Red Hat Advanced Cluster Security Cloud service (RHACS Cloud service) provides security services for your Red Hat OpenShift and Kubernetes clusters. See the Red Hat Advanced Cluster Security for Kubernetes Support Matrix for more information on supported platforms for secured clusters.
Ensure that you can access the Advanced Cluster Security menu option from the Red Hat Hybrid Cloud Console.
To access the RHACS Cloud service console, you need your Red Hat Single Sign-On (SSO) credentials, or credentials for another identity provider if that has been configured. See Default access to the ACS console.
The following sections provide an overview of installation steps and links to the relevant documentation.
To secure Red Hat OpenShift clusters by using the Operator, perform the following steps:
1. Verify that the clusters you want to secure meet the requirements.
2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.
3. On each Red Hat OpenShift cluster you want to secure, create a project named stackrox. This project will contain the resources for RHACS Cloud service secured clusters.
4. In the ACS Console, create an init bundle. The init bundle contains secrets that allow communication between RHACS Cloud service secured clusters and the ACS Console.
5. On each Red Hat OpenShift cluster, apply the init bundle by using it to create resources.
6. On each Red Hat OpenShift cluster, install the RHACS Operator.
7. On each Red Hat OpenShift cluster, install secured cluster resources in the stackrox project by using the Operator.
8. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.
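The Operator-based procedure above, as an added example typed into the oc CLI on one OpenShift cluster. This is not Red Hat's own tooling: it assumes the init bundle has already been created in the ACS Console and downloaded to the path in INIT_BUNDLE, that CLUSTER_NAME and CENTRAL_ENDPOINT are replaced with the values shown for your ACS instance, and that the Subscription channel named stable is the one offered in OperatorHub (an assumption to confirm there). The three secret names checked after applying the bundle are the ones a cluster init bundle is expected to create.

```shell
#!/bin/sh
# Added example, not Red Hat's own tooling: the Operator-based procedure above
# typed into the oc CLI on one OpenShift cluster. Assumed: the init bundle was
# created in the ACS Console and downloaded to $INIT_BUNDLE; CLUSTER_NAME and
# CENTRAL_ENDPOINT are placeholders for the values shown for your ACS instance;
# the Subscription channel "stable" is an assumption to confirm in OperatorHub.
set -eu

INIT_BUNDLE="${INIT_BUNDLE:-./cluster-init-bundle.yaml}"
CLUSTER_NAME="${CLUSTER_NAME:-my-openshift-cluster}"                     # placeholder
CENTRAL_ENDPOINT="${CENTRAL_ENDPOINT:-CENTRAL_ENDPOINT_PLACEHOLDER:443}" # placeholder

# Step 3: the project that will hold the secured cluster resources.
create_project() {
  oc new-project stackrox 2>/dev/null || oc project stackrox
}

# Step 5: the init bundle is YAML of Secret objects; creating them in the
# stackrox project gives Sensor, Collector and Admission Control the TLS
# material they present to Central. These are the secret names the bundle
# is expected to carry, so their absence means the wrong file was applied.
apply_init_bundle() {
  oc -n stackrox create -f "$INIT_BUNDLE"
  oc -n stackrox get secret sensor-tls collector-tls admission-control-tls
}

# Step 6: install the RHACS Operator through OLM for all namespaces (an
# OperatorGroup without targetNamespaces selects the whole cluster).
render_operator_subscription() {
  cat <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: rhacs-operator
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: rhacs-operator
  namespace: rhacs-operator
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: rhacs-operator
  namespace: rhacs-operator
spec:
  channel: stable   # assumed; confirm the channel name in OperatorHub
  name: rhacs-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
EOF
}

wait_for_operator() {
  for _ in $(seq 1 60); do
    oc -n rhacs-operator get csv -o jsonpath='{.items[*].status.phase}' 2>/dev/null | grep -q Succeeded && return 0
    sleep 5
  done
  echo "RHACS Operator did not reach phase Succeeded" >&2
  return 1
}

# Step 7: the SecuredCluster custom resource that the Operator reconciles into
# Sensor, Collector and Admission Control; only the required fields are set.
render_secured_cluster() {
  cat <<EOF
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  clusterName: $1
  centralEndpoint: $2
EOF
}

# Step 8: Sensor is the component that dials Central, so a completed Sensor
# rollout is the first sign the cluster can reach the ACS instance; the
# cluster should then show as healthy in the ACS Console.
main() {
  create_project
  apply_init_bundle
  render_operator_subscription | oc apply -f -
  wait_for_operator
  render_secured_cluster "$CLUSTER_NAME" "$CENTRAL_ENDPOINT" | oc apply -f -
  oc -n stackrox rollout status deploy/sensor --timeout=300s
}

# Only touch a cluster when explicitly asked; otherwise just define functions.
if [ "${RUN_RHACS_INSTALL:-0}" = "1" ]; then
  main
fi
```

Run it with RUN_RHACS_INSTALL=1 after setting the placeholders; without that variable the script only defines the functions, so the two render functions can be inspected with a plain `render_secured_cluster <name> <endpoint>` before anything is applied.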
To secure Red Hat OpenShift clusters by using Helm charts or the roxctl CLI, perform the following steps:
1. Verify that the clusters you want to secure meet the requirements.
2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.
3. On each Red Hat OpenShift cluster you want to secure, create a project named stackrox. This project will contain the resources for RHACS Cloud service secured clusters.
4. In the ACS Console, create an init bundle. The init bundle contains secrets that allow communication between RHACS Cloud service secured clusters and the ACS Console.
5. On each Red Hat OpenShift cluster, apply the init bundle by using it to create resources.
6. On each Red Hat OpenShift cluster, install secured cluster resources in the stackrox project by using Helm charts or by using the roxctl CLI.
7. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.
To secure Kubernetes clusters, perform the following steps:
1. Verify that the clusters you want to secure meet the requirements.
2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.
3. In the ACS Console, create an init bundle. The init bundle contains secrets that allow communication between RHACS Cloud service secured clusters and the ACS Console.
4. On each Kubernetes cluster, apply the init bundle by using it to create resources.
5. On each Kubernetes cluster, install secured cluster resources by using Helm charts or the roxctl CLI.
6. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.
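The Helm and roxctl procedure above, for either an OpenShift or a plain Kubernetes cluster, as an added example that is not Red Hat's own tooling. It assumes roxctl is already authenticated to the ACS instance through the ROX_ENDPOINT and ROX_API_TOKEN environment variables, generates the init bundle with roxctl (a CLI alternative to creating it in the ACS Console) in Kubernetes Secret form, checks that the file really is the Secret form before applying it, and then installs the secured-cluster-services chart. CLUSTER_NAME and CENTRAL_ENDPOINT are placeholders; the field healthStatus.sensorHealthStatus read from the GET /v1/clusters response is the field name as I know it from the ACS API, not something this page states.

```shell
#!/bin/sh
# Added example, not Red Hat's own tooling: the Helm/roxctl procedure above
# for an OpenShift or plain Kubernetes cluster (kubectl serves both). Assumed:
# roxctl is already authenticated to the ACS instance through ROX_ENDPOINT and
# ROX_API_TOKEN; the init bundle is generated here with roxctl rather than in
# the ACS Console; CLUSTER_NAME and CENTRAL_ENDPOINT are placeholders; the
# /v1/clusters field healthStatus.sensorHealthStatus is the name as I know it.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-my-cluster}"                               # placeholder
CENTRAL_ENDPOINT="${CENTRAL_ENDPOINT:-CENTRAL_ENDPOINT_PLACEHOLDER:443}" # placeholder
INIT_BUNDLE="${INIT_BUNDLE:-./${CLUSTER_NAME}-init-bundle-secrets.yaml}"

# Step 4 (CLI variant): write the init bundle in Kubernetes Secret form.
generate_init_bundle() {
  roxctl central init-bundles generate "$CLUSTER_NAME" --output-secrets "$INIT_BUNDLE"
}

# Guard against applying the wrong file (for example the Helm-values form of
# the same bundle): the Secret form carries exactly these three TLS secrets.
init_bundle_has_secrets() {
  for name in sensor-tls collector-tls admission-control-tls; do
    grep -q "^ *name: $name\$" "$1" || return 1
  done
  [ "$(grep -c '^kind: Secret$' "$1")" = "3" ]
}

# Step 5: create the secrets in the stackrox namespace (project).
apply_init_bundle() {
  if ! init_bundle_has_secrets "$INIT_BUNDLE"; then
    echo "$INIT_BUNDLE is not a Secret-form init bundle" >&2
    return 1
  fi
  kubectl create namespace stackrox 2>/dev/null || true
  kubectl -n stackrox create -f "$INIT_BUNDLE"
}

# Step 6 (Helm): install the secured cluster services chart. The TLS secrets
# already exist in the namespace, so the bundle is not passed to the chart;
# only the cluster name and the Central endpoint are required. On OpenShift
# the cluster pull secret already covers registry.redhat.io, hence allowNone;
# on other Kubernetes distributions supply registry credentials instead.
install_with_helm() {
  helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
  helm repo update
  helm install -n stackrox stackrox-secured-cluster-services rhacs/secured-cluster-services \
    --set clusterName="$CLUSTER_NAME" \
    --set centralEndpoint="$CENTRAL_ENDPOINT" \
    --set imagePullSecrets.allowNone=true
}

# Step 8: Sensor dials Central, so Central reporting a HEALTHY Sensor for this
# cluster is the proof that the secured cluster can communicate with the ACS
# instance. Reads the GET /v1/clusters JSON on stdin; $1 is the cluster name.
sensor_healthy() {
  if command -v jq >/dev/null 2>&1; then
    jq -e --arg n "$1" \
      '.clusters[] | select(.name == $n) | .healthStatus.sensorHealthStatus == "HEALTHY"' >/dev/null
  else
    # Fallback without jq; only reliable when the response holds one cluster.
    tr -d ' \n' | grep -q "\"name\":\"$1\".*\"sensorHealthStatus\":\"HEALTHY\""
  fi
}

verify_installation() {
  kubectl -n stackrox rollout status deploy/sensor --timeout=300s
  curl -sSf -H "Authorization: Bearer $ROX_API_TOKEN" "https://$ROX_ENDPOINT/v1/clusters" \
    | sensor_healthy "$CLUSTER_NAME"
}

main() {
  generate_init_bundle
  apply_init_bundle
  install_with_helm
  verify_installation
}

# Only touch a cluster when explicitly asked; otherwise just define functions.
if [ "${RUN_RHACS_INSTALL:-0}" = "1" ]; then
  main
fi
```

The Secret-form check matters because roxctl can also emit the same bundle as Helm values; applying that file with kubectl creates nothing useful and Sensor then starts without its certificates. The final verification asks Central, not the cluster, whether Sensor is healthy, which is the direction that proves step 8.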
By default, the authentication mechanism available to users is authentication by using Red Hat Single Sign-On (SSO). You cannot delete or change the Red Hat SSO authentication provider. However, you can change the minimum access role and add additional rules, or add another identity provider.
To learn how authentication providers work in ACS, see Understanding authentication providers.
A dedicated OIDC client of sso.redhat.com is created for each ACS Console. All OIDC clients share the same sso.redhat.com realm.
Claims from the token issued by sso.redhat.com are mapped to an ACS-issued token as follows:
- realm_access.roles to groups
- org_id to rh_org_id
- is_org_admin to rh_is_org_admin
- sub to userid
The built-in Red Hat SSO authentication provider has the required attribute rh_org_id set to the organization ID assigned to the account of the user who created the RHACS Cloud service instance.
This is the ID of the organizational account that the user belongs to. It can be thought of as the "tenant" that owns the user.
Only users with the same organizational account can access the ACS console by using the Red Hat SSO authentication provider.
To gain more control over access to your ACS Console, configure another identity provider instead of relying on the Red Hat SSO authentication provider. For more information, see Understanding authentication providers. To configure the other authentication provider to be the first authentication option on the login page, its name should be lexicographically smaller than
The minimum access role is set to None. Assigning a different value to this field gives access to the RHACS Cloud service instance to all users with the same organizational account.
Other rules that are set up in the built-in Red Hat SSO authentication provider include the following:
- A rule mapping your userid to Admin
- Rules mapping administrators of the organization to Admin
You can add more rules to grant access to the ACS Console to someone else with the same organizational account. For example, you can use email as a key.
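The claim mapping, the rh_org_id required attribute, the minimum access role and the rules described above, as an added model written for this page; it is not ACS code and does not reproduce the product's evaluation engine. The claim names and rule keys are the ones the text lists; the organization ID, the rule table (which mirrors the two built-in rules plus one extra email rule) and the sample users are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Red Hat's code: a small model of how the built-in Red Hat
# SSO authentication provider described above decides who gets which role.
# Claim names, the rh_org_id required attribute, the minimum access role and
# the rule keys are from the text; the rule table, organization ID and users
# are constructed for illustration.

INSTANCE_ORG_ID="11111111"   # constructed: org of the account that created the instance
MINIMUM_ACCESS_ROLE="None"   # the default; any other value admits the whole organization

# Constructed rule table, one "key value role" per line. The first two mirror
# the built-in rules (creator's userid -> Admin, org administrators -> Admin);
# the third is an extra rule an administrator might add using email as the key.
RULES='userid creator-sub-0001 Admin
rh_is_org_admin true Admin
email analyst@example.com Analyst'

# map_sso_claims: translate the sso.redhat.com token claims into the ACS token
# claims exactly as the page lists them, printed as key=value lines.
# $1 realm_access.roles, $2 org_id, $3 is_org_admin, $4 sub, $5 email
map_sso_claims() {
  printf 'groups=%s\nrh_org_id=%s\nrh_is_org_admin=%s\nuserid=%s\nemail=%s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# claim_value CLAIMS KEY: read one claim back out of the key=value lines.
claim_value() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# resolve_roles CLAIMS: print the space-separated roles the user receives;
# empty output means the login is rejected.
resolve_roles() {
  claims=$1
  roles=""

  # 1. Required attribute: the token's rh_org_id must be the owning
  #    organization, otherwise no rule is even evaluated.
  if [ "$(claim_value "$claims" rh_org_id)" != "$INSTANCE_ORG_ID" ]; then
    printf '\n'
    return 0
  fi

  # 2. Every rule whose key/value pair matches a claim grants its role.
  saved_ifs=$IFS
  IFS='
'
  for rule in $RULES; do
    IFS=$saved_ifs
    set -- $rule
    key=$1; value=$2; role=$3
    if [ "$(claim_value "$claims" "$key")" = "$value" ]; then
      case " $roles " in
        *" $role "*) ;;                 # already granted by an earlier rule
        *) roles="$roles $role" ;;
      esac
    fi
  done
  IFS=$saved_ifs

  # 3. The minimum access role applies to everyone in the organization;
  #    None (the default) means a user needs at least one matching rule.
  if [ "$MINIMUM_ACCESS_ROLE" != "None" ]; then
    roles="$roles $MINIMUM_ACCESS_ROLE"
  fi
  printf '%s\n' "${roles# }"
}

# Constructed demonstration users: email, org_id, is_org_admin, sub.
demo() {
  for who in "admin@example.com 11111111 true sub-42" \
             "analyst@example.com 11111111 false sub-43" \
             "member@example.com 11111111 false sub-44" \
             "outsider@other.example 22222222 true sub-45"; do
    set -- $who
    claims=$(map_sso_claims "offline_access" "$2" "$3" "$4" "$1")
    printf '%-25s -> %s\n' "$1" "$(resolve_roles "$claims")"
  done
}
demo
```

Running the demo shows the three outcomes the text describes: an organization administrator and the creator's userid land on Admin, the user matched only by the added email rule gets Analyst, a member of the same organization with no matching rule is rejected while the minimum access role stays None, and a user from another organization is rejected before any rule is consulted. Changing MINIMUM_ACCESS_ROLE to any other role admits the whole organization, which is exactly the effect the page warns about.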