
Chapter 4. Reissuing internal certificates


Each component of Red Hat Advanced Cluster Security for Kubernetes uses an X.509 certificate to authenticate itself to other components. These certificates have expiration dates, and you must reissue, or rotate, certificates before they expire. You can view the certificate expiration dates by selecting Platform Configuration → Clusters in the RHACS portal and viewing the Credential Expiration column.

4.1. Reissuing internal certificates for Central services

The Central services contain the Central, Central DB, Scanner, and Scanner V4 components. The Central services use a built-in server certificate for authentication when communicating with other Red Hat Advanced Cluster Security for Kubernetes (RHACS) services. This certificate is unique to your Central service installation. The RHACS portal shows an informational banner when a Central service certificate is about to expire.

Note

The informational banner only appears 15 days before the certificate expiration date.

Beginning with RHACS 4.3.4, the Operator automatically rotates the service transport layer security (TLS) certificates for all of the Central components 6 months before they expire.

Important
  • The automated rotation of the TLS certificates applies only to Operator-based installations. For all other installation methods, you must manually rotate the TLS certificates.
  • The rotation of the TLS certificates within the secrets does not automatically trigger the components to reload them. If the corresponding pods are not restarted at least every 6 months, you must manually restart the pods to load the new certificates before the old ones expire.
  • Certificate authority (CA) certificates are not updated. They are valid for 5 years.

4.1.1. Reissuing internal certificates for Central

You can maintain a secure communication between Central and other Red Hat Advanced Cluster Security for Kubernetes (RHACS) components by reissuing the internal certificates.

Prerequisites

  • You have write permission for the Administration resource.

Procedure

  1. In the RHACS portal, click the link in the banner that announces the certificate expiration to download a YAML configuration file, which contains a new secret. The secret includes the certificate and key values.
  2. To apply the new YAML configuration file to the cluster where you have installed Central, run the following command:

    $ oc apply -f <secret_file.yaml>
  3. To apply the changes, restart Central.
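
The following script is an added example and is not part of this documentation or of RHACS itself. It reads a downloaded secret manifest like the one from step 1, reports the validity period of every certificate stored under `data:`, and implements the check implied by the Important note above: a pod that started before the secret's certificate was issued cannot have loaded it and still needs a restart. It uses only the Python standard library (a minimal DER walker reads the X.509 validity field). The secret name `central-tls` and the data keys `cert.pem` and `key.pem` are assumptions about the manifest layout, and the embedded certificate is a constructed minimal DER skeleton with a genuine validity field, not a real RHACS certificate.

```python
# Added example, not part of the Red Hat documentation: inspect the certificates in a
# downloaded RHACS secret manifest and decide whether running pods still need a restart.
# Standard library only; a minimal DER walker reads the X.509 validity period.
import base64
import datetime
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = datetime.timezone.utc


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def parse_time(tag, raw):
    """Decode UTCTime (tag 0x17) or GeneralizedTime (tag 0x18) into an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                                    # YYMMDDHHMMSSZ; RFC 5280 century rule
        yy = int(text[:2])
        text = f"{2000 + yy if yy < 50 else 1900 + yy}{text[2:]}"
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, tbs_start, _ = der_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, pos, _ = der_tlv(der, tbs_start)               # tbsCertificate ::= SEQUENCE
    tag, _, end = der_tlv(der, pos)
    if tag == 0xA0:                                    # optional EXPLICIT [0] version
        pos = end
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = der_tlv(der, pos)
    _, vpos, _ = der_tlv(der, pos)                     # validity ::= SEQUENCE { notBefore, notAfter }
    tag, s, e = der_tlv(der, vpos)
    not_before = parse_time(tag, der[s:e])
    tag, s, e = der_tlv(der, e)
    return not_before, parse_time(tag, der[s:e])


def secret_certificates(secret_yaml):
    """Map each data: key of a Secret manifest that holds a PEM certificate to its validity."""
    found, in_data = {}, False
    for line in secret_yaml.splitlines():
        if not line.startswith(" "):                   # top-level key: are we entering data:?
            in_data = line.startswith("data:")
            continue
        m = re.match(r"^\s+([\w.\-]+):\s*(\S+)\s*$", line) if in_data else None
        if not m:
            continue
        pem = base64.b64decode(m.group(2)).decode("ascii", "replace")
        block = PEM_RE.search(pem)                     # entries such as key.pem are skipped
        if block:
            found[m.group(1)] = cert_validity(base64.b64decode("".join(block.group(1).split())))
    return found


def days_remaining(not_after, now):
    """Whole days until the certificate expires (negative once it has expired)."""
    return (not_after - now).days


def restart_needed(not_before, pod_started_at):
    """A pod that started before the secret's certificate was issued cannot have loaded it."""
    return pod_started_at < not_before


# --- constructed sample data (not a real RHACS certificate or secret) ------------------
def _tlv(tag, body):
    """Short-form DER encoder, used only to build the sample below."""
    return bytes([tag, len(body)]) + body


def sample_cert_der():
    """Minimal Certificate skeleton with a genuine validity field; no key, no signature."""
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"270101000000Z"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))             # version v3
           + _tlv(0x02, b"\x01")                       # serialNumber
           + _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
           + _tlv(0x30, b"")                           # issuer (empty Name)
           + validity
           + _tlv(0x30, b"")                           # subject (empty Name)
           + _tlv(0x30, b""))                          # subjectPublicKeyInfo (empty)
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Secret name and data keys are assumptions about the downloaded manifest's layout.
SAMPLE_SECRET_YAML = f"""apiVersion: v1
kind: Secret
metadata:
  name: central-tls
  namespace: stackrox
type: Opaque
data:
  cert.pem: {base64.b64encode(_pem(sample_cert_der()).encode()).decode()}
  key.pem: {base64.b64encode(b'REDACTED-PRIVATE-KEY').decode()}
"""

if __name__ == "__main__":
    import sys
    now = datetime.datetime.now(UTC)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECRET_YAML
    for key, (nb, na) in secret_certificates(text).items():
        print(f"{key}: notBefore={nb:%Y-%m-%d} notAfter={na:%Y-%m-%d} "
              f"days_remaining={days_remaining(na, now)}")
```

Run it as `python3 check_secret.py <secret_file.yaml>` against a real download, or with no argument to see the constructed sample. To feed `restart_needed`, take the pod's start time from `oc -n stackrox get pod -l app=central -o jsonpath='{.items[0].status.startTime}'` (`kubectl` on Kubernetes) and parse it the same way; if the pod predates the certificate's notBefore, the restart in the next section is still outstanding.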

4.1.1.1. Restarting the Central container

You can restart the Central container by deleting the Central pod.

Note

If you use Kubernetes, enter kubectl instead of oc.

Procedure

  • To delete the Central pod, run the following command:

    $ oc -n stackrox delete pod -lapp=central

4.1.2. Reissuing internal certificates for Central DB

You can maintain a secure communication between Central DB and other Red Hat Advanced Cluster Security for Kubernetes (RHACS) components by reissuing the internal certificates.

Prerequisites

  • You have write permission for the Administration resource.

Procedure

  1. In the RHACS portal, click the link in the banner that announces the certificate expiration to download a YAML configuration file, which contains a new secret. The secret includes the certificate and key values.
  2. To apply the new YAML configuration file to the cluster where you have installed Central DB, run the following command:

    $ oc apply -f <secret_file.yaml>
  3. To apply the changes, restart Central DB.

4.1.2.1. Restarting the Central DB container

You can restart the Central DB container by deleting the Central DB pod.

Note

If you use Kubernetes, enter kubectl instead of oc.

Procedure

  • To delete the Central DB pod, run the following command:

    $ oc -n stackrox delete pod -lapp=central-db

4.1.3. Reissuing internal certificates for Scanner

You can maintain a secure communication between Scanner and other Red Hat Advanced Cluster Security for Kubernetes (RHACS) components by reissuing the internal certificates.

Prerequisites

  • You have write permission for the Administration resource.

Procedure

  1. Click the link in the banner to download a YAML configuration file, which contains a new OpenShift Container Platform secret, including the certificate and key values.
  2. To apply the new YAML configuration file to the cluster where you have installed Scanner, run the following command:

    $ oc apply -f <secret_file.yaml>
  3. To apply the changes, restart Scanner.

4.1.3.1. Restarting the Scanner and Scanner DB containers

You can restart the Scanner and Scanner DB containers by deleting the pods.

Note

If you use Kubernetes, enter kubectl instead of oc.

Procedure

  • To delete the Scanner pods, run the following command:

    $ oc delete pod -n stackrox -l app=scanner
  • To delete the Scanner DB pods, run the following command:

    $ oc -n stackrox delete pod -l app=scanner-db

4.1.4. Reissuing internal certificates for Scanner V4

You can maintain a secure communication between Scanner V4 and other Red Hat Advanced Cluster Security for Kubernetes (RHACS) components by reissuing the internal certificates.

Prerequisites

  • You have write permission for the Administration resource.

Procedure

  1. Click the link in the banner to download a YAML configuration file, which contains a new OpenShift Container Platform secret, including the certificate and key values.
  2. To apply the new YAML configuration file to the cluster where you have installed Scanner V4, run the following command:

    $ oc apply -f <secret_file.yaml>
  3. To apply the changes, restart Scanner V4.

4.1.4.1. Restarting the Scanner V4 containers

You can restart the Scanner V4 Matcher, Indexer, and DB containers by deleting their corresponding pods.

Note

If you use Kubernetes, enter kubectl instead of oc.

Procedure

  • To delete the Scanner V4 Matcher pod, run the following command:

    $ oc delete pod -n stackrox -l app=scanner-v4-matcher
  • To delete the Scanner V4 Indexer pod, run the following command:

    $ oc delete pod -n stackrox -l app=scanner-v4-indexer
  • To delete the Scanner V4 DB pod, run the following command:

    $ oc delete pod -n stackrox -l app=scanner-v4-db

4.2. Reissuing internal certificates for secured clusters

Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. These components communicate with each other, and with Central, by using certificates.

Choose the appropriate method to reissue the internal certificates:

  • Use the automatic certificate renewal feature. This is the recommended method for Operator and Helm deployments. It is the only supported method for installations if you used a cluster registration secret (CRS) to set up communication between Central and secured clusters.
  • Generate, download, and install an init bundle on the secured cluster. You must have the Admin user role to generate an init bundle. This method is only recommended for Operator and Helm deployments if the certificates have already expired and the secured cluster can no longer connect to Central.
  • Use the automatic upgrades feature, which is only available for static manifest deployments by using the roxctl CLI. This method is only recommended if you have a specific installation requirement that necessitates the use of this method.

4.2.1. Reissuing internal certificates for secured clusters by using automatic certificate renewal

Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. You can reissue internal certificates for these components by using automatic certificate renewal.

TLS certificates are automatically renewed several months in advance but are only loaded when RHACS pods restart, for example, during an upgrade.

4.2.1.1. Verifying the status of automatic certificate renewal

By viewing the Clusters page, you can verify that the automatic certificate renewal is active.

Procedure

  1. In the RHACS portal, click Platform Configuration → Clusters.
  2. Verify that Auto-refresh enabled appears in the Credential Expiration column.

Important

If a secured cluster displays a warning about soon-to-expire credentials even though auto-refresh is enabled, you must manually restart the pods of the affected cluster to apply the latest certificates and prevent downtime.

For more information, see "Applying the latest internal certificates".

4.2.1.2. Applying the latest internal certificates

By manually restarting the pods of the affected cluster, you can apply the latest certificates and prevent downtime.

Note

If you use Kubernetes, use kubectl instead of oc.

Prerequisites

  • You have write permission for the Administration resource.

Procedure

  • To manually restart the pods of the affected cluster, run the following command:

    $ oc -n <namespace> delete pods --all

    where:

    <namespace>
    Specifies the namespace where you installed the secured cluster. For example, stackrox.

4.2.2. Reissuing internal certificates for secured clusters by using init bundles

Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. These components use a built-in server certificate for authentication when communicating with other Red Hat Advanced Cluster Security for Kubernetes (RHACS) components.

The RHACS portal shows an information banner when the Central certificate is about to expire.

Note

The information banner only appears 15 days before the certificate expiry date.

Prerequisites

  • You have write permission for the Administration resource.
  • You have the Admin user role to create init bundles.

Important

Store the init bundle securely because it contains secrets. You can use the same bundle to set up more than one secured cluster.

Procedure

  1. Generate an init bundle by using the RHACS portal or by using the roxctl CLI, and then apply the bundle to the secured cluster. For more information, see "Generating and applying a cluster registration secret or an init bundle for RHACS on Red Hat OpenShift" or "Generating and applying a cluster registration secret or an init bundle for RHACS on other platforms".

4.2.3. Reissuing internal certificates for secured clusters by using automatic upgrades

Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. You can reissue internal certificates for these components by using automatic upgrades.

Important

Automatic upgrades are only applicable to static manifest-based deployments by using the roxctl CLI.

For more information, see "Install Central using the roxctl CLI".

Prerequisites

  • You have enabled automatic upgrades for all the clusters.
  • You have write permission for the Administration resource.

Procedure

  1. In the RHACS portal, click Platform Configuration → Clusters.
  2. Select a cluster to view its details.
  3. From the cluster details panel, select the link to Apply credentials by using an automatic upgrade.

    Note

    When you apply an automatic upgrade, Red Hat Advanced Cluster Security for Kubernetes (RHACS) creates new credentials in the selected cluster. However, you continue to see a notification. The notification disappears when each RHACS service uses the new credentials after the service restarts.

© 2026 Red Hat