Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides security services for your self-managed Red Hat OpenShift Kubernetes systems or platforms such as OpenShift Container Platform, Amazon Elastic Kubernetes service (Amazon EKS), Google Kubernetes Engine (Google GKE), and Microsoft Azure Kubernetes service (Microsoft AKS).
For information about supported platforms and architecture, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix. For life cycle support information for RHACS, see the Red Hat Advanced Cluster Security for Kubernetes Support Policy.
To ensure the best installation experience, follow these guidelines:
- Understand the installation platforms and methods described in this module.
- Understand Red Hat Advanced Cluster Security for Kubernetes architecture.
- Check the default resource requirements.
You can perform different types of installations on different platforms.
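Not all installation methods are supported for all platforms. See the Red Hat Advanced Cluster Security for Kubernetes Support Matrix for more information.

Platform type | Platform | Recommended installation methods | Installation steps |
---|---|---|---|
Managed service platform | Red Hat OpenShift Dedicated (OSD) | Operator (recommended), Helm charts, or `roxctl` CLI | |
Managed service platform | Azure Red Hat OpenShift (ARO) | Operator (recommended), Helm charts, or `roxctl` CLI | |
Managed service platform | Red Hat OpenShift service on AWS (ROSA) | Operator (recommended), Helm charts, or `roxctl` CLI | |
Managed service platform | Red Hat OpenShift on IBM Cloud | Operator (recommended), Helm charts, or `roxctl` CLI | |
Managed service platform | Amazon Elastic Kubernetes service (Amazon EKS) | Helm charts (recommended), or `roxctl` CLI | |
Managed service platform | Google Kubernetes Engine (Google GKE) | Helm charts (recommended), or `roxctl` CLI | |
Managed service platform | Microsoft Azure Kubernetes service (Microsoft AKS) | Helm charts (recommended), or `roxctl` CLI | |
Self-managed platform | Red Hat OpenShift Container Platform (OCP) | Operator (recommended), Helm charts, or `roxctl` CLI | |
Self-managed platform | Red Hat OpenShift Kubernetes Engine (OKE) | Operator (recommended), Helm charts, or `roxctl` CLI | |

Do not use the `roxctl` installation method unless you have specific requirements for following this installation method.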
Red Hat Advanced Cluster Security for Kubernetes (RHACS) supports the following architectures. For information on supported platforms and architecture, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix. Additionally, the following table gives information about installation methods available for each architecture.
Supported architectures | Supported installation methods |
---|---|
AMD64 | Operator (preferred), Helm charts, or `roxctl` CLI |
ppc64le (IBM Power) | Operator |
s390x (IBM Z and IBM® LinuxONE) | Operator |

1. On the Red Hat OpenShift cluster, install the RHACS Operator into the `rhacs-operator` project, or namespace.
2. On the Red Hat OpenShift cluster that will contain Central, called the central cluster, use the RHACS Operator to install Central services into the `stackrox` project. One central cluster can secure multiple clusters.
3. Log in to the RHACS web console from the central cluster, and then create an init bundle and download it. The init bundle is then installed on the cluster that you want to secure, called the secured cluster.
4. For the secured cluster:
   1. Install the RHACS Operator into the `rhacs-operator` namespace.
   2. On the secured cluster, apply the init bundle that you created in RHACS by performing one of these steps:
      - Use the OpenShift Container Platform web console to import the YAML file of the init bundle that you created. Make sure you are in the `stackrox` namespace.
      - In the terminal window, run the `oc create -f <init_bundle>.yaml -n <stackrox>` command, specifying the path to the downloaded YAML file of the init bundle.
   3. On the secured cluster, use the RHACS Operator to install Secured Cluster services into the `stackrox` namespace. When creating these services, be sure to enter the address of Central in the Central Endpoint field so that the secured cluster can communicate with Central.

1. Add the RHACS Helm charts repository.
2. Install the `central-services` Helm chart on the Red Hat OpenShift cluster that will contain Central, called the central cluster.
3. Log in to the RHACS web console on the Central cluster and create an init bundle.
4. For each cluster that you want to secure, log in to the secured cluster and perform the following steps:
   1. Apply the init bundle you created with RHACS. To apply the init bundle on the secured cluster, perform one of these steps:
      - Use the OpenShift Container Platform web console to import the YAML file of the init bundle that you created. Make sure you are in the `stackrox` namespace.
      - In the terminal window, run the `oc create -f <init_bundle>.yaml -n <stackrox>` command, specifying the path to the downloaded YAML file of the init bundle.
   2. Install the `secured-cluster-services` Helm chart on the secured cluster, specifying the path to the init bundle that you created.

roxctl CLI

This installation method is also called the manifest installation method.

1. Install the `roxctl` CLI.
2. On the Red Hat OpenShift cluster that will contain Central, perform these steps:
   1. In the terminal window, run the interactive install command by using the `roxctl` CLI.
   2. Run the setup shell script.
   3. In the terminal window, create the Central resources by using the `oc create` command.
3. Perform one of the following actions:
   - In the RHACS web console, create and download the sensor YAML file and keys.
   - On the secured cluster, use the `roxctl sensor generate openshift` command.
4. On the secured cluster, run the sensor installation script.

1. Add the RHACS Helm charts repository.
2. Install the `central-services` Helm chart on the cluster that will contain Central, called the Central cluster.
3. Log in to the RHACS web console from the Central cluster and create an init bundle that you will install on the cluster that you want to secure, called the secured cluster.
4. For each secured cluster:
   1. Apply the init bundle you created with RHACS. Log in to the secured cluster and run the `kubectl create -f <init_bundle>.yaml -n <stackrox>` command, specifying the path to the downloaded YAML file of the init bundle.
   2. Install the `secured-cluster-services` Helm chart on the secured cluster, specifying the path to the init bundle that you created earlier.
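
A pre-flight check for the `oc create -f <init_bundle>.yaml` and `kubectl create -f <init_bundle>.yaml` steps in the procedures above, as an added example that is not part of the Red Hat documentation. It assumes the init bundle is a multi-document YAML file that contains only Secret objects; the helper name `check_init_bundle` and the file name in the usage comment are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the RHACS documentation).
# Assumption: an init bundle is multi-document YAML made up only of Secrets.

# check_init_bundle FILE [NAMESPACE]   (hypothetical helper name)
# Returns 0 only if FILE is private to its owner, every YAML document in it is
# "kind: Secret", and any explicit metadata.namespace equals NAMESPACE.
check_init_bundle() {
  local file=$1 ns=${2:-stackrox} mode
  [ -f "$file" ] || { echo "not a file: $file" >&2; return 2; }

  # The bundle carries credentials: reject group- or world-accessible files.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case $mode in
    *00) ;;
    *) echo "mode $mode is too open; chmod 600 $file" >&2; return 1 ;;
  esac

  # Line-based scan that fails closed: a document with no top-level
  # "kind: Secret" line (List wrappers, flow-style YAML, RBAC objects,
  # workloads) is rejected rather than guessed at.
  awk -v ns="$ns" '
    function strip(s) { gsub(/["\047\r]/, "", s); return s }
    function flush() {
      if (seen) {
        total++
        if (kind != "Secret") { print "document " total ": kind " kind > "/dev/stderr"; bad = 1 }
      }
      seen = 0; kind = "(none)"
    }
    BEGIN { kind = "(none)" }
    /^---([ \t]|$)/ { flush(); next }   # document separator
    /^[ \t]*(#|$)/  { next }            # comments and blank lines
    { seen = 1 }
    /^kind:/ { kind = strip($2) }
    /^  namespace:/ && strip($2) != ns {
      print "namespace " $2 " is not " ns > "/dev/stderr"; bad = 1
    }
    END { flush(); if (total == 0) bad = 1; exit bad + 0 }
  ' "$file"
}

# Usage on the secured cluster (file name is a placeholder):
#   check_init_bundle init_bundle.yaml stackrox &&
#     kubectl create -f init_bundle.yaml -n stackrox
```

The scan is a heuristic over top-level keys, not a YAML parser, so it rejects anything it cannot positively identify as a Secret.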

roxctl CLI

This installation method is also called the manifest installation method.

1. Install the `roxctl` CLI.
2. On the Kubernetes cluster that will contain Central, perform these steps:
   1. In the terminal window, run the interactive install command by using the `roxctl` CLI.
   2. Run the setup shell script.
   3. In the terminal window, create the Central resources by using the `kubectl create` command.
3. Perform one of the following actions:
   - In the RHACS web console, create and download the sensor YAML file and keys.
   - On the cluster that you want to secure, called the secured cluster, use the `roxctl sensor generate openshift` command.
4. On the secured cluster, run the sensor installation script.