Chapter 8. roxctl CLI command reference
8.1. roxctl
Display the available commands and optional parameters for roxctl CLI. You must have an account with administrator privileges to use these commands.
Usage
$ roxctl [command] [flags]
| Command | Description |
|---|---|
|
| Commands related to the Central service. |
|
| Commands related to a cluster. |
|
| Commands related to the Collector service. |
|
| Generate shell completion scripts. |
|
| Manage declarative configuration. |
|
| Commands related to deployments. |
|
| Commands related to Red Hat Advanced Cluster Security for Kubernetes (RHACS) Helm Charts. |
|
| Commands that you can run on a specific image. |
|
| Commands related to network policies. |
|
| Commands related to the Scanner service. |
|
| Deploy RHACS services in secured clusters. |
|
| Display the current roxctl version. |
8.1.1. roxctl command options
The roxctl command supports the following options:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
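Several of the options above skip certificate validation, allow insecure or unencrypted connections, or pass the basic-authentication password directly. The following check for pipeline scripts is an added example, not part of the Red Hat reference. The flag and variable spellings it looks for (`--insecure-skip-tls-verify`, `--insecure`, `--plaintext`, `-p`/`--password`, and the `ROX_*` names) are assumed from upstream roxctl and should be confirmed with `roxctl --help`; the sample script, host name and file paths are constructed.

```shell
#!/bin/sh
# Added example: report roxctl invocations that weaken transport security
# or put the admin password on the command line.
# Flag and ROX_* spellings are assumptions taken from upstream roxctl.

# audit_roxctl [FILE...]
# Reads shell script text from FILE(s) or stdin and prints one
# "<line-number>:<finding>" per risky option.
audit_roxctl() {
    awk '
    function report(what) { printf "%d:%s\n", NR, what }

    /^[ \t]*#/ { next }                 # ignore comment lines

    {
        is_cmd = 0                      # becomes 1 once "roxctl" is seen on this line
        for (i = 1; i <= NF; i++) {
            t = $i
            gsub(/[";]/, "", t)         # drop double quotes and command separators
            v = tolower(t)

            # Environment-variable forms count wherever they are set.
            if (v == "rox_insecure_client_skip_tls_verify=true") report("tls-verify-disabled")
            else if (v == "rox_plaintext=true") report("plaintext")
            else if (v == "rox_insecure_client=true") report("insecure-options")

            if (t == "roxctl" || t ~ /\/roxctl$/) { is_cmd = 1; continue }
            if (!is_cmd) continue       # flags of other tools are not our concern

            # An explicit "=false" turns the option off and is not reported.
            if (t ~ /^--insecure-skip-tls-verify(=true)?$/) report("tls-verify-disabled")
            else if (t ~ /^--plaintext(=true)?$/) report("plaintext")
            else if (t ~ /^--insecure(=true)?$/) report("insecure-options")
            else if (t == "-p" || t == "--password" || t ~ /^--password=/)
                report("password-on-command-line")
        }
    }
    ' "$@"
}

# Constructed sample pipeline script (not taken from any real environment).
sample_pipeline() {
    cat <<'EOF'
#!/bin/sh
# roxctl --insecure-skip-tls-verify   (comment, ignored)
export ROX_ENDPOINT=central.example.com:443
roxctl --ca /etc/rox/ca.pem --token-file /run/secrets/rox-token central whoami
roxctl -e central.example.com:443 --insecure-skip-tls-verify -p "$ADMIN_PW" central backup
roxctl --insecure --plaintext central cert
export ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY=true
roxctl --insecure-skip-tls-verify=false central whoami
kubectl logs -p central-0
EOF
}

# Demonstration: lines 5, 6 and 7 of the sample are reported; line 4, which
# pins a CA file and reads the token from a file, is not.
sample_pipeline | audit_roxctl
```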
8.2. roxctl central
Commands related to the Central service.
Usage
$ roxctl central [command] [flags]
| Command | Description |
|---|---|
|
| Create a backup of the Red Hat Advanced Cluster Security for Kubernetes (RHACS) database and the certificates. |
|
| Download the certificate chain for the Central service. |
|
| Control the database operations. |
|
| Debug the Central service. |
|
| Generate the required YAML configuration files containing the orchestrator objects for the deployment of Central. |
|
| Initialize bundles for Central. |
|
| Log in to the Central instance to obtain a token. |
|
| Manage the user certificate authorization providers. |
|
| Display information about the current user and their authentication method. |
8.2.1. roxctl central command options inherited from the parent command
The roxctl central command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl central command.
8.2.2. roxctl central backup
Create a backup of the RHACS database and certificates.
Usage
$ roxctl central backup [flags]
| Option | Description |
|---|---|
|
|
Specify to only back up the certificates. When using an external database, this option is used to generate a backup bundle with certificates. The default value is |
|
| Specify where you want to save the backup. The behavior depends on the specified path:
|
|
|
Specify the timeout for API requests. It represents the maximum duration of a request. The default value is |
8.2.3. roxctl central cert
Download the certificate chain for the Central service.
Usage
$ roxctl central cert [flags]
| Option | Description |
|---|---|
|
|
Specify the file name to which you want to save the PEM certificate. You can generate a standard output by using |
|
|
Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is |
|
|
Specify the timeout for API requests representing the maximum duration of a request. The default value is |
8.2.4. roxctl central login
Log in to the Central instance to obtain a token.
Usage
$ roxctl central login [flags]
| Option | Description |
|---|---|
|
|
Specify the timeout for API requests representing the maximum duration of a request. The default value is |
8.2.5. roxctl central whoami
Display information about the current user and their authentication method.
Usage
$ roxctl central whoami [flags]
| Option | Description |
|---|---|
|
|
Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is |
|
|
Specify the timeout for API requests representing the maximum duration of a request. The default value is |
8.2.6. roxctl central db
Control the database operations.
Usage
$ roxctl central db [flags]
| Option | Description |
|---|---|
|
|
Specify the timeout for API requests representing the maximum duration of a request. The default value is |
8.2.6.1. roxctl central db restore
Restore the RHACS database from a previous backup.
Usage
$ roxctl central db restore <file> [flags]
For <file>, specify the database backup file that you want to restore.
| Option | Description |
|---|---|
|
|
If set to |
|
|
If set to |
8.2.6.2. roxctl central db generate
Generate a Central database bundle.
Usage
$ roxctl central db generate [flags]
| Option | Description |
|---|---|
|
|
If set to |
|
|
Specify the path to the Helm templates in your local file system. For more details, run the |
|
|
If set to |
8.2.6.3. roxctl central db generate k8s
Generate Kubernetes YAML files for deploying Central’s database components.
Usage
$ roxctl central db generate k8s [flags]
| Option | Description |
|---|---|
|
|
Specify the Central database image that you want to use. If not specified, a default value corresponding to the |
|
|
Specify the default settings for container images. It controls the repositories from which the images are downloaded, the image names and the format of the tags. The default value is |
|
|
Specify the directory to which you want to save the deployment bundle. The default value is |
8.2.6.4. roxctl central db restore cancel
Cancel the ongoing Central database restore process.
Usage
$ roxctl central db restore cancel [flags]
| Option | Description |
|---|---|
|
|
If set to |
8.2.6.5. roxctl central db restore status
Display information about the ongoing database restore process.
Usage
$ roxctl central db restore status [flags]
8.2.6.6. roxctl central db generate k8s pvc
Generate Kubernetes YAML files for persistent volume claims (PVCs) in Central.
Usage
$ roxctl central db generate k8s pvc [flags]
| Option | Description |
|---|---|
|
|
Specify the external volume name for the Central database. The default value is |
|
|
Specify the external volume size in gigabytes for the Central database. The default value is |
|
| Specify the storage class name for the Central database. This is optional if you have a default storage class configured. |
8.2.6.7. roxctl central db generate openshift
Generate an OpenShift YAML manifest for deploying a Central database instance on a Red Hat OpenShift cluster.
Usage
$ roxctl central db generate openshift [flags]
| Option | Description |
|---|---|
|
|
Specify the Central database image that you want to use. If not specified, a default value corresponding to the |
|
|
Specify the default settings for container images. It controls the repositories from which the images are downloaded, the image names and the format of the tags. The default value is |
|
|
Specify the Red Hat OpenShift major version 3 or 4 for the deployment. The default value is |
|
|
Specify the directory to which you want to save the deployment bundle. The default value is |
8.2.6.8. roxctl central db generate k8s hostpath
Generate a Kubernetes YAML manifest for a database deployment with a hostpath volume type in Central.
Usage
$ roxctl central db generate k8s hostpath [flags]
| Option | Description |
|---|---|
|
|
Specify the path on the host. The default value is |
|
|
Specify the node selector key. Valid values include |
|
| Specify the node selector value. |
8.2.6.9. roxctl central db generate openshift pvc
Generate an OpenShift YAML manifest for a database deployment with a persistent volume claim (PVC) in Central.
Usage
$ roxctl central db generate openshift pvc [flags]
| Option | Description |
|---|---|
| --name string | Specify the external volume name for the Central database. The default value is |
| --size uint32 | Specify the external volume size in gigabytes for the Central database. The default value is |
| --storage-class string | Specify the storage class name for the Central database. This is optional if you have a default storage class configured. |
8.2.6.10. roxctl central db generate openshift hostpath
Add a hostpath external volume to the Central database.
Usage
$ roxctl central db generate openshift hostpath [flags]
| Option | Description |
|---|---|
|
|
Specify the path on the host. The default value is |
|
|
Specify the node selector key. Valid values include |
|
| Specify the node selector value. |
8.2.7. roxctl central debug
Debug the Central service.
Usage
$ roxctl central debug [flags]
8.2.7.1. roxctl central debug db
Control the debugging of the database.
Usage
$ roxctl central debug db [flags]
| Option | Description |
|---|---|
|
|
Specify the timeout for API requests representing the maximum duration of a request. The default value is |
8.2.7.2. roxctl central debug log
Retrieve the current log level.
Usage
$ roxctl central debug log [flags]
| Option | Description |
|---|---|
|
|
Specify the log level to which you want to set the modules. Valid values include |
|
| Specify the modules to which you want to apply the command. |
|
|
Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is |
|
|
Specify the timeout for API requests, which is the maximum duration of a request. The default value is |
8.2.7.3. roxctl central debug dump
Download a bundle containing the debug information for Central.
Usage
$ roxctl central debug dump [flags]
| Option | Description |
|---|---|
|
|
If set to |
|
| Specify the output directory for the bundle content. The default value is an automatically generated directory name within the current directory. |
|
|
Specify the timeout for API requests, which is the maximum duration of a request. The default value is |
8.2.7.4. roxctl central debug db stats
Control the statistics of the Central database.
Usage
$ roxctl central debug db stats [flags]
8.2.7.5. roxctl central debug authz-trace
Enable or disable authorization tracing in Central for debugging purposes.
Usage
$ roxctl central debug authz-trace [flags]
| Option | Description |
|---|---|
|
|
Specify the timeout for API requests representing the maximum duration of a request. The default value is |
8.2.7.6. roxctl central debug db stats reset
Reset the statistics of the Central database.
Usage
$ roxctl central debug db stats reset [flags]
8.2.7.7. roxctl central debug download-diagnostics
Download a bundle containing a snapshot of diagnostic information about the platform.
Usage
$ roxctl central debug download-diagnostics [flags]
| Option | Description |
|---|---|
|
| Specify a comma-separated list of the Sensor clusters from which you want to collect the logs. |
|
| Specify the output directory in which you want to save the diagnostic bundle. |
|
| Specify the timestamp from which you want to collect the logs from the Sensor clusters. |
|
|
Specify the timeout for API requests, which specifies the maximum duration of a request. The default value is |
8.2.8. roxctl central generate
Generate the required YAML configuration files that contain the orchestrator objects to deploy Central.
Usage
$ roxctl central generate [flags]
| Option | Description |
|---|---|
|
| Specify the path to the backup bundle from which you want to restore the keys and certificates. |
|
|
If set to |
|
|
Specify the path to Helm templates on your local file system. For more details, run the |
|
| Specify the PEM certificate bundle file that you want to use as the default. |
|
| Specify the PEM private key file that you want to use as the default. |
|
|
If set to |
|
| Specify the administrator password. The default value is automatically generated. |
|
| Specify the ports or endpoints you want to use for unencrypted exposure as a comma-separated list. |
8.2.8.1. roxctl central generate k8s
Generate the required YAML configuration files to deploy Central into a Kubernetes cluster.
Usage
$ roxctl central generate k8s [flags]
| Option | Description |
|---|---|
|
|
Specify the Central database image you want to use. If not specified, a default value corresponding to the |
|
| Specify a list of configuration maps that you want to add as declarative configuration mounts in Central. |
|
| Specify a list of secrets that you want to add as declarative configuration mounts in Central. |
|
|
Specify whether you want to enable telemetry. The default value is |
|
|
Specify the default settings for container images. The specified settings control the repositories from which the images are downloaded, the image names and the format of the tags. The default value is |
|
|
Generate deployment files that support the specified Istio version. Valid values include |
|
|
Specify the method in which you want to suspend Central. Valid values include |
|
|
Specify the main image that you want to use. If not specified, a default value corresponding to the |
|
|
Specify whether you want to run RHACS in offline mode, avoiding a connection to the Internet. The default value is |
|
|
Specify the directory to which you want to save the deployment bundle. The default value is |
|
|
Specify the deployment tool that you want to use. Valid values include |
|
|
Specify the Scanner database image that you want to use. If not specified, a default value corresponding to the |
|
| Specify the Scanner image that you want to use. If not specified, a default value corresponding to the `--image-defaults` is used. |
8.2.8.2. roxctl central generate k8s pvc
Generate Kubernetes YAML files for persistent volume claims (PVCs) in Central.
Usage
$ roxctl central generate k8s pvc [flags]
| Option | Description |
|---|---|
|
|
Specify the external volume name for the Central database. The default value is |
|
|
Specify the external volume size in gigabytes for the Central database. The default value is |
|
| Specify the storage class name for the Central database. This is optional if you have a default storage class configured. |
8.2.8.3. roxctl central generate openshift
Generate the required YAML configuration files to deploy Central in a Red Hat OpenShift cluster.
Usage
$ roxctl central generate openshift [flags]
| Option | Description |
|---|---|
|
|
Specify the Central database image that you want to use. If not specified, a default value is created corresponding to the |
|
| Specify a list of configuration maps that you want to add as declarative configuration mounts in Central. |
|
| Specify a list of secrets that you want to add as declarative configuration mounts in Central. |
|
|
Specify whether you want to enable telemetry. The default value is |
|
|
Specify the default settings for container images. It controls the repositories from which the images are downloaded, the image names and the format of the tags. The default value is |
|
|
Generate deployment files that support the specified Istio version. Valid values include |
|
|
Specify the method of exposing Central. Valid values include |
|
|
Specify the main image that you want to use. If not specified, a default value corresponding to |
|
|
Specify whether you want to run RHACS in offline mode, avoiding a connection to the Internet. The default value is |
|
|
Specify integration with Red Hat OpenShift 4 monitoring. The default value is |
|
| Specify the Red Hat OpenShift major version 3 or 4 for the deployment. |
|
|
Specify the directory to which you want to save the deployment bundle. The default value is |
|
|
Specify the deployment tool that you want to use. Valid values include |
|
|
Specify the Scanner database image that you want to use. If not specified, a default value corresponding to the |
|
|
Specify the Scanner image that you want to use. If not specified, a default value corresponding to |
8.2.8.4. roxctl central generate interactive
Generate interactive resources in Central.
Usage
$ roxctl central generate interactive [flags]
8.2.8.5. roxctl central generate k8s hostpath
Generate a Kubernetes YAML manifest for deploying a Central instance by using the hostpath volume type.
Usage
$ roxctl central generate k8s hostpath [flags]
| Option | Description |
|---|---|
|
|
Specify the path on the host for the Central database. The default value is |
|
|
Specify the node selector key for the Central database. Valid values include |
|
| Specify the node selector value for the Central database. |
8.2.8.6. roxctl central generate openshift pvc
Generate an OpenShift YAML manifest for deploying a persistent volume claim (PVC) in Central.
Usage
$ roxctl central generate openshift pvc [flags]
| Option | Description |
|---|---|
|
|
Specify the external volume name for the Central database. The default value is |
|
|
Specify the external volume size in gigabytes for the Central database. The default value is |
|
| Specify the storage class name for the Central database. This is optional if you have a default storage class configured. |
8.2.8.7. roxctl central generate openshift hostpath
Add a hostpath external volume to the deployment definition in Red Hat OpenShift.
Usage
$ roxctl central generate openshift hostpath [flags]
| Option | Description |
|---|---|
|
|
Specify the path on the host for the Central database. The default value is |
|
|
Specify the node selector key. Valid values include |
|
| Specify the node selector value for the Central database. |
8.2.9. roxctl central init-bundles
Initialize bundles in Central.
Usage
$ roxctl central init-bundles [flag]
| Option | Description |
|---|---|
|
|
Specify the timeout after which API requests are retried. A value of |
|
|
Specify the timeout for API requests representing the maximum duration of a request. The default value is |
8.2.9.1. roxctl central init-bundles list
List the available initialization bundles in Central.
Usage
$ roxctl central init-bundles list [flags]
8.2.9.2. roxctl central init-bundles revoke
Revoke one or more cluster initialization bundles in Central.
Usage
$ roxctl central init-bundles revoke <init_bundle_ID or name> [<init_bundle_ID or name> ...] [flags]
For <init_bundle_ID or name>, specify the ID or the name of the initialization bundle that you want to revoke. You can provide multiple IDs or names separated by using spaces.
8.2.9.3. roxctl central init-bundles fetch-ca
Fetch the certificate authority (CA) bundle from Central.
Usage
$ roxctl central init-bundles fetch-ca [flags]
| Option | Description |
|---|---|
|
| Specify the file that you want to use for storing the CA configuration. |
8.2.9.4. roxctl central init-bundles generate
Generate a new cluster initialization bundle.
Usage
$ roxctl central init-bundles generate <init_bundle_name> [flags]
For <init_bundle_name>, specify the name for the initialization bundle you want to generate.
| Option | Description |
|---|---|
|
|
Specify the file you want to use for storing the newly generated initialization bundle in the Helm configuration form. You can generate a standard output by using |
|
|
Specify the file that you want to use for storing the newly generated initialization bundle in Kubernetes secret form. You can generate a standard output by using |
8.2.10. roxctl central userpki
Manage the user certificate authorization providers.
Usage
$ roxctl central userpki [flags]
8.2.10.1. roxctl central userpki list
Display all the user certificate authentication providers.
Usage
$ roxctl central userpki list [flags]
| Option | Description |
|---|---|
|
|
Enable the JSON output. The default value is |
|
|
Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is |
|
|
Specify the timeout for API requests representing the maximum duration of a request. The default value is |
8.2.10.2. roxctl central userpki create
Create a new user certificate authentication provider.
Usage
$ roxctl central userpki create name [flags]
| Option | Description |
|---|---|
|
| Specify the PEM files of the root CA certificates. You can specify several certificate files. |
|
|
Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is |
|
| Specify the minimum access role for users of this provider. |
|
|
Specify the timeout for API requests representing the maximum duration of a request. The default value is |
8.2.10.3. roxctl central userpki delete
Delete a user certificate authentication provider.
Usage
$ roxctl central userpki delete id|name [flags]
| Option | Description |
|---|---|
|
|
If set to |
|
|
Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is |
|
|
Specify the timeout for API requests representing the maximum duration of a request. The default value is |
8.3. roxctl cluster
Commands related to a cluster.
Usage
$ roxctl cluster [command] [flags]
| Command | Description |
|---|---|
|
| Remove Sensor from Central. |
| Option | Description |
|---|---|
|
|
Set the retry timeout for API requests. A value of zero means the full request duration is awaited without retry. The default value is |
|
|
Set the timeout for API requests representing the maximum duration of a request. The default value is |
8.3.1. roxctl cluster command options inherited from the parent command
The roxctl cluster command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl cluster command.
8.3.2. roxctl cluster delete
Remove Sensor from Central.
Usage
$ roxctl cluster delete [flags]
| Option | Description |
|---|---|
|
| Specify the cluster name to delete. |
8.4. roxctl collector
Commands related to the Collector service.
Usage
$ roxctl collector [command] [flags]
| Command | Description |
|---|---|
|
| Upload support packages for Collector. |
8.4.1. roxctl collector command options inherited from the parent command
The roxctl collector command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl collector command.
8.4.2. roxctl collector support-packages
Upload support packages for Collector.
Support packages are deprecated and have no effect on secured clusters running version 4.5 or later. Support package uploads only affect secured clusters on version 4.4 and earlier.
Usage
$ roxctl collector support-packages [flags]
8.4.2.1. roxctl collector support-packages upload
Upload files from a Collector support package to Central.
Usage
$ roxctl collector support-packages upload [flags]
| Option | Description |
|---|---|
|
|
Specify whether you want to overwrite existing but different files. The default value is |
|
|
Set the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is |
|
|
Set the timeout for API requests. This option represents the maximum duration of a request. The default value is |
8.5. roxctl completion
Generate shell completion scripts.
Usage
$ roxctl completion [bash|zsh|fish|powershell]
| Shell type | Description |
|---|---|
|
| Generate a completion script for the Bash shell. |
|
| Generate a completion script for the Zsh shell. |
|
| Generate a completion script for the Fish shell. |
|
| Generate a completion script for the PowerShell shell. |
8.5.1. roxctl completion command options inherited from the parent command
The roxctl completion command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
8.6. roxctl declarative-config
Manage the declarative configuration.
Usage
$ roxctl declarative-config [command] [flags]
| Command | Description |
|---|---|
|
| Create declarative configurations. |
|
| Lint an existing declarative configuration YAML file. |
8.6.1. roxctl declarative-config command options inherited from the parent command
The roxctl declarative-config command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl declarative-config command.
8.6.2. roxctl declarative-config lint
Lint an existing declarative configuration YAML file.
Usage
$ roxctl declarative-config lint [flags]
| Option | Description |
|---|---|
|
|
Read the declarative configuration from the |
|
| File containing the declarative configuration in YAML format. |
|
|
Read the declarative configuration from the |
|
|
Read the declarative configuration from the specified |
8.6.3. roxctl declarative-config create
Create declarative configurations.
Usage
$ roxctl declarative-config create [flags]
| Option | Description |
|---|---|
|
|
Write the declarative configuration YAML in the configuration map. If not specified and the |
|
| Required if you want to write the declarative configuration YAML to a configuration map or secret. If not specified, the default namespace in the current Kubernetes configuration is used. |
|
|
Write the declarative configuration YAML in the Secret. You must use secrets for sensitive data. If not specified and the |
8.6.3.1. roxctl declarative-config create role
Create a declarative configuration for a role.
Usage
$ roxctl declarative-config create role [flags]
| Option | Description |
|---|---|
|
| By providing the name, you can specify the referenced access scope. |
|
| Set a description for the role. |
|
| Specify the name of the role. |
|
| By providing the name, you can specify the referenced permission set. |
8.6.3.2. roxctl declarative-config create notifier
Create a declarative configuration for a notifier.
Usage
$ roxctl declarative-config create notifier [flags]
| Option | Description |
|---|---|
|
| Specify the name of the notifier. |
8.6.3.3. roxctl declarative-config create access-scope
Create a declarative configuration for an access scope.
Usage
$ roxctl declarative-config create access-scope [flags]
| Option | Description |
|---|---|
|
|
Specify the criteria for creating a label selector based on the cluster’s labels. The key-value pairs represent requirements, and you can use this flag multiple times to create a combination of requirements. The default value is |
|
| Set a description for the access scope. |
|
|
Specify a list of clusters and their namespaces that you want to include in the access scope. The default value is |
|
| Specify the name of the access scope. |
|
|
Specify the criteria for creating a label selector based on the namespace’s labels. Similar to the cluster-label-selector, you can use this flag multiple times for the combination of requirements. For more details, run the |
8.6.3.4. roxctl declarative-config create auth-provider
Create a declarative configuration for an authentication provider.
Usage
$ roxctl declarative-config create auth-provider [flags]
| Option | Description |
|---|---|
|
|
Specify additional user interface (UI) endpoints from which the authentication provider is used. The expected format is |
|
|
Set the keys of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the |
|
|
Set the role of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the |
|
|
Set the values of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the |
|
| Set the minimum access role of the authentication provider. You can leave this field empty if you do not want to configure the minimum access role by using the declarative configuration. |
|
| Specify the name of the authentication provider. |
|
|
Set a list of attributes that the authentication provider must return during authentication. The default value is |
|
|
Set the UI endpoint from which the authentication provider is used. This is usually the public endpoint where RHACS is available. The expected format is |
8.6.3.5. roxctl declarative-config create permission-set
Create a declarative configuration for a permission set.
Usage
$ roxctl declarative-config create permission-set [flags]
| Option | Description |
|---|---|
|
| Set the description of the permission set. |
|
| Specify the name of the permission set. |
|
|
Set a list of resources with their respective access levels. The default value is |
8.6.3.6. roxctl declarative-config create notifier splunk
Create a declarative configuration for a Splunk notifier.
Usage
$ roxctl declarative-config create notifier splunk [flags]
| Option | Description |
|---|---|
|
|
Enable audit logging. The default value is |
|
|
Specify Splunk source types as comma-separated |
|
| Specify the Splunk HTTP endpoint. This is a mandatory option. |
|
|
Use an insecure connection to Splunk. The default value is |
|
| Specify the Splunk HTTP token. This is a mandatory option. |
|
|
Specify the Splunk truncate limit. The default value is |
8.6.3.7. roxctl declarative-config create notifier generic
Create a declarative configuration for a generic notifier.
Usage
$ roxctl declarative-config create notifier generic [flags]
| Option | Description |
|---|---|
|
|
Enable audit logging. The default value is |
|
|
Specify additional fields as comma-separated |
|
|
Specify headers as comma-separated |
|
| Specify the file name of the endpoint CA certificate in PEM format. |
|
| Specify the URL of the webhook endpoint. |
|
|
Specify the password for basic authentication of the webhook endpoint. No authentication if not specified. Requires |
|
|
Skip webhook TLS verification. The default value is |
|
|
Specify the username for basic authentication of the webhook endpoint. No authentication occurs if not specified. Requires |
8.6.3.8. roxctl declarative-config create auth-provider iap
Create a declarative configuration for an authentication provider with the identity-aware proxy (IAP) identifier.
Usage
$ roxctl declarative-config create auth-provider iap [flags]
| Option | Description |
|---|---|
|
| Specify the target group that you want to validate. |
8.6.3.9. roxctl declarative-config create auth-provider oidc
Create a declarative configuration for an OpenID Connect (OIDC) authentication provider.
Usage
$ roxctl declarative-config create auth-provider oidc [flags]
| Option | Description |
|---|---|
|
|
Specify a list of non-standard claims from the identity provider (IdP) token that you want to include in the authentication provider’s rules. The default value is |
|
| Specify the client ID of the OIDC client. |
|
| Specify the client secret of the OIDC client. |
|
|
Disable the request for the offline_access from the OIDC IdP. You need to use this option if the OIDC IdP limits the number of sessions with the |
|
| Specify the issuer of the OIDC client. |
|
|
Specify the callback mode that you want to use. Valid values include |
8.6.3.10. roxctl declarative-config create auth-provider saml
Create a declarative configuration for a SAML authentication provider.
Usage
$ roxctl declarative-config create auth-provider saml [flags]
| Option | Description |
|---|---|
|
| Specify the file containing the SAML identity provider (IdP) certificate in PEM format. |
|
| Specify the issuer of the IdP. |
|
| Specify the metadata URL of the service provider. |
|
| Specify the format of the name ID. |
|
| Specify the issuer of the service provider. |
|
| Specify the URL of the IdP for single sign-on (SSO). |
8.6.3.11. roxctl declarative-config create auth-provider userpki
Create a declarative configuration for a user PKI authentication provider.
Usage
$ roxctl declarative-config create auth-provider userpki [flags]
| Option | Description |
|---|---|
|
| Specify the file containing the certification authorities in PEM format. |
8.6.3.12. roxctl declarative-config create auth-provider openshift-auth
Create a declarative configuration for an OpenShift Container Platform OAuth authentication provider.
Usage
$ roxctl declarative-config create auth-provider openshift-auth [flags]
8.7. roxctl deployment
Commands related to deployments.
Usage
$ roxctl deployment [command] [flags]
| Command | Description |
|---|---|
|
| Check the deployments for violations of the deployment time policy. |
| Option | Description |
|---|---|
|
|
Set the timeout for API requests. This option represents the maximum duration of a request. The default value is |
8.7.1. roxctl deployment command options inherited from the parent command
The roxctl deployment command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl deployment command.
8.7.2. roxctl deployment check
Check deployments for violations of the deployment time policy.
Usage
$ roxctl deployment check [flags]
| Option | Description |
|---|---|
|
| Define the policy categories that you want to execute. By default, all policy categories are executed. |
|
| Set the cluster name or ID that you want to use as the context for the evaluation to enable extended deployments with cluster-specific information. |
|
|
Print the JSON output in compact form. The default value is |
|
| Specify the YAML files to send to Central for policy evaluation. |
|
|
Bypass the Central cache for images and force a new pull from Scanner. The default value is |
|
|
Define headers that you want to print in the tabular output. The default values include |
|
|
Print headers as comments in the CSV tabular output. The default value is |
|
|
Set the name of the JUnit test suite. The default value is |
|
|
Merge duplicate cells in the tabular output. The default value is |
|
|
Specify a namespace to enhance deployments with context information such as network policies, RBACs and services for deployments that do not have a namespace in their specification. The namespace defined in the specification is not changed. The default value is |
|
|
Do not print headers for a tabular output. The default value is |
|
|
Choose the output format. Output formats include |
|
|
Set the number of retries before exiting as an error. The default value is |
|
|
Set the time to wait between retries in seconds. The default value is |
|
|
Define the JSON path expressions to create a row from the JSON object. For more details, run the |
8.8. roxctl helm
Commands related to Red Hat Advanced Cluster Security for Kubernetes (RHACS) Helm Charts.
Usage
$ roxctl helm [command] [flags]
| Command | Description |
|---|---|
|
| Derive local Helm values from the cluster configuration. |
|
| Output a Helm chart. |
8.8.1. roxctl helm command options inherited from the parent command
The roxctl helm command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl helm command.
8.8.2. roxctl helm output
Output a Helm chart.
Usage
$ roxctl helm output <central_services or secured_cluster_services> [flags]
For <central_services or secured_cluster_services>, specify the path to either the central services or the secured cluster services to generate a Helm chart output.
| Option | Description |
|---|---|
|
|
Read templates from the local filesystem. The default value is |
|
|
Specify the path to the Helm templates on your local filesystem. For more details, run the |
|
|
Set the default container image settings. Image settings include |
|
|
Define the path to the output directory for the Helm chart. The default path is |
|
|
Remove the output directory if it already exists. The default value is |
8.8.3. roxctl helm derive-local-values
Derive local Helm values from the cluster configuration.
Usage
$ roxctl helm derive-local-values --output <path> \
<central_services> [flags]
| Option | Description |
|---|---|
|
| Specify the path to the file or directory containing the YAML input. |
|
| Define the path to the output file. |
|
| Define the path to the output directory. |
|
|
Set the timeout after which API requests are retried. The timeout value indicates that the entire request duration is waited for without retrying. The default value is |
|
|
Set the timeout for API requests representing the maximum duration of a request. The default value is |
8.9. roxctl image
Commands that you can run on a specific image.
Usage
$ roxctl image [command] [flags]
| Command | Description |
|---|---|
|
| Check images for build time policy violations, and report them. |
|
| Scan the specified image, and return the scan results. |
| Option | Description |
|---|---|
| -t, --timeout duration | Set the timeout for API requests representing the maximum duration of a request. The default value is 10m0s. |
8.9.1. roxctl image command options inherited from the parent command
The roxctl image command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl image command.
8.9.2. roxctl image scan
Scan the specified image, and return the scan results.
Usage
$ roxctl image scan [flags]
| Option | Description |
|---|---|
|
| Specify the cluster name or ID to which you want to delegate the image scan. |
|
|
Print JSON output in a compact format. The default value is |
|
|
Fail if vulnerabilities have been found. The default value is |
|
|
Ignore Central’s cache and force a fresh re-pull from Scanner. The default value is |
|
|
Specify the headers to print in a tabular output. The default values include |
|
|
Print headers as comments in a CSV tabular output. The default value is |
|
|
Specify the image name and reference to scan. For example, |
|
|
Include snoozed and unsnoozed CVEs in the scan results. The default value is |
|
|
Merge duplicate cells in a tabular output. The default value is |
|
|
Do not print headers for a tabular output. The default value is |
|
|
Specify the output format. Output formats include |
|
|
Specify the number of retries before exiting as an error. The default value is |
|
|
Set the time to wait between retries in seconds. The default value is |
|
|
Specify JSON path expressions to create a row from the JSON object. For more details, run the |
|
|
List of severities to include in the output. Use this to filter for specific severities. The default values include |
8.9.3. roxctl image check
Check images for build time policy violations, and report them.
Usage
$ roxctl image check [flags]
| Option | Description |
|---|---|
|
| List of the policy categories that you want to execute. By default, all the policy categories are used. |
|
| Define the cluster name or ID that you want to use as the context for evaluation. |
|
|
Print JSON output in a compact format. The default value is |
|
|
Bypass the Central cache for the image and force a new pull from the Scanner. The default value is |
|
|
Define headers to print in a tabular output. The default values include |
|
|
Print headers as comments in a CSV tabular output. The default value is |
|
|
Specify the image name and reference. For example, |
|
|
Set the name of the JUnit test suite. Default value is |
|
|
Merge duplicate cells in a tabular output. The default value is |
|
|
Do not print headers for a tabular output. The default value is |
|
|
Choose the output format. Output formats include |
|
|
Set the number of retries before exiting as an error. The default value is |
|
|
Set the time to wait between retries in seconds. The default value is |
|
|
Create a row from the JSON object by using JSON path expression. For more details, run the |
|
|
Define whether you want to send notifications in the event of violations. The default value is |
8.10. roxctl netpol
Commands related to the network policies.
Usage
$ roxctl netpol [command] [flags]
| Command | Description |
|---|---|
|
| Connectivity analysis of the network policy resources. |
|
| Recommend network policies based on the deployment information. |
8.10.1. roxctl netpol command options inherited from the parent command
The roxctl netpol command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl netpol command.
8.10.2. roxctl netpol generate
Recommend network policies based on the deployment information.
Usage
$ roxctl netpol generate <folder_path> [flags]
For <folder_path>, specify the path to the directory containing your Kubernetes deployment and service configuration files.
| Option | Description |
|---|---|
|
|
Specify the DNS port that you want to use in the egress rules of synthesized network policies. The default value is |
|
|
Fail on the first encountered error. The default value is |
|
| Save generated policies into the target folder. |
|
| Save and merge generated policies into a single YAML file. |
|
|
Remove the output path if it already exists. The default value is |
|
|
Treat warnings as errors. The default value is |
8.10.3. roxctl netpol connectivity
Commands related to the connectivity analysis of the network policy resources.
Usage
$ roxctl netpol connectivity [flags]
8.10.3.1. roxctl netpol connectivity map
Analyze connectivity based on the network policies and other resources.
Usage
$ roxctl netpol connectivity map <folder_path> [flags]
For <folder_path>, specify the path to the directory containing your Kubernetes deployment and service configuration files.
| Option | Description |
|---|---|
|
|
Enhance the analysis of permitted connectivity by using exposure analysis. The default value is |
|
|
Fail on the first encountered error. The default value is |
|
| Focus on connections of the specified workload name in the output. |
|
| Save the connections list output into a specific file. |
|
|
Configure the connections list in a specific format. Supported formats include |
|
|
Remove the output path if it already exists. The default value is |
|
|
Define whether you want to save the output of the connection list in the default file. The default value is |
|
|
Treat warnings as errors. The default value is |
8.10.3.2. roxctl netpol connectivity diff
Report connectivity differences based on two network policy directories and YAML manifests with workload resources.
Usage
$ roxctl netpol connectivity diff [flags]
| Option | Description |
|---|---|
|
| Specify the first directory path of the input resources. This value is mandatory. |
|
| Specify the second directory path of the input resources that you want to compare with the first directory path. This value is mandatory. |
|
|
Fail on the first encountered error. The default value is |
|
| Save the output of the connectivity difference command into a specific file. |
|
|
Configure the output of the connectivity difference command in a specific format. Supported formats include |
|
|
Remove the output path if it already exists. The default value is |
|
|
Define whether you want to store the output of the connectivity differences in the default file. The default value is |
|
|
Treat warnings as errors. The default value is |
8.11. roxctl scanner
Commands related to the StackRox Scanner and Scanner V4 services.
Usage
$ roxctl scanner [command] [flags]
| Command | Description |
|---|---|
|
| Download the offline vulnerability database for StackRox Scanner and Scanner V4. |
|
| Generate the required YAML configuration files to deploy the StackRox Scanner and Scanner V4. |
|
| Upload a vulnerability database for the StackRox Scanner and Scanner V4. |
8.11.1. roxctl scanner command options inherited from the parent command
The roxctl scanner command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
|
|
Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
|
|
Set |
|
|
Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
|
|
Force the use of HTTP/1 for all connections. Alternatively, by setting the |
|
|
Enable insecure connection options. Alternatively, by setting the |
|
|
Skip the TLS certificate validation. Alternatively, by setting the |
|
|
Disable the color output. Alternatively, by setting the |
|
|
Specify the password for basic authentication. Alternatively, you can set the password by using the |
|
|
Use an unencrypted connection. Alternatively, by setting the |
|
|
Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
|
|
Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl scanner command.
8.11.2. roxctl scanner generate
Generate the required YAML configuration files to deploy Scanner.
Usage
$ roxctl scanner generate [flags]
| Option | Description |
|---|---|
|
|
Specify the type of cluster on which you want to run Scanner. Cluster types include |
|
|
Create |
|
|
Generate deployment files that support the specified Istio version. Valid versions include |
|
| Specify the output directory for the Scanner bundle. Leave blank to use the default value. |
|
|
Set the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is |
|
| Specify the Scanner image that you want to use. Leave blank to use the server default. |
|
|
Set the timeout for API requests representing the maximum duration of a request. The default value is |
8.11.3. roxctl scanner upload-db
Upload a vulnerability database for Scanner.
Usage
$ roxctl scanner upload-db [flags]
| Option | Description |
|---|---|
|
| Specify the file containing the dumped Scanner definitions DB. |
|
|
Set the timeout for API requests representing the maximum duration of a request. The default value is |
8.11.4. roxctl scanner download-db
Download the offline vulnerability database for StackRox Scanner or Scanner V4.
This command downloads version-specific offline vulnerability bundles. The system contacts Central to determine the version if one is not specified. If communication fails, the download defaults to the version embedded within roxctl.
By default, it will attempt to download the database for the determined version and less-specific variants. For example, if version 4.4.1-extra is specified, downloads will be attempted for the following version variants:
- 4.4.1-extra
- 4.4.1
- 4.4
Usage
$ roxctl scanner download-db [flags]
| Option | Description |
|---|---|
|
|
Force overwriting the output file if it already exists. The default value is |
|
| Output file to save the vulnerability database to. The default value is the name and path of the remote file that is downloaded. |
|
|
Do not contact Central when detecting the version. The default value is |
|
|
Do not attempt to process variants of the determined version. The default value is |
|
|
Set the timeout for API requests representing the maximum duration of a request. The default value is |
|
| Download a specific version or version variant of the vulnerability database. By default, the version is automatically detected. |
8.12. roxctl sensor
Deploy Red Hat Advanced Cluster Security for Kubernetes (RHACS) services in secured clusters.
Usage
$ roxctl sensor [command] [flags]
| Command | Description |
|---|---|
|
| Generate files to deploy RHACS services in secured clusters. |
|
| Download a YAML file with renewed certificates for Sensor, Collector, and Admission controller. |
|
| Download a bundle with the files to deploy RHACS services in a cluster. |
| Option | Description |
|---|---|
|
|
Set the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is |
|
|
Set the timeout for API requests representing the maximum duration of a request. The default value is |
8.12.1. roxctl sensor command options inherited from the parent command
The roxctl sensor command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
| | Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
| | Set |
| | Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
| | Force the use of HTTP/1 for all connections. Alternatively, by setting the |
| | Enable insecure connection options. Alternatively, by setting the |
| | Skip the TLS certificate validation. Alternatively, by setting the |
| | Disable the color output. Alternatively, by setting the |
| | Specify the password for basic authentication. Alternatively, you can set the password by using the |
| | Use an unencrypted connection. Alternatively, by setting the |
| | Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
| | Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |
These options are applicable to all the sub-commands of the roxctl sensor command.
8.12.2. roxctl sensor generate
Generate files to deploy RHACS services in secured clusters.
Usage
$ roxctl sensor generate [flags]
| Option | Description |
|---|---|
| | Disable the bypass annotations for the admission controller. The default value is |
| | Dynamically enable enforcement on object creation in the admission controller. The default value is |
| | Enable dynamic enforcement of object updates in the admission controller. The default value is |
| | Configure the admission controller webhook to listen to deployment creation. The default value is |
| | Configure the admission controller webhook to listen to deployment updates. The default value is |
| | Get scans inline when using the admission controller. The default value is |
| | Set the timeout in seconds for the admission controller. The default value is |
| | Set the endpoint to which you want to connect Sensor. The default value is |
| | Specify the collection method that you want to use for runtime support. Collection methods include |
| | Set the image repository that you want to use to deploy Collector. If not specified, a default value corresponding to the effective |
| | Continue with downloading the sensor bundle even if the cluster already exists. The default value is |
| | Decide whether to create the upgrader service account with |
| | Disable tolerations for tainted nodes. The default value is |
| | Create |
| | Generate deployment files that support the specified Istio version. Valid versions include |
| | Specify the image repository that you want to use to deploy Sensor. If not specified, a default value is used. |
| | Set the cluster name to identify the cluster. |
| | Set the output directory for the bundle contents. The default value is an automatically generated directory name inside the current directory. |
| | Use Collector-slim in the deployment bundle. Valid values include |
| | Set the timeout for API requests representing the maximum duration of a request. The default value is |
8.12.2.1. roxctl sensor generate k8s
Generate the required files to deploy RHACS services in a Kubernetes cluster.
Usage
$ roxctl sensor generate k8s [flags]
| Option | Description |
|---|---|
| | Enable admission controller webhook to listen to Kubernetes events. The default value is |
8.12.2.2. roxctl sensor generate openshift
Generate the required files to deploy RHACS services in a Red Hat OpenShift cluster.
Usage
$ roxctl sensor generate openshift [flags]
| Option | Description |
|---|---|
| `--admission-controller-listen-on-events false\|true\|auto[=true]` | |
| `--disable-audit-logs false\|true\|auto[=true]` | Enable or disable audit log collection for runtime detection. The default value is |
| | Specify the Red Hat OpenShift major version for which you want to generate the deployment files. |
8.12.3. roxctl sensor get-bundle
Download a bundle with the files to deploy RHACS services into a cluster.
Usage
$ roxctl sensor get-bundle <cluster_details> [flags]
For <cluster_details>, specify the cluster name or ID.
| Option | Description |
|---|---|
| | Specify whether to create the upgrader service account with |
| | Generate deployment files that support the specified Istio version. Valid versions include |
| | Specify the output directory for the bundle contents. The default value is an automatically generated directory name inside the current directory. |
| | Use Collector-slim in the deployment bundle. Valid values include |
| | Set the timeout for API requests representing the maximum duration of a request. The default value is |
8.12.4. roxctl sensor generate-certs
Download a YAML file with renewed certificates for Sensor, Collector, and Admission controller.
Usage
$ roxctl sensor generate-certs <cluster_details> [flags]
For <cluster_details>, specify the cluster name or ID.
| Option | Description |
|---|---|
| | Specify the output directory for the YAML file. The default value is |
8.13. roxctl version
Display the current roxctl version.
Usage
$ roxctl version [flags]
8.13.1. roxctl version command options
The roxctl version command supports the following option:
| Option | Description |
|---|---|
| | Display the extended version information as JSON. The default value is |
8.13.2. roxctl version command options inherited from the parent command
The roxctl version command supports the following options inherited from the parent roxctl command:
| Option | Description |
|---|---|
| | Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the |
| | Set |
| | Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the |
| | Force the use of HTTP/1 for all connections. Alternatively, by setting the |
| | Enable insecure connection options. Alternatively, by setting the |
| | Skip the TLS certificate validation. Alternatively, by setting the |
| | Disable the color output. Alternatively, by setting the |
| | Specify the password for basic authentication. Alternatively, you can set the password by using the |
| | Use an unencrypted connection. Alternatively, by setting the |
| | Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the |
| | Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the |