Integrating Red Hat Advanced Cluster Security for Kubernetes
Chapter 1. Integrating with image registries
Red Hat Advanced Cluster Security for Kubernetes integrates with a variety of image registries so that you can understand your images and apply security policies for image usage.
When you integrate with image registries, you can view important image details, such as image creation date and Dockerfile details (including image layers).
After you integrate Red Hat Advanced Cluster Security for Kubernetes with your registry, you can scan images, view image components, or apply security policies before you deploy images or to existing images that are already deployed in your clusters.
When you integrate with an image registry, Red Hat Advanced Cluster Security for Kubernetes does not scan all images in your registry. Red Hat Advanced Cluster Security for Kubernetes only scans the images when you:
- Use the images in deployments
- Use the roxctl CLI to check images
- Use a continuous integration (CI) system to enforce security policies
You can integrate Red Hat Advanced Cluster Security for Kubernetes with major image registries, including:
- Amazon Elastic Container Registry (ECR)
- Docker Hub
- Docker Trusted Registry
- Google Container Registry (GCR)
- Google Artifact Registry
- IBM Cloud Container Registry (ICR)
- JFrog Artifactory
- Microsoft Azure Container Registry (ACR)
- Red Hat Quay
- Red Hat container registries
- Sonatype Nexus
- Tenable.io
- Any other registry that uses the Docker Registry HTTP API
1.1. Automatic Configuration
Red Hat Advanced Cluster Security for Kubernetes includes default integrations with standard registries, such as Docker Hub and others. It can also automatically configure integrations based on artifacts found in the monitored clusters, such as image pull secrets. Usually, you do not need to configure registry integrations manually.
If you are using a GCR registry, Red Hat Advanced Cluster Security for Kubernetes does not create a registry integration automatically.
1.2. Amazon ECR integrations
For Amazon ECR integrations, Red Hat Advanced Cluster Security for Kubernetes automatically generates ECR registry integrations if the following conditions are met:
- The cloud provider for the cluster is AWS.
- The nodes in your cluster have an Instance Identity and Access Management (IAM) Role association and the Instance Metadata Service is available in the nodes. For example, when using Amazon Elastic Kubernetes Service (EKS) to manage your cluster, this role is known as the EKS Node IAM role.
- The Instance IAM role has IAM policies granting access to the ECR registries from which you are deploying.
If the listed conditions are met, Red Hat Advanced Cluster Security for Kubernetes monitors deployments that pull from ECR registries and automatically generates ECR integrations for them. You can edit these integrations after they are automatically generated.
1.3. Manually configuring image registries
If you are using GCR, you must manually create image registry integrations.
1.3.1. Manually configuring OpenShift Container Platform registry
You can integrate Red Hat Advanced Cluster Security for Kubernetes with OpenShift Container Platform built-in container image registry.
Prerequisites
- You need a username and a password for authentication with the OpenShift Container Platform registry.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Generic Docker Registry.
- Click New integration.
- Enter the details for the following fields:
  - Integration name: The name of the integration.
  - Endpoint: The address of the registry.
  - Username and Password.
- If you are not using a TLS certificate when connecting to the registry, select Disable TLS certificate validation (insecure).
- Select Create integration without testing to create the integration without testing the connection to the registry.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
1.3.2. Manually configuring Amazon Elastic Container Registry
You can use Red Hat Advanced Cluster Security for Kubernetes to create and modify Amazon Elastic Container Registry (ECR) integrations manually. If you are deploying from Amazon ECR, integrations for the Amazon ECR registries are usually automatically generated. However, you might want to create integrations on your own to scan images outside deployments. You can also modify the parameters of an automatically-generated integration. For example, you can change the authentication method used by an automatically-generated Amazon ECR integration to use AssumeRole authentication or other authorization models.
To erase changes you made to an automatically-generated ECR integration, delete the integration, and Red Hat Advanced Cluster Security for Kubernetes creates a new integration for you with the automatically-generated parameters when you deploy images from Amazon ECR.
Prerequisites
- You must have an Amazon Identity and Access Management (IAM) access key ID and a secret access key. Alternatively, you can use a node-level IAM proxy such as kiam or kube2iam.
- The access key must have read access to ECR. See How do I create an AWS access key? for more information.
- If you are running Red Hat Advanced Cluster Security for Kubernetes in Amazon Elastic Kubernetes Service (EKS) and want to integrate with an ECR from a separate Amazon account, you must first set a repository policy statement in your ECR. Follow the instructions at Setting a repository policy statement and, for Actions, choose the following scopes of the Amazon ECR API operations:
  - ecr:BatchCheckLayerAvailability
  - ecr:BatchGetImage
  - ecr:DescribeImages
  - ecr:GetDownloadUrlForLayer
  - ecr:ListImages
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Amazon ECR.
- Click New integration, or click one of the automatically-generated integrations to open it, then click Edit.
- Enter or modify the details for the following fields:
  - Update stored credentials: Clear this box if you are modifying an integration without updating the credentials, such as access keys and passwords.
  - Integration name: The name of the integration.
  - Registry ID: The ID of the registry.
  - Endpoint: The address of the registry. This field is not enabled when the AssumeRole option is selected.
  - Region: The region for the registry; for example, us-west-1.
- If you are using IAM, select Use Container IAM role. Otherwise, clear the Use Container IAM role box and enter the Access key ID and Secret access key.
- If you are using AssumeRole authentication, select Use AssumeRole and enter the details for the following fields:
  - AssumeRole ID: The ID of the role to assume.
  - AssumeRole External ID (optional): If you are using an external ID with AssumeRole, you can enter it here.
- Select Create integration without testing to create the integration without testing the connection to the registry.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
1.3.2.1. Using AssumeRole with Amazon ECR
You can use AssumeRole to grant access to AWS resources without manually configuring each user’s permissions. Instead, you can define a role with the desired permissions, and the user is granted access to assume that role. AssumeRole enables you to grant, revoke, or otherwise generally manage more fine-grained permissions.
1.3.2.1.1. Configuring AssumeRole with container IAM
Before you can use AssumeRole with Red Hat Advanced Cluster Security for Kubernetes, you must first configure it.
Procedure
- Enable the IAM OIDC provider for your EKS cluster:
  $ eksctl utils associate-iam-oidc-provider --cluster <cluster name> --approve
- Create an IAM role for your EKS cluster.
- Associate the newly created role with a service account:
  $ kubectl -n stackrox annotate sa central eks.amazonaws.com/role-arn=arn:aws:iam::67890:role/<role-name>
- Restart Central to apply the changes:
  $ kubectl -n stackrox delete pod -l app=central
- Assign the role to a policy that allows the role to assume another role as required. In the policy, replace <assumerole-readonly> with the role you want to assume.
- Update the trust relationship for the role you want to assume. The <role-name> in the trust relationship should match the new role you created earlier.
 
1.3.2.1.2. Configuring AssumeRole without container IAM
To use AssumeRole without container IAM, you must use an access and a secret key to authenticate as an AWS user with programmatic access.
Procedure
- Depending on whether the AssumeRole user is in the same account as the ECR registry or in a different account, you must do one of the following:
  - If the user for which you want to assume the role is in the same account as the ECR registry, create a new role with the desired permissions. Note: When creating the role, you can choose any trusted entity as required. However, you must modify it after creation.
  - If the user is in a different account than the ECR registry, you must provide permissions to access the ECR registry and define its trust relationship. In the policy, replace <assumerole-readonly> with the role you want to assume.
- Configure the trust relationship of the role by including the user ARN under the Principal field.
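The two AssumeRole procedures above (with and without container IAM) refer to policy documents that are not reproduced on this page. The following script is an added example, not part of the Red Hat documentation: it generates the three IAM documents the procedures describe (the permission that lets the Central principal assume a role, the trust relationship of the role being assumed, and read-only ECR permissions for that role) and can apply them with the AWS CLI. The account ID 67890 and the <role-name> and <assumerole-readonly> placeholders are taken from the procedure; CENTRAL_PRINCIPAL_ARN, TARGET_ROLE, EXTERNAL_ID and APPLY are this script's own variables. Set CENTRAL_PRINCIPAL_ARN to the Central role ARN when using container IAM, or to the IAM user ARN when using access keys. The ECR actions are the ones listed in the prerequisites plus ecr:GetAuthorizationToken, which any registry client needs in order to obtain a login token.

```shell
#!/bin/sh
# Added example; not from the Red Hat documentation. Generates the IAM documents for the
# AssumeRole setup and optionally applies them. Account ID 67890 and the <role-name> /
# <assumerole-readonly> placeholders come from the procedure; CENTRAL_PRINCIPAL_ARN,
# TARGET_ROLE, EXTERNAL_ID and APPLY are this script's own (assumed) variables.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-67890}"
# Role annotated on the central service account (container IAM), or an IAM user ARN.
CENTRAL_PRINCIPAL_ARN="${CENTRAL_PRINCIPAL_ARN:-arn:aws:iam::${ACCOUNT_ID}:role/<role-name>}"
TARGET_ROLE="${TARGET_ROLE:-<assumerole-readonly>}"
EXTERNAL_ID="${EXTERNAL_ID:-}"   # optional; must match "AssumeRole External ID" in RHACS

# Permission policy for the Central principal: it may assume exactly one role, nothing else.
assume_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::${ACCOUNT_ID}:role/${TARGET_ROLE}"
  }]
}
EOF
}

# Trust relationship of the role being assumed: only the Central principal may assume it,
# and only with the external ID when one is configured (the confused-deputy guard).
trust_policy() {
  if [ -n "$EXTERNAL_ID" ]; then
    cond=",
    \"Condition\": { \"StringEquals\": { \"sts:ExternalId\": \"${EXTERNAL_ID}\" } }"
  else
    cond=""
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "${CENTRAL_PRINCIPAL_ARN}" },
    "Action": "sts:AssumeRole"${cond}
  }]
}
EOF
}

# Read-only ECR permissions for the assumed role: the actions from the prerequisites plus
# ecr:GetAuthorizationToken, which is needed to obtain a registry login token.
ecr_read_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ecr:GetAuthorizationToken",
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:DescribeImages",
      "ecr:GetDownloadUrlForLayer",
      "ecr:ListImages"
    ],
    "Resource": "*"
  }]
}
EOF
}

# Apply the documents with the AWS CLI. This assumes the Central principal is a role;
# for an IAM user, attach assume_policy with `aws iam put-user-policy` instead.
apply_policies() {
  central_role="${CENTRAL_PRINCIPAL_ARN##*:role/}"
  aws iam put-role-policy --role-name "$central_role" \
    --policy-name AllowAssumeEcrReader --policy-document "$(assume_policy)"
  aws iam update-assume-role-policy --role-name "$TARGET_ROLE" \
    --policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$TARGET_ROLE" \
    --policy-name EcrReadOnly --policy-document "$(ecr_read_policy)"
}

# Print the documents for review by default; set APPLY=1 to push them to AWS.
if [ "${APPLY:-0}" = 1 ]; then
  apply_policies
else
  assume_policy; trust_policy; ecr_read_policy
fi
```

Run it once without APPLY to review the generated JSON, then with `APPLY=1` (and, if you set an external ID in the RHACS integration, the same value in `EXTERNAL_ID`) to apply it. Keeping the trust policy scoped to a single principal and the permission policy scoped to a single target role is what makes AssumeRole a least-privilege mechanism rather than a blanket grant.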
1.3.2.1.3. Configuring AssumeRole in RHACS
After configuring AssumeRole in ECR, you can integrate Red Hat Advanced Cluster Security for Kubernetes with Amazon Elastic Container Registry (ECR) by using AssumeRole.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Amazon ECR.
- Click New Integration.
- Enter the details for the following fields:
  - Integration Name: The name of the integration.
  - Registry ID: The ID of the registry.
  - Region: The region for the registry; for example, us-west-1.
- If you are using IAM, select Use container IAM role. Otherwise, clear the Use custom IAM role box and enter the Access key ID and Secret access key.
- If you are using AssumeRole, select Use AssumeRole and enter the details for the following fields:
  - AssumeRole ID: The ID of the role to assume.
  - AssumeRole External ID (optional): If you are using an external ID with AssumeRole, you can enter it here.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
1.3.3. Manually configuring Google Container Registry
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Google Container Registry (GCR).
Prerequisites
- You must have a service account key.
- The associated service account must have access to the registry. See Configuring access control for information about granting users and other projects access to GCR.
- If you are using GCR Container Analysis, you must also grant the following roles to the service account:
  - Container Analysis Notes Viewer
  - Container Analysis Occurrences Viewer
  - Storage Object Viewer
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Google Container Registry.
- Click New integration.
- Enter the details for the following fields:
  - Integration name: The name of the integration.
  - Type: Select Registry.
  - Registry Endpoint: The address of the registry.
  - Project: The Google Cloud project name.
  - Service account key (JSON): Your service account key for authentication.
- Select Create integration without testing to create the integration without testing the connection to the registry.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
1.3.4. Manually configuring Google Artifact Registry
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Google Artifact Registry.
Prerequisites
- You need a service account key with the Artifact Registry Reader Identity and Access Management (IAM) role, roles/artifactregistry.reader.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Google Artifact Registry.
- Click New integration.
- Enter the details for the following fields:
  - Integration name: The name of the integration.
  - Registry endpoint: The address of the registry.
  - Project: The Google Cloud project name.
  - Service account key (JSON): Your service account key for authentication.
- Select Create integration without testing to create the integration without testing the connection to the registry.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
1.3.5. Manually configuring Microsoft Azure Container Registry
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Microsoft Azure Container Registry.
Prerequisites
- You must have a username and a password for authentication.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Microsoft Azure Container Registry.
- Click New integration.
- Enter the details for the following fields:
  - Integration name: The name of the integration.
  - Endpoint: The address of the registry.
  - Username and Password.
- Select Create integration without testing to create the integration without testing the connection to the registry.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
1.3.6. Manually configuring JFrog Artifactory
You can integrate Red Hat Advanced Cluster Security for Kubernetes with JFrog Artifactory.
Prerequisites
- You must have a username and a password for authentication with JFrog Artifactory.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select JFrog Artifactory.
- Click New integration.
- Enter the details for the following fields:
  - Integration name: The name of the integration.
  - Endpoint: The address of the registry.
  - Username and Password.
- If you are not using a TLS certificate when connecting to the registry, select Disable TLS certificate validation (insecure).
- Select Create integration without testing to create the integration without testing the connection to the registry.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
1.3.7. Manually configuring Docker Trusted Registry
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Docker Trusted Registry.
Prerequisites
- You must have a username and a password for authentication with the Docker Trusted Registry.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Docker Trusted Registry.
- Click New integration.
- Enter the details for the following fields:
  - Integration name: The name of the integration.
  - Type: Select Registry.
  - Endpoint: The address of the registry.
  - Username and Password.
- If you are not using a TLS certificate when connecting to the registry, select Disable TLS certificate validation (insecure).
- Select Create integration without testing to create the integration without testing the connection to the registry.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
1.3.8. Manually configuring Quay Container Registry
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Quay Container Registry.
Prerequisites
- You must have an OAuth token for authentication with the Quay Container Registry.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Red Hat Quay.io.
- Click New integration.
- Enter the details for the following fields:
  - Integration name: The name of the integration.
  - Type: Select Registry.
  - Endpoint: The address of the registry.
  - OAuth Token.
- If you are not using a TLS certificate when connecting to the registry, select Disable TLS certificate validation (insecure).
- Select Create integration without testing to create the integration without testing the connection to the registry.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
1.3.9. Manually configuring IBM Cloud Container Registry
You can integrate Red Hat Advanced Cluster Security for Kubernetes with IBM Cloud Container Registry.
Prerequisites
- You must have an API key for authentication with the IBM Cloud Container Registry.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select IBM Cloud Container Registry.
- Click New integration.
- Enter the details for the following fields:
  - Integration name: The name of the integration.
  - Endpoint: The address of the registry.
  - API key.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
1.3.10. Manually configuring Red Hat Container Registry
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Red Hat Container Registry.
Prerequisites
- You must have a username and a password for authentication with the Red Hat Container Registry.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Red Hat Registry.
- Click New integration.
- Enter the details for the following fields:
  - Integration name: The name of the integration.
  - Endpoint: The address of the registry.
  - Username and Password.
- Select Create integration without testing to create the integration without testing the connection to the registry.
- Select Test to test that the integration with the selected registry is working.
- Select Save.
Chapter 2. Integrating with CI systems
Red Hat Advanced Cluster Security for Kubernetes (RHACS) integrates with a variety of continuous integration (CI) products and allows you to apply build-time and deploy-time security rules before you deploy images.
Red Hat Advanced Cluster Security for Kubernetes integrates into CI pipelines after images are built and pushed to a registry. Pushing the image first allows developers to continue testing their artifacts while dealing with any policy violations alongside any other CI test failures, linter violations, or other problems.
If possible, you should configure the version control system to block pull or merge requests from being merged if the build stage, which includes Red Hat Advanced Cluster Security for Kubernetes checks, fails.
The integration with your CI product functions by contacting your Red Hat Advanced Cluster Security for Kubernetes installation to check whether the image complies with build-phase policies you have configured. If there are policy violations, a detailed message is displayed on the console log, including the policy description, rationale, and remediation instructions. Each policy includes an optional enforcement setting; if you mark a policy for build-phase enforcement, failure of that policy causes the client to exit with a nonzero error code.
To integrate Red Hat Advanced Cluster Security for Kubernetes with your CI system, follow these steps:
- Configure build policies.
- Configure a registry integration.
- Configure access to your Red Hat Advanced Cluster Security for Kubernetes instance.
- Integrate with your CI pipeline.
2.1. Configuring build policies
To check Red Hat Advanced Cluster Security for Kubernetes policies during builds, you must first configure policies that apply to the build phase of the container lifecycle. And then you must integrate with the registry that images are pushed to during the build.
2.1.1. Checking existing build-phase policies
Use the RHACS portal to check any existing build-phase policies that you have configured in Red Hat Advanced Cluster Security for Kubernetes.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Policies.
- Use global search to search for Lifecycle Stage:Build.
2.1.2. Creating a new system policy
In addition to using the default policies, you can also create custom policies in Red Hat Advanced Cluster Security for Kubernetes.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Policies.
- Click + New Policy.
- Enter the Name for the policy.
- Select a Severity level for the policy: Critical, High, Medium, or Low.
- Choose the Lifecycle Stages for which the policy is applicable, from Build, Deploy, or Runtime. You can select more than one stage. Note: If you create a new policy for integrating with a CI system, select Build as the lifecycle stage.
  - Build-time policies apply to image fields such as CVEs and Dockerfile instructions.
  - Deploy-time policies can include all build-time policy criteria. They can also have data from your cluster configurations, such as running in privileged mode or mounting the Docker daemon socket.
  - Runtime policies can include all build-time and deploy-time policy criteria, as well as data about process executions during runtime.
- Enter information about the policy in the Description, Rationale, and Remediation fields. When CI validates the build, the data from these fields is displayed. Therefore, include all information explaining the policy.
- Select a category from the Categories drop-down menu.
- Select a notifier from the Notifications drop-down menu that receives alert notifications when a violation occurs for this policy. Note: You must integrate Red Hat Advanced Cluster Security for Kubernetes with your notification providers, such as webhooks, Jira, or PagerDuty, to receive alert notifications. Notifiers only show up if you have integrated any notification providers with Red Hat Advanced Cluster Security for Kubernetes.
- Use Restrict to Scope to enable this policy only for a specific cluster, namespace, or label. You can add multiple scopes and also use regular expressions in RE2 Syntax for namespaces and labels.
- Use Exclude by Scope to exclude deployments, clusters, namespaces, and labels. This field indicates that the policy will not apply to the entities that you specify. You can add multiple scopes and also use regular expressions in RE2 Syntax for namespaces and labels. However, you cannot use regular expressions for selecting deployments.
- For Excluded Images (Build Lifecycle only), select all the images from the list for which you do not want to trigger a violation for the policy. Note: The Excluded Images (Build Lifecycle only) setting only applies when you check images in a continuous integration system (the Build lifecycle stage). It does not have any effect if you use this policy to check running deployments (the Deploy lifecycle stage) or runtime activities (the Runtime lifecycle stage).
- In the Policy Criteria section, configure the attributes that will trigger the policy.
- Select Next on the panel header.
- The new policy panel shows a preview of the violations that are triggered if you enable the policy.
- Select Next on the panel header.
- Choose the enforcement behavior for the policy. Enforcement settings are only available for the stages that you selected for the Lifecycle Stages option. Select ON to enforce the policy and report a violation. Select OFF to only report a violation. Note: The enforcement behavior is different for each lifecycle stage.
  - For the Build stage, Red Hat Advanced Cluster Security for Kubernetes fails your CI builds when images match the conditions of the policy.
  - For the Deploy stage, Red Hat Advanced Cluster Security for Kubernetes blocks the creation of deployments that match the conditions of the policy. In clusters with admission controller enforcement, the Kubernetes or OpenShift Container Platform API server blocks all noncompliant deployments. In other clusters, Red Hat Advanced Cluster Security for Kubernetes edits noncompliant deployments to prevent pods from being scheduled.
  - For the Runtime stage, Red Hat Advanced Cluster Security for Kubernetes stops all pods that match the conditions of the policy.
  Warning: Policy enforcement can impact running applications or development processes. Before you enable enforcement options, inform all stakeholders and plan how to respond to the automated enforcement actions.
2.2. Configuring registry integration
To scan images, you must provide Red Hat Advanced Cluster Security for Kubernetes with access to the image registry you are using in your build pipeline.
2.2.1. Checking for existing registry integration
You can use the RHACS portal to check if you have already integrated with a registry.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integration section, look for highlighted Registry tiles. The tiles also list the number of items already configured for that tile.
If none of the Registry tiles are highlighted, you must first integrate with an image registry.
2.3. Configuring access
Red Hat Advanced Cluster Security for Kubernetes provides a command-line interface (CLI), roxctl, to make it easy to integrate Red Hat Advanced Cluster Security for Kubernetes policies into your build pipeline. The roxctl CLI prints detailed information about problems and how to fix them so that developers can maintain high standards in the early phases of the container lifecycle.
To securely authenticate to the Red Hat Advanced Cluster Security for Kubernetes API server, you must create an API token.
2.3.1. Authenticating using the roxctl CLI
For authentication, you can use an authentication token or your administrator password. Red Hat recommends using an authentication token in a production environment because each token is assigned specific access control permissions.
Use the following steps to generate an authentication token.
Procedure
- Navigate to the RHACS portal.
- Go to Platform Configuration → Integrations.
- Scroll down to the Authentication Tokens category, and click API Token.
- Click Generate Token.
- Enter a name for the token and select a role that provides the required level of access (for example, Continuous Integration or Sensor Creator).
- Click Generate. Important: Copy the generated token and securely store it. You will not be able to view it again.
After you have generated the authentication token, export it as the ROX_API_TOKEN variable:
$ export ROX_API_TOKEN=<api_token>
You can also save the token in a file and use it with the --token-file option. For example:
$ roxctl central debug dump --token-file <token_file>
- You cannot use both the --password (-p) and the --token-file options simultaneously.
- If you have already set the ROX_API_TOKEN variable and specify the --token-file option, the roxctl CLI uses the specified token file for authentication.
- If you have already set the ROX_API_TOKEN variable and specify the --password option, the roxctl CLI uses the specified password for authentication.
2.3.2. Installing the roxctl CLI by downloading the binary
You can install the roxctl CLI to interact with Red Hat Advanced Cluster Security for Kubernetes from a command-line interface. You can install roxctl on Linux, Windows, or macOS.
2.3.2.1. Installing the roxctl CLI on Linux
You can install the roxctl CLI binary on Linux by using the following procedure.
Procedure
- Download the latest version of the roxctl CLI:
  $ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.70.2/bin/Linux/roxctl
- Make the roxctl binary executable:
  $ chmod +x roxctl
- Place the roxctl binary in a directory that is on your PATH. To check your PATH, execute the following command:
  $ echo $PATH
Verification
- Verify the roxctl version you have installed:
  $ roxctl version
2.3.2.2. Installing the roxctl CLI on macOS
You can install the roxctl CLI binary on macOS by using the following procedure.
Procedure
- Download the latest version of the roxctl CLI:
  $ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.70.2/bin/Darwin/roxctl
- Remove all extended attributes from the binary:
  $ xattr -c roxctl
- Make the roxctl binary executable:
  $ chmod +x roxctl
- Place the roxctl binary in a directory that is on your PATH. To check your PATH, execute the following command:
  $ echo $PATH
Verification
- Verify the roxctl version you have installed:
  $ roxctl version
2.3.2.3. Installing the roxctl CLI on Windows
You can install the roxctl CLI binary on Windows by using the following procedure.
Procedure
- Download the latest version of the roxctl CLI:
  $ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.70.2/bin/Windows/roxctl.exe
Verification
- Verify the roxctl version you have installed:
  $ roxctl version
2.3.3. Running the roxctl CLI from a container
					The roxctl client is the default entry point in Red Hat Advanced Cluster Security for Kubernetes roxctl image. To run the roxctl client in a container image:
				
Procedure
- Log in to the - registry.redhat.ioregistry.- docker login registry.redhat.io - $ docker login registry.redhat.io- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Pull the latest container image for the - roxctlCLI.- docker pull registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:3.70.2 - $ docker pull registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:3.70.2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
After you install the CLI, you can run it by using the following command:
docker run -e ROX_API_TOKEN=$ROX_API_TOKEN \ -it registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:3.70.2 \ -e $ROX_CENTRAL_ADDRESS <command>
$ docker run -e ROX_API_TOKEN=$ROX_API_TOKEN \
  -it registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:3.70.2 \
  -e $ROX_CENTRAL_ADDRESS <command>Verification
- Verify the roxctl version you have installed.
    $ docker run -it registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:3.70.2 version
2.4. Integrating with your CI pipeline
After you have finished these procedures, the next step is to integrate with your CI pipeline.
Each CI system might require a slightly different configuration.
2.4.1. Using Jenkins
Use the StackRox Container Image Scanner Jenkins plugin for integrating with Jenkins. You can use this plugin in both Jenkins freestyle projects and pipelines.
2.4.2. Using CircleCI
You can integrate Red Hat Advanced Cluster Security for Kubernetes with CircleCI.
Prerequisites
- You have a token with read and write permissions for the Image resource.
- You have a username and password for your Docker Hub account.
Procedure
- Log in to CircleCI and open an existing project or create a new project.
- Click Project Settings.
- Click Environment variables.
- Click Add variable and create the following environment variables:
    - Name: STACKROX_CENTRAL_HOST - The DNS name or IP address of Central.
    - Name: ROX_API_TOKEN - The API token to access Red Hat Advanced Cluster Security for Kubernetes.
    - Name: DOCKERHUB_PASSWORD - The password for your Docker Hub account.
    - Name: DOCKERHUB_USER - The username for your Docker Hub account.
- Create a directory called .circleci in the root directory of your local code repository for your selected project, if you do not already have a CircleCI configuration file.
- Create a config.yml configuration file with the following lines in the .circleci directory:
  Note: If you already have a config.yml file for CircleCI in your repository, add a new jobs section with the specified details in your existing configuration file.
- After you commit the configuration file to your repository, navigate to the Jobs queue in your CircleCI dashboard to verify the build policy enforcement.
Chapter 3. Integrating with PagerDuty
If you are using PagerDuty, you can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to PagerDuty.
The following steps represent a high-level workflow for integrating Red Hat Advanced Cluster Security for Kubernetes with PagerDuty:
- Add a new API service in PagerDuty and get the integration key.
- Use the integration key to set up notifications in Red Hat Advanced Cluster Security for Kubernetes.
- Identify the policies you want to send notifications for, and update the notification settings for those policies.
3.1. Configuring PagerDuty
Start integrating with PagerDuty by creating a new service and by getting the integration key.
Procedure
- Navigate to Configuration → Services.
- Select Add Services.
- Under General Settings, specify a Name and Description.
- Under Integration Setting, click Use our API Directly with Events v2 API selected for the Integration Type drop-down menu.
- Under Incident Settings, select an Escalation Policy, and configure notification settings and incident timeouts.
- Accept default settings for Incident Behavior and Alert Grouping, or configure them as required.
- Click Add Service.
- From the Service Details page, make note of the Integration Key.
3.2. Configuring Red Hat Advanced Cluster Security for Kubernetes
Create a new integration in Red Hat Advanced Cluster Security for Kubernetes by using the integration key.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the Notifier Integrations section and select PagerDuty.
- Click New Integration (add icon).
- Enter a name for Integration Name.
- Enter the integration key in the PagerDuty integration key field.
- Click Test (checkmark icon) to validate that the integration with PagerDuty is working.
- Click Create (save icon) to create the configuration.
3.3. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Policies.
- Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
- In the Enable notification window, select the PagerDuty notifier.
  Note: If you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
- Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
    - A policy violation occurs for the first time in a deployment.
    - A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.
Chapter 4. Integrating with Slack
If you are using Slack, you can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Slack.
The following steps represent a high-level workflow for integrating Red Hat Advanced Cluster Security for Kubernetes with Slack:
- Create a new Slack app, enable incoming webhooks, and get a webhook URL.
- Use the webhook URL to integrate Slack with Red Hat Advanced Cluster Security for Kubernetes.
- Identify policies for which you want to send notifications, and update the notification settings for those policies.
4.1. Configuring Slack
Start by creating a new Slack app, and get the webhook URL.
Prerequisites
- You need an administrator account or a user account with permissions to create webhooks.
Procedure
- Create a new Slack app:
  Note: If you want to use an existing Slack app, go to https://api.slack.com/apps and select an app.
    - Navigate to https://api.slack.com/apps/new.
    - Enter the App Name and choose a Development Slack Workspace to install your app.
    - Click Create App.
- On the settings page, Basic Information section, select Incoming Webhooks (under Add features and functionality).
- Turn on the Activate Incoming Webhooks toggle.
- Select Add New Webhook to Workspace.
- Choose a channel that the app will post to, and then select Authorize. The page refreshes and you are sent back to your app settings page.
- Copy the webhook URL located in the Webhook URLs for Your Workspace section.
For more details, see the Slack documentation topic, Getting started with Incoming Webhooks.
4.1.1. Sending alerts to different Slack channels
You can configure Red Hat Advanced Cluster Security for Kubernetes to send notifications to different Slack channels so that they directly go to the right team.
Procedure
- After you configure incoming webhooks, add an annotation similar to the following in your deployment YAML file:
    example.com/slack-webhook: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
- Use the annotation key example.com/slack-webhook in the Label/Annotation Key For Slack Webhook field when you configure Red Hat Advanced Cluster Security for Kubernetes.
After the configuration is complete, if a deployment has the annotation that you configured in the YAML file, Red Hat Advanced Cluster Security for Kubernetes sends the alert to the webhook URL you specified for that annotation. Otherwise, it sends the alert to the default webhook URL.
4.2. Configuring Red Hat Advanced Cluster Security for Kubernetes
Create a new integration in Red Hat Advanced Cluster Security for Kubernetes by using the webhook URL.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the Notifier Integrations section and select Slack.
- Click New Integration (add icon).
- Enter a name for Integration Name.
- Enter the generated webhook URL in the Default Slack Webhook field.
- Select Test (checkmark icon) to test that the integration with Slack is working.
- Select Create (save icon) to create the configuration.
4.3. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Policies.
- Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
- In the Enable notification window, select the Slack notifier.
  Note: If you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
- Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
    - A policy violation occurs for the first time in a deployment.
    - A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.
Chapter 5. Integrating by using generic webhooks
With Red Hat Advanced Cluster Security for Kubernetes, you can send alert notifications as JSON messages to any webhook receiver. When a violation occurs, Red Hat Advanced Cluster Security for Kubernetes makes an HTTP POST request on the configured URL. The POST request body includes JSON-formatted information about the alert.
The webhook POST request’s JSON data includes a v1.Alert object and any custom fields that you configure, as shown in the following example:
You can create multiple webhooks. For example, you can create one webhook for receiving all audit logs and another webhook for alert notifications.
To forward alerts from Red Hat Advanced Cluster Security for Kubernetes to any webhook receiver:
- Set up a webhook URL to receive alerts.
- Use the webhook URL to set up notifications in Red Hat Advanced Cluster Security for Kubernetes.
- Identify the policies you want to send notifications for, and update the notification settings for those policies.
5.1. Configuring Red Hat Advanced Cluster Security for Kubernetes
Create a new integration in Red Hat Advanced Cluster Security for Kubernetes by using the webhook URL.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the Notifier Integrations section and select Generic Webhook.
- Click New integration.
- Enter a name for Integration name.
- Enter the webhook URL in the Endpoint field.
- If your webhook receiver uses an untrusted certificate, enter a CA certificate in the CA certificate field. Otherwise, leave it blank.
  Note: The server certificate used by the webhook receiver must be valid for the endpoint DNS name. You can click Skip TLS verification to ignore this validation. Red Hat does not recommend turning off TLS verification: without it, alert data could be intercepted by an unintended recipient.
- Optional: Click Enable audit logging to receive alerts about all the changes made in Red Hat Advanced Cluster Security for Kubernetes.
  Note: Red Hat suggests using separate webhooks for alerts and audit logs to handle these messages differently.
- To authenticate with the webhook receiver, enter details for one of the following:
    - Username and Password for basic HTTP authentication
    - Custom Header, for example: Authorization: Bearer <access_token>
- Use Extra fields to include additional key-value pairs in the JSON object that Red Hat Advanced Cluster Security for Kubernetes sends. For example, if your webhook receiver accepts objects from multiple sources, you can add "source": "rhacs" as an extra field and filter on this value to identify all alerts from Red Hat Advanced Cluster Security for Kubernetes.
- Select Test to send a test message to verify that the integration with your generic webhook is working.
- Select Save to create the configuration.
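As an added example, not code from the RHACS documentation or project, here is a minimal receiver for the generic webhook notifier configured above: it checks the custom Authorization: Bearer header in constant time, rejects bodies that are not JSON objects, filters on the "source": "rhacs" extra field and pulls a short summary out of the v1.Alert object. It assumes the alert sits under a top-level "alert" key with the extra fields merged beside it; the token, hostnames and sample payload are constructed.

```python
"""Added example receiver for the RHACS generic webhook notifier (not project code).

Assumptions: the v1.Alert object is sent under a top-level "alert" key and the
configured extra fields are merged beside it at the top level of the JSON object.
The bearer token, host and sample payload below are constructed for the example.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_TOKEN = "replace-with-a-long-random-token"  # constructed placeholder
EXPECTED_SOURCE = "rhacs"                            # value of the "source" extra field


def check_auth(headers, expected_token=EXPECTED_TOKEN):
    """Validate the custom header 'Authorization: Bearer <access_token>'.

    hmac.compare_digest keeps the comparison constant-time, so a wrong token
    does not reveal how many leading bytes matched through response timing.
    """
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def parse_notification(body):
    """Parse one webhook POST body and return (kind, summary).

    kind is "alert" for a v1.Alert message, "ignored" when the "source" extra
    field does not match or no alert object is present. Raises ValueError for
    bodies that are not JSON objects so the handler can answer 400.
    """
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        raise ValueError("body is not valid JSON")
    if not isinstance(msg, dict):
        raise ValueError("body is not a JSON object")
    # Extra fields are assumed to sit beside the alert at the top level.
    if msg.get("source") != EXPECTED_SOURCE:
        return "ignored", {"reason": "unexpected source", "source": msg.get("source")}
    alert = msg.get("alert")
    if not isinstance(alert, dict):
        return "ignored", {"reason": "no alert object", "keys": sorted(msg)}
    policy = alert.get("policy") or {}
    deployment = alert.get("deployment") or {}
    summary = {
        "id": alert.get("id"),
        "policy": policy.get("name"),
        "severity": policy.get("severity"),
        "deployment": deployment.get("name"),
        "namespace": deployment.get("namespace"),
        "cluster": deployment.get("clusterName"),
    }
    return "alert", summary


class WebhookHandler(BaseHTTPRequestHandler):
    """HTTP endpoint: 401 on bad token, 400 on malformed body, 200 otherwise."""

    def do_POST(self):
        if not check_auth(self.headers):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            kind, summary = parse_notification(body)
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        print(kind, json.dumps(summary))
        self.send_response(200)
        self.end_headers()


# Constructed sample payload, shaped after the v1.Alert fields read above.
SAMPLE_BODY = json.dumps({
    "alert": {
        "id": "00000000-0000-0000-0000-000000000000",
        "policy": {"name": "Latest tag", "severity": "LOW_SEVERITY"},
        "deployment": {"name": "nginx", "namespace": "default", "clusterName": "prod"},
    },
    "source": "rhacs",
}).encode()

if __name__ == "__main__":
    print(parse_notification(SAMPLE_BODY))
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Point the integration's Endpoint at this listener (behind TLS in practice) and set the same token in the Custom Header field; the Test button then exercises the full path.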
5.2. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Policies.
- Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
- In the Enable notification window, select the webhook notifier.
  Note: If you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
- Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
    - A policy violation occurs for the first time in a deployment.
    - A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.
Chapter 6. Integrating with Sumo Logic
If you are using Sumo Logic, you can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Sumo Logic.
The following steps represent a high-level workflow for integrating Red Hat Advanced Cluster Security for Kubernetes with Sumo Logic:
- Add a new Custom App in Sumo Logic, set the HTTP source, and get the HTTP URL.
- Use the HTTP URL to integrate Sumo Logic with Red Hat Advanced Cluster Security for Kubernetes.
- Identify the policies you want to send notifications for, and update the notification settings for those policies.
6.1. Configuring Sumo Logic
Use the Setup Wizard to set up Streaming Data and get the HTTP URL.
Procedure
- Log in to your Sumo Logic Home page and select Setup Wizard.
- Move your cursor over to Set Up Streaming Data and select Get Started.
- On the Select Data Type page, select Your Custom App.
- On the Set Up Collection page, select HTTP Source.
- Enter a name for Source Category, for example, rhacs, and click Continue.
- Copy the generated URL.
6.2. Configuring Red Hat Advanced Cluster Security for Kubernetes
Create a new integration in Red Hat Advanced Cluster Security for Kubernetes by using the HTTP URL.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the Notifier Integrations section and select Sumo Logic.
- Click New Integration (add icon).
- Enter a name for Integration Name.
- Enter the generated HTTP URL in the HTTP Collector Source Address field.
- Click Test (checkmark icon) to test that the integration with Sumo Logic is working.
- Click Create (save icon) to create the configuration.
6.3. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Policies.
- Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
- In the Enable notification window, select the Sumo Logic notifier.
  Note: If you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
- Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
    - A policy violation occurs for the first time in a deployment.
    - A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.
6.4. Viewing alerts in Sumo Logic
You can view alerts from Red Hat Advanced Cluster Security for Kubernetes in Sumo Logic.
- Log in to your Sumo Logic Home page and click Log Search.
- In the search box, enter _sourceCategory=rhacs. Make sure to use the same Source Category name that you entered while configuring Sumo Logic.
- Select the time and then click Start.
Chapter 7. Integrating with Google Cloud Storage
You can integrate with Google Cloud Storage (GCS) to enable data backups. You can use these backups for data restoration in the case of an infrastructure disaster, or corrupt data. After you integrate with GCS, you can schedule daily or weekly backups and do manual on-demand backups.
The backup includes the entire Red Hat Advanced Cluster Security for Kubernetes database, which includes all configurations, resources, events, and certificates. Make sure that backups are stored securely.
If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.53 or older, the backup does not include certificates.
7.1. Configuring Red Hat Advanced Cluster Security for Kubernetes
To configure data backups on Google Cloud Storage (GCS), create an integration in Red Hat Advanced Cluster Security for Kubernetes.
Prerequisites
- An existing bucket. To create a new bucket, see the official Google Cloud Storage documentation topic Creating storage buckets.
- A service account with the Storage Object Admin IAM role in the storage bucket you want to use. See the official Google Cloud Storage documentation topic Using Cloud IAM permissions.
- A service account key file (JSON) for the Service account you are using. See the official Google Cloud documentation topics Creating a service account and Creating service account keys.
Currently, Red Hat Advanced Cluster Security for Kubernetes does not support using Workload Identity to authenticate to GCS.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the External backups section and select Google Cloud Storage.
- Click New Integration (add icon).
- Enter a name for Integration Name.
- Enter the number of backups to retain in the Backups To Retain box.
- For Schedule, select the backup frequency (daily or weekly) and the time to run the backup process.
- Enter the Bucket name in which you want to store the backup.
- In the Service Account JSON field, enter the contents of your service account key file.
- Select Test (checkmark icon) to confirm that the integration with GCS is working.
- Select Create (save icon) to create the configuration.
Once configured, Red Hat Advanced Cluster Security for Kubernetes automatically backs up all data according to the specified schedule.
7.1.1. Perform on-demand backups on Google Cloud Storage
Use the RHACS portal to trigger manual backups of Red Hat Advanced Cluster Security for Kubernetes on Google Cloud Storage.
Prerequisites
- You must have already integrated Red Hat Advanced Cluster Security for Kubernetes with Google Cloud Storage.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the External backups section, click Google Cloud Storage.
- Select the integration name for the GCS bucket in which you want to do a backup.
- Click Trigger Backup.
Currently, when you select the Trigger Backup option, there is no notification. However, Red Hat Advanced Cluster Security for Kubernetes begins the backup task in the background.
Chapter 8. Integrating by using the syslog protocol
Syslog is an event logging protocol that applications use to send messages to a central location, such as a SIEM or a syslog collector, for data retention and security investigations. With Red Hat Advanced Cluster Security for Kubernetes, you can send alerts and audit events using the syslog protocol.
- Forwarding events by using the syslog protocol requires Red Hat Advanced Cluster Security for Kubernetes version 3.0.52 or newer.
- When you use the syslog integration, Red Hat Advanced Cluster Security for Kubernetes forwards both violation alerts that you configure and all audit events.
- Currently, Red Hat Advanced Cluster Security for Kubernetes only supports CEF (Common Event Format).
The following steps represent a high-level workflow for integrating Red Hat Advanced Cluster Security for Kubernetes with a syslog events receiver:
- Set up a syslog events receiver to receive alerts.
- Use the receiver’s address and port number to set up notifications in Red Hat Advanced Cluster Security for Kubernetes.
After the configuration, Red Hat Advanced Cluster Security for Kubernetes automatically sends all violations and audit events to the configured syslog receiver.
8.1. Configuring syslog integration with Red Hat Advanced Cluster Security for Kubernetes
Create a new syslog integration in Red Hat Advanced Cluster Security for Kubernetes.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the Notifier Integrations section and select Syslog.
- Click New Integration (add icon).
- Enter a name for Integration Name.
- Select the Logging Facility value from local0 through local7.
- Enter your Receiver Host address and Receiver Port number.
- If you are using TLS, turn on the Use TLS toggle.
- If your syslog receiver uses a certificate that is not trusted, turn on the Disable TLS Certificate Validation (Insecure) toggle. Otherwise, leave this toggle off.
- Select Test (checkmark icon) to send a test message to verify that the integration with your syslog receiver is working.
- Select Create (save icon) to create the configuration.
Chapter 9. Integrating with Amazon S3
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Amazon S3 to enable data backups. You can use these backups for data restoration in the case of an infrastructure disaster or corrupt data. After you integrate with Amazon S3, you can schedule daily or weekly backups and do manual on-demand backups.
The backup includes the entire Red Hat Advanced Cluster Security for Kubernetes database, which includes all configurations, resources, events, and certificates. Make sure that backups are stored securely.
- If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.53 or older, the backup does not include certificates.
- If your Amazon S3 is part of an air-gapped environment, you must add your AWS root CA as a trusted certificate authority in Red Hat Advanced Cluster Security for Kubernetes.
9.1. Configuring Amazon S3 integration in Red Hat Advanced Cluster Security for Kubernetes
To configure Amazon S3 backups, create a new integration in Red Hat Advanced Cluster Security for Kubernetes.
Prerequisites
- An existing S3 Bucket. To create a new bucket with required permissions, see the Amazon documentation topic Creating a bucket.
- Read, write, and delete permissions for the S3 bucket, the Access key ID, and the Secret access key.
- If you are using KIAM, kube2iam or another proxy, then an IAM role that has the read, write, and delete permissions.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the External backups section and select Amazon S3.
- Click New Integration (add icon).
- Enter a name for Integration Name.
- Enter the number of backups to retain in the Backups To Retain box.
- For Schedule, select the backup frequency as daily or weekly and the time to run the backup process.
- Enter the Bucket name where you want to store the backup.
- Optionally, enter an Object Prefix if you want to save the backups in a specific folder structure. For more details, see the Amazon documentation topic Working with object metadata.
- Enter the Endpoint for the bucket if you are using a non-public S3 instance, otherwise leave it blank.
- Enter the Region for the bucket.
- Turn on the Use Container IAM Role toggle or enter the Access Key ID, and the Secret Access Key.
- Select Test (checkmark icon) to confirm that the integration with Amazon S3 is working.
- Select Create (save icon) to create the configuration.
Once configured, Red Hat Advanced Cluster Security for Kubernetes automatically backs up all data according to the specified schedule.
9.2. Performing on-demand backups on Amazon S3
Use the RHACS portal to trigger manual backups of Red Hat Advanced Cluster Security for Kubernetes on Amazon S3.
Prerequisites
- You must have already integrated Red Hat Advanced Cluster Security for Kubernetes with Amazon S3.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the External backups section, click Amazon S3.
- Select the integration name for the S3 bucket where you want to do a backup.
- Click Trigger Backup.
Currently, when you select the Trigger Backup option, there is no notification. However, Red Hat Advanced Cluster Security for Kubernetes begins the backup task in the background.
Chapter 10. Integrating with Google Cloud Security Command Center
If you are using Google Cloud Security Command Center (Cloud SCC), you can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Cloud SCC. This guide explains how to integrate Red Hat Advanced Cluster Security for Kubernetes with Cloud SCC.
The following steps represent a high-level workflow for integrating Red Hat Advanced Cluster Security for Kubernetes with Cloud SCC.
- Register a new security source with Google Cloud.
- Provide the source ID and service account key to Red Hat Advanced Cluster Security for Kubernetes.
- Identify the policies you want to send notifications for, and update the notification settings for those policies.
10.1. Configuring Google Cloud SCC
Start by adding Red Hat Advanced Cluster Security for Kubernetes as a trusted Cloud SCC source.
Procedure
- Follow the Adding vulnerability and threat sources to Cloud Security Command Center guide and add Red Hat Advanced Cluster Security for Kubernetes as a trusted Cloud SCC source. Make a note of the Source ID that Google Cloud creates for your Red Hat Advanced Cluster Security for Kubernetes integration. If you do not see a source ID after registering, you can find it on the Cloud SCC Security Sources page.
- Create a key for the service account you created, or the existing account you used, in the previous step. See Google Cloud’s guide to creating and managing service account keys for details.
10.2. Configuring Red Hat Advanced Cluster Security for Kubernetes for integrating with Google Cloud SCC
Create a new Google Cloud SCC integration in Red Hat Advanced Cluster Security for Kubernetes by using the Source ID and service account key.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the Notifier Integrations section and select Google Cloud SCC.
- Click New Integration (add icon).
- Enter a name for Integration Name.
- Enter the Cloud SCC Source ID and Service Account Key (JSON).
- Select Create (save icon) to create the configuration.
10.3. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Policies.
- Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
- In the Enable notification window, select the Google Cloud SCC notifier.
  Note: If you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
- Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
    - A policy violation occurs for the first time in a deployment.
    - A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.
Chapter 11. Integrating with Splunk
If you are using Splunk, you can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Splunk and view vulnerability and compliance-related data from within Splunk.
Depending on your use case, you can integrate Red Hat Advanced Cluster Security for Kubernetes with Splunk by using the following ways:
- By using an HTTP event collector in Splunk: use the event collector option to forward alerts and audit log data.
- By using the StackRox Kubernetes Security Platform add-on: use the add-on to pull vulnerability detection and compliance data into Splunk.
  Note: The StackRox Kubernetes Security Platform add-on is only available if you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.51.0 or newer.
You can use one or both of these integration options to integrate Red Hat Advanced Cluster Security for Kubernetes with Splunk.
11.1. Using the HTTP event collector
You can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Splunk by using an HTTP event collector.
To integrate Red Hat Advanced Cluster Security for Kubernetes with Splunk by using the HTTP event collector, follow these steps:
- Add a new HTTP event collector in Splunk and get the token value.
- Use the token value to set up notifications in Red Hat Advanced Cluster Security for Kubernetes.
- Identify policies for which you want to send notifications, and update the notification settings for those policies.
11.1.1. Adding an HTTP event collector in Splunk
Add a new HTTP event collector for your Splunk instance, and get the token.
Procedure
- In your Splunk dashboard, navigate to Settings → Add Data.
- Click Monitor.
- On the Add Data page, click HTTP Event Collector.
- Enter a Name for the event collector and then click Next >.
- Accept the default Input Settings and click Review >.
- Review the event collector properties and click Submit >.
- Copy the Token Value for the event collector. You need this token value to configure integration with Splunk in Red Hat Advanced Cluster Security for Kubernetes.
11.1.1.1. Enabling HTTP event collector
You must enable HTTP event collector tokens before you can receive events.
Procedure
- In your Splunk dashboard, navigate to Settings → Data inputs.
- Click HTTP Event Collector.
- Click Global Settings.
- In the dialog that opens, click Enabled and then click Save.
11.1.2. Configuring Splunk integration in Red Hat Advanced Cluster Security for Kubernetes
Create a new Splunk integration in Red Hat Advanced Cluster Security for Kubernetes by using the token value.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the Notifier Integrations section and select Splunk.
- Click New Integration (add icon).
- Enter a name for Integration Name.
- Enter your Splunk URL in the HTTP Event Collector URL field. You must specify the port number if it is not 443 for HTTPS or 80 for HTTP. You must also add the URL path /services/collector/event at the end of the URL. For example, https://<splunk-server-path>:8088/services/collector/event.
- Enter your token in the HTTP Event Collector Token field.
  Note: If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.57 or newer, you can specify custom Source Type for Alert events and Source Type for Audit events.
- Select Test (checkmark icon) to send a test message to verify that the integration with Splunk is working.
- 
							Select Create (saveicon) to create the configuration.
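The procedure above leaves the URL and token format to the reader. The following is an added example, not code from the RHACS product or its documentation, that builds the collector URL the way the field expects (explicit port, /services/collector/event path) and wraps a constructed, RHACS-shaped alert in Splunk's HEC JSON envelope. Splunk's HEC contract (POST to /services/collector/event with an Authorization: Splunk <token> header) is real; the host names, the token placeholder, the sourcetype value and the sample alert are assumptions made for the example.

```python
"""Build and send an event to a Splunk HTTP Event Collector (HEC).

Added example for the Splunk notifier procedure; not RHACS code.
Real: HEC listens for JSON on /services/collector/event and authenticates
with 'Authorization: Splunk <token>'. Constructed: hosts, token, alert.
"""
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit

HEC_PATH = "/services/collector/event"


def hec_url(base: str) -> str:
    """Normalize what was typed into the 'HTTP Event Collector URL' field.

    Appends /services/collector/event if missing and makes the port
    explicit (443/80 are the scheme defaults; HEC is often on 8088), so the
    result matches the example form in the procedure above.
    """
    parts = urlsplit(base if "://" in base else "https://" + base)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path.rstrip("/")
    if not path.endswith(HEC_PATH):
        path += HEC_PATH
    return urlunsplit((parts.scheme, f"{parts.hostname}:{port}", path, "", ""))


def build_hec_event(alert: dict, sourcetype: str = "stackrox-alert",
                    host: str = "central") -> dict:
    """Wrap an alert in the HEC envelope. 'sourcetype' is the value the
    'Source Type for Alert events' field would set; 'time' becomes _time."""
    return {"time": alert["time"], "host": host,
            "sourcetype": sourcetype, "event": alert}


def send_hec_event(url: str, token: str, payload: dict, timeout: float = 10.0) -> int:
    """POST one event and return the HTTP status (200 on success).
    Needs a reachable Splunk instance, so it is not run by the tests."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample shaped like a policy violation; not real RHACS output.
SAMPLE_ALERT = {
    "time": 1700000000,
    "policy": {"name": "Latest tag", "severity": "LOW_SEVERITY"},
    "deployment": {"name": "nginx", "namespace": "web", "clusterName": "prod"},
    "violations": [{"message": "Container 'nginx' uses image tag 'latest'"}],
}

if __name__ == "__main__":
    url = hec_url("splunk.example.com:8088")
    print(url)
    print(json.dumps(build_hec_event(SAMPLE_ALERT, sourcetype="rhacs:alert"), indent=2))
    # send_hec_event(url, "<hec-token>", build_hec_event(SAMPLE_ALERT))
```

hec_url accepts the forms a user is likely to type (with or without scheme, port or path) and rejects non-HTTP schemes, which is the check worth running before the Test button: a URL missing the path or the non-default port is the usual reason the test message never reaches Splunk.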
11.1.3. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Policies.
- Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
- In the Enable notification window, select the Splunk notifier.
  Note: If you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
- Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
  - A policy violation occurs for the first time in a deployment.
  - A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.
11.2. Using the StackRox Kubernetes Security Platform add-on
You can use the StackRox Kubernetes Security Platform add-on to forward the vulnerability detection and compliance related data from the Red Hat Advanced Cluster Security for Kubernetes to Splunk.
Begin by generating an API token with read permission for all resources in Red Hat Advanced Cluster Security for Kubernetes and then use that token to install and configure the add-on.
11.2.1. Installing and configuring the Splunk add-on
You can install the StackRox Kubernetes Security Platform add-on from your Splunk instance.
Prerequisites
- You must have an API token with read permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. You can assign the Analyst system role to grant this level of access. The Analyst role has read permissions for all resources.
Procedure
- Download the StackRox Kubernetes Security Platform add-on from Splunkbase.
- Navigate to the Splunk home page on your Splunk instance.
- Navigate to Apps → Manage Apps.
- Select Install app from file.
- In the Upload app pop-up box, select Choose File and select the StackRox Kubernetes Security Platform add-on file.
- Click Upload.
- Click Restart Splunk, and confirm to restart.
- After Splunk restarts, select StackRox from the Apps menu.
- Click Create New Input.
- Either select StackRox Compliance to pull compliance data or StackRox Vulnerability Management to pull vulnerability data into Splunk.
- Enter a Name for the input.
- Select an Interval to pull data from Red Hat Advanced Cluster Security for Kubernetes. For example, every 14400 seconds.
- Select the Splunk Index to which you want to send the data.
- For Central Endpoint, enter the IP address or the name of your Central instance.
- Enter the API token you have generated for the add-on.
- Click Add.
Chapter 12. Integrating with image vulnerability scanners
Red Hat Advanced Cluster Security for Kubernetes (RHACS) integrates with various vulnerability scanners to enable you to import your container images and monitor them for vulnerabilities. You can set up Red Hat Advanced Cluster Security for Kubernetes to obtain image vulnerability data from many open-source and commercial container image vulnerability scanners, including:
If you are using one of these products in your DevOps workflow, you can use the RHACS portal to configure a connection with Red Hat Advanced Cluster Security for Kubernetes. Once integrated, your image vulnerabilities are surfaced in the RHACS portal and you can triage them easily.
12.1. Integrating with Anchore scanner
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Anchore scanner.
Prerequisites
- You have an Anchore scanner username and password for authentication.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Anchore Scanner. The Configure Anchore scanner image integration modal box opens.
- Click New Integration.
- Enter the details for the following fields:
  - Integration Name: The name of the integration.
  - Types: Select Scanner.
  - Endpoint: The address of the scanner.
  - Username and Password.
- Select Test (checkmark icon) to test that the integration is working.
- Select Create (save icon) to create the configuration.
12.2. Integrating with Clair
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Clair for the static analysis of vulnerabilities in your images.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Clair. The Configure image integration modal box opens.
- Click New Integration.
- Enter the details for the following fields:
  - Integration Name: The name of the integration.
  - Types: Select Scanner.
  - Endpoint: The address of the scanner.
- Select Test (checkmark icon) to test that the integration is working.
- Select Create (save icon) to create the configuration.
12.3. Integrating with Docker Trusted Registry scanner
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Docker Trusted Registry for scanning images.
Prerequisites
- You must have a username and a password for authentication with the Docker Trusted Registry.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Docker Trusted Registry. The Configure image integration modal box opens.
- Click New Integration.
- Enter the details for the following fields:
  - Integration Name: The name of the integration.
  - Types: Select Scanner.
  - Endpoint: The address of the registry.
  - Username and Password.
- Select Test (checkmark icon) to test that the integration with the selected registry is working.
- Select Create (save icon) to create the configuration.
12.4. Integrating with Google Container Registry
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Google Container Registry (GCR) for container analysis and vulnerability scanning.
Prerequisites
- You must have a service account key for the Google Container Registry.
- The associated service account has access to the registry. See Configuring access control for information about granting users and other projects access to GCR.
- If you are using GCR Container Analysis, you have granted the following roles to the service account:
  - Container Analysis Notes Viewer
  - Container Analysis Occurrences Viewer
  - Storage Object Viewer
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Google Container Registry. The Configure image integration modal box opens.
- Click New Integration.
- Enter the details for the following fields:
  - Integration Name: The name of the integration.
  - Types: Select Scanner.
  - Registry Endpoint: The address of the registry.
  - Project: The Google Cloud project name.
  - Service Account Key (JSON): Your service account key for authentication.
- Select Test (checkmark icon) to test that the integration with the selected registry is working.
- Select Create (save icon) to create the configuration.
12.5. Integrating with Quay Container Registry
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Quay Container Registry for scanning images.
Prerequisites
- You must have an OAuth token for authentication with the Quay Container Registry.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Quay Container Registry. The Configure image integration modal box opens.
- Click New Integration.
- Fill in the required details for:
  - Integration Name: The name of the integration.
  - Types: Select Scanner.
  - Endpoint: The address of the registry.
  - OAuth Token: The OAuth token for Quay Container Registry.
- Select Test (checkmark icon) to test that the integration with the selected registry is working.
- Select Create (save icon) to create the configuration.
12.6. Integrating with Tenable
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Tenable for scanning images.
Prerequisites
- You must have a Tenable access key and a secret key for authentication.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Under the Image Integrations section, select Tenable. The Configure image integration modal box opens.
- Click New Integration.
- Enter the details for the following fields:
  - Integration Name: The name of the integration.
  - Source Inputs: Select Scanner.
  - Access Key: The access key for Tenable.
  - Secret Key: The secret key for Tenable.
- Select Test (checkmark icon) to test that the integration is working.
- Select Create (save icon) to create the configuration.
Chapter 13. Integrating with Jira
If you are using Jira, you can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Jira.
The following steps represent a high-level workflow for integrating Red Hat Advanced Cluster Security for Kubernetes with Jira:
- Set up a user in Jira.
- Use the Jira URL, username, and password to integrate Jira with Red Hat Advanced Cluster Security for Kubernetes.
- Identify policies for which you want to send notifications, and update the notification settings for those policies.
13.1. Configuring Jira
Start by creating a new user, and assign appropriate roles and permissions.
Prerequisites
- You need a Jira account with permissions to create and edit issues in the project with which you are integrating.
Procedure
- Create a user in Jira who has access to the projects for which you want to create issues:
  - To create a new user, see the Jira documentation topic Create, edit, or remove a user.
  - To give users access to project roles and applications, see the Jira documentation topic Assign users to groups, project roles, and applications.
  Note: If you are using Jira Software Cloud, after you create the user, you must create an API token for the user:
    - Go to https://id.atlassian.com/manage/api-tokens to generate a new token.
    - Use the token as the password when you configure Red Hat Advanced Cluster Security for Kubernetes.
13.2. Configuring Red Hat Advanced Cluster Security for Kubernetes
Create a new integration in Red Hat Advanced Cluster Security for Kubernetes by using the Jira server URL and user credentials.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Integrations.
- Scroll down to the Notifier Integrations section and select Jira Software.
- Click New Integration.
- Enter a name for Integration Name.
- Enter the user credentials in the Username and Password or API Token boxes.
- For Issue Type, enter a valid Jira Issue Type, for example Task, Sub-task, or Bug.
- Enter the Jira server URL in the Jira URL box.
- Enter the key of the project in which you want to create issues in the Default Project box.
- Use the Annotation Key For Project box to create issues in different Jira projects.
- If you use custom priorities in your Jira project, use the Priority Mapping toggle to configure custom priorities.
- If you use mandatory custom fields in your Jira project, enter them as JSON values in the Default Fields JSON (Necessary If Required Fields) box. The value must be a single JSON object (no trailing comma after the last field). For example:
    { "customfield_10004": 3, "customfield_20005": "Alerts" }
- Select Test (checkmark icon) to test that the integration with Jira is working.
- Select Create (save icon) to create the configuration.
13.2.1. Creating issues in different Jira projects
You can configure Red Hat Advanced Cluster Security for Kubernetes to create issues in different Jira projects so that they go directly to the right team.
Prerequisites
- You must have an account with access to each project that you want to send the alerts to.
Procedure
- Add an annotation similar to the following in your deployment YAML file:
    jira/project-key: <jira_project_key>
- Use the annotation key jira/project-key in the Annotation Key For Project field when you configure Red Hat Advanced Cluster Security for Kubernetes.
After the configuration is complete, if a deployment has an annotation in the YAML file, Red Hat Advanced Cluster Security for Kubernetes sends the alert to the project specified for that annotation. Otherwise, an alert is sent to the default project.
13.2.2. Configuring custom priorities in Jira
If you are using custom priorities in your Jira project, you can configure them in Red Hat Advanced Cluster Security for Kubernetes.
Procedure
- While configuring the Jira integration in Red Hat Advanced Cluster Security for Kubernetes, turn on the Priority Mapping toggle. Red Hat Advanced Cluster Security for Kubernetes gets the Jira project schema and auto-fills the values for the CRITICAL_SEVERITY, HIGH_SEVERITY, MEDIUM_SEVERITY, and LOW_SEVERITY fields.
- Verify or update the priority values based on your Jira project configuration.
- Select Test (checkmark icon) to test that the integration with Jira is working.
- Select Create (save icon) to create the configuration.
If you get an error, follow the instructions in the Troubleshooting Jira integration section.
13.3. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Policies.
- Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
- In the Enable notification window, select the Jira notifier.
  Note: If you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
- Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
  - A policy violation occurs for the first time in a deployment.
  - A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.
13.4. Troubleshooting Jira integration
If you are using custom priorities or mandatory custom fields in your Jira project, you may get an error when you try to integrate Red Hat Advanced Cluster Security for Kubernetes with Jira Software. This error is usually caused by a mismatch between the RHACS severity values and the priority field values in your Jira project.
If you do not know the custom priority values in your Jira project, use the roxctl CLI to enable debug logging for the Jira integration.
Procedure
- To get the custom priority values from your Jira project, run the following command to turn on debug logging for the Jira integration:
    $ roxctl -e "$ROX_CENTRAL_ADDRESS" central debug log --level Debug --modules notifiers/jira
- Follow the instructions to configure Red Hat Advanced Cluster Security for Kubernetes for Jira integration. When you test the integration, even if the integration test fails, the generated log includes your Jira project schema and the custom priorities.
- To save the debugging information as a compressed .zip file, run the following command:
    $ roxctl -e "$ROX_CENTRAL_ADDRESS" central debug dump
- Unzip the .zip file to retrieve the custom priority values in use in your Jira project.
- To turn off debug logging, run the following command:
    $ roxctl -e "$ROX_CENTRAL_ADDRESS" central debug log --level Info
- Configure Red Hat Advanced Cluster Security for Kubernetes for Jira integration again and use the priority values to configure custom priorities.
Chapter 14. Integrating with email
Configure Red Hat Advanced Cluster Security for Kubernetes (RHACS) to send alerts to a standard email provider.
You can use email as a notification method by forwarding alerts from RHACS to a standard email provider. To forward alerts from the RHACS platform to an email address, you can use either the Default Recipients or Deployment Annotations parameter.
You can use default recipients to send email to a standard and centralized team. To send email to a specific team who manages the deployment, use Deployment Annotations. To manage an audience by namespace, use Namespace Annotations.
You can define an audience to notify about policy violations that are associated with a deployment or namespace using annotation keys. If the deployment has an annotation, the annotation’s value overrides the default value. If the namespace has an annotation, the namespace’s value overrides the default value.
- If a deployment has an annotation key and a defined audience, an email is sent to the audience who is defined by the key.
- If a deployment does not have an annotation key, the namespace is checked for an annotation key and an email is sent to the defined audience.
- If no annotation keys exist, an email is sent to the default recipient that is defined in the integration.
14.1. Configuring the email plugin on Red Hat Advanced Cluster Security for Kubernetes platform
You can create a new integration in the Red Hat Advanced Cluster Security for Kubernetes platform by using the email notifier.
To use an annotation to dynamically determine an email recipient:
- Add an annotation similar to the following example in your deployment YAML file, where email is the Annotation key that you specify in your email integration:
    annotations:
      email: <email_address>
- Use the annotation key email in the Annotation key for recipient field when you configure RHACS.
An annotation can be on the deployment or the namespace.
If you have configured the deployment or namespace with annotation, the RHACS platform sends the alert to the email specified in the annotation. Otherwise, it sends the alert to the default recipient.
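The precedence rule spelled out above (deployment annotation, then namespace annotation, then the integration's default recipient) is easy to get wrong when several teams own a namespace. The following is an added example, not RHACS code, that writes the rule out as a function and runs it over constructed Deployment and Namespace objects; with the namespace lookup left out, the same function expresses the Jira Annotation Key For Project behaviour described in section 13.2.1. Only the annotation keys email and jira/project-key come from the procedures above; the object shapes, addresses, project keys and the treatment of blank annotation values are assumptions made for the example.

```python
"""Resolve the notification target for an alert from annotations.

Added example for the email (chapter 14) and Jira (section 13.2.1)
annotation settings; not RHACS code. Sample objects are constructed.
"""
from typing import Dict, List, Mapping, Optional


def resolve_target(key: str, default: str,
                   deployment_annotations: Mapping[str, str],
                   namespace_annotations: Optional[Mapping[str, str]] = None) -> str:
    """Return where one alert should go.

    Precedence: deployment annotation > namespace annotation > default.
    Assumption made here (not stated in the docs): a key whose value is
    blank counts as absent, so an empty annotation falls through instead
    of routing the alert to an empty address or project key.
    """
    for annotations in (deployment_annotations, namespace_annotations or {}):
        value = annotations.get(key, "").strip()
        if value:
            return value
    return default


def annotations_of(obj: Mapping) -> Mapping[str, str]:
    """metadata.annotations of a Kubernetes object dict, or {} if unset."""
    return (obj.get("metadata") or {}).get("annotations") or {}


def route_alerts(alerts: List[dict], namespaces: Mapping[str, dict],
                 key: str, default: str) -> Dict[str, List[str]]:
    """Group policy names by resolved recipient, the way a notifier fans
    alerts out. 'namespaces' maps namespace name -> Namespace object."""
    routed: Dict[str, List[str]] = {}
    for alert in alerts:
        dep = alert["deployment"]
        ns = namespaces.get(dep["metadata"]["namespace"], {})
        target = resolve_target(key, default, annotations_of(dep), annotations_of(ns))
        routed.setdefault(target, []).append(alert["policy"])
    return routed


# Constructed sample objects, trimmed to metadata; not real cluster output.
NAMESPACES = {
    "payments": {"metadata": {"name": "payments",
                              "annotations": {"email": "payments-oncall@example.com"}}},
    "web": {"metadata": {"name": "web"}},
}
ALERTS = [
    {"policy": "Latest tag",
     "deployment": {"metadata": {"name": "api", "namespace": "payments",
                                 "annotations": {"email": "api-team@example.com"}}}},
    {"policy": "Privileged container",
     "deployment": {"metadata": {"name": "worker", "namespace": "payments"}}},
    {"policy": "Latest tag",
     "deployment": {"metadata": {"name": "nginx", "namespace": "web"}}},
]

if __name__ == "__main__":
    for recipient, policies in route_alerts(ALERTS, NAMESPACES, "email",
                                            "secops@example.com").items():
        print(f"{recipient}: {policies}")
```

Running it shows the three outcomes side by side: the api deployment's own annotation wins, the un-annotated worker inherits the payments namespace address, and nginx in the un-annotated web namespace falls back to the default recipient.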
Procedure
- Navigate to Platform Configuration → Integrations.
- Under the Notifier Integrations section, select Email.
- Select the New Integration icon.
- In the Integration Name field, enter a name for your email integration.
- For Email Server, enter the address of your email server. The email server address is the fully qualified domain name and the port number. An example is smtp.example.com:465.
- Enter a username and password of a service account that is used for authentication.
- Optional: Specify the name of the sender, if it is different from the default value.
- Specify the email address that will receive the notifications in the Default Recipient box, or enter an annotation key for Annotation key for recipient.
- Optional: Turn on the Disable TLS certificate validation (insecure) toggle to send email without TLS. You should not disable TLS unless you are using StartTLS.
  Note: Use TLS for email notifications. Without TLS, all email is sent unencrypted.
- Optional: To use StartTLS, select either Login or Plain from the Use STARTTLS (Requires TLS To Be Disabled) drop-down menu.
  Important: With StartTLS, credentials are passed in plain text to the email server before the session encryption is established.
    - StartTLS with the login parameter sends authentication credentials in a base64 encoded string. Base64 is an encoding, not encryption; anyone who can read the connection can decode it.
    - StartTLS with the plain parameter sends authentication credentials to your mail relay in plain text.
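To make the TLS choices in the procedure above concrete, the following is an added example, not RHACS code: it parses the host:port form the Email Server field expects, opens the connection either with implicit TLS on the configured port or with STARTTLS, verifying the server certificate in both cases, and shows why the Login mechanism offers no secrecy on its own by producing and decoding the base64 tokens AUTH LOGIN sends. smtplib and ssl are Python's standard library; the server name, credentials and the fallback port are assumptions made for the example.

```python
"""Implicit TLS versus STARTTLS for an SMTP notifier, with cert checking.

Added example for the email integration procedure; not RHACS code.
Host names and credentials below are constructed.
"""
import base64
import smtplib
import ssl
from typing import Tuple


def parse_server(addr: str, default_port: int = 465) -> Tuple[str, int]:
    """Split 'smtp.example.com:465' into (host, port).

    The procedure says to include the port; as an assumption for this
    example a missing port falls back to 465 (implicit TLS)."""
    host, sep, port = addr.rpartition(":")
    if not sep:
        return addr, default_port
    if not port.isdigit():
        raise ValueError(f"bad port in {addr!r}")
    return host, int(port)


def connect(addr: str, use_starttls: bool, timeout: float = 10.0) -> smtplib.SMTP:
    """Open an SMTP session with certificate and hostname verification.

    use_starttls=False: TLS from the first byte (what 'smtp.example.com:465'
    implies). use_starttls=True: plaintext greeting, then upgrade before
    any AUTH or message data. Needs a live server, so the tests skip it."""
    host, port = parse_server(addr)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    if not use_starttls:
        return smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout)
    conn = smtplib.SMTP(host, port, timeout=timeout)
    conn.ehlo()
    if not conn.has_extn("starttls"):
        conn.quit()
        raise RuntimeError("server does not offer STARTTLS; refusing to send in the clear")
    conn.starttls(context=ctx)
    conn.ehlo()  # re-advertise capabilities inside the encrypted session
    return conn


def auth_login_tokens(user: str, password: str) -> Tuple[str, str]:
    """The two strings AUTH LOGIN sends in reply to the server prompts.
    They are base64, which is encoding, not encryption."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def decode_auth_login(token: str) -> str:
    """What an observer of a pre-TLS exchange needs: one b64decode."""
    return base64.b64decode(token).decode()


def auth_plain_token(user: str, password: str) -> str:
    """AUTH PLAIN (RFC 4616): NUL user NUL password, base64-wrapped."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


if __name__ == "__main__":
    print(parse_server("smtp.example.com:465"))
    user_tok, pw_tok = auth_login_tokens("alerts@example.com", "s3cret")
    print("AUTH LOGIN sends:", user_tok, pw_tok)
    print("which decodes to:", decode_auth_login(pw_tok))
    # conn = connect("smtp.example.com:465", use_starttls=False); conn.login(...)
```

connect() refuses to continue when a STARTTLS server does not advertise the extension, which is the failure mode a downgrade attacker relies on; the RHACS toggle has no such check, so prefer the implicit-TLS port where the relay offers one.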
14.2. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
- On the RHACS portal, navigate to Platform Configuration → Policies.
- Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
- In the Enable notification window, select the Email notifier.
  Note: If you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
- Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
  - A policy violation occurs for the first time in a deployment.
  - A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.