Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 2. Integrating with CI systems

Red Hat Advanced Cluster Security for Kubernetes (RHACS) integrates with a variety of continuous integration (CI) products. Before you deploy images, you can use RHACS to apply build-time and deploy-time security rules to your images.

After images are built and pushed to a registry, RHACS integrates into CI pipelines. Pushing the image first allows developers to continue testing their artifacts while dealing with any policy violations alongside any other CI test failures, linter violations, or other problems.

If possible, configure the version control system to block pull or merge requests from being merged if the build stage, which includes RHACS checks, fails.

The integration with your CI product functions by contacting your RHACS installation to check whether the image complies with build-time policies you have configured. If there are policy violations, a detailed message is displayed on the console log, including the policy description, rationale, and remediation instructions.

Each policy includes an optional enforcement setting. If you mark a policy for build-time enforcement, failure of that policy causes the client to exit with a nonzero error code.

To integrate Red Hat Advanced Cluster Security for Kubernetes with your CI system, follow these steps:

  1. Configure build policies.
  2. Configure a registry integration.
  3. Configure access to your RHACS instance.
  4. Integrate with your CI pipeline.

2.1. Configuring build policies
Copiar o link

You can check RHACS policies during builds.

Procedure

  1. Configure policies that apply to the build stage of the container lifecycle.
  2. Integrate with the registry that images are pushed to during the build.

2.1.1. Checking existing build-time policies
Copiar o link

Use the RHACS portal to check any existing build-time policies that you have configured in Red Hat Advanced Cluster Security for Kubernetes.

Procedure

  1. In the RHACS portal, go to Platform Configuration Policy Management.
  2. Use global search to search for Lifecycle Stage:Build.

2.1.1.1. Deploy stage enforcement
Copiar o link

Red Hat Advanced Cluster Security for Kubernetes supports two forms of security policy enforcement for deploy-time policies: hard enforcement through the admission controller and soft enforcement by RHACS Sensor. The admission controller blocks creation or updating of deployments that violate policy. If the admission controller is disabled or unavailable, Sensor can perform enforcement by scaling down replicas for deployments that violate policy to 0.

Warning

Policy enforcement can impact running applications or development processes. Before you enable enforcement options, inform all stakeholders and plan how to respond to the automated enforcement actions.

2.2. Configuring registry integration
Copiar o link

To scan images, you must provide Red Hat Advanced Cluster Security for Kubernetes with access to the image registry you are using in your build pipeline.

2.2.1. Checking for existing registry integration
Copiar o link

You can use the RHACS portal to check if you have already integrated with a registry.

Procedure

  1. In the RHACS portal, go to Platform Configuration Integrations.
  2. Under the Image Integration section, look for highlighted Registry tiles. The tiles also list the number of items already configured for that tile.

If none of the Registry tiles are highlighted, you must first integrate with an image registry.

2.3. Configuring access
Copiar o link

RHACS provides the roxctl command-line interface (CLI) to make it easy to integrate RHACS policies into your build pipeline. The roxctl CLI prints detailed information about problems and how to fix them so that developers can maintain high standards in the early phases of the container lifecycle.

To securely authenticate to the Red Hat Advanced Cluster Security for Kubernetes API server, you must create an API token.

2.3.1. Exporting and saving the API token
Copiar o link

Procedure

  1. After you have generated the authentication token, export it as the ROX_API_TOKEN variable by entering the following command: 

    $ export ROX_API_TOKEN=<api_token>
    Copy to Clipboard Toggle word wrap

  2. (Optional): You can also save the token in a file and use it with the --token-file option by entering the following command: 

    $ roxctl central debug dump --token-file <token_file>
    Copy to Clipboard Toggle word wrap

Note the following guidelines:

  • You cannot use both the -password (-p) and the --token-file options simultaneously.
  • If you have already set the ROX_API_TOKEN variable, and specify the --token-file option, the roxctl CLI uses the specified token file for authentication.
  • If you have already set the ROX_API_TOKEN variable, and specify the --password option, the roxctl CLI uses the specified password for authentication.

2.3.2. Installing the roxctl CLI by downloading the binary
Copiar o link

You can install the roxctl CLI to interact with Red Hat Advanced Cluster Security for Kubernetes from a command-line interface. You can install roxctl on Linux, Windows, or macOS.

2.3.2.1. Installing the roxctl CLI on Linux
Copiar o link

You can install the roxctl CLI binary on Linux by using the following procedure.

Note

roxctl CLI for Linux is available for amd64, arm64, ppc64le, and s390x architectures.

Procedure

  1. Determine the roxctl architecture for the target operating system: 

    $ arch="$(uname -m | sed "s/x86_64//")"; arch="${arch:+-$arch}"
    Copy to Clipboard Toggle word wrap

  2. Download the roxctl CLI: 

    $ curl -L -f -o roxctl "https://mirror.openshift.com/pub/rhacs/assets/4.9.0/bin/Linux/roxctl${arch}"
    Copy to Clipboard Toggle word wrap

  3. Make the roxctl binary executable: 

    $ chmod +x roxctl
    Copy to Clipboard Toggle word wrap

  4. Place the roxctl binary in a directory that is on your PATH:

    To check your PATH, execute the following command: 

    $ echo $PATH
    Copy to Clipboard Toggle word wrap

Verification

  • Verify the roxctl version you have installed: 

    $ roxctl version
    Copy to Clipboard Toggle word wrap

2.3.2.2. Installing the roxctl CLI on macOS
Copiar o link

You can install the roxctl CLI binary on macOS by using the following procedure.

Note

roxctl CLI for macOS is available for amd64 and arm64 architectures.

Procedure

  1. Determine the roxctl architecture for the target operating system: 

    $ arch="$(uname -m | sed "s/x86_64//")"; arch="${arch:+-$arch}"
    Copy to Clipboard Toggle word wrap

  2. Download the roxctl CLI: 

    $ curl -L -f -o roxctl "https://mirror.openshift.com/pub/rhacs/assets/4.9.0/bin/Darwin/roxctl${arch}"
    Copy to Clipboard Toggle word wrap

  3. Remove all extended attributes from the binary: 

    $ xattr -c roxctl
    Copy to Clipboard Toggle word wrap

  4. Make the roxctl binary executable: 

    $ chmod +x roxctl
    Copy to Clipboard Toggle word wrap

  5. Place the roxctl binary in a directory that is on your PATH:

    To check your PATH, execute the following command: 

    $ echo $PATH
    Copy to Clipboard Toggle word wrap

Verification

  • Verify the roxctl version you have installed: 

    $ roxctl version
    Copy to Clipboard Toggle word wrap

2.3.2.3. Installing the roxctl CLI on Windows
Copiar o link

You can install the roxctl CLI binary on Windows by using the following procedure.

Note

roxctl CLI for Windows is available for the amd64 architecture.

Procedure

  • Download the roxctl CLI: 

    $ curl -f -O https://mirror.openshift.com/pub/rhacs/assets/4.9.0/bin/Windows/roxctl.exe
    Copy to Clipboard Toggle word wrap

Verification

  • Verify the roxctl version you have installed: 

    $ roxctl version
    Copy to Clipboard Toggle word wrap

2.3.3. Running the roxctl CLI from a container
Copiar o link

The roxctl client is the default entry point in the RHACS roxctl image. To run the roxctl client in a container image:

Prerequisites

  • You must first generate an authentication token from the RHACS portal.

Procedure

  1. Log in to the registry.redhat.io registry. 

    $ docker login registry.redhat.io
    Copy to Clipboard Toggle word wrap

  2. Pull the latest container image for the roxctl CLI. 

    $ docker pull registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:4.9.0
    Copy to Clipboard Toggle word wrap

After you install the CLI, you can run it by using the following command: 

$ docker run -e ROX_API_TOKEN=$ROX_API_TOKEN \
  -it registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:4.9.0 \
  -e $ROX_CENTRAL_ADDRESS <command>
Copy to Clipboard Toggle word wrap
Note

In Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service), when using roxctl commands that require the Central address, use the Central instance address as displayed in the Instance Details section of the Red Hat Hybrid Cloud Console. For example, use acs-ABCD12345.acs.rhcloud.com instead of acs-data-ABCD12345.acs.rhcloud.com.

Verification

  • Verify the roxctl version you have installed. 

    $ docker run -it registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:4.9.0 version
    Copy to Clipboard Toggle word wrap

2.4. Integrating with your CI pipeline
Copiar o link

After you have finished these procedures, the next step is to integrate with your CI pipeline.

Each CI system might require a slightly different configuration.

2.4.1. Using Jenkins
Copiar o link

Use the StackRox Container Image Scanner Jenkins plugin for integrating with Jenkins. You can use this plugin in both Jenkins freestyle projects and pipelines.

2.4.2. Using CircleCI
Copiar o link

You can integrate Red Hat Advanced Cluster Security for Kubernetes with CircleCI.

Prerequisites

  • You have a token with read and write permissions for the Image resource.
  • You have a username and password for your Docker Hub account.

Procedure

  1. Log in to CircleCI and open an existing project or create a new project.
  2. Click Project Settings.
  3. Click Environment variables.

  4. Click Add variable and create the following three environment variables:

    • Name: STACKROX_CENTRAL_HOST - The DNS name or IP address of Central.
    • Name: ROX_API_TOKEN - The API token to access Red Hat Advanced Cluster Security for Kubernetes.
    • Name: DOCKERHUB_PASSWORD - The password for your Docker Hub account.
    • Name: DOCKERHUB_USER - The username for your Docker Hub account.
  5. Create a directory called .circleci in the root directory of your local code repository for your selected project, if you do not already have a CircleCI configuration file.

  6. Create a config.yml configuration file with the following lines in the .circleci directory: 

    version: 2
jobs:
  check-policy-compliance:
    docker:
      - image: 'circleci/node:latest'
        auth:
          username: $DOCKERHUB_USER
          password: $DOCKERHUB_PASSWORD
    steps:
      - checkout
      - run:
          name: Install roxctl
          command: |
              curl -H "Authorization: Bearer $ROX_API_TOKEN" https://$STACKROX_CENTRAL_HOST:443/api/cli/download/roxctl-linux -o roxctl && chmod +x ./roxctl
      - run:
          name: Scan images for policy deviations and vulnerabilities
          command: |
              ./roxctl image check --endpoint "$STACKROX_CENTRAL_HOST:443" --image "<your_registry/repo/image_name>"
    1 
    
      - run:
          name: Scan deployment files for policy deviations
          command: |
              ./roxctl image check --endpoint "$STACKROX_CENTRAL_HOST:443" --image "<your_deployment_file>"
    2 
    
              # Important note: This step assumes the YAML file you'd like to test is located in the project.
workflows:
  version: 2
  build_and_test:
    jobs:
      - check-policy-compliance
    Copy to Clipboard Toggle word wrap
    1
    Replace <your_registry/repo/image_name> with your registry and image path.
    2
    Replace <your_deployment_file> with the path to your deployment file.
    Note

    If you already have a config.yml file for CircleCI in your repository, add a new jobs section with the specified details in your existing configuration file.

  7. After you commit the configuration file to your repository, go to the Jobs queue in your CircleCI dashboard to verify the build policy enforcement.
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat