Red Hat SummitChapter 7. Enabling offline mode
You can use Red Hat Advanced Cluster Security for Kubernetes for clusters that are not connected to the internet by enabling the offline mode. In offline mode, Red Hat Advanced Cluster Security for Kubernetes components do not connect to addresses or hosts on the internet.
Red Hat Advanced Cluster Security for Kubernetes does not determine if the user-supplied hostnames, IP addresses, or other resources are on the internet. For example, if you try to integrate with a Docker registry hosted on the internet, Red Hat Advanced Cluster Security for Kubernetes will not block this request.
To deploy and operate Red Hat Advanced Cluster Security for Kubernetes in offline mode:
- Download RHACS images and install them in your clusters. If you are using OpenShift Container Platform, you can use Operator Lifecycle Manager (OLM) and the Software Catalog to download images to a workstation that is connected to the internet. The workstation then pushes images to a mirror registry that is also connected to your secured cluster. For other platforms, you can use a program such as Skopeo or Docker to pull the images from the remote registry and push them to your own private registry, as described in Downloading images for offline use.
- Enable offline mode during installation.
- Update the vulnerability list for Scanner by uploading a new definitions file at least once per day.
You can only enable offline mode during the installation, and not during an upgrade.
7.1. Downloading images for offline use
Before you can use RHACS in offline mode, you must download the required container images and make them available in your environment. The method you use depends on your platform and infrastructure.
If you are using OpenShift Container Platform, you can use Operator Lifecycle Manager (OLM) and the Software Catalog to download images to a workstation that is connected to the internet. The workstation then pushes images to a mirror registry that is also connected to your secured cluster.
For other platforms, you can use a program such as Skopeo or Docker to pull the images from the remote registry and push them to your own private registry.
7.1.1. Image versions
You can manually pull, retag, and push Red Hat Advanced Cluster Security for Kubernetes (RHACS) images to your registry. The current version includes the following images:
| Image | Description | Current version |
|---|---|---|
| Main |
Includes Central, Sensor, Admission controller, and Compliance components. Also includes |
|
| Central DB | PostgreSQL instance that provides the database storage for Central. |
|
| Scanner | Scans images and nodes. |
|
| Scanner DB | Stores image scan results and vulnerability definitions. |
|
| Scanner V4 | Scans images. |
|
| Scanner V4 DB | Stores image scan results and vulnerability definitions for Scanner V4. |
|
| Collector | Collects runtime activity in Kubernetes or OpenShift Container Platform clusters. |
|
7.1.1.1. Retagging images
You can download and retag images using the Docker command-line interface.
When you retag an image, you must maintain the name of the image and the tag. For example, use:
$ docker tag registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.10.0 <your_registry>/rhacs-main-rhel8:4.10.0and do not retag like the following example:
$ docker tag registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.10.0 <your_registry>/other-name:latestProcedure
Log in to the registry:
$ docker login registry.redhat.ioPull the image:
$ docker pull <image>Retag the image:
$ docker tag <image> <new_image>Push the updated image to your registry:
$ docker push <new_image>
7.2. Enabling offline mode during installation
You can enable offline mode during the installation of Red Hat Advanced Cluster Security for Kubernetes. After offline mode is enabled, RHACS components do not connect to addresses or hosts on the internet.
7.2.1. Enabling offline mode when installing by using the Operator
You can enable offline mode when installing Red Hat Advanced Cluster Security for Kubernetes (RHACS) by using the Operator method. In offline mode, RHACS components do not connect to addresses or hosts on the internet.
Prerequisites
- You have configured a private container or mirror registry with the required RHACS images. See "Using Operator Lifecycle Manager in disconnected environments".
Procedure
- Install the Red Hat Advanced Cluster Security for Kubernetes Operator following the instructions in "Installing the Red Hat Advanced Cluster Security for Kubernetes Operator".
-
On the OpenShift Container Platform web console, go to the Ecosystem
Installed Operators page. - Select the Red Hat Advanced Cluster Security for Kubernetes Operator from the list of installed Operators.
If you have installed the Operator in the recommended namespace, OpenShift Container Platform lists the project as
rhacs-operator. Select Project: rhacs-operatorCreate project. NoteIf you installed the Operator in a different namespace, OpenShift Container Platform lists the name of that namespace instead of
rhacs-operator.-
Enter the new project name (for example,
stackrox), and click Create. Red Hat recommends that you usestackroxas the project name. - Under the Provided APIs section, select Central. Click Create Central.
Take one of the following actions to configure offline mode. In this mode, RHACS does not automatically download or update vulnerability definitions or other data. You must manually download these and provide them to RHACS if you have configured it to run in offline mode.
To configure offline mode by using the portal, select Form view in the Configure via field.
- Locate the Egress setting. This setting indicates if the system allows outgoing network traffic.
- In the Connectivity Policy field, select Offline to indicate that RHACS should run in offline (disconnected) mode.
To configure offline mode by editing the YAML CR, select YAML view in the Configure via field.
Add
egress.connectivityPolicy: Offlineto the file as shown in the following example:apiVersion: platform.stackrox.io/v1alpha1 kind: Central metadata: name: stackrox-central-services namespace: stackrox spec: egress: connectivityPolicy: Offline
- Click Create.
7.2.2. Enabling offline mode by using Helm configuration
You can enable offline mode during the installation when you are installing Red Hat Advanced Cluster Security for Kubernetes by using a Helm chart.
Procedure
-
When installing the central-services Helm chart, set the value of the
env.offlineModeenvironmental variable totruein thevalues-public.yamlconfiguration file. -
When installing the secured-cluster-services Helm chart, set the value of the
config.offlineModeparameter totruein thevalues-public.yamlconfiguration file.
7.2.3. Enabling offline mode by using the roxctl CLI
You can enable offline mode when you are installing Red Hat Advanced Cluster Security for Kubernetes by using the roxctl CLI.
Procedure
If you are using a registry other than the default internet-connected registry (
registry.redhat.io), provide the locations where you have pushed the Red Hat Advanced Cluster Security for Kubernetes images when answering theimage to useprompts:Enter main image to use (if unset, the default will be used): <your_registry>/rhacs-main-rhel8:4.10.0NoteThe default image depends on your answer for the prompt
Enter default container images settings:. If you enteredrhacs, the default option, the default image will beregistry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.10.0.Enter Scanner DB image to use (if unset, the default will be used): <your_registry>/rhacs-scanner-db-rhel8:4.10.0Enter Scanner image to use (if unset, the default will be used): <your_registry>/rhacs-scanner-rhel8:4.10.0To enable the offline mode, enter
truewhen answering theEnter whether to run StackRox in offline modeprompt:Enter whether to run StackRox in offline mode, which avoids reaching out to the internet (default: "false"): true-
Later, when you add Sensor to a remote cluster in the Platform Configuration
Clusters view in the RHACS portal, you must specify your the Collector image name in the Collector Image Repository field.
7.3. Updating Scanner definitions in offline mode
Scanner maintains a database of vulnerabilities. When Red Hat Advanced Cluster Security for Kubernetes (RHACS) runs in normal mode, Central retrieves the latest vulnerability data from the internet, and Scanner retrieves vulnerability data from Central.
However, if you are using RHACS in offline mode, you must manually update the vulnerability data. To manually update the vulnerability data, you must upload a definitions file to Central, and Scanner then retrieves the vulnerability data from Central.
In both online and offline mode, Scanner checks for new data from Central every 5 minutes by default. In online mode, Central also checks for new data from the internet approximately every 5-20 minutes.
The offline data source is updated approximately every 3 hours. After the data has been uploaded to Central, Scanner downloads the data and updates its local vulnerability database.
To update the definitions in offline mode, you must download the definitions and then upload them to Central.
7.3.1. Downloading Scanner definitions
If you are running Red Hat Advanced Cluster Security for Kubernetes in offline mode, you can download the vulnerability definitions database that Scanner uses and then upload it to Central.
Prerequisites
- To download Scanner definitions, you need a system with internet access.
Procedure
To download the definitions, perform one of the following actions:
-
Recommended: Beginning with RHACS version 4.4, use the
roxctl scanner download-db --scanner-db-file scanner-vuln-updates.zipcommand to download the definitions. - Go to https://install.stackrox.io/scanner/scanner-vuln-updates.zip to download the definitions.
-
Recommended: Beginning with RHACS version 4.4, use the
7.3.2. Uploading definitions to Central
To upload Scanner definitions to Central, you can either use an API token or your administrator password. Red Hat recommends using an authentication token in a production environment because each token is assigned specific access control permissions.
7.3.2.1. Uploading definitions to Central by using an API token
You can upload the vulnerability definitions database that Scanner uses to Central by using an API token.
Prerequisites
- You must have an API token with the administrator role.
-
You must have installed the
roxctlcommand-line interface (CLI).
Procedure
Set the
ROX_API_TOKENand theROX_CENTRAL_ADDRESSenvironment variables:$ export ROX_API_TOKEN=<api_token>$ export ROX_CENTRAL_ADDRESS=<address>:<port_number>Run the following command to upload the definitions file:
$ roxctl scanner upload-db \ -e "$ROX_CENTRAL_ADDRESS" \ --scanner-db-file=<compressed_scanner_definitions.zip>
7.3.2.2. Uploading definitions to Central by using the administrator password
You can upload the vulnerability definitions database that Scanner uses to Central by using your Red Hat Advanced Cluster Security for Kubernetes administrator password.
Prerequisites
- You must have the administrator password.
-
You must have installed the
roxctlcommand-line interface (CLI).
Procedure
Set the
ROX_CENTRAL_ADDRESSenvironment variable:$ export ROX_CENTRAL_ADDRESS=<address>:<port_number>Run the following command to upload the definitions file:
$ roxctl scanner upload-db \ -p <your_administrator_password> \ -e "$ROX_CENTRAL_ADDRESS" \ --scanner-db-file=<compressed_scanner_definitions.zip>
7.4. Updating kernel support packages in offline mode
Support packages are deprecated and have no effect on secured clusters running version 4.5 or later. Support package uploads only affect secured clusters on version 4.4 and earlier.
Collector monitors the runtime activity for each node in your secured clusters. To monitor the activities, Collector requires probes in the form of eBPF programs.
With the CORE_BPF collection method, the probe is not specific to any kernel version, and can still be used after the underlying kernel has been updated. This collection method does not require you to provide or update a support package.
Instead, when you use the collection method EBPF, the probes are specific to the Linux kernel version installed on the host. The Collector image contains a set of built-in probes for the kernels supported at release time. However, later kernels will require newer probes.
When Red Hat Advanced Cluster Security for Kubernetes runs in normal mode (connected to the internet), Collector automatically downloads a new probe if the required probe is not built in.
In offline mode, you can manually download packages containing probes for all recent and supported Linux kernel versions and upload them to Central. Collectors then download these probes from Central.
Collector checks for the new probes in the following order. It checks:
- The existing Collector image.
- The kernel support package (if you have uploaded one to Central).
- A Red Hat-operated server available on the internet. Collector uses Central’s network connection to check and download the probes.
If Collector does not get new probes after checking, it reports a CrashLoopBackoff event.
If your network configuration restricts outbound traffic, you can manually download packages containing probes for all recent and supported Linux kernel versions and upload them to Central. Collectors then download these probes from Central, thus avoiding any outbound internet access.
7.4.1. Downloading kernel support packages
Support packages are deprecated and have no effect on secured clusters running version 4.5 or later. Support package uploads only affect secured clusters on version 4.4 and earlier.
If you are running Red Hat Advanced Cluster Security for Kubernetes in offline mode, you can download packages containing probes for all recent and supported Linux kernel versions and then upload them to Central.
Procedure
- View and download available support packages from https://install.stackrox.io/collector/support-packages/index.html. The kernel support packages list categorizes support packages based on Red Hat Advanced Cluster Security for Kubernetes version.
7.4.2. Uploading kernel support packages to Central
You can upload the kernel support packages containing probes for all recent and supported Linux kernel versions to Central.
When uploading packages, consider the following guidance:
- When you upload a new support package that includes content uploaded to Central previously, only new files are uploaded.
-
When you upload a new support package that includes files with the same name but different contents than those present on the Central,
roxctlshows a warning message and does not overwrite files. -
You can use the
--overwriteoption with the upload command to overwrite the files. - When you upload a support package that contains a required probe, Central does not make any outbound requests to the internet for downloading this probe. Central uses the probe from the support package.
Prerequisites
- You must have an API token with the administrator role.
-
You must have installed the
roxctlcommand-line interface (CLI).
Procedure
Set the
ROX_API_TOKENand theROX_CENTRAL_ADDRESSenvironment variables:$ export ROX_API_TOKEN=<api_token>$ export ROX_CENTRAL_ADDRESS=<address>:<port_number>Run the following command to upload the kernel support packages:
$ roxctl collector support-packages upload <package_file> \ -e "$ROX_CENTRAL_ADDRESS"
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}