This repository has been archived by the owner on Aug 29, 2024. It is now read-only.
AQUAServiceDefinition.md
---
description: The Aqua Cloud Service Definition outlines roles and responsibilities for operating the service.
resourceType: Documentation
title: BC Government Aqua Cloud Service Definition
tags:
  - security
  - container scanning
---

# BC Government Aqua Service Definition

## Service Description

### Summary

The Aqua Cloud service is a security tool that helps secure images and containers by scanning them for vulnerabilities. It can also audit and enforce security policies. Read more about Aqua here.

### Features & Functions

The first iteration of the Aqua Vulnerability Scanning Service on the OpenShift 4 Platform includes container scanning only. At this time, access to the scanning UI is limited to the Platform Services Team (contact our Security Architect Nick Corcoran at [email protected] to scan your namespaces). The Aqua Service on the Platform is currently running in audit mode, producing vulnerability scan results for manual remediation by the product team; enforcement mode is not enabled at this time.

We are working on opening developer access to the Aqua CLI, which will allow product teams to integrate Aqua scanning into their app's CI/CD pipeline (coming in summer 2021). Developer access to the Aqua UI will be rolled out in fall 2021.
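The audit-versus-enforcement distinction above, and the CI/CD pipeline integration the team is working toward, can be illustrated with a small policy gate. The following is an added example, not code from the BC Government platform team or from Aqua: the scan report format, the image name and the vulnerability identifiers are constructed for this example and do not reflect Aqua's actual report schema or CLI. In audit mode the gate only reports findings at or above a severity threshold (the current state of the service, where remediation is manual); in enforce mode the same findings fail the pipeline step.

```python
"""Audit-vs-enforce policy gate for container image scan results.

Added example; not code from the BC Government platform team or from Aqua.
The report format below is constructed for illustration only.
"""
import json
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample scan report (hypothetical schema, hypothetical IDs).
SAMPLE_REPORT = json.dumps({
    "image": "example.registry/team-a/api:1.4.2",
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "package": "openssl", "severity": "critical", "fix_version": "1.1.1k"},
        {"id": "EXAMPLE-0002", "package": "libxml2", "severity": "high", "fix_version": None},
        {"id": "EXAMPLE-0003", "package": "bash", "severity": "medium", "fix_version": "5.1"},
        {"id": "EXAMPLE-0004", "package": "zlib", "severity": "low", "fix_version": None},
    ],
})

# Ordering used to compare a finding against the policy threshold.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    severity: str
    fix_version: Optional[str]  # None when no fixed package version is known


def parse_report(text: str) -> List[Finding]:
    """Parse the constructed JSON report into Finding records, rejecting unknown severities."""
    data = json.loads(text)
    findings: List[Finding] = []
    for v in data.get("vulnerabilities", []):
        sev = str(v.get("severity", "negligible")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for {v.get('id')}")
        findings.append(Finding(v["id"], v["package"], sev, v.get("fix_version")))
    return findings


def policy_violations(findings: List[Finding], threshold: str = "high",
                      fixable_only: bool = False) -> List[Finding]:
    """Findings at or above the threshold; optionally only those with a known fix."""
    floor = SEVERITY_RANK[threshold]
    return [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= floor and (f.fix_version is not None or not fixable_only)
    ]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the report is useful even when nothing is blocked."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


def evaluate(report_text: str, mode: str = "audit", threshold: str = "high",
             fixable_only: bool = False) -> dict:
    """Decide the pipeline outcome.

    audit   -> violations are reported, exit code stays 0 (manual remediation)
    enforce -> violations block the step with exit code 1
    """
    if mode not in ("audit", "enforce"):
        raise ValueError(f"mode must be 'audit' or 'enforce', got {mode!r}")
    findings = parse_report(report_text)
    hits = policy_violations(findings, threshold, fixable_only)
    if not hits:
        action = "pass"
    elif mode == "audit":
        action = "report"
    else:
        action = "block"
    return {
        "action": action,
        "exit_code": 1 if action == "block" else 0,
        "summary": summarize(findings),
        "violations": [f.vuln_id for f in hits],
    }


if __name__ == "__main__":
    # Usage: python gate.py [audit|enforce]  (runs against the constructed sample report)
    result = evaluate(SAMPLE_REPORT, mode=sys.argv[1] if len(sys.argv) > 1 else "audit")
    print(json.dumps(result, indent=2))
    sys.exit(result["exit_code"])
```

Switching a team from audit to enforce is then a one-word change in the pipeline step rather than a new integration, and the `fixable_only` option shows one common way to phase enforcement in: block only on findings that the team can actually remediate by upgrading a package.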

The Aqua architecture comprises several components:

  1. Aqua Enforcers installed on each node of the Silver Openshift 4 cluster
  2. A front end service that allows interacting with the Aqua API as well as the console
  3. Scanners to offload image scanning from the front end service

### Eligibility & Prerequisites

This service is offered to BC Government development teams building cloud native applications on the Openshift 4 Platform.

### Availability

This service is available 24/7, with best effort to restart failed systems. We address incidents, issues and requests between 5pm and 9am, Monday to Friday, excluding statutory holidays.

The service is not highly available yet.

More detailed SLAs are being developed and will be added in the near future.

## How do I get help? (help and self service)

### Getting Help

The best source of help is the vibrant community of development teams using Aqua for their projects. Contact @NickCorcoran to run a vulnerability scan for your namespaces and to learn how to address the vulnerabilities found.

You can find this highly talented and knowledgeable group in the #devops-aqua channel on RocketChat.

For urgent help beyond this, contact one of the Aqua administrators via the #devops-sos channel on RocketChat.

## What Does It Cost?

For you, my friend, there is no charge for this service.

## Support Roles, Processes, Communications (platform ops)

RocketChat is the primary mode of communication. Specifically, the #devops-aqua channel should be used for discussions pertaining to this service.

For cluster-wide service notifications that may impact Aqua availability, monitor the #devops-alerts channel in RocketChat.

For teams without RocketChat access, please refer to RC Registration Process, or to talk to a person IRL contact Olena Mitovska, Product Owner for Platform Services, BCDevExchange, Office of the Chief Information Officer.

### Change Management

Any service change will be communicated via the #devops-aqua and #devops-alerts RocketChat channels.

### Service Improvements

The Aqua Service is in a period of rapid development. Some of our roadmap items include:

- developer access to the Aqua UI for better UX when accessing scan results
- developer access to the Aqua CLI to enable CI/CD pipeline integration
- deploy Aqua in active-active (HA) mode
- create training materials to be delivered in future OCP 20x workshops

## Service Level

TBD

## Security Reviews

The Aqua Service is covered by the existing OpenShift PIA and has a completed STRA (contact Nick Corcoran if you need a copy).