This is a cache of https://docs.openshift.com/acs/4.5/cli/command-reference/roxctl-central.html. It is a snapshot of the page at 2024-11-25T18:10:36.644+0000.
roxctl c<strong>e</strong>ntral - roxctl CLI command r<strong>e</strong>f<strong>e</strong>r<strong>e</strong>nc<strong>e</strong> | roxctl CLI | R<strong>e</strong>d Hat Advanc<strong>e</strong>d Clust<strong>e</strong>r S<strong>e</strong>curity for Kub<strong>e</strong>rn<strong>e</strong>t<strong>e</strong>s 4.5
&times;

Commands related to the Central service.

Usage
$ roxctl central [command] [flags]
Table 1. Available commands
Command Description

backup

Create a backup of the Red Hat Advanced Cluster Security for Kubernetes (RHACS) database and the certificates.

cert

Download the certificate chain for the Central service.

db

Control the database operations.

debug

Debug the Central service.

generate

Generate the required YAML configuration files containing the orchestrator objects for the deployment of Central.

init-bundles

Initialize bundles for Central.

login

Log in to the Central instance to obtain a token.

userpki

Manage the user certificate authorization providers.

whoami

Display information about the current user and their authentication method.

roxctl central command options inherited from the parent command

The roxctl central command supports the following options inherited from the parent roxctl command:

Option Description

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CeRT_FILe environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIReCT_GRPC_CLIeNT environment variable to true, you can enable direct gRPC . The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_eNDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIeNT_FORCe_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

enable insecure connection options. Alternatively, by setting the ROX_INSeCURe_CLIeNT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSeCURe_CLIeNT_SKIP_TLS_VeRIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTeXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SeRVeR_NAMe environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKeN environment variable.

These options are applicable to all the sub-commands of the roxctl central command.

roxctl central backup

Create a backup of the RHACS database and certificates.

Usage
$ roxctl central backup [flags]
Table 2. Options
Option Description

--certs-only

Specify to only back up the certificates. When using an external database, this option is used to generate a backup bundle with certificates. The default value is false.

--output string

Specify where you want to save the backup. The behavior depends on the specified path:

  • If the path is a file path, the backup is written to the file and overwrites it if it already exists. The directory must exist.

  • If the path is a directory, the backup is saved in this directory under the file name that the server specifies.

  • If this argument is omitted, the backup is saved in the current working directory under the file name that the server specifies.

-t, --timeout duration

Specify the timeout for API requests. It represents the maximum duration of a request. The default value is 1h0m0s.

roxctl central cert

Download the certificate chain for the Central service.

Usage
$ roxctl central cert [flags]
Table 3. Options
Option Description

--output string

Specify the file name to which you want to save the PeM certificate. You can generate a standard output by using -. The default value is -.

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

roxctl central login

Login to the Central instance to obtain a token.

Usage
$ roxctl central login [flags]
Table 4. Options
Option Description

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 5m0s.

roxctl central whoami

Display information about the current user and their authentication method.

Usage
$ roxctl central whoami [flags]
Table 5. Options
Option Description

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

roxctl central db

Control the database operations.

Usage
$ roxctl central db [flags]
Table 6. Options
Option Description

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1h0m0s.

roxctl central db restore

Restore the RHACS database from a previous backup.

Usage
$ roxctl central db restore <file> [flags] (1)
1 For <file>, specify the database backup file that you want to restore.
Table 7. Options
Option Description

-f, --force

If set to true, the restoration is performed without confirmation. The default value is false.

--interrupt

If set to true, it interrupts the running restore process to allow it to continue. The default value is false.

roxctl central db generate

Generate a Central database bundle.

Usage
$ roxctl central db generate [flags]
Table 8. Options
Option Description

--debug

If set to true, templates are read from the local file system. The default value is false.

--debug-path string

Specify the path to the Helm templates in your local file system. For more details, run the roxctl central db generate command.

--enable-pod-security-policies

If set to true, PodSecurityPolicy resources are created. The default value is true.

roxctl central db generate k8s

Generate Kubernetes YAML files for deploying Central’s database components.

Usage
$ roxctl central db generate k8s [flags]
Table 9. Options
Option Description

--central-db-image string

Specify the Central database image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--image-defaults string

Specify the default settings for container images. It controls the repositories from which the images are downloaded, the image names and the format of the tags. The default value is development_build.

--output-dir output directory

Specify the directory to which you want to save the deployment bundle. The default value is central-db-bundle.

roxctl central db restore cancel

Cancel the ongoing Central database restore process.

Usage
$ roxctl central db restore cancel [flags]
Table 10. Options
Option Description

f, --force

If set to true, proceed with the cancellation without confirmation. The default value is false.

roxctl central db restore status

Display information about the ongoing database restore process.

Usage
$ roxctl central db restore status [flags]

roxctl central db generate k8s pvc

Generate Kubernetes YAML files for persistent volume claims (PVCs) in Central.

Usage
$ roxctl central db generate k8s pvc [flags]
Table 11. Options
Option Description

--name string

Specify the external volume name for the Central database. The default value is central-db.

--size uint32

Specify the external volume size in gigabytes for the Central database. The default value is 100.

--storage-class string

Specify the storage class name for the Central database. This is optional if you have a default storage class configured.

roxctl central db generate openshift

Generate an OpenShift YAML manifest for deploying a Central database instance on a Red Hat OpenShift cluster.

Usage
$ roxctl central db generate openshift [flags]
Table 12. Options
Option Description

--central-db-image string

Specify the Central database image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--image-defaults string

Specify the default settings for container images. It controls the repositories from which the images are downloaded, the image names and the format of the tags. The default value is development_build.

--openshift-version int

Specify the Red Hat OpenShift major version 3 or 4 for the deployment. The default value is 3.

--output-dir output-directory

Specify the directory to which you want to save the deployment bundle. The default value is central-db-bundle.

roxctl central db generate k8s hostpath

Generate a Kubernetes YAML manifest for a database deployment with a hostpath volume type in Central.

Usage
$ roxctl central db generate k8s hostpath [flags]
Table 13. Options
Option Description

--hostpath string

Specify the path on the host. The default value is /var/lib/stackrox-central-db.

--node-selector-key string

Specify the node selector key. Valid values include kubernetes.io and hostname.

--node-selector-value string

Specify the node selector value.

roxctl central db generate openshift pvc

Generate an OpenShift YAML manifest for a database deployment with a persistent volume claim (PVC) in Central.

Usage
$ roxctl central db generate openshift pvc [flags]
Table 14. Options
Option Description

--name string

Specify the external volume name for the Central database. The default value is central-db.

--size uint32

Specify the external volume size in gigabytes for the Central database. The default value is 100.

--storage-class string

Specify the storage class name for the Central database. This is optional if you have a default storage class configured.

roxctl central db generate openshift hostpath

Add a hostpath external volume to the Central database.

Usage
$ roxctl central db generate openshift hostpath [flags]
Table 15. Options
Option Description

--hostpath string

Specify the path on the host. The default value is /var/lib/stackrox-central-db.

--node-selector-key string

Specify the node selector key. Valid values include kubernetes.io and hostname.

--node-selector-value string

Specify the node selector value.

roxctl central debug

Debug the Central service.

Usage
$ roxctl central debug [flags]

roxctl central debug db

Control the debugging of the database.

Usage
$ roxctl central debug db [flags]
Table 16. Options
Option Description

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

roxctl central debug log

Retrieve the current log level.

Usage
$ roxctl central debug log [flags]
Table 17. Options
Option Description

-l, --level string

Specify the log level to which you want to set the modules. Valid values include Debug, Info, Warn, error, Panic, and Fatal.

-m, --modules strings

Specify the modules to which you want to apply the command.

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests, which is the maximum duration of a request. The default value is 1m0s.

roxctl central debug dump

Download a bundle containing the debug information for Central.

Usage
$ roxctl central debug dump [flags]
Table 18. Options
Option Description

--logs

If set to true, logs are included in the Central dump. The default value is false.

--output-dir string

Specify the output directory for the bundle content. The default value is an automatically generated directory name within the current directory.

-t, --timeout duration

Specify the timeout for API requests, which is the maximum duration of a request. The default value is 5m0s.

roxctl central debug db stats

Control the statistics of the Central database.

Usage
$ roxctl central debug db stats [flags]

roxctl central debug authz-trace

enable or disable authorization tracing in Central for debugging purposes.

Usage
$ roxctl central debug authz-trace [flags]
Table 19. Options
Option Description

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 20m0s.

roxctl central debug db stats reset

Reset the statistics of the Central database.

Usage
$ roxctl central debug db stats reset [flags]

roxctl central debug download-diagnostics

Download a bundle containing a snapshot of diagnostic information about the platform.

Usage
$ roxctl central debug download-diagnostics [flags]
Table 20. Options
Option Description

--clusters strings

Specify a comma-separated list of the Sensor clusters from which you want to collect the logs.

--output-dir string

Specify the output directory in which you want to save the diagnostic bundle.

--since string

Specify the timestamp from which you want to collect the logs from the Sensor clusters.

-t, --timeout duration

Specify the timeout for API requests, which specifies the maximum duration of a request. The default value is 5m0s.

roxctl central generate

Generate the required YAML configuration files that contain the orchestrator objects to deploy Central.

Usage
$ roxctl central generate [flags]
Table 21. Options
Option Description

--backup-bundle string

Specify the path to the backup bundle from which you want to restore the keys and certificates.

--debug

If set to true, templates are read from the local file system. The default value is false.

--debug-path string

Specify the path to Helm templates on your local file system. For more details, run the roxctl central generate --help command.

--default-tls-certfile

Specify the PeM certificate bundle file that you want to use as the default.

--default-tls-keyfile

Specify the PeM private key file that you want to use as the default.

--enable-pod-security-policies

If set to true, PodSecurityPolicy resources are created. The default value is true.

-p, --password string

Specify the administrator password. The default value is automatically generated.

--plaintext-endpoints string

Specify the ports or endpoints you want to use for unencrypted exposure as a comma-separated list.

roxctl central generate k8s

Generate the required YAML configuration files to deploy Central into a Kubernetes cluster.

Usage
$ roxctl central generate k8s [flags]
Table 22. Options
Option Description

--central-db-image string

Specify the Central database image you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--declarative-config-config-maps strings

Specify a list of configuration maps that you want to add as declarative configuration mounts in Central.

--declarative-config-secrets strings

Specify a list of secrets that you want to add as declarative configuration mounts in Central.

--enable-telemetry

Specify whether you want to enable telemetry. The default value is false.

--image-defaults string

Specify the default settings for container images. The specified settings control the repositories from which the images are downloaded, the image names and the format of the tags. The default value is development_build.

--istio-support version

Generate deployment files that support the specified Istio version. Valid values include 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, and 1.7.

--lb-type load balancer type

Specify the method in which you want to suspend Central. Valid values include lb, np and none. The default value is none.

-i, --main-image string

Specify the main image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--offline

Specify whether you want to run RHACS in offline mode, avoiding a connection to the Internet. The default value is false.

--output-dir output directory

Specify the directory to which you want to save the deployment bundle. The default value is central-bundle.

--output-format output format

Specify the deployment tool that you want to use. Valid values include kubectl, helm, and helm-values. The default value is kubectl.

--scanner-db-image string

Specify the Scanner database image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--scanner-image string

Specify the Scanner image that you want to use. If not specified, a default value corresponding to the `--image-defaults" is used.

roxctl central generate k8s pvc

Generate Kubernetes YAML files for persistent volume claims (PVCs) in Central.

Usage
$ roxctl central generate k8s pvc [flags]
Table 23. Options
Option Description

--db-name string

Specify the external volume name for the Central database. The default value is central-db.

--db-size uint32

Specify the external volume size in gigabytes for the Central database. The default value is 100.

--db-storage-class string

Specify the storage class name for the Central database. This is optional if you have a default storage class configured.

--name string

Specify the external volume name for Central. The default value is stackrox-db.

--size uint32

Specify the external volume size in gigabytes for Central. The default value is 100.

--storage-class string

Specify the storage class name for Central. This is optional if you have a default storage class configured.

roxctl central generate openshift

Generate the required YAML configuration files to deploy Central in a Red Hat OpenShift cluster.

Usage
$ roxctl central generate openshift [flags]
Table 24. Options
Option Description

--central-db-image string

Specify the Central database image that you want to use. If not specified, a default value is created corresponding to the --image-defaults.

--declarative-config-config-maps strings

Specify a list of configuration maps that you want to add as declarative configuration mounts in Central.

--declarative-config-secrets strings

Specify a list of secrets that you want to add as declarative configuration mounts in Central.

--enable-telemetry

Specify whether you want to enable telemetry. The default value is false.

--image-defaults string

Specify the default settings for container images. It controls the repositories from which the images are downloaded, the image names and the format of the tags. The default value is development_build.

--istio-support version

Generate deployment files that support the specified Istio version. Valid values include 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, and 1.7.

--lb-type load balancer type

Specify the method of exposing Central. Valid values include route, lb, np and none. The default value is none.

-i, --main-image string

Specify the main image that you want to use. If not specified, a default value corresponding to --image-defaults is used.

--offline

Specify whether you want to run RHACS in offline mode, avoiding a connection to the Internet. The default value is false.

--openshift-monitoring false|true|auto[=true]

Specify integration with Red Hat OpenShift 4 monitoring. The default value is auto.

--openshift-version int

Specify the Red Hat OpenShift major version 3 or 4 for the deployment.

--output-dir output directory

Specify the directory to which you want to save the deployment bundle. The default value is central-bundle.

--output-format output format

Specify the deployment tool that you want to use. Valid values include kubectl, helm and helm-values. The default value is kubectl.

--scanner-db-image string

Specify the Scanner database image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--scanner-image string

Specify the Scanner image that you want to use. If not specified, a default value corresponding to --image-defaults is used.

roxctl central generate interactive

Generate interactive resources in Central.

Usage
$ roxctl central generate interactive [flags]

roxctl central generate k8s hostpath

Generate a Kubernetes YAML manifest for deploying a Central instance by using the hostpath volume type.

Usage
$ roxctl central generate k8s hostpath [flags]
Table 25. Options
Option Description

--db-hostpath string

Specify the path on the host for the Central database. The default value is /var/lib/stackrox-central.

--db-node-selector-key string

Specify the node selector key for the Central database. Valid values include kubernetes.io and hostname.

--db-node-selector-value string

Specify the node selector value for the Central database.

--hostpath string

Specify the path on the host. The default value is /var/lib/stackrox.

--node-selector-key string

Specify the node selector key. Valid values include kubernetes.io and hostname.

--node-selector-value string

Specify the node selector value.

roxctl central generate openshift pvc

Generate a OpenShift YAML manifest for deploying a persistent volume claim (PVC) in Central.

Usage
$ roxctl central generate openshift pvc [flags]
Table 26. Options
Option Description

--db-name string

Specify the external volume name for the Central database. The default value is central-db.

--db-size uint32

Specify the external volume size in gigabytes for the Central database. The default value is 100.

--db-storage-class string

Specify the storage class name for the Central database. This is optional if you have a default storage class configured.

--name string

Specify the external volume name for Central. The default value is stackrox-db.

--size uint32

Specify the external volume size in gigabytes for Central. The default value is 100.

--storage-class string

Specify the storage class name for Central. This is optional if you have a default storage class configured.

roxctl central generate openshift hostpath

Add a hostpath external volume to the deployment definition in Red Hat OpenShift.

Usage
$ roxctl central generate openshift hostpath [flags]
Table 27. Options
Option Description

--db-hostpath string

Specify the path on the host for the Central database. The default value is /var/lib/stackrox-central.

--db-node-selector-key string

Specify the node selector key. Valid values include kubernetes.io and hostname for the Central database.

--db-node-selector-value string

Specify the node selector value for the Central database.

--hostpath string

Specify the path on the host. The default value is /var/lib/stackrox.

--node-selector-key string

Specify the node selector key. Valid values include kubernetes.io and hostname.

--node-selector-value string

Specify the node selector value.

roxctl central init-bundles

Initialize bundles in Central.

Usage
$ roxctl central init-bundles [flag]
Table 28. Options
Option Description

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of 0s means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

roxctl central init-bundles list

List the available initialization bundles in Central.

Usage
$ roxctl central init-bundles list [flags]

roxctl central init-bundles revoke

Revoke one or more cluster initialization bundles in Central.

Usage
$ roxctl central init-bundles revoke <init_bundle_ID or name> [<init_bundle_ID or name> ...] [flags] (1)
1 For <init_bundle_ID or name>, specify the ID or the name of the initialization bundle that you want to revoke. You can provide multiple IDs or names separated by using spaces.

roxctl central init-bundles fetch-ca

Fetch the certificate authority (CA) bundle from Central.

Usage
$ roxctl central init-bundles fetch-ca [flags]
Table 29. Options
Option Description

--output string

Specify the file that you want to use for storing the CA configuration.

roxctl central init-bundles generate

Generate a new cluster initialization bundle.

Usage
$ roxctl central init-bundles generate <init_bundle_name> [flags] (1)
1 For <init_bundle_name>, specify the name for the initialization bundle you want to generate.
Table 30. Options
Option Description

--output string

Specify the file you want to use for storing the newly generated initialization bundle in the Helm configuration form. You can generate a standard output by using -.

--output-secrets string

Specify the file that you want to use for storing the newly generated initialization bundle in Kubernetes secret form. You can generate a standard by using -.

roxctl central userpki

Manage the user certificate authorization providers.

Usage
$ roxctl central userpki [flags]

roxctl central userpki list

Display all the user certificate authentication providers.

Usage
$ roxctl central userpki list [flags]
Table 31. Options
Option Description

-j, --json

enable the JSON output. The default value is false.

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

roxctl central userpki create

Create a new user certificate authentication provider.

Usage
$ roxctl central userpki create name [flags]
Table 32. Options
Option Description

-c, --cert strings

Specify the PeM files of the root CA certificates. You can specify several certificate files.

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-r, --role string

Specify the minimum access role for users of this provider.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

roxctl central userpki delete

Delete a user certificate authentication provider.

Usage
$ roxctl central userpki delete id|name [flags]
Table 33. Options
Option Description

-f, --force

If set to true, proceed with the deletion without confirmation. The default value is false.

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.