RHACS has some system requirements that must be met before you can install it.
You must not install Red Hat Advanced Cluster Security for Kubernetes on:
To install Red Hat Advanced Cluster Security for Kubernetes, you must have one of the following systems:
OpenShift Container Platform version 4.10 or later, and cluster nodes with a supported operating system of Red Hat Enterprise Linux CoreOS (RHCOS) or Red Hat Enterprise Linux (RHEL).
A supported managed Kubernetes platform, and cluster nodes with a supported operating system of Amazon Linux, CentOS, Container-Optimized OS from Google, Red Hat Enterprise Linux CoreOS (RHCOS), Debian, Red Hat Enterprise Linux (RHEL), or Ubuntu.
For more information, see Red Hat Advanced Cluster Security for Kubernetes Support Policy.
Cluster nodes minimum requirements:
Architecture: amd64, ppc64le, or s390x
For ppc64le or s390x architectures, you can only install RHACS secured cluster services on IBM Power, IBM Z, and IBM® LinuxONE clusters. Central is not supported at this time.
Processor: 3 CPU cores
Memory: 6 GiB of RAM
See the default memory and CPU requirements for each component and ensure that the node size can support them.
Persistent storage by using persistent volume claim (PVC):
Use Solid-State Drives (SSDs) for best performance. However, you can use another storage type if you do not have SSDs available.
You must not use Ceph FS storage with Red Hat Advanced Cluster Security for Kubernetes. Red Hat recommends using RBD block mode PVCs for Red Hat Advanced Cluster Security for Kubernetes.
To install using helm charts:
You must have the helm command-line interface (CLI) v3.2 or newer if you are installing or configuring Red Hat Advanced Cluster Security for Kubernetes using helm charts.
Use the `helm version` command to verify the version of helm you have installed.
You must have access to the Red Hat Container Registry. For information about downloading images from `registry.redhat.io`, see Red Hat Container Registry Authentication.
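A preflight check for the node and helm minimums listed above, as an added example that is not part of the Red Hat documentation. The function names and the `--live` switch are this example's own; it assumes `kubectl` and `helm` are on the PATH and compares node capacity as reported by the Kubernetes API.

```shell
#!/bin/sh
# Added example: preflight check for the minimums listed on this page.

# helm_ok VERSION: succeeds if VERSION (e.g. "v3.12.3+g3a31588") is v3.2 or newer.
helm_ok() {
  hv=${1#v}; hv=${hv%%[+-]*}                  # strip "v" prefix and build suffix
  case "$hv" in *.*) ;; *) return 1 ;; esac
  major=${hv%%.*}; rest=${hv#*.}; minor=${rest%%.*}
  case "$major" in ''|*[!0-9]*) return 1 ;; esac
  case "$minor" in ''|*[!0-9]*) return 1 ;; esac
  [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 2 ]; }
}

# cpu_millis QTY: Kubernetes CPU quantity ("4", "3920m") as millicores.
cpu_millis() {
  awk -v q="$1" 'BEGIN { if (sub(/m$/, "", q)) { printf "%d\n", q } else { printf "%d\n", q * 1000 } }'
}

# mem_mib QTY: Kubernetes memory quantity (plain bytes, Ki, Mi, Gi, Ti) as whole MiB.
mem_mib() {
  awk -v q="$1" 'BEGIN {
    n = q; sub(/[A-Za-z]+$/, "", n); u = substr(q, length(n) + 1)
    f[""] = 1 / 1048576; f["Ki"] = 1 / 1024; f["Mi"] = 1; f["Gi"] = 1024; f["Ti"] = 1048576
    if (!(u in f)) exit 1                      # other suffixes are not handled here
    printf "%d\n", n * f[u]
  }'
}

# check_node NAME ARCH CPU MEM: prints each unmet minimum, returns 1 if any.
check_node() {
  rc=0
  case "$2" in
    amd64|ppc64le|s390x) ;;
    *) echo "$1: unsupported architecture $2"; rc=1 ;;
  esac
  [ "$(cpu_millis "$3")" -ge 3000 ] || { echo "$1: fewer than 3 CPU cores ($3)"; rc=1; }
  [ "$(mem_mib "$4")" -ge 6144 ] || { echo "$1: less than 6 GiB of RAM ($4)"; rc=1; }
  return "$rc"
}

# "--live" is this script's own switch: query the real tools only on request.
if [ "${1:-}" = "--live" ]; then
  helm_ok "$(helm version --short)" || echo "helm: v3.2 or newer is required"
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.status.nodeInfo.architecture} {.status.capacity.cpu} {.status.capacity.memory}{"\n"}{end}' |
    while read -r name arch cpu mem; do check_node "$name" "$arch" "$cpu" "$mem"; done
fi
```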
Secured cluster services contain the following components:
Sensor
Admission controller
Collector
Sensor monitors your Kubernetes and OpenShift Container Platform clusters. These services currently deploy in a single deployment, which handles interactions with the Kubernetes API and coordinates with Collector.
The following table lists the minimum memory and storage values required to install and run sensor on secured clusters.
Sensor | CPU | Memory |
---|---|---|
Request | 2 cores | 4 GiB |
Limit | 4 cores | 8 GiB |
The Admission controller prevents users from creating workloads that violate policies you configure.
By default, the admission control service runs 3 replicas. The following table lists the request and limits for each replica.
Admission controller | CPU | Memory |
---|---|---|
Request | 0.05 cores | 100 MiB |
Limit | 0.5 cores | 500 MiB |
Collector monitors runtime activity on each node in your secured clusters. It connects to Sensor to report this information. The collector pod has three containers. The first container is collector, which actually monitors and reports the runtime activity on the node. The other two are compliance and node-inventory.
The following table lists the requests and limits for each Collector container.
Collector | Type | CPU | Memory |
---|---|---|---|
Collector Container | Request | 0.05 cores | 320 MiB |
Collector Container | Limit | 0.75 cores | 1000 MiB |
Compliance Container | Request | 0.01 cores | 10 MiB |
Compliance Container | Limit | 1 core | 2000 MiB |
Node-Inventory Container | Request | 0.01 cores | 10 MiB |
Node-Inventory Container | Limit | 1 core | 500 MiB |
Total | Request | 0.07 cores | 340 MiB |
Total | Limit | 2.75 cores | 5000 MiB |