Chapter 3. Managing secured clusters
To secure a Kubernetes or an OpenShift Container Platform cluster, you must deploy Red Hat Advanced Cluster Security for Kubernetes (RHACS) services into the cluster. You can generate deployment files in the RHACS portal by navigating to the Platform Configuration → Clusters view, or you can use the roxctl CLI.
3.1. Prerequisites
You have configured the ROX_ENDPOINT environment variable using the following command:
$ export ROX_ENDPOINT=<host:port>
Replace <host:port> with the host and port information that you want to store in the ROX_ENDPOINT environment variable.
3.2. Generating Sensor deployment files
Generating files for Kubernetes systems
Procedure
Generate the required sensor configuration for your Kubernetes cluster and associate it with your Central instance by running the following command:
$ roxctl sensor generate k8s --name <cluster_name> --central "$ROX_ENDPOINT"
Generating files for OpenShift Container Platform systems
Procedure
Generate the required sensor configuration for your OpenShift Container Platform cluster and associate it with your Central instance by running the following command:
$ roxctl sensor generate openshift --openshift-version <ocp_version> --name <cluster_name> --central "$ROX_ENDPOINT"
For the --openshift-version option, specify the major OpenShift Container Platform version number for your cluster. For example, specify 3 for OpenShift Container Platform version 3.x and specify 4 for OpenShift Container Platform version 4.x.
Read the --help output to see other options that you might need to use depending on your system architecture.
Verify that the endpoint you provide for --central can be reached from the cluster where you are deploying Red Hat Advanced Cluster Security for Kubernetes services.
Important
If you are using a non-gRPC capable load balancer, such as HAProxy, AWS Application Load Balancer (ALB), or AWS Elastic Load Balancing (ELB), follow these guidelines:
- Use the WebSocket Secure (wss) protocol. To use wss, prefix the address with wss://, and add the port number after the address, for example:
$ roxctl sensor generate k8s --central wss://stackrox-central.example.com:443
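The commands above depend on a correctly formed Central address. The following shell script is an added example, not part of the RHACS documentation or of roxctl itself: it assembles the roxctl sensor generate command line from the rules this section states (a host:port endpoint without a scheme, a wss:// prefix with an explicit port for non-gRPC load balancers, and an --openshift-version of 3 or 4), so the arguments can be reviewed before anything contacts Central. The function names and the example.com endpoint are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the RHACS docs or roxctl: assemble the
# "roxctl sensor generate" command line from the rules stated in this
# section, so the arguments can be reviewed before contacting Central.

# central_address HOST_PORT [nongrpc]
# Prints the value for --central. ROX_ENDPOINT must be host:port with
# no scheme; with "nongrpc" (HAProxy, ALB, ELB in front of Central)
# the address is prefixed with wss:// and the port stays explicit.
central_address() {
    ca_endpoint="$1"; ca_lb="${2:-grpc}"
    case "$ca_endpoint" in
        *://*) echo "use host:port without a scheme: $ca_endpoint" >&2; return 1 ;;
        *:[0-9]*) ;;
        *) echo "endpoint needs a port (host:port): $ca_endpoint" >&2; return 1 ;;
    esac
    if [ "$ca_lb" = nongrpc ]; then
        printf 'wss://%s\n' "$ca_endpoint"
    else
        printf '%s\n' "$ca_endpoint"
    fi
}

# sensor_generate_cmd PLATFORM CLUSTER_NAME CENTRAL [OCP_MAJOR]
# Prints the command for k8s or openshift; the OpenShift major version
# must be 3 or 4, as the --openshift-version note requires.
sensor_generate_cmd() {
    sg_platform="$1"; sg_name="$2"; sg_central="$3"; sg_ocp="${4:-}"
    [ -n "$sg_name" ] || { echo "cluster name is required" >&2; return 1; }
    case "$sg_platform" in
        k8s)
            printf 'roxctl sensor generate k8s --name %s --central %s\n' \
                "$sg_name" "$sg_central" ;;
        openshift)
            case "$sg_ocp" in
                3|4) ;;
                *) echo "--openshift-version must be 3 or 4, got '$sg_ocp'" >&2; return 1 ;;
            esac
            printf 'roxctl sensor generate openshift --openshift-version %s --name %s --central %s\n' \
                "$sg_ocp" "$sg_name" "$sg_central" ;;
        *) echo "platform must be k8s or openshift" >&2; return 1 ;;
    esac
}

# Constructed sample endpoint (not a real Central); ROX_ENDPOINT is the
# variable the prerequisites section asks you to export.
ROX_ENDPOINT="stackrox-central.example.com:443"
sensor_generate_cmd k8s prod-east "$(central_address "$ROX_ENDPOINT")"
sensor_generate_cmd openshift ocp-west "$(central_address "$ROX_ENDPOINT" nongrpc)" 4
```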
3.3. Installing Sensor by using the sensor.sh script
When you generate the Sensor deployment files, roxctl creates a directory called sensor-<cluster_name> in your working directory. The script to install Sensor is located in this directory.
Procedure
Run the sensor installation script to install Sensor:
$ ./sensor-<cluster_name>/sensor.sh
If you get a warning that you do not have the required permissions to install Sensor, follow the on-screen instructions, or contact your cluster administrator for help.
3.4. Downloading Sensor bundles for existing clusters
Procedure
Run the following command to download Sensor bundles for existing clusters by specifying a cluster name or ID:
$ roxctl sensor get-bundle <cluster_name_or_id>
3.5. Deleting cluster integration
Procedure
Before deleting the cluster, ensure you have the correct cluster name that you want to remove from Central:
$ roxctl cluster delete --name=<cluster_name>
Important
Deleting the cluster integration does not remove the RHACS services running in the cluster, depending on the installation method. You can remove the services by running the delete-sensor.sh script from the Sensor installation bundle.