This repository provides a GitOps-based deployment for Red Hat Advanced Cluster Security (RHACS) using Argo CD. It can be used for both testing in a lab environment and for existing ACM deployments with managed clusters. The repository deploys several critical components to the hub cluster and uses ACM Policy Sets to distribute security policies to all managed OpenShift clusters.
- OpenShift GitOps Operator has been installed
- ArgoCD ServiceAccount
openshift-gitops-argocd-application-controllerhasClusterRoleofcluster-adminoc adm policy add-cluster-role-to-user cluster-admin -z openshift-gitops-argocd-application-controller -n openshift-gitops
- Infra node labels for RHACS-Central
oc label node <node_name> node-role.kubernetes.io/infra=""
- Namespace
rhacm-hubexistsoc new-project rhacm-hub
- Managed Cluster(s) have a label of
spoke-gitops=true - Prior to applying the PolicySet, perform these steps:
- OpenShift GitOps must be configured to provide the
--enable-alpha-pluginsflag when you run Kustomize. Run the following command to configure OpenShift GitOps:oc -n openshift-gitops patch argocd openshift-gitops --type merge --patch "$(curl https://raw.githubusercontent.com/turbra/acm-lab/refs/heads/main/clusters/live/lab/rhacs-policies/patch/argocd-patch.yaml)"
- OpenShift GitOps must be configured to provide the
The Argo CD ApplicationSet in this repository generates Applications that deploy the following resources on the hub cluster:
-
rhacs-operator:
The ACS operator is deployed in the hub cluster to manage and coordinate the security components. -
rhacs-central:
This component installs the central services (for example, the central console, API, and related resources) that are part of the ACS solution. -
rhacs-secured-cluster:
This resource is used to register and secure the hub cluster as a managed cluster, enabling centralized compliance and security policy enforcement. -
ACM Policy Sets (2x):
- acs-sensors-hub-info – Configures Advanced Cluster Security components that are used to set up the hub for securing each managed cluster.
- acs-sensor-clusters – Distributes ACS components to all OpenShift managed clusters to ensure cluster security.
-
Argo CD ApplicationSet:
- An ApplicationSet monitors the Git repository and generates individual Argo CD Applications based on the defined folder structure.
- This ensures that each component is deployed in the correct namespace on the hub cluster.
-
GitOps Pipeline:
- The repository uses a combination of Kustomize and the PolicyGenerator plugin to assemble and generate the final manifests.
-
Policy Generation and Distribution:
- A PolicyGenerator configuration processes raw policy definitions (manifests) and wraps them into ACM‑compatible Policy Custom Resources.
- Two distinct Policy Sets are defined:
- acs-sensors-hub-info: Targets the hub cluster, ensuring that necessary ACS components are installed and configured to secure managed clusters.
- acs-sensor-clusters: Targets all OpenShift managed clusters (using label selectors) to deploy distributed security policies.
-
ACM and Managed Clusters:
- Once the policies are generated and applied to the hub cluster, ACM uses them to enforce security and compliance on all connected managed clusters.
- Managed clusters are selected based on labels (for example,
spoke-gitops=true) so that policies are distributed accordingly.
-
Lab Testing:
Quickly deploy and test ACS components in a lab environment using GitOps principles. The repository simplifies re-deployment and iterative testing through Argo CD. -
Production ACM Deployment:
In an existing ACM setup, use this repository to deploy and manage ACS components on the hub cluster and propagate security policies to all managed clusters automatically.
- Deployment via Argo CD: An ApplicationSet is used to deploy the RHACS operator, central services, and secured cluster configuration to the hub cluster.
- Policy Sets: Two ACM Policy Sets are generated to:
- Set up the hub for securing managed clusters.
- Distribute ACS security policies to all OpenShift managed clusters.
- GitOps Driven: Changes to policy definitions and configurations in Git are automatically propagated to the clusters, ensuring consistency and compliance.
This setup provides a robust, GitOps-based workflow for deploying and managing Advanced Cluster Security with ACM, whether you’re running a lab environment or a full production deployment.
Below is an example ApplicationSet that generates Applications from the repository. This ApplicationSet scans all subdirectories under clusters/live/lab/ (excluding others that are not needed), and deploys them into namespaces named after their folder:
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: cluster-configs
namespace: openshift-gitops
spec:
goTemplate: true
goTemplateOptions: ["missingkey=error"]
generators:
- git:
repoURL: https://github.com/turbra/acm-lab.git
revision: main
directories:
- path: clusters/live/lab/*
template:
metadata:
name: '{{.path.basename}}'
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://github.com/turbra/acm-lab.git
targetRevision: main
path: '{{.path.path}}'
destination:
server: https://kubernetes.default.svc
namespace: '{{.path.basename}}'
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
jsonPointers:
- /webhooks/0/clientConfig/caBundle
syncPolicy:
automated:
prune: true
allowEmpty: true