Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. High-level RHACS installation overview

Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides security services for your self-managed Red Hat OpenShift Kubernetes systems or platforms such as OpenShift Container Platform, Amazon Elastic Kubernetes Service (Amazon EKS), Google Kubernetes Engine (Google GKE), and Microsoft Azure Kubernetes Service (Microsoft AKS). There are several methods of installation available, depending on the type of platform you are using.

For information about supported platforms and architecture, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix. For life cycle support information for RHACS, see the Red Hat Advanced Cluster Security for Kubernetes Support Policy.

To ensure the best installation experience, follow these guidelines:

  1. Understand the installation platforms and methods that are available.
  2. Understand the Red Hat Advanced Cluster Security for Kubernetes architecture.
  3. Check the default resource requirements.

1.1. Installation methods for different platforms
Copy link

You can perform different types of installations on different platforms.

Note

Not all installation methods are supported for all platforms. See the Red Hat Advanced Cluster Security for Kubernetes Support Matrix for more information.

Expand
Table 1.1. Platforms and recommended installation methods
Platform typePlatformRecommended installation methodsInstallation steps

Managed service platform

Red Hat OpenShift Dedicated (OSD)

Operator (recommended), Helm charts, or roxctl CLI [1]

Azure Red Hat OpenShift (ARO)

Red Hat OpenShift Service on AWS (ROSA)

Red Hat OpenShift on IBM Cloud

Amazon Elastic Kubernetes Service (Amazon EKS)

Helm charts (recommended), or roxctl CLI [1]

Google Kubernetes Engine (Google GKE)

Microsoft Azure Kubernetes Service (Microsoft AKS)

Self-managed platform

Red Hat OpenShift Container Platform (OCP)

Operator (recommended), Helm charts, or roxctl CLI [1]

Red Hat OpenShift Kubernetes Engine (OKE)

  1. Do not use the roxctl installation method unless you have specific requirements for following this installation method.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) supports the following architectures. For information on supported platforms and architecture, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix. Additionally, the following table gives information about installation methods available for each architecture.

Expand
Table 1.2. Architectures and supported installation methods for each architecture
Supported architecturesSupported installation methods

AMD64

Operator (preferred), Helm charts, or roxctl CLI (not recommended)

ppc64le (IBM Power)

Operator

s390x (IBM Z and IBM® LinuxONE)

AArch64 (ARM64)

Operator (preferred), Helm charts, or roxctl CLI

When you install Red Hat Advanced Cluster Security for Kubernetes (RHACS), you must generate a component that is used between Central and the secured clusters to set up secure communication. Central, also called the Central instance in Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service), is the specific service that provides the ACS Console, handles all API interactions, and manages data storage and image scanning. The user interface is called the RHACS portal for RHACS and is called the ACS Console for RHACS Cloud Service.

The original component used to authenticate when establishing the connection between Central and secured clusters is called an init bundle. A later component, called a cluster registration secret (CRS), provides a more secure mechanism to set up this communication. You generate an init bundle or a CRS in the cluster where Central is located, and then you install it onto the secured clusters.

An init bundle is a YAML file that contains security secrets that allow a new Kubernetes cluster to connect securely to Central. This file is used to create the specific Kubernetes secrets of sensor-tls, collector-tls, and admission-control-tls. These services contain certificates and private keys required for mutual TLS (mTLS) authentication. The certificates inside an init bundle are valid for one year by default. If they expire, the secured cluster will disconnect, and you must generate and apply a new bundle.

A single init bundle can be used to connect multiple different clusters to the same Central instance, although using unique bundles for different groups of clusters can make revoking access easier if credentials are compromised. You can reapply an init bundle to a secured cluster to provide an existing secured cluster with new or updated certificates.

Beginning with RHACS version 4.7, RHACS provides a more secure alternative to init bundles, called Cluster Registration Secrets (CRSes). Unlike an init bundle, which contains long-lived certificates, a CRS contains a token that the secured cluster uses to request its own certificates. Therefore, you can revoke the CRS immediately after installation without breaking the cluster’s connection. Unlike init bundles, you cannot put a new CRS on the cluster and have the secured cluster use this CRS to reestablish the communication with Central. You must generate a new CRS in Central and then reapply the new CRS to the secured cluster and reestablish the secured connection.

  1. On the Red Hat OpenShift cluster, install the RHACS Operator into the rhacs-operator project, or namespace.
  2. On the Red Hat OpenShift cluster that will contain Central, called the central cluster, use the RHACS Operator to install Central services into the stackrox project. One central cluster can secure multiple clusters.

  3. Log in to the RHACS web console from the central cluster, and generate a cluster registration secret (CRS) or an init bundle and download it. The CRS or the init bundle is then installed on the cluster that you want to secure, called the secured cluster. The CRS or the init bundle contains the cryptographic artifacts that RHACS uses to establish trusted connections between Central and secured clusters.

    Note

    Init bundles are still supported, but using a CRS is the preferred method for securing your cluster.

  4. For the secured cluster:

    1. Install the RHACS Operator into the rhacs-operator namespace.

    2. Apply the CRS or the init bundle that you generated in RHACS to the secured cluster by performing one of these steps:

      • Use the OpenShift Container Platform web console to import the YAML file of the CRS or the init bundle that you generated. Make sure you are in the stackrox namespace.

      • Use the OpenShift CLI to perform one of the following actions:

        • If you generated a CRS, in the terminal window, run the oc create -f <file_name.yaml> -n <stackrox> command, specifying the path to the downloaded CRS.
        • If you generated an init bundle, in the terminal window, run the oc create -f <init_bundle.yaml> -n <stackrox> command, specifying the path to the downloaded YAML file of the init bundle.
    3. On the secured cluster, use the RHACS Operator to install Secured Cluster services into the stackrox namespace. When creating these services, be sure to enter the address of Central in the Central Endpoint field so that the secured cluster can communicate with Central.
  1. Add the RHACS Helm charts repository.
  2. Install the central-services Helm chart on the Red Hat OpenShift cluster that will contain Central, called the central cluster.
  3. Log in to the RHACS web console on the Central cluster and generate a CRS or an init bundle.
  4. For each cluster that you want to secure, log in to the secured cluster and use the helm install command to install the secured-cluster-services Helm chart, specifying the path to the CRS or the init bundle that you generated.

This installation method is also called the manifest installation method.

  1. Install the roxctl CLI.

  2. On the Red Hat OpenShift cluster that will contain Central, perform these steps:

    1. In the terminal window, run the interactive install command by using the roxctl CLI.
    2. Run the setup shell script.
    3. In the terminal window, create the Central resources by using the oc create command.

  3. Perform one of the following actions:

    • In the RHACS web console, create and download the sensor YAML file and keys.
    • On the secured cluster, use the roxctl sensor generate openshift command.
  4. On the secured cluster, run the sensor installation script.

1.5. Installation steps for RHACS on Kubernetes
Copy link

  1. Add the RHACS Helm charts repository.
  2. Install the central-services Helm chart on the cluster that will contain Central, called the Central cluster.

  3. Log in to the RHACS web console from the Central cluster and generate a cluster registration secret (CRS). You need to apply the CRS to the cluster that you want to secure, called the secured cluster. The CRS contains the cryptographic artifacts that RHACS uses to establish trusted connections between Central and secured clusters.

    Note

    Init bundles are still supported, but using a CRS is the preferred method for securing your cluster.

  4. For each secured cluster, install the secured-cluster-services Helm chart by running one of the following commands:

    • For a CRS, run the following command: 

      $ helm install -n stackrox \
  --create-namespace stackrox-secured-cluster-services rhacs/secured-cluster-services \
  --set-file crs.file=<crs_file_name.yaml> \
  -f <path_to_values_public.yaml> \
  -f <path_to_values_private.yaml> \
  --set imagePullSecrets.username=<username> \
  --set imagePullSecrets.password=<password>

      where:

      <crs_file_name.yaml>
      Specifies the name of the file in which the generated CRS has been stored.
      <path_to_values_public.yaml>
      Specifies the path to your public YAML configuration file.
      <path_to_values_private.yaml>
      Specifies the path to your private YAML configuration file.
      <username>
      Specifies the user name for your pull secret for Red Hat Container Registry authentication.
      <password>
      Specifies the password for your pull secret for Red Hat Container Registry authentication.

    • For an init bundle, run the following command: 

      $ helm install -n stackrox \
  --create-namespace stackrox-secured-cluster-services rhacs/secured-cluster-services \
  -f <name_of_cluster_init_bundle.yaml> \
  -f <path_to_values_public.yaml> \
  -f <path_to_values_private.yaml> \
  --set imagePullSecrets.username=<username> \
  --set imagePullSecrets.password=<password>

      where:

      <path_to_values_public.yaml>
      Specifies the path to your public YAML configuration file.
      <path_to_values_private.yaml>
      Specifies the path to your private YAML configuration file.
      <username>
      Specifies the user name for your pull secret for Red Hat Container Registry authentication.
      <password>
      Specifies the password for your pull secret for Red Hat Container Registry authentication.

This installation method is also called the manifest installation method.

  1. Install the roxctl CLI.

  2. On the Kubernetes cluster that will contain Central, perform these steps:

    1. In the terminal window, run the interactive install command by using the roxctl CLI.
    2. Run the setup shell script.
    3. In the terminal window, create the Central resources by using the kubectl create command.

  3. Perform one of the following actions:

    • In the RHACS web console, create and download the sensor YAML file and keys.
    • On the cluster that you want to secure, called the secured cluster, use the roxctl sensor generate openshift command.
  4. On the secured cluster, run the sensor installation script.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top