Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 5. Setting up RHACS Cloud Service with Red Hat OpenShift secured clusters

Access Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service) by selecting an instance in the Red Hat Hybrid Cloud Console. An ACS instance contains the RHACS Cloud Service management interface and services that Red Hat configures and manages for you. The management interface connects to your secured clusters, which contain the services that scan and collect information about vulnerabilities. One instance can connect to and monitor many clusters.

5.1.1. Creating an instance in the console
Copy link

In the Red Hat Hybrid Cloud Console, create an ACS instance to connect to your secured clusters.

Procedure

To create an ACS instance:

  1. Log in to the Red Hat Hybrid Cloud Console.
  2. From the navigation menu, select Advanced Cluster Security ACS Instances.

  3. Select Create ACS instance and enter information into the displayed fields or select the appropriate option from the drop-down list:

    • Name: Enter the name of your ACS instance. An ACS instance contains the RHACS Central component, also referred to as "Central", which includes the RHACS Cloud Service management interface and services that are configured and managed by Red Hat. You manage your secured clusters that communicate with Central. You can connect many secured clusters to one instance.
    • Cloud provider: The cloud provider where Central is located. Select AWS.

    • Cloud region: The region for your cloud provider where Central is located. Select one of the following regions:

      • US-East, N. Virginia
      • Europe, Ireland
    • Availability zones: Use the default value (Multi).
  4. Click Create instance.

5.1.2. Next steps
Copy link

  • On each Red Hat OpenShift cluster you want to secure, create a project named stackrox. This project will contain the resources for RHACS Cloud Service secured clusters.

Create a project on each Red Hat OpenShift cluster that you want to secure. You then use this project to install RHACS Cloud Service resources by using the Operator or Helm charts.

5.2.1. Creating a project on your cluster
Copy link

Procedure

  • In your OpenShift Container Platform cluster, navigate to Home Projects and create a project for RHACS Cloud Service. Use stackrox as the project Name.

5.2.2. Next steps
Copy link

  • In the ACS Console, create an init bundle. The init bundle contains secrets that allow communication between RHACS Cloud Service secured clusters and the ACS Console.

Before you install the SecuredCluster resource on a cluster, you must create an init bundle. The cluster that has SecuredCluster installed and configured then uses this bundle to authenticate with Central. You can create an init bundle by using either the RHACS portal or the roxctl CLI. You then apply the init bundle by using it to create resources.

Note

You must have the Admin user role to create an init bundle.

5.3.1. Generating an init bundle
Copy link

You can create an init bundle containing secrets by using the RHACS portal.

Note

You must have the Admin user role to create an init bundle.

Procedure

  1. Find the address of the RHACS portal based on your exposure method:

    1. For a route: 

      $ oc get route central -n stackrox
      Copy to Clipboard Toggle word wrap

    2. For a load balancer: 

      $ oc get service central-loadbalancer -n stackrox
      Copy to Clipboard Toggle word wrap

    3. For port forward:

      1. Run the following command: 

        $ oc port-forward svc/central 18443:443 -n stackrox
        Copy to Clipboard Toggle word wrap
      2. Navigate to https://localhost:18443/.
  2. On the RHACS portal, navigate to Platform Configuration Integrations.
  3. Navigate to the Authentication Tokens section and click on Cluster Init Bundle.
  4. Click Generate bundle.

  5. Enter a name for the cluster init bundle and click Generate.

    1. If you are installing using Helm charts, click Download Helm Values File to download the generated bundle.
    2. If you are installing using the Operator, click Download Kubernetes Secret File to download the generated bundle.
Important

Store this bundle securely because it contains secrets. You can use the same bundle to create multiple secured clusters.

Next steps

  1. Apply the init bundle by creating a resource on the secured cluster.
  2. Install secured cluster services on each cluster.

You can create an init bundle with secrets by using the roxctl CLI.

Note

You must have the Admin user role to create init bundles.

Prerequisites

You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.

  • Set the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables: 

    $ export ROX_API_TOKEN=<api_token>
    Copy to Clipboard Toggle word wrap 
    $ export ROX_CENTRAL_ADDRESS=<address>:<port_number>
    Copy to Clipboard Toggle word wrap

Procedure

  • Run the following command to generate a cluster init bundle containing secrets:

    For Helm installations: 

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" \
  central init-bundles generate <cluster_init_bundle_name> \
  --output cluster_init_bundle.yaml
    Copy to Clipboard Toggle word wrap

    For Operator installations: 

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" \
  central init-bundles generate <cluster_init_bundle_name> \
  --output-secrets cluster_init_bundle.yaml
    Copy to Clipboard Toggle word wrap
    Important

    Ensure that you store this bundle securely because it contains secrets. You can use the same bundle to set up multiple secured clusters.

5.3.2. Next steps
Copy link

Next Step

5.4. Applying an init bundle for secured clusters
Copy link

Apply the init bundle by using it to create resources.

Note

You must have the Admin user role to apply an init bundle.

5.4.1. Creating resources by using the init bundle
Copy link

Before you install secured clusters, you must use the init bundle to create the required resources on the cluster that will allow the services on the secured clusters to communicate with RHACS Cloud Service.

Note

If you are installing by using Helm charts, do not perform this step. Complete the installation by using Helm; See "Installing RHACS on secured clusters by using Helm charts" in the additional resources section.

Prerequisites

  • You must have generated an init bundle containing secrets.

Procedure

To create resources, perform one of the following steps:

  • In the OpenShift Container Platform web console, in the top menu, click + to open the Import YAML page. You can drag the init bundle file or copy and paste its contents into the editor, and then click Create.

  • Using the Red Hat OpenShift CLI, run the following command to create the resources: 

    $ oc create -f <init_bundle>.yaml \
    1 
    
  -n <stackrox>
    2
    Copy to Clipboard Toggle word wrap
    1
    Specify the file name of the init bundle containing the secrets.
    2
    Specify the name of the project where Central services are installed.

Next Step

  • Install RHACS secured cluster services in all clusters that you want to monitor.

5.4.2. Next steps
Copy link

5.5. Installing the Operator
Copy link

Install the RHACS Operator on your secured clusters.

Using the OperatorHub provided with OpenShift Container Platform is the easiest way to install the RHACS Operator.

Prerequisites

Procedure

  1. Navigate in the web console to the Operators OperatorHub page.
  2. If Red Hat Advanced Cluster Security for Kubernetes is not displayed, enter Advanced Cluster Security into the Filter by keyword box to find the Red Hat Advanced Cluster Security for Kubernetes Operator.
  3. Select the Red Hat Advanced Cluster Security for Kubernetes Operator to view the details page.
  4. Read the information about the Operator, and then click Install.

  5. On the Install Operator page:

    • Keep the default value for Installation mode as All namespaces on the cluster.
    • Select a specific namespace in which to install the Operator for the Installed namespace field. Install the Red Hat Advanced Cluster Security for Kubernetes Operator in the rhacs-operator namespace.

    • Select automatic or manual updates for Update approval.

      If you select automatic updates, when a new version of the Operator is available, Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator.

      If you select manual updates, when a newer version of the Operator is available, OLM creates an update request. As a cluster administrator, you must manually approve the update request to update the Operator to the latest version.

  6. Click Install.

Verification

  • After the installation completes, navigate to Operators Installed Operators to verify that the Red Hat Advanced Cluster Security for Kubernetes Operator is listed with the status of Succeeded.

5.5.2. Next steps
Copy link

You can install RHACS Cloud Service on your secured clusters by using the the Operator or Helm charts. You can also use the roxctl CLI to install it, but do not use this method unless you have a specific installation need that requires using it.

Prerequisites

  • You have created your Red Hat OpenShift cluster and installed the Operator on it.
  • In the ACS Console in RHACS Cloud Service, you have created and downloaded the init bundle.
  • You applied the init bundle by using the oc create command.
  • During installation, you noted the Central API Endpoint, including the address and the port number. You can view this information by choosing Advanced Cluster Security ACS Instances from the cloud console navigation menu, and then clicking the ACS instance you created.

5.6.1.1. Installing secured cluster services
Copy link

You can install secured cluster services on your clusters by using the SecuredCluster custom resource. You must install the secured cluster services on every cluster in your environment that you want to monitor.

Important

When you install secured cluster services, Collector is also installed. To install Collector on systems that have Unified Extensible Firmware Interface (UEFI) and that have Secure Boot enabled, you must use eBPF probes because kernel modules are unsigned, and the UEFI firmware cannot load unsigned packages. Collector identifies Secure Boot status at the start and switches to eBPF probes if required.

Prerequisites

  • If you are using OpenShift Container Platform, you must install version 4.10 or later.
  • You have installed the RHACS Operator.
  • You have generated an init bundle and applied it to the cluster.

Procedure

  1. On the OpenShift Container Platform web console, navigate to the Operators Installed Operators page.
  2. Click the RHACS Operator.
  3. Click Secured Cluster from the central navigation menu in the Operator details page.
  4. Click Create SecuredCluster.

  5. Select one of the following options in the Configure via field:

    • Form view: Use this option if you want to use the on-screen fields to configure the secured cluster and do not need to change any other fields.
    • YAML view: Use this view to set up the secured cluster using the YAML file. The YAML file is displayed in the window and you can edit fields in it. If you select this option, when you are finished editing the file, click Create.
  6. If you are using Form view, enter the new project name by accepting or editing the default name. The default value is stackrox-secured-cluster-services.
  7. Optional: Add any labels for the cluster.
  8. Enter a unique name for your SecuredCluster custom resource.

  9. For Central Endpoint, enter the address and port number of your Central instance. For example, if Central is available at https://central.example.com, then specify the central endpoint as central.example.com:443. The default value of central.stackrox.svc:443 only works when you install secured cluster services and Central in the same cluster. Do not use the default value when you are configuring multiple clusters. Instead, use the hostname when configuring the Central Endpoint value for each cluster.

    • For RHACS Cloud Service use the Central API Endpoint, including the address and the port number. You can view this information by choosing Advanced Cluster Security ACS Instances from the cloud console navigation menu, then clicking the ACS instance you created.
    • Only if you are installing secured cluster services and Central in the same cluster, use central.stackrox.svc:443.
  10. Accept the default values or configure custom values if needed. For example, you may need to configure TLS if you are using custom certificates or untrusted CAs.
  11. Click Create.

Next step

  1. Optional: Configure additional secured cluster settings.
  2. Verify installation.

You can install RHACS on secured clusters by using Helm charts with no customization, using the default values, or with customizations of configuration parameters.

First, ensure that you add the Helm chart repository.

5.6.2.1. Adding the Helm chart repository
Copy link

Procedure

  • Add the RHACS charts repository. 

    $ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
    Copy to Clipboard Toggle word wrap

The Helm repository for Red Hat Advanced Cluster Security for Kubernetes includes Helm charts for installing different components, including:

  • Secured Cluster Services Helm chart (secured-cluster-services) for installing the per-cluster and per-node components (Sensor, Admission Controller, Collector, and Scanner-slim).

    Note

    Deploy the per-cluster components into each cluster that you want to monitor and deploy the per-node components in all nodes that you want to monitor.

Verification

  • Run the following command to verify the added chart repository: 

    $ helm search repo -l rhacs/
    Copy to Clipboard Toggle word wrap

Use the following instructions to install the secured-cluster-services Helm chart to deploy the per-cluster and per-node components (Sensor, Admission controller, Collector, and Scanner-slim).

Important

To install Collector on systems that have Unified Extensible Firmware Interface (UEFI) and that have Secure Boot enabled, you must use eBPF probes because kernel modules are unsigned, and the UEFI firmware cannot load unsigned packages. Collector identifies Secure Boot status at the start and switches to eBPF probes if required.

Prerequisites

  • You must have generated an RHACS init bundle for your cluster.
  • You must have access to the Red Hat Container Registry and a pull secret for authentication. For information about downloading images from registry.redhat.io, see Red Hat Container Registry Authentication.
  • You must have the Central API Endpoint, including the address and the port number. You can view this information by choosing Advanced Cluster Security ACS Instances from the cloud console navigation menu, then clicking the ACS instance you created.

You can use Helm chart configuration parameters with the helm install and helm upgrade commands. Specify these parameters by using the --set option or by creating YAML configuration files.

Create the following files for configuring the Helm chart for installing Red Hat Advanced Cluster Security for Kubernetes:

  • Public configuration file values-public.yaml: Use this file to save all non-sensitive configuration options.
  • Private configuration file values-private.yaml: Use this file to save all sensitive configuration options. Ensure that you store this file securely.
Important

When using the secured-cluster-services Helm chart, do not change the values.yaml file that is part of the chart.

5.6.2.3.1. Configuration parameters
Copy link
Expand
ParameterDescription

clusterName

Name of your cluster.

centralEndpoint

Address, including port number, of the Central endpoint. If you are using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with wss://. When configuring multiple clusters, use the hostname for the address (for example, central.example.com:443).

sensor.endpoint

Address of the Sensor endpoint including port number.

sensor.imagePullPolicy

Image pull policy for the Sensor container.

sensor.serviceTLS.cert

The internal service-to-service TLS certificate that Sensor uses.

sensor.serviceTLS.key

The internal service-to-service TLS certificate key that Sensor uses.

sensor.resources.requests.memory

The memory request for the Sensor container. Use this parameter to override the default value.

sensor.resources.requests.cpu

The CPU request for the Sensor container. Use this parameter to override the default value.

sensor.resources.limits.memory

The memory limit for the Sensor container. Use this parameter to override the default value.

sensor.resources.limits.cpu

The CPU limit for the Sensor container. Use this parameter to override the default value.

sensor.nodeSelector

Specify a node selector label as label-key: label-value to force Sensor to only schedule on nodes with the specified label.

sensor.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Sensor. This parameter is mainly used for infrastructure nodes.

image.main.name

The name of the main image.

image.collector.name

The name of the Collector image.

image.main.registry

Address of the registry you are using for the main image.

image.collector.registry

Address of the registry you are using for the Collector image.

image.main.pullPolicy

Image pull policy for main images.

image.collector.pullPolicy

Image pull policy for the Collector images.

image.main.tag

Tag of main image to use.

image.collector.tag

Tag of collector image to use.

collector.collectionMethod

Either EBPF, CORE_BPF, or NO_COLLECTION.

collector.imagePullPolicy

Image pull policy for the Collector container.

collector.complianceImagePullPolicy

Image pull policy for the Compliance container.

collector.disableTaintTolerations

If you specify false, tolerations are applied to Collector, and the collector pods can schedule onto all nodes with taints. If you specify it as true, no tolerations are applied, and the collector pods are not scheduled onto nodes with taints.

collector.resources.requests.memory

The memory request for the Collector container. Use this parameter to override the default value.

collector.resources.requests.cpu

The CPU request for the Collector container. Use this parameter to override the default value.

collector.resources.limits.memory

The memory limit for the Collector container. Use this parameter to override the default value.

collector.resources.limits.cpu

The CPU limit for the Collector container. Use this parameter to override the default value.

collector.complianceResources.requests.memory

The memory request for the Compliance container. Use this parameter to override the default value.

collector.complianceResources.requests.cpu

The CPU request for the Compliance container. Use this parameter to override the default value.

collector.complianceResources.limits.memory

The memory limit for the Compliance container. Use this parameter to override the default value.

collector.complianceResources.limits.cpu

The CPU limit for the Compliance container. Use this parameter to override the default value.

collector.serviceTLS.cert

The internal service-to-service TLS certificate that Collector uses.

collector.serviceTLS.key

The internal service-to-service TLS certificate key that Collector uses.

admissionControl.listenOnCreates

This setting controls whether Kubernetes is configured to contact Red Hat Advanced Cluster Security for Kubernetes with AdmissionReview requests for workload creation events.

admissionControl.listenOnUpdates

When you set this parameter as false, Red Hat Advanced Cluster Security for Kubernetes creates the ValidatingWebhookConfiguration in a way that causes the Kubernetes API server not to send object update events. Since the volume of object updates is usually higher than the object creates, leaving this as false limits the load on the admission control service and decreases the chances of a malfunctioning admission control service.

admissionControl.listenOnEvents

This setting controls whether the cluster is configured to contact Red Hat Advanced Cluster Security for Kubernetes with AdmissionReview requests for Kubernetes exec and portforward events. Red Hat Advanced Cluster Security for Kubernetes does not support this feature on OpenShift Container Platform 3.11. For more information, see Red Hat Advanced Cluster Security for Kubernetes Support Policy.

admissionControl.dynamic.enforceOnCreates

This setting controls whether Red Hat Advanced Cluster Security for Kubernetes evaluates policies; if it is disabled, all AdmissionReview requests are automatically accepted.

admissionControl.dynamic.enforceOnUpdates

This setting controls the behavior of the admission control service. You must specify listenOnUpdates as true for this to work.

admissionControl.dynamic.scanInline

If you set this option to true, the admission control service requests an image scan before making an admission decision. Since image scans take several seconds, enable this option only if you can ensure that all images used in your cluster are scanned before deployment (for example, by a CI integration during image build). This option corresponds to the Contact image scanners option in the RHACS Portal.

admissionControl.dynamic.disableBypass

Set it to true to disable bypassing the Admission controller.

admissionControl.dynamic.timeout

The maximum time, in seconds, Red Hat Advanced Cluster Security for Kubernetes should wait while evaluating admission review requests. Use this to set request timeouts when you enable image scanning. If the image scan runs longer than the specified time, Red Hat Advanced Cluster Security for Kubernetes accepts the request.

admissionControl.resources.requests.memory

The memory request for the Admission Control container. Use this parameter to override the default value.

admissionControl.resources.requests.cpu

The CPU request for the Admission Control container. Use this parameter to override the default value.

admissionControl.resources.limits.memory

The memory limit for the Admission Control container. Use this parameter to override the default value.

admissionControl.resources.limits.cpu

The CPU limit for the Admission Control container. Use this parameter to override the default value.

admissionControl.nodeSelector

Specify a node selector label as label-key: label-value to force Admission Control to only schedule on nodes with the specified label.

admissionControl.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Admission Control. This parameter is mainly used for infrastructure nodes.

admissionControl.serviceTLS.cert

The internal service-to-service TLS certificate that Admission Control uses.

admissionControl.serviceTLS.key

The internal service-to-service TLS certificate key that Admission Control uses.

registryOverride

Use this parameter to override the default docker.io registry. Specify the name of your registry if you are using some other registry.

collector.disableTaintTolerations

If you specify false, tolerations are applied to Collector, and the Collector pods can schedule onto all nodes with taints. If you specify it as true, no tolerations are applied, and the Collector pods are not scheduled onto nodes with taints.

createUpgraderServiceAccount

Specify true to create the sensor-upgrader account. By default, Red Hat Advanced Cluster Security for Kubernetes creates a service account called sensor-upgrader in each secured cluster. This account is highly privileged but is only used during upgrades. If you do not create this account, you must complete future upgrades manually if the Sensor does not have enough permissions.

createSecrets

Specify false to skip the orchestrator secret creation for the Sensor, Collector, and Admission controller.

collector.slimMode

Specify true if you want to use a slim Collector image for deploying Collector. Using slim Collector images requires Central to provide the matching eBPF probe or kernel module. If you are running Red Hat Advanced Cluster Security for Kubernetes in offline mode, you must download a kernel support package from stackrox.io and upload it to Central for slim Collectors to function. Otherwise, you must ensure that Central can access the online probe repository hosted at https://collector-modules.stackrox.io/.

sensor.resources

Resource specification for Sensor.

admissionControl.resources

Resource specification for Admission controller.

collector.resources

Resource specification for Collector.

collector.complianceResources

Resource specification for Collector’s Compliance container.

exposeMonitoring

If you set this option to true, Red Hat Advanced Cluster Security for Kubernetes exposes Prometheus metrics endpoints on port number 9090 for the Sensor, Collector, and the Admission controller.

auditLogs.disableCollection

If you set this option to true, Red Hat Advanced Cluster Security for Kubernetes disables the audit log detection features used to detect access and modifications to configuration maps and secrets.

scanner.disable

If you set this option to false, Red Hat Advanced Cluster Security for Kubernetes deploys a Scanner-slim and Scanner DB in the secured cluster to allow scanning images on OpenShift Container Registry. Enabling Scanner-slim is supported on OpenShift Container Platform and Kubernetes secured clusters. Defaults to true.

scanner.dbTolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB.

scanner.replicas

Resource specification for Collector’s Compliance container.

scanner.logLevel

Setting this parameter allows you to modify the scanner log level. Use this option only for troubleshooting purposes.

scanner.autoscaling.disable

If you set this option to true, Red Hat Advanced Cluster Security for Kubernetes disables autoscaling on the Scanner deployment.

scanner.autoscaling.minReplicas

The minimum number of replicas for autoscaling. Defaults to 2.

scanner.autoscaling.maxReplicas

The maximum number of replicas for autoscaling. Defaults to 5.

scanner.nodeSelector

Specify a node selector label as label-key: label-value to force Scanner to only schedule on nodes with the specified label.

scanner.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner.

scanner.dbNodeSelector

Specify a node selector label as label-key: label-value to force Scanner DB to only schedule on nodes with the specified label.

scanner.dbTolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB.

scanner.resources.requests.memory

The memory request for the Scanner container. Use this parameter to override the default value.

scanner.resources.requests.cpu

The CPU request for the Scanner container. Use this parameter to override the default value.

scanner.resources.limits.memory

The memory limit for the Scanner container. Use this parameter to override the default value.

scanner.resources.limits.cpu

The CPU limit for the Scanner container. Use this parameter to override the default value.

scanner.dbResources.requests.memory

The memory request for the Scanner DB container. Use this parameter to override the default value.

scanner.dbResources.requests.cpu

The CPU request for the Scanner DB container. Use this parameter to override the default value.

scanner.dbResources.limits.memory

The memory limit for the Scanner DB container. Use this parameter to override the default value.

scanner.dbResources.limits.cpu

The CPU limit for the Scanner DB container. Use this parameter to override the default value.

monitoring.openshift.enabled

If you set this option to false, Red Hat Advanced Cluster Security for Kubernetes will not set up Red Hat OpenShift monitoring. Defaults to true on Red Hat OpenShift 4.

5.6.2.3.1.1. Environment variables
Copy link

You can specify environment variables for Sensor and Admission controller in the following format: 

customize:
  envVars:
    ENV_VAR1: "value1"
    ENV_VAR2: "value2"
Copy to Clipboard Toggle word wrap

The customize setting allows you to specify custom Kubernetes metadata (labels and annotations) for all objects created by this Helm chart and additional pod labels, pod annotations, and container environment variables for workloads.

The configuration is hierarchical, in the sense that metadata defined at a more generic scope (for example, for all objects) can be overridden by metadata defined at a narrower scope (for example, only for the Sensor deployment).

After you configure the values-public.yaml and values-private.yaml files, install the secured-cluster-services Helm chart to deploy the per-cluster and per-node components (Sensor, Admission controller, Collector, and Scanner-slim).

Important

To install Collector on systems that have Unified Extensible Firmware Interface (UEFI) and that have Secure Boot enabled, you must use eBPF probes because kernel modules are unsigned, and the UEFI firmware cannot load unsigned packages. Collector identifies Secure Boot status at the start and switches to eBPF probes if required.

Prerequisites

  • You must have generated an RHACS init bundle for your cluster.
  • You must have access to the Red Hat Container Registry and a pull secret for authentication. For information about downloading images from registry.redhat.io, see Red Hat Container Registry Authentication.
  • You must have the Central API Endpoint, including the address and the port number. You can view this information by choosing Advanced Cluster Security ACS Instances from the cloud console navigation menu, then clicking the ACS instance you created.

Procedure

  • Run the following command: 

    $ helm install -n stackrox \
  --create-namespace stackrox-secured-cluster-services rhacs/secured-cluster-services \
  -f <name_of_cluster_init_bundle.yaml> \
  -f <path_to_values_public.yaml> -f <path_to_values_private.yaml> \
    1 
    
  --set imagePullSecrets.username=<username> \
    2 
    
  --set imagePullSecrets.password=<password>
    3
    Copy to Clipboard Toggle word wrap
    1
    Use the -f option to specify the paths for your YAML configuration files.
    2
    Include the user name for your pull secret for Red Hat Container Registry authentication.
    3
    Include the password for your pull secret for Red Hat Container Registry authentication.
Note

To deploy secured-cluster-services Helm chart by using a continuous integration (CI) system, pass the init bundle YAML file as an environment variable to the helm install command: 

$ helm install ... -f <(echo "$INIT_BUNDLE_YAML_SECRET")
1
Copy to Clipboard Toggle word wrap
1
If you are using base64 encoded variables, use the helm install …​ -f <(echo "$INIT_BUNDLE_YAML_SECRET" | base64 --decode) command instead.

You can make changes to any configuration options after you have deployed the secured-cluster-services Helm chart.

Procedure

  1. Update the values-public.yaml and values-private.yaml configuration files with new values.

  2. Run the helm upgrade command and specify the configuration files using the -f option: 

    $ helm upgrade -n stackrox \
  stackrox-secured-cluster-services rhacs/secured-cluster-services \
  --reuse-values \
    1 
    
  -f <path_to_values_public.yaml> \
  -f <path_to_values_private.yaml>
    Copy to Clipboard Toggle word wrap
    1
    You must specify the --reuse-values parameter, otherwise the Helm upgrade command resets all previously configured settings.
    Note

    You can also specify configuration values using the --set or --set-file parameters. However, these options are not saved, and it requires you to manually specify all the options again whenever you make changes.

To install RHACS on secured clusters by using the CLI, perform the following steps:

  1. Install the roxctl CLI.
  2. Install Sensor.

5.6.3.1. Installing the roxctl CLI
Copy link

You must first download the binary. You can install roxctl on Linux, Windows, or macOS.

5.6.3.1.1. Installing the roxctl CLI on Linux
Copy link

You can install the roxctl CLI binary on Linux by using the following procedure.

Procedure

  1. Download the latest version of the roxctl CLI: 

    $ curl -O https://mirror.openshift.com/pub/rhacs/assets/4.2.5/bin/Linux/roxctl
    Copy to Clipboard Toggle word wrap

  2. Make the roxctl binary executable: 

    $ chmod +x roxctl
    Copy to Clipboard Toggle word wrap

  3. Place the roxctl binary in a directory that is on your PATH:

    To check your PATH, execute the following command: 

    $ echo $PATH
    Copy to Clipboard Toggle word wrap

Verification

  • Verify the roxctl version you have installed: 

    $ roxctl version
    Copy to Clipboard Toggle word wrap
5.6.3.1.2. Installing the roxctl CLI on macOS
Copy link

You can install the roxctl CLI binary on macOS by using the following procedure.

Procedure

  1. Download the latest version of the roxctl CLI: 

    $ curl -O https://mirror.openshift.com/pub/rhacs/assets/4.2.5/bin/Darwin/roxctl
    Copy to Clipboard Toggle word wrap

  2. Remove all extended attributes from the binary: 

    $ xattr -c roxctl
    Copy to Clipboard Toggle word wrap

  3. Make the roxctl binary executable: 

    $ chmod +x roxctl
    Copy to Clipboard Toggle word wrap

  4. Place the roxctl binary in a directory that is on your PATH:

    To check your PATH, execute the following command: 

    $ echo $PATH
    Copy to Clipboard Toggle word wrap

Verification

  • Verify the roxctl version you have installed: 

    $ roxctl version
    Copy to Clipboard Toggle word wrap
5.6.3.1.3. Installing the roxctl CLI on Windows
Copy link

You can install the roxctl CLI binary on Windows by using the following procedure.

Procedure

  • Download the latest version of the roxctl CLI: 

    $ curl -O https://mirror.openshift.com/pub/rhacs/assets/4.2.5/bin/Windows/roxctl.exe
    Copy to Clipboard Toggle word wrap

Verification

  • Verify the roxctl version you have installed: 

    $ roxctl version
    Copy to Clipboard Toggle word wrap

5.6.3.2. Installing Sensor
Copy link

To monitor a cluster, you must deploy Sensor. You must deploy Sensor into each cluster that you want to monitor. The following steps describe adding Sensor by using the RHACS portal.

Prerequisites

  • You must have already installed Central services, or you can access Central services by selecting your ACS instance on Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service).

Procedure

  1. On your secured cluster, in the RHACS portal, navigate to Platform Configuration Clusters.
  2. Select + New Cluster.
  3. Specify a name for the cluster.

  4. Provide appropriate values for the fields based on where you are deploying the Sensor.

    • Enter the Central API Endpoint, including the address and the port number. You can view this information again in the Red Hat Hybrid Cloud Console by choosing Advanced Cluster Security ACS Instances, and then clicking the ACS instance you created.
  5. Click Next to continue with the Sensor setup.

  6. Click Download YAML File and Keys to download the cluster bundle (zip archive).

    Important

    The cluster bundle zip archive includes unique configurations and keys for each cluster. Do not reuse the same files in another cluster.

  7. From a system that has access to the monitored cluster, unzip and run the sensor script from the cluster bundle: 

    $ unzip -d sensor sensor-<cluster_name>.zip
    Copy to Clipboard Toggle word wrap 
    $ ./sensor/sensor.sh
    Copy to Clipboard Toggle word wrap

    If you get a warning that you do not have the required permissions to deploy Sensor, follow the on-screen instructions, or contact your cluster administrator for assistance.

After Sensor is deployed, it contacts Central and provides cluster information.

Verification

  1. Return to the RHACS portal and check if the deployment is successful. If successful, when viewing your list of clusters in Platform Configuration Clusters, the cluster status displays a green checkmark and a Healthy status. If you do not see a green checkmark, use the following command to check for problems:

    • On OpenShift Container Platform, enter the following command: 

      $ oc get pod -n stackrox -w
      Copy to Clipboard Toggle word wrap

    • On Kubernetes, enter the following command: 

      $ kubectl get pod -n stackrox -w
      Copy to Clipboard Toggle word wrap
  2. Click Finish to close the window.

After installation, Sensor starts reporting security information to RHACS and the RHACS portal dashboard begins showing deployments, images, and policy violations from the cluster on which you have installed the Sensor.

5.6.4. Next steps
Copy link

  • Verify installation by ensuring that your secured clusters can communicate with the ACS instance.

You must configure the proxy settings for secured cluster services within the Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service) environment to establish a connection between the Secured Cluster and the specified proxy server. This ensures reliable data collection and transmission.

To configure an egress proxy, you can either use the cluster-wide Red Hat OpenShift proxy or specify the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables within the SecuredCluster Custom Resource (CR) configuration file to ensure proper use of the proxy and bypass for internal requests within the specified domain.

The proxy configuration applies to all running services: Sensor, Collector, Admission Controller and Scanner.

Procedure

  • Specify the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables under the customize specification in the SecuredCluster CR configuration file:

    For example: 

    # proxy collector
customize:
  envVars:
    - name: HTTP_PROXY
      value: http://egress-proxy.stackrox.svc:xxxx
    1 
    
    - name: HTTPS_PROXY
      value: http://egress-proxy.stackrox.svc:xxxx
    2 
    
    - name: NO_PROXY
      value: .stackrox.svc
    3
    Copy to Clipboard Toggle word wrap
    1
    The variable HTTP_PROXY is set to the value http://egress-proxy.stackrox.svc:xxxx. This is the proxy server used for HTTP connections.
    2
    The variable HTTPS_PROXY is set to the value http://egress-proxy.stackrox.svc:xxxx. This is the proxy server used for HTTPS connections.
    3
    The variable NO _PROXY is set to .stackrox.svc. This variable is used to define the hostname or IP address that should not be accessed through the proxy server.

5.8. Verifying installation of secured clusters
Copy link

After installing RHACS Cloud Service, you can perform some steps to verify that the installation was successful.

To verify installation, access your ACS Console from the Red Hat Hybrid Cloud Console. The Dashboard displays the number of clusters that RHACS Cloud Service is monitoring, along with information about nodes, deployments, images, and violations.

If no data appears in the ACS Console:

  • Ensure that at least one secured cluster is connected to your RHACS Cloud Service instance. For more information, see Installing secured cluster resources from RHACS Cloud Service.
  • Examine your Sensor pod logs to ensure that the connection to your RHACS Cloud Service instance is successful.
  • In the Red Hat OpenShift cluster, navigate to Platform Configuration Clusters to verify that the components are healthy and view additional operational information.
  • Examine the values in the SecuredCluster API in the Operator on your local cluster to ensure that the Central API Endpoint has been entered correctly. This value should be the same value as shown in the ACS instance details in the Red Hat Hybrid Cloud Console.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat