operator
  • acsbox_central
  • acsbox_secured
  • acsbox_oauth
  • acsbox_compliance_operator
  • acsbox_compliance_reports

Validation

Run checks through the configured Ansible Execution Environment:

make lint

For local development outside snobox/addons/acsbox/repo, point make at the SNObox checkout:

make lint SNOBOX_ROOT=/path/to/snobox

About

ACSbox installs Red Hat Advanced Cluster Security (RHACS/ACS) on an existing SNObox OpenShift Container Platform cluster.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors