Chapter 5. Enabling offline mode
You can use Red Hat Advanced Cluster Security for Kubernetes for clusters that are not connected to the internet by enabling offline mode. In offline mode, Red Hat Advanced Cluster Security for Kubernetes components do not connect to addresses or hosts on the internet.
Red Hat Advanced Cluster Security for Kubernetes does not determine if the user-supplied hostnames, IP addresses, or other resources are on the internet. For example, if you try to integrate with a Docker registry hosted on the internet, Red Hat Advanced Cluster Security for Kubernetes will not block this request.
To deploy and operate Red Hat Advanced Cluster Security for Kubernetes in offline mode:
- Download RHACS images and install them in your clusters. If you are using OpenShift Container Platform, you can use Operator Lifecycle Manager (OLM) and OperatorHub to download images to a workstation that is connected to the internet. The workstation then pushes images to a mirror registry that is also connected to your secured cluster. For other platforms, you can use a program such as Skopeo or Docker to pull the images from the remote registry and push them to your own private registry, as described in Downloading images directly.
- Enable offline mode during installation.
- (Optional) Routinely update Scanner’s vulnerability list by uploading a new definitions file.
- (Optional) When required, add support for runtime collection on more kernel versions by uploading new kernel support packages.
You can only enable offline mode during the installation, and not during an upgrade.
5.1. Downloading images for offline use
5.1.1. Downloading images directly
You can manually pull, retag, and push Red Hat Advanced Cluster Security for Kubernetes images to your registry. The images included in the current version of the image bundles are:
- registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.69.2
- registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.69.2
- registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.69.2
- registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:3.69.2
- registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:3.69.2
5.1.1.1. Retagging images
You can download and retag images using the Docker command-line interface.
When you retag an image, you must maintain the name of the image and the tag. For example, use:
$ docker tag registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.69.2 <your_registry>/rhacs-main-rhel8:3.69.2
and do not retag like the following example:
$ docker tag registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.69.2 <your_registry>/other-name:latest
Procedure
- Log in to the registry:
  $ docker login registry.redhat.io
- Pull the image:
  $ docker pull <image>
- Retag the image:
  $ docker tag <image> <new_image>
- Push the updated image to your registry:
  $ docker push <new_image>
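As an added example (not from the RHACS documentation), the following POSIX shell script mirrors the image bundle listed above into a private registry while refusing any retag that would change the image name or tag. The mirror registry mirror.example.com:5000 is an assumed placeholder; DRY_RUN=1 prints the docker commands instead of running them, and RUN_MIRROR=1 starts the mirroring.

```shell
#!/bin/sh
# Added example, not part of the RHACS docs: mirror the RHACS 3.69.2 image
# bundle into a private registry, keeping each image's name and tag unchanged.
# Run "docker login registry.redhat.io" first when actually pulling.
MIRROR_REGISTRY="${MIRROR_REGISTRY:-mirror.example.com:5000}"   # assumed placeholder
RHACS_VERSION="3.69.2"
SRC_REGISTRY="registry.redhat.io/advanced-cluster-security"

# Image names from the bundle list in this chapter.
RHACS_IMAGES="rhacs-main-rhel8 rhacs-scanner-rhel8 rhacs-scanner-db-rhel8 rhacs-collector-rhel8 rhacs-collector-slim-rhel8"

# mirror_name SRC -> prints <MIRROR_REGISTRY>/<name>:<tag>, dropping only the
# source registry and namespace so that name and tag are preserved.
mirror_name() {
    image="$1"
    name_tag="${image##*/}"
    printf '%s/%s\n' "$MIRROR_REGISTRY" "$name_tag"
}

# check_retag SRC DST -> 0 only if DST keeps SRC's image name and tag
# (the <your_registry>/other-name:latest form above is rejected).
check_retag() {
    src_name_tag="${1##*/}"
    dst_name_tag="${2##*/}"
    [ "$src_name_tag" = "$dst_name_tag" ]
}

# run CMD... -> echoes the command under DRY_RUN=1, otherwise executes it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# mirror_all -> pull, retag and push every bundle image, aborting on a bad retag.
mirror_all() {
    for img in $RHACS_IMAGES; do
        src="$SRC_REGISTRY/$img:$RHACS_VERSION"
        dst="$(mirror_name "$src")"
        check_retag "$src" "$dst" || { echo "refusing to retag $src as $dst" >&2; return 1; }
        run docker pull "$src"
        run docker tag "$src" "$dst"
        run docker push "$dst"
    done
}

if [ "${RUN_MIRROR:-0}" = "1" ]; then mirror_all; fi
```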
5.2. Enabling offline mode during installation
You can enable offline mode during the installation of Red Hat Advanced Cluster Security for Kubernetes.
5.2.1. Enabling offline mode by using Helm configuration
You can enable offline mode during the installation when you are installing Red Hat Advanced Cluster Security for Kubernetes by using a Helm chart.
Procedure
- When installing the central-services Helm chart, set the value of the env.offlineMode environment variable to true in the values-public.yaml configuration file.
- When installing the secured-cluster-services Helm chart, set the value of the config.offlineMode parameter to true in the values-public.yaml configuration file.
5.2.2. Enabling offline mode by using the roxctl CLI
You can enable offline mode when you are installing Red Hat Advanced Cluster Security for Kubernetes by using the roxctl CLI.
Procedure
- If you are using a registry other than the default internet-connected registry (registry.redhat.io), provide the locations where you have pushed the Red Hat Advanced Cluster Security for Kubernetes images when answering the image to use prompts:
  Enter main image to use (if unset, the default will be used): <your_registry>/rhacs-main-rhel8:3.69.2
  Note: The default image depends on your answer for the prompt Enter default container images settings:. If you entered rhacs, the default option, the default image will be registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.69.2.
  Enter Scanner DB image to use (if unset, the default will be used): <your_registry>/rhacs-scanner-db-rhel8:3.69.2
  Enter Scanner image to use (if unset, the default will be used): <your_registry>/rhacs-scanner-rhel8:3.69.2
- To enable offline mode, enter true when answering the Enter whether to run StackRox in offline mode prompt:
  Enter whether to run StackRox in offline mode, which avoids reaching out to the internet (default: "false"): true
- Later, when you add Sensor to a remote cluster in the Platform Configuration → Clusters view in the RHACS portal, you must specify the Collector image name in the Collector Image Repository field.
5.3. Updating Scanner definitions in offline mode
Scanner contains a local vulnerability definitions database. When Red Hat Advanced Cluster Security for Kubernetes runs in normal mode (connected to the internet), Scanner fetches new vulnerability definitions from the internet and updates its database.
However, when you are using Red Hat Advanced Cluster Security for Kubernetes in offline mode, you must manually update Scanner definitions by uploading them to Central.
When Red Hat Advanced Cluster Security for Kubernetes runs in offline mode, Scanner checks for new definitions from Central. If new definitions are available, Scanner downloads the new definitions from Central, marks them as default, and then uses the updated definitions for scanning images.
To update the definitions in offline mode:
- Download the definitions.
- Upload the definitions to Central.
5.3.1. Downloading Scanner definitions
If you are running Red Hat Advanced Cluster Security for Kubernetes in offline mode, you can download the vulnerability definitions database that Scanner uses and then upload it to Central.
Prerequisites
- To download Scanner definitions, you need a system with internet access.
Procedure
- Navigate to https://install.stackrox.io/scanner/scanner-vuln-updates.zip to download the definitions.
5.3.2. Uploading definitions to Central
To upload Scanner definitions to Central, you can either use an API token or your administrator password. Red Hat recommends using an authentication token in a production environment because each token is assigned specific access control permissions.
5.3.2.1. Uploading definitions to Central by using an API token
You can upload the vulnerability definitions database that Scanner uses to Central by using an API token.
Prerequisites
- You must have an API token with the administrator role.
- You must have installed the roxctl command-line interface (CLI).
Procedure
- Set the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables:
  $ export ROX_API_TOKEN=<api_token>
  $ export ROX_CENTRAL_ADDRESS=<address>:<port_number>
- Run the following command to upload the definitions file:
  $ roxctl scanner upload-db \
      -e "$ROX_CENTRAL_ADDRESS" \
      --scanner-db-file=<compressed_scanner_definitions.zip>
5.3.2.2. Uploading definitions to Central by using the administrator password
You can upload the vulnerability definitions database that Scanner uses to Central by using your Red Hat Advanced Cluster Security for Kubernetes administrator password.
Prerequisites
- You must have the administrator password.
- You must have installed the roxctl command-line interface (CLI).
Procedure
- Set the ROX_CENTRAL_ADDRESS environment variable:
  $ export ROX_CENTRAL_ADDRESS=<address>:<port_number>
- Run the following command to upload the definitions file:
  $ roxctl scanner upload-db \
      -p <your_administrator_password> \
      -e "$ROX_CENTRAL_ADDRESS" \
      --scanner-db-file=<compressed_scanner_definitions.zip>
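As an added example (not from the RHACS documentation), the following POSIX shell script carries the definitions update in sections 5.3.1 and 5.3.2.1 end to end: the download step runs on an internet-connected host, and the upload step runs on a host that can reach Central with roxctl installed and ROX_API_TOKEN and ROX_CENTRAL_ADDRESS exported. The DEFS_FILE name and the ZIP magic check are additions of this example, added so that a truncated download or an HTML error page is rejected before it is uploaded to Central.

```shell
#!/bin/sh
# Added example, not part of the RHACS docs: refresh Scanner definitions for
# an offline Central. Usage: "script download" on a connected host, then copy
# the file to a host that reaches Central and run "script upload".
DEFS_URL="https://install.stackrox.io/scanner/scanner-vuln-updates.zip"
DEFS_FILE="${DEFS_FILE:-scanner-vuln-updates.zip}"   # assumed local file name

# require_env NAME... -> 0 if every named variable is set and non-empty.
require_env() {
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required environment variable: $name" >&2
            return 1
        fi
    done
}

# is_zip_file PATH -> 0 if the file is non-empty and starts with the ZIP
# local-file-header magic PK\003\004 (hex 50 4b 03 04).
is_zip_file() {
    [ -s "$1" ] && [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# Step 1 (connected host): download the definitions and sanity-check them.
download_definitions() {
    curl -fsSL --retry 3 -o "$DEFS_FILE" "$DEFS_URL" || return 1
    is_zip_file "$DEFS_FILE" || { echo "$DEFS_FILE is not a ZIP archive" >&2; return 1; }
}

# Step 2 (host reaching Central): upload with the API token, which the docs
# recommend over the administrator password for production use.
upload_definitions() {
    require_env ROX_API_TOKEN ROX_CENTRAL_ADDRESS || return 1
    is_zip_file "$DEFS_FILE" || { echo "$DEFS_FILE is not a ZIP archive" >&2; return 1; }
    roxctl scanner upload-db -e "$ROX_CENTRAL_ADDRESS" --scanner-db-file="$DEFS_FILE"
}

case "${1:-}" in
    download) download_definitions ;;
    upload)   upload_definitions ;;
esac
```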
5.4. Updating kernel support packages in offline mode
Collector monitors the runtime activity for each node in your secured clusters. To monitor the activities, Collector requires probes. These probes are kernel modules or eBPF programs specific to the Linux kernel version installed on the host. The Collector image contains a set of built-in probes.
When Red Hat Advanced Cluster Security for Kubernetes runs in normal mode (connected to the internet), Collector automatically downloads a new probe if the required probe is not built in.
In offline mode, you can manually download packages containing probes for all recent and supported Linux kernel versions and upload them to Central. Collectors then download these probes from Central.
Collector checks for new probes in the following order:
- The existing Collector image.
- The kernel support package (if you have uploaded one to Central).
- A Red Hat-operated server available on the internet. Collector uses Central’s network connection to check and download the probes.
If Collector does not get new probes after checking, it reports a CrashLoopBackoff event.
If your network configuration restricts outbound traffic, you can manually download packages containing probes for all recent and supported Linux kernel versions and upload them to Central. Collectors then download these probes from Central, thus avoiding any outbound internet access.
5.4.1. Downloading kernel support packages
If you are running Red Hat Advanced Cluster Security for Kubernetes in offline mode, you can download packages containing probes for all recent and supported Linux kernel versions and then upload them to Central.
Procedure
- View and download available support packages from https://install.stackrox.io/collector/support-packages/index.html. The kernel support packages list categorizes support packages based on Red Hat Advanced Cluster Security for Kubernetes version.
5.4.2. Uploading kernel support packages to Central
You can upload the kernel support packages containing probes for all recent and supported Linux kernel versions to Central.
Prerequisites
- You must have an API token with the administrator role.
- You must have installed the roxctl command-line interface (CLI).
Procedure
- Set the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables:
  $ export ROX_API_TOKEN=<api_token>
  $ export ROX_CENTRAL_ADDRESS=<address>:<port_number>
- Run the following command to upload the kernel support packages:
  $ roxctl collector support-packages upload <package_file> \
      -e "$ROX_CENTRAL_ADDRESS"
- When you upload a new support package that includes content uploaded to Central previously, only new files are uploaded.
- When you upload a new support package that includes files with the same name but different contents than those present on Central, roxctl shows a warning message and does not overwrite files. You can use the --overwrite option with the upload command to overwrite the files.
- When you upload a support package that contains a required probe, Central does not make any outbound requests (to the internet) for downloading this probe. Central uses the probe from the support package.