Chapter 16. Using declarative configuration
With declarative configuration, you can update configurations by storing them in files in repositories and apply them to the system. Declarative configuration is useful, for example, if you are using a GitOps workflow. You can currently use declarative configuration in Red Hat Advanced Cluster Security for Kubernetes (RHACS) for authentication and authorization resources such as authentication providers, roles, permission sets, and access scopes.
To use declarative configuration, you create YAML files that contain configuration information about authentication and authorization resources. These files, or configurations, are added to RHACS by using a mount point during Central installation. See the installation documentation in the "Additional references" section for more information on configuring mount points when installing RHACS.
The configuration files used with declarative configuration are stored in config maps or secrets, depending on the type of resource. Store configurations for authentication providers in a secret for greater security. You can store other configurations in config maps.
A single config map or secret can contain more than one configuration of multiple resource types. This allows you to limit the number of volume mounts for the Central instance.
16.1. Restrictions for resources created from declarative configuration
Because resources can reference other resources (for example, a role can reference both a permission set and access scope), the following restrictions for references apply:
- 
						A declarative configuration can only reference a resource that is either also created declaratively or a system RHACS resource; for example, a resource such as the AdminorAnalystsystem role or permission set.
- All references between resources use names to identify the resource; therefore, all names within the same resource type must be unique.
- Resources created from declarative configuration can only be modified or deleted by altering the declarative configuration files. You cannot change these resources by using the RHACS portal or the API.
16.2. Creating declarative configurations
				Use roxctl to create the YAML files that store the configurations, create a config map from the files, and apply the config map.
			
Prerequisites
- You have added the mount for the config map or secret during the installation of Central. In this example, the config map is called "declarative-configs". See the installation documentation listed in the "Additional resources" section for more information.
Procedure
- Create the permission set by entering the following command. This example creates a permission set named "restricted" and is saved as the - permission-set.yamlfile. It sets read and write access for the- Administrationresource and read access to the Access resource.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the role that allows access to the - Administrationand- Accessresources by entering the following command. This example creates a role named "restricted" and is saved as the- role.yamlfile.- roxctl declarative-config create role \ --name="restricted" \ --description="Restricted role that only allows access to Administration and Access" \ --permission-set="restricted" \ --access-scope="Unrestricted" > role.yaml - $ roxctl declarative-config create role \ --name="restricted" \ --description="Restricted role that only allows access to Administration and Access" \ --permission-set="restricted" \ --access-scope="Unrestricted" > role.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a config map from the two YAML files that were created in the earlier steps by entering the following command. This example creates the - declarative-configurationsconfig map.- kubectl create configmap declarative-configurations \ --from-file permission-set.yaml --from-file role.yaml \ -o yaml --namespace=stackrox > declarative-configs.yaml - $ kubectl create configmap declarative-configurations \- 1 - --from-file permission-set.yaml --from-file role.yaml \ -o yaml --namespace=stackrox > declarative-configs.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For OpenShift Container Platform, useoc create.
 
- Apply the config map by entering the following command: - kubectl apply -f declarative-configs.yaml - $ kubectl apply -f declarative-configs.yaml- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For OpenShift Container Platform, useoc apply.
 - After you apply the config map, configuration information extracted from Central creates the resources. Note- Although the watch interval is 5 seconds, as described in the following paragraph, there can be a delay in propagating changes from the config map to the Central mount. - You can configure the following intervals to specify how declarative configurations interact with Central: - 
								Configuration watch interval: The interval for Central to check for changes is every 5 seconds. You can configure this interval by using the ROX_DECLARATIVE_CONFIG_WATCH_INTERVALenvironment variable.
- 
								Reconciliation interval: By default, declarative configuration reconciliation with Central occurs every 20 seconds. You can configure this interval by using the ROX_DECLARATIVE_CONFIG_RECONCILE_INTERVALenvironment variable.
 
				After creating authentication and authorization resources by using declarative configuration, you can view them in the Access Control page in the RHACS web portal. The Origin field indicates Declarative if the resource was created by using declarative configuration.
			
You cannot edit resources created from declarative configurations in the RHACS web portal. You must edit the configuration files directly to make changes to these resources.
				You can view the status of declarative configurations by navigating to Platform Configuration 
16.3. Declarative configuration examples
				You can create declarative configurations by using the following examples as a guide. Use the roxctl declarative-config lint command to verify that your configurations are valid.
			
16.3.1. Declarative configuration authentication provider example
Declarative configuration authentication provider example
- 1
- Identifies the minimum role that will be assigned by default to any user logging in. If left blank, the value isNone.
- 2
- Use the user interface endpoint of your Central instance.
- 3
- If your Central instance is exposed to different endpoints, specify them here.
- 4
- These fields map users to specific roles, based on their attributes.
- 5
- The key can be any claim returned from the authentication provider.
- 6
- Identifies the role that the users are given. You can use a default role or a declaratively-created role.
- 7
- Optional: Use these fields if attributes returned from the authentication provider are required; for example, if the audience is limited to a specific organization or group.
- 8
- This section is required only for OpenID Connect (OIDC) authentication providers.
- 9
- Identifies the expected issuer for the token.
- 10
- Identifies the OIDC callback mode. Possible values areauto,post,query, andfragment. The preferred value isauto.
- 11
- This section is required only for Google Identity-Aware Proxy (IAP) authentication providers.
- 12
- This section is required only for Security Assertion Markup Language (SAML) 2.0 dynamic configuration authentication providers.
- 13
- This section is required only for SAML 2.0 static configuration authentication providers.
- 14
- Include the certificate in Privacy Enhanced Mail (PEM) format.
- 15
- This section is required only for authentication with user certificates.
- 16
- Include the certificate in PEM format.
16.3.2. Declarative configuration permission set example
Declarative configuration permission set example
16.3.3. Declarative configuration access scope example
Declarative configuration access scope example
16.3.4. Declarative configuration role example
Declarative configuration role example
name: A sample role description: A sample role created declaratively permissionSet: A sample permission set accessScope: Unrestricted
name: A sample role
description: A sample role created declaratively
permissionSet: A sample permission set 
accessScope: Unrestricted 16.4. Troubleshooting declarative configuration
				You can use the error messages displayed in the Declarative configuration section of the Platform Configuration roxctl declarative-config command also includes a lint option to validate the configuration file and help you detect errors.
			
				The error messages displayed in the Declarative configuration section of the Platform Configuration 
- The format of the configuration file is not in valid YAML.
- The configuration file contains invalid values, such as invalid access within a permission set.
- Invalid storage constraints exist, such as resource names are not unique or the configuration contains invalid references to a resource.
				To validate configuration files, check for errors in configuration files, and make sure that there are no invalid storage constraints when creating and updating configuration files, use the roxctl declarative-config lint command.
			
				To troubleshoot a storage constraint during deletion, check if the resource has been marked as Declarative Orphaned. This indicates that the declarative configuration referenced by a resource was deleted (for example, if the declarative configuration for a permission set that was referenced by a role was deleted). To correct this error, edit the resource to point to a new permission set, or restore the declarative configuration that was deleted.