红帽全球峰会此内容没有您所选择的语言版本。
Chapter 2. Adding trusted certificate authorities
Learn how to add custom trusted certificate authorities to Red Hat Advanced Cluster Security for Kubernetes.
If you are using an enterprise certificate authority (CA) on your network, or self-signed certificates, you must add the CA’s root certificate to Red Hat Advanced Cluster Security for Kubernetes as a trusted root CA.
Adding trusted root CAs allows:
- Central and Scanner to trust remote servers when you integrate with other tools.
- Sensor to trust custom certificates you use for Central.
You can add additional CAs during the installation or on an existing deployment.
You must first configure your trusted CAs in the cluster where you have deployed Central and then propagate the changes to Scanner and Sensor.
2.1. Configuring additional CAs
To add custom CAs:
Procedure
Download the
ca-setup.shscript.Note-
If you are doing a new installation, you can find the
ca-setup.shscript in thescriptsdirectory atcentral-bundle/central/scripts/ca-setup.sh. -
You must run the
ca-setup.shscript in the same terminal from which you logged into your OpenShift Container Platform cluster.
-
If you are doing a new installation, you can find the
Make the
ca-setup.shscript executable:chmod +x ca-setup.sh
$ chmod +x ca-setup.shCopy to Clipboard Copied! Toggle word wrap Toggle overflow To add:
A single certificate, use the
-f(file) option:./ca-setup.sh -f <certificate>
$ ./ca-setup.sh -f <certificate>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Note- You must use a PEM-encoded certificate file (with any extension).
-
You can also use the
-u(update) option along with the-foption to update any previously added certificate.
Multiple certificates at once, move all certificates in a directory, and then use the
-d(directory) option:./ca-setup.sh -d <directory_name>
$ ./ca-setup.sh -d <directory_name>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Note-
You must use PEM-encoded certificate files with a
.crtor.pemextension. - Each file must only contain a single certificate.
-
You can also use the
-u(update) option along with the-doption to update any previously added certificates.
-
You must use PEM-encoded certificate files with a
2.2. Propagating changes
After you configure trusted CAs, you must make Red Hat Advanced Cluster Security for Kubernetes services trust them.
- If you have configured trusted CAs after the installation, you must restart Central.
- Additionally, if you are also adding certificates for integrating with image registries, you must restart both Central and Scanner.
2.2.1. Restarting the Central container
You can restart the Central container by deleting the Central pod.
If you use Kubernetes, enter kubectl instead of oc.
Procedure
To delete the Central pod, run the following command:
oc -n stackrox delete pod -lapp=central
$ oc -n stackrox delete pod -lapp=centralCopy to Clipboard Copied! Toggle word wrap Toggle overflow
2.2.2. Restarting the Scanner container
You can restart the Scanner container by deleting the pod.
Procedure
Run the following command to delete the Scanner pod:
On OpenShift Container Platform:
oc delete pod -n stackrox -l app=scanner
$ oc delete pod -n stackrox -l app=scannerCopy to Clipboard Copied! Toggle word wrap Toggle overflow On Kubernetes:
kubectl delete pod -n stackrox -l app=scanner
$ kubectl delete pod -n stackrox -l app=scannerCopy to Clipboard Copied! Toggle word wrap Toggle overflow
After you have added trusted CAs and configured Central, the CAs are included in any new Sensor deployment bundles that you create.
- If an existing Sensor reports problems while connecting to Central, you must generate a Sensor deployment YAML file and update existing clusters.
If you are deploying a new Sensor using the
sensor.shscript, run the following command before you run thesensor.shscript:./ca-setup-sensor.sh -d ./additional-cas/
$ ./ca-setup-sensor.sh -d ./additional-cas/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - If you are deploying a new Sensor using Helm, you do not have to run any additional scripts.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}