Security is becoming a bigger concern in the market, especially in the container-native space, where experience and best practices are lacking. Further, the acquisition of StackRox by Red Hat was highly touted and is an integral part of the OpenShift Plus offering as Advanced Cluster Security for Kubernetes (ACS). Ansible automation support would be desirable, if not strategic.
Proposed Solution
Create the means to automate the management and workflow of StackRox/ACS container security operations in Ansible, analogous to roxctl, the StackRox CLI.
Requirements
This collection should provide an Ansible-native equivalent of roxctl, the StackRox CLI. The roxctl commands to cover include:
- central backup
- central db restore
- sensor generate k8s|openshift
- sensor get-bundle
- cluster delete
- deployment check
- image check
- image scan
- central debug log
- central debug dump
This collection should have authentication options built into its interface in a way that can be used by the AAP controller.
This collection should include documentation for viewing logs using the k8s_log module.
User Experience
This solution should conform to standard recommended Ansible practices. It should reduce the knowledge and time needed to automate these use cases by abstracting implementation details and error handling, and by avoiding programming constructs at the play level in favour of a concise, declarative interface. It should provide user conveniences such as reasonable parameter defaults and support for module defaults. The solution should also integrate with the Ansible Automation Platform (AAP) controller services, such as its integrated credential management.
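To make the Requirements and User Experience sections concrete, here is an added illustration (not part of this proposal, and not an existing collection) of what a play against such a collection could look like. The namespace stackrox.acs and the modules image_check and central_backup are hypothetical names; kubernetes.core.k8s_log and the env lookup are real, and ROX_ENDPOINT / ROX_API_TOKEN are the environment variables roxctl itself reads, which an AAP custom credential type can inject so no secret is written in the play.

```yaml
# Added example: hypothetical stackrox.acs collection; real kubernetes.core.k8s_log.
- name: Check an image against ACS policies, back up Central, read Central logs
  hosts: localhost
  gather_facts: false
  module_defaults:
    # Connection settings shared by every task; values come from the controller
    # credential (environment variables), never from the playbook itself.
    stackrox.acs.image_check:           # hypothetical module
      endpoint: "{{ lookup('env', 'ROX_ENDPOINT') }}"
      api_token: "{{ lookup('env', 'ROX_API_TOKEN') }}"
    stackrox.acs.central_backup:        # hypothetical module
      endpoint: "{{ lookup('env', 'ROX_ENDPOINT') }}"
      api_token: "{{ lookup('env', 'ROX_API_TOKEN') }}"
  tasks:
    - name: Fail the play if the image violates an enforced build-time policy
      stackrox.acs.image_check:
        image: quay.io/example/app:1.2.3        # constructed sample image reference
      register: check

    - name: Report policy violations found during the check
      ansible.builtin.debug:
        var: check.violations
      when: check.violations | default([]) | length > 0

    - name: Back up the Central database (equivalent of "roxctl central backup")
      stackrox.acs.central_backup:
        dest: /var/backups/acs/central-backup.zip   # assumed local destination

    - name: Read Central logs without roxctl, via the real k8s_log module
      kubernetes.core.k8s_log:
        namespace: stackrox             # assumed: default StackRox namespace
        label_selectors:
          - app=central                 # assumed: label on the Central pod
        container: central
      register: central_log

    - name: Show the last Central log lines
      ansible.builtin.debug:
        msg: "{{ central_log.log_lines[-20:] }}"
```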
Documentation
The integrations and functionality described will require new documentation for each piece of content.
Use Cases
- Backup and Restore of the Central Database
- Generating Sensor Deployment files for K8s and OCP
- Downloading Sensor bundle for existing clusters
- Deleting cluster integration
- Checking policy compliance of deployment YAML files, images and image scan results
- Managing StackRox log levels
- Producing StackRox debugging dumps