Chapter 10. Configuring a proxy for external network access
If your network configuration restricts outbound traffic through proxies, you can configure proxy settings in Red Hat Advanced Cluster Security for Kubernetes to route traffic through a proxy.
When you use a proxy with Red Hat Advanced Cluster Security for Kubernetes:
- All outgoing HTTP, HTTPS, and other TCP traffic from Central and Scanner goes through the proxy.
- Traffic between Central and Scanner does not go through the proxy.
- The proxy configuration does not affect the other Red Hat Advanced Cluster Security for Kubernetes components.
When you are not using the offline mode, and a Collector running in a secured cluster needs to download an additional eBPF probe at runtime:
- The collector attempts to download them by contacting Sensor.
- The Sensor then forwards this request to Central.
-
Central uses the proxy to locate the module or probe at
https://collector-modules.stackrox.io
.
10.1. Configuring a proxy on an existing deployment
To configure a proxy in an existing deployment, you must export the proxy-config
secret as a YAML file, update your proxy configuration in that file, and upload it as a secret.
If you have configured a global proxy on your OpenShift Container Platform cluster, the Operator Lifecycle Manager (OLM) automatically configures Operators that it manages with the cluster-wide proxy. However, you can also configure installed Operators to override the global proxy or inject a custom certificate authority (CA) certificate.
For more information, see Configuring proxy support in Operator Lifecycle Manager.
Procedure
Save the existing secret as a YAML file:
$ oc -n stackrox get secret proxy-config \ -o go-template='{{index .data "config.yaml" | \ base64decode}}{{"\n"}}' > /tmp/proxy-config.yaml
- Edit the fields you want to modify in the YAML configuration file, as specified in the Configure proxy during installation section.
After you save the changes, run the following command to replace the secret:
$ oc -n stackrox create secret generic proxy-config \ --from-file=config.yaml=/tmp/proxy-config.yaml -o yaml --dry-run | \ oc label -f - --local -o yaml app.kubernetes.io/name=stackrox | \ oc apply -f -
Important- You must wait for at least 1 minute, until OpenShift Container Platform propagates your changes to Central and Scanner.
- If you see any issues with outgoing connections after changing the proxy configuration, you must restart your Central and Scanner pods.
10.2. Configuring a proxy during installation
When you are installing Red Hat Advanced Cluster Security for Kubernetes by using the roxctl
command-line interface (CLI) or Helm, you can specify your proxy configuration during the installation.
When you run the installer by using the roxctl central generate
command, the installer generates the secrets and deployment configuration files for your environment. You can configure a proxy by editing the generated configuration secret (YAML) file. Currently, you cannot configure proxies by using the roxctl
CLI. The configuration is stored in a Kubernetes secret and it is shared by both Central and Scanner.
Procedure
Open the configuration file
central/proxy-config-secret.yaml
from your deployment bundle directory.NoteIf you are using Helm the configuration file is at
central/templates/proxy-config-secret.yaml
.Edit the fields you want to modify in the configuration file:
apiVersion: v1 kind: Secret metadata: namespace: stackrox name: proxy-config type: Opaque stringData: config.yaml: |- 1 # # NOTE: Both central and scanner should be restarted if this secret is changed. # # While it is possible that some components will pick up the new proxy configuration # # without a restart, it cannot be guaranteed that this will apply to every possible # # integration etc. # url: http://proxy.name:port 2 # username: username 3 # password: password 4 # # If the following value is set to true, the proxy wil NOT be excluded for the default hosts: # # - *.stackrox, *.stackrox.svc # # - localhost, localhost.localdomain, 127.0.0.0/8, ::1 # # - *.local # omitDefaultExcludes: false # excludes: # hostnames (may include * components) for which you do not 5 # # want to use a proxy, like in-cluster repositories. # - some.domain # # The following configuration sections allow specifying a different proxy to be used for HTTP(S) connections. # # If they are omitted, the above configuration is used for HTTP(S) connections as well as TCP connections. # # If only the `http` section is given, it will be used for HTTPS connections as well. # # Note: in most cases, a single, global proxy configuration is sufficient. # http: # url: http://http-proxy.name:port 6 # username: username 7 # password: password 8 # https: # url: http://https-proxy.name:port 9 # username: username 10 # password: password 11
- 3 4 7 8 10 11
- Adding a
username
and apassword
is optional, both at the beginning and in thehttp
andhttps
sections. - 2 6 9
- The
url
option supports the following URL schemes:-
http://
for an HTTP proxy. -
https://
for a TLS-enabled HTTP proxy. -
socks5://
for a SOCKS5 proxy.
-
- 5
- The
excludes
list can contain DNS names (with or without*
wildcards), IP addresses, or IP blocks in CIDR notation (for example,10.0.0.0/8
). The values in this list are applied to all outgoing connections, regardless of protocol. - 1
- The
|-
line in thestringData
section indicates the start of the configuration data.Note-
When you first open the file, all values are commented out (by using the
#
sign at the beginning of the line). Lines starting with double hash signs# #
contain explanation of the configuration keys. -
Make sure that when you edit the fields, you maintain an indentation level of two spaces relative to the
config.yaml: |-
line.
-
When you first open the file, all values are commented out (by using the
- After editing the configuration file, you can proceed with your usual installation. The updated configuration instructs Red Hat Advanced Cluster Security for Kubernetes to use the proxy running on the provided address and the port number.