Search

Chapter 3. Managing secured clusters

download PDF

To secure a Kubernetes or an OpenShift Container Platform cluster, you must deploy Red Hat Advanced Cluster Security for Kubernetes (RHACS) services into the cluster. You can generate deployment files in the RHACS portal by navigating to the Platform Configuration Clusters view, or you can use the roxctl CLI.

3.1. Prerequisites

  • You have configured the ROX_ENDPOINT environment variable using the following command:

    $ export ROX_ENDPOINT=<host:port> 1
    1
    The host and port information that you want to store in the ROX_ENDPOINT environment variable.

3.2. Generating Sensor deployment files

Generating files for Kubernetes systems

Procedure

  • Generate the required sensor configuration for your Kubernetes cluster and associate it with your Central instance by running the following command:

    $ roxctl sensor generate k8s --name <cluster_name> --central "$ROX_ENDPOINT"

Generating files for OpenShift Container Platform systems

Procedure

  • Generate the required sensor configuration for your OpenShift Container Platform cluster and associate it with your Central instance by running the following command:

    $ roxctl sensor generate openshift --openshift-version <ocp_version> --name <cluster_name> --central "$ROX_ENDPOINT" 1
    1
    For the --openshift-version option, specify the major OpenShift Container Platform version number for your cluster. For example, specify 3 for OpenShift Container Platform version 3.x and specify 4 for OpenShift Container Platform version 4.x.

    Read the --help output to see other options that you might need to use depending on your system architecture.

    Verify that the endpoint you provide for --central can be reached from the cluster where you are deploying Red Hat Advanced Cluster Security for Kubernetes services.

    Important

    If you are using a non-gRPC capable load balancer, such as HAProxy, AWS Application Load Balancer (ALB), or AWS Elastic Load Balancing (ELB), follow these guidelines:

    • Use the WebSocket Secure (wss) protocol. To use wss, prefix the address with wss://, and
    • Add the port number after the address, for example:

      $ roxctl sensor generate k8s --central wss://stackrox-central.example.com:443

3.3. Installing Sensor by using the sensor.sh script

When you generate the Sensor deployment files, roxctl creates a directory called sensor-<cluster_name> in your working directory. The script to install Sensor is located in this directory.

Procedure

  • Run the sensor installation script to install Sensor:

    $ ./sensor-<cluster_name>/sensor.sh

    If you get a warning that you do not have the required permissions to install Sensor, follow the on-screen instructions, or contact your cluster administrator for help.

3.4. Downloading Sensor bundles for existing clusters

Procedure

  • Run the following command to download Sensor bundles for existing clusters by specifying a cluster name or ID:

    $ roxctl sensor get-bundle <cluster_name_or_id>

3.5. Deleting cluster integration

Procedure

  • Before deleting the cluster, ensure you have the correct cluster name that you want to remove from Central:

    $ roxctl cluster delete --name=<cluster_name>
    Important

    Deleting the cluster integration does not remove the RHACS services running in the cluster, depending on the installation method. You can remove the services by running the delete-sensor.sh script from the Sensor installation bundle.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.