$ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
High-level installation flow:
Add Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.
Configure the central-services
Helm chart.
Install the central-services
Helm chart to install the centralized components (Central and Scanner).
Generate an init bundle.
Configure the secured-cluster-services
Helm chart.
Install the secured-cluster-services
Helm chart to install the per-cluster and per-node components (Sensor, Admission Controller, and Collector).
Before you install:
Add Red Hat Advanced Cluster Security for Kubernetes charts repository.
$ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
The Helm repository for Red Hat Advanced Cluster Security for Kubernetes includes two Helm charts for installing different components.
Central services Helm chart (central-services
) for installing the centralized components (Central and Scanner).
You deploy centralized components only once and you can monitor multiple separate clusters by using the same installation. |
Secured Cluster services Helm chart (secured-cluster-services
) for installing the per-cluster (Sensor and Admission controller) and per-node (Collector) components.
Deploy the per-cluster components into each cluster that you want to monitor and deploy the per-node components in all nodes that you want to monitor. |
Run the following command to verify the added chart repository:
$ helm search repo -l rhacs/
This section describes Helm chart configuration parameters that you can use with the helm install
and helm upgrade
commands.
You can specify these parameters by using the --set
option or by creating YAML configuration files.
Create the following files for configuring the Helm chart for installing Red Hat Advanced Cluster Security for Kubernetes:
Public configuration file values-public.yaml
: Use this file to save all non-sensitive configuration options.
Private configuration file values-private.yaml
: Use this file to save all sensitive configuration options. Make sure that you store this file securely.
This section lists the configurable parameters of the values-private.yaml
file.
There are no default values for these parameters.
The credentials that are required for pulling images from the registry depend on the following factors:
If you are using a custom registry, you must specify these parameters:
imagePullSecrets.username
imagePullSecrets.password
image.registry
If you do not use a username and password to log in to the custom registry, you must specify one of the following parameters:
imagePullSecrets.allowNone
imagePullSecrets.useExisting
imagePullSecrets.useFromDefaultserviceAccount
Parameter | Description |
---|---|
|
The username of the account that is used to log in to the registry. |
|
The password of the account that is used to log in to the registry. |
|
Use |
|
A comma-separated list of secrets as values.
For example, |
|
Use |
If you are installing Red Hat Advanced Cluster Security for Kubernetes in a cluster that requires a proxy to connect to external services, you must specify your proxy configuration by using the proxyConfig
parameter.
For example:
env:
proxyConfig: |
url: http://proxy.name:port
username: username
password: password
excludes:
- some.domain
Parameter | Description |
---|---|
|
Your proxy configuration. |
Configurable parameters for Central.
For a new installation, you can skip the following parameters:
central.jwtSigner.key
central.serviceTLS.cert
central.serviceTLS.key
central.adminPassword.value
central.adminPassword.htpasswd
When you do not specify values for these parameters the Helm chart autogenerates values for them.
If you want to modify these values you can use the helm upgrade
command and specify the values using the --set
option.
For setting the administrator password, you can only use either |
Parameter | Description |
---|---|
|
A private key which Red Hat Advanced Cluster Security for Kubernetes should use for signing JSON web tokens (JWTs) for authentication. |
|
An internal certificate that the Central service should use for deploying Central. |
|
The private key of the internal certificate that the Central service should use. |
|
The user-facing certificate that Central should use. Red Hat Advanced Cluster Security for Kubernetes uses this certificate for RHACS portal.
|
|
The private key of the user-facing certificate that Central should use.
|
|
Administrator password for logging into Red Hat Advanced Cluster Security for Kubernetes. |
|
Administrator password for logging into Red Hat Advanced Cluster Security for Kubernetes. This password is stored in hashed format using bcrypt. |
If you are using
|
Configurable parameters for Scanner.
For a new installation, you can skip the following parameters and the Helm chart autogenerates values for them. Otherwise, if you are upgrading to a new version, specify the values for the following parameters:
scanner.dbPassword.value
scanner.serviceTLS.cert
scanner.serviceTLS.key
scanner.dbserviceTLS.cert
scanner.dbserviceTLS.key
Parameter | Description |
---|---|
|
The password to use for authentication with Scanner database. Do not modify this parameter because Red Hat Advanced Cluster Security for Kubernetes automatically creates and uses its value internally. |
|
An internal certificate that the Scanner service should use for deploying Scanner. |
|
The private key of the internal certificate that the Scanner service should use. |
|
An internal certificate that the Scanner-db service should use for deploying Scanner database. |
|
The private key of the internal certificate that the Scanner-db service should use. |
This section lists the configurable parameters of the values-public.yaml
file.
Image pull secrets are the credentials required for pulling images from your registry.
Parameter | Description |
---|---|
|
Use |
|
A comma-seprated list of secrets as values.
For example, |
|
Use |
Image declares the configuration to set up the main registry, which the Helm chart uses to resolve images for the central.image
, scanner.image
, and scanner.dbImage
parameters.
Parameter | Description |
---|---|
|
Address of your image registry.
Either use a hostname, such as |
Red Hat Advanced Cluster Security for Kubernetes automatically detects your cluster environment and sets values for env.openshift
, env.istio
, and env.platform
.
Only set these values to override the automatic cluster environment detection.
Parameter | Description |
---|---|
|
Use |
|
Use |
|
The platform on which you are installing Red Hat Advanced Cluster Security for Kubernetes.
Set its value to |
|
Use |
The Red Hat Advanced Cluster Security for Kubernetes automatically references the system root certificates to trust. When Central or Scanner must reach out to services that use certificates issued by an authority in your organization or a globally trusted partner organization, you can add trust for these services by specifying the root certificate authority to trust by using the following parameter:
Parameter | Description |
---|---|
|
Specify the PEM encoded certificate of the root certificate authority to trust. |
Configurable parameters for Central.
You must specify a persistent storage option as either hostPath
or persistentVolumeClaim
.
For exposing Central deployment for external access.
You must specify one parameter, either central.exposure.loadBalancer
, central.exposure.nodePort
, or central.exposure.route
.
When you do not specify any value for these parameters, you must manually expose Central or access it by using port-forwarding.
Parameter | Description |
---|---|
|
Use |
|
The endpoint configuration options for Central. |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes. |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes. |
|
Specify |
|
A custom registry that overrides the global |
|
The custom image name that overrides the default Central image name ( |
|
The custom image tag that overrides the default tag for Central image.
If you specify you own image tag during a new installation, you must manually increment this tag when you to upgrade to a new version by running the |
|
Full reference including registry address, image name, and image tag for the Central image.
Setting a value for this parameter overrides the |
|
The memory request for Central to override the default value. |
|
The CPU request for Central to override the default value. |
|
The memory limit for Central to override the default value. |
|
The CPU limit for Central to override the default value. |
|
The path on the node where Red Hat Advanced Cluster Security for Kubernetes should create a database volume. Red Hat does not recommend using this option. |
|
The name of the persistent volume claim (PVC) you are using. |
|
Use |
|
The size (in GiB) of the persistent volume managed by the specified claim. |
|
Use |
|
The port number on which to expose Central. The default port number is 443. |
|
Use |
|
The port number on which to expose Central. When you skip this parameter, OpenShift Container Platform automatically assigns a port number. Red Hat recommends that you do not specify a port number if you are exposing Red Hat Advanced Cluster Security for Kubernetes by using a node port. |
|
Use |
Configurable parameters for Scanner.
Parameter | Description |
---|---|
|
Use |
|
The number of replicas to create for the Scanner deployment.
When you use it with the |
|
Configure the log level for Scanner.
Red Hat recommends that you not change the log level’s default value ( |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner. This parameter is mainly used for infrastructure nodes. |
|
Use |
|
The minimum number of replicas for autoscaling. |
|
The maximum number of replicas for autoscaling. |
|
The memory request for Scanner to override the default value. |
|
The CPU request for Scanner to override the default value. |
|
The memory limit for Scanner to override the default value. |
|
The CPU limit for Scanner to override the default value. |
|
The memory request for Scanner database deployment to override the default values. |
|
The CPU request for Scanner database deployment to override the default values. |
|
The memory limit for Scanner database deployment to override the default values. |
|
The CPU limit for Scanner database deployment to override the default values. |
|
A custom registry for the Scanner image. |
|
The custom image name that overrides the default Scanner image name ( |
|
A custom registry for the Scanner DB image. |
|
The custom image name that overrides the default Scanner DB image name ( |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB. This parameter is mainly used for infrastructure nodes. |
Use these parameters to specify additional attributes for all objects that Red Hat Advanced Cluster Security for Kubernetes creates.
Parameter | Description |
---|---|
|
A custom label to attach to all objects. |
|
A custom annotation to attach to all objects. |
|
A custom label to attach to all deployments. |
|
A custom annotation to attach to all deployments. |
|
A custom environment variable for all containers in all objects. |
|
A custom label to attach to all objects that Central creates. |
|
A custom annotation to attach to all objects that Central creates. |
|
A custom label to attach to all Central deployments. |
|
A custom annotation to attach to all Central deployments. |
|
A custom environment variable for all Central containers. |
|
A custom label to attach to all objects that Scanner creates. |
|
A custom annotation to attach to all objects that Scanner creates. |
|
A custom label to attach to all Scanner deployments. |
|
A custom annotation to attach to all Scanner deployments. |
|
A custom environment variable for all Scanner containers. |
|
A custom label to attach to all objects that Scanner DB creates. |
|
A custom annotation to attach to all objects that Scanner DB creates. |
|
A custom label to attach to all Scanner DB deployments. |
|
A custom annotation to attach to all Scanner DB deployments. |
|
A custom environment variable for all Scanner DB containers. |
You can also use:
the customize.other.service/*.labels
and the customize.other.service/*.annotations
parameters, to specify labels and annotations for all objects.
or, provide a specific service name, for example, customize.other.service/central-loadbalancer.labels
and customize.other.service/central-loadbalancer.annotations
as parameters and set their value.
The parameters specified in this section are for information only. Red Hat does not support Red Hat Advanced Cluster Security for Kubernetes instances with modified namespace and release names. |
Parameter | Description |
---|---|
|
Use |
|
Use |
After you configure the values-public.yaml
and values-private.yaml
files, install the central-services
Helm chart to deploy the centralized components (Central and Scanner).
Run the following command:
$ helm install -n stackrox --create-namespace \
stackrox-central-services rhacs/central-services \
-f <path_to_values_public.yaml> -f <path_to_values_private.yaml> (1)
1 | Use the -f option to specify the paths for your YAML configuration files. |
You can make changes to any configuration options after you have deployed the central-services
Helm chart.
Update the values-public.yaml
and values-private.yaml
configuration files with new values.
Run the helm upgrade
command and specify the configuration files using the -f
option:
$ helm upgrade -n stackrox \
stackrox-central-services rhacs/central-services \
-f <path_to_values_public.yaml> \
-f <path_to_values_private.yaml>
You can also specify configuration values using the |
Before you install the SecuredCluster
resource on a cluster, you must create an init bundle. The cluster that has SecuredCluster
installed and configured then uses this bundle to authenticate with Central.
You can create an init bundle by using the roxctl
CLI or from the RHACS portal.
You can create an init bundle with secrets by using the roxctl
CLI.
You have configured the ROX_API_TOKEN
and the ROX_CENTRAL_ADDRESS
environment variables.
Set the ROX_API_TOKEN
and the ROX_CENTRAL_ADDRESS
environment variables:
$ export ROX_API_TOKEN=<api_token>
$ export ROX_CENTRAL_ADDRESS=<address>:<port_number>
Run the following command to generate a cluster init bundle containing secrets:
$ roxctl -e "$ROX_CENTRAL_ADDRESS" \
central init-bundles generate <cluster_init_bundle_name> \
--output cluster_init_bundle.yaml
Make sure that you store this bundle securely because it contains secrets. You can use the same bundle to set up multiple secured clusters. |
You can create an init bundle containing secrets by using the RHACS portal.
Find the address of the RHACS portal based on your exposure method:
For a route:
$ oc get route central -n stackrox
For a load balancer:
$ oc get service central-loadbalancer -n stackrox
For port forward:
Run the following command:
$ oc port-forward svc/central 18443:443 -n stackrox
Navigate to https://localhost:18443/
.
On the RHACS portal, navigate to Platform Configuration → Integrations.
Navigate to the Authentication Tokens section and click on Cluster Init Bundle.
Click Generate bundle.
Enter a name for the cluster init bundle and click Generate.
Click Download Helm Values File to download the generated bundle.
Store this bundle securely because it contains secrets. You can use the same bundle to create multiple secured clusters. |
Use the OpenShift Container Platform CLI to create resources using the init bundle.
Install Red Hat Advanced Cluster Security for Kubernetes in all clusters that you want to monitor.
This section describes Helm chart configuration parameters that you can use with the helm install
and helm upgrade
commands.
You can specify these parameters by using the --set
option or by creating YAML configuration files.
Create the following files for configuring the Helm chart for installing Red Hat Advanced Cluster Security for Kubernetes:
Public configuration file values-public.yaml
: Use this file to save all non-sensitive configuration options.
Private configuration file values-private.yaml
: Use this file to save all sensitive configuration options. Make sure that you store this file securely.
While using the |
Parameter | Description |
---|---|
|
Name of your cluster. |
|
Address of the Central endpoint, including the port number.
If you are using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with |
|
Address of the Sensor endpoint including port number. |
|
Image pull policy for the Sensor container. |
|
The internal service-to-service TLS certificate that Sensor uses. |
|
The internal service-to-service TLS certificate key that Sensor uses. |
|
The memory request for the Sensor container. Use this parameter to override the default value. |
|
The CPU request for the Sensor container. Use this parameter to override the default value. |
|
The memory limit for the Sensor container. Use this parameter to override the default value. |
|
The CPU limit for the Sensor container. Use this parameter to override the default value. |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Sensor. This parameter is mainly used for infrastructure nodes. |
|
The name of the |
|
The name of the Collector image. |
|
Address of the registry you are using for the main image. |
|
Address of the registry you are using for the Collector image. |
|
Image pull policy for |
|
Image pull policy for the Collector images. |
|
Tag of |
|
Tag of |
|
Either |
|
Image pull policy for the Collector container. |
|
Image pull policy for the Compliance container. |
|
If you specify |
|
The memory request for the Collector container. Use this parameter to override the default value. |
|
The CPU request for the Collector container. Use this parameter to override the default value. |
|
The memory limit for the Collector container. Use this parameter to override the default value. |
|
The CPU limit for the Collector container. Use this parameter to override the default value. |
|
The memory request for the Compliance container. Use this parameter to override the default value. |
|
The CPU request for the Compliance container. Use this parameter to override the default value. |
|
The memory limit for the Compliance container. Use this parameter to override the default value. |
|
The CPU limit for the Compliance container. Use this parameter to override the default value. |
|
The internal service-to-service TLS certificate that Collector uses. |
|
The internal service-to-service TLS certificate key that Collector uses. |
|
This setting controls whether Kubernetes is configured to contact Red Hat Advanced Cluster Security for Kubernetes with |
|
When you set this parameter as |
|
This setting controls whether the cluster is configured to contact Red Hat Advanced Cluster Security for Kubernetes with |
|
This setting controls whether Red Hat Advanced Cluster Security for Kubernetes evaluates policies; if it is disabled, all AdmissionReview requests are automatically accepted. |
|
This setting controls the behavior of the admission control service.
You must specify |
|
If you set this option to |
|
Set it to |
|
The maximum time, in seconds, Red Hat Advanced Cluster Security for Kubernetes should wait while evaluating admission review requests. Use this to set request timeouts when you enable image scanning. If the image scan runs longer than the specified time, Red Hat Advanced Cluster Security for Kubernetes accepts the request. |
|
The memory request for the Admission Control container. Use this parameter to override the default value. |
|
The CPU request for the Admission Control container. Use this parameter to override the default value. |
|
The memory limit for the Admission Control container. Use this parameter to override the default value. |
|
The CPU limit for the Admission Control container. Use this parameter to override the default value. |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Admission Control. This parameter is mainly used for infrastructure nodes. |
|
The internal service-to-service TLS certificate that Admission Control uses. |
|
The internal service-to-service TLS certificate key that Admission Control uses. |
|
Use this parameter to override the default |
|
If you specify |
|
Specify |
|
Specify |
|
Specify |
|
Resource specification for Sensor. |
|
Resource specification for Admission Controller. |
|
Resource specification for Collector. |
|
Resource specification for Collector’s Compliance container. |
|
If you set this option to |
|
If you set this option to |
|
If you set this option to |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB. |
|
Resource specification for Collector’s Compliance container. |
|
Setting this parameter allows you to modify the scanner log level. Use this option only for troubleshooting purposes. |
|
If you set this option to |
|
The minimum number of replicas for autoscaling. Defaults to 2. |
|
The maximum number of replicas for autoscaling. Defaults to 5. |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner. |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB. |
|
The memory request for the Scanner container. Use this parameter to override the default value. |
|
The CPU request for the Scanner container. Use this parameter to override the default value. |
|
The memory limit for the Scanner container. Use this parameter to override the default value. |
|
The CPU limit for the Scanner container. Use this parameter to override the default value. |
|
The memory request for the Scanner DB container. Use this parameter to override the default value. |
|
The CPU request for the Scanner DB container. Use this parameter to override the default value. |
|
The memory limit for the Scanner DB container. Use this parameter to override the default value. |
|
The CPU limit for the Scanner DB container. Use this parameter to override the default value. |
You can specify environment variables for Sensor and Admission Controller in the following format:
customize:
envVars:
ENV_VAR1: "value1"
ENV_VAR2: "value2"
The customize
setting allows you to specify custom Kubernetes metadata (labels and annotations) for all objects created by this Helm chart and additional pod labels, pod annotations, and container environment variables for workloads.
The configuration is hierarchical, in the sense that metadata defined at a more generic scope (for example, for all objects) can be overridden by metadata defined at a narrower scope (for example, only for the Sensor deployment).
After you configure the values-public.yaml
and values-private.yaml
files, install the secured-cluster-services
Helm chart to deploy the per-cluster and per-node components (Sensor, Admission Controller, and Collector).
To install Collector on systems that have Unified Extensible Firmware Interface (UEFI) and that have Secure Boot enabled, you must use eBPF probes because kernel modules are unsigned, and the UEFI firmware cannot load unsigned packages. Collector identifies Secure Boot status at the start and switches to eBPF probes if required. |
You must have generated RHACS init bundle for your cluster.
You must have the address and the port number that you are exposing the Central service on.
Run the following command:
$ helm install -n stackrox --create-namespace \
stackrox-secured-cluster-services rhacs/secured-cluster-services \
-f <name_of_cluster_init_bundle.yaml> \
-f <path_to_values_public.yaml> -f <path_to_values_private.yaml> (1)
1 | Use the -f option to specify the paths for your YAML configuration files. |
To deploy
|
You can make changes to any configuration options after you have deployed the secured-cluster-services
Helm chart.
Update the values-public.yaml
and values-private.yaml
configuration files with new values.
Run the helm upgrade
command and specify the configuration files using the -f
option:
$ helm upgrade -n stackrox \
stackrox-secured-cluster-services rhacs/secured-cluster-services \
--reuse-values \ (1)
-f <path_to_values_public.yaml> \
-f <path_to_values_private.yaml>
1 | You must specify the --reuse-values parameter, otherwise the Helm upgrade command resets all previously configured settings. |
You can also specify configuration values using the |
After you complete the installation, run a few vulnerable applications and navigate to the RHACS portal to evaluate the results of security assessments and policy violations.
The sample applications listed in the following section contain critical vulnerabilities and they are specifically designed to verify the build and deploy-time assessment features of Red Hat Advanced Cluster Security for Kubernetes. |
To verify installation:
Find the address of the RHACS portal based on your exposure method:
For a route:
$ oc get route central -n stackrox
For a load balancer:
$ oc get service central-loadbalancer -n stackrox
For port forward:
Run the following command:
$ oc port-forward svc/central 18443:443 -n stackrox
Navigate to https://localhost:18443/
.
Using the OpenShift Container Platform CLI, create a new project:
$ oc new-project test
Start some applications with critical vulnerabilities:
$ oc run shell --labels=app=shellshock,team=test-team \
--image=vulnerables/cve-2014-6271 -n test
$ oc run samba --labels=app=rce \
--image=vulnerables/cve-2017-7494 -n test
Red Hat Advanced Cluster Security for Kubernetes automatically scans these deployments for security risk and policy violations as soon as they are submitted to the cluster. Navigate to the RHACS portal to view the violations. You can log in to the RHACS portal by using the default username admin and the generated password.