A demonstration showcasing GitOps policy-as-code approaches with Red Hat Advanced Cluster Security for Kubernetes (ACS) and Ansible.
1. Fork this repo to your own account.
2. Create a new 'StackRox API integration' admin token in Red Hat Advanced Cluster Security for Kubernetes (ACS) and copy the value.
3. Update the Ansible `vault.yml` to reference your ACS cluster and the API token:

   ```yaml
   vaulted_acs_host: central-acs-central.apps.cluster.example.com:443
   vaulted_acs_token: your-acs-admin-token
   ```

4. Create the components in Ansible Automation Platform required to orchestrate policy updates:
   - Create a new project, and replace the URL with your forked copy of this repo. Ensure that the following options are checked:
     - Discard local changes before syncing
     - Delete the project before syncing
     - Update revision on job launch
   - Create a new Vault credential.
   - Create an inventory for Localhost, with a host for 127.0.0.1. Ensure that the `ansible_connection: local` variable is specified for the host.
   - Create a new template in Ansible, specifying the following:
     - Inventory: Localhost (from above)
     - Project: ACS Policy as Code source (from above)
     - Playbook: `playbooks/update.yml`
     - Credentials: Vault (from above)
   - Select 'Enable Webhook' and save the template. A new webhook token will be provided once the template is saved.
5. Navigate to Settings in your forked repo and select Webhooks. Select Add webhook and configure a new webhook using the Ansible webhook endpoint.
6. Find a policy in ACS, such as Curl in Image. Verify that the policy is currently disabled.
7. Find the corresponding JSON file, in this case `Curl in Image.json`. Update the `disabled` attribute to `false`.
8. Commit and push the change to your repo, and verify that the Ansible automation jobs start.
9. Once the Ansible automation jobs complete, verify that the policy is now Enabled.
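What the webhook-triggered job does with the committed JSON, written out as an added example playbook (not this repository's own `playbooks/update.yml`): it loads every policy export from Git, pushes each to ACS through the StackRox `PUT /v1/policies/{id}` endpoint using the vaulted token, then reads each policy back and fails the job if ACS differs from what Git says. The `policies/` directory, the repo-root `vault.yml` path and the presence of an `id` field in each exported policy are assumptions.

```yaml
---
# Added example, not this repository's playbooks/update.yml. Assumed layout:
# vault.yml in the repo root and policy JSON exports (carrying ACS "id") under policies/.
- name: Reconcile ACS policies from the Git working copy
  hosts: localhost
  gather_facts: false
  vars_files:
    - "{{ playbook_dir }}/../vault.yml"
  vars:
    acs_api: "https://{{ vaulted_acs_host }}/v1/policies"
  tasks:
    - name: Find the policy definitions committed to the repo
      ansible.builtin.find:
        paths: "{{ playbook_dir }}/../policies"
        patterns: "*.json"
      register: policy_files
    - name: Load each policy file as the desired state
      ansible.builtin.set_fact:
        desired_policies: "{{ desired_policies | default([]) + [lookup('file', item.path) | from_json] }}"
      loop: "{{ policy_files.files }}"
      loop_control:
        label: "{{ item.path | basename }}"
    - name: Push each policy to ACS (PUT /v1/policies/{id})
      ansible.builtin.uri:
        url: "{{ acs_api }}/{{ item.id }}"
        method: PUT
        headers:
          Authorization: "Bearer {{ vaulted_acs_token }}"
        body: "{{ item }}"
        body_format: json
      loop: "{{ desired_policies }}"
      loop_control:
        label: "{{ item.name }} (disabled={{ item.disabled }})"
      no_log: true   # keep the bearer token out of job output
    - name: Read each policy back from ACS
      ansible.builtin.uri:
        url: "{{ acs_api }}/{{ item.id }}"
        headers:
          Authorization: "Bearer {{ vaulted_acs_token }}"
        return_content: true
      loop: "{{ desired_policies }}"
      register: readback
      no_log: true
    - name: Fail the job if ACS does not match what Git says
      ansible.builtin.assert:
        that: item.json.disabled == item.item.disabled
        fail_msg: "{{ item.item.name }}: ACS state differs from the committed JSON"
      loop: "{{ readback.results }}"
```

Flipping `disabled` to `false` in `Curl in Image.json` and pushing, as in the steps above, makes the PUT enable the policy and the final assertion confirms it, so a failed job is the signal that ACS and Git have drifted apart.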