Chapter 3. Managing secured clusters
To secure a Kubernetes or an OpenShift Container Platform cluster, you must deploy Red Hat Advanced Cluster Security for Kubernetes (RHACS) services into the cluster. You can generate the deployment files in the RHACS portal by navigating to the Platform Configuration view, or you can use the roxctl CLI.
3.1. Prerequisites
You have configured the ROX_ENDPOINT environment variable using the following command:
$ export ROX_ENDPOINT=<host:port> 1
- 1: The host and port information that you want to store in the ROX_ENDPOINT environment variable.
3.2. Generating Sensor deployment files
Generating files for Kubernetes systems
Procedure
Generate the required sensor configuration for your Kubernetes cluster and associate it with your Central instance by running the following command:
$ roxctl sensor generate k8s --name <cluster_name> --central "$ROX_ENDPOINT"
Generating files for OpenShift Container Platform systems
Procedure
Generate the required sensor configuration for your OpenShift Container Platform cluster and associate it with your Central instance by running the following command:
$ roxctl sensor generate openshift --openshift-version <ocp_version> --name <cluster_name> --central "$ROX_ENDPOINT" 1
- 1: For the --openshift-version option, specify the major OpenShift Container Platform version number for your cluster. For example, specify 3 for OpenShift Container Platform version 3.x and specify 4 for OpenShift Container Platform version 4.x.
Read the --help output to see other options that you might need to use depending on your system architecture.
Verify that the endpoint you provide for --central can be reached from the cluster where you are deploying Red Hat Advanced Cluster Security for Kubernetes services.
Important: If you are using a non-gRPC capable load balancer, such as HAProxy, AWS Application Load Balancer (ALB), or AWS Elastic Load Balancing (ELB), follow these guidelines:
- Use the WebSocket Secure (wss) protocol. To use wss, prefix the address with wss:// and add the port number after the address, for example:
$ roxctl sensor generate k8s --central wss://stackrox-central.example.com:443
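A small POSIX shell wrapper, added here as an example and not part of the RHACS documentation or of roxctl, that assembles the roxctl sensor generate command from the steps above and enforces the two constraints the procedure states: a wss:// address used for a non-gRPC load balancer must carry an explicit port, and --openshift-version takes the major version 3 or 4. The function names validate_central and sensor_generate_cmd are hypothetical, and the command is printed for review rather than executed.

```shell
#!/bin/sh
# Hypothetical helpers (not from roxctl) around "roxctl sensor generate".

# validate_central ENDPOINT
# Accepts host:port, or wss://host:port when Central sits behind a
# non-gRPC load balancer (HAProxy, ALB, ELB). Fails when a wss:// address
# has no port, which is the mistake the procedure above warns about.
validate_central() {
  ep="$1"
  case "$ep" in
    wss://*)
      hostport="${ep#wss://}"
      case "$hostport" in
        *:[0-9]*) return 0 ;;
        *) echo "wss:// endpoint needs an explicit port, e.g. wss://host:443" >&2
           return 1 ;;
      esac ;;
    *:[0-9]*) return 0 ;;
    *) echo "endpoint must be host:port" >&2; return 1 ;;
  esac
}

# sensor_generate_cmd PLATFORM CLUSTER_NAME CENTRAL [OCP_MAJOR_VERSION]
# PLATFORM is k8s or openshift. Prints the command so it can be reviewed
# (and the --central endpoint reachability-checked) before it is run.
sensor_generate_cmd() {
  platform="$1"; name="$2"; central="$3"; ocp="$4"
  validate_central "$central" || return 1
  case "$platform" in
    k8s)
      printf 'roxctl sensor generate k8s --name %s --central %s\n' \
        "$name" "$central" ;;
    openshift)
      # The option takes the major version only: 3 for 3.x, 4 for 4.x.
      case "$ocp" in
        3|4) ;;
        *) echo "--openshift-version must be 3 or 4 (major version)" >&2
           return 1 ;;
      esac
      printf 'roxctl sensor generate openshift --openshift-version %s --name %s --central %s\n' \
        "$ocp" "$name" "$central" ;;
    *) echo "platform must be k8s or openshift" >&2; return 1 ;;
  esac
}
```

Run the printed command once you have confirmed the endpoint is reachable from the target cluster; the values above (cluster names, hostnames) are placeholders.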
3.3. Installing Sensor by using the sensor.sh script
When you generate the Sensor deployment files, roxctl creates a directory called sensor-<cluster_name> in your working directory. The script to install Sensor is located in this directory.
Procedure
Run the sensor installation script to install Sensor:
$ ./sensor-<cluster_name>/sensor.sh
If you get a warning that you do not have the required permissions to install Sensor, follow the on-screen instructions, or contact your cluster administrator for help.
3.4. Downloading Sensor bundles for existing clusters
Procedure
Run the following command to download Sensor bundles for existing clusters by specifying a cluster name or ID:
$ roxctl sensor get-bundle <cluster_name_or_id>
3.5. Deleting cluster integration
Procedure
Before deleting the cluster, ensure you have the correct cluster name that you want to remove from Central:
$ roxctl cluster delete --name=<cluster_name>
Important: Deleting the cluster integration does not remove the RHACS services running in the cluster, depending on the installation method. You can remove the services by running the delete-sensor.sh script from the Sensor installation bundle.