Chapter 7. Setting up RHACS Cloud Service with Red Hat OpenShift secured clusters
7.1. Creating a RHACS Cloud instance on Red Hat Cloud
Access Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service) by selecting an instance in the Red Hat Hybrid Cloud Console. An ACS instance contains the RHACS Cloud Service management interface and services that Red Hat configures and manages for you. The management interface connects to your secured clusters, which contain the services that scan and collect information about vulnerabilities. One instance can connect to and monitor many clusters.
7.1.1. Creating an instance in the console
In the Red Hat Hybrid Cloud Console, create an ACS instance to connect to your secured clusters.
Procedure
To create an ACS instance:
- Log in to the Red Hat Hybrid Cloud Console.
-
From the navigation menu, select Advanced Cluster Security
ACS Instances. Select Create ACS instance and enter information into the displayed fields or select the appropriate option from the drop-down list:
- Name: Enter the name of your ACS instance. An ACS instance contains the RHACS Central component, also referred to as "Central", which includes the RHACS Cloud Service management interface and services that are configured and managed by Red Hat. You manage your secured clusters that communicate with Central. You can connect many secured clusters to one instance.
- Cloud provider: The cloud provider where Central is located. Select AWS.
Cloud region: The region for your cloud provider where Central is located. Select one of the following regions:
- US-East, N. Virginia
- Europe, Ireland
- Availability zones: Use the default value (Multi).
- Click Create instance.
7.1.2. Next steps
-
On each Red Hat OpenShift cluster you want to secure, create a project named
stackrox
. This project will contain the resources for RHACS Cloud Service secured clusters.
7.2. Creating a project on your Red Hat OpenShift secured cluster
Create a project on each Red Hat OpenShift cluster that you want to secure. You then use this project to install RHACS Cloud Service resources by using the Operator or Helm charts.
7.2.1. Creating a project on your cluster
Procedure
-
In your OpenShift Container Platform cluster, go to Home
Projects and create a project for RHACS Cloud Service. Use stackrox
as the project Name.
7.2.2. Next steps
- In the ACS Console, create an init bundle. The init bundle contains secrets that allow communication between RHACS Cloud Service secured clusters and the ACS Console.
7.3. Generating an init bundle for secured clusters
Before you install the SecuredCluster
resource on a cluster, you must create an init bundle. The cluster that has SecuredCluster
installed and configured then uses this bundle to authenticate with Central. You can create an init bundle by using either the RHACS portal or the roxctl
CLI. You then apply the init bundle by using it to create resources.
You must have the Admin
user role to create an init bundle.
7.3.1. Generating an init bundle
7.3.1.1. Generating an init bundle by using the RHACS portal
You can create an init bundle containing secrets by using the RHACS portal.
You must have the Admin
user role to create an init bundle.
Procedure
- Find the address of the RHACS portal as described in "Verifying Central installation using the Operator method".
- Log in to the RHACS portal.
-
If you do not have secured clusters, the Platform Configuration
Clusters page appears. - Click Create init bundle.
- Enter a name for the cluster init bundle.
- Select your platform.
- Select the installation method you will use for your secured clusters: Operator or Helm chart.
Click Download to generate and download the init bundle, which is created in the form of a YAML file. You can use one init bundle and its corresponding YAML file for all secured clusters if you are using the same installation method.
ImportantStore this bundle securely because it contains secrets.
- Apply the init bundle by using it to create resources on the secured cluster.
- Install secured cluster services on each cluster.
7.3.1.2. Generating an init bundle by using the roxctl CLI
You can create an init bundle with secrets by using the roxctl
CLI.
You must have the Admin
user role to create init bundles.
Prerequisites
You have configured the
ROX_API_TOKEN
and theROX_CENTRAL_ADDRESS
environment variables:Set the
ROX_API_TOKEN
by running the following command:$ export ROX_API_TOKEN=<api_token>
Set the
ROX_CENTRAL_ADDRESS
environment variable by running the following command:$ export ROX_CENTRAL_ADDRESS=<address>:<port_number>
In RHACS Cloud Service, when using roxctl
commands that require the Central address, use the Central instance address as displayed in the Instance Details section of the Red Hat Hybrid Cloud Console. For example, use acs-ABCD12345.acs.rhcloud.com
instead of acs-data-ABCD12345.acs.rhcloud.com
.
Procedure
To generate a cluster init bundle containing secrets for Helm installations, run the following command:
$ roxctl -e "$ROX_CENTRAL_ADDRESS" \ central init-bundles generate --output \ <cluster_init_bundle_name> cluster_init_bundle.yaml
To generate a cluster init bundle containing secrets for Operator installations, run the following command:
$ roxctl -e "$ROX_CENTRAL_ADDRESS" \ central init-bundles generate --output-secrets \ <cluster_init_bundle_name> cluster_init_bundle.yaml
ImportantEnsure that you store this bundle securely because it contains secrets. You can use the same bundle to set up multiple secured clusters.
7.3.2. Next steps
7.4. Applying an init bundle for secured clusters
Apply the init bundle by using it to create resources.
You must have the Admin
user role to apply an init bundle.
7.4.1. Applying the init bundle on the secured cluster
Before you configure a secured cluster, you must apply the init bundle by using it to create the required resources on the secured cluster. Applying the init bundle allows the services on the secured cluster to communicate with RHACS Cloud Service.
If you are installing by using Helm charts, do not perform this step. Complete the installation by using Helm; See "Installing RHACS on secured clusters by using Helm charts" in the additional resources section.
Prerequisites
- You must have generated an init bundle containing secrets.
-
You must have created the
stackrox
project, or namespace, on the cluster where secured cluster services will be installed. Usingstackrox
for the project is not required, but ensures that vulnerabilities for RHACS processes are not reported when scanning your clusters.
Procedure
To create resources, perform only one of the following steps:
-
Create resources using the OpenShift Container Platform web console: In the OpenShift Container Platform web console, make sure that you are in the
stackrox
namespace. In the top menu, click + to open the Import YAML page. You can drag the init bundle file or copy and paste its contents into the editor, and then click Create. When the command is complete, the display shows that thecollector-tls
,sensor-tls
, and admission-control-tls` resources were created. Create resources using the Red Hat OpenShift CLI: Using the Red Hat OpenShift CLI, run the following command to create the resources:
$ oc create -f <init_bundle>.yaml \1 -n <stackrox> 2
Verification
Restart Sensor to pick up the new certificates.
For more information about how to restart Sensor, see "Restarting the Sensor container" in the "Additional resources" section.
7.4.2. Next steps
- On each Red Hat OpenShift cluster, install the RHACS Operator.
- Install RHACS secured cluster services in all clusters that you want to monitor.
7.4.3. Additional resources
7.5. Installing the Operator
Install the RHACS Operator on your secured clusters.
7.5.1. Installing the RHACS Operator for RHACS Cloud Service
Using the OperatorHub provided with OpenShift Container Platform is the easiest way to install the RHACS Operator.
Prerequisites
- You have access to an OpenShift Container Platform cluster using an account with Operator installation permissions.
- You must be using OpenShift Container Platform 4.12 or later. For information about supported platforms and architecture, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix.
Procedure
-
In the web console, go to the Operators
OperatorHub page. - If Red Hat Advanced Cluster Security for Kubernetes is not displayed, enter Advanced Cluster Security into the Filter by keyword box to find the Red Hat Advanced Cluster Security for Kubernetes Operator.
- Select the Red Hat Advanced Cluster Security for Kubernetes Operator to view the details page.
- Read the information about the Operator, and then click Install.
On the Install Operator page:
- Keep the default value for Installation mode as All namespaces on the cluster.
- Select a specific namespace in which to install the Operator for the Installed namespace field. Install the Red Hat Advanced Cluster Security for Kubernetes Operator in the rhacs-operator namespace.
Select automatic or manual updates for Update approval.
If you select automatic updates, when a new version of the Operator is available, Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator.
If you select manual updates, when a newer version of the Operator is available, OLM creates an update request. As a cluster administrator, you must manually approve the update request to update the Operator to the latest version.
Red Hat recommends enabling automatic upgrades for Operator in RHACS Cloud Service. See the Red Hat Advanced Cluster Security for Kubernetes Support Matrix for more information.
- Click Install.
Verification
-
After the installation completes, go to Operators
Installed Operators to verify that the Red Hat Advanced Cluster Security for Kubernetes Operator is listed with the status of Succeeded.
7.5.2. Next steps
-
On each Red Hat OpenShift cluster, install secured cluster resources in the
stackrox
project.
7.6. Installing secured cluster resources from RHACS Cloud Service
You can install RHACS Cloud Service on your secured clusters by using the Operator or Helm charts. You can also use the roxctl
CLI to install it, but do not use this method unless you have a specific installation need that requires using it.
Prerequisites
- You have created your Red Hat OpenShift cluster and installed the Operator on it.
- In the ACS Console in RHACS Cloud Service, you have created and downloaded the init bundle.
-
You applied the init bundle by using the
oc create
command. -
During installation, you noted the Central API Endpoint address. You can view this information by choosing Advanced Cluster Security
ACS Instances from the cloud console navigation menu, and then clicking the ACS instance you created.
7.6.1. Installing RHACS on secured clusters by using the Operator
7.6.1.1. Installing secured cluster services
You can install Secured Cluster services on your clusters by using the Operator, which creates the SecuredCluster
custom resource. You must install the Secured Cluster services on every cluster in your environment that you want to monitor.
When you install Red Hat Advanced Cluster Security for Kubernetes:
-
If you are installing RHACS for the first time, you must first install the
Central
custom resource because theSecuredCluster
custom resource installation is dependent on certificates that Central generates. -
Do not install
SecuredCluster
in projects whose names start withkube
,openshift
, orredhat
, or in theistio-system
project. -
If you are installing RHACS
SecuredCluster
custom resource on a cluster that also hosts Central, ensure that you install it in the same namespace as Central. -
If you are installing Red Hat Advanced Cluster Security for Kubernetes
SecuredCluster
custom resource on a cluster that does not host Central, Red Hat recommends that you install the Red Hat Advanced Cluster Security for KubernetesSecuredCluster
custom resource in its own project and not in the project in which you have installed the Red Hat Advanced Cluster Security for Kubernetes Operator.
Prerequisites
- If you are using OpenShift Container Platform, you must install version 4.12 or later.
- You have installed the RHACS Operator on the cluster that you want to secure, called the secured cluster.
- You have generated an init bundle and applied it to the cluster.
Procedure
-
On the OpenShift Container Platform web console for the secured cluster, go to the Operators
Installed Operators page. - Click the RHACS Operator.
If you have installed the Operator in the recommended namespace, OpenShift Container Platform lists the project as
rhacs-operator
. Select Project: rhacs-operatorCreate project. Note-
If you installed the Operator in a different namespace, OpenShift Container Platform lists the name of that namespace instead of
rhacs-operator
.
-
If you installed the Operator in a different namespace, OpenShift Container Platform lists the name of that namespace instead of
-
Enter the new project name (for example,
stackrox
), and click Create. Red Hat recommends that you usestackrox
as the project name. - Click Secured Cluster from the central navigation menu in the Operator details page.
- Click Create SecuredCluster.
Select one of the following options in the Configure via field:
- Form view: Use this option if you want to use the on-screen fields to configure the secured cluster and do not need to change any other fields.
- YAML view: Use this view to set up the secured cluster by using the YAML file. The YAML file is displayed in the window and you can edit fields in it. If you select this option, when you are finished editing the file, click Create.
- If you are using Form view, enter the new project name by accepting or editing the default name. The default value is stackrox-secured-cluster-services.
- Optional: Add any labels for the cluster.
-
Enter a unique name for your
SecuredCluster
custom resource. For Central Endpoint, enter the address of your Central instance. For example, if Central is available at
https://central.example.com
, then specify the central endpoint ascentral.example.com
.-
For RHACS Cloud Service use the Central API Endpoint address. You can view this information by choosing Advanced Cluster Security
ACS Instances from the Red Hat Hybrid Cloud Console navigation menu, then clicking the RHACS instance you created. -
Use the default value of
central.stackrox.svc:443
only if you are installing secured cluster services in the same cluster where Central is installed. - Do not use the default value when you are configuring multiple clusters. Instead, use the hostname when configuring the Central Endpoint value for each cluster.
-
For RHACS Cloud Service use the Central API Endpoint address. You can view this information by choosing Advanced Cluster Security
- For the remaining fields, accept the default values or configure custom values if needed. For example, you might need to configure TLS if you are using custom certificates or untrusted CAs. See "Configuring Secured Cluster services options for RHACS using the Operator" for more information.
- Click Create.
After a brief pause, the SecuredClusters page displays the status of
stackrox-secured-cluster-services
. You might see the following conditions:- Conditions: Deployed, Initialized: The secured cluster services have been installed and the secured cluster is communicating with Central.
- Conditions: Initialized, Irreconcilable: The secured cluster is not communicating with Central. Make sure that you applied the init bundle you created in the RHACS web portal to the secured cluster.
Next steps
- Configure additional secured cluster settings (optional).
- Verify installation.
7.6.2. Installing RHACS Cloud Service on secured clusters by using Helm charts
You can install RHACS on secured clusters by using Helm charts with no customization, using the default values, or with customizations of configuration parameters.
First, ensure that you add the Helm chart repository.
7.6.2.1. Adding the Helm chart repository
Procedure
Add the RHACS charts repository.
$ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
The Helm repository for Red Hat Advanced Cluster Security for Kubernetes includes Helm charts for installing different components, including:
Central services Helm chart (
central-services
) for installing the centralized components (Central and Scanner).NoteYou deploy centralized components only once and you can monitor multiple separate clusters by using the same installation.
Secured Cluster Services Helm chart (
secured-cluster-services
) for installing the per-cluster and per-node components (Sensor, Admission Controller, Collector, and Scanner-slim).NoteDeploy the per-cluster components into each cluster that you want to monitor and deploy the per-node components in all nodes that you want to monitor.
Verification
Run the following command to verify the added chart repository:
$ helm search repo -l rhacs/
7.6.2.2. Installing RHACS Cloud Service on secured clusters by using Helm charts without customizations
7.6.2.2.1. Installing the secured-cluster-services Helm chart without customization
Use the following instructions to install the secured-cluster-services
Helm chart to deploy the per-cluster and per-node components (Sensor, Admission controller, Collector, and Scanner-slim).
Prerequisites
- You must have generated an RHACS init bundle for your cluster.
-
You must have access to the Red Hat Container Registry and a pull secret for authentication. For information about downloading images from
registry.redhat.io
, see Red Hat Container Registry Authentication. - You must have the address that you are exposing the Central service on.
Procedure
Run the following command on your Kubernetes based clusters:
$ helm install -n stackrox --create-namespace \ stackrox-secured-cluster-services rhacs/secured-cluster-services \ -f <path_to_cluster_init_bundle.yaml> \1 -f <path_to_pull_secret.yaml> \2 --set clusterName=<name_of_the_secured_cluster> \ --set centralEndpoint=<endpoint_of_central_service> 3 --set imagePullSecrets.username=<your redhat.com username> \4 --set imagePullSecrets.password=<your redhat.com password>5
- 1
- Use the
-f
option to specify the path for the init bundle. - 2
- Use the -f option to specify the path for the pull secret for Red Hat Container Registry authentication.
- 3
- Specify the address and port number for Central. For example,
acs.domain.com:443
. - 4
- Include the user name for your pull secret for Red Hat Container Registry authentication.
- 5
- Include the password for your pull secret for Red Hat Container Registry authentication.
Run the following command on OpenShift Container Platform clusters:
$ helm install -n stackrox --create-namespace \ stackrox-secured-cluster-services rhacs/secured-cluster-services \ -f <path_to_cluster_init_bundle.yaml> \1 -f <path_to_pull_secret.yaml> \2 --set clusterName=<name_of_the_secured_cluster> \ --set centralEndpoint=<endpoint_of_central_service> 3 --set scanner.disable=false 4
- 1
- Use the
-f
option to specify the path for the init bundle. - 2
- Use the -f option to specify the path for the pull secret for Red Hat Container Registry authentication.
- 3
- Specify the address and port number for Central. For example,
acs.domain.com:443
. - 4
- Set the value of the
scanner.disable
parameter tofalse
, which means that Scanner-slim will be enabled during the installation. In Kubernetes, the secured cluster services now include Scanner-slim as an optional component.
7.6.2.3. Configuring the secured-cluster-services Helm chart with customizations
You can use Helm chart configuration parameters with the helm install
and helm upgrade
commands. Specify these parameters by using the --set
option or by creating YAML configuration files.
Create the following files for configuring the Helm chart for installing Red Hat Advanced Cluster Security for Kubernetes:
-
Public configuration file
values-public.yaml
: Use this file to save all non-sensitive configuration options. -
Private configuration file
values-private.yaml
: Use this file to save all sensitive configuration options. Ensure that you store this file securely.
When using the secured-cluster-services
Helm chart, do not change the values.yaml
file that is part of the chart.
7.6.2.3.1. Configuration parameters
Parameter | Description |
---|---|
| Name of your cluster. |
|
Address of the Central endpoint. If you are using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with |
| Address of the Sensor endpoint including port number. |
| Image pull policy for the Sensor container. |
| The internal service-to-service TLS certificate that Sensor uses. |
| The internal service-to-service TLS certificate key that Sensor uses. |
| The memory request for the Sensor container. Use this parameter to override the default value. |
| The CPU request for the Sensor container. Use this parameter to override the default value. |
| The memory limit for the Sensor container. Use this parameter to override the default value. |
| The CPU limit for the Sensor container. Use this parameter to override the default value. |
|
Specify a node selector label as |
| If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Sensor. This parameter is mainly used for infrastructure nodes. |
|
The name of the |
| The name of the Collector image. |
| The address of the registry you are using for the main image. |
| The address of the registry you are using for the Collector image. |
| The address of the registry you are using for the Scanner image. |
| The address of the registry you are using for the Scanner DB image. |
| The address of the registry you are using for the Scanner V4 image. |
| The address of the registry you are using for the Scanner V4 DB image. |
|
Image pull policy for |
| Image pull policy for the Collector images. |
|
Tag of |
|
Tag of |
|
Either |
| Image pull policy for the Collector container. |
| Image pull policy for the Compliance container. |
|
If you specify |
| The memory request for the Collector container. Use this parameter to override the default value. |
| The CPU request for the Collector container. Use this parameter to override the default value. |
| The memory limit for the Collector container. Use this parameter to override the default value. |
| The CPU limit for the Collector container. Use this parameter to override the default value. |
| The memory request for the Compliance container. Use this parameter to override the default value. |
| The CPU request for the Compliance container. Use this parameter to override the default value. |
| The memory limit for the Compliance container. Use this parameter to override the default value. |
| The CPU limit for the Compliance container. Use this parameter to override the default value. |
| The internal service-to-service TLS certificate that Collector uses. |
| The internal service-to-service TLS certificate key that Collector uses. |
|
This setting controls whether Kubernetes is configured to contact Red Hat Advanced Cluster Security for Kubernetes with |
|
When you set this parameter as |
|
This setting controls whether the cluster is configured to contact Red Hat Advanced Cluster Security for Kubernetes with |
| This setting controls whether Red Hat Advanced Cluster Security for Kubernetes evaluates policies; if it is disabled, all AdmissionReview requests are automatically accepted. |
|
This setting controls the behavior of the admission control service. You must specify |
|
If you set this option to |
|
Set it to |
|
Use this parameter to specify the maximum number of seconds RHACS must wait for an admission review before marking it as fail open. If the admission webhook does not receive information that it is requesting before the end of the timeout period, it fails, but in fail open status, it still allows the operation to succeed. For example, the admission controller would allow a deployment to be created even if a scan had timed out and RHACS could not determine if the deployment violated a policy. Beginning in release 4.5, Red Hat reduced the default timeout setting for the RHACS admission controller webhooks from 20 seconds to 10 seconds, resulting in an effective timeout of 12 seconds within the |
| The memory request for the Admission Control container. Use this parameter to override the default value. |
| The CPU request for the Admission Control container. Use this parameter to override the default value. |
| The memory limit for the Admission Control container. Use this parameter to override the default value. |
| The CPU limit for the Admission Control container. Use this parameter to override the default value. |
|
Specify a node selector label as |
| If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Admission Control. This parameter is mainly used for infrastructure nodes. |
| The internal service-to-service TLS certificate that Admission Control uses. |
| The internal service-to-service TLS certificate key that Admission Control uses. |
|
Use this parameter to override the default |
|
If you specify |
|
Specify |
|
Specify |
|
Deprecated. Specify |
| Resource specification for Sensor. |
| Resource specification for Admission controller. |
| Resource specification for Collector. |
| Resource specification for Collector’s Compliance container. |
|
If you set this option to |
|
If you set this option to |
|
If you set this option to |
| If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB. |
| Resource specification for Collector’s Compliance container. |
| Setting this parameter allows you to modify the scanner log level. Use this option only for troubleshooting purposes. |
|
If you set this option to |
| The minimum number of replicas for autoscaling. Defaults to 2. |
| The maximum number of replicas for autoscaling. Defaults to 5. |
|
Specify a node selector label as |
| If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner. |
|
Specify a node selector label as |
| If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB. |
| The memory request for the Scanner container. Use this parameter to override the default value. |
| The CPU request for the Scanner container. Use this parameter to override the default value. |
| The memory limit for the Scanner container. Use this parameter to override the default value. |
| The CPU limit for the Scanner container. Use this parameter to override the default value. |
| The memory request for the Scanner DB container. Use this parameter to override the default value. |
| The CPU request for the Scanner DB container. Use this parameter to override the default value. |
| The memory limit for the Scanner DB container. Use this parameter to override the default value. |
| The CPU limit for the Scanner DB container. Use this parameter to override the default value. |
|
If you set this option to |
|
To provide security at the network level, RHACS creates default Warning Disabling creation of default network policies can break communication between RHACS components. If you disable creation of default policies, you must create your own network policies to allow this communication. |
7.6.2.3.1.1. Environment variables
You can specify environment variables for Sensor and Admission controller in the following format:
customize: envVars: ENV_VAR1: "value1" ENV_VAR2: "value2"
The customize
setting allows you to specify custom Kubernetes metadata (labels and annotations) for all objects created by this Helm chart and additional pod labels, pod annotations, and container environment variables for workloads.
The configuration is hierarchical, in the sense that metadata defined at a more generic scope (for example, for all objects) can be overridden by metadata defined at a narrower scope (for example, only for the Sensor deployment).
7.6.2.3.2. Installing the secured-cluster-services Helm chart with customizations
After you configure the values-public.yaml
and values-private.yaml
files, install the secured-cluster-services
Helm chart to deploy the following per-cluster and per-node components:
- Sensor
- Admission controller
- Collector
- Scanner: optional for secured clusters when the StackRox Scanner is installed
- Scanner DB: optional for secured clusters when the StackRox Scanner is installed
- Scanner V4 Indexer and Scanner V4 DB: optional for secured clusters when Scanner V4 is installed
Prerequisites
- You must have generated an RHACS init bundle for your cluster.
-
You must have access to the Red Hat Container Registry and a pull secret for authentication. For information about downloading images from
registry.redhat.io
, see Red Hat Container Registry Authentication. - You must have the address and the port number that you are exposing the Central service on.
Procedure
Run the following command:
$ helm install -n stackrox \ --create-namespace stackrox-secured-cluster-services rhacs/secured-cluster-services \ -f <name_of_cluster_init_bundle.yaml> \ -f <path_to_values_public.yaml> -f <path_to_values_private.yaml> \1 --set imagePullSecrets.username=<username> \2 --set imagePullSecrets.password=<password> 3
To deploy secured-cluster-services
Helm chart by using a continuous integration (CI) system, pass the init bundle YAML file as an environment variable to the helm install
command:
$ helm install ... -f <(echo "$INIT_BUNDLE_YAML_SECRET") 1
- 1
- If you are using base64 encoded variables, use the
helm install … -f <(echo "$INIT_BUNDLE_YAML_SECRET" | base64 --decode)
command instead.
7.6.2.4. Changing configuration options after deploying the secured-cluster-services Helm chart
You can make changes to any configuration options after you have deployed the secured-cluster-services
Helm chart.
When using the helm upgrade
command to make changes, the following guidelines and requirements apply:
-
You can also specify configuration values using the
--set
or--set-file
parameters. However, these options are not saved, and you must manually specify all the options again whenever you make changes. Some changes, such as enabling a new component like Scanner V4, require new certificates to be issued for the component. Therefore, you must provide a CA when making these changes.
-
If the CA was generated by the Helm chart during the initial installation, you must retrieve these automatically generated values from the cluster and provide them to the
helm upgrade
command. The post-installation notes of thecentral-services
Helm chart include a command for retrieving the automatically generated values. -
If the CA was generated outside of the Helm chart and provided during the installation of the
central-services
chart, then you must perform that action again when using thehelm upgrade
command, for example, by using the--reuse-values
flag with thehelm upgrade
command.
-
If the CA was generated by the Helm chart during the initial installation, you must retrieve these automatically generated values from the cluster and provide them to the
Procedure
-
Update the
values-public.yaml
andvalues-private.yaml
configuration files with new values. Run the
helm upgrade
command and specify the configuration files using the-f
option:$ helm upgrade -n stackrox \ stackrox-secured-cluster-services rhacs/secured-cluster-services \ --reuse-values \1 -f <path_to_values_public.yaml> \ -f <path_to_values_private.yaml>
- 1
- If you have modified values that are not included in the
values_public.yaml
andvalues_private.yaml
files, include the--reuse-values
parameter.
7.6.3. Installing RHACS on secured clusters by using the roxctl CLI
To install RHACS on secured clusters by using the CLI, perform the following steps:
-
Install the
roxctl
CLI. - Install Sensor.
7.6.3.1. Installing the roxctl CLI
You must first download the binary. You can install roxctl
on Linux, Windows, or macOS.
7.6.3.1.1. Installing the roxctl CLI on Linux
You can install the roxctl
CLI binary on Linux by using the following procedure.
roxctl
CLI for Linux is available for amd64
, arm64
, ppc64le
, and s390x
architectures.
Procedure
Determine the
roxctl
architecture for the target operating system:$ arch="$(uname -m | sed "s/x86_64//")"; arch="${arch:+-$arch}"
Download the
roxctl
CLI:$ curl -L -f -o roxctl "https://mirror.openshift.com/pub/rhacs/assets/4.6.2/bin/Linux/roxctl${arch}"
Make the
roxctl
binary executable:$ chmod +x roxctl
Place the
roxctl
binary in a directory that is on yourPATH
:To check your
PATH
, execute the following command:$ echo $PATH
Verification
Verify the
roxctl
version you have installed:$ roxctl version
7.6.3.1.2. Installing the roxctl CLI on macOS
You can install the roxctl
CLI binary on macOS by using the following procedure.
roxctl
CLI for macOS is available for amd64
and arm64
architectures.
Procedure
Determine the
roxctl
architecture for the target operating system:$ arch="$(uname -m | sed "s/x86_64//")"; arch="${arch:+-$arch}"
Download the
roxctl
CLI:$ curl -L -f -o roxctl "https://mirror.openshift.com/pub/rhacs/assets/4.6.2/bin/Darwin/roxctl${arch}"
Remove all extended attributes from the binary:
$ xattr -c roxctl
Make the
roxctl
binary executable:$ chmod +x roxctl
Place the
roxctl
binary in a directory that is on yourPATH
:To check your
PATH
, execute the following command:$ echo $PATH
Verification
Verify the
roxctl
version you have installed:$ roxctl version
7.6.3.1.3. Installing the roxctl CLI on Windows
You can install the roxctl
CLI binary on Windows by using the following procedure.
roxctl
CLI for Windows is available for the amd64
architecture.
Procedure
Download the
roxctl
CLI:$ curl -f -O https://mirror.openshift.com/pub/rhacs/assets/4.6.2/bin/Windows/roxctl.exe
Verification
Verify the
roxctl
version you have installed:$ roxctl version
7.6.3.2. Installing Sensor
To monitor a cluster, you must deploy Sensor. You must deploy Sensor into each cluster that you want to monitor. This installation method is also called the manifest installation method.
To perform an installation by using the manifest installation method, follow only one of the following procedures:
- Use the RHACS web portal to download the cluster bundle, and then extract and run the sensor script.
-
Use the
roxctl
CLI to generate the required sensor configuration for your OpenShift Container Platform cluster and associate it with your Central instance.
Prerequisites
- You must have already installed Central services, or you can access Central services by selecting your ACS instance on Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service).
7.6.3.2.1. Manifest installation method by using the web portal
Procedure
-
On your secured cluster, in the RHACS portal, go to Platform Configuration
Clusters. -
Select Secure a cluster
Legacy installation method. - Specify a name for the cluster.
Provide appropriate values for the fields based on where you are deploying the Sensor.
- If you are deploying Sensor in the same cluster, accept the default values for all the fields.
-
If you are deploying into a different cluster, replace
central.stackrox.svc:443
with a load balancer, node port, or other address, including the port number, that is accessible from the other cluster. If you are using a non-gRPC capable load balancer, such as HAProxy, AWS Application Load Balancer (ALB), or AWS Elastic Load Balancing (ELB), use the WebSocket Secure (
wss
) protocol. To usewss
:-
Prefix the address with
wss://
. -
Add the port number after the address, for example,
wss://stackrox-central.example.com:443
.
-
Prefix the address with
- Click Next to continue with the Sensor setup.
Click Download YAML File and Keys to download the cluster bundle (zip archive).
ImportantThe cluster bundle zip archive includes unique configurations and keys for each cluster. Do not reuse the same files in another cluster.
From a system that has access to the monitored cluster, extract and run the
sensor
script from the cluster bundle:$ unzip -d sensor sensor-<cluster_name>.zip
$ ./sensor/sensor.sh
If you get a warning that you do not have the required permissions to deploy Sensor, follow the on-screen instructions, or contact your cluster administrator for help.
After Sensor is deployed, it contacts Central and provides cluster information.
7.6.3.2.2. Manifest installation by using the roxctl CLI
Procedure
Generate the required sensor configuration for your OpenShift Container Platform cluster and associate it with your Central instance by running the following command:
$ roxctl sensor generate openshift --openshift-version <ocp_version> --name <cluster_name> --central "$ROX_ENDPOINT" 1
- 1
- For the
--openshift-version
option, specify the major OpenShift Container Platform version number for your cluster. For example, specify3
for OpenShift Container Platform version3.x
and specify4
for OpenShift Container Platform version4.x
.
From a system that has access to the monitored cluster, extract and run the
sensor
script from the cluster bundle:$ unzip -d sensor sensor-<cluster_name>.zip
$ ./sensor/sensor.sh
If you get a warning that you do not have the required permissions to deploy Sensor, follow the on-screen instructions, or contact your cluster administrator for help.
After Sensor is deployed, it contacts Central and provides cluster information.
Verification
Return to the RHACS portal and check if the deployment is successful. If successful, when viewing your list of clusters in Platform Configuration
Clusters, the cluster status displays a green checkmark and a Healthy status. If you do not see a green checkmark, use the following command to check for problems: On OpenShift Container Platform, enter the following command:
$ oc get pod -n stackrox -w
On Kubernetes, enter the following command:
$ kubectl get pod -n stackrox -w
- Click Finish to close the window.
After installation, Sensor starts reporting security information to RHACS and the RHACS portal dashboard begins showing deployments, images, and policy violations from the cluster on which you have installed the Sensor.
7.6.4. Next steps
- Verify installation by ensuring that your secured clusters can communicate with the ACS instance.
7.7. Configuring the proxy for secured cluster services in RHACS Cloud Service
You must configure the proxy settings for secured cluster services within the Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service) environment to establish a connection between the Secured Cluster and the specified proxy server. This ensures reliable data collection and transmission.
7.7.1. Specifying the environment variables in the SecuredCluster CR
To configure an egress proxy, you can either use the cluster-wide Red Hat OpenShift proxy or specify the HTTP_PROXY
, HTTPS_PROXY
, and NO_PROXY
environment variables within the SecuredCluster Custom Resource (CR) configuration file to ensure proper use of the proxy and bypass for internal requests within the specified domain.
The proxy configuration applies to all running services: Sensor, Collector, Admission Controller and Scanner.
Procedure
Specify the
HTTP_PROXY
,HTTPS_PROXY
, andNO_PROXY
environment variables under the customize specification in the SecuredCluster CR configuration file:For example:
# proxy collector customize: envVars: - name: HTTP_PROXY value: http://egress-proxy.stackrox.svc:xxxx 1 - name: HTTPS_PROXY value: http://egress-proxy.stackrox.svc:xxxx 2 - name: NO_PROXY value: .stackrox.svc 3
- 1
- The variable
HTTP_PROXY
is set to the valuehttp://egress-proxy.stackrox.svc:xxxx
. This is the proxy server used for HTTP connections. - 2
- The variable
HTTPS_PROXY
is set to the valuehttp://egress-proxy.stackrox.svc:xxxx
. This is the proxy server used for HTTPS connections. - 3
- The variable
NO _PROXY
is set to.stackrox.svc
. This variable is used to define the hostname or IP address that should not be accessed through the proxy server.
7.8. Verifying installation of secured clusters
After installing RHACS Cloud Service, you can perform some steps to verify that the installation was successful.
To verify installation, access your ACS Console from the Red Hat Hybrid Cloud Console. The Dashboard displays the number of clusters that RHACS Cloud Service is monitoring, along with information about nodes, deployments, images, and violations.
If no data appears in the ACS Console:
- Ensure that at least one secured cluster is connected to your RHACS Cloud Service instance. For more information, see Installing secured cluster resources from RHACS Cloud Service.
- Examine your Sensor pod logs to ensure that the connection to your RHACS Cloud Service instance is successful.
-
In the Red Hat OpenShift cluster, go to Platform Configuration
Clusters to verify that the components are healthy and view additional operational information. -
Examine the values in the
SecuredCluster
API in the Operator on your local cluster to ensure that the Central API Endpoint has been entered correctly. This value should be the same value as shown in the ACS instance details in the Red Hat Hybrid Cloud Console.