红帽全球峰会You are viewing documentation for a release that is no longer maintained. To view the documentation for the most recent version, see the latest RHACS docs.
第 5 章 启用离线模式
您可以通过启用离线模式,将 Red Hat Advanced Cluster Security for Kubernetes 用于没有连接到互联网的集群。在离线模式下,Red Hat Advanced Cluster Security for Kubernetes 组件无法连接到互联网上的地址或主机。
Red Hat Advanced Cluster Security for Kubernetes 不会确定用户提供的主机名、IP 地址或其他资源是否在互联网上。例如,如果您尝试与互联网上托管的 Docker registry 集成,Red Hat Advanced Cluster Security for Kubernetes 不会阻断这个请求。
以离线模式部署和操作 Red Hat Advanced Cluster Security for Kubernetes:
- 下载 RHACS 镜像并在您的集群中安装它们。如果使用 OpenShift Container Platform,您可以使用 Operator Lifecycle Manager(OLM) 和 OperatorHub 将镜像下载到连接到互联网的工作站。然后,工作站会将镜像推送到已连接的安全集群的镜像 registry 中。对于其他平台,您可以使用 Skopeo 或 Docker 等程序从远程 registry 中拉取镜像并将其推送到您自己的私有注册表,如 直接下载镜像 中所述。
- 在安装过程中启用离线模式。
- (可选)通过上传新的定义文件,Routinely 更新 Scanner 的漏洞列表。
- (可选)当需要时,通过上传新的内核支持软件包在更多内核版本中添加对运行时集合的支持。
您只能在安装过程中启用离线模式,而不在升级过程中启用。
5.1. 下载镜像以供离线使用
5.1.1. 直接下载镜像
您可以手动拉取、重新标记并将 Red Hat Advanced Cluster Security for Kubernetes 镜像推送到 registry。镜像捆绑包当前版本的镜像有:
-
registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.69.2 -
registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.69.2 -
registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.69.2 -
registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:3.69.2 -
registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:3.69.2
5.1.1.1. 重新标记镜像
您可以使用 Docker 命令行界面下载和重新标记镜像。
在重新标记镜像时,您必须维护镜像的名称和标签。例如,使用:
docker tag registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.69.2 <your_registry>/rhacs-main-rhel8:3.69.2
$ docker tag registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.69.2 <your_registry>/rhacs-main-rhel8:3.69.2和不要像以下示例一样重新标记:
docker tag registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.69.2 <your_registry>/other-name:latest
$ docker tag registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.69.2 <your_registry>/other-name:latest流程
登录到 registry:
docker login registry.redhat.io
$ docker login registry.redhat.ioCopy to Clipboard Copied! Toggle word wrap Toggle overflow 拉取镜像:
docker pull <image>
$ docker pull <image>Copy to Clipboard Copied! Toggle word wrap Toggle overflow 重新标记镜像:
docker tag <image> <new_image>
$ docker tag <image> <new_image>Copy to Clipboard Copied! Toggle word wrap Toggle overflow 将更新的镜像推送到 registry:
docker push <new_image>
$ docker push <new_image>Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}