├── .editorconfig
├── .github
    └── workflows
    │   └── docs.yml
├── .gitignore
├── .nvmrc
├── Dockerfile
├── LICENSE
├── README.adoc
├── apps
    └── app1
    │   └── run.sh
├── dev-site.yml
├── documentation
    ├── antora.yml
    └── modules
    │   └── ROOT
    │       ├── assets
    │           └── images
    │           │   ├── acs-logo.svg
    │           │   ├── acs_features.png
    │           │   ├── architecture_acs.png
    │           │   ├── cicd
    │           │       ├── 00-acs_cicd_overview.png
    │           │       └── 01-devsecops_pipeline.png
    │           │   ├── cli
    │           │       └── roxctl1.png
    │           │   ├── compliance
    │           │       ├── 00_compliance_dash.png
    │           │       ├── 00_compliance_pci.png
    │           │       ├── 00_compliance_pci2.png
    │           │       ├── 01_compliance_scan.png
    │           │       ├── 02_compliance_result.png
    │           │       ├── 03_compliance_operator_in_acs.png
    │           │       ├── 04_co_acs_detail.png
    │           │       ├── 05_nist0.png
    │           │       ├── 06_nist1.png
    │           │       └── 07_nist2.png
    │           │   ├── configmgmt
    │           │       ├── 01-config.png
    │           │       ├── 02-config.png
    │           │       ├── 03-config.png
    │           │       └── 04-config.png
    │           │   ├── dashboard
    │           │       ├── acs_dashboard.png
    │           │       ├── acs_dashboard_header.png
    │           │       ├── acs_dashboard_information.png
    │           │       └── acs_dashboard_menu.png
    │           │   ├── install
    │           │       ├── 00_operator_hub.png
    │           │       ├── 01_select_acs_operator.png
    │           │       ├── 02_install_acs_operator.png
    │           │       ├── 03_wait_for_completion.png
    │           │       ├── 04_11_create_central_resource.png
    │           │       ├── 04_1_create_central_resource.png
    │           │       ├── 04_22_create_central_resource.png
    │           │       ├── 04_2_create_central_resource.png
    │           │       ├── 04_3_create_central_resource.png
    │           │       ├── 04_operator_installed.png
    │           │       ├── 04_operator_ready.png
    │           │       ├── 05_1_login_password.png
    │           │       ├── 05_2_login.png
    │           │       ├── 06_acs_integrations.png
    │           │       ├── 07_generate_cluster_init_bundle.png
    │           │       ├── 07_generate_cluster_init_bundle_name.png
    │           │       ├── 08_download_cluster_init_bundle_secret.png
    │           │       ├── 09_create_secured_cluster_resource.png
    │           │       ├── 10_create_secured_cluster_resource_yaml.png
    │           │       └── 11_verify_cluster_list.png
    │           │   ├── integrations
    │           │       ├── 00-integrate-acs.png
    │           │       ├── 01-oauth.png
    │           │       ├── 01-sso.png
    │           │       ├── 02-oauth.png
    │           │       ├── 02-sso.png
    │           │       ├── 03-oauth.png
    │           │       ├── 03-registry_ocp_internal.png
    │           │       ├── 03-sso.png
    │           │       ├── 04-integration-slack.png
    │           │       ├── 04-sso.png
    │           │       ├── 04_oauth.png
    │           │       ├── 05-integrations-slack.png
    │           │       ├── 05-oauth.png
    │           │       ├── 05-sso.png
    │           │       ├── 06-integrations-slack.png
    │           │       ├── 06-oauth.png
    │           │       ├── 06-sso.png
    │           │       ├── 07-integrations-slack.png
    │           │       ├── 07-oauth.png
    │           │       ├── 07-sso.png
    │           │       ├── 08-integrations-slack.png
    │           │       ├── 08-oauth.png
    │           │       ├── 08-sso.png
    │           │       ├── 09-integrations-slack.png
    │           │       ├── 09-oauth.png
    │           │       ├── 09-sso.png
    │           │       └── 10-oauth.png
    │           │   ├── kubelogo.png
    │           │   ├── multicluster
    │           │       ├── 01_multi.png
    │           │       ├── 02_multi.png
    │           │       ├── 03_multi.png
    │           │       ├── 04_multi.png
    │           │       ├── 06_multi.png
    │           │       ├── 07_multi.png
    │           │       ├── 08_multi.png
    │           │       └── 0_multi.png
    │           │   ├── network-flow
    │           │       ├── 00-network.png
    │           │       ├── 01-network.png
    │           │       ├── 02-network.png
    │           │       ├── 03-network.png
    │           │       ├── 04-network.png
    │           │       └── 05-network.png
    │           │   ├── policies
    │           │       ├── 00-policies.png
    │           │       ├── 01-policies.png
    │           │       ├── 02-policies.png
    │           │       ├── 03-policies.png
    │           │       └── 04-policies.png
    │           │   ├── risks
    │           │       ├── 01-risks.png
    │           │       ├── 02-risks.png
    │           │       ├── 03-risks.png
    │           │       ├── 04-risks.png
    │           │       ├── 05-risks.png
    │           │       ├── 05_1-risks.png
    │           │       └── 06-risks.png
    │           │   ├── violations
    │           │       ├── 00-test-example.png
    │           │       ├── 01-violations.png
    │           │       ├── 02-violations.png
    │           │       ├── 03-violations.png
    │           │       └── 04-violations.png
    │           │   └── vulnerabilities
    │           │       ├── 01-filter.png
    │           │       ├── 01-inactive.png
    │           │       ├── 02-filter.png
    │           │       ├── 02-inactive.png
    │           │       ├── 02-vuln.png
    │           │       ├── 03-filter.png
    │           │       ├── 03-vuln.png
    │           │       ├── 04-vuln.png
    │           │       ├── 05-vuln.png
    │           │       ├── 06-vuln.png
    │           │       ├── 40_vuln.png
    │           │       ├── active_inactive.png
    │           │       └── top-riskiest-images.png
    │       ├── examples
    │           ├── acs-log4shell-policy.json
    │           ├── co-ns.yaml
    │           ├── co-og.yaml
    │           ├── co-scan.yaml
    │           ├── co-subs.yaml
    │           ├── install-co.sh
    │           ├── log4shell-deployment.yaml
    │           ├── run.sh
    │           ├── sso-instance.yaml
    │           ├── sso-og.yaml
    │           ├── sso-realm.yaml
    │           └── sso-subs.yaml
    │       ├── nav.adoc
    │       ├── pages
    │           ├── 01-setup.adoc
    │           ├── 02-getting_started.adoc
    │           ├── 03-overview-acs.adoc
    │           ├── 04-vulnerabilities.adoc
    │           ├── 05-risk.adoc
    │           ├── 06-network_graph-2.0.adoc
    │           ├── 06-network_graph.adoc
    │           ├── 07-violations.adoc
    │           ├── 08-compliance.adoc
    │           ├── 09-configuration_management.adoc
    │           ├── 10-system_policies.adoc
    │           ├── 11-integrations.adoc
    │           ├── 12-platform_configuration.adoc
    │           ├── 13-cicd.adoc
    │           ├── 14-apicli.adoc
    │           ├── 15-contributors.adoc
    │           ├── _attributes.adoc
    │           └── index.adoc
    │       └── partials
    │           └── exec_pod.adoc
├── gulpfile.babel.js
├── lib
    ├── remote-include-processor.js
    └── tab-block.js
├── package.json
├── site.sh
├── site.yml
├── supplemental-ui
    ├── .nojekyll
    ├── img
    │   └── favicon.ico
    ├── partials
    │   └── footer-nav.hbs
    └── ui.yml
└── vscode-asciidoc-extra.json


/.editorconfig:
--------------------------------------------------------------------------------
1 | root = true
2 | 
3 | [*]
4 | indent_style = space
5 | indent_size = 2
6 | charset = utf-8
7 | trim_trailing_whitespace = false
8 | insert_final_newline = false


--------------------------------------------------------------------------------
/.github/workflows/docs.yml:
--------------------------------------------------------------------------------
 1 | name: docs
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |       - master
 7 | env:
 8 |   SITE_DIR: "gh-pages"
 9 | jobs:
10 |   build_site:
11 |     name: "Build site with Antora"
12 |     runs-on: [ubuntu-latest]
13 |     steps:
14 |       - name: Checkout
15 |         uses: actions/checkout@v2
16 |       - name: "Generate site using antora site action"
17 |         uses: kameshsampath/antora-site-action@master
18 |         with:
19 |           antora_playbook: site.yml
20 |       - name: "Upload generated site"
21 |         uses: actions/upload-artifact@v1.0.0
22 |         with:
23 |           name: site
24 |           path: "${{ github.workspace }}/${{ env.SITE_DIR }}"
25 |   deploy_site:
26 |     runs-on: [ubuntu-latest]
27 |     needs: [build_site]
28 |     name: "Deploy GitHub Pages"
29 |     steps:
30 |       - name: Checkout
31 |         uses: actions/checkout@v2
32 |       - name: Download generated site
33 |         uses: actions/download-artifact@v1
34 |         with:
35 |           name: site
36 |           path: "${{ github.workspace }}/${{ env.SITE_DIR }}"
37 |       - name: Deploy to GitHub Pages
38 |         uses: JamesIves/github-pages-deploy-action@3.2.1
39 |         with:
40 |           # ACCESS_TOKEN: # optional
41 |           GITHUB_TOKEN: "${{ github.token}}"
42 |           FOLDER: "${{ env.SITE_DIR }}"
43 |           BRANCH: "gh-pages"
44 |           COMMIT_MESSAGE: "[CI] Publish Documentation for ${{ github.sha }}"
45 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | target/
 2 | !.mvn/wrapper/maven-wrapper.jar
 3 | audit.log
 4 | .cache/
 5 | *.log
 6 | 
 7 | docs/
 8 | gh-pages/
 9 | dependency-reduced-pom.xml
10 | svm.jar
11 | 
12 | ### STS ###
13 | .apt_generated
14 | .classpath
15 | .factorypath
16 | .project
17 | .settings
18 | .springBeans
19 | 
20 | ### IntelliJ IDEA ###
21 | .idea
22 | *.iws
23 | *.iml
24 | *.ipr
25 | 
26 | ### NetBeans ###
27 | nbproject/private/
28 | build/
29 | nbbuild/
30 | dist/
31 | nbdist/
32 | .nb-gradle/
33 | 
34 | .DS_Store
35 | .vscode
36 | istio-1.1.1
37 | firebase*
38 | yarn*
39 | package*
40 | !package.json
41 | node_modules
42 | .firebaserc
43 | .firebase
44 | 


--------------------------------------------------------------------------------
/.nvmrc:
--------------------------------------------------------------------------------
1 | 12


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM docker.io/antora/antora as builder
 2 | 
 3 | ADD . /antora/
 4 | 
 5 | RUN antora generate --stacktrace site.yml
 6 | 
 7 | FROM registry.access.redhat.com/rhscl/httpd-24-rhel7
 8 | 
 9 | COPY --from=builder /antora/gh-pages/ /var/www/html/
10 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "{}"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright {yyyy} {name of copyright owner}
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/README.adoc:
--------------------------------------------------------------------------------
1 | # Advanced Cluster Security for Kubernetes Workshop
2 | 
3 | This is the repository for the ACS Workshop available in https://redhat-scholars.github.io/acs-workshop/[ACS Workshop Guide].
4 | 


--------------------------------------------------------------------------------
/apps/app1/run.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | echo "Hello World"


--------------------------------------------------------------------------------
/dev-site.yml:
--------------------------------------------------------------------------------
 1 | runtime:
 2 |   cache_dir: ./.cache/antora
 3 | 
 4 | site:
 5 |   title: ACS Workshop (Dev Mode)
 6 |   url: http://localhost:3000/rhs-build-course/index.html
 7 |   start_page: acs-workshop::index.adoc
 8 | 
 9 | content:
10 |   sources:
11 |     - url: .
12 |       branches: HEAD
13 |       start_path: documentation
14 | asciidoc:
15 |   attributes:
16 |     title: ACS Workshop (Dev Mode)
17 |   extensions:
18 |     - ./lib/remote-include-processor.js
19 |     - ./lib/tab-block.js
20 | ui:
21 |   bundle:
22 |     url: https://github.com/redhat-scholars/course-ui/releases/download/v0.1.14/ui-bundle.zip
23 |     snapshot: true
24 |   supplemental_files: ./supplemental-ui
25 | output:
26 |   dir: ./gh-pages
27 | 


--------------------------------------------------------------------------------
/documentation/antora.yml:
--------------------------------------------------------------------------------
1 | name: acs-workshop
2 | title: ACS Workshop
3 | version: master
4 | nav:
5 |   - modules/ROOT/nav.adoc
6 | 
7 | start_page: ROOT:index.adoc
8 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/acs-logo.svg:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8" standalone="no"?>
2 | <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
3 | <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" preserveAspectRatio="xMidYMid meet" viewBox="0 0 642 280" width="642" height="280"><defs><path d="M153.45 90.47L161.15 90.47L179.06 134.31L171.92 134.31L166.85 121.47L147.24 121.47L142.11 134.31L135.29 134.31L153.45 90.47ZM164.72 116.02L157.08 96.8L149.44 116.02L164.72 116.02Z" id="ffFGjZwq6"></path><path d="M205.55 131.3C202.81 133.59 199.34 134.83 195.77 134.81C186.74 134.81 179.68 127.58 179.68 118.34C179.68 109.1 186.76 101.93 195.9 101.93C199.36 101.93 202.72 103.04 205.51 105.08C205.51 104.11 205.51 99.24 205.51 90.47L211.77 89.1L211.77 134.31L205.55 134.31C205.55 132.7 205.55 131.7 205.55 131.3ZM205.51 125.55C205.51 124.11 205.51 112.55 205.51 111.1C203.24 108.64 200.03 107.27 196.68 107.35C190.55 107.35 185.84 112.04 185.84 118.3C185.84 124.57 190.52 129.36 196.65 129.36C200.02 129.45 203.26 128.06 205.51 125.55Z" id="e554g3sJuj"></path><path d="M215.62 102.43L222.51 102.43L232.47 126.29L242.42 102.43L249.13 102.43L235.35 134.31L229.4 134.31L215.62 102.43Z" id="b167mnrDp"></path><path d="M264.28 115.46C267.27 115.46 270.23 116.05 272.98 117.21C272.98 116.88 272.98 114.17 272.98 113.83C272.98 109.32 270.29 107.07 265.22 107.07C262.27 107.07 259.27 107.88 255.32 109.76C255.09 109.29 253.24 105.53 253.01 105.06C257.77 102.81 261.9 101.81 266.09 101.81C274.36 101.81 279.12 105.88 279.12 113.2C279.12 114.61 279.12 121.63 279.12 134.28L272.98 134.28C272.98 132.66 272.98 131.75 272.98 131.57C270.18 133.82 266.67 135 263.09 134.89C256.14 134.87 251.38 130.92 251.38 125.16C251.38 119.14 256.26 115.46 264.28 115.46ZM272.94 127.23C272.94 126.67 272.94 122.26 272.94 121.71C270.42 120.37 267.6 119.7 264.74 119.77C260.17 119.77 257.36 121.84 257.36 125.03C257.39 128.11 260.3 130.24 264.51 130.24C267.6 130.33 270.61 129.26 272.94 127.23Z" id="cluGz7CdC"></path><path d="M286.32 102.43L292.58 102.43C292.58 104.35 292.58 105.41 292.58 105.62C295.12 103.1 298.58 101.72 302.16 101.81C309.49 101.81 314.62 106.88 314.62 114.27C314.62 115.61 314.62 122.28 314.62 134.31L308.36 134.31C308.36 122.91 308.36 116.58 308.36 115.32C308.36 110.31 305.29 107.24 300.47 107.24C297.3 107.13 294.3 108.7 292.58 111.37C292.58 112.9 292.58 120.54 292.58 134.29L286.32 134.29L286.32 102.43Z" id="aU6ggiW3t"></path><path d="M349.37 129.54C346.07 132.94 341.53 134.86 336.79 134.87C327.66 134.69 320.4 127.15 320.58 118.02C320.74 109.14 327.91 101.98 336.79 101.81C341.61 101.8 346.23 103.71 349.63 107.13C349.23 107.55 346.08 110.96 345.68 111.39C343.46 108.87 340.27 107.41 336.92 107.38C331.09 107.38 326.58 112.2 326.58 118.34C326.58 124.6 331.15 129.36 337.04 129.36C340.23 129.36 343.05 128.11 345.62 125.47C346.37 126.29 349 129.14 349.37 129.54Z" id="a2WRH1XVFJ"></path><path d="M351.75 118.34C351.75 109.13 358.77 101.93 367.72 101.93C376.49 101.93 383.13 109.19 383.13 118.59C383.13 118.71 383.13 119.31 383.13 120.39C368.02 120.39 359.63 120.39 357.95 120.39C358.76 125.7 363.36 129.6 368.73 129.53C371.66 129.6 374.52 128.61 376.8 126.76C377.2 127.15 380.41 130.31 380.81 130.71C377.32 133.5 372.95 134.98 368.47 134.87C359.08 134.87 351.75 127.64 351.75 118.34ZM376.93 115.71C375.99 110.83 372.23 107.19 367.6 107.19C362.78 107.19 358.95 110.64 358.01 115.71C361.8 115.71 375.04 115.71 376.93 115.71Z" id="cZHbsq3br"></path><path d="M413.62 131.3C410.89 133.59 407.42 134.83 403.85 134.81C394.82 134.81 387.76 127.58 387.76 118.34C387.76 109.1 394.84 101.93 403.98 101.93C407.42 101.93 410.78 103.03 413.56 105.06C413.56 104.09 413.56 99.23 413.56 90.47L419.82 89.1L419.82 134.31L413.62 134.31C413.62 132.7 413.62 131.7 413.62 131.3ZM413.56 125.55C413.56 124.11 413.56 112.55 413.56 111.1C411.29 108.64 408.08 107.27 404.73 107.35C398.6 107.35 393.89 112.04 393.89 118.3C393.89 124.57 398.6 129.36 404.73 129.36C408.09 129.44 411.31 128.05 413.56 125.55Z" id="c59BQl4MQ"></path><path d="M479.69 127.42C475.13 132.25 468.79 134.99 462.15 134.99C449.19 134.99 439.17 125.04 439.17 112.39C439.17 99.74 449.19 89.78 462.15 89.78C469.04 89.78 475.68 92.67 479.81 97.36C479.37 97.81 475.86 101.42 475.42 101.87C472.1 98.02 467.26 95.82 462.18 95.85C452.91 95.85 445.92 102.99 445.92 112.38C445.92 121.77 453 128.91 462.39 128.91C467.37 128.94 472.11 126.8 475.36 123.04C476.23 123.91 479.25 126.98 479.69 127.42Z" id="ic98KlEGv"></path><path d="M491.64 134.31L485.38 134.31L485.38 90.47L491.64 89.1L491.64 134.31Z" id="c3rDYqlC2T"></path><path d="M505.17 121.34C505.17 126.35 508.24 129.48 513.05 129.48C516.23 129.56 519.2 127.96 520.88 125.26C520.88 123.74 520.88 116.11 520.88 102.38L527.15 102.38L527.15 134.26L520.88 134.26C520.88 132.34 520.88 131.27 520.88 131.06C518.35 133.6 514.89 134.98 511.3 134.89C503.98 134.89 498.91 129.75 498.91 122.36C498.91 121.03 498.91 114.39 498.91 102.43L505.17 102.43C505.17 112.52 505.17 118.82 505.17 121.34Z" id="aBGCWvyKO"></path><path d="M534.91 126.04C538.23 128.67 541.73 130.05 545.3 130.05C549.81 130.05 552.94 128.11 552.94 125.29C552.94 123.04 551.32 121.72 547.81 121.22C547.24 121.14 542.65 120.49 542.08 120.4C535.75 119.47 532.56 116.52 532.56 111.58C532.56 105.82 537.57 101.94 545.02 101.94C549.62 101.91 554.11 103.34 557.86 106.01C557.54 106.43 554.98 109.73 554.67 110.14C551.16 107.83 547.96 106.83 544.59 106.83C540.76 106.83 538.2 108.58 538.2 111.15C538.2 113.47 539.7 114.59 543.45 115.15C544.03 115.24 548.64 115.89 549.22 115.97C555.54 116.91 558.85 119.92 558.85 124.86C558.85 130.56 553.09 134.88 545.51 134.88C540 134.88 535.06 133.25 531.55 130.18C532.22 129.35 534.24 126.87 534.91 126.04Z" id="c64YtJA9yC"></path><path d="M567.16 107.69L560.4 107.69L560.4 102.43L567.16 102.43L567.16 94.29L573.36 92.79L573.36 102.42L582.75 102.42L582.75 107.68L573.39 107.68C573.39 118.04 573.39 123.8 573.39 124.95C573.39 128.21 574.7 129.4 578.09 129.4C579.64 129.44 581.19 129.18 582.66 128.65C582.66 129.17 582.66 133.38 582.66 133.9C580.73 134.51 578.73 134.82 576.71 134.84C570.51 134.84 567.19 131.9 567.19 126.41C567.19 123.92 567.18 117.68 567.16 107.69Z" id="cvItR63"></path><path d="M585.25 118.34C585.25 109.13 592.27 101.93 601.23 101.93C609.99 101.93 616.63 109.19 616.63 118.59C616.63 118.71 616.63 119.31 616.63 120.39C601.52 120.39 593.13 120.39 591.45 120.39C592.26 125.7 596.86 129.6 602.23 129.53C605.17 129.58 608.03 128.58 610.31 126.71C610.71 127.11 613.91 130.27 614.31 130.66C610.82 133.48 606.45 134.96 601.97 134.87C592.58 134.87 585.25 127.64 585.25 118.34ZM610.43 115.71C609.49 110.83 605.73 107.19 601.1 107.19C596.27 107.19 592.46 110.64 591.52 115.71C595.3 115.71 608.54 115.71 610.43 115.71Z" id="b19jCMUKZf"></path><path d="M622.58 102.43L628.84 102.43C628.84 104.87 628.84 106.23 628.84 106.5C630.7 103.46 634.04 101.65 637.6 101.75C638.69 101.69 639.78 101.86 640.8 102.25C640.8 102.81 640.8 107.32 640.8 107.88C639.62 107.43 638.37 107.2 637.1 107.19C633.41 107.19 630.48 109.19 628.84 113.02C628.84 114.44 628.84 121.53 628.84 134.31L622.58 134.31L622.58 102.43Z" id="i2fLbStUT"></path><path d="M139.73 187.44C144.49 192.07 149.36 194.32 154.82 194.32C161.15 194.32 165.47 191.31 165.47 187C165.47 183.11 162.96 181.17 156.58 180.11C155.84 179.99 149.98 179.02 149.25 178.9C141.24 177.59 137.29 173.83 137.29 167.51C137.29 159.87 143.67 154.92 153.45 154.92C159.82 154.94 166.02 157.03 171.11 160.87C170.74 161.37 167.85 165.38 167.49 165.88C162.73 162.27 158.03 160.5 153.15 160.5C147.45 160.5 143.63 163.12 143.63 167.01C143.63 170.58 145.82 172.27 151.46 173.21C152.17 173.32 157.84 174.21 158.55 174.32C167.82 175.83 172.01 179.65 172.01 186.47C172.01 194.55 165 199.94 154.55 199.94C147.48 199.93 140.71 197.08 135.76 192.04C136.56 191.12 138.94 188.36 139.73 187.44Z" id="f4HxK07QgS"></path><path d="M176.49 183.37C176.49 174.16 183.5 166.96 192.46 166.96C201.22 166.96 207.86 174.22 207.86 183.61C207.86 183.73 207.86 184.34 207.86 185.42C192.76 185.42 184.37 185.42 182.69 185.42C183.48 190.74 188.09 194.65 193.47 194.57C196.4 194.63 199.26 193.64 201.54 191.78C201.94 192.18 205.14 195.34 205.55 195.73C202.05 198.53 197.68 200 193.21 199.89C183.82 199.89 176.49 192.67 176.49 183.37ZM201.66 180.73C200.72 175.85 196.97 172.22 192.33 172.22C187.51 172.22 183.69 175.67 182.75 180.73C186.53 180.73 199.77 180.73 201.66 180.73Z" id="a3wv4pOVr"></path><path d="M241.48 194.57C238.18 197.97 233.64 199.89 228.9 199.89C219.77 199.72 212.51 192.18 212.69 183.05C212.86 174.16 220.02 167 228.9 166.83C233.72 166.82 238.34 168.74 241.74 172.16C241.34 172.58 238.19 175.99 237.79 176.41C235.57 173.9 232.38 172.44 229.03 172.41C223.2 172.41 218.69 177.22 218.69 183.37C218.69 189.63 223.26 194.38 229.15 194.38C232.34 194.38 235.16 193.13 237.73 190.5C238.48 191.32 241.11 194.16 241.48 194.57Z" id="bPZwqOB6s"></path><path d="M252.7 186.36C252.7 191.37 255.76 194.5 260.58 194.5C263.75 194.59 266.73 192.98 268.41 190.29C268.41 188.76 268.41 181.14 268.41 167.41L274.67 167.41L274.67 199.29L268.41 199.29C268.41 197.37 268.41 196.3 268.41 196.09C265.88 198.63 262.41 200.01 258.83 199.91C251.5 199.91 246.43 194.78 246.43 187.39C246.43 186.06 246.43 179.42 246.43 167.46L252.7 167.46C252.7 177.54 252.7 183.84 252.7 186.36Z" id="a5uzK3FPi"></path><path d="M282.06 167.46L288.32 167.46C288.32 169.9 288.32 171.26 288.32 171.53C290.18 168.49 293.53 166.68 297.09 166.77C298.18 166.72 299.27 166.89 300.29 167.27C300.29 167.84 300.29 172.34 300.29 172.91C299.1 172.46 297.85 172.23 296.59 172.22C292.89 172.22 289.97 174.22 288.32 178.04C288.32 179.46 288.32 186.56 288.32 199.33L282.06 199.33L282.06 167.46Z" id="e1HTUnUNp"></path><path d="M308.42 154.56C308.42 154.56 308.42 154.56 308.42 154.56C310.56 154.48 312.37 156.15 312.45 158.29C312.54 160.43 310.87 162.24 308.73 162.32C308.62 162.33 308.52 162.33 308.42 162.32C306.29 162.31 304.59 160.57 304.6 158.45C304.6 158.44 304.6 158.44 304.6 158.44C304.59 156.31 306.29 154.58 308.42 154.56ZM311.55 199.33L305.29 199.33L305.29 167.46L311.55 167.46L311.55 199.33Z" id="b3GbegyIX4"></path><path d="M323.07 172.72L316.3 172.72L316.3 167.46L323.06 167.46L323.06 159.32L329.25 157.81L329.25 167.45L338.64 167.45L338.64 172.71L329.25 172.71C329.25 183.07 329.25 188.83 329.25 189.98C329.25 193.23 330.57 194.43 333.95 194.43C335.51 194.47 337.06 194.21 338.52 193.67C338.52 194.2 338.52 198.4 338.52 198.93C336.6 199.53 334.59 199.85 332.58 199.87C326.37 199.87 323.06 196.93 323.06 191.44C323.06 188.94 323.07 182.7 323.07 172.72Z" id="aV4WR1Bbb"></path><path d="M353.13 199.46L340.42 167.46L347.31 167.46L356.64 191.82L366.91 167.46L373.67 167.46C364.43 188.87 359.29 200.77 358.27 203.15C355.32 209.98 351.94 212.67 346.06 212.67C344.94 212.7 343.82 212.57 342.73 212.3C342.73 211.75 342.73 207.34 342.73 206.79C343.66 206.98 344.61 207.06 345.55 207.03C348.44 207.03 350.5 205.53 351.88 202.34C352.05 201.95 352.46 201 353.13 199.46Z" id="a7jFWJrNV"></path><path d="M143.67 232.98C143.67 229.42 143.67 227.43 143.67 227.04C143.67 220.9 147.12 217.52 153.39 217.52C154.81 217.46 156.24 217.65 157.6 218.08C157.6 218.5 157.6 221.8 157.6 222.21C156.35 221.8 155.04 221.6 153.72 221.61C150.03 221.61 148.3 223.37 148.3 227.19C148.3 227.57 148.3 229.52 148.3 233.01L157.63 233.01L157.63 236.94L148.25 236.94L148.25 264.37L143.67 264.37L143.67 236.94L136.27 236.94L136.27 233L143.67 232.98Z" id="az1Caf5YW"></path><path d="M191.52 248.62C191.52 257.73 184.44 264.99 175.55 264.99C166.66 264.99 159.52 257.85 159.52 248.64C159.52 239.43 166.6 232.36 175.55 232.36C184.44 232.36 191.52 239.5 191.52 248.62ZM175.55 236.47C169.16 236.47 164.11 241.79 164.11 248.62C164.11 255.44 169.12 260.83 175.55 260.83C181.98 260.83 186.95 255.47 186.95 248.64C186.95 241.79 181.94 236.47 175.55 236.47Z" id="a1F2xfNijO"></path><path d="M197.96 232.98L202.6 232.98C202.6 235.65 202.6 237.14 202.6 237.43C204.34 234.22 207.72 232.24 211.37 232.3C212.37 232.27 213.36 232.42 214.31 232.74C214.31 233.16 214.31 236.57 214.31 236.99C213.26 236.63 212.16 236.44 211.05 236.43C207.17 236.43 204.23 238.69 202.63 242.88C202.63 244.32 202.63 251.47 202.63 264.36L197.99 264.36L197.96 232.98Z" id="b9q6Vm1hn2"></path><path d="M233.97 220.53L238.79 220.53L238.79 241.32L261.46 220.53L267.78 220.53L243.98 242L268.28 264.36L261.5 264.36L238.78 243.29L238.78 264.36L233.96 264.36L233.97 220.53Z" id="i2dvSSsrh"></path><path d="M274.55 251.9C274.55 257.47 277.93 260.93 283.31 260.93C286.87 261.01 290.19 259.14 291.96 256.05C291.96 254.51 291.96 246.82 291.96 232.98L296.59 232.98L296.59 264.36L291.96 264.36C291.96 262.19 291.96 260.99 291.96 260.75C289.51 263.57 286.2 265 282.13 265C274.9 265 269.98 260.06 269.98 252.85C269.98 251.53 269.98 244.91 269.98 232.98L274.55 232.98C274.55 243.07 274.55 249.38 274.55 251.9Z" id="a2Dm0dhInM"></path><path d="M309.05 261.25C309.05 261.46 309.05 262.5 309.05 264.38L304.48 264.38L304.48 220.55L309.11 219.48C309.11 229.6 309.11 235.21 309.11 236.34C311.85 233.8 315.47 232.43 319.2 232.52C328.08 232.52 334.98 239.6 334.98 248.68C334.98 257.76 328.08 264.86 319.13 264.86C315.45 264.86 311.89 263.58 309.05 261.25ZM309.11 256.47C311.52 259.27 315.05 260.86 318.75 260.79C325.37 260.79 330.39 255.59 330.39 248.71C330.39 241.82 325.32 236.56 318.75 236.56C315.03 236.47 311.49 238.08 309.11 240.94C309.11 244.04 309.11 254.91 309.11 256.47Z" id="b3vkHmROx"></path><path d="M340.05 249.11C340.04 248.96 340.05 248.81 340.05 248.66C340.05 239.63 346.87 232.51 355.51 232.51C363.84 232.51 370.35 239.65 370.35 248.66C370.35 248.76 370.35 249.24 370.35 250.11C354.9 250.11 346.31 250.11 344.59 250.11C345.28 256.3 350.16 260.87 356.36 260.87C359.62 260.87 362.88 259.81 365 258C365.29 258.3 367.6 260.76 367.89 261.07C364.54 263.64 360.42 265 356.2 264.92C347.37 265.01 340.14 257.93 340.05 249.11ZM365.74 246.39C364.93 240.81 360.6 236.56 355.41 236.56C349.94 236.56 345.62 240.63 344.74 246.39C344.75 246.39 363.64 246.39 365.74 246.39Z" id="a3Cl5yq9Nk"></path><path d="M376.8 232.98L381.44 232.98C381.44 235.65 381.44 237.14 381.44 237.43C383.17 234.22 386.55 232.24 390.2 232.3C391.2 232.27 392.2 232.42 393.15 232.74C393.15 233.16 393.15 236.57 393.15 236.99C392.1 236.63 391 236.44 389.89 236.43C386.01 236.43 383.06 238.69 381.46 242.88C381.46 244.32 381.46 251.47 381.46 264.36L376.82 264.36L376.8 232.98Z" id="bLu7yFrmf"></path><path d="M398.47 232.98L403.1 232.98C403.1 235.2 403.1 236.44 403.1 236.68C405.54 233.8 408.93 232.36 413 232.36C420.13 232.36 425.08 237.31 425.08 244.51C425.08 245.83 425.08 252.46 425.08 264.38L420.51 264.38C420.51 253.02 420.51 246.71 420.51 245.45C420.51 239.87 417.13 236.42 411.75 236.42C408.2 236.33 404.89 238.18 403.1 241.23C403.1 242.77 403.1 250.48 403.1 264.34L398.47 264.34L398.47 232.98Z" id="b1WjpnmXI4"></path><path d="M431.4 249.11C431.4 248.96 431.4 248.81 431.4 248.66C431.4 239.63 438.23 232.51 446.87 232.51C455.19 232.51 461.71 239.65 461.71 248.66C461.71 248.76 461.71 249.24 461.71 250.11C446.27 250.11 437.69 250.11 435.97 250.11C436.67 256.3 441.55 260.87 447.75 260.87C451 260.87 454.26 259.81 456.39 258C456.68 258.3 458.98 260.76 459.27 261.07C455.92 263.65 451.78 265.01 447.55 264.92C438.72 265.01 431.49 257.93 431.4 249.11ZM457.09 246.39C456.28 240.81 451.95 236.56 446.76 236.56C441.3 236.56 436.98 240.63 436.11 246.39C440.31 246.39 454.99 246.39 457.09 246.39Z" id="g4BM63AGvh"></path><path d="M470.79 236.94L464.03 236.94L464.03 233L470.79 233L470.79 225.03L475.36 223.83L475.36 232.97L484.82 232.97L484.82 236.94L475.36 236.94C475.36 248.48 475.36 254.88 475.36 256.17C475.36 259.55 476.74 260.86 480.18 260.86C481.74 260.91 483.3 260.64 484.75 260.05C484.75 260.46 484.75 263.71 484.75 264.12C482.97 264.68 481.11 264.95 479.24 264.93C473.82 264.93 470.81 262.31 470.81 257.36C470.81 254.64 470.8 247.83 470.79 236.94Z" id="a1t0BgWgyw"></path><path d="M487.32 249.11C487.32 248.96 487.32 248.81 487.32 248.66C487.32 239.63 494.15 232.51 502.79 232.51C511.12 232.51 517.63 239.65 517.63 248.66C517.63 248.76 517.63 249.24 517.63 250.11C502.19 250.11 493.61 250.11 491.89 250.11C492.58 256.3 497.47 260.87 503.67 260.87C506.93 260.87 510.18 259.81 512.31 258C512.6 258.3 514.9 260.76 515.19 261.07C511.84 263.64 507.71 265 503.48 264.92C494.65 265.02 487.42 257.94 487.32 249.11ZM513.02 246.39C512.21 240.81 507.89 236.56 502.69 236.56C497.22 236.56 492.9 240.63 492.02 246.39C492.02 246.39 510.92 246.39 513.02 246.39Z" id="d11cff5nu"></path><path d="M524.02 257.03C526.77 259.69 530.43 261.2 534.25 261.25C539.26 261.25 542.77 258.93 542.77 255.61C542.77 252.92 540.96 251.4 536.95 250.85C536.4 250.77 532.07 250.18 531.53 250.1C525.27 249.16 522.26 246.41 522.26 241.67C522.26 236.41 527.14 232.53 534.03 232.53C538.46 232.5 542.77 233.94 546.3 236.62C546.06 236.93 544.13 239.44 543.89 239.75C540.38 237.34 537.19 236.24 533.75 236.24C529.43 236.24 526.48 238.37 526.48 241.44C526.48 244.14 528.17 245.45 532.3 246.07C532.85 246.15 537.18 246.75 537.72 246.83C543.98 247.7 547.12 250.52 547.12 255.34C547.12 260.79 541.61 264.92 534.41 264.92C529.21 264.92 524.51 263.17 521.2 260.04C521.76 259.44 523.45 257.63 524.02 257.03Z" id="cjTjFwxtT"></path><path d="M78.47 53.05C86 53.05 96.9 51.5 96.9 42.54C96.92 41.85 96.86 41.16 96.71 40.48C96.26 38.53 92.67 22.95 92.22 21C91.19 16.71 90.28 14.77 82.75 11C76.89 8.01 64.17 3.08 60.4 3.08C56.9 3.08 55.86 7.62 51.7 7.62C47.68 7.62 44.69 4.25 40.93 4.25C37.32 4.25 34.96 6.71 33.15 11.77C33.15 11.77 28.08 26.06 27.43 28.13C27.33 28.51 27.28 28.9 27.29 29.3C27.29 34.85 49.16 53.05 78.47 53.05M98.06 46.18C99.11 51.11 99.11 51.63 99.11 52.28C99.11 60.71 89.63 65.39 77.17 65.39C48.96 65.38 24.33 48.9 24.33 38C24.32 36.48 24.63 34.98 25.23 33.59C15.11 34.1 2 35.92 2 47.47C2 66.42 46.91 89.78 82.47 89.78C109.73 89.78 116.61 77.45 116.61 67.72C116.61 60.06 109.99 51.36 98.05 46.17" id="hH88A7ePS"></path><path d="M99.25 46.42C100.29 51.35 100.29 51.87 100.29 52.52C100.29 60.95 90.82 65.63 78.36 65.63C50.17 65.63 25.53 49.15 25.53 38.25C25.53 36.73 25.84 35.23 26.44 33.84C26.66 33.29 28.42 28.93 28.64 28.38C28.53 28.76 28.48 29.15 28.49 29.54C28.49 35.09 50.37 53.3 79.67 53.3C87.2 53.3 98.1 51.75 98.1 42.79C98.12 42.1 98.06 41.41 97.91 40.73C98.18 41.87 98.98 45.28 99.25 46.42Z" id="b6OxCuoxEQ"></path><path d="M351.96 58.9C351.96 66.06 356.27 69.54 364.12 69.54C366.54 69.48 368.94 69.14 371.28 68.53C371.28 67.7 371.28 61.06 371.28 60.23C369.78 60.7 368.22 60.94 366.65 60.93C363.42 60.93 362.22 59.92 362.22 56.88C362.22 56.03 362.22 51.79 362.22 44.15L371.59 44.15L371.59 35.6L362.22 35.6L362.22 24.76L351.99 26.98L351.99 35.6L345.2 35.6L345.2 44.15L351.97 44.15C351.97 52.02 351.96 56.93 351.96 58.9ZM320.05 59.09C320.05 56.88 322.27 55.8 325.63 55.8C327.68 55.81 329.72 56.07 331.71 56.56C331.71 56.99 331.71 60.43 331.71 60.86C329.75 61.93 327.55 62.48 325.33 62.45C322.04 62.45 320.07 61.18 320.07 59.09M323.2 69.67C326.81 69.67 329.73 68.91 332.45 67.07C332.45 67.21 332.45 67.88 332.45 69.1L342.58 69.1C342.58 56.22 342.58 49.06 342.58 47.63C342.58 39.46 337.07 34.99 327.89 34.99C322.76 34.99 317.69 36.19 312.24 38.66C312.6 39.41 315.54 45.44 315.91 46.2C319.84 44.55 323.13 43.53 326.04 43.53C330.26 43.53 332.44 45.18 332.44 48.54C332.44 48.7 332.44 50.02 332.44 50.18C329.96 49.54 327.4 49.22 324.84 49.23C316.22 49.23 311.03 52.84 311.03 59.3C311.03 65.19 315.72 69.68 323.19 69.68M267.53 69.12L278.42 69.12L278.42 51.75L296.66 51.75L296.66 69.1L307.55 69.1L307.55 24.77L296.68 24.77L296.68 41.81L278.45 41.81L278.45 24.77L267.56 24.77L267.53 69.12ZM226.05 52.32C226.05 47.5 229.85 43.83 234.86 43.83C237.46 43.77 240 44.7 241.95 46.43C241.95 47.6 241.95 56.95 241.95 58.12C240.03 59.91 237.48 60.87 234.86 60.78C229.92 60.78 226.05 57.11 226.05 52.3M242.07 69.08L252.21 69.08L252.21 22.56L241.97 24.77C241.97 32.33 241.97 36.54 241.97 37.38C239.37 35.9 236.42 35.13 233.42 35.16C223.67 35.16 216.01 42.69 216.01 52.32C215.88 61.71 223.4 69.43 232.79 69.56C232.89 69.56 232.99 69.56 233.09 69.56C236.32 69.57 239.47 68.55 242.07 66.65C242.07 66.97 242.07 67.78 242.07 69.08ZM195.6 43.37C198.83 43.37 201.55 45.46 202.63 48.68C201.23 48.68 190.05 48.68 188.65 48.68C189.66 45.33 192.2 43.37 195.62 43.37M178.31 52.38C178.31 62.13 186.29 69.73 196.54 69.73C202.18 69.73 206.3 68.21 210.54 64.66C209.86 64.06 204.44 59.24 203.76 58.64C202.18 60.29 199.84 61.18 197.06 61.18C193.48 61.28 190.2 59.16 188.82 55.86C190.41 55.86 198.37 55.86 212.69 55.86C212.69 54.34 212.69 53.5 212.69 53.33C212.69 42.69 205.54 35.03 195.79 35.03C186.29 34.89 178.47 42.47 178.33 51.97C178.32 52.11 178.32 52.24 178.32 52.38M160.65 34.08C164.26 34.08 166.28 36.36 166.28 39.09C166.28 41.81 164.25 44.09 160.65 44.09C159.93 44.09 156.34 44.09 149.88 44.09L149.88 34.08C155.62 34.08 159.21 34.08 160.65 34.08ZM138.97 69.1L149.86 69.1L149.86 52.95L158.15 52.95L166.52 69.1L178.67 69.1C172.82 58.46 169.57 52.55 168.92 51.37C173.99 49.31 177.3 44.37 177.28 38.89C177.28 30.91 171.01 24.77 161.62 24.77C160.11 24.77 152.57 24.77 138.99 24.77L138.97 69.1Z" id="ajv4IudZ0"></path></defs><g><g><g><use xlink:href="#ffFGjZwq6" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#ffFGjZwq6" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#e554g3sJuj" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#e554g3sJuj" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#b167mnrDp" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#b167mnrDp" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#cluGz7CdC" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#cluGz7CdC" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#aU6ggiW3t" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#aU6ggiW3t" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#a2WRH1XVFJ" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#a2WRH1XVFJ" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#cZHbsq3br" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#cZHbsq3br" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#c59BQl4MQ" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#c59BQl4MQ" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#ic98KlEGv" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#ic98KlEGv" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#c3rDYqlC2T" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#c3rDYqlC2T" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#aBGCWvyKO" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#aBGCWvyKO" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#c64YtJA9yC" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#c64YtJA9yC" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#cvItR63" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#cvItR63" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#b19jCMUKZf" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#b19jCMUKZf" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#i2fLbStUT" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#i2fLbStUT" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#f4HxK07QgS" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#f4HxK07QgS" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#a3wv4pOVr" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#a3wv4pOVr" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#bPZwqOB6s" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#bPZwqOB6s" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#a5uzK3FPi" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#a5uzK3FPi" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#e1HTUnUNp" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#e1HTUnUNp" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#b3GbegyIX4" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#b3GbegyIX4" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#aV4WR1Bbb" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#aV4WR1Bbb" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#a7jFWJrNV" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#a7jFWJrNV" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#az1Caf5YW" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#az1Caf5YW" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#a1F2xfNijO" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#a1F2xfNijO" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#b9q6Vm1hn2" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#b9q6Vm1hn2" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#i2dvSSsrh" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#i2dvSSsrh" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#a2Dm0dhInM" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#a2Dm0dhInM" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#b3vkHmROx" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#b3vkHmROx" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#a3Cl5yq9Nk" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#a3Cl5yq9Nk" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#bLu7yFrmf" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#bLu7yFrmf" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#b1WjpnmXI4" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#b1WjpnmXI4" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#g4BM63AGvh" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#g4BM63AGvh" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#a1t0BgWgyw" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#a1t0BgWgyw" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#d11cff5nu" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#d11cff5nu" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#cjTjFwxtT" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#cjTjFwxtT" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#hH88A7ePS" opacity="1" fill="#ee0000" fill-opacity="1"></use><g><use xlink:href="#hH88A7ePS" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#b6OxCuoxEQ" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#b6OxCuoxEQ" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g><g><use xlink:href="#ajv4IudZ0" opacity="1" fill="#000000" fill-opacity="1"></use><g><use xlink:href="#ajv4IudZ0" opacity="1" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="0"></use></g></g></g></g></svg>


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/acs_features.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/acs_features.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/architecture_acs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/architecture_acs.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/cicd/01-devsecops_pipeline.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/cicd/01-devsecops_pipeline.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/cli/roxctl1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/cli/roxctl1.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/compliance/00_compliance_dash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/compliance/00_compliance_dash.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/compliance/00_compliance_pci.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/compliance/00_compliance_pci.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/compliance/00_compliance_pci2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/compliance/00_compliance_pci2.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/compliance/01_compliance_scan.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/compliance/01_compliance_scan.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/compliance/02_compliance_result.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/compliance/02_compliance_result.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/compliance/03_compliance_operator_in_acs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/compliance/03_compliance_operator_in_acs.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/compliance/04_co_acs_detail.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/compliance/04_co_acs_detail.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/compliance/05_nist0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/compliance/05_nist0.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/compliance/06_nist1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/compliance/06_nist1.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/compliance/07_nist2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/compliance/07_nist2.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/configmgmt/01-config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/configmgmt/01-config.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/configmgmt/02-config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/configmgmt/02-config.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/configmgmt/03-config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/configmgmt/03-config.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/configmgmt/04-config.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/configmgmt/04-config.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/dashboard/acs_dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/dashboard/acs_dashboard.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/dashboard/acs_dashboard_header.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/dashboard/acs_dashboard_header.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/dashboard/acs_dashboard_information.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/dashboard/acs_dashboard_information.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/dashboard/acs_dashboard_menu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/dashboard/acs_dashboard_menu.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/00_operator_hub.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/00_operator_hub.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/01_select_acs_operator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/01_select_acs_operator.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/02_install_acs_operator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/02_install_acs_operator.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/03_wait_for_completion.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/03_wait_for_completion.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/04_11_create_central_resource.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/04_11_create_central_resource.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/04_1_create_central_resource.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/04_1_create_central_resource.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/04_22_create_central_resource.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/04_22_create_central_resource.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/04_2_create_central_resource.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/04_2_create_central_resource.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/04_3_create_central_resource.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/04_3_create_central_resource.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/04_operator_installed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/04_operator_installed.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/04_operator_ready.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/04_operator_ready.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/05_1_login_password.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/05_1_login_password.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/05_2_login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/05_2_login.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/06_acs_integrations.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/06_acs_integrations.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/07_generate_cluster_init_bundle.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/07_generate_cluster_init_bundle.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/07_generate_cluster_init_bundle_name.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/07_generate_cluster_init_bundle_name.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/08_download_cluster_init_bundle_secret.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/08_download_cluster_init_bundle_secret.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/09_create_secured_cluster_resource.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/09_create_secured_cluster_resource.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/10_create_secured_cluster_resource_yaml.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/10_create_secured_cluster_resource_yaml.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/install/11_verify_cluster_list.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/install/11_verify_cluster_list.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/00-integrate-acs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/00-integrate-acs.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/01-oauth.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/01-oauth.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/01-sso.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/01-sso.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/02-oauth.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/02-oauth.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/02-sso.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/02-sso.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/03-oauth.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/03-oauth.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/03-registry_ocp_internal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/03-registry_ocp_internal.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/03-sso.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/03-sso.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/04-integration-slack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/04-integration-slack.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/04-sso.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/04-sso.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/04_oauth.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/04_oauth.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/05-integrations-slack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/05-integrations-slack.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/05-oauth.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/05-oauth.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/05-sso.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/05-sso.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/06-integrations-slack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/06-integrations-slack.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/06-oauth.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/06-oauth.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/06-sso.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/06-sso.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/07-integrations-slack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/07-integrations-slack.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/07-oauth.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/07-oauth.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/07-sso.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/07-sso.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/08-integrations-slack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/08-integrations-slack.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/08-oauth.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/08-oauth.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/08-sso.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/08-sso.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/09-integrations-slack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/09-integrations-slack.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/09-oauth.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/09-oauth.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/09-sso.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/09-sso.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/integrations/10-oauth.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/integrations/10-oauth.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/kubelogo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/kubelogo.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/multicluster/01_multi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/multicluster/01_multi.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/multicluster/02_multi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/multicluster/02_multi.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/multicluster/03_multi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/multicluster/03_multi.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/multicluster/04_multi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/multicluster/04_multi.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/multicluster/06_multi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/multicluster/06_multi.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/multicluster/07_multi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/multicluster/07_multi.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/multicluster/08_multi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/multicluster/08_multi.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/multicluster/0_multi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/multicluster/0_multi.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/network-flow/00-network.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/network-flow/00-network.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/network-flow/01-network.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/network-flow/01-network.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/network-flow/02-network.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/network-flow/02-network.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/network-flow/03-network.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/network-flow/03-network.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/network-flow/04-network.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/network-flow/04-network.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/network-flow/05-network.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/network-flow/05-network.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/policies/00-policies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/policies/00-policies.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/policies/01-policies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/policies/01-policies.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/policies/02-policies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/policies/02-policies.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/policies/03-policies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/policies/03-policies.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/policies/04-policies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/policies/04-policies.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/risks/01-risks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/risks/01-risks.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/risks/02-risks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/risks/02-risks.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/risks/03-risks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/risks/03-risks.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/risks/04-risks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/risks/04-risks.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/risks/05-risks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/risks/05-risks.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/risks/05_1-risks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/risks/05_1-risks.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/risks/06-risks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/risks/06-risks.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/violations/00-test-example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/violations/00-test-example.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/violations/01-violations.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/violations/01-violations.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/violations/02-violations.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/violations/02-violations.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/violations/03-violations.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/violations/03-violations.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/violations/04-violations.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/violations/04-violations.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/01-filter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/01-filter.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/01-inactive.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/01-inactive.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/02-filter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/02-filter.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/02-inactive.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/02-inactive.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/02-vuln.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/02-vuln.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/03-filter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/03-filter.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/03-vuln.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/03-vuln.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/04-vuln.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/04-vuln.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/05-vuln.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/05-vuln.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/06-vuln.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/06-vuln.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/40_vuln.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/40_vuln.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/active_inactive.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/active_inactive.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/assets/images/vulnerabilities/top-riskiest-images.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/assets/images/vulnerabilities/top-riskiest-images.png


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/acs-log4shell-policy.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "policies": [
 3 |         {
 4 |             "id": "22514e2d-08dc-4ffa-ab90-98794c4269dc",
 5 |             "name": "Log4Shell - CVE-2021-44228",
 6 |             "description": "Block build and deployment of images affected by CVE-2021-44228.",
 7 |             "rationale": "CVE-2021-44228 is a critical vulnerability impacting log4j from v2.0 to v2.14.1 that allows RCE from a malicious LDAP contacted via Jndi lookup",
 8 |             "remediation": "Disable Jndi lookup on the impacted applications by removing the JndiLookup class or passing the property log4j2.formatMsgNoLookups = true",
 9 |             "disabled": false,
10 |             "categories": [
11 |                 "Vulnerability Management"
12 |             ],
13 |             "fields": null,
14 |             "lifecycleStages": [
15 |                 "BUILD",
16 |                 "DEPLOY"
17 |             ],
18 |             "eventSource": "NOT_APPLICABLE",
19 |             "whitelists": [],
20 |             "exclusions": [],
21 |             "scope": [],
22 |             "severity": "HIGH_SEVERITY",
23 |             "enforcementActions": [
24 |                 "FAIL_BUILD_ENFORCEMENT",
25 |                 "SCALE_TO_ZERO_ENFORCEMENT",
26 |                 "UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT"
27 |             ],
28 |             "notifiers": [],
29 |             "lastUpdated": "2021-12-13T15:55:51.052841396Z",
30 |             "SORTName": "",
31 |             "SORTLifecycleStage": "",
32 |             "SORTEnforcement": false,
33 |             "policyVersion": "1.1",
34 |             "policySections": [
35 |                 {
36 |                     "sectionName": "CVEs",
37 |                     "policyGroups": [
38 |                         {
39 |                             "fieldName": "CVE",
40 |                             "booleanOperator": "OR",
41 |                             "negate": false,
42 |                             "values": [
43 |                                 {
44 |                                     "value": "CVE-2021-44228"
45 |                                 }
46 |                             ]
47 |                         }
48 |                     ]
49 |                 }
50 |             ],
51 |             "mitreAttackVectors": [
52 |                 {
53 |                     "tactic": "TA0002",
54 |                     "techniques": []
55 |                 }
56 |             ],
57 |             "criteriaLocked": false,
58 |             "mitreVectorsLocked": false,
59 |             "isDefault": false
60 |         }
61 |     ]
62 | }
63 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/co-ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: openshift-compliance


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/co-og.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: operators.coreos.com/v1
2 | kind: OperatorGroup
3 | metadata:
4 |   name: compliance-operator
5 |   namespace: openshift-compliance
6 | spec:
7 |   targetNamespaces:
8 |   - openshift-compliance


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/co-scan.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: compliance.openshift.io/v1alpha1
 2 | kind: ScanSettingBinding
 3 | metadata:
 4 |   name: cis-scan
 5 |   namespace: openshift-compliance
 6 | profiles:
 7 | - apiGroup: compliance.openshift.io/v1alpha1
 8 |   kind: Profile
 9 |   name: ocp4-cis
10 | settingsRef:
11 |   apiGroup: compliance.openshift.io/v1alpha1
12 |   kind: ScanSetting
13 |   name: default
14 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/co-subs.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: operators.coreos.com/v1alpha1
 2 | kind: Subscription
 3 | metadata:
 4 |   name: compliance-operator-sub
 5 |   namespace: openshift-compliance
 6 | spec:
 7 |   channel: "release-0.1"
 8 |   installPlanApproval: Automatic
 9 |   name: compliance-operator
10 |   source: redhat-operators
11 |   sourceNamespace: openshift-marketplace


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/install-co.sh:
--------------------------------------------------------------------------------
1 | 
2 | ```
3 | oc new-project openshift-compliance
4 | ```


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/log4shell-deployment.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | apiVersion: v1
 3 | kind: Namespace
 4 | metadata:
 5 |   labels:
 6 |     kubernetes.io/metadata.name: log4shell-rogue-ns
 7 |   name: log4shell-rogue-ns
 8 | spec: {}
 9 | 
10 | ---
11 | apiVersion: apps/v1
12 | kind: Deployment
13 | metadata:
14 |   labels:
15 |     app: log4shell
16 |   name: log4shell
17 |   namespace: log4shell-rogue-ns
18 | spec:
19 |   progressDeadlineSeconds: 600
20 |   replicas: 3
21 |   revisionHistoryLimit: 10
22 |   selector:
23 |     matchLabels:
24 |       app: log4shell
25 |   strategy:
26 |     rollingUpdate:
27 |       maxSurge: 25%
28 |       maxUnavailable: 25%
29 |     type: RollingUpdate
30 |   template:
31 |     metadata:
32 |       creationTimestamp: null
33 |       labels:
34 |         app: log4shell
35 |     spec:
36 |       containers:
37 |       - image: quay.io/gbsalinetti/log4shell-vulnerable-app
38 |         imagePullPolicy: Always
39 |         name: log4shell-vulnerable-app
40 |         resources: {}
41 |         terminationMessagePath: /dev/termination-log
42 |         terminationMessagePolicy: File
43 |       dnsPolicy: ClusterFirst
44 |       restartPolicy: Always
45 |       schedulerName: default-scheduler
46 |       securityContext: {}
47 |       terminationGracePeriodSeconds: 30
48 | 
49 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/run.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | echo "Hello World"


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/sso-instance.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: keycloak.org/v1alpha1
2 | kind: Keycloak
3 | metadata:
4 |   name: rhacs-keycloak
5 |   namespace: single-sign-on
6 | spec:
7 |   externalAccess:
8 |     enabled: true
9 |   instances: 1


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/sso-og.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/documentation/modules/ROOT/examples/sso-og.yaml


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/sso-realm.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: keycloak.org/v1alpha1
 2 | kind: KeycloakRealm
 3 | metadata:
 4 |  name: rhacs-keycloakrealm
 5 |  namespace: single-sign-on
 6 | spec:
 7 |  instanceSelector:
 8 |    matchLabels:
 9 |      app: keycloak
10 |  realm:
11 |    displayName: Basic Realm
12 |    enabled: true
13 |    id: basic
14 |    realm: basic


--------------------------------------------------------------------------------
/documentation/modules/ROOT/examples/sso-subs.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: operators.coreos.com/v1alpha1
 2 | kind: Subscription
 3 | metadata:
 4 |   name: rhsso-operator
 5 | spec:
 6 |   channel: alpha
 7 |   installPlanApproval: Manual
 8 |   name: rhsso-operator
 9 |   source: redhat-operators
10 |   sourceNamespace: openshift-marketplace


--------------------------------------------------------------------------------
/documentation/modules/ROOT/nav.adoc:
--------------------------------------------------------------------------------
 1 | * xref:01-setup.adoc[Setup]
 2 | ** xref:01-setup.adoc#prerequisite[Prerequisites]
 3 | 
 4 | * xref:02-getting_started.adoc[Getting Started]
 5 | ** xref:02-getting_started#rhacs_components[RHACS Components]
 6 | ** xref:02-getting_started#install_acs_operator[Install RHACS Operator]
 7 | ** xref:02-getting_started#install_acs_central[Install RHACS Central Cluster]
 8 | ** xref:02-getting_started#config_acs_securedcluster[Configuration of the RHACS Secured Cluster ]
 9 | ** xref:02-getting_started#deploy_acs_manually[Deploying ACS manually]
10 | ** xref:02-getting_started#deploy_demo_acs[Deploying Demo in RHACS]
11 | ** xref:02-getting_started#deploy_apps[Deploying Apps]
12 | 
13 | * xref:03-overview-acs.adoc[RHACS Overview]
14 | ** xref:03-overview-acs.adoc#acs_architecture[RHACS Architecture]
15 | ** xref:03-overview-acs.adoc#dashboard_acs[RHACS Dashboard]
16 | *** xref:03-overview-acs.adoc#dashboard_acs_header[Dashboard Header]
17 | *** xref:03-overview-acs.adoc#dashboard_acs_menu[Dashboard Left Menu]
18 | *** xref:03-overview-acs.adoc#dashboard_acs_information[Dashboard Information]
19 | 
20 | * xref:04-vulnerabilities.adoc[Vulnerability Management]
21 | ** xref:04-vulnerabilities#image_overview_image_details[Image overview and image details]
22 | ** xref:04-vulnerabilities#vulnerability_management_panel[Review Vulnerability Management Dashboard]
23 | ** xref:04-vulnerabilities#scanning_images[Scanning images for vulnerabilities]
24 | ** xref:04-vulnerabilities#filtering_vulnerabilities_scans[Filtering vulnerabilities scans]
25 | ** xref:04-vulnerabilities#review_cve_images[Image CVE Vulnerability Analysis]
26 | ** xref:04-vulnerabilities#image_correlation_deployments[Image CVE correlation with Deployments]
27 | 
28 | * xref:05-risk.adoc[Risk Management]
29 | ** xref:05-risk.adoc#risk_dashboard[Review Risk Dashboard]
30 | ** xref:05-risk.adoc#risk_single_deployment_details[Single Deployment Details]
31 | ** xref:05-risk.adoc#risk_process_discovery[Process Discovery / Runtime]
32 | ** xref:05-risk.adoc#risk_filtering[Filtering]
33 | 
34 | * xref:06-network_graph.adoc[Network Graph]
35 | ** xref:06-network_graph.adoc#network_graph_overview[Network Graph Overview]
36 | ** xref:06-network_graph.adoc#network_graph_views[Network Graph Views]
37 | ** xref:06-network_graph.adoc#network_policy_simulator[Network Policy Simulator]
38 | 
39 | * xref:06-network_graph-2.0.adoc[Network Graph 2.0]
40 | ** xref:06-network_graph-2.0.adoc#network_graph_overview-2[Network Graph Overview]
41 | ** xref:06-network_graph-2.0.adoc#network_graph_views-2[Network Graph Views]
42 | ** xref:06-network_graph-2.0.adoc#network_policy_simulator-2[Network Policy Simulator]
43 | 
44 | * xref:07-violations.adoc[Violations]
45 | ** xref:07-violations.adoc#violations_overview[Violations Dashboard Overview]
46 | ** xref:07-violations.adoc#violations_example[Violations Build & Deploy Example]
47 | ** xref:07-violations.adoc#violations_runtime[Violations Runtime Example]
48 | ** xref:07-violations.adoc#violations_behaviour[Violations Behaviour]
49 | ** xref:07-violations.adoc#policy_summary[Policy Summary]
50 | 
51 | * xref:08-compliance.adoc[Compliance]
52 | ** xref:08-compliance.adoc#compliance_dashboard[Review Compliance Dashboard]
53 | ** xref:08-compliance.adoc#compliance_dashboard_scan[Execute the first Compliance Scan]
54 | ** xref:08-compliance.adoc#compliance_dashboard_review[Review the Compliance Reports in the Compliance Dashboard]
55 | ** xref:08-compliance.adoc#compliance_dashboard_ns[Namespace Compliance Details]
56 | ** xref:08-compliance.adoc#compliance_dashboard_report[Evidence Export]
57 | ** xref:08-compliance.adoc#compliance_operator[Integrating Compliance Operator with RHACS ]
58 | ** xref:08-compliance.adoc#compliance_operator_acs_review[Review Compliance Scans of the Compliance Operator in RHACS]
59 | ** xref:08-compliance.adoc#acs_policy_compliance[Configure Policy in RHACS to Invoke Compliance related Controls]
60 | ** xref:08-compliance.adoc#acs_policy_compliance_nist[Enforce Policies that Meet Guidance for NIST Control 4.2.2]
61 | ** xref:08-compliance.adoc#acs_policy_compliance_nist_view[View Updated Compliance Scan Results in RHACS]
62 | ** xref:08-compliance.adoc#acs_policy_compliance_nist_revert[Revert the Policy Changes]
63 | 
64 | * xref:09-configuration_management.adoc[Configuration Management]
65 | ** xref:09-configuration_management.adoc#conf_management_overview[Configuration Management Overview]
66 | ** xref:09-configuration_management.adoc#conf_management_cis[Configuration Management CIS]
67 | 
68 | * xref:10-system_policies.adoc[System Policies]
69 | ** xref:10-system_policies.adoc#system_policies_overview[System Policies Overview]
70 | ** xref:10-system_policies.adoc#system_policies_example[System Policies Build and Deploy Example]
71 | ** xref:10-system_policies.adoc#system_policies_enforcement[System Policies Enforcement]
72 | 
73 | * xref:11-integrations.adoc[RHACS Integrations]
74 | ** xref:11-integrations.adoc#integrate_with_internal_openshift_registry[Integrate with Internal Openshift Registry]
75 | *** xref:11-integrations.adoc#integrate_with_internal_openshift_registry_config_acs[Configure RHACS integration for Internal Openshift Registry]
76 | ** xref:11-integrations.adoc#integrate_acs_slack[Integrate RHACS with Slack]
77 | ** xref:11-integrations.adoc#integrate_acs_oauth[Integrate RHACS with OpenShift OAuth]
78 | ** xref:11-integrations.adoc#integrate_acs_sso[Integrate RHACS with OpenShift RHSSO]
79 | 
80 | * xref:12-platform_configuration.adoc[RHACS Secure Cluster Management]
81 | ** xref:12-platform_configuration.adoc#clusters[RHACS Secured Clusters]
82 | ** xref:12-platform_configuration.adoc#clusters_vuln[Add vulnerabilities to the Secured Cluster]
83 | ** xref:12-platform_configuration.adoc#system_configuration[RHACS System Configuration]
84 | ** xref:12-platform_configuration.adoc#system_health[RHACS System Health]
85 | ** xref:12-platform_configuration.adoc#access_control[RHACS Access Control]
86 | 
87 | * xref:13-cicd.adoc[DevSecOps Pipelines]
88 | ** xref:13-cicd#install_devsecops_pipelines[Installing RHACS DevSecOps Pipeline]
89 | ** xref:13-cicd#run_devsecops_pipelines[Running the demo of DevSecOps Pipeline]
90 | 
91 | * xref:14-apicli.adoc[RHACS API and CLI]
92 | ** xref:14-apicli.adoc#cli-overview[RHACS CLI Overview]
93 | ** xref:14-apicli.adoc#cli-integration[RHACS CLI Integration]
94 | ** xref:14-apicli.adoc#api-overview[RHACS API Overview]
95 | 
96 | * xref:15-contributors.adoc[Contributors]


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/01-setup.adoc:
--------------------------------------------------------------------------------
  1 | = Setup
  2 | include::_attributes.adoc[]
  3 | 
  4 | [#prerequisite]
  5 | == Prerequisite CLI tools
  6 | 
  7 | The following CLI tools are required for running the exercises in this workshop. 
  8 | Please have them installed and configured before you get started with any of the workshop chapters.
  9 | 
 10 | [cols="4*^,4*.",options="header,+attributes"]
 11 | |===
 12 | |**Tool**|**macOS**|**Fedora**|**windows**
 13 | 
 14 | | `Git`
 15 | | https://git-scm.com/download/mac[Download]
 16 | | https://git-scm.com/download/linux[Download]
 17 | | https://git-scm.com/download/win[Download]
 18 | 
 19 | | `Docker`
 20 | | https://docs.docker.com/docker-for-mac/install[Docker for Mac]
 21 | | `dnf install podman podman-docker`
 22 | | https://docs.docker.com/docker-for-windows/install[Docker for Windows]
 23 | 
 24 | | `kubectl {kubernetes-version}`
 25 | | https://storage.googleapis.com/kubernetes-release/release/{kubernetes-version}/bin/darwin/amd64/kubectl[Download]
 26 | | https://storage.googleapis.com/kubernetes-release/release/{kubernetes-version}/bin/linux/amd64/kubectl[Download]
 27 | | https://storage.googleapis.com/kubernetes-release/release/{kubernetes-version}/bin/windows/amd64/kubectl.exe[Download]
 28 | 
 29 | | `kustomize {kustomize-version}`
 30 | | https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.1.2/kustomize_{kustomize-version}_darwin_amd64.tar.gz[Download]
 31 | | https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.1.2/kustomize_{kustomize-version}_linux_amd64.tar.gz[Download]
 32 | | https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.1.2/kustomize_{kustomize-version}_windows_amd64.tar.gz[Download]
 33 | 
 34 | | `Ansible`
 35 | | `python -m pip install --user ansible`
 36 | | `sudo dnf install ansible`
 37 | | 
 38 | 
 39 | |===
 40 | 
 41 | The following CLI tools are optional for running the exercises in this tutorial.
 42 | Although they are used in the tutorial, you could use others without any problem.
 43 | 
 44 | [cols="4*^,4*.",options="header,+attributes"]
 45 | |===
 46 | |**Tool**|**macOS**|**Fedora**|**windows**
 47 | 
 48 | | https://github.com/mikefarah/yq[yq v2.4.1]
 49 | | https://github.com/mikefarah/yq/releases/download/2.4.1/yq_darwin_amd64[Download]
 50 | | https://github.com/mikefarah/yq/releases/download/2.4.1/yq_linux_amd64[Download]
 51 | | https://github.com/mikefarah/yq/releases/download/2.4.1/yq_windows_amd64.exe[Download]
 52 | 
 53 | | https://github.com/stedolan/jq[jq v1.6.0]
 54 | | https://github.com/stedolan/jq/releases/download/jq-1.6/jq-osx-amd64[Download]
 55 | | https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64[Download]
 56 | | https://github.com/stedolan/jq/releases/download/jq-1.6/jq-win64.exe[Download]
 57 | 
 58 | | watch
 59 | | `brew install watch`
 60 | | `dnf install procps-ng`
 61 | |
 62 | 
 63 | |===
 64 | 
 65 | 
 66 | [#downloadtutorial]
 67 | == Get tutorial sources
 68 | 
 69 | :tutorial-url: https://github.com/redhat-scholars/acs-workshop.git
 70 | :folder: acs-workshop
 71 | include::https://raw.githubusercontent.com/redhat-developer-demos/rhd-tutorial-common/master/download-sources.adoc[]
 72 | 
 73 | 
 74 | [#kubernetes]
 75 | == Setup OpenShift Cluster
 76 | 
 77 | :profile: acs
 78 | 
 79 | To run OpenShift4, you need to have one provisioned using https://try.openshift.com[try.openshift.com] or can use any existing OpenShift4 cluster.	
 80 | Once you have your cluster, you can download the latest OpenShift client(oc) from https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/[here] and add to your path.	
 81 | 
 82 | You can check the OpenShift version using:
 83 | 
 84 | [.console-input]
 85 | [source,bash,subs="attributes+,+macros"]	
 86 | ----	
 87 | oc version	
 88 | ----
 89 | 
 90 | The output should show oc version >=4.10:	
 91 | 
 92 | [.console-output]
 93 | [source,bash,subs="attributes+,+macros"]	
 94 | ----	
 95 | Client Version: 4.10.0-...
 96 | Kubernetes Version: {kubernetes-version}	
 97 | ----
 98 | 
 99 | And then you are ready for installing RHACS on Openshift.
100 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/02-getting_started.adoc:
--------------------------------------------------------------------------------
  1 | = Getting Started
  2 | include::_attributes.adoc[]
  3 | :profile: acs
  4 | 
  5 | We will install ACS thought the RHACS Operator and afterwards we will install an small demo that will serve examples to our workshop.
  6 | 
  7 | NOTE: You can request in RHPDS the environment already installed (including the demo) - Go to Multi-Product Demo -> Openshift 4 Advanced Cluster Security 4
  8 | 
  9 | [#rhacs_components]
 10 | == RHACS Components
 11 | 
 12 | Red Hat Advanced Cluster Security for Kubernetes (ACS) consists of:
 13 | 
 14 | * The ``Central`` service, which exposes api and console and communicates with Sensors on secured clusters.
 15 | 
 16 | * The ``Scanner`` service, which has the role of scanning the deployed pods images.
 17 | 
 18 | * The ``Sensor``, which monitors your Kubernetes and OpenShift Container Platform clusters.
 19 | 
 20 | * The ``Admision Controller`` which prevent users from creating workloads that violate configured security policies.
 21 | 
 22 | * The ``Collector`` which monitors runtime activity on each node for your secured clusters. It reports to **Sensor**.
 23 | 
 24 | NOTE: You should check the specific version for your RHACS version to check memory/storage requirements ACS components and the sizing guidelines as well.
 25 | 
 26 | [#install_acs_operator]
 27 | == RHACS Operator Installation
 28 | 
 29 | . Find and the Advanced Cluster Security Operator from the Operator Hub.
 30 | +
 31 | image::install/00_operator_hub.png[ACS Operator 1, 800]
 32 | 
 33 | . Install the selected operator by clicking on the ``Install`` button.
 34 | +
 35 | image::install/01_select_acs_operator.png[ACS Operator 2, 800]
 36 | 
 37 | . Confirm default installation parameters (auto update, ``latest channel``, ``rhacs-operator`` namespace).
 38 | +
 39 | image::install/02_install_acs_operator.png[ACS Operator 3, 800]
 40 | 
 41 | . Wait for completion, the installation will take a few seconds.
 42 | +
 43 | image::install/03_wait_for_completion.png[ACS Operator 4, 800]
 44 | 
 45 | . When the installation finishes.
 46 | +
 47 | image::install/04_operator_ready.png[ACS Operator 5, 800]
 48 | 
 49 | . Access the now ready operator by clicking on the ``View Operator`` button.
 50 | +
 51 | image::install/04_operator_installed.png[ACS Operator 6]
 52 | 
 53 | NOTE: This step is not required if you are using the Cloud Service for Red Hat Advanced Cluster Security for Kubernetes (ACS).
 54 | 
 55 | [#install_acs_central]
 56 | == RHACS Central Cluster Installation
 57 | 
 58 | Once the operator has been installed we need to deploy the Central component. This component must be deployed in Red Hat OpenShift 4.9 or higher. However, it can be deployed in Kubernetes but you must carefully read https://access.redhat.com/node/5822721[Red Hat Advanced Cluster Security for Kubernetes Support Policy].
 59 | 
 60 | In this section we will deploy the Central component in the lab cluster. The Central is made up two main deployments:
 61 | 
 62 | * The ``central`` service, which exposes api and console and communicates with Sensors on secured clusters.
 63 | 
 64 | * The ``scanner`` service, which has the role of scanning the deployed pods images.
 65 | 
 66 | === RHACS Central requirements
 67 | 
 68 | Central uses a database referred as Central DB (PostgreSQL 13) and both Central and PostgreSQL require persistent storage. SSD storage is recommended for best performance but different storage can be used as well.
 69 | 
 70 | NOTE: Using an external database is currently a Technology Preview and will not be covered in this workshop.
 71 | 
 72 | RHACS requires external access to:
 73 | 
 74 | . https://definitions.stackrox.io[definitions.stackrox.io] for downloading updated vulnerability definitions.
 75 | . https://collector-modules.stacrox.io[collector-modules.stackrox.io] to download updated kernel support packages.
 76 | 
 77 | === RHACS Central deployment
 78 | 
 79 | RHACS Central deployment can be performed in several ways:
 80 | 
 81 | * <<install_acs_central_web_console>>
 82 | * <<install_acs_central_oc_client>>
 83 | * Using roxctl (CLI)
 84 | * Using Helm Charts
 85 | 
 86 | NOTE: This step is not required if you are using the Cloud Service for Red Hat Advanced Cluster Security for Kubernetes (ACS).
 87 | 
 88 | [#install_acs_central_web_console]
 89 | === Deploying Central using the ACS Operator (Web Console)
 90 | 
 91 | . From the operator _ready screen_ by clicking on ``View Operator`` or navigating to the **Operators → Installed Operators** page. Then, under the **Provided APIs** section, select ``Create Central`` on the ``Central`` API:
 92 | +
 93 | image::install/04_1_create_central_resource.png[ACS Operator 51, 800]
 94 | 
 95 | . Check the ``YAML`` radio button and paste the ``Central`` CR you see below and click on the ``Create`` button.
 96 | +
 97 | image::install/04_2_create_central_resource.png[ACS Operator 52, 800]
 98 | 
 99 | . You can check the progress by switching to the `Developer` perspective, in the `Topology` menu.
100 | +
101 | image::install/04_3_create_central_resource.png[ACS Operator 53, 800]
102 | 
103 | You can also do the same using the ``Developer`` perspective:
104 | +
105 | image::install/04_3_create_central_resource.png[ACS Operator 53, 800]
106 | 
107 | You can also do the same using the ``Developer`` perspective:
108 | 
109 | . Within the ``stackrock`` project selected, **+Add → Import YAML**
110 | +
111 | image::install/04_11_create_central_resource.png[ACS Operator 511, 800]
112 | 
113 | . Paste the YAML content and click on the ``Create`` button:
114 | +
115 | image::install/04_22_create_central_resource.png[ACS Operator 512, 800]
116 | 
117 | [#install_acs_central_oc_client]
118 | === Deploying Central using the oc client (CLI)
119 | 
120 | Log in to your OpenShift cluster and create a new ``stackrox`` namespace (using the web console or the cli as follows). We will install our components here.
121 | 
122 | [.console-input]
123 | [source,bash,subs="attributes+,+macros"]	
124 | ----	
125 | oc new-project stackrox	
126 | ----
127 | 
128 | The following is an example of the central custom resource. You can do this in two ways, via the web console or via the CLI.
129 | 
130 | [.console-input]
131 | [source,yaml,subs="attributes+,+macros"]	
132 | ----	
133 | apiVersion: platform.stackrox.io/v1alpha1
134 | kind: Central
135 | metadata:
136 |   name: stackrox-central-services
137 |   namespace: stackrox
138 | spec:
139 |   central:
140 |     exposure:
141 |       loadBalancer:
142 |         enabled: false
143 |         port: 443
144 |       nodePort:
145 |         enabled: false
146 |       route:
147 |         enabled: true
148 |     persistence:
149 |       persistentVolumeClaim:
150 |         claimName: stackrox-db
151 |   egress:
152 |     connectivityPolicy: Online
153 |   scanner:
154 |     analyzer:
155 |       scaling:
156 |         autoScaling: Enabled
157 |         maxReplicas: 5
158 |         minReplicas: 2
159 |         replicas: 3
160 |     scannerComponent: Enabled	
161 | ----
162 | 
163 | . Create the ``central`` custom resource using the template file provided in this repository.
164 | +
165 | [.console-input]
166 | [source,bash,subs="attributes+,+macros"]	
167 | ----	
168 | oc apply -f stackrox-central-services.yaml -n stackrox
169 | ----
170 | 
171 | . Monitor the installation using the watch option:
172 | +
173 | [.console-input]
174 | [source,bash,subs="attributes+,+macros"]	
175 | ----	
176 | oc get pods -n stackrox -w
177 | ----
178 | 
179 | === RHACS login
180 | 
181 | . Once the installation is complete, obtain and copy the generated admin password from the ``central-htpasswd`` secret.
182 | .. Using the command line:
183 | +
184 | [.console-input]
185 | [source,bash,subs="attributes+,+macros"]	
186 | ----	
187 | oc -n stackrox get secret central-htpasswd -o go-template='{{index .data "password" | base64decode}}'
188 | ----
189 | .. Using the web console, **Secrets** view from the ``Developer`` perspective (search for ``central-htpasswd`` secret):
190 | +
191 | image::install/05_1_login_password.png[ACS Operator 61, 800]
192 | 
193 | . Extract the hostname of the generated route from the command line as follows or using the ``Topology`` view from the web console.
194 | +
195 | [.console-input]
196 | [source,bash,subs="attributes+,+macros"]	
197 | ----	
198 | oc get routes/central -n stackrox -o jsonpath='{.spec.host}'
199 | ----
200 | 
201 | . Login to https://<route_hostname> using the ``admin`` username and the password extracted before.
202 | +
203 | image::install/05_2_login.png[ACS Operator 62, 800]
204 | 
205 | [#config_acs_securedcluster]
206 | == RHACS Secured Cluster Configuration
207 | 
208 | To import a cluster into ACS, you need to generate a cluster init bundle containing TLS secrets for Sensor, Collectors, and Admission Controllers.
209 | 
210 | [#config_acs_securedcluster_init_bundle]
211 | === Generating an init bundle by using the RHACS portal
212 | 
213 | . Generate the cluster init bundle by accessing the ``Integration`` subsection in the ``Platform Configuration`` section 
214 | +
215 | image::install/06_acs_integrations.png[ACS Operator 7, 800]
216 | 
217 | . Generate the bundle with a unique cluster name, in our case, ``demo-cluster``
218 | +
219 | image::install/07_generate_cluster_init_bundle.png[ACS Operator 8, 800]
220 | 
221 | . Download the cluster init bundle secret.
222 | +
223 | image::install/08_download_cluster_init_bundle_secret.png[ACS Operator 9, 800]
224 | 
225 | . Apply the cluster init bundle secret on the target secured cluster
226 | +
227 | [.console-input]
228 | [source,bash,subs="attributes+,+macros"]	
229 | ----	
230 | oc apply -f ~/Downloads/demo-cluster-cluster-init-secrets.yaml -n stackrox
231 | ----
232 | +
233 | [TIP]
234 | ====
235 | You can open the yaml file, copy the content and paste it to the web console using the **+Add → Import YAML** shortcut. As you are ``cluster-admin`` and all the object have the `namespace` key set you will get all the object created in their respective namespaces regrardless the project you choose in the web console (all projects or whatever).
236 | ====
237 | 
238 | [#config_acs_securedcluster_install_scs]
239 | === Installing secured cluster services
240 | 
241 | NOTE: This workshop uses the same cluster as central and secured cluster. In a real time scenario there will be many different secured clusters. Please ensure to install the ACS Operator in all the secured cluster in order to manage the SecuredCluster CR.
242 | 
243 | The ``SecuredCluster`` custom resource is quite simple. The following example shows the configuration for a ``demo-cluster`` target. Notice the ``collector`` configuration, with the collection method set to ``EBPF``. The alternative collection approach would be ``KernelModule``. The ``TolerateTaints`` lets the Collector daemonset be deployed also on nodes with special taints, like the ODF nodes.
244 | 
245 | [.console-input]
246 | [source,yaml,subs="attributes+,+macros"]	
247 | ----	
248 | apiVersion: platform.stackrox.io/v1alpha1
249 | kind: SecuredCluster
250 | metadata:
251 |   name: stackrox-secured-cluster-services
252 |   namespace: stackrox
253 | spec:
254 |   admissionControl:
255 |     listenOnCreates: true
256 |     listenOnEvents: true
257 |     listenOnUpdates: true
258 |   clusterName: demo-cluster
259 |   perNode:
260 |     collector:
261 |       collection: EBPF
262 |       imageFlavor: Regular
263 |     taintToleration: TolerateTaints
264 | ----
265 | 
266 | NOTE: Check the settings of the https://docs.openshift.com/acs/installing/install-ocp-operator.html#addmission-controller-settings_install-ocp-operator[SecuredCluster operator documentation] for more information.
267 | 
268 | . Create the Secured Cluster custom Resource using (and optionally customizing) the example provided in the repository.
269 | +
270 | [.console-input]
271 | [source,bash,subs="attributes+,+macros"]	
272 | ----	
273 | oc apply -f stackrox-secured-cluster-services.yaml -n stackrox
274 | ----
275 | +
276 | Or using the web console, in the ACS operator view, as follows:
277 | +
278 | .. Under the Provided APIs section, select Create instance on the Secured Cluster API
279 | +
280 | image::install/09_create_secured_cluster_resource.png[ACS Operator 9, 800]
281 | 
282 | .. And then copy & paste the yaml content
283 | +
284 | image::install/10_create_secured_cluster_resource_yaml.png[ACS Operator 10, 800]
285 | 
286 | +
287 | Or as in the previous section, with the **+Add → Import YAML** path.
288 | 
289 | . Monitor the installation using the watch option (or using the web console ``Topology`` view from the ``Developer`` perspective as mentioned before):
290 | +
291 | [.console-input]
292 | [source,bash,subs="attributes+,+macros"]	
293 | ----	
294 | oc get pods -n stackrox -w
295 | ----
296 | 
297 | . At the end of the installation, go to the central console and check the correct attachment of the secured cluster. 
298 | +
299 | image::install/11_verify_cluster_list.png[ACS Operator 11, 800]
300 | 
301 | [#deploy_acs_manually]
302 | === Deploying ACS manually
303 | 
304 | We have seen how to deploy ACS using the web user interface but, sometimes it is necessary to automate the deployment using tools such ansible for instance.
305 | 
306 | Let's see how to manually, using the CLI, we can deploy ACS so we will be able to automate it with any tool.
307 | 
308 | First we need to create a namespace to deploy the ACS operator:
309 | 
310 | [.console-input]
311 | [source,bash,subs="attributes+,+macros"]	
312 | ----	
313 | oc new-project rhacs-operator
314 | ----
315 | 
316 | We need to create the operator group creating the following yaml file:
317 | 
318 | [.console-input]
319 | [source,yaml,subs="attributes+,+macros"]	
320 | ----	
321 |   apiVersion: operators.coreos.com/v1
322 |   kind: OperatorGroup
323 |   metadata:
324 |     name: rhacs-operator
325 |     namespace: rhacs-operator
326 | ----
327 | 
328 | Apply the file to create the operator group:
329 | 
330 | [.console-input]
331 | [source,bash,subs="attributes+,+macros"]	
332 | ----	
333 | oc apply -f acs-operator-group.yaml -n rhacs-operator
334 | ----
335 | 
336 | Create the subscription yaml file:
337 | 
338 | [.console-input]
339 | [source,yaml,subs="attributes+,+macros"]	
340 | ----	
341 | apiVersion: operators.coreos.com/v1alpha1
342 | kind: Subscription
343 | metadata:
344 |   name: rhacs-operator
345 |   namespace: rhacs-operator
346 |   labels:
347 |     operators.coreos.com/rhacs-operator.rhacs-operator: ''
348 | spec:
349 |   channel: stable
350 |   installPlanApproval: Automatic
351 |   name: rhacs-operator
352 |   source: redhat-operators
353 |   sourceNamespace: openshift-marketplace
354 | ----
355 | 
356 | Apply the subscription file:
357 | 
358 | [.console-input]
359 | [source,bash,subs="attributes+,+macros"]	
360 | ----	
361 | oc apply -f subscription.yaml
362 | ----
363 | 
364 | At this moment the ACS operator will be installing. It will take sometime to install. Not much, just a few seconds.
365 | 
366 | Now we need to deploy central.  So the first thing is to create the namespace where Central will be deployed:
367 | 
368 | [.console-input]
369 | [source,bash,subs="attributes+,+macros"]	
370 | ----	
371 | oc new-project stackrox
372 | ----
373 | 
374 | The following is an example of the central custom resource:
375 | 
376 | [.console-input]
377 | [source,yaml,subs="attributes+,+macros"]	
378 | ----	
379 | apiVersion: platform.stackrox.io/v1alpha1
380 | kind: Central
381 | metadata:
382 |   name: stackrox-central-services
383 |   namespace: stackrox
384 | spec:
385 |   central:
386 |     exposure:
387 |       loadBalancer:
388 |         enabled: false
389 |         port: 443
390 |       nodePort:
391 |         enabled: false
392 |       route:
393 |         enabled: true
394 |     persistence:
395 |       persistentVolumeClaim:
396 |         claimName: stackrox-db
397 |   egress:
398 |     connectivityPolicy: Online
399 |   scanner:
400 |     analyzer:
401 |       scaling:
402 |         autoScaling: Enabled
403 |         maxReplicas: 5
404 |         minReplicas: 2
405 |         replicas: 3
406 |     scannerComponent: Enabled
407 | ----
408 | 
409 | Create the custom resource:
410 | 
411 | [.console-input]
412 | [source,bash,subs="attributes+,+macros"]	
413 | ----	
414 | oc apply -f stackrox-central-services.yaml -n stackrox
415 | ----
416 | 
417 | Central will be deployed. You can check it:
418 | 
419 | [.console-input]
420 | [source,bash,subs="attributes+,+macros"]	
421 | ----	
422 | oc get pods -n stackrox -w
423 | ----
424 | 
425 | Now you will need to get the ACS admin password:
426 | 
427 | [.console-input]
428 | [source,bash,subs="attributes+,+macros"]	
429 | ----	
430 | oc -n stackrox get secret central-htpasswd -o jsonpath="{.data['password']}" | base64 -d
431 | ----
432 | 
433 | and the ACS Central console URL:
434 | 
435 | [.console-input]
436 | [source,bash,subs="attributes+,+macros"]	
437 | ----	
438 | oc -n stackrox get routes/central -o jsonpath='{.spec.host}'
439 | ----
440 | 
441 | Once the ACS Central is deployed we will need to add clusters into ACS. To add the cluster where we have deployed Central to ACS we need to download the https://mirror.openshift.com/pub/rhacs/assets/4.0.2/bin/Linux/roxctl[roxctl] command.
442 | 
443 | NOTE: You will need to download the version matching the ACS version you have deployed. You can also use a containerized version, but in this workshop we will use the command line tool.
444 | 
445 | We use the _roxctl_ to create the init bundle:
446 | 
447 | [.console-input]
448 | [source,bash,subs="attributes+,+macros"]	
449 | ----	
450 | roxctl -e <ACS CONSOLE URL>:443 central init-bundles generate demo-cluster --insecure-skip-tls-verify --output-secrets /tmp/demo-cluster.yaml --password <ACS ADMIN PASSWORD>
451 | ----
452 | 
453 | Apply the init bundle:
454 | 
455 | [.console-input]
456 | [source,bash,subs="attributes+,+macros"]	
457 | ----	
458 | oc -n stackrox apply -f /tmp/demo-cluster.yaml
459 | ----
460 | 
461 | The secured cluster resource yaml file:
462 | 
463 | [.console-input]
464 | [source,yaml,subs="attributes+,+macros"]	
465 | ----	
466 | apiVersion: platform.stackrox.io/v1alpha1
467 | kind: SecuredCluster
468 | metadata:
469 |   name: acs-secured-cluster-services
470 |   namespace: stackrox
471 | spec:
472 |   admissionControl:
473 |     listenOnCreates: true
474 |     listenOnEvents: true
475 |     listenOnUpdates: true
476 |   clusterName: demo-cluster
477 |   perNode:
478 |     collector:
479 |       collection: EBPF
480 |       imageFlavor: Regular
481 |     taintToleration: TolerateTaints
482 | ----
483 | 
484 | [.console-input]
485 | [source,bash,subs="attributes+,+macros"]	
486 | ----	
487 |  oc -n stackrox apply -f secured-cluster.yaml
488 | ----
489 | 
490 | After that the cluster will have been included in ACS.
491 | 
492 | [#deploy_demo_acs] 
493 | == Deploying Demo in RHACS - Mandatory
494 | 
495 | IMPORTANT: Independent of which option to install you used, you need to deploy the ACS Demo into your cluster.
496 | 
497 | . Download the repo with the demo:
498 | +
499 | [.console-input]
500 | [source,bash,subs="attributes+,+macros"]	
501 | ----
502 | ansible-galaxy collection install kubernetes.core
503 | pip install kubernetes jmespath
504 | git clone https://github.com/rh-mobb/rhacs-demo
505 | cd rhacs-demo
506 | ----
507 | 
508 | . Apply the ansible demo into the cluster:
509 | +
510 | WARNING: you must be logged to the OpenShift cluster before you execute the playbook.
511 | +
512 | [.console-input]
513 | [source,bash,subs="attributes+,+macros"]	
514 | ----
515 | ansible-playbook rhacs-demo.yaml -e stackrox_central_admin_password=[your_pass]<1>
516 | ----
517 | <1> The same password you obtained in the step 1 of the ``ACS login`` section.
518 | 
519 | . After the Playbook execution (and if everything worked properly), the output will be the following:
520 | +
521 | [.console-output]
522 | [source,bash,subs="attributes+,+macros"]	
523 | ----	
524 | TASK [ocp4_workload_stackrox_demo_apps : post_workload tasks complete] ********************************************************
525 | ok: [localhost] => {
526 |     "msg": "Post-Workload Tasks completed successfully."
527 | }
528 | ----
529 | 
530 | [#deploy_apps] 
531 | == Deploying Apps - Optional
532 | 
533 | If you do not plan to follow the remaining sections (which are based on deploying the demo) and prefer to play and make your own findings, simply follow the steps below:
534 | 
535 | . Create a new project:
536 | +
537 | [.console-input]
538 | [source,bash,subs="attributes+,+macros"]	
539 | ----	
540 | oc new-project test
541 | ----
542 | 
543 | . Start some applications with critical vulnerabilities:
544 | +
545 | [.console-input]
546 | [source,bash,subs="attributes+,+macros"]	
547 | ----	
548 | oc run shell --labels=app=shellshock,team=test-team \
549 |   --image=vulnerables/cve-2014-6271 -n test
550 | ----
551 | +
552 | [.console-input]
553 | [source,bash,subs="attributes+,+macros"]	
554 | ----	
555 | oc run samba --labels=app=rce \
556 |   --image=vulnerables/cve-2017-7494 -n test
557 | ----
558 | 
559 | . Navigate to the RHACS portal to view the violations.
560 | +
561 | image::violations/00-test-example.png[ACS Operator 7, 800]
562 | 
563 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/03-overview-acs.adoc:
--------------------------------------------------------------------------------
 1 | = Overview RHACS
 2 | include::_attributes.adoc[]
 3 | :profile: acs
 4 | 
 5 | In this section we will face the following:
 6 | 
 7 | * How to deploy ACS.
 8 | * ACS Architecture.
 9 | * The ACS Dashboard.
10 | 
11 | [#acs_architecture]
12 | == RHACS Architecture
13 | 
14 | The StackRox Kubernetes Security Platform installs as a set of pods in your Kubernetes or OpenShift cluster and includes the following components:
15 | 
16 | image::architecture_acs.png[RHACS Architecture, 800]
17 | 
18 | * https://docs.openshift.com/acs/architecture/acs-architecture.html#centralized-components_acs-architecture[**Central**]: [Centralized components] Central is the main component of Red Hat Advanced Cluster Security for Kubernetes and it is installed as a Kubernetes deployment. It handles data persistence, API interactions, and user interface (Portal) access. You can use the same Central instance to secure multiple OpenShift Container Platform or Kubernetes clusters.
19 | 
20 | * https://docs.openshift.com/acs/architecture/acs-architecture.html#centralized-components_acs-architecture[**Scanner**]: [Centralized component] Red Hat Advanced Cluster Security for Kubernetes includes an image vulnerability scanning component called Scanner. It analyzes all image layers to check for known vulnerabilities from the Common Vulnerabilities and Exposures (CVEs) list. Scanner also identifies vulnerabilities in packages installed by package managers and in dependencies for multiple programming languages. 
21 | 
22 | * https://docs.openshift.com/acs/architecture/acs-architecture.html#per-cluster-components_acs-architecture[**Sensor**]: [1 x Per Cluster] Red Hat Advanced Cluster Security for Kubernetes uses the Sensor component to monitor Kubernetes and OpenShift Container Platform clusters. It handles interactions with the OpenShift Container Platform or Kubernetes API server for policy detection and enforcement, and it coordinates with Collector. 
23 | 
24 | * https://docs.openshift.com/acs/architecture/acs-architecture.html#per-cluster-components_acs-architecture[**Admission controller**]: [1 x Cluster] The admission controller prevents users from creating workloads that violate security policies in Red Hat Advanced Cluster Security for Kubernetes. [1 x Admission Controller]
25 | 
26 | * https://redhat-scholars.github.io/acs-workshop/acs-workshop/03-overview-acs.html#acs_architecture[**Collector**]: [1 x Node OCP/K8s Nodes] Collector collects and monitors information about container runtime and network activity. It then sends the collected information to Sensor.
27 | 
28 | 
29 | NOTE: Scanner only scans those images that are not already scanned by other integrated vulnerability scanners. It means that if you have integrated Red Hat Advanced Cluster Security for Kubernetes with other vulnerability scanners, Scanner checks and uses the scanning results from the integrated scanner if available.
30 | 
31 | [#dashboard_acs]
32 | == RHACS Dashboard
33 | 
34 | When login in RHACS we will get the RHACS Dashboard:
35 | 
36 | image::dashboard/acs_dashboard.png[ACS Dashboard, 800]
37 | 
38 | In the RHACS Dashboard we have three main sections:
39 | 
40 | * The header.
41 | * The menu.
42 | * The information.
43 | 
44 | [#dashboard_acs_header]
45 | === Dashboard Header
46 | 
47 | image::dashboard/acs_dashboard_header.png[ACS Dashboard, 800]
48 | 
49 | [#dashboard_acs_menu]
50 | === Dashboard Left Menu
51 | 
52 | image::dashboard/acs_dashboard_menu.png[ACS Dashboard, 150]
53 | 
54 | NOTE: **Network Graph (1.0)** will be deprecated and will be replaced by the **Network Graph 2.0** version which is included as a https://access.redhat.com/support/offerings/techpreview[Technology Preview].
55 | 
56 | In the left part of the dashboard we can see the different sections we can access in RHACS to gather information about the security in the clusters we have configured in RHACS.
57 | 
58 | Later we will go deeper in each of them. For the time being, we will introduce each of these:
59 | 
60 | * **Dashboard**, where we are in this moment. We can get a summarize vision of our environment.
61 | * **Network Graph**, we can get information about the configured network flows and the real ones. We can use to create Network Policies to implement network segmentation.
62 | * **Violations**, we can get all the events that do not match the defined security policies.
63 | * **Compliance**, we can get the compliance of out environment according to several indistry and regulatory security standards such as **PCI DSS**.
64 | * **Vulnerability Management**, get information about known vulnerabilities which are affecting your environment. Not only deployed workloads but infrastructure as well.
65 | * **Configuration Management**, review configuration to prevent possible misconfigurations which can lead to security issues.
66 | * **Risk**, review risks affecting your environment such as suspicious executions.
67 | * **Platform Configuration**, ACS configuration and integrations.
68 | 
69 | [#dashboard_acs_information]
70 | === Dashboard Information
71 | 
72 | image::dashboard/acs_dashboard_information.png[RHACS Dashboard, 800]
73 | 
74 | We can get a summary about the security state of the whole environment.
75 | 
76 | You can browse and click in each part to get more information.
77 | 
78 | You can spend a time browsing the information in Dashboard to get familiarized to. In the following sections we will go deeper in each one of them.
79 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/04-vulnerabilities.adoc:
--------------------------------------------------------------------------------
  1 | = Vulnerability Management in ACS
  2 | include::_attributes.adoc[]
  3 | :profile: acs
  4 | 
  5 | [#vulnerability_management_panel]
  6 | == Vulnerability Management main panel
  7 | 
  8 | Let’s start with Vulnerability Management, a familiar topic for most security teams.
  9 | 
 10 | The overview provides several important reports - where the vulnerabilities are, which are the most widespread or the most recent, where my Docker images are coming from, and important vulnerabilities in OpenShift itself. 
 11 | 
 12 | image::vulnerabilities/40_vuln.png[ACS Vulnerabilities, 800]
 13 | 
 14 | More important than fixing any one vulnerability is establishing a process to keep container images updated and to prevent the promotion through the pipeline for images that have serious, fixable vulnerabilities.
 15 | 
 16 | * In the upper right, you’ll see buttons to link you to all policies, CVEs, and images, and a menu to bring you to reports by cluster, namespace, deployment, and component.
 17 | * Point out the **Top Riskiest Images** panel in the upper right
 18 | 
 19 | WARNING: For the following sections, please note that the order in which the images appear or the number of components affected may vary depending on the version of the demo app (changes prone).
 20 | 
 21 | [#image_overview_image_details]
 22 | == Image overview and image details
 23 | 
 24 | In **Top Riskiest Images** panel, click on ``VIEW ALL`` button. 
 25 | Now you will see that the images are listed here in order of risk, based on the number and severity of the vulnerabilities present in the components in the images.
 26 | 
 27 | * Lets see it:
 28 | +
 29 | image::vulnerabilities/top-riskiest-images.png[Top Riskies Images, 600]
 30 | +
 31 | We can see the images which are more exposed. Not only we can see the number of CVEs affecting the images but which of them are fixable. You can click and get information about the CVEs and the fixable ones.
 32 | 
 33 | * In the Top Riskiest Images, click on #4, mastercard-processor:latest.
 34 | +
 35 | image::vulnerabilities/02-vuln.png[Vuln 2, 800]
 36 | +
 37 | NOTE: if you don't have the exact image in the Top Riskiest Images, go to "View All" button, and filter by the name of Mastercard processor.
 38 | +
 39 | RHACS built-in vulnerability scanner breaks down images into layers and components - where components can be operating-system installed packages, or dependencies installed by programming languages like Python, Javascript, or Java.
 40 | +
 41 | The Image Summary provides the important security details of the image overall, with links to the components. For example, in the **DETAILS & METADATA → Image OS** panel, the information you see there tells you that this image has a serious security problem - the base image was imported several years ago (Debian 8 - 2015).
 42 | +
 43 | You can also see, at the top, the warning that CVE data is stale - that this image has a base OS version whose distribution has stopped providing security information on, and has likely stopped publishing security fixes for. 
 44 | +
 45 | At the bottom, the Image Findings section focuses on Fixable vulnerabilities, sorted by CVSS.
 46 | 
 47 | * Under the Image Findings section, Click on Dockerfile tab:
 48 | +
 49 | image::vulnerabilities/03-vuln.png[Vuln 3, 700]
 50 | +
 51 | The Dockerfile tab view shows the layer-by-layer view and, as you can see, the most recent layers are also several years old.
 52 | +
 53 | Time is not kind to images and components - as vulnerabilities are discovered, RHACS will display newly discovered CVEs.
 54 | 
 55 | [#scanning_images]
 56 | == Scanning images for vulnerabilities
 57 | 
 58 | By default information about vulnerabilities is show for all the images:
 59 | 
 60 | * Active images, which are those images that are deployed.
 61 | * Inactive images, which are those images that are not deployed.
 62 | 
 63 | image::vulnerabilities/active_inactive.png[ActiveInactive, 700]
 64 | 
 65 | Only active images will be scanned for vulnerabilities. If we want to scan inactive images we will need to mark the image as watched, so you will need to click on **Manage Watches**:
 66 | 
 67 | image::vulnerabilities/01-inactive.png[ActiveInactive, 700]
 68 | 
 69 | Add the inactive image you want to scan for vulnerabilities:
 70 | 
 71 | image::vulnerabilities/02-inactive.png[ActiveInactive, 700]
 72 | 
 73 | [#filtering_vulnerabilities_scans]
 74 | == Filtering vulnerabilities scans
 75 | 
 76 | Using the search box we can filter the results for the vulnerabilities scan:
 77 | 
 78 | image::vulnerabilities/01-filter.png[ActiveInactive, 700]
 79 | 
 80 | As usual que can use some tags to filter, as **CVE**, **CVE Type**, ...
 81 | 
 82 | image::vulnerabilities/02-filter.png[ActiveInactive, 700]
 83 | 
 84 | We can use regular expresions as well. For instance, we are not usually interested in inactive images vulnerabilities because there is no deployment using it. For this reason we are not probably interested in checking the vulneratilities for the inactive images. We can filter them using **Deployment r/.+** as filter. That filter means to list all the images where the deployment field is not empty, i.e. active images:
 85 | 
 86 | image::vulnerabilities/03-filter.png[ActiveInactive, 700]
 87 | 
 88 | As you can see only the active images are displayed to check the vulnerabilities.
 89 | 
 90 | [#review_cve_images]
 91 | == Image CVE Vulnerability Analysis
 92 | 
 93 | * Click back to the Fixable CVEs tab.
 94 | +
 95 | The CVE list for each image focuses on the severe - CVSS >7 - and the “fixable,” where the upstream package maintainers have published a fix. 
 96 | 
 97 | * We don’t think it’s practical to ask your teams to fix Linux or Javascript - but we think it’s reasonable to ask them to pick up fixes published by those communities.
 98 | +
 99 | image::vulnerabilities/04-vuln.png[Vuln 4, 700]
100 | 
101 | * Click on a Fixable CVE in the list, like CVE-2018-14618
102 | +
103 | image::vulnerabilities/05-vuln.png[Vuln 5, 700]
104 | +
105 | This CVE for example is very serious - scoring 9.8/10 - and fixable. 
106 | +
107 | It’s a vulnerability in curl and libcurl - and these packages are present either because it was part of a base image, or it was deliberately added by a developer in one of the Dockerfile layers.
108 | 
109 | NOTE: RHACS scanner uses to fetch and update the vulnerability definitions from http://definitions.stackrox.io/. On the other hand collector-modules.stackrox.io is the other FQDN that will be used in online mode.
110 | These two are used by Central in RHACS to fetch vulnerability details and collector modules.
111 | 
112 | [#image_correlation_deployments]
113 | == Image CVE correlation with Deployments
114 | 
115 | All of this CVE detail is well and good, but it’s a bit noisy.
116 | 
117 | How do we judge the true risk - which vulnerabilities are likely to be exploited?
118 | 
119 | In other words. Which vulnerabilities do we really have to fix first?
120 | 
121 | RHACS can use other sources of information in OpenShift to judge the risk that a given vulnerability would be exploited, and hence to set priorities for fixes.
122 | 
123 | The first risk factor - is the vulnerable component actually in a running deployment?
124 | 
125 | * Click on the 6 Deployments button in the Related Entities column on the right.
126 | +
127 | image::vulnerabilities/06-vuln.png[Vuln 6, 700]
128 | +
129 | These are the five deployments running right now with containers that come from images with this vulnerability present.
130 | “Up and running” is a risk factor - vulnerabilities are only going to be exploited if they’re in a running container somewhere in the cluster.
131 | +
132 | We display the critical information here - so you can see that we have this present in the Production cluster, in Namespaces like Payments, which starts to provide context to the security team.
133 | +
134 | The last column on the right is the Risk priority - which RHACS has already determined from configuration and runtime activity in the deployment.
135 | So - of these five deployments, the visa-processor is most likely to be exploited. How is this determined?
136 | 
137 | Continue to the next section - Risks for find out!


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/05-risk.adoc:
--------------------------------------------------------------------------------
  1 | = Risk Management in RHACS
  2 | include::_attributes.adoc[]
  3 | :profile: acs
  4 | 
  5 | [#risk_dashboard]
  6 | == Risks main dashboard
  7 | 
  8 | Let’s take a look at the Risk view, where we go beyond the basics of vulnerabilities to understand how deployment configuration and runtime activity impact the likelihood of an exploit occurring and how successful those exploits will be.
  9 | 
 10 | image::risks/01-risks.png[RHACS Risks 1, 800]
 11 | 
 12 | This list view shows all deployments, in all clusters and namespaces, ordered by Risk priority.
 13 | 
 14 | Risk is also influenced by runtime activity - and Deployments that have activity that could indicate a breach in progress have a red dot on the left.
 15 | Obviously - the first one in the list should be our first focus.
 16 | 
 17 | The reality of security is that it’s just not possible to tackle all sources of Risk, so organizations end up prioritizing their efforts. We want RHACS to help inform that prioritization.  
 18 | 
 19 | [#risk_single_deployment_details]
 20 | == Single Deployment Details
 21 | 
 22 | * Click on the number 1 deployment, **visa-processor** to bring up the ``RISK INDICATORS``
 23 | +
 24 | image::risks/02-risks.png[RHACS Risks 2, 350]
 25 | +
 26 | The details tab shows why this deployment is considered such a high risk.
 27 | +
 28 | The deployment has serious, fixable vulnerabilities, but it also has configurations like network ports and service exposure outside the cluster, making it more likely to be attacked.
 29 | +
 30 | In addition, other configurations like privileged containers mean that a successful attacker has access to the underlying host network and filesystem, including other containers running on that host.
 31 | 
 32 | * Navigate to the bottom of the ``RISK INDICATORS`` page to the RBAC configuration section
 33 | +
 34 | image::risks/03-risks.png[RHACS Risks 3, 400]
 35 | +
 36 | At the bottom, we see another serious problem: the service account associated with this deployment has been given ``cluster admin`` privileges, which means that a successful attacker gains full control over this entire OpenShift cluster which could result in compromise of the entire cluster.
 37 | 
 38 | All of these configurations are gleaned automatically by RHACS from OpenShift, and the built-in policies assign a risk score to each, meaning that this Risk report is available as soon as you start running RHACS.
 39 | 
 40 | [#risk_process_discovery]
 41 | == Process Discovery / Runtime
 42 | 
 43 | Navigate to the ``PROCESS DISCOVERY`` tab of the details page.
 44 | 
 45 | Even a perfectly configured application has the potential for an attacker to gain access and cause havoc.
 46 | 
 47 | Here we show how RHACS continuously monitors runtime activity within pods in the deployment, building a baseline of observed behavior, and tracking deviations from that baseline.
 48 | 
 49 | * Click on the header bar within the ``Event Timeline`` section ( in the picture, at any point on the surface covered by the red rectangle )
 50 | +
 51 | image::risks/04-risks.png[RHACS Risks 4, 500]
 52 | +
 53 | The event timeline shows us, for each pod, the process activity that has occurred over time. 
 54 | 
 55 | * Click on the squares / circles for process activity
 56 | +
 57 | image::risks/05-risks.png[RHACS Risks 5, 700]
 58 | +
 59 | If you click in the __greater than__ symbol (pointed by the red arrow in the above picture) you can expand the activity and see the containers inside the pod.
 60 | +
 61 | image::risks/05_1-risks.png[RHACS Risks 51, 700]
 62 | 
 63 | We can take advantage of the constrained lifecycle of containers for better runtime incident detection and response.
 64 | 
 65 | Containers should be pretty boring - they’re not general purpose Virtual machines. They typically have a period of startup, with some initialization, and then settle down to a small number of processes running continuously and making or receiving connections.
 66 | 
 67 | Deviations from the baseline can be used to take enforcement action and alert team members. Runtime activity rules can be combined with other activity
 68 | 
 69 | [#risk_filtering]
 70 | == Filtering
 71 | 
 72 | Most UI pages have a filters section at the top that allows you to narrow the reporting view to matching or non-matching criteria.
 73 | 
 74 | Almost all of the attributes that RHACS gathers are filterable
 75 | 
 76 | It’s really useful here in Risk when you know what you’re looking for - when you want answers to questions like “what applications have CVE-2020-1008 present".
 77 | 
 78 | For example, let's use the following filters: 
 79 | [.console-input]
 80 | [source,bash,subs="attributes+,+macros"]	
 81 | ----	
 82 | Filtering 
 83 | Process Name - Java
 84 | CVE - CVE-2017-7376 (libxml2)
 85 | ----
 86 | 
 87 | **Translated:** "Finding deployments that are running ``java`` processes and are affected by the ``CVE-2017-7376`` vulnerability".
 88 | 
 89 | * Click in the ``Filters`` bar (at the top, red rectangle). Start Typing "Process Name" and select the ``Process Name`` key ones it appears / autocompletes. Then type ``java``, press enter and click away to get the filters dropdown to clear.
 90 | +
 91 | image::risks/06-risks.png[RHACS Risks 6, 800]
 92 | +
 93 | Do the same to add the ``CVE`` filter (is one of the keys shown by default).
 94 | 
 95 | [TIP]
 96 | ====
 97 | Now that we’ve searched for interesting criteria, we can create a policy from the search filter to automatically identify our criteria going forward.
 98 | We can do that by clicking the ``Create Policy`` button, at the upper right (indicated by the red arrow in the above picture) and following the form steps.
 99 | ====
100 | 
101 | Now let's review the Network Graph and the Network Policies in RHACS!


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/06-network_graph-2.0.adoc:
--------------------------------------------------------------------------------
 1 | = Network Graph 2.0 (TP)
 2 | include::_attributes.adoc[]
 3 | :profile: acs
 4 | 
 5 | [#network_graph_overview-2]
 6 | == Network Graph Overview
 7 | 
 8 | IMPORTANT: **Network Graph 2.0** is in Technology Preview and will replace xref:06-network_graph.adoc[Network Graph].
 9 | 
10 | The Network Graph is a flow diagram, firewall diagram, and firewall rule builder in one.
11 | 
12 | image::network-flow/03-network.png[Network Flow 1, 800]
13 | 
14 | In the upper left you’ll see the dropdown for clusters so I can easily navigate between any of the clusters that are connected to RHACS.
15 | 
16 | * The default view, Active, shows me actual traffic for the Past Hour between the deployments in all of the namespaces.
17 | 
18 | image::network-flow/00-network.png[Network Flow 1, 600]
19 | 
20 | You can change the time frame in the upper right dropdown, and the legend at bottom left 
21 | 
22 | * Zoom in on Backend Namespace
23 | 
24 | As we zoom in, the namespace boxes show the individual deployment names
25 | 
26 | * Click on ```api-server``` deployment.
27 | 
28 | * Clicking on a deployment brings up details of the types of traffic observed including source or destination and ports.
29 | 
30 | image::network-flow/01-network.png[Network Flow 1, 800]
31 | 
32 | [#network_graph_views-2]
33 | == Network Graph Views
34 | 
35 | In the Network Graph view, you can configure the type of connections you want to see. In the Flows section (upper left), select:
36 | 
37 | * **Active** to view only active connections.
38 | * **Allowed** to view only allowed network connections.
39 | * **All** to view both active and allowed network connections.
40 | 
41 | * Let’s switch the view from active connections to the firewall view - Allowed.
42 | 
43 | image::network-flow/02-network.png[Network Flow 2, 800]
44 | 
45 | This allows us to quickly see the disconnect between what we’ve actually seen happening, versus the wide-open view we see here
46 | 
47 | The red dots indicate an unrestricted deployment that is an open network.
48 | 
49 | The dashed lines indicate a namespace with no restrictions on egress and in conflict with best practices required under several compliance standards.
50 | 
51 | [#network_policy_simulator-2]
52 | == Network Policy Simulator
53 | 
54 | * Click on Network Policy Simulator button in the top right
55 | 
56 | image::network-flow/04-network.png[Network Flow 4, 400]
57 | 
58 | The Network Policy Simulator is designed to help solve this problem by using the history of observed traffic to build firewall rules.
59 | Click on Generate and Simulate
60 | 
61 | You’ll notice, though, that the firewall rules we’re generating are not proprietary rules, but OpenShift-native Network Policy objects.
62 | This feature, more than any other, illustrates the philosophy that RHACS represents: Security through platform-native features, with fixes supplied as configuration for OpenShift.
63 | 
64 | By implementing stronger security through declarative code we believe this avoids the anti-pattern of having configuration rules in a separate system - this code becomes part of your application, ensuring the consistency of “single source of truth” from your codebase.
65 | 
66 | This approach also reduces operational risk since there is no proprietary firewall in your cluster or in your pods that could fail, causing an application outage.
67 | RHACS is leveraging the firewall that’s already in your OpenShift cluster.
68 | 
69 | image::network-flow/05-network.png[Network Flow 5, 800]
70 | 
71 | You’ll see this approach - “fix it in the code,” “leverage the platform,” - everywhere throughout the product - and we’ll take a look at what those policies look like, with examples of policy violations.


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/06-network_graph.adoc:
--------------------------------------------------------------------------------
 1 | = Network Graph
 2 | include::_attributes.adoc[]
 3 | :profile: acs
 4 | 
 5 | [#network_graph_overview]
 6 | == Network Graph Overview
 7 | 
 8 | IMPORTANT: **Network Graph 1.0** will be deprecated and will be replaced by xref:06-network_graph-2.0.adoc[Network Graph 2.0].
 9 | 
10 | The Network Graph is a flow diagram, firewall diagram, and firewall rule builder in one.
11 | 
12 | image::network-flow/03-network.png[Network Flow 1, 800]
13 | 
14 | In the upper left you’ll see the dropdown for clusters so I can easily navigate between any of the clusters that are connected to RHACS.
15 | 
16 | * The default view, Active, shows me actual traffic for the Past Hour between the deployments in all of the namespaces.
17 | 
18 | image::network-flow/00-network.png[Network Flow 1, 600]
19 | 
20 | You can change the time frame in the upper right dropdown, and the legend at bottom left 
21 | 
22 | * Zoom in on Backend Namespace
23 | 
24 | As we zoom in, the namespace boxes show the individual deployment names
25 | 
26 | * Click on ```api-server``` deployment.
27 | 
28 | * Clicking on a deployment brings up details of the types of traffic observed including source or destination and ports.
29 | 
30 | image::network-flow/01-network.png[Network Flow 1, 800]
31 | 
32 | [#network_graph_views]
33 | == Network Graph Views
34 | 
35 | In the Network Graph view, you can configure the type of connections you want to see. In the Flows section (upper left), select:
36 | 
37 | * **Active** to view only active connections.
38 | * **Allowed** to view only allowed network connections.
39 | * **All** to view both active and allowed network connections.
40 | 
41 | * Let’s switch the view from active connections to the firewall view - Allowed.
42 | 
43 | image::network-flow/02-network.png[Network Flow 2, 800]
44 | 
45 | This allows us to quickly see the disconnect between what we’ve actually seen happening, versus the wide-open view we see here
46 | 
47 | The red dots indicate an unrestricted deployment that is an open network.
48 | 
49 | The dashed lines indicate a namespace with no restrictions on egress and in conflict with best practices required under several compliance standards.
50 | 
51 | [#network_policy_simulator]
52 | == Network Policy Simulator
53 | 
54 | * Click on Network Policy Simulator button in the top right
55 | 
56 | image::network-flow/04-network.png[Network Flow 4, 400]
57 | 
58 | The Network Policy Simulator is designed to help solve this problem by using the history of observed traffic to build firewall rules.
59 | Click on Generate and Simulate
60 | 
61 | You’ll notice, though, that the firewall rules we’re generating are not proprietary rules, but OpenShift-native Network Policy objects.
62 | This feature, more than any other, illustrates the philosophy that RHACS represents: Security through platform-native features, with fixes supplied as configuration for OpenShift.
63 | 
64 | By implementing stronger security through declarative code we believe this avoids the anti-pattern of having configuration rules in a separate system - this code becomes part of your application, ensuring the consistency of “single source of truth” from your codebase.
65 | 
66 | This approach also reduces operational risk since there is no proprietary firewall in your cluster or in your pods that could fail, causing an application outage.
67 | RHACS is leveraging the firewall that’s already in your OpenShift cluster.
68 | 
69 | image::network-flow/05-network.png[Network Flow 5, 800]
70 | 
71 | You’ll see this approach - “fix it in the code,” “leverage the platform,” - everywhere throughout the product - and we’ll take a look at what those policies look like, with examples of policy violations.
72 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/07-violations.adoc:
--------------------------------------------------------------------------------
 1 | = Violations
 2 | include::_attributes.adoc[]
 3 | :profile: acs
 4 | 
 5 | Using Red Hat Advanced Cluster Security for Kubernetes you can view policy violations, drill down to the actual cause of the violation, and take corrective actions.
 6 | 
 7 | Red Hat Advanced Cluster Security for Kubernetes built-in policies identify a variety of security findings, including vulnerabilities (CVEs), violations of DevOps best practices, high-risk build and deployment practices, and suspicious runtime behaviors. Whether you use the default out-of-box security policies or use your own custom policies, Red Hat Advanced Cluster Security for Kubernetes reports a violation when an enabled policy fails.
 8 | 
 9 | [#violations_overview]
10 | == Violations Dashboard Overview
11 | 
12 | Violations record all of the specific times where a policy criteria has been met by any of the objects in your cluster - images and their components, deployments, runtime activity.
13 | 
14 | Think of it as the “stream” of events that have occurred, although we don’t want this to just be a “to-do” list for incident response folks.
15 | 
16 | image::violations/01-violations.png[Violations 1, 600]
17 | 
18 | [#violations_example]
19 | == Violations Build & Deploy Example
20 | 
21 | * Click on a Violation of the "Fixable Severity at least Important". You may have to look for one! The violation details appear on the right.
22 | 
23 | image::violations/02-violations.png[Violations 2, 800]
24 | 
25 | Here’s an example of the details recorded for a policy violated at deployment time.
26 | 
27 | You’ll see that it’s the same information presented in a CI/CD tool or developer console when using the build-time integration.
28 | 
29 | [#violations_runtime]
30 | == Violations Runtime Example
31 | 
32 | * Click on a Violation of the "Netcat Execution Detected" in Image policy. Again, you may have to look or search (filter) for it. The violation details appear on the right.
33 | 
34 | image::violations/03-violations.png[Violations 3, 600]
35 | 
36 | This violation is a runtime incident - so it has a different set of details and actions available.
37 | 
38 | The forensic data recorded will be familiar to most incident response team - the “who, what, when, where, and why” of the activity, including process names, arguments, UIDs, container IDs
39 | 
40 | In this case, for our demo, there’s been no enforcement of the action, just a notification, and the team has options to resolve or suppress these notifications in the future.
41 | 
42 | IMPORTANT: The violations are per Deployment, not per pod! 
43 | 
44 | [#violations_behaviour]
45 | == Violations Behaviour
46 | 
47 | What happens if you not resolve a Violation in a Deployment, or if the same violation happened again (with the same parameters)?
48 | 
49 | A unique violation is not always generated per event, but those events and details are summarized in the violation details itself.
50 | 
51 | This behavior is expected. Since it is the same running deployment that you are updating through your pipeline, and this first violation is not resolved.  
52 | If new CVEs present themselves, those are of course updated based on any changes to the image. 
53 | 
54 | But a violation will not trigger if we have already analyzed it is currently violating that policy from the original 
55 | time stamp of when it was detected, and nothing else has changed
56 | 
57 | If the change to the deployment represented new violations, then those would appear. Or, if you deleted the deployment and redeployed a new one for example.
58 | 
59 | For example, "Ubuntu Package Manager Execution". If I had an outstanding violation present from Time X, when it was first detected, and the same pod executes 24 hours later at time Y, the result would be additive, where I would see the details of those executions (First Occurrence, Last Occurrence and then each individual event execution) under the same violation summary
60 | 
61 | [#policy_summary]
62 | == Policy Summary
63 | 
64 | RHACS has a number of built-in policies to detect activity that’s related to attacker goals: gain a foothold, maintain a presence, move laterally, and exfiltrate data.
65 | The continuous runtime monitoring observes all container activity and will automatically respond to events with appropriate enforcement and notification
66 | 
67 | * In the right hand side details of the Violation, click on the Policy tab
68 | 
69 | image::violations/04-violations.png[Violations 4, 500]
70 | 
71 | But that would be missing out on an opportunity - RHACS wants to go one step further, to take advantage of the ephemeral, immutable nature of containers to improve security in a measurable way going forward.
72 | 
73 | We are, essentially, using runtime incidents as a learning opportunity to improve security going forward by constraining how our containers can act.


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/08-compliance.adoc:
--------------------------------------------------------------------------------
  1 | = Compliance Operator and Compliance in ACS
  2 | include::_attributes.adoc[]
  3 | :profile: acs
  4 | 
  5 | The OpenShift Compliance Operator allows OpenShift Container Platform administrators to define the desired compliance state of a cluster and provides an overview of gaps and ways to remediate any non-compliant policy.
  6 | 
  7 | The OpenShift Compliance Operator assesses both Kubernetes API resources and OpenShift Container Platform resources, as well as the nodes running the cluster. The Compliance Operator uses OpenSCAP, a NIST-certified tool, to scan and enforce security policies provided by the content.
  8 | 
  9 | Red Hat Advanced Cluster Security for Kubernetes supports OpenShift Container Platform configuration compliance standards through an integration with the OpenShift Container Platform Compliance Operator. In addition, it allows you to measure and report on configuration security best practices for OpenShift Container Platform.
 10 | 
 11 | [#compliance_dashboard]
 12 | == Review Compliance Dashboard
 13 | 
 14 | [#compliance_dashboard_scan]
 15 | === Execute the first Compliance Scan
 16 | 
 17 | Once the RHACS is installed the first compliance scan needs to be executed to ensure that the Compliance results are available. So let's execute our first Compliance Scan.
 18 | 
 19 | Compliance Dashboard without the First Compliance Scan 
 20 | 
 21 | image::compliance/00_compliance_dash.png[ACS 1, 800]
 22 | 
 23 | Run compliance scanner
 24 | 
 25 | image::compliance/01_compliance_scan.png[ACS 2, 300]
 26 | 
 27 | Compliance Result
 28 | 
 29 | image::compliance/02_compliance_result.png[ACS 3, 800]
 30 | 
 31 | TODO: Add more descriptions in compliance dashboard scan
 32 | 
 33 | [#compliance_dashboard_review]
 34 | === Review the Compliance Reports in the Compliance Dashboard
 35 | 
 36 | The compliance reports gather information for configuration, industry standards, and best practices for container-based workloads running in OpenShift.
 37 | 
 38 | In many ways, you’ve already seen the compliance features - because they’re tied to controls that we saw in Risk, in the Network Graph, and in Policies
 39 | 
 40 | Each standard represents a series of controls, with guidance provided by StackRox on the specific OpenShift configuration or DevOps process required to meet that control.
 41 | 
 42 | * Click on PCI, or the PCI percentage bar, in the upper-left “Passing Standards Across Clusters” graph
 43 | 
 44 | * Click on Control 1.1.4, “Requirements for a firewall…”
 45 | 
 46 | image::compliance/00_compliance_pci.png[ACS 4, 800]
 47 | 
 48 | For example, PCI-DSS has controls that refer to firewalls and DMZ - not exactly cloud-native
 49 | 
 50 | In OpenShift, that requirement, and other isolation requirements, is met by Network Policies, and the 32% compliance score here indicates that only about one third of my deployments have correctly defined policies.
 51 | 
 52 | * Click on Compliance tab from the left hand side menu
 53 | 
 54 | * Click on NIST SP 800-190. Click on Control 4.1.1, “Image vulnerabilities…”
 55 | 
 56 | * Similarly - NIST 800-190, the application containers security standard, requires a pipeline-based build approach to mitigating vulnerabilities in images.
 57 | 
 58 | image::compliance/00_compliance_pci2.png[ACS 4_2, 800]
 59 | 
 60 | Because we added enforcement to the CVSS >7 policy, we now meet the requirement dictated by control 4.1.1, and the 0% score changes to 100% because we now have the control in place to prevent known vulnerabilities from being deployed
 61 | 
 62 | [#compliance_dashboard_ns]
 63 | === Namespace Compliance Details
 64 | 
 65 | * Click on Compliance tab on the left hand side menu
 66 | * Click on Namespaces in the top toolbar of the compliance page
 67 | 
 68 | Of course, like every other report - it’s also valuable to break this data down by Clusters, Namespaces, and Deployments.
 69 | 
 70 | Namespaces in particular - being able to see, application-by-application, or team-by-team, where the gaps in compliance are.
 71 | 
 72 | [#compliance_dashboard_report]
 73 | === Evidence Export
 74 | 
 75 | * Click on Compliance tab on the left hand side menu
 76 | * Last thing about compliance - you’re only as compliant as you can prove!
 77 | * Click on the Export button in the upper right to show the “Evidence as CSV” option
 78 | 
 79 | This is the evidence export that your auditors will want to see for proof that the security controls mandated are actually in place.
 80 | 
 81 | 
 82 | [#compliance_operator]
 83 | == Integrating the OpenShift Compliance Operator with ACS 
 84 | 
 85 | Red Hat Advanced Cluster Security for Kubernetes supports OpenShift Container Platform configuration compliance standards through an integration with the OpenShift Container Platform Compliance Operator. 
 86 | 
 87 | Follow the next steps to install and integrate the Compliance Operator with Advanced Cluster Security.
 88 | 
 89 | * Create a Namespace object YAML file by running:
 90 | 
 91 | [.console-input]
 92 | [source,bash,subs="attributes+,+macros"]	
 93 | ----	
 94 | oc apply -f co-ns.yaml
 95 | ----
 96 | 
 97 | [.console-output]
 98 | [source,bash,subs="attributes+,+macros"]	
 99 | ----	
100 | apiVersion: v1
101 | kind: Namespace
102 | metadata:
103 |   name: openshift-compliance	
104 | ----
105 | 
106 | * Create the Compliance Operator OperatorGroup object YAML file by running:
107 | 
108 | [.console-output]
109 | [source,bash,subs="attributes+,+macros"]	
110 | ----	
111 | apiVersion: operators.coreos.com/v1
112 | kind: OperatorGroup
113 | metadata:
114 |   name: compliance-operator
115 |   namespace: openshift-compliance
116 | spec:
117 |   targetNamespaces:
118 |   - openshift-compliance	
119 | ----
120 | 
121 | [.console-input]
122 | [source,bash,subs="attributes+,+macros"]	
123 | ----	
124 | oc apply -f co-og.yaml
125 | ----
126 | 
127 | * Create the Compliance Operator Subscription object YAML file by running:
128 | 
129 | [.console-output]
130 | [source,bash,subs="attributes+,+macros"]	
131 | ----	
132 | apiVersion: operators.coreos.com/v1alpha1
133 | kind: Subscription
134 | metadata:
135 |   name: compliance-operator-sub
136 |   namespace: openshift-compliance
137 | spec:
138 |   channel: "release-0.1"
139 |   installPlanApproval: Automatic
140 |   name: compliance-operator
141 |   source: redhat-operators
142 |   sourceNamespace: openshift-marketplace
143 | ----
144 | 
145 | [.console-input]
146 | [source,bash,subs="attributes+,+macros"]	
147 | ----	
148 | oc apply -f co-subs.yaml
149 | ----
150 | 
151 | * Verify the installation succeeded by inspecting the CSV file:
152 | 
153 | [.console-input]
154 | [source,bash,subs="attributes+,+macros"]	
155 | ----	
156 | oc get csv -n openshift-compliance | grep compliance
157 | ----
158 | 
159 | [.console-output]
160 | [source,bash,subs="attributes+,+macros"]	
161 | ----	
162 | oc get csv -n openshift-compliance | grep compliance
163 | compliance-operator.v0.1.39   Compliance Operator   0.1.39   Succeeded
164 | ----
165 | 
166 | * Verify that the Compliance Operator is up and running:
167 | 
168 | [.console-input]
169 | [source,bash,subs="attributes+,+macros"]	
170 | ----	
171 | oc get pod -n openshift-compliance
172 | ----
173 | 
174 | [.console-output]
175 | [source,bash,subs="attributes+,+macros"]	
176 | ----	
177 | oc get pod -n openshift-compliance
178 | NAME                                            READY   STATUS    RESTARTS   AGE
179 | compliance-operator-5989ff994b-mrhc9            1/1     Running   1          4m42s
180 | ocp4-openshift-compliance-pp-6d7c7db4bd-2gnrf   1/1     Running   0          3m2s
181 | rhcos4-openshift-compliance-pp-c7b548bd-k4sz2   1/1     Running   0          3m2s
182 | ----
183 | 
184 | [#compliance_operator_scan]
185 | === Running compliance scans
186 | 
187 | We now want to make sure that the nodes are scanned appropiately. For this, we’ll need a ScanSettingsBinding, this bind a profile with scan settings in order to get scans to run.
188 | 
189 | * Create a ScanSettingBinding object that binds to the default ScanSetting object and scans the cluster using the cis and cis-node profiles.
190 | 
191 | [.console-input]
192 | [source,bash,subs="attributes+,+macros"]	
193 | ----	
194 | oc apply -f co-scan.yaml
195 | ----
196 | 
197 | [.console-output]
198 | [source,bash,subs="attributes+,+macros"]	
199 | ----	
200 | apiVersion: compliance.openshift.io/v1alpha1
201 | kind: ScanSettingBinding
202 | metadata:
203 |   name: cis-scan
204 |   namespace: openshift-compliance
205 | profiles:
206 | - apiGroup: compliance.openshift.io/v1alpha1
207 |   kind: Profile
208 |   name: ocp4-cis
209 | settingsRef:
210 |   apiGroup: compliance.openshift.io/v1alpha1
211 |   kind: ScanSetting
212 |   name: default
213 | ----
214 | 
215 | * Check the scansettingbinding generated:
216 | 
217 | [.console-input]
218 | [source,bash,subs="attributes+,+macros"]	
219 | ----	
220 | oc get scansettingbinding cis-scan -n openshift-compliance -o yaml
221 | ----
222 | 
223 | * With this the scan will start as you can check with the CRD of ComplianceScan.
224 | 
225 | [.console-input]
226 | [source,bash,subs="attributes+,+macros"]	
227 | ----	
228 | oc get compliancescan -n openshift-compliance ocp4-cis
229 | ----
230 | 
231 | [.console-output]
232 | [source,bash,subs="attributes+,+macros"]	
233 | ----	
234 |  oc get compliancescan -n openshift-compliance
235 | NAME       PHASE     RESULT
236 | ocp4-cis   RUNNING   NOT-AVAILABLE
237 | ----
238 | 
239 | * After the scan is done, you'll see it was persistent in the relevant namespace:
240 | 
241 | [.console-input]
242 | [source,bash,subs="attributes+,+macros"]	
243 | ----	
244 | oc get compliancescan -n openshift-compliance
245 | 
246 | ----
247 | 
248 | [.console-output]
249 | [source,bash,subs="attributes+,+macros"]	
250 | ----	
251 | NAME       PHASE   RESULT
252 | ocp4-cis   DONE    NON-COMPLIANT
253 | ----
254 | 
255 | [#compliance_operator_acs_review]
256 | === Review Compliance Scans of the Compliance Operator in RHACS
257 | 
258 | After completing the previous steps, you will be able to find the results from the Compliance Operator compliance reports in RHACS.
259 | 
260 | * If RHACS was installed prior to the Compliance Operator, we'll need to restart the ACS sensor in the OpenShift cluster to see these results.
261 | 
262 | [.console-input]
263 | [source,bash,subs="attributes+,+macros"]	
264 | ----	
265 | oc delete pods -l app.kubernetes.io/component=sensor -n stackrox
266 | ----
267 | 
268 | * With the Sensor restarted, kick off a compliance scan in ACS to see the updated results:
269 | 
270 | image::compliance/01_compliance_scan.png[ACS 4, 300]
271 | 
272 | In the ACS User Interface, select Compliance from the left menu, and click Scan Environment in the top menu bar.
273 | The scan should only take a few seconds; once it's complete you should see entries for both the ACS built-in and compliance operator standards:
274 | 
275 | * Check that the ocp4-cis report from the Compliance Operator is shown in ACS Compliance Dashboard:
276 | 
277 | image::compliance/03_compliance_operator_in_acs.png[ACS 5, 500]
278 | 
279 | * To see the detailed results, click on the name or bar of any of the standards. To investigate the results of the OpenShift CIS benchmark scan, for example, click ocp4-cis: 
280 | 
281 | image::compliance/04_co_acs_detail.png[ACS 6, 800]
282 | 
283 | For more information check the https://docs.openshift.com/container-platform/4.8/security/compliance_operator/compliance-scans.html[Compliance Operator guide]
284 | 
285 | [#acs_policy_compliance]
286 | == Configure Policy in RHACS to Invoke Compliance related Controls
287 | 
288 | The Built-in standards in RHACS Compliance provide guidance on required configurations to meet each individual control. Standards like PCI, HIPAA, and NIST 800-190 are focused on workloads visible to RHACS, and apply to all workloads running in any Kubernetes cluster that RHACS is installed in.
289 | 
290 | Much of the control guidance can be implemented using RHACS policies, and providing appropriate policy with enforcement in RHACS can change compliance scores.
291 | 
292 | As an example, we'll look at a control in the NIST 800-190 that requires that container images be kept up to date, and to use meaningful version tags: "practices should emphasize accessing images using immutable names that specify discrete versions of images to be used."
293 | 
294 | WARNING: This configuration will change the behavior of your Kubernetes clusters and possibly result in preventing new deployments from being created. After testing, you can quickly revert the changes using the instructions at the end of this section.
295 | 
296 | * Inspect the NIST 800-190 Guidance for Control 4.2.2
297 | * Navigate back to the RHACS Compliance page.
298 | * In the section labeled "PASSING STANDARDS ACROSS CLUSTERS", click on NIST 800-190.
299 | * Scroll down to control 4.2.2 and examine the control guidance on the right.
300 | 
301 | The control guidance reads:
302 | "StackRox continuously monitors the images being used by active deployments. StackRox provides
303 | built-in policies that detects if images with insecure tags are being used or if the image being used is pretty old.
304 | Therefore, the cluster is compliant if there are policies that are being enforced that discourages such images from being
305 | deployed."
306 | 
307 | image::compliance/05_nist0.png[RHACS 7, 700]
308 | 
309 | [#acs_policy_compliance_nist]
310 | === Enforce Policies that Meet Guidance for NIST Control 4.2.2
311 | 
312 | There are two separate default system policies that, together, meet this control's guidance, "90-day Image Age," and "Latest tag". Both must have enforcement enabled for this control to be satisfied.
313 | 
314 | 1. Navigate to Platform Configuration -> Policy Management
315 | 1. Find and click on the policy named, "90-day Image Age" which by default is second in the list. We're not going to change this policy other than to enable enforcement.
316 | 1. Click Actions -> Edit Policy to get to the Policy settings.
317 | 1. Click Next at the bottom panel to get to the Policy Behavior page.
318 | 1. On the response method options, click Inform and Enforce.
319 | 1. Click on for both Build and Deploy enforcement. 
320 | 1. Click Next at the bottom panel until you get to Review Policy page.
321 | 1. Click Save.
322 | 1. At the main Policy Management page, find the Policy named, "Latest tag" and repeat steps 3 - 8 to enable enforcement and save the policy.
323 | 
324 | image::compliance/06_nist1.png[RHACS 8, 400]
325 | 
326 | [#acs_policy_compliance_nist_view]
327 | === View Updated Compliance Scan Results in RHACS
328 | 
329 | * In order to see the impact on NIST 800-190 scores:
330 | * Navigate back to the compliance page.
331 | * Click "Scan Environment" in the upper right.
332 | * In the section labeled "PASSING STANDARDS ACROSS CLUSTERS", click on NIST 800-190.
333 | * Scroll down to control 4.2.2 and verify that the control now reports 100% compliance.
334 | 
335 | image::compliance/07_nist2.png[RHACS 9, 700]
336 | 
337 | [#acs_policy_compliance_nist_revert]
338 | === Revert the Policy Changes
339 | 
340 | To avoid rejecting any other deployments to the cluster, you should disable the enforcement after viewing the updated RHACS results.
341 | 
342 | Navigate to Platform Configuration -> Policy Management
343 | Find and click on the policy named, "90-day Image Age" which by default is second in the list. Click Edit to get to the Policy settings.
344 | 
345 | * Click Actions -> Edit Policy to get to the Policy settings.
346 | * Click Next at the bottom panel to get to the Policy Behavior page.
347 | * On the response method options, click Inform.
348 | * Click Next at the bottom panel until you get to Review Policy page.
349 | * Click Save.
350 | * At the main Policy Management page, find the Policy named, "Latest tag" and repeat the steps to disable enforcement and save the policy.
351 | 
352 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/09-configuration_management.adoc:
--------------------------------------------------------------------------------
 1 | = Configuration Management
 2 | include::_attributes.adoc[]
 3 | :profile: acs
 4 | 
 5 | Learn how to use the Configuration Management view and understand the correlation between various entities in your cluster to manage your cluster configuration efficiently.
 6 | 
 7 | [#conf_management_overview]
 8 | == Configuration Management Overview
 9 | 
10 | Every OpenShift Container Platform cluster includes many different entities distributed throughout the cluster, which makes it more challenging to understand and act on the available information.
11 | 
12 | Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides efficient configuration management that combines all these distributed entities on a single page. It brings together information about all your clusters, namespaces, nodes, deployments, images, secrets, users, groups, service accounts, and roles in a single Configuration Management view, helping you visualize different entities and the connections between them.
13 | 
14 | * To open the Configuration Management view, select Configuration Management from the left-hand navigation menu. Similar to the Dashboard, it displays some useful widgets.
15 | 
16 | image::configmgmt/01-config.png[Config 1, 800]
17 | 
18 | These widgets are interactive and show the following information:
19 | 
20 | * Security policy violations by severity
21 | * The state of CIS (Center for Information Security) Docker and Kubernetes benchmark controls
22 | * Users with administrator rights in the most clusters
23 | * Secrets used most widely in your clusters
24 | 
25 | [#conf_management_cis]
26 | == Configuration Management CIS
27 | 
28 | The header in the Configuration Management view shows you the number of policies and CIS controls in your cluster. The header includes drop-down menus that allow you to switch between entities. For example, you can:
29 | 
30 | * Click Policies to view all policies and their severity, or select CIS Controls to view detailed information about all controls.
31 | 
32 | image::configmgmt/02-config.png[Config 2, 800]
33 | 
34 | * Click Application and Infrastructure and select clusters, namespaces, nodes, deployments, images, and secrets to view detailed information.
35 | 
36 | image::configmgmt/03-config.png[Config 3, 400]
37 | 
38 | * Click RBAC Visibility and Configuration and select users and groups, service accounts, and roles to view detailed information.
39 | 
40 | image::configmgmt/04-config.png[Config 4, 800]
41 | 
42 | 
43 | 
44 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/10-system_policies.adoc:
--------------------------------------------------------------------------------
 1 | = System Policies in RHACS
 2 | include::_attributes.adoc[]
 3 | :profile: acs
 4 | 
 5 | [#system_policies_overview]
 6 | == System Policies Overview
 7 | 
 8 | Red Hat Advanced Cluster Security for Kubernetes allows you to use out-of-the-box security policies and define custom multi-factor policies for your container environment. 
 9 | 
10 | Configuring these policies enables you to automatically prevent high-risk service deployments in your environment and respond to runtime security incidents.
11 | 
12 | image::policies/00-policies.png[RHACS Policies 0, 800]
13 | 
14 | All of the policies that ship with the product are designed with the goal of providing targeted remediation that improves security hardening.
15 | 
16 | You’ll see this list contains many Build and Deploy time policies to catch misconfigurations early in the pipeline, but also Runtime policies that point back to specific hardening recommendations.
17 | 
18 | These policies come from us at Red Hat - our expertise, our interpretation of industry best practice, and our interpretation of common compliance standards, but you can modify them or create your own.
19 | 
20 | [#system_policies_example]
21 | == System Policies Build and Deploy Example
22 | 
23 | * Click on the Red Hat Package Manager in Image Policy. Highlight the right-hand side policy details.
24 | 
25 | image::policies/01-policies.png[RHACS Policies 1, 800]
26 | 
27 | This is what an RHACS policy looks like - front and center you can see the Rationale and Remediation designed to give the DevOps team some context about why this issue is important for security, and more importantly, what to do about the issue.
28 | 
29 | You might get the impression that we don’t like Package Managers!
30 | 
31 | While useful, in a container context they just represent a tool that an attacker can use to install software, and don’t have a legitimate use - a container should ship with all of the dependencies it requires.
32 | 
33 | image::policies/02-policies.png[RHACS Policies 2, 400]
34 | 
35 | Policy criteria can cross the build, deploy, and runtime lifecycles.
36 | 
37 | For example, policies that highlight vulnerabilities in deployments with privileged containers in that deployment.
38 | 
39 | Another example might runtime criteria - like execution of shell commands - in containers in deployments that have external network exposure.
40 | 
41 | It’s easy to write a policy that prevents use of compilers and other build tools - except in development clusters, in namespaces for CI/CD tools.
42 | 
43 | There are no “silos” - other tools require you to manage policies for vulnerabilities and runtime separately.
44 | 
45 | The unified policy engine allows for targeted conditions and targeted enforcement, easily allowing exceptions for specific applications once approved by security.
46 | 
47 | [#system_policies_enforcement]
48 | == System Policies Enforcement
49 | 
50 | * Click on the Fixable Severity at least important policy in the list. (It’s usually 20-30 rows down. You can also filter for it by typing “fixable” in the filters bar.
51 | 
52 | image::policies/03-policies.png[RHACS Policies 3, 400]
53 | 
54 | As you’ve seen - RHACS focuses on empowering and encouraging developers to understand and resolve security issues in their own deployments.
55 | 
56 | Sometimes we have to balance the carrot with a little stick, because security officers need to know that dangerous misconfigurations won’t be promoted and deployed in certain environments, and that’s where enforcement of policy comes in.
57 | 
58 | * Click Action -> Edit Policy in the upper right of the policy
59 | * Click Next to see Policy Behavior
60 | 
61 | Enforcement is another demonstration of Kubernetes-native security, leveraging the pipeline process to prevent unacceptable risks.
62 | 
63 | In the absence of CI/CD integration, or for images that are promoted without going through CI/CD, we leverage the built-in power of a Kubernetes Admission Controller to decide if a deployment can be created.
64 | 
65 | We’re essentially programming OpenShift to prevent security risk
66 | Security gets their enforcement, and DevOps sees a “normal” failure from the OpenShift API, with clear remediation steps instead of a nebulous error that forces them to go open a ticket or look in another console.
67 | 
68 | * Click ON for both Build and Deploy enforcement.
69 | * Click Next at the bottom panel until you get to Review Policy page.
70 | * Click Save.
71 | 
72 | image::policies/04-policies.png[RHACS Policies 4, 400]
73 | 
74 | NOTE: TODO add new policies section
75 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/11-integrations.adoc:
--------------------------------------------------------------------------------
  1 | = Integrations
  2 | include::_attributes.adoc[]
  3 | :profile: acs
  4 | 
  5 | NOTE: In RHACS the Scanner component only scans those images that are not already scanned by other integrated vulnerability scanners. It means that if you have integrated Red Hat Advanced Cluster Security for Kubernetes with other vulnerability scanners, Scanner checks and uses the scanning results from the integrated scanner if available.
  6 | 
  7 | [#integrate_with_internal_openshift_registry]
  8 | == Integrate RHACS with the Internal Openshift Registry 
  9 | 
 10 | Idea originally posted by Mark Roberts in https://cloud.redhat.com/blog/using-red-hat-advanced-cluster-security-with-the-openshift-registry[this great blog post], and adapt to consume internally 
 11 | 
 12 | Red Hat Advanced Cluster Security can be used to scan images held within OpenShift image streams (the OpenShift registry). 
 13 | 
 14 | This can be helpful within continuous integration processes, to enable organizations to scan images for policy violations and vulnerabilities prior to pushing the image to an external container registry. 
 15 | 
 16 | In this way, the quality of container images that get to the external registry improves, and triggered activities that result from a new image appearing in the registry only happen for a good reason.
 17 | 
 18 | Generate a namespace and extract the token name of the pipeline serviceaccount
 19 | 
 20 | [.console-input]
 21 | [source,bash,subs="attributes+,+macros"]	
 22 | ----	
 23 | export NSINTEGRATION="integration-internal-registry"
 24 | 
 25 | oc new-project $NSINTEGRATION
 26 | 
 27 | SECRET_TOKEN_NAME=$(oc get sa -n $NSINTEGRATION pipeline -o jsonpath='{.secrets[*]}' | jq -r .name | grep token)
 28 | 
 29 | PIPELINE_TOKEN=$(oc get secret -n $NSINTEGRATION $SECRET_TOKEN_NAME -o jsonpath='{.data.token}' | base64 -d)
 30 | echo $PIPELINE_TOKEN
 31 | 
 32 | oc policy add-role-to-user admin system:serviceaccount:$NSINTEGRATION:pipeline -n $NSINTEGRATION
 33 | ----
 34 | 
 35 | NOTE: TODO change the permissions to this - https://github.com/redhat-cop/gitops-catalog/blob/main/advanced-cluster-security-operator/instance/overlays/internal-registry-integration/stackrox-image-puller-sa.yaml
 36 | 
 37 | [#integrate_with_internal_openshift_registry_config_acs]
 38 | === Configure RHACS integration for Internal Openshift Registry
 39 | 
 40 | To allow the roxctl command line interface to scan the images within the OpenShift registry, add an integration of type “Generic Docker Registry'', from the Platform Configuration - Integrations menu.
 41 | 
 42 | Fill in the fields as shown in figure 1, giving the integration a unique name that should include the cluster name for practicality. Paste in the username and token and select Disable TLS certificate validation if you need insecure https communication to a test cluster, for example.
 43 | 
 44 | Press the test button to validate the connection and press “save” when the test is successful.
 45 | 
 46 | image::integrations/03-registry_ocp_internal.png[RHACS Integrations 1, 800]
 47 | 
 48 | TODO: Finish the integration!!
 49 | 
 50 | [#integrate_acs_slack]
 51 | == Integrate RHACS Notifications with Slack
 52 | 
 53 | If you are using Slack, you can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Slack.
 54 | 
 55 | Create a new Slack app, enable incoming webhooks, and get a webhook URL. 
 56 | 
 57 | To do this step, follow the https://docs.openshift.com/acs/integration/integrate-with-slack.html#configure-slack_integrate-with-slack[Configuration Slack documentation guide] for generate a slack channel and the webhook url into the Slack workspace.
 58 | 
 59 | On the RHACS portal, navigate to Platform Configuration -> Integrations.
 60 | 
 61 | image::integrations/04-integration-slack.png[RHACS Integrations Slack 1, 800]
 62 | 
 63 | Create a new integration in Red Hat Advanced Cluster Security for Kubernetes by using the webhook URL.
 64 | 
 65 | image::integrations/05-integrations-slack.png[RHACS Integrations Slack 2, 600]
 66 | 
 67 | NOTE: the webhook URL will have the format of "https://hooks.slack.com/services/ZZZ/YYY/XXX"
 68 | 
 69 | Click Test and check the Slack Channel:
 70 | 
 71 | image::integrations/07-integrations-slack.png[RHACS Integrations Slack 3, 500]
 72 | 
 73 | NOTE: by default all the notifications in the system policies are disabled. If you have not configured any other integrations, you will see No notifiers configured!.
 74 | 
 75 | For enable the Policy Notifications, select a System Policy and click on Actions, then Enable Notification:
 76 | 
 77 | image::integrations/08-integrations-slack.png[RHACS Integrations Slack 4, 700]
 78 | 
 79 | Then in the System Policy selected, in the Notification will appear the Slack notification that it's enabled.
 80 | 
 81 | image::integrations/06-integrations-slack.png[RHACS Integrations Slack 5, 600]
 82 | 
 83 | When a System Policy is violated, and appears in Violations, will be sent a Notification to Slack though the Slack integration notifier showing the information of the System Policy violated and more details about that:
 84 | 
 85 | image::integrations/09-integrations-slack.png[RHACS Integrations Slack 6, 700]
 86 | 
 87 | [#integrate_acs_oauth]
 88 | == Integrate RHACS with OpenShift OAuth
 89 | 
 90 | Red Hat Advanced Cluster Security (RHACS) Central is installed with one administrator user by default. Typically, customers request an integration with existing Identity Provider(s) (IDP). 
 91 | 
 92 | RHACS offers different options for such integration. In this section we will see the integration with OpenShift OAuth.
 93 | 
 94 | NOTE: It is assumed that RHACS is already installed and login to the Central UI is available. 
 95 | 
 96 | . Login to your RHACS and select “Platform Configuration” > “Access Control”
 97 | +
 98 | image::integrations/01-oauth.png[OAuth 1, 400]
 99 | 
100 | . From the drop down menu Add auth provider select OpenShift Auth
101 | +
102 | image::integrations/02-oauth.png[OAuth 2, 200]
103 | 
104 | . Enter a Name for your provider and select a default role which is assigned to any user who can authenticate.
105 | It is recommended to select the role None, so new accounts will have no privileges in RHACS.
106 | With Rules you can assign roles to specific users, based on their userid, name, mail address or groups.
107 | For example the user with the name admin gets the role Admin assigned. On the other hand the user1 will have the role of Continuous Integration.
108 | +
109 | image::integrations/03-oauth.png[OAuth 3, 800]
110 | 
111 | . After Save the integration will appear as Auth Provider
112 | +
113 | image::integrations/04-oauth.png[OAuth 4, 800]
114 | 
115 | . In a private windows of your browser login into the RHACS portal, and check the OpenShift OAuth auth provider that you set up
116 | +
117 | image::integrations/05-oauth.png[OAuth 5, 400]
118 | 
119 | . Login first with the admin user
120 | +
121 | image::integrations/06-oauth.png[OAuth 6, 400]
122 | 
123 | . Admin user will have the role Admin in RHACS, so will have full privileges in the RHACS console. Check that you have full view of the Violations or Compliance among others.
124 | +
125 | image::integrations/07-oauth.png[OAuth 7, 700]
126 | 
127 | . Logout and login again but this time with the user user1 instead
128 | +
129 | image::integrations/08-oauth.png[OAuth 8, 500]
130 | 
131 | . This user have very limited privileges and for example cannot see the Violations in the cluster neither compliance
132 | +
133 | image::integrations/09-oauth.png[OAuth 9, 800]
134 | 
135 | . This user only have the role of the Continuous Integration, so will only have access to the CVE analysis in the Vulnerability Management among others, but not other actions like the Violations, Policies, etc
136 | +
137 | image::integrations/10-oauth.png[OAuth 10, 800]
138 | 
139 | [#integrate_acs_sso]
140 | == Integrate RHACS with Red Hat Single Sign On
141 | 
142 | The following steps will create some basic example objects to an existing RHSSO or Keycloak to test the authentication at RHACS.
143 | 
144 | . Create the namespace for the single-sign-on
145 | +
146 | [.console-input]
147 | [source,bash,subs="attributes+,+macros"]	
148 | ----	
149 | oc new-project single-sign-on
150 | ----
151 | 
152 | . Create the OperatorGroup for install the RHSSO operator
153 | +
154 | [.console-output]
155 | [source,bash,subs="attributes+,+macros"]	
156 | ----	
157 | apiVersion: operators.coreos.com/v1
158 | kind: OperatorGroup
159 | metadata:
160 |   annotations:
161 |     olm.providedAPIs: Keycloak.v1alpha1.keycloak.org,KeycloakBackup.v1alpha1.keycloak.org,KeycloakClient.v1alpha1.keycloak.org,KeycloakRealm.v1alpha1.keycloak.org,KeycloakUser.v1alpha1.keycloak.org
162 |   generateName: single-sign-on
163 |   name: single-sign-on
164 | spec:
165 |   targetNamespaces:
166 |     - single-sign-on
167 | ----
168 | +
169 | [.console-input]
170 | [source,bash,subs="attributes+,+macros"]	
171 | ----	
172 | oc apply -f sso-og.yaml
173 | ----
174 | 
175 | . Create the Subscription Operator for the RHSSO
176 | +
177 | [.console-output]
178 | [source,bash,subs="attributes+,+macros"]	
179 | ----	
180 | apiVersion: operators.coreos.com/v1alpha1
181 | kind: Subscription
182 | metadata:
183 |   name: rhsso-operator
184 | spec:
185 |   channel: alpha
186 |   installPlanApproval: Manual
187 |   name: rhsso-operator
188 |   source: redhat-operators
189 |   sourceNamespace: openshift-marketplace
190 | ----
191 | +
192 | [.console-input]
193 | [source,bash,subs="attributes+,+macros"]	
194 | ----	
195 | oc apply -f sso-subs.yaml
196 | ----
197 | 
198 | . Create an instance of Keycloak
199 | +
200 | [.console-output]
201 | [source,bash,subs="attributes+,+macros"]	
202 | ----
203 | apiVersion: keycloak.org/v1alpha1
204 | kind: Keycloak
205 | metadata:
206 |   name: rhacs-keycloak
207 |   namespace: single-sign-on
208 | spec:
209 |   externalAccess:
210 |     enabled: true
211 |   instances: 1
212 | ----
213 | +
214 | [.console-input]
215 | [source,bash,subs="attributes+,+macros"]	
216 | ----
217 | oc apply -f sso-instance.yaml
218 | ----
219 | 
220 | . Create the Realm for the installation called **Basic**
221 | +
222 | [.console-output]
223 | [source,bash,subs="attributes+,+macros"]	
224 | ----
225 | apiVersion: keycloak.org/v1alpha1
226 | kind: KeycloakRealm
227 | metadata:
228 |  name: rhacs-keycloakrealm
229 |  namespace: single-sign-on
230 | spec:
231 |  instanceSelector:
232 |    matchLabels:
233 |      app: sso
234 |  realm:
235 |    displayName: Basic Realm
236 |    enabled: true
237 |    id: basic
238 |    realm: basic
239 | ----
240 | +
241 | [.console-input]
242 | [source,bash,subs="attributes+,+macros"]	
243 | ----
244 | oc apply -f sso-realm.yaml
245 | ----
246 | 
247 | . Login into Red Hat SSO. Get the route to your RHSSO instance and log into the Administration Interface.
248 | +
249 | [.console-input]
250 | [source,bash,subs="attributes+,+macros"]	
251 | ----
252 | oc get route keycloak -n single-sign-on --template='{{ .spec.host }}'
253 | ----
254 | 
255 | . Extract the admin password for Keycloak. The secret name is build from "credential"<keycloak-instance-name>
256 | +
257 | [.console-input]
258 | [source,bash,subs="attributes+,+macros"]	
259 | ----
260 | oc extract secret/credential-rhacs-keycloak -n single-sign-on --to=-
261 | ----
262 | +
263 | [.console-output]
264 | [source,bash,subs="attributes+,+macros"]	
265 | ----
266 | # ADMIN_PASSWORD
267 | <you password>
268 | # ADMIN_USERNAME
269 | admin
270 | ----
271 | 
272 | . Be sure to select your Realm (Basic in our case), goto Clients and select a ClientID and enable the option Implicit Flow
273 | +
274 | image::integrations/01-sso.png[SSO 1, 800]
275 | 
276 | . Get the Issuer URL from your realm. This is typically your:
277 | +
278 | image::integrations/02-sso.png[SSO 2, 800]
279 | +
280 | [.console-output]
281 | [source,bash,subs="attributes+,+macros"]	
282 | ----
283 | https://<KEYCLOAK_URL>/auth/realms/<REALM_NAME>;
284 | ----
285 | 
286 | . It's time to Create Test Users to login! 
287 | In RHSSO create 2 user accounts to test the authentication later. Goto Users and create the users:
288 | +
289 | [.console-output]
290 | [source,bash,subs="attributes+,+macros"]	
291 | ----
292 | User: acsadmin
293 | First Name: acsadmin
294 | ----
295 | +
296 | image::integrations/04-sso.png[SSO 3, 800]
297 | +
298 | [.console-output]
299 | [source,bash,subs="attributes+,+macros"]	
300 | ----
301 | User: user1
302 | First Name: user 1
303 | ----
304 | +
305 | You can set any other values for these users. However, be sure to set a password for both, after they have been created.
306 | 
307 | 
308 | . To configure RHACS Authentication: RHSS, login to your RHACS and select “Platform Configuration” > “Access Control”
309 | +
310 | image::integrations/03-sso.png[SSO 3, 800]
311 | 
312 | * Enter a “Name” for your provider i.e. “Single Sign On”
313 | * Leave the “Callback Mode” to the “Auto-Select” setting
314 | * Enter your Issuer URL
315 | * As Client ID enter account (or the ClientID you would like to use)
316 | * Leave the Client Secret empty and select the checkbox Do not use Client Secret which is good enough for our tests.
317 | * Remember the two callback URL from the blue box. They must be configured in Keycloak.
318 | * Select a default role which is assigned to any user who can authenticate.
319 | * It is recommended to select the role None, so new accounts will have no privileges in RHACS.
320 | 
321 | . With Rules you can assign roles to specific users, based on their userid, name, mail address or groups.
322 | +
323 | image::integrations/05-sso.png[SSO 5, 800]
324 | +
325 | For example the user with the name admin (which have been created previously in our RHSSO) gets the role Admin assigned.
326 | 
327 | . What is left to do is the configuration of redirect URLs. These URLs are shown in the RHACS Authentication Provider configuration (see blue field in the image above)
328 | +
329 | image::integrations/06-sso.png[SSO 6, 800]
330 | 
331 | . Log back into RHSSO and select “Clients” > “account”
332 | 
333 | . Into Valid Redirect URLs enter the two URLs which you saved from the blue box in the RHACS configuration.
334 | +
335 | image::integrations/07-sso.png[SSO 7, 800]
336 | 
337 | . Verify Authentication with OpenShift Auth. 
338 | 
339 | . Logout from the Central UI and reload the browser.
340 | 
341 | . Select from the drop down Single Sign On
342 | +
343 | image::integrations/08-sso.png[SSO 8, 800]
344 | 
345 | . Try to login with a valid SSO user.
346 | Depending on the Rules which have been defined during previous steps the appropriate permissions should be assigned.
347 | +
348 | For example: If you login as user acsadmin the role Admin is assigned.
349 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/12-platform_configuration.adoc:
--------------------------------------------------------------------------------
  1 | = RHACS Secure Cluster Management
  2 | include::_attributes.adoc[]
  3 | :profile: acs
  4 | 
  5 | 
  6 | [#secured_clusters]
  7 | == Install additional RHACS Secured Clusters
  8 | 
  9 | To monitor a cluster, you must deploy a Sensor. The following steps describe adding a sensor by using the RHACS portal
 10 | 
 11 | * On the RHACS portal, navigate to Platform Configuration > Clusters.
 12 | * Select + New Cluster.
 13 | * Specify a name for the cluster - production
 14 | 
 15 | image::multicluster/0_multi.png[RHACS Multi 0, 800]
 16 | 
 17 | * Click Next and download the zip:
 18 | 
 19 | [.console-input]
 20 | [source,bash,subs="attributes+,+macros"]	
 21 | ----	
 22 | unzip -d sensor sensor-[cluster-name].zip
 23 | 
 24 | ./sensor/sensor.sh
 25 | ----	
 26 | 
 27 | NOTE: the installation of the sensor will ask you to your dockerhub account, just use one dummy account if you want to avoid the integration with dockerhub registry.
 28 | 
 29 | * Once the process finished without errors, check the pods:
 30 | 
 31 | [.console-input]
 32 | [source,bash,subs="attributes+,+macros"]	
 33 | ----	
 34 | oc get pod -n stackrox
 35 | ----	
 36 | 
 37 | The pods of the admission controllers (one per master), the collectors and the sensor, will be in Running state:
 38 | 
 39 | [.console-output]
 40 | [source,bash,subs="attributes+,+macros"]	
 41 | ----	
 42 |  
 43 | NAME                                 READY   STATUS    RESTARTS   AGE
 44 | admission-control-6b6bcfbf48-bsldm   1/1     Running   0          80s
 45 | admission-control-6b6bcfbf48-rrppt   1/1     Running   0          80s
 46 | admission-control-6b6bcfbf48-w9wv6   1/1     Running   0          80s
 47 | collector-52jlx                      2/2     Running   0          76s
 48 | collector-8pc44                      2/2     Running   0          76s
 49 | collector-lgqqw                      2/2     Running   0          76s
 50 | collector-qdvbq                      2/2     Running   0          76s
 51 | collector-qlst8                      2/2     Running   0          76s
 52 | collector-vr8h6                      2/2     Running   0          76s
 53 | collector-z2frz                      2/2     Running   0          76s
 54 | sensor-6b4d8447b5-bjhbz              1/1     Running   0          75s
 55 | ----
 56 | 
 57 | [.console-input]
 58 | [source,bash,subs="attributes+,+macros"]	
 59 | ----	
 60 | oc get pod -n stackrox
 61 | ----	
 62 | 
 63 | The output should show oc version >=4.7:	
 64 | 
 65 | [.console-output]
 66 | [source,bash,subs="attributes+,+macros"]	
 67 | ----	
 68 |  
 69 | NAME                                 READY   STATUS    RESTARTS   AGE
 70 | admission-control-6b6bcfbf48-bsldm   1/1     Running   0          80s
 71 | admission-control-6b6bcfbf48-rrppt   1/1     Running   0          80s
 72 | admission-control-6b6bcfbf48-w9wv6   1/1     Running   0          80s
 73 | collector-52jlx                      2/2     Running   0          76s
 74 | collector-8pc44                      2/2     Running   0          76s
 75 | collector-lgqqw                      2/2     Running   0          76s
 76 | collector-qdvbq                      2/2     Running   0          76s
 77 | collector-qlst8                      2/2     Running   0          76s
 78 | collector-vr8h6                      2/2     Running   0          76s
 79 | collector-z2frz                      2/2     Running   0          76s
 80 | sensor-6b4d8447b5-bjhbz              1/1     Running   0          75s
 81 | ----
 82 | 
 83 | * Return to the RHACS portal and check if the deployment is successful. If it’s successful, a green checkmark appears under section #2.
 84 | 
 85 | image::multicluster/01_multi.png[RHACS Multi 1, 800]
 86 | 
 87 | For more information check about adding Secured Clusters check https://docs.openshift.com/acs/installing/install-ocp-operator.html#generate-init-bundle[the RHACS Documentation].
 88 | 
 89 | [#secured_clusters_add_vuln]
 90 | === Add vulnerabilities to the Secured Cluster
 91 | 
 92 | Deploy some vulnerabilities in the new Secured Cluster added in the earlier step. 
 93 | 
 94 | [.console-input]
 95 | [source,bash,subs="attributes+,+macros"]	
 96 | ----	
 97 | oc new-project suspicious
 98 | oc run shell --labels=app=shellshock,team=test-team --image=vulnerables/cve-2014-6271 -n suspicious
 99 | oc run samba --labels=app=rce --image=vulnerables/cve-2017-7494 -n suspicious
100 | oc run phpunit --labels=app=phpunit --image=vulhub/phpunit:5.6.2 -n suspicious 
101 | oc run couchdb --labels=app=couchdb --image=vulhub/couchdb:1.6.0 -n suspicious
102 | ----	
103 | 
104 | [#system_configuration]
105 | == RHACS System Configuration
106 | 
107 | Check into the https://docs.openshift.com/acs/3.66/configuration/enable-alert-data-retention.html[official documentation] the different configuration tweaks that you can do in the RHACS cluster:
108 | 
109 | image::multicluster/03_multi.png[RHACS Multi 3, 800]
110 | 
111 | The options are:
112 | 
113 | * https://docs.openshift.com/acs/3.66/configuration/enable-alert-data-retention.html[Data Retention Configuration]
114 | * Header Configuration
115 | * Footer Configuration
116 | * Login Notice Configuration
117 | * Online Telemetry Data Collection
118 | 
119 | [#system_health]
120 | == RHACS System Health
121 | 
122 | The Red Hat Advanced Cluster Security for Kubernetes system health dashboard provides a single interface for viewing health related information about Red Hat Advanced Cluster Security for Kubernetes components.
123 | 
124 | To access the health dashboard:
125 | 
126 | * On the RHACS portal, navigate to Platform Configuration → System Health.
127 | 
128 | image::multicluster/02_multi.png[RHACS Multi 2, 800]
129 | 
130 | The health dashboard organizes information in the following groups:
131 | 
132 | 1. **Cluster Health** - Shows the overall state of Red Hat Advanced Cluster Security for Kubernetes cluster.
133 | 2. **Vulnerability Definitions** - Shows the last update time of vulnerability definitions.
134 | 3. **Image Integrations** - Shows the health of all registries that you have integrated.
135 | 4. **Notifier Integrations** - Shows the health of any notifiers (Slack, email, Jira, or other similar integrations) that you have integrated.
136 | 5. **Backup Integrations** - Shows the health of any backup providers that you have integrated.
137 | 
138 | The dashboard lists the following states for different components:
139 | 
140 | 1. **Healthy** - The component is functional.
141 | 2. **Degraded** - The component is partially unhealthy. This state means the cluster is functional, but some components are unhealthy and require attention.
142 | 3. **Unhealthy** - This component is not healthy and requires immediate attention.
143 | 4. **Uninitialized** - The component has not yet reported back to Central to have its health assessed. An uninitialized state may sometimes require attention, but often components report back the health status after a few minutes or when the integration is used.
144 | 
145 | The Cluster Overview shows information about your Red Hat Advanced Cluster Security for Kubernetes cluster health. It reports the health information about the following:
146 | 
147 | 1. **Collector Status** - It shows whether the Collector pod that Red Hat Advanced Cluster Security for Kubernetes uses is reporting healthy.
148 | 2. **Sensor Status** - It shows whether the Sensor pod that Red Hat Advanced Cluster Security for Kubernetes uses is reporting healthy.
149 | 3. **Sensor Upgrade** - It shows whether the Sensor is running the correct version when compared with Central.
150 | 4. **Credential Expiration** - It shows if the credentials for Red Hat Advanced Cluster Security for Kubernetes are nearing expiration.
151 | 
152 | [#access_control]
153 | == RHACS Access Control
154 | 
155 | Red Hat Advanced Cluster Security for Kubernetes (RHACS) comes with role-based access control (RBAC) that you can use to configure roles and grant various levels of access to Red Hat Advanced Cluster Security for Kubernetes for different users.
156 | 
157 | image::multicluster/04_multi.png[RHACS Multi 4, 400]
158 | 
159 | Red Hat Advanced Cluster Security for Kubernetes 3.63 includes a scoped access control feature that enables you to configure fine-grained and specific sets of permissions that define how a given Red Hat Advanced Cluster Security for Kubernetes user or a group of users can interact with Red Hat Advanced Cluster Security for Kubernetes, which resources they can access, and which actions they can perform.
160 | 
161 | * Roles are a collection of permission sets and access scopes. You can assign roles to users and groups by specifying rules. You can configure these rules when you configure an authentication provider. There are two types of roles in Red Hat Advanced Cluster Security for Kubernetes:
162 | 
163 | 1. **System roles** that are created by Red Hat and cannot be changed.
164 | 2. **Custom roles**, which Red Hat Advanced Cluster Security for Kubernetes administrators can create and change at any time.
165 | 
166 | image::multicluster/07_multi.png[RHACS Multi 5, 800]
167 | 
168 | * Permission sets are a set of permissions that define what actions a role can perform on a given resource. Resources are the functionalities of Red Hat Advanced Cluster Security for Kubernetes for which you can set view (read) and modify (write) permissions. There are two types of permission sets in Red Hat Advanced Cluster Security for Kubernetes:
169 | 
170 | 1. **System permission sets**, which are created by Red Hat and cannot be changed.
171 | 
172 | 2. **Custom permission sets**, which Red Hat Advanced Cluster Security for Kubernetes administrators can create and change at any time.
173 | 
174 | image::multicluster/08_multi.png[RHACS Multi 6, 800]
175 | 
176 | * Access scopes are a set of Kubernetes and OpenShift Container Platform resources that users can access. For example, you can define an access scope that only allows users to access information about pods in a given project. There are two types of access scopes in Red Hat Advanced Cluster Security for Kubernetes:
177 | 
178 | 1. **System access scopes**, which are created by Red Hat and cannot be changed.
179 | 2. **Custom access scopes**, which Red Hat Advanced Cluster Security for Kubernetes administrators can create and change at any time.
180 | 
181 | For more information about RBAC and the integration with third parties for https://docs.openshift.com/acs/3.66/operating/manage-user-access/manage-role-based-access-control-3630.html#rbac-system-roles-3630_manage-role-based-access-control[User Access]
182 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/13-cicd.adoc:
--------------------------------------------------------------------------------
 1 | = RHACS DevSecOps Pipelines
 2 | include::_attributes.adoc[]
 3 | :profile: acs
 4 | 
 5 | [#integrate_ocp_pipelines]
 6 | == Integrate Openshift Pipelines with RHACS
 7 | 
 8 | https://cloud.redhat.com/blog/using-openshift-pipelines-to-automate-red-hat-advanced-cluster-security-for-kubernetes[Using OpenShift Pipelines to Automate Red Hat Advanced Cluster Security for Kubernetes]
 9 | 
10 | TODO: finish the writing.
11 | 
12 | [#install_devsecops_pipelines]
13 | == Installing RHACS DevSecOps Pipeline
14 | 
15 | Based in https://github.com/rcarrata/devsecops-demo[DevSecOps Pipeline Repo] we will deploy in our Openshift cluster a full DevSecOps pipeline example to see the integration of RHACS to a CICD Pipeline.
16 | 
17 | image::cicd/00-acs_cicd_overview.png[RHACS CICD 1, 800]
18 | 
19 | Download the demo and install the prereqs:
20 | 
21 | [.console-input]
22 | [source,bash,subs="attributes+,+macros"]	
23 | ----	
24 | git clone https://github.com/rcarrata/devsecops-demo.git
25 | ansible-galaxy collection install community.kubernetes
26 | cd devsecops-demo
27 | ----
28 | 
29 | Install the demo in Stackrox: 
30 | 
31 | [.console-input]
32 | [source,bash,subs="attributes+,+macros"]	
33 | ----	
34 | git clone https://github.com/rcarrata/devsecops-demo.git
35 | ansible-galaxy collection install community.kubernetes
36 | cd devsecops-demo
37 | ----
38 | 
39 | Check the status of the devsecops pipelines demo:
40 | [.console-input]
41 | [source,bash,subs="attributes+,+macros"]	
42 | ----	
43 | ./status.sh
44 | ----
45 | 
46 | [#run_devsecops_pipelines]
47 | == Running the demo of DevSecOps Pipeline
48 | 
49 | Run the demo with:
50 | [.console-input]
51 | [source,bash,subs="attributes+,+macros"]	
52 | ----	
53 | ./demo.sh start
54 | ----
55 | 
56 | Go to the namespace of ```cicd``` and check the Pipelines resources with the PipelineRun like the following:
57 | 
58 | image::cicd/01-devsecops_pipeline.png[RHACS CICD 2, 800]
59 | 
60 | For more information check the https://github.com/rcarrata/devsecops-demo[original repo] or the https://github.com/RedHatDemos/SecurityDemos/blob/master/2021Labs/OpenShiftSecurity/documentation/lab4.adoc[Security Lab guide] that have all the details and caveats.


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/14-apicli.adoc:
--------------------------------------------------------------------------------
 1 | = RHACS API and CLI 
 2 | include::_attributes.adoc[]
 3 | :profile: acs
 4 | 
 5 | [#cli-overview]
 6 | == RHACS CLI Overview
 7 | 
 8 | Within RHACS ecosystem, roxctl is a command-line interface (CLI) for running commands on Red Hat Advanced Cluster Security for Kubernetes. 
 9 | 
10 | You can install the roxctl CLI to interact with Red Hat Advanced Cluster Security for Kubernetes from a command-line interface. You can install roxctl on Linux, Windows, or macOS. Follow the https://docs.openshift.com/acs/3.70/cli/getting-started-cli.html#install-roxctl-cli-binary[guide] for installing roxtctl in your system.
11 | 
12 | For authentication, you can use an authentication token or your administrator password. 
13 | 
14 | NOTE: Red Hat recommends using an authentication token in a production environment because each token is assigned specific access control permissions.
15 | 
16 | [#cli-integration]
17 | == RHACS CLI Integration
18 | 
19 | * Navigate to the RHACS portal.
20 | 
21 | * Go to Platform Configuration → Integrations.
22 | 
23 | * Scroll down to the Authentication Tokens category, and click API Token.
24 | 
25 | * Click Generate Token.
26 | 
27 | * Enter a name for the token and select a role that provides the required level of access (for example, Continuous Integration or Sensor Creator).
28 | 
29 | * Click Generate.
30 | 
31 | image::cli/roxctl1.png[RHACS ROXCTL 1, 600]
32 | 
33 | 
34 | * After you have generated the authentication token, export it as ROX_API_TOKEN variable:
35 | 
36 | [.console-input]
37 | [source,bash,subs="attributes+,+macros"]	
38 | ----	
39 | $ export ROX_API_TOKEN=<api_token>
40 | $ export ROX_CENTRAL_ADDRESS=<address>:<port_number
41 | ----
42 | 
43 | * Test the roxctl image check against a well known image to check the system policies and the CVEs that are detected:
44 | 
45 | [.console-input]
46 | [source,bash,subs="attributes+,+macros"]	
47 | ----	
48 | $ roxctl --insecure-skip-tls-verify image check --endpoint $ROX_CENTRAL_ADDRESS:443 --image quay.io/centos7/httpd-24-centos7:centos7
49 | ----
50 | 
51 | [#api-overview]
52 | == RHACS API Overview
53 | 
54 | TBD


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/15-contributors.adoc:
--------------------------------------------------------------------------------
1 | == Contributors
2 | 
3 | This workshop has been developed and is maintained by https://github.com/rcarrata[Roberto Carratalá] and https://github.com/jadebustos[Jose Angel de Bustos].
4 | 
5 | Also, thanks all the https://github.com/redhat-scholars/acs-workshop/graphs/contributors[contributors], in special https://github.com/josgonza-rh[Jose Antonio Prada] that reviewed and contributed to this workshop!!
6 | 
7 | If you have questions or you want to be involved, reach the maintainers, or open a PR!
8 | 
9 | PR are always welcome :)


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/_attributes.adoc:
--------------------------------------------------------------------------------
1 | :experimental:
2 | :source-highlighter: highlightjs
3 | :branch: main
4 | :github-repo: https://github.com/redhat-scholars/acs-workshop/blob/{branch}
5 | :profile: acs
6 | :minikube-version: v1.20.0
7 | :kubernetes-version: v1.20.2
8 | :argocd-version: v2.0.0
9 | :kustomize-version: v4.1.2


--------------------------------------------------------------------------------
/documentation/modules/ROOT/pages/index.adoc:
--------------------------------------------------------------------------------
 1 | = Welcome to Red Hat Advanced Cluster Security Workshop
 2 | :page-layout: home
 3 | :!sectids:
 4 | 
 5 | image::acs-logo.svg[RHACS Logo, 400]
 6 | 
 7 | [.text-center.strong]
 8 | == Red Hat Advanced Cluster Security for Kubernetes
 9 | 
10 | Red Hat Advanced Cluster Security for Kubernetes (Red Hat Advanced Cluster Security or RHACS) provides the tools and capabilities to address the security needs of a cloud-native development approach on Kubernetes. 
11 | 
12 | The RHACS solution offers visibility into the security of your cluster, vulnerability management, and security compliance through auditing, network segmentation awareness and configuration, security risk profiling, security-related configuration management, threat detection, and incident response. In addition, RHACS grants an ability to pull the actions from that tooling deep into the application code development process through APIs.
13 | 
14 | These security features represent the primary work any developer or administrator faces as they work across a range of environments, including multiple datacenters, private clouds, or public clouds that run Kubernetes clusters.
15 | 
16 | This workshop is based on RHACS 4.x and at this moment the ACS cloud service it is not covered.
17 | 
18 | == RHACS Features
19 | 
20 | image::acs_features.png[RHACS Features, 800]
21 | 
22 | Using Red Hat Advanced Cluster Security for Kubernetes (Red Hat Advanced Cluster Security), you can gain comprehensive Kubernetes security that includes the following use cases:
23 | 
24 | * **Visibility**:  See your entire landscape of images, registries, containers, deployments, and runtime behavior.
25 | * **Vulnerability Management**: Identify and remediate vulnerabilities in both container images and Kubernetes across the entire software development life cycle.
26 | * **Compliance**: Audit your systems against CIS Benchmarks, NIST, PCI, and HIPAA, with interactive dashboards and one-click audit reports.
27 | * **Network Segmentation**: Visualize existing connections and enforce tighter segmentation using Kubernetes-native controls to reduce your blast radius.
28 | * **Risk Profiling**: See all your deployments ranked by risk level, using context from Kubernetes’ declarative data, to prioritize remediation.
29 | * **Configuration Management**: Apply best practices for Docker and Kubernetes to harden your environment for a more secure and stable application.
30 | * **Threat Detection**: Use rules, automated allow lists, and baselining to accurately identify suspicious activity in your running applications.
31 | * **Incident Response**: Take action, from failing builds and blocking deployments to killing pods and thwarting attacks, using Kubernetes for enforcement.
32 | 
33 | IMPORTANT: This is not an official RH Advanced Cluster Security guide or workshop. Please contact with your RH representative if you want more information about Training or Guidelines about this topic / product.
34 | 
35 | == Contributors
36 | 
37 | This workshop has been developed and is maintained by https://github.com/rcarrata[Roberto Carratalá],  https://github.com/jadebustos[Jose Angel de Bustos] and https://github.com/josgonza-rh[Jose Antonio Gonzalez Prada].
38 | 
39 | Thanks all the https://github.com/redhat-scholars/acs-workshop/graphs/contributors[contributors] that reviewed and contributed to this workshop!!
40 | 


--------------------------------------------------------------------------------
/documentation/modules/ROOT/partials/exec_pod.adoc:
--------------------------------------------------------------------------------
 1 | Check that the pod is up and running:
 2 | 
 3 | [.lines_space]
 4 | [.console-input]
 5 | [source,bash, subs="+macros,+attributes"]
 6 | ----
 7 | kubectl get pods
 8 | ----
 9 | 
10 | [.console-output]
11 | [source,bash,subs="+macros,+attributes"]
12 | ----
13 | NAME                        READY   STATUS    RESTARTS   AGE
14 | {podname}   1/1     Running   0          5s
15 | ----
16 | 
17 | Then let's go into the running pod to execute some commands:
18 | 
19 | [.console-input]
20 | [source,bash, subs="+macros,+attributes"]
21 | ----
22 | kubectl exec -ti {podname} /bin/bash
23 | ----
24 | 
25 | NOTE: Change the pod name with your pod name.


--------------------------------------------------------------------------------
/gulpfile.babel.js:
--------------------------------------------------------------------------------
 1 | /*jshint esversion: 6 */
 2 | 
 3 | import { series, watch } from "gulp";
 4 | import { remove } from "fs-extra";
 5 | import { readFileSync } from "fs";
 6 | import {load as yamlLoad} from "yaml-js";
 7 | import generator from "@antora/site-generator-default";
 8 | import browserSync from "browser-sync";
 9 | 
10 | const filename = "dev-site.yml";
11 | const server = browserSync.create();
12 | const args = ["--playbook", filename];
13 | 
14 | //Watch Paths
15 | function watchGlobs() {
16 |   let json_content = readFileSync(`${__dirname}/${filename}`, "UTF-8");
17 |   let yaml_content = yamlLoad(json_content);
18 |   let dirs = yaml_content.content.sources.map(source => [
19 |     `${source.url}/**/**.yml`,
20 |     `${source.url}/**/**.adoc`,
21 |     `${source.url}/**/**.hbs`
22 |   ]); 
23 |   dirs.push(["dev-site.yml"]);
24 |   dirs = [].concat(...dirs);
25 |   //console.log(dirs);
26 |   return dirs;
27 | }
28 | 
29 | const siteWatch = () => watch(watchGlobs(), series(build, reload));
30 | 
31 | const removeSite = done => remove("gh-pages", done);
32 | const removeCache = done => remove(".cache", done);
33 | 
34 | function build(done) {
35 |   generator(args, process.env)
36 |     .then(() => {
37 |       done();
38 |     })
39 |     .catch(err => {
40 |       console.log(err);
41 |       done();
42 |     });
43 | }
44 | 
45 | function workshopSite(done){
46 |   generator(["--pull", "--stacktrace","--playbook","workshop-site.yaml"], process.env)
47 |     .then(() => {
48 |       done();
49 |     })
50 |     .catch(err => {
51 |       console.log(err);
52 |       done();
53 |     });
54 | }
55 | 
56 | function reload(done) {
57 |   server.reload();
58 |   done();
59 | }
60 | 
61 | function serve(done) {
62 |   server.init({
63 |     server: {
64 |       baseDir: "./gh-pages"
65 |     }
66 |   });
67 |   done();
68 | }
69 | 
70 | const _build = build;
71 | export { _build as build };
72 | const _clean = series(removeSite, removeCache);
73 | export { _clean as clean };
74 | const _default = series(_clean, build, serve, siteWatch);
75 | export { _default as default };
76 | //build workshop docs
77 | const _wsite = series(_clean, workshopSite);
78 | export { _wsite as workshopSite };


--------------------------------------------------------------------------------
/lib/remote-include-processor.js:
--------------------------------------------------------------------------------
 1 | module.exports = function () {
 2 |     this.includeProcessor(function () {
 3 |       this.$option('position', '>>')
 4 |       this.handles((target) => target.startsWith('http'))
 5 |       this.process((doc, reader, target, attrs) => {
 6 |         const contents = require('child_process').execFileSync('curl', ['--silent', '-L', target], { encoding: 'utf8' })
 7 |         reader.pushInclude(contents, target, target, 1, attrs)
 8 |       })
 9 |     })
10 |   }
11 |   


--------------------------------------------------------------------------------
/lib/tab-block.js:
--------------------------------------------------------------------------------
 1 | /* Copyright (c) 2018 OpenDevise, Inc.
 2 |  *
 3 |  * This Source Code Form is subject to the terms of the Mozilla Public
 4 |  * License, v. 2.0. If a copy of the MPL was not distributed with this
 5 |  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 6 | 
 7 | /**
 8 |  * Extends the AsciiDoc syntax to support a tabset. The tabset is created from
 9 |  * a dlist enclosed in an example block that is marked with the tabs style.
10 |  *
11 |  * Usage:
12 |  *
13 |  *  [tabs]
14 |  *  ====
15 |  *  Tab A::
16 |  *  +
17 |  *  --
18 |  *  Contents of tab A.
19 |  *  --
20 |  *  Tab B::
21 |  *  +
22 |  *  --
23 |  *  Contents of tab B.
24 |  *  --
25 |  *  ====
26 |  *
27 |  * @author Dan Allen <dan@opendevise.com>
28 |  */
29 | const IdSeparatorCh = "-";
30 | const ExtraIdSeparatorsRx = /^-+|-+$|-(-)+/g;
31 | const InvalidIdCharsRx = /[^a-zA-Z0-9_]/g;
32 | const List = Opal.const_get_local(Opal.module(null, "Asciidoctor"), "List");
33 | const ListItem = Opal.const_get_local(
34 |   Opal.module(null, "Asciidoctor"),
35 |   "ListItem"
36 | );
37 | 
38 | const generateId = (str, idx) =>
39 |   `tabset${idx}_${str
40 |     .toLowerCase()
41 |     .replace(InvalidIdCharsRx, IdSeparatorCh)
42 |     .replace(ExtraIdSeparatorsRx, "$1")}`;
43 | 
44 | function tabsBlock() {
45 |   this.onContext("example");
46 |   this.process((parent, reader, attrs) => {
47 |     const createHtmlFragment = html => this.createBlock(parent, "pass", html);
48 |     const tabsetIdx = parent.getDocument().counter("idx-tabset");
49 |     const nodes = [];
50 |     nodes.push(createHtmlFragment('<div class="tabset is-loading">'));
51 |     const container = this.parseContent(
52 |       this.createBlock(parent, "open"),
53 |       reader
54 |     );
55 |     const sourceTabs = container.getBlocks()[0];
56 |     if (
57 |       !(
58 |         sourceTabs &&
59 |         sourceTabs.getContext() === "dlist" &&
60 |         sourceTabs.getItems().length
61 |       )
62 |     )
63 |       return;
64 |     const tabs = List.$new(parent, "ulist");
65 |     tabs.addRole("tabs");
66 |     const panes = {};
67 |     sourceTabs.getItems().forEach(([[title], details]) => {
68 |       const tab = ListItem.$new(tabs);
69 |       tabs.$append(tab);
70 |       const id = generateId(title.getText(), tabsetIdx);
71 |       tab.text = `[[${id}]]${title.text}`;
72 |       let blocks = details.getBlocks();
73 |       const numBlocks = blocks.length;
74 |       if (numBlocks) {
75 |         if (blocks[0].context === "open" && numBlocks === 1)
76 |           blocks = blocks[0].getBlocks();
77 |         panes[id] = blocks.map(block => (block.parent = parent) && block);
78 |       }
79 |     });
80 |     nodes.push(tabs);
81 |     nodes.push(createHtmlFragment('<div class="content">'));
82 |     Object.entries(panes).forEach(([id, blocks]) => {
83 |       nodes.push(
84 |         createHtmlFragment(`<div class="tab-pane" aria-labelledby="${id}">`)
85 |       );
86 |       nodes.push(...blocks);
87 |       nodes.push(createHtmlFragment("</div>"));
88 |     });
89 |     nodes.push(createHtmlFragment("</div>"));
90 |     nodes.push(createHtmlFragment("</div>"));
91 |     parent.blocks.push(...nodes);
92 |   });
93 | }
94 | 
95 | function register(registry, context) {
96 |   registry.block("tabs", tabsBlock);
97 | }
98 | 
99 | module.exports.register = register;


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "rhs-openshift-admins-devops",
 3 |   "description": "OpenShift Admins Devops Course Documentation Site",
 4 |   "homepage": "https://redhat-scholars.github.io/openshift-admins-devops",
 5 |   "author": {
 6 |     "email": "kamesh.sampath@hotmail.com",
 7 |     "name": "Kamesh Sampath",
 8 |     "url": "https://twitter.com/@kamesh_sampath"
 9 |   },
10 |   "dependencies": {
11 |     "@antora/cli": "^2.3.1",
12 |     "@antora/site-generator-default": "^2.3.1",
13 |     "@babel/cli": "^7.5.5",
14 |     "@babel/core": "^7.5.5",
15 |     "@babel/polyfill": "^7.4.4",
16 |     "@babel/preset-env": "^7.5.5",
17 |     "@babel/register": "^7.5.5",
18 |     "browser-sync": "^2.26.7",
19 |     "fs-extra": "^8.1.0",
20 |     "gulp": "^4.0.0",
21 |     "yaml-js": "^0.2.3"
22 |   },
23 |   "devDependencies": {},
24 |   "scripts": {
25 |     "dev": "gulp",
26 |     "clean": "gulp clean",
27 |     "workshop": "gulp workshopSite"
28 |   },
29 |   "repository": {
30 |     "type": "git",
31 |     "url": "git+https://github.com/redhat-scholars/openshift-admins-devops.git"
32 |   },
33 |   "license": "Apache-2.0",
34 |   "babel": {
35 |     "presets": [
36 |       "@babel/preset-env"
37 |     ]
38 |   }
39 | }
40 | 


--------------------------------------------------------------------------------
/site.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | _CURR_DIR="$( cd "$(dirname "$0")" ; pwd -P )"
4 | rm -rf $_CURR_DIR/gh-pages $_CURR_DIR/.cache
5 | 
6 | antora --pull --stacktrace  site.yml


--------------------------------------------------------------------------------
/site.yml:
--------------------------------------------------------------------------------
 1 | runtime:
 2 |   cache_dir: ./.cache/antora
 3 | 
 4 | site:
 5 |   title: ACS Workshop
 6 |   url: https://redhat-scholars.github.io/acs-workshop
 7 |   start_page: acs-workshop::index.adoc
 8 | 
 9 | content:
10 |   sources:
11 |     - url: ./
12 |       start_path: documentation
13 | 
14 | asciidoc:
15 |   attributes:
16 |     release-version: master
17 |     page-pagination: true
18 |   extensions:
19 |     - ./lib/tab-block.js
20 |     - ./lib/remote-include-processor.js
21 | 
22 | ui:
23 |   bundle:
24 |     url: https://github.com/redhat-scholars/course-ui/releases/download/v0.1.14/ui-bundle.zip
25 |     snapshot: true
26 |   supplemental_files:
27 |     - path: ./supplemental-ui
28 |     - path: .nojekyll
29 |     - path: ui.yml
30 |       contents: "static_files: [ .nojekyll ]"
31 | 
32 | output:
33 |   dir: ./gh-pages
34 | 


--------------------------------------------------------------------------------
/supplemental-ui/.nojekyll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/supplemental-ui/.nojekyll


--------------------------------------------------------------------------------
/supplemental-ui/img/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/redhat-scholars/acs-workshop/3ba508ba8256dd1ebafa04e87312584fd38b0b21/supplemental-ui/img/favicon.ico


--------------------------------------------------------------------------------
/supplemental-ui/partials/footer-nav.hbs:
--------------------------------------------------------------------------------
 1 | <nav class="rhd-footer-nav" aria-label="Secondary Navigation" role="navigation">
 2 |   <ul class="rhd-menu">
 3 |     <li class="menu-item menu-item--expanded">
 4 |       <h3 class="section-toggle">Resources</h3>
 5 |       <ul class="rhd-menu">
 6 |         <li class="menu-item">
 7 |           <a href="https://redhat-developer-demos.github.io/template-tutorial" title="Kubernetes Tutorial">Template
 8 |             Tutorial</a>
 9 |         </li>
10 |         <li class="menu-item">
11 |           <a href="https://redhat-developer-demos.github.io/template-tutorial/issues" title="Issue Tracker">Issue
12 |             Tracker</a>
13 |         </li>
14 |       </ul>
15 |     </li>
16 |   </ul>
17 | </nav>


--------------------------------------------------------------------------------
/supplemental-ui/ui.yml:
--------------------------------------------------------------------------------
1 | static_files:
2 | - .nojekyll


--------------------------------------------------------------------------------
/vscode-asciidoc-extra.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Add Tabs": {
 3 |     "prefix": "tabs",
 4 |     "body": [
 5 |       "[tabs]",
 6 |       "====",
 7 |       "${1:tab1}::",
 8 |       "+",
 9 |       "--",
10 |       "--",
11 |       "${2:tab2}::",
12 |       "+",
13 |       "--",
14 |       "--",
15 |       "===="
16 |     ],
17 |     "description": "Add Tabs macro"
18 |   },
19 |   "Add Navigation": {
20 |     "prefix": "nav",
21 |     "body": [
22 |       "${1|*,**,***|} xref:${2:page.adoc}[${3:Nav Title}]"
23 |     ],
24 |     "description": "Add new navigation"
25 |   },
26 |   "Console Input": {
27 |     "prefix": "input",
28 |     "body": [
29 |       "[.console-input]",
30 |       "[source,${1:bash}]",
31 |       "----",
32 |       "${2:echo \"Hello World\"}",
33 |       "----"
34 |     ],
35 |     "description": "Adds Console Input source fragment"
36 |   },
37 |   "Console Output": {
38 |     "prefix": "output",
39 |     "body": [
40 |       "[.console-output]",
41 |       "[source,${1:bash}]",
42 |       "----",
43 |       "${2:\"Hello World\"}",
44 |       "----"
45 |     ],
46 |     "description": "Adds Console Output source fragment"
47 |   }
48 | }


--------------------------------------------------------------------------------