Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 2. Adding trusted certificate authorities


Learn how to add custom trusted certificate authorities to Red Hat Advanced Cluster Security for Kubernetes.

If you are using an enterprise certificate authority (CA) on your network, or self-signed certificates, you must add the CA’s root certificate to Red Hat Advanced Cluster Security for Kubernetes as a trusted root CA.

Adding trusted root CAs allows:

  • Central and Scanner to trust remote servers when you integrate with other tools.
  • Sensor to trust custom certificates you use for Central.

You can add additional CAs during the installation or on an existing deployment.

Note

You must first configure your trusted CAs in the cluster where you have deployed Central and then propagate the changes to Scanner and Sensor.

2.1. Configuring additional CAs

To add custom CAs:

Procedure

  1. Download the ca-setup.sh script.

    Note
    • If you are doing a new installation, you can find the ca-setup.sh script in the scripts directory at central-bundle/central/scripts/ca-setup.sh.
    • You must run the ca-setup.sh script in the same terminal from which you logged into your OpenShift Container Platform cluster.
  2. Make the ca-setup.sh script executable:

    $ chmod +x ca-setup.sh
  3. To add:

    1. A single certificate, use the -f (file) option:

      $ ./ca-setup.sh -f <certificate>
      Note
      • You must use a PEM-encoded certificate file (with any extension).
      • You can also use the -u (update) option along with the -f option to update any previously added certificate.
    2. Multiple certificates at once, move all certificates in a directory, and then use the -d (directory) option:

      $ ./ca-setup.sh -d <directory_name>
      Note
      • You must use PEM-encoded certificate files with a .crt or .pem extension.
      • Each file must only contain a single certificate.
      • You can also use the -u (update) option along with the -d option to update any previously added certificates.

2.2. Propagating changes

After you configure trusted CAs, you must make Red Hat Advanced Cluster Security for Kubernetes services trust them.

  • If you have configured trusted CAs after the installation, you must restart Central.
  • Additionally, if you are also adding certificates for integrating with image registries, you must restart both Central and Scanner.

2.2.1. Restarting the Central container

You can restart the Central container by killing the Central container or by deleting the Central pod.

Procedure

  • Run the following command to kill the Central container:

    Note

    You must wait for at least 1 minute, until OpenShift Container Platform propagates your changes and restarts the Central container.

    $ oc -n stackrox exec deploy/central -c central -- kill 1
  • Or, run the following command to delete the Central pod:

    $ oc -n stackrox delete pod -lapp=central

2.2.2. Restarting the Scanner container

You can restart the Scanner container by deleting the pod.

Procedure

  • Run the following command to delete the Scanner pod:

    • On OpenShift Container Platform:

      $ oc delete pod -n stackrox -l app=scanner
    • On Kubernetes:

      $ kubectl delete pod -n stackrox -l app=scanner
Important

After you have added trusted CAs and configured Central, the CAs are included in any new Sensor deployment bundles that you create.

  • If an existing Sensor reports problems while connecting to Central, you must generate a Sensor deployment YAML file and update existing clusters.
  • If you are deploying a new Sensor using the sensor.sh script, run the following command before you run the sensor.sh script:

    $ ./ca-setup-sensor.sh -d ./additional-cas/
  • If you are deploying a new Sensor using Helm, you do not have to run any additional scripts.
Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.