This is a cache of https://docs.openshift.com/acs/4.0/installing/installing_ocp/install-central-config-options-ocp.html. It is a snapshot of the page at 2024-11-23T17:43:33.355+0000.
Optional - Configuring Central configuration options for RHACS using the Operator - Installing RHACS on Red Hat OpenShift | Installing | Red Hat Advanced Cluster Security for Kubernetes 4.0
×

This topic provides information about optional configuration options that you can configure using the Operator.

Central configuration options using the Operator

When you create a Central instance, the Operator lists the following configuration options for the Central custom resource.

The following table includes settings for an external PostgreSQL database (Technology Preview).

External PostgreSQL support is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Central settings

Parameter Description

central.adminPasswordSecret

Specify a secret that contains the administrator password in the password data item. If omitted, the operator autogenerates a password and stores it in the password item in the central-htpasswd secret.

central.defaultTLSSecret

By default, Central only serves an internal TLS certificate, which means that you need to handle TLS termination at the ingress or load balancer level. If you want to terminate TLS in Central and serve a custom server certificate, you can specify a secret containing the certificate and private key.

central.adminPasswordGenerationDisabled

Set this parameter to true to disable the automatic administrator password generation. Use this only after you perform the first-time setup of alternative authentication methods. Do not use this for initial installation. Otherwise, you must reinstall the custom resource to log back in.

central.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes.

central.exposure.loadBalancer.enabled

Set this to true to expose Central through a load balancer.

central.exposure.loadBalancer.port

Use this parameter to specify a custom port for your load balancer.

central.exposure.loadBalancer.ip

Use this parameter to specify a static IP address reserved for your load balancer.

central.exposure.route.enabled

Set this to true to expose Central through an OpenShift route. The default value is false.

central.exposure.route.host

Specify a custom hostname to use for Central’s route. Leave this unset to accept the default value that OpenShift Container Platform provides.

central.exposure.nodeport.enabled

Set this to true to expose Central through a node port. The default value is false.

central.exposure.nodeport.port

Use this to specify an explicit node port.

central.monitoring.exposeEndpoint

Use Enabled to enable monitoring for Central. When you enable monitoring, RHACS creates a new monitoring service on port number 9090. The default value is Disabled.

central.nodeSelector

If you want this component to only run on specific nodes, you can configure a node selector by using this parameter.

central.persistence.hostPath.path

Specify a host path to store persistent data in a directory on the host. Red Hat does not recommend using this. If you need to use host path, you must use it with a node selector.

central.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data. If no PVC with the given name exists, it will be created. The default value is stackrox-db if not set. To prevent data losses the PVC is not removed automatically with Central`s deletion.

central.persistence.persistentVolumeClaim.size

The size of the persistent volume when created through the claim. This is automatically generated by default.

central.persistence.persistentVolumeClaim.storageClassName

The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.

central.resources.limits

Use this parameter to override the default resource limits for the Central.

central.resources.requests

Use this parameter to override the default resource requests for the Central.

central.imagePullSecrets

Use this parameter to specify the image pull secrets for the Central image.

central.db.passwordSecret.name

Specify a secret that has the database password in the password data item. Only use this parameter if you want to specify a connection string manually. If omitted, the operator auto-generates a password and stores it in the password item in the central-db-password secret.

central.db.connectionString

(Technology Preview): Setting this parameter will not deploy Central DB, and Central will connect using the specified connection string. If you specify a value for this parameter, you must also specify a value for central.db.passwordSecret.name. This parameter has the following constraints:

  • Connection string must be in keyword/value format as described in the PostgreSQL documentation. For more information, see the links in the Additional resources section.

  • Only PostgreSQL 13 is supported.

  • Connections through PGBouncer are not supported.

  • User must be a superuser who can create and delete databases.

central.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central DB. This parameter is mainly used for infrastructure nodes.

central.db.persistence.hostPath.path

Specify a host path to store persistent data in a directory on the host. Red Hat does not recommend using this. If you need to use host path, you must use it with a node selector.

central.db.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data. If no PVC with the given name exists, it will be created. The default value is central-db if not set. To prevent data loss, the PVC is not removed automatically with Central DB’s deletion.

central.db.persistence.persistentVolumeClaim.size

The size of the persistent volume when created through the claim. This is automatically generated by default.

central.db.persistence.persistentVolumeClaim.storageClassName

The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.

central.db.resources.limits

Use this parameter to override the default resource limits for the Central DB.

central.db.resources.requests

Use this parameter to override the default resource requests for the Central DB.

Scanner settings

Parameter Description

scanner.analyzer.nodeSelector

If you want this scanner to only run on specific nodes, you can configure a node selector by using this parameter.

scanner.analyzer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner. This parameter is mainly used for infrastructure nodes.

scanner.analyzer.resources.limits

Use this parameter to override the default resource limits for the scanner.

scanner.analyzer.resources.requests

Use this parameter to override the default resource requests for the scanner.

scanner.analyzer.scaling.autoScaling

When enabled, the number of analyzer replicas is managed dynamically based on the load, within the limits specified.

scanner.analyzer.scaling.maxReplicas

Specifies the maximum replicas to be used the analyzer autoscaling configuration

scanner.analyzer.scaling.minReplicas

Specifies the minimum replicas to be used the analyzer autoscaling configuration

scanner.analyzer.scaling.replicas

When autoscaling is disabled, the number of replicas will always be configured to match this value.

scanner.db.nodeSelector

If you want this component to only run on specific nodes, you can configure a node selector by using this parameter.

scanner.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB. This parameter is mainly used for infrastructure nodes.

scanner.db.resources.limits

Use this parameter to override the default resource limits for the scanner.

scanner.db.resources.requests

Use this parameter to override the default resource requests for the scanner.

scanner.monitoring.exposeEndpoint

Use Enabled to enable monitoring for Scanner. When you enable monitoring, RHACS creates a new monitoring service on port number 9090. The default value is Disabled.

scanner.scannerComponent

If you do not want to deploy Scanner, you can disable it by using this parameter. If you disable Scanner, all other settings in this section have no effect. Red Hat does not recommend disabling Red Hat Advanced Cluster Security for Kubernetes Scanner.

General and miscellaneous settings

Parameter Description

tls.additionalCAs

Additional Trusted CA certificates for the secured cluster to trust. These certificates are typically used when integrating with services using a private certificate authority.

misc.createSCCs

Specify true to create SecurityContextConstraints (SCCs) for Central. Setting to true might cause issues in some environments.

customize.annotations

Allows specifying custom annotations for the Central deployment.

customize.envVars

Advanced settings to configure environment variables.

egress.connectivityPolicy

Configures whether RHACS should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.