$ oc -n stackrox get secret central-htpasswd -o go-template='{{index .data "password" | base64decode}}'
Central is the resource that contains the RHACS application management interface and services. It handles data persistence, API interactions, and RHACS portal access. You can use the same Central instance to secure multiple OpenShift Container Platform or Kubernetes clusters.
You can install Central on your OpenShift Container Platform or Kubernetes cluster by using one of the following methods:
Install using the Operator
Install using Helm charts
Install using the roxctl
CLI (do not use this method unless you have a specific installation need that requires using it)
Using the OperatorHub provided with OpenShift Container Platform is the easiest way to install Red Hat Advanced Cluster Security for Kubernetes.
You have access to an OpenShift Container Platform cluster using an account with Operator installation permissions.
You must be using OpenShift Container Platform 4.6 or later.
Navigate in the web console to the Operators → OperatorHub page.
If Red Hat Advanced Cluster Security for Kubernetes is not displayed, enter Advanced Cluster Security into the Filter by keyword box to find the Red Hat Advanced Cluster Security for Kubernetes Operator.
Select the Red Hat Advanced Cluster Security for Kubernetes Operator to view the details page.
Read the information about the Operator and click Install.
On the Install Operator page:
Keep the default value for Installation mode as All namespaces on the cluster.
Choose a specific namespace in which to install the Operator for the Installed namespace field. Red Hat recommends installing the Red Hat Advanced Cluster Security for Kubernetes Operator in the rhacs-operator namespace.
Select automatic or manual updates for Update approval.
If you choose automatic updates, when a new version of the Operator is available, Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator.
If you choose manual updates, when a newer version of the Operator is available, OLM creates an update request. As a cluster administrator, you must manually approve the update request to update the Operator to the latest version.
If you choose manual updates, you must update the RHACS Operator in all secured clusters when you update the RHACS Operator in the cluster where Central is installed. The secured clusters and the cluster where Central is installed must have the same version to ensure optimal functionality. |
Click Install.
After the installation completes, navigate to Operators → Installed Operators to verify that the Red Hat Advanced Cluster Security for Kubernetes Operator is listed with the status of Succeeded.
Install, configure, and deploy the Central
custom resource.
The main component of Red Hat Advanced Cluster Security for Kubernetes is called Central. You can install Central on OpenShift Container Platform by using the Central
custom resource. You deploy Central only once, and you can monitor multiple separate clusters by using the same Central installation.
When you install Red Hat Advanced Cluster Security for Kubernetes for the first time, you must first install the |
You must be using OpenShift Container Platform 4.6 or later.
On the OpenShift Container Platform web console, navigate to the Operators → Installed Operators page.
Select the Red Hat Advanced Cluster Security for Kubernetes Operator from the list of installed Operators.
If you have installed the Operator in the recommended namespace, OpenShift Container Platform lists the project as rhacs-operator
. Select Project: rhacs-operator → Create project.
|
Enter the new project name (for example, stackrox
), and click Create. Red Hat recommends that you use stackrox
as the project name.
Under the Provided APIs section, select Central. Click Create Central.
Enter a name for your Central
custom resource and add any labels you want to apply. Otherwise, accept the default values for the available options.
Click Create.
If you are using the cluster-wide proxy, Red Hat Advanced Cluster Security for Kubernetes uses that proxy configuration to connect to the external services. |
Verify Central installation.
Optional: Configure Central options.
Generate an init bundle containing the cluster secrets that allows communication between the Central
and SecuredCluster
resources. You need to download this bundle, use it to generate resources on the clusters you want to secure, and securely store it.
Install secured cluster services on each cluster you want to monitor.
After Central finishes installing, log in to the RHACS portal to verify the successful installation of Central.
On the OpenShift Container Platform web console, navigate to the Operators → Installed Operators page.
Select the Red Hat Advanced Cluster Security for Kubernetes Operator from the list of installed Operators.
Select the Central tab.
From the Centrals list, select stackrox-central-services
to view its details.
To get the password for the admin
user, you can either:
Click the link under Admin Password Secret Reference.
Use the Red Hat OpenShift CLI to enter the command listed under Admin Credentials Info:
$ oc -n stackrox get secret central-htpasswd -o go-template='{{index .data "password" | base64decode}}'
Find the link to the RHACS portal by using the Red Hat OpenShift CLI command:
$ oc -n stackrox get route central -o jsonpath="{.status.ingress[0].host}"
Alternatively, you can use the Red Hat Advanced Cluster Security for Kubernetes web console to find the link to the RHACS portal by performing the following commands:
Navigate to Networking → Routes.
Find the central Route and click on the RHACS portal link under the Location column.
Log in to the RHACS portal using the username admin and the password that you retrieved in a previous step. Until RHACS is completely configured (for example, you have the Central
resource and at least one SecuredCluster
resource installed and configured), no data is available in the dashboard. The SecuredCluster
resource can be installed and configured on the same cluster as the Central
resource. Clusters with the SecuredCluster
resource are similar to managed clusters in Red Hat Advanced Cluster Management (RHACM).
Optional: Configure central settings.
Generate an init bundle containing the cluster secrets that allows communication between the Central
and SecuredCluster
resources. You need to download this bundle, use it to generate resources on the clusters you want to secure, and securely store it.
Install secured cluster services on each cluster you want to monitor.
You can install Central using Helm charts without any customization, using the default values, or by using Helm charts with additional customizations of configuration parameters.
You can install RHACS on your cluster without any customizations. You must add the Helm chart repository and install the central-services
Helm chart to install the centralized components of Central and Scanner.
Add the RHACS charts repository.
$ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
The Helm repository for Red Hat Advanced Cluster Security for Kubernetes includes Helm charts for installing different components, including:
Central services Helm chart (central-services
) for installing the centralized components (Central and Scanner).
You deploy centralized components only once and you can monitor multiple separate clusters by using the same installation. |
Secured Cluster Services Helm chart (secured-cluster-services
) for installing the per-cluster (Sensor and Admission controller) and per-node (Collector) components.
Deploy the per-cluster components into each cluster that you want to monitor and deploy the per-node components in all nodes that you want to monitor. |
Run the following command to verify the added chart repository:
$ helm search repo -l rhacs/
Use the following instructions to install the central-services
Helm chart to deploy the centralized components (Central and Scanner).
You must have access to the Red Hat Container Registry. For information about downloading images from registry.redhat.io
, see Red Hat Container Registry Authentication.
Run the following command to install Central services and expose Central using a route:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.username=<username> \
--set imagePullSecrets.password=<password> \
--set central.exposure.route.enabled=true
Or, run the following command to install Central services and expose Central using a load balancer:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.username=<username> \
--set imagePullSecrets.password=<password> \
--set central.exposure.loadBalancer.enabled=true
Or, run the following command to install Central services and expose Central using port forward:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.username=<username> \
--set imagePullSecrets.password=<password>
|
The output of the installation command includes:
An automatically generated administrator password.
Instructions on storing all the configuration values.
Any warnings that Helm generates.
You can install RHACS on your Red Hat OpenShift cluster with customizations by using Helm chart configuration parameters with the helm install
and helm upgrade
commands. You can specify these parameters by using the --set
option or by creating YAML configuration files.
Create the following files for configuring the Helm chart for installing Red Hat Advanced Cluster Security for Kubernetes:
Public configuration file values-public.yaml
: Use this file to save all non-sensitive configuration options.
Private configuration file values-private.yaml
: Use this file to save all sensitive configuration options. Ensure that you store this file securely.
This section lists the configurable parameters of the values-private.yaml
file.
There are no default values for these parameters.
The credentials that are required for pulling images from the registry depend on the following factors:
If you are using a custom registry, you must specify these parameters:
imagePullSecrets.username
imagePullSecrets.password
image.registry
If you do not use a username and password to log in to the custom registry, you must specify one of the following parameters:
imagePullSecrets.allowNone
imagePullSecrets.useExisting
imagePullSecrets.useFromDefaultServiceAccount
Parameter | Description |
---|---|
|
The username of the account that is used to log in to the registry. |
|
The password of the account that is used to log in to the registry. |
|
Use |
|
A comma-separated list of secrets as values.
For example, |
|
Use |
If you are installing Red Hat Advanced Cluster Security for Kubernetes in a cluster that requires a proxy to connect to external services, you must specify your proxy configuration by using the proxyConfig
parameter.
For example:
env:
proxyConfig: |
url: http://proxy.name:port
username: username
password: password
excludes:
- some.domain
Parameter | Description |
---|---|
|
Your proxy configuration. |
Configurable parameters for Central.
For a new installation, you can skip the following parameters:
central.jwtSigner.key
central.serviceTLS.cert
central.serviceTLS.key
central.adminPassword.value
central.adminPassword.htpasswd
When you do not specify values for these parameters the Helm chart autogenerates values for them.
If you want to modify these values you can use the helm upgrade
command and specify the values using the --set
option.
For setting the administrator password, you can only use either |
Parameter | Description |
---|---|
|
A private key which Red Hat Advanced Cluster Security for Kubernetes should use for signing JSON web tokens (JWTs) for authentication. |
|
An internal certificate that the Central service should use for deploying Central. |
|
The private key of the internal certificate that the Central service should use. |
|
The user-facing certificate that Central should use. Red Hat Advanced Cluster Security for Kubernetes uses this certificate for RHACS portal.
|
|
The private key of the user-facing certificate that Central should use.
|
|
Administrator password for logging into Red Hat Advanced Cluster Security for Kubernetes. |
|
Administrator password for logging into Red Hat Advanced Cluster Security for Kubernetes. This password is stored in hashed format using bcrypt. |
If you are using
|
Configurable parameters for Scanner.
For a new installation, you can skip the following parameters and the Helm chart autogenerates values for them. Otherwise, if you are upgrading to a new version, specify the values for the following parameters:
scanner.dbPassword.value
scanner.serviceTLS.cert
scanner.serviceTLS.key
scanner.dbServiceTLS.cert
scanner.dbServiceTLS.key
Parameter | Description |
---|---|
|
The password to use for authentication with Scanner database. Do not modify this parameter because Red Hat Advanced Cluster Security for Kubernetes automatically creates and uses its value internally. |
|
An internal certificate that the Scanner service should use for deploying Scanner. |
|
The private key of the internal certificate that the Scanner service should use. |
|
An internal certificate that the Scanner-db service should use for deploying Scanner database. |
|
The private key of the internal certificate that the Scanner-db service should use. |
This section lists the configurable parameters of the values-public.yaml
file.
Image pull secrets are the credentials required for pulling images from your registry.
Parameter | Description |
---|---|
|
Use |
|
A comma-seprated list of secrets as values.
For example, |
|
Use |
Image declares the configuration to set up the main registry, which the Helm chart uses to resolve images for the central.image
, scanner.image
, and scanner.dbImage
parameters.
Parameter | Description |
---|---|
|
Address of your image registry.
Either use a hostname, such as |
Red Hat Advanced Cluster Security for Kubernetes automatically detects your cluster environment and sets values for env.openshift
, env.istio
, and env.platform
.
Only set these values to override the automatic cluster environment detection.
Parameter | Description |
---|---|
|
Use |
|
Use |
|
The platform on which you are installing Red Hat Advanced Cluster Security for Kubernetes.
Set its value to |
|
Use |
The Red Hat Advanced Cluster Security for Kubernetes automatically references the system root certificates to trust. When Central or Scanner must reach out to services that use certificates issued by an authority in your organization or a globally trusted partner organization, you can add trust for these services by specifying the root certificate authority to trust by using the following parameter:
Parameter | Description |
---|---|
|
Specify the PEM encoded certificate of the root certificate authority to trust. |
Configurable parameters for Central.
You must specify a persistent storage option as either hostPath
or persistentVolumeClaim
.
For exposing Central deployment for external access.
You must specify one parameter, either central.exposure.loadBalancer
, central.exposure.nodePort
, or central.exposure.route
.
When you do not specify any value for these parameters, you must manually expose Central or access it by using port-forwarding.
Parameter | Description |
---|---|
|
The endpoint configuration options for Central. |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes. |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes. |
|
Specify |
|
A custom registry that overrides the global |
|
The custom image name that overrides the default Central image name ( |
|
The custom image tag that overrides the default tag for Central image.
If you specify you own image tag during a new installation, you must manually increment this tag when you to upgrade to a new version by running the |
|
Full reference including registry address, image name, and image tag for the Central image.
Setting a value for this parameter overrides the |
|
The memory request for Central to override the default value. |
|
The CPU request for Central to override the default value. |
|
The memory limit for Central to override the default value. |
|
The CPU limit for Central to override the default value. |
|
The path on the node where Red Hat Advanced Cluster Security for Kubernetes should create a database volume. Red Hat does not recommend using this option. |
|
The name of the persistent volume claim (PVC) you are using. |
|
Use |
|
The size (in GiB) of the persistent volume managed by the specified claim. |
|
Use |
|
The port number on which to expose Central. The default port number is 443. |
|
Use |
|
The port number on which to expose Central. When you skip this parameter, OpenShift Container Platform automatically assigns a port number. Red Hat recommends that you do not specify a port number if you are exposing Red Hat Advanced Cluster Security for Kubernetes by using a node port. |
|
Use |
Configurable parameters for Scanner.
Parameter | Description |
---|---|
|
Use |
|
Specify |
|
The number of replicas to create for the Scanner deployment.
When you use it with the |
|
Configure the log level for Scanner.
Red Hat recommends that you not change the log level’s default value ( |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner. This parameter is mainly used for infrastructure nodes. |
|
Use |
|
The minimum number of replicas for autoscaling. |
|
The maximum number of replicas for autoscaling. |
|
The memory request for Scanner to override the default value. |
|
The CPU request for Scanner to override the default value. |
|
The memory limit for Scanner to override the default value. |
|
The CPU limit for Scanner to override the default value. |
|
The memory request for Scanner database deployment to override the default values. |
|
The CPU request for Scanner database deployment to override the default values. |
|
The memory limit for Scanner database deployment to override the default values. |
|
The CPU limit for Scanner database deployment to override the default values. |
|
A custom registry for the Scanner image. |
|
The custom image name that overrides the default Scanner image name ( |
|
A custom registry for the Scanner DB image. |
|
The custom image name that overrides the default Scanner DB image name ( |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB. This parameter is mainly used for infrastructure nodes. |
Use these parameters to specify additional attributes for all objects that Red Hat Advanced Cluster Security for Kubernetes creates.
Parameter | Description |
---|---|
|
A custom label to attach to all objects. |
|
A custom annotation to attach to all objects. |
|
A custom label to attach to all deployments. |
|
A custom annotation to attach to all deployments. |
|
A custom environment variable for all containers in all objects. |
|
A custom label to attach to all objects that Central creates. |
|
A custom annotation to attach to all objects that Central creates. |
|
A custom label to attach to all Central deployments. |
|
A custom annotation to attach to all Central deployments. |
|
A custom environment variable for all Central containers. |
|
A custom label to attach to all objects that Scanner creates. |
|
A custom annotation to attach to all objects that Scanner creates. |
|
A custom label to attach to all Scanner deployments. |
|
A custom annotation to attach to all Scanner deployments. |
|
A custom environment variable for all Scanner containers. |
|
A custom label to attach to all objects that Scanner DB creates. |
|
A custom annotation to attach to all objects that Scanner DB creates. |
|
A custom label to attach to all Scanner DB deployments. |
|
A custom annotation to attach to all Scanner DB deployments. |
|
A custom environment variable for all Scanner DB containers. |
You can also use:
the customize.other.service/*.labels
and the customize.other.service/*.annotations
parameters, to specify labels and annotations for all objects.
or, provide a specific service name, for example, customize.other.service/central-loadbalancer.labels
and customize.other.service/central-loadbalancer.annotations
as parameters and set their value.
The parameters specified in this section are for information only. Red Hat does not support Red Hat Advanced Cluster Security for Kubernetes instances with modified namespace and release names. |
Parameter | Description |
---|---|
|
Use |
|
Use |
After you configure the values-public.yaml
and values-private.yaml
files, install the central-services
Helm chart to deploy the centralized components (Central and Scanner).
Run the following command:
$ helm install -n stackrox --create-namespace \
stackrox-central-services rhacs/central-services \
-f <path_to_values_public.yaml> -f <path_to_values_private.yaml> (1)
1 | Use the -f option to specify the paths for your YAML configuration files. |
You can make changes to any configuration options after you have deployed the central-services
Helm chart.
Update the values-public.yaml
and values-private.yaml
configuration files with new values.
Run the helm upgrade
command and specify the configuration files using the -f
option:
$ helm upgrade -n stackrox \
stackrox-central-services rhacs/central-services \
-f <path_to_values_public.yaml> \
-f <path_to_values_private.yaml>
You can also specify configuration values using the |
For production environments, Red Hat recommends using the Operator or Helm charts to install RHACS. Do not use the |
To install Red Hat Advanced Cluster Security for Kubernetes you must install the roxctl
CLI by downloading the binary.
You can install roxctl
on Linux, Windows, or macOS.
You can install the roxctl
CLI binary on Linux by using the following procedure.
Download the latest version of the roxctl
CLI:
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.74.9/bin/Linux/roxctl
Make the roxctl
binary executable:
$ chmod +x roxctl
Place the roxctl
binary in a directory that is on your PATH
:
To check your PATH
, execute the following command:
$ echo $PATH
Verify the roxctl
version you have installed:
$ roxctl version
You can install the roxctl
CLI binary on macOS by using the following procedure.
Download the latest version of the roxctl
CLI:
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.74.9/bin/Darwin/roxctl
Remove all extended attributes from the binary:
$ xattr -c roxctl
Make the roxctl
binary executable:
$ chmod +x roxctl
Place the roxctl
binary in a directory that is on your PATH
:
To check your PATH
, execute the following command:
$ echo $PATH
Verify the roxctl
version you have installed:
$ roxctl version
You can install the roxctl
CLI binary on Windows by using the following procedure.
Download the latest version of the roxctl
CLI:
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.74.9/bin/Windows/roxctl.exe
Verify the roxctl
version you have installed:
$ roxctl version
Use the interactive installer to generate the required secrets, deployment configurations, and deployment scripts for your environment.
Run the interactive install command:
$ roxctl central generate interactive
Installing Red Hat Advanced Cluster Security for Kubernetes using |
Press Enter to accept the default value for a prompt or enter custom values as required.
Enter path to the backup bundle from which to restore keys and certificates (optional):
Enter PEM cert bundle file (optional): (1)
Enter administrator password (default: autogenerated):
Enter orchestrator (k8s, openshift): openshift
Enter the directory to output the deployment bundle to (default: "central-bundle"):
Enter the OpenShift major version (3 or 4) to deploy on (default: "0"): 4
Enter Istio version when deploying into an Istio-enabled cluster (leave empty when not running Istio) (optional):
Enter the method of exposing Central (route, lb, np, none) (default: "none"): route (2)
Enter main image to use (default: "stackrox.io/main:3.0.61.1"):
Enter whether to run StackRox in offline mode, which avoids reaching out to the Internet (default: "false"):
Enter whether to enable telemetry (default: "true"):
Enter the deployment tool to use (kubectl, helm, helm-values) (default: "kubectl"):
Enter Scanner DB image to use (default: "stackrox.io/scanner-db:2.15.2"):
Enter Scanner image to use (default: "stackrox.io/scanner:2.15.2"):
Enter Central volume type (hostpath, pvc): pvc (3)
Enter external volume name (default: "stackrox-db"):
Enter external volume size in Gi (default: "100"):
Enter storage class name (optional if you have a default StorageClass configured):
1 | If you want to add a custom TLS certificate, provide the file path for the PEM-encoded certificate. When you specify a custom certificate the interactive installer also prompts you to provide a PEM private key for the custom certificate you are using. |
2 | To use the RHACS portal, you must expose Central by using a route, a load balancer or a node port. |
3 | If you plan to install Red Hat Advanced Cluster Security for Kubernetes on OpenShift Container Platform with a hostPath volume, you must modify the SELinux policy. |
On OpenShift Container Platform, for using a hostPath volume, you must modify the SELinux policy to allow access to the directory, which the host and the container share. It is because SELinux blocks directory sharing by default. To modify the SELinux policy, run the following command:
However, Red Hat does not recommend modifying the SELinux policy, instead use PVC when installing on OpenShift Container Platform. |
On completion, the installer creates a folder named central-bundle, which contains the necessary YAML manifests and scripts to deploy Central. In addition, it shows on-screen instructions for the scripts you need to run to deploy additional trusted certificate authorities, Central and Scanner, and the authentication instructions for logging into the RHACS portal along with the autogenerated password if you did not provide one when answering the prompts.
After you run the interactive installer, you can run the setup.sh
script to install Central.
Run the setup.sh
script to configure image registry access:
$ ./central-bundle/central/scripts/setup.sh
Create the necessary resources:
$ oc create -R -f central-bundle/central
Check the deployment progress:
$ oc get pod -n stackrox -w
After Central is running, find the RHACS portal IP address and open it in your browser. Depending on the exposure method you selected when answering the prompts, use one of the following methods to get the IP address.
Exposure method | Command | Address | Example |
---|---|---|---|
Route |
|
The address under the |
|
Node Port |
|
IP or hostname of any node, on the port shown for the service |
|
Load Balancer |
|
EXTERNAL-IP or hostname shown for the service, on port 443 |
|
None |
|
|
|
If you have selected autogenerated password during the interactive install, you can run the following command to see it for logging into Central:
|