Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 3. Reissuing internal certificates

Each component of Red Hat Advanced Cluster Security for Kubernetes uses an X.509 certificate to authenticate itself to other components. These certificates have expiration dates, and you must reissue them before they expire. You can view the certificate expiry dates in the Platform Configuration Clusters view from the RHACS portal.

3.1. Reissuing internal certificates for Central
Link kopieren

Central uses a built-in server certificate for authentication when communicating with other Red Hat Advanced Cluster Security for Kubernetes services. This certificate is unique to your Central installation. The RHACS portal shows an information banner when the Central certificate is about to expire.

Note

The information banner only appears 15 days before the certificate expiry date.

Prerequisites

  • To reissue certificates, you must have write permission for the ServiceIdentity resource.

Procedure

  1. Click on the link in the banner to download a YAML configuration file, which contains a new OpenShift Container Platform secret, including the certificate and key values.

  2. Apply the new YAML configuration file to the cluster where you have installed Central. 

    $ oc apply -f <secret_file.yaml>
    Copy to Clipboard Toggle word wrap
  3. Restart Central to apply the changes.

3.1.1. Restarting the Central container
Link kopieren

You can restart the Central container by killing the Central container or by deleting the Central pod.

Procedure

  • Run the following command to kill the Central container:

    Note

    You must wait for at least 1 minute, until OpenShift Container Platform propagates your changes and restarts the Central container. 

    $ oc -n stackrox exec deploy/central -c central -- kill 1
    Copy to Clipboard Toggle word wrap

  • Or, run the following command to delete the Central pod: 

    $ oc -n stackrox delete pod -lapp=central
    Copy to Clipboard Toggle word wrap

3.2. Reissuing internal certificates for Scanner
Link kopieren

Scanner has a built-in certificate that it uses to communicate with Central.

The RHACS portal shows an information banner when the Scanner certificate is about to expire.

Note

The information banner only appears 15 days before the certificate expiry date.

Prerequisites

  • To reissue certificates, you must have write permission for the ServiceIdentity resource.

Procedure

  1. Click on the link in the banner to download a YAML configuration file, which contains a new OpenShift Container Platform secret, including the certificate and key values.

  2. Apply the new YAML configuration file to the cluster where you installed Scanner. 

    $ oc apply -f <secret_file.yaml>
    Copy to Clipboard Toggle word wrap
  3. Restart Scanner to apply the changes.

3.2.1. Restarting the Scanner and Scanner DB containers
Link kopieren

You can restart the Scanner and Scanner DB container by deleting the pods.

Procedure

  • To delete the Scanner and Scanner DB pods, run the following command:

    • On OpenShift Container Platform: 

      $ oc delete pod -n stackrox -l app=scanner; oc -n stackrox delete pod -l app=scanner-db
      Copy to Clipboard Toggle word wrap

    • On Kubernetes: 

      $ kubectl delete pod -n stackrox -l app=scanner; kubectl -n stackrox delete pod -l app=scanner-db
      Copy to Clipboard Toggle word wrap

Sensor, Collector, and Admission controller use certificates to communicate with each other, and with Central.

To replace the certificates, use one of the following methods:

  • Create, download, and install an init bundle on the secured cluster. You must have the Admin user role to create an init bundle.
  • Use the automatic upgrades functionality. Automatic upgrades are available only for static manifest deployments using the roxctl CLI.

Secured clusters contain the Collector, Sensor, and Admission Control components. These components use a built-in server certificate for authentication when communicating with other Red Hat Advanced Cluster Security for Kubernetes components.

The RHACS portal shows an information banner when the Central certificate is about to expire.

Note

The information banner only appears 15 days before the certificate expiry date.

Prerequisites

  • To reissue certificates, you must have write permission for the ServiceIdentity resource.
Important

Store this bundle securely because it contains secrets. You can use the same bundle on multiple secured clusters. You must have the Admin user role to create init bundles.

Procedure

  • To generate an init bundle using the RHACS portal:

    1. Select Platform Configuration Clusters.
    2. Click Manage Tokens.
    3. Navigate to the Authentication Tokens section, and click Cluster Init Bundle.
    4. Click Generate bundle.
    5. Enter a name for the cluster init bundle and click Generate.
    6. To download the generated bundle, click Download Kubernetes secrets file.

  • To generate an init bundle using the roxctl CLI, run the following command: 

    $ roxctl -e <endpoint> -p <admin_password> central init-bundle generate <bundle_name> --output-secrets init-bundle.yaml
    Copy to Clipboard Toggle word wrap

Next steps

  • To create the necessary resources on each secured cluster, run the following command: 

    $ oc -n stackrox apply -f <init-bundle.yaml>
    Copy to Clipboard Toggle word wrap

You can reissue internal certificates for Sensor, Collector, and Admission controller by using automatic upgrades.

Note

Automatic upgrades are only applicable to static manifest-based deployments using the roxctl CLI. See "Installing Central" in the "Installing by using the roxctl CLI" section of the Installing chapter.

Prerequisites

  • You must have enabled automatic upgrades for all clusters.
  • To reissue certificates, you must have write permission for the ServiceIdentity resource.

Procedure

  1. In the RHACS portal, navigate to Platform Configuration Clusters.
  2. In the Clusters view, select a Cluster to view its details.
  3. From the cluster details panel, select the link to Apply credentials by using an automatic upgrade.
Note

When you apply an automatic upgrade, Red Hat Advanced Cluster Security for Kubernetes creates new credentials in the selected cluster. However, you will still see a notification. The notification goes away when each Red Hat Advanced Cluster Security for Kubernetes service begins using the new credentials after the service restarts.

Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat