Chapter 13. Monitoring with Prometheus


Prometheus is an open-source monitoring and alerting platform. You can use it to monitor the health and availability of the Central and Sensor components of Red Hat Advanced Cluster Security for Kubernetes (RHACS). When you enable monitoring, RHACS creates a new monitoring service on port number 9090 and a network policy allowing inbound connections to that port.

13.1. Monitoring Central services using the RHACS Operator

You can monitor the Central services (Central and Scanner) by changing the configuration of the Central custom resource.

Procedure

  1. On the OpenShift Container Platform web console, go to the Operators → Installed Operators page.
  2. Select the Red Hat Advanced Cluster Security for Kubernetes Operator from the list of installed Operators.
  3. Click on the Central tab.
  4. From the list of Central instances, click the Central instance for which you want to enable monitoring.
  5. Click on the YAML tab and update the YAML configuration:

    • For monitoring Central, enable the central.monitoring.exposeEndpoint configuration option for the Central custom resource.

      apiVersion: platform.stackrox.io/v1alpha1
      kind: Central
      ...
      spec:
        central:
          monitoring:
            exposeEndpoint: Enabled
      ...
    • For monitoring Scanner, enable the scanner.monitoring.exposeEndpoint configuration option for the Central custom resource.

      apiVersion: platform.stackrox.io/v1alpha1
      kind: Central
      ...
      spec:
        scanner:
          monitoring:
            exposeEndpoint: Enabled
      ...
  6. Click Save.

13.2. Monitoring Central services using Helm charts

You can monitor the Central services (Central and Scanner) by changing the configuration options in the central-services Helm chart.

Procedure

  1. Update the values-public.yaml configuration file with the following values:

    central.exposeMonitoring: true
    scanner.exposeMonitoring: true
  2. Run the helm upgrade command and specify the configuration files using the -f option:

    $ helm upgrade -n stackrox \
      stackrox-central-services rhacs/central-services \
      -f <path_to_values_public.yaml>
    Note

    You can also specify configuration values using the --set or --set-file parameters. However, these options are not saved, and you must manually specify all the options again whenever you make changes.

13.3. Monitoring Central using Prometheus service monitor

If you are using the Prometheus Operator, you can use a service monitor to scrape the metrics from Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Note

If you are not using the Prometheus Operator, you must edit the Prometheus configuration files to receive the data from RHACS.

Procedure

  1. Create a new servicemonitor.yaml file with the following content:

    apiVersion: monitoring.coreos.com/v1
    kind: ServiceMonitor
    metadata:
      name: prometheus-stackrox
      namespace: stackrox
    spec:
      endpoints:
        - interval: 30s
          port: monitoring
          scheme: http
      selector:
        matchLabels:
          app.kubernetes.io/name: <stackrox-service>

    The labels must match the Service resource that you want to monitor. For example, central or scanner.
  2. Apply the YAML to the cluster:

    $ oc apply -f servicemonitor.yaml

    If you use Kubernetes, enter kubectl instead of oc.

Verification

  • Run the following command to check the status of the service monitor:

    $ oc get servicemonitor --namespace stackrox

    If you use Kubernetes, enter kubectl instead of oc.

13.4. Manually enable monitoring

Important

If you have already enabled monitoring using central.monitoring.exposeEndpoint: Enabled or by using the central.exposeMonitoring: true Helm chart customization option, do not run the commands in this section.

Before you can monitor Red Hat Advanced Cluster Security for Kubernetes, you must enable monitoring.

Procedure

  1. Patch the services to expose port 9090.

    1. Patch the Sensor service:

      $ oc -n stackrox patch svc/sensor -p '{"spec":{"ports":[{"name":"monitoring","port":9090,"protocol":"TCP","targetPort":9090}]}}'

      If you use Kubernetes, enter kubectl instead of oc.
    2. Patch the Central service:

      $ oc -n stackrox patch svc/central -p '{"spec":{"ports":[{"name":"monitoring","port":9090,"protocol":"TCP","targetPort":9090}]}}'
  2. Modify network policies to allow ingress.

    $ oc apply -f - <<EOF
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      labels:
        app.kubernetes.io/name: stackrox
      name: allow-monitoring
      namespace: stackrox
    spec:
      ingress:
      - ports:
        - port: 9090
          protocol: TCP
      podSelector:
        matchExpressions:
        - {key: app, operator: In, values: [central, sensor, collector]}
      policyTypes:
      - Ingress
    EOF

    If you use Kubernetes, enter kubectl instead of oc.
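
The policy in step 2 has no from clause, so it admits any source that can reach the selected pods on port 9090. The following added example (not part of the Red Hat documentation) prints the same policy narrowed to a single namespace; the function name render_monitoring_policy and its namespace argument are assumptions, and kubernetes.io/metadata.name is the label Kubernetes sets on every namespace.

```shell
#!/bin/sh
# Added example, not from the RHACS documentation.
# Prints the allow-monitoring NetworkPolicy with ingress on port 9090
# limited to pods in one namespace.
# $1 = namespace where Prometheus runs (assumption: you supply it).

render_monitoring_policy() {
  ns=$1
  # Accept only a DNS-1123 label so the value cannot alter the YAML structure.
  case "$ns" in
    ''|-*|*-|*[!a-z0-9-]*) echo "invalid namespace: $ns" >&2; return 1 ;;
  esac
  [ "${#ns}" -le 63 ] || { echo "namespace too long" >&2; return 1; }
  # Same name as the policy in step 2, so applying it replaces that policy.
  # NetworkPolicies are additive: a second policy with a different name
  # would not narrow the open one.
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/name: stackrox
  name: allow-monitoring
  namespace: stackrox
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: $ns
    ports:
    - port: 9090
      protocol: TCP
  podSelector:
    matchExpressions:
    - {key: app, operator: In, values: [central, sensor, collector]}
  policyTypes:
  - Ingress
EOF
}

# Usage: render_monitoring_policy <prometheus_namespace> | oc apply -f -
```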

13.5. Customizing the default port

To customize the port used for Prometheus metrics in Red Hat Advanced Cluster Security for Kubernetes Central and Sensor, you can use the ROX_METRICS_PORT environment variable.

Procedure

  • Set the ROX_METRICS_PORT environment variable:

    $ oc -n stackrox set env deploy/central ROX_METRICS_PORT=<value>

    If you use Kubernetes, enter kubectl instead of oc.

Note

You can specify the <value> for the ROX_METRICS_PORT environment variable as:

  • disabled to disable monitoring.
  • :<port_number> to bind it to a wildcard address.
  • <address>:<port_number> to use a specific address and port number. You can also specify an IPv6 address by using square brackets, for example, [2001:db8::1234]:9090.
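
An added example (not RHACS code) that checks a candidate value against the three forms listed above before you pass it to oc set env, and reports whether it binds to a wildcard or a specific address. The function names are hypothetical, and accepting host names in the <address> form is an assumption.

```shell
#!/bin/sh
# Added example: classify a ROX_METRICS_PORT value.
# Prints a description and returns 0 for an accepted form, returns 1 otherwise.

valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;               # empty or non-numeric
  esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

classify_metrics_port() {
  value=$1
  case "$value" in
    disabled)                              # monitoring switched off
      echo "disabled"; return 0 ;;
    :*)                                    # :<port_number>, wildcard address
      port=${value#:}
      valid_port "$port" || return 1
      echo "wildcard port=$port"; return 0 ;;
    \[*\]:*)                               # [<ipv6>]:<port_number>
      addr=${value%%\]:*}; addr=${addr#\[}
      port=${value##*\]:}
      case "$addr" in ''|*[!0-9A-Fa-f:.]*) return 1 ;; esac
      case "$addr" in *:*) ;; *) return 1 ;; esac
      valid_port "$port" || return 1
      echo "address=[$addr] port=$port"; return 0 ;;
    *:*)                                   # <address>:<port_number>
      addr=${value%:*}; port=${value##*:}
      # An unbracketed address must not contain ':' (IPv6 needs brackets).
      case "$addr" in ''|*:*|*[!0-9A-Za-z.-]*) return 1 ;; esac
      valid_port "$port" || return 1
      echo "address=$addr port=$port"; return 0 ;;
  esac
  return 1                                 # bare port number or anything else
}
```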