3.2. Reissuing internal certificates for secured clusters


Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. These components communicate with each other, and with Central by using certificates.

Choose the appropriate method to reissue the internal certificates:

  • Use the automatic certificate renewal feature. This is the recommended method for Operator and Helm deployments.
  • Create, download, and install an init bundle on the secured cluster. You must have the Admin user role to create an init bundle. This method is only recommended for Operator and Helm deployments if the certificates have already expired and the secured cluster can no longer connect to Central.
  • Use the automatic upgrades feature, which is only available for static manifest deployments by using the roxctl CLI. This method is only recommended if you have a specific installation requirement that necessitates the use of this method.

Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. You can reissue internal certificates for these components by using automatic certificate renewal.

TLS certificates are automatically renewed several months in advance but are only loaded when RHACS pods restart, for example, during an upgrade.

By viewing the Clusters page, you can verify that the automatic certificate renewal is active.

Procedure

  1. In the RHACS portal, click Platform Configuration → Clusters.
  2. Verify that Auto-refresh enabled appears in the Credential Expiration column.

Important

If a secured cluster displays a warning about soon-to-expire credentials even though auto-refresh is enabled, you must manually restart the pods of the affected cluster to apply the latest certificates and prevent downtime.

For more information, see "Applying the latest internal certificates".

3.2.1.2. Applying the latest internal certificates

By manually restarting the pods of the affected cluster, you can apply the latest certificates and prevent downtime.

Note

If you use Kubernetes, use kubectl instead of oc.

Prerequisites

  • You have write permission for the Administration resource.

Procedure

  • To manually restart the pods of the affected cluster, run the following command:

    $ oc -n <namespace> delete pods --all

    where:

    <namespace>
    Specifies the namespace where you installed the secured cluster. For example, stackrox.
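The portal check above and the pod restart only tell you that renewal is configured and that pods were recycled; they do not show how close the certificate stored in a component's TLS secret is to expiry. The following added example (not part of this documentation or of RHACS) reads a PEM certificate with the Python standard library only, walks the DER structure to `notAfter`, and classifies it against the 15-day banner window the page describes. It assumes the PEM has already been exported from the component's TLS secret; the secret name is deployment-specific and left as a placeholder, and the sample certificate it builds is a constructed, unsigned structural shell for offline use.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

BANNER_DAYS = 15  # the RHACS portal warns this many days before a certificate expires

def pem_to_der(pem: str) -> bytes:
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as UTC."""
    _, pos, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                         # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                    # optional explicit [0] version
        pos = end
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                         # validity SEQUENCE
    _, _, pos = _tlv(der, pos)                         # skip notBefore
    tag, start, end = _tlv(der, pos)                   # notAfter: UTCTime 0x17 / GeneralizedTime 0x18
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def classify(pem: str, now=None) -> str:
    """'expired', 'expiring' (inside the banner window: restart the pods) or 'ok'."""
    remaining = cert_not_after(pem_to_der(pem)) - (now or datetime.now(timezone.utc))
    if remaining <= timedelta(0):
        return "expired"
    return "expiring" if remaining <= timedelta(days=BANNER_DAYS) else "ok"

def _der(tag: int, value: bytes) -> bytes:
    """Tiny DER encoder (short lengths only) used to build the constructed sample below."""
    return bytes([tag, len(value)]) + value

def sample_cert_pem(days_from_now: int) -> str:
    """Constructed, structurally minimal X.509 shell (no key, no real signature), offline use only."""
    not_after = datetime.now(timezone.utc) + timedelta(days=days_from_now)
    def utc(d): return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _der(0x30, b"") + _der(0x30, utc(not_after - timedelta(days=365)) + utc(not_after))
               + _der(0x30, b"") + _der(0x30, b""))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

if __name__ == "__main__":
    # Real use: pipe in the PEM exported from a component's TLS secret, for example
    #   oc -n stackrox get secret <tls_secret> -o jsonpath='{.data.cert\.pem}' | base64 -d
    # (<tls_secret> is a placeholder; secret names depend on how the secured cluster was installed).
    for days in (-1, 10, 200):
        print(days, classify(sample_cert_pem(days)))
```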

Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. These components use a built-in server certificate for authentication when communicating with other Red Hat Advanced Cluster Security for Kubernetes (RHACS) components.

The RHACS portal shows an information banner when the Central certificate is about to expire.

Note

The information banner only appears 15 days before the certificate expiry date.

Prerequisites

  • You have write permission for the Administration resource.
  • You have the Admin user role to create init bundles.

Important

Store the init bundle securely because it contains secrets. You can use the same bundle on multiple secured clusters.

Procedure

  1. Choose the appropriate method to generate an init bundle:

    • To generate an init bundle by using the user interface (UI), perform the following steps:

      1. In the RHACS portal, click Platform Configuration → Clusters.
      2. Click Init bundles.
      3. To create a new init bundle, click Create bundle.
      4. Enter a name for the cluster init bundle.
      5. Choose the appropriate platform of the secured clusters:

        The following values are associated with the platform of the secured clusters:

        • OpenShift
        • EKS
        • AKS
        • GKE
      6. Choose the appropriate installation method for the secured cluster services from the drop-down list:

        The following values are associated with the installation method for the secured cluster services:

        • Operator (recommended)
        • Helm chart
      7. Click Download.

        Important

        You can only download the YAML file once when you create an init bundle. Store the YAML file securely because it contains secrets.

    • To generate an init bundle by using the roxctl CLI, run the following command:

      $ roxctl -e <endpoint> -p <admin_password> central \
        init-bundles generate --output-secrets <bundle_name> \
        init-bundle.yaml
  2. To create the necessary resources on each secured cluster, run the following command:

    $ oc -n stackrox apply -f <init-bundle.yaml>

Secured clusters contain the Collector, Sensor, Admission Control, and local Scanner components. You can reissue internal certificates for these components by using automatic upgrades.

Important

Automatic upgrades are only applicable to static manifest-based deployments by using the roxctl CLI.

For more information, see "Install Central using the roxctl CLI".

Prerequisites

  • You have enabled automatic upgrades for all the clusters.
  • You have write permission for the Administration resource.

Procedure

  1. In the RHACS portal, click Platform Configuration → Clusters.
  2. Select a cluster to view its details.
  3. From the cluster details panel, select the link to Apply credentials by using an automatic upgrade.

    Note

    When you apply an automatic upgrade, Red Hat Advanced Cluster Security for Kubernetes (RHACS) creates new credentials in the selected cluster. However, you continue to see a notification. The notification disappears when each RHACS service uses the new credentials after the service restarts.
