Chapter 5. Default resource requirements for Red Hat Advanced Cluster Security Cloud Service
5.1. General requirements for RHACS Cloud Service
Before you can install Red Hat Advanced Cluster Security Cloud Service, your system must meet several requirements.
You must not install RHACS Cloud Service on:
- Amazon Elastic File System (Amazon EFS). Use the Amazon Elastic Block Store (Amazon EBS) with the default gp2 volume type instead.
- Older CPUs that do not have the Streaming SIMD Extensions (SSE) 4.2 instruction set. For example, Intel processors older than Sandy Bridge and AMD processors older than Bulldozer. These processors were released in 2011.
To install RHACS Cloud Service, you must have one of the following systems:
- OpenShift Container Platform version 4.12 or later, and cluster nodes with a supported operating system of Red Hat Enterprise Linux CoreOS (RHCOS) or Red Hat Enterprise Linux (RHEL)
- A supported managed Kubernetes platform, and cluster nodes with a supported operating system of Amazon Linux, CentOS, Container-Optimized OS from Google, Red Hat Enterprise Linux CoreOS (RHCOS), Debian, Red Hat Enterprise Linux (RHEL), or Ubuntu
For information about supported platforms and architecture, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix.
The following minimum requirements and suggestions apply to cluster nodes.
- Architecture
Supported architectures are amd64, ppc64le, or s390x.
Note: Secured cluster services are supported on IBM Power (ppc64le), IBM Z (s390x), and IBM® LinuxONE (s390x) clusters.
- Processor
3 CPU cores are required.
- Memory
6 GiB of RAM is required.
Note: See the default memory and CPU requirements for each component and ensure that the node size can support them.
- Storage
For RHACS Cloud Service, a persistent volume claim (PVC) is not required. However, a PVC is strongly recommended if you have secured clusters with Scanner V4 enabled. Use Solid-State Drives (SSDs) for best performance. However, you can use another storage type if you do not have SSDs available.
Important: You must not use Ceph FS storage with RHACS Cloud Service. Red Hat recommends using RBD block mode PVCs for RHACS Cloud Service.
If you plan to install RHACS Cloud Service by using Helm charts, you must meet the following requirements:
- You must have Helm command-line interface (CLI) v3.2 or newer if you are installing or configuring RHACS Cloud Service using Helm charts. Use the helm version command to verify the version of Helm you have installed.
- You must have access to the Red Hat Container Registry. For information about downloading images from registry.redhat.io, see Red Hat Container Registry Authentication.
5.2. Secured cluster services
Secured cluster services contain the following components:
- Sensor
- Admission controller
- Collector
- Scanner (optional)
- Scanner V4 (optional)
If you use a web proxy or firewall, you must ensure that secured clusters and Central can communicate on HTTPS port 443.
5.2.1. Sensor
Sensor monitors your Kubernetes and OpenShift Container Platform clusters. Sensor currently runs as a single deployment, which handles interactions with the Kubernetes API and coordinates with the other Red Hat Advanced Cluster Security for Kubernetes components.
CPU and memory requirements
The following table lists the minimum CPU and memory values required to install and run Sensor on secured clusters.
Sensor | CPU | Memory |
---|---|---|
Request | 2 cores | 4 GiB |
Limit | 4 cores | 8 GiB |
5.2.2. Admission controller
The Admission controller prevents users from creating workloads that violate policies you configure.
CPU and memory requirements
By default, the admission control service runs 3 replicas. The following table lists the requests and limits for each replica.
Admission controller | CPU | Memory |
---|---|---|
Request | 0.05 cores | 100 MiB |
Limit | 0.5 cores | 500 MiB |
5.2.3. Collector
Collector monitors runtime activity on each node in your secured clusters as a DaemonSet. It connects to Sensor to report this information. The collector pod has three containers. The first container is collector, which monitors and reports the runtime activity on the node. The other two are compliance and node-inventory.
Collection requirements
To use the CORE_BPF collection method, the base kernel must support BTF, and the BTF file must be available to Collector. In general, the kernel version must be later than 5.8 (4.18 for RHEL nodes) and the CONFIG_DEBUG_INFO_BTF configuration option must be set.
Collector looks for the BTF file in the standard locations shown in the following list:
Example 5.1. BTF file locations
/sys/kernel/btf/vmlinux
/boot/vmlinux-<kernel-version>
/lib/modules/<kernel-version>/vmlinux-<kernel-version>
/lib/modules/<kernel-version>/build/vmlinux
/usr/lib/modules/<kernel-version>/kernel/vmlinux
/usr/lib/debug/boot/vmlinux-<kernel-version>
/usr/lib/debug/boot/vmlinux-<kernel-version>.debug
/usr/lib/debug/lib/modules/<kernel-version>/vmlinux
If any of these files exists, it is likely that the kernel has BTF support and CORE_BPF is configurable.
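The three CORE_BPF preconditions above (kernel version, CONFIG_DEBUG_INFO_BTF, and a BTF file in one of the standard locations) can be checked on a node before Collector is deployed. The following POSIX shell script is an added example; it is not part of the Red Hat documentation or of the Collector code. It assumes that the minimum kernel versions are inclusive, that a RHEL node is recognized by the ID field of /etc/os-release, that the kernel configuration is readable from /boot/config-<kernel-version> or /proc/config.gz, and that the script file name core-bpf-preflight.sh is hypothetical. The optional root-prefix argument only redirects the lookups into another directory tree so the checks can be exercised against a constructed filesystem.

```shell
#!/bin/sh
# Added example, not part of the RHACS documentation or the Collector code.
# Pre-flight check that a node satisfies the CORE_BPF collection requirements:
# kernel version, CONFIG_DEBUG_INFO_BTF, and a BTF file in a standard location.
# Assumptions: minimum versions are inclusive; RHEL is detected from the ID
# field of /etc/os-release; the kernel config is read from
# /boot/config-<kernel-version> or /proc/config.gz; the optional ROOT
# argument only redirects the lookups into another tree (used for testing).

# kernel_at_least VERSION MINIMUM: succeed if major.minor of VERSION
# (as printed by uname -r) is greater than or equal to MINIMUM (e.g. "5.8").
kernel_at_least() {
    v_major=${1%%.*}; rest=${1#*.}; v_minor=${rest%%.*}
    m_major=${2%%.*}; rest=${2#*.}; m_minor=${rest%%.*}
    [ "$v_major" -gt "$m_major" ] ||
        { [ "$v_major" -eq "$m_major" ] && [ "$v_minor" -ge "$m_minor" ]; }
}

# btf_config_enabled CONFIG_FILE: succeed if the kernel config (plain text, or
# gzip as in /proc/config.gz) contains CONFIG_DEBUG_INFO_BTF=y.
btf_config_enabled() {
    { case "$1" in *.gz) zcat "$1" ;; *) cat "$1" ;; esac; } 2>/dev/null |
        grep -q '^CONFIG_DEBUG_INFO_BTF=y$'
}

# find_btf_file KERNEL_VERSION [ROOT]: print the first BTF file found among
# the standard locations listed in Example 5.1; fail if none exists.
find_btf_file() {
    kv=$1; root=${2:-}
    for f in \
        "$root/sys/kernel/btf/vmlinux" \
        "$root/boot/vmlinux-$kv" \
        "$root/lib/modules/$kv/vmlinux-$kv" \
        "$root/lib/modules/$kv/build/vmlinux" \
        "$root/usr/lib/modules/$kv/kernel/vmlinux" \
        "$root/usr/lib/debug/boot/vmlinux-$kv" \
        "$root/usr/lib/debug/boot/vmlinux-$kv.debug" \
        "$root/usr/lib/debug/lib/modules/$kv/vmlinux"
    do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# core_bpf_ready KERNEL_VERSION [ROOT]: run all three checks, report each
# result, and succeed only if every check passes.
core_bpf_ready() {
    kv=$1; root=${2:-}; status=0
    minimum=5.8
    # The documentation lowers the minimum to 4.18 on RHEL nodes.
    if grep -qs '^ID="*rhel"*$' "$root/etc/os-release"; then
        minimum=4.18
    fi
    if kernel_at_least "$kv" "$minimum"; then
        echo "ok: kernel $kv meets minimum $minimum"
    else
        echo "FAIL: kernel $kv is older than minimum $minimum"; status=1
    fi
    cfg="$root/boot/config-$kv"
    [ -f "$cfg" ] || cfg="$root/proc/config.gz"
    if btf_config_enabled "$cfg"; then
        echo "ok: CONFIG_DEBUG_INFO_BTF=y in $cfg"
    else
        echo "FAIL: CONFIG_DEBUG_INFO_BTF not set or $cfg unreadable"; status=1
    fi
    if btf=$(find_btf_file "$kv" "$root"); then
        echo "ok: BTF file $btf"
    else
        echo "FAIL: no BTF file in the standard locations"; status=1
    fi
    return $status
}

# Usage on a node (hypothetical file name): sh core-bpf-preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    core_bpf_ready "$(uname -r)"
fi
```

Run it on each node that will host Collector; a non-zero exit status means that CORE_BPF collection should not be expected to work there until the reported condition is fixed. The RHEL detection is deliberately narrow: the documentation names only RHEL nodes for the 4.18 exception, so any other distribution is held to 5.8.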
CPU and memory requirements
By default, the collector pod runs 3 containers. The following tables list the requests and limits for each container and the total for each collector pod.
Collector container
Type | CPU | Memory |
---|---|---|
Request | 0.06 cores | 320 MiB |
Limit | 0.9 cores | 1000 MiB |
Compliance container
Type | CPU | Memory |
---|---|---|
Request | 0.01 cores | 10 MiB |
Limit | 1 core | 2000 MiB |
Node-inventory container
Type | CPU | Memory |
---|---|---|
Request | 0.01 cores | 10 MiB |
Limit | 1 core | 500 MiB |
Total collector pod requirements
Type | CPU | Memory |
---|---|---|
Request | 0.07 cores | 340 MiB |
Limit | 2.75 cores | 3500 MiB |
5.2.4. Scanner
CPU and memory requirements
The requirements in this table are based on the default of 3 replicas.
StackRox Scanner | CPU | Memory |
---|---|---|
Request | 3 cores | 4500 MiB |
Limit | 6 cores | 12 GiB |
The StackRox Scanner requires Scanner DB (PostgreSQL 15) to store data. The following table lists the minimum CPU and memory values required to install and run Scanner DB.
Scanner DB | CPU | Memory |
---|---|---|
Request | 0.2 cores | 512 MiB |
Limit | 2 cores | 4 GiB |
5.2.5. Scanner V4
Scanner V4 is optional. If Scanner V4 is installed on secured clusters, the following requirements apply.
CPU, memory, and storage requirements
Scanner V4 Indexer
The requirements in this table are based on the default of 2 replicas.
Scanner V4 Indexer | CPU | Memory |
---|---|---|
Request | 2 cores | 3000 MiB |
Limit | 4 cores | 6 GiB |
Scanner V4 DB
Scanner V4 requires Scanner V4 DB (PostgreSQL 15) to store data. The following table lists the minimum CPU, memory, and storage values required to install and run Scanner V4 DB. For Scanner V4 DB, a PVC is not required, but it is strongly recommended because it ensures optimal performance.
Scanner V4 DB | CPU | Memory | Storage |
---|---|---|---|
Request | 0.2 cores | 2 GiB | 10 GiB |
Limit | 2 cores | 4 GiB | 10 GiB |