Chapter 4. Getting started with RHACS Cloud Service


Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service) provides security services for your Red Hat OpenShift and Kubernetes clusters. See the Red Hat Advanced Cluster Security for Kubernetes Support Matrix for information about supported platforms for secured clusters.

Prerequisites

  • Ensure that you can access the Advanced Cluster Security menu option from the Red Hat Hybrid Cloud Console.

    Note

    To access the RHACS Cloud Service console, you need your Red Hat Single Sign-On (SSO) credentials, or credentials for another identity provider if that has been configured. See Default access to the ACS Console.

4.1. High-level overview of installation steps

The following sections provide an overview of installation steps and links to the relevant documentation.

4.1.1. Securing Red Hat OpenShift clusters

You can secure Red Hat OpenShift clusters by using the RHACS Operator, Helm charts, or the roxctl CLI.

Procedure (RHACS Operator)

  1. Verify that the clusters you want to secure meet the default requirements.
  2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.
  3. On each Red Hat OpenShift cluster you want to secure, create a project named stackrox. This project will contain the resources for RHACS Cloud Service secured clusters.
  4. Generate a cluster registration secret (CRS) or an init bundle, which contains secrets that are used to establish initial trust between Central and the secured clusters. Using a CRS is the preferred method. Complete only one of the following actions to generate the CRS:

    • In the ACS Console, generate a CRS. This file contains the secrets that are used to set up the initial secured communication between RHACS Cloud Service secured clusters and Central.
    • Log in to Central and use the roxctl CLI to generate a CRS.
  5. On each Red Hat OpenShift cluster, apply the CRS.
  6. On each Red Hat OpenShift cluster, install the RHACS Operator.
  7. On each Red Hat OpenShift cluster, install secured cluster resources in the stackrox project by using the Operator.
  8. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.

Procedure (Helm charts)

  1. Verify that the clusters you want to secure meet the default requirements.
  2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.
  3. On each Red Hat OpenShift cluster you want to secure, create a project named stackrox. This project will contain the resources for RHACS Cloud Service secured clusters.
  4. Generate a cluster registration secret (CRS) or an init bundle, which contains secrets that are used to establish initial trust between Central and the secured clusters. Using a CRS is the preferred method. Complete only one of the following actions to generate the CRS:

    • In the ACS Console, generate a CRS. This file contains the secrets that are used to set up the initial secured communication between RHACS Cloud Service secured clusters and Central.
    • Log in to Central and use the roxctl CLI to generate a CRS.
  5. On each Red Hat OpenShift cluster, run the helm install command to install RHACS by using Helm charts, specifying the path of the CRS.
  6. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.

Procedure (roxctl CLI)

  1. Verify that the clusters you want to secure meet the default requirements.
  2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.
  3. On each Red Hat OpenShift cluster you want to secure, create a project named stackrox. This project will contain the resources for RHACS Cloud Service secured clusters.
  4. Complete only one of the following steps:

  5. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.

4.1.2. Securing Kubernetes clusters

You can secure Kubernetes clusters by using Helm charts or the roxctl CLI.

Procedure (Helm charts)

  1. Verify that the clusters you want to secure meet the default requirements.
  2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.
  3. Generate a cluster registration secret (CRS) or an init bundle, which contains secrets that are used to establish initial trust between Central and the secured clusters. Using a CRS is the preferred method. Complete only one of the following actions to generate the CRS:

    • In the ACS Console, generate a CRS. This file contains the secrets that are used to set up the initial secured communication between RHACS Cloud Service secured clusters and Central.
    • Log in to Central and use the roxctl CLI to generate a CRS.
  4. On each Kubernetes cluster, run the helm install command to install RHACS by using Helm charts, specifying the path of the CRS.
  5. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.

Procedure (roxctl CLI)

  1. Verify that the clusters you want to secure meet the default requirements.
  2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.
  3. On each cluster you want to secure, create a namespace named stackrox. This namespace will contain the resources for RHACS Cloud Service secured clusters.
  4. Complete only one of the following steps:

  5. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.

4.2. Default access to the ACS Console

By default, the authentication mechanism available to users is authentication by using Red Hat Single Sign-On (SSO). You cannot delete or change the Red Hat SSO authentication provider, but you can change the minimum access role and add additional rules, or add another identity provider.

Note

To learn how authentication providers work in ACS, see Understanding authentication providers.

A dedicated OIDC client of sso.redhat.com is created for each ACS Console. All OIDC clients share the same sso.redhat.com realm. Claims from the token issued by sso.redhat.com are mapped to an ACS-issued token as follows:

  • realm_access.roles to groups
  • org_id to rh_org_id
  • is_org_admin to rh_is_org_admin
  • sub to userid

The built-in Red Hat SSO authentication provider has the required attribute rh_org_id set to the organization ID assigned to the account of the user who created the RHACS Cloud Service instance. This is the organizational account ID. Only users from the same organizational account can access the ACS Console by using the Red Hat SSO authentication provider.

Note

To gain more control over access to your ACS Console, configure another identity provider instead of relying on the Red Hat SSO authentication provider. For more information, see Understanding authentication providers. To make another authentication provider the first authentication option on the login page, give it a name that sorts lexicographically before "Red Hat SSO".

The minimum access role is set to None. Assigning a different value to this field grants access to the RHACS Cloud Service instance to all users with the same organizational account.

Other rules that are set up in the built-in Red Hat SSO authentication provider include the following:

  • Rule mapping your userid to Admin
  • Rules mapping administrators of the organization to Admin

You can add more rules to grant access to the ACS Console to someone else with the same organizational account. For example, you can use email as a key.
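The following Python block is an added example, not RHACS code: it models how the built-in Red Hat SSO provider described in this section maps sso.redhat.com claims to ACS attributes, enforces the required rh_org_id attribute, and applies the minimum access role and rules. The provider structure, the rule format and all sample values are assumptions.

```python
# Added example (not RHACS code): a simplified model of how the built-in
# Red Hat SSO authentication provider turns sso.redhat.com token claims
# into ACS roles. The provider/rule structure and sample values are assumed.

# Claim mapping from the sso.redhat.com token to the ACS-issued token.
CLAIM_MAP = {
    "realm_access.roles": "groups",
    "org_id": "rh_org_id",
    "is_org_admin": "rh_is_org_admin",
    "sub": "userid",
}

def map_claims(sso_claims):
    """Translate sso.redhat.com claims into ACS token attributes."""
    acs = {}
    for src, dst in CLAIM_MAP.items():
        value = sso_claims
        for part in src.split("."):  # walk nested claims such as realm_access.roles
            value = value.get(part) if isinstance(value, dict) else None
        if value is not None:
            acs[dst] = value
    return acs

def resolve_roles(sso_claims, provider):
    """Return the sorted roles a user receives, or None if access is denied.
    provider (assumed shape): {"required": {attr: value}, "minimum_role": str,
                               "rules": [(attr, value, role), ...]}"""
    attrs = map_claims(sso_claims)
    # Required attribute: rh_org_id must equal the instance owner's org ID,
    # so users from any other organizational account are rejected outright.
    for attr, expected in provider["required"].items():
        if str(attrs.get(attr)) != str(expected):
            return None
    roles = set()
    if provider["minimum_role"] != "None":  # "None" grants nothing by default
        roles.add(provider["minimum_role"])
    for attr, value, role in provider["rules"]:
        # Keys not in CLAIM_MAP (e.g. email) are read from the token (assumption).
        actual = attrs.get(attr, sso_claims.get(attr))
        if actual == value or (isinstance(actual, list) and value in actual):
            roles.add(role)
    return sorted(roles) if roles else None

# Constructed provider config mirroring the defaults described in this section.
DEFAULT_PROVIDER = {
    "required": {"rh_org_id": "12345678"},            # constructed org ID
    "minimum_role": "None",
    "rules": [("userid", "creator-sub", "Admin"),     # creator's userid -> Admin
              ("rh_is_org_admin", True, "Admin")],    # org administrators -> Admin
}
```

With these defaults, a colleague from the same organization who is neither the creator nor an org admin gets no access until the minimum role is raised or an extra rule (for example on email) is added.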

© 2026 Red Hat