This is a cache of https://docs.openshift.com/acs/4.1/cli/managing-secured-clusters.html. It is a snapshot of the page at 2024-11-05T17:48:35.030+0000.
Managing secured <strong>cluster</strong>s | roxctl CLI | Red Hat Advanced <strong>cluster</strong> Security for Kubernetes 4.1
×

To secure a Kubernetes or an OpenShift Container Platform cluster, you must deploy Red Hat Advanced cluster Security for Kubernetes (RHACS) services into the cluster. You can generate deployment files in the RHACS portal by navigating to the Platform Configuration → clusters view, or you can use the roxctl CLI.

Prerequisites

  • You have configured the ROX_ENDPOINT environment variable using the following command:

    $ export ROX_ENDPOINT=<host:port> (1)
    1 The host and port information that you want to store in the ROX_ENDPOINT environment variable.

Generating Sensor deployment files

Generating files for Kubernetes systems

Procedure
  • Generate the required sensor configuration for your Kubernetes cluster and associate it with your Central instance by running the following command:

    $ roxctl sensor generate k8s --name <cluster_name> --central "$ROX_ENDPOINT"

Generating files for OpenShift Container Platform systems

Procedure
  • Generate the required sensor configuration for your OpenShift Container Platform cluster and associate it with your Central instance by running the following command:

    $ roxctl sensor generate openshift --openshift-version <ocp_version> --name <cluster_name> --central "$ROX_ENDPOINT" (1)
    1 For the --openshift-version option, specify the major OpenShift Container Platform version number for your cluster. For example, specify 3 for OpenShift Container Platform version 3.x and specify 4 for OpenShift Container Platform version 4.x.

    Read the --help output to see other options that you might need to use depending on your system architecture.

    Verify that the endpoint you provide for --central can be reached from the cluster where you are deploying Red Hat Advanced cluster Security for Kubernetes services.

    If you are using a non-gRPC capable load balancer, such as HAProxy, AWS Application Load Balancer (ALB), or AWS Elastic Load Balancing (ELB), follow these guidelines:

    • Use the WebSocket Secure (wss) protocol. To use wss, prefix the address with wss://, and

    • Add the port number after the address, for example:

      $ roxctl sensor generate k8s --central wss://stackrox-central.example.com:443

Installing Sensor by using the sensor.sh script

When you generate the Sensor deployment files, roxctl creates a directory called sensor-<cluster_name> in your working directory. The script to install Sensor is located in this directory.

Procedure
  • Run the sensor installation script to install Sensor:

    $ ./sensor-<cluster_name>/sensor.sh

    If you get a warning that you do not have the required permissions to install Sensor, follow the on-screen instructions, or contact your cluster administrator for help.

Downloading Sensor bundles for existing clusters

Procedure
  • Run the following command to download Sensor bundles for existing clusters by specifying a cluster name or ID:

    $ roxctl sensor get-bundle <cluster_name_or_id>

Deleting cluster integration

Procedure
  • Before deleting the cluster, ensure you have the correct cluster name that you want to remove from Central:

    $ roxctl cluster delete --name=<cluster_name>

    Deleting the cluster integration does not remove the RHACS services running in the cluster, depending on the installation method. You can remove the services by running the delete-sensor.sh script from the Sensor installation bundle.