$ oc -n stackrox get secret proxy-config \
-o go-template='{{index .data "config.yaml" | \
base64decode}}{{"\n"}}' > /tmp/proxy-config.yaml
If your network configuration restricts outbound traffic through proxies, you can configure proxy settings in Red Hat Advanced Cluster Security for Kubernetes to route traffic through a proxy.
When you use a proxy with Red Hat Advanced Cluster Security for Kubernetes:
All outgoing HTTP, HTTPS, and other TCP traffic from Central and Scanner goes through the proxy.
Traffic between Central and Scanner does not go through the proxy.
The proxy configuration does not affect the other Red Hat Advanced Cluster Security for Kubernetes components.
When you are not using the offline mode, and a Collector running in a secured cluster needs to download an additional eBPF probe or kernel module at runtime:
The collector attempts to download them by contacting Sensor.
The Sensor then forwards this request to Central.
Central uses the proxy to locate the module or probe at https://collector-modules.stackrox.io
.
To configure a proxy in an existing deployment, you must export the proxy-config
secret as a YAML file, update your proxy configuration in that file, and upload it as a secret.
If you have configured a global proxy on your OpenShift Container Platform cluster, the Operator Lifecycle Manager (OLM) automatically configures Operators that it manages with the cluster-wide proxy. However, you can also configure installed Operators to override the global proxy or inject a custom certificate authority (CA) certificate. For more details, see Configuring proxy support in Operator Lifecycle Manager. |
Save the existing secret as a YAML file:
$ oc -n stackrox get secret proxy-config \
-o go-template='{{index .data "config.yaml" | \
base64decode}}{{"\n"}}' > /tmp/proxy-config.yaml
Edit the fields you want to modify in the YAML configuration file, as specified in the Configure proxy during installation section.
After you save the changes, run the following command to replace the secret:
$ oc -n stackrox create secret generic proxy-config \
--from-file=config.yaml=/tmp/proxy-config.yaml -o yaml --dry-run | \
oc label -f - --local -o yaml app.kubernetes.io/name=stackrox | \
oc apply -f -
|
When you are installing Red Hat Advanced Cluster Security for Kubernetes by using the roxctl
command-line interface (CLI) or Helm, you can specify your proxy configuration during the installation.
When you run the installer by using the roxctl central generate
command, the installer generates the secrets and deployment configuration files for your environment. You can configure a proxy by editing the generated configuration secret (YAML) file. Currently, you cannot configure proxies by using the roxctl
CLI. The configuration is stored in a Kubernetes secret and it is shared by both Central and Scanner.
Open the configuration file central/proxy-config-secret.yaml
from your deployment bundle directory.
If you are using Helm the configuration file is at |
Edit the fields you want to modify in the configuration file:
apiVersion: v1
kind: secret
metadata:
namespace: stackrox
name: proxy-config
type: Opaque
stringData:
config.yaml: |- (4)
# # NOTE: Both central and scanner should be restarted if this secret is changed.
# # While it is possible that some components will pick up the new proxy configuration
# # without a restart, it cannot be guaranteed that this will apply to every possible
# # integration etc.
# url: http://proxy.name:port (2)
# username: username (1)
# password: password (1)
# # If the following value is set to true, the proxy wil NOT be excluded for the default hosts:
# # - *.stackrox, *.stackrox.svc
# # - localhost, localhost.localdomain, 127.0.0.0/8, ::1
# # - *.local
# omitDefaultExcludes: false
# excludes: # hostnames (may include * components) for which you do not (3)
# # want to use a proxy, like in-cluster repositories.
# - some.domain
# # The following configuration sections allow specifying a different proxy to be used for HTTP(S) connections.
# # If they are omitted, the above configuration is used for HTTP(S) connections as well as TCP connections.
# # If only the `http` section is given, it will be used for HTTPS connections as well.
# # Note: in most cases, a single, global proxy configuration is sufficient.
# http:
# url: http://http-proxy.name:port (2)
# username: username (1)
# password: password (1)
# https:
# url: http://https-proxy.name:port (2)
# username: username (1)
# password: password (1)
1 | Adding a username and a password is optional, both at the beginning and in the http and https sections. |
||
2 | The url option supports the following URL schemes:
|
||
3 | The excludes list can contain DNS names (with or without * wildcards), IP addresses, or IP blocks in CIDR notation (for example, 10.0.0.0/8 ).
The values in this list are applied to all outgoing connections, regardless of protocol. |
||
4 | The |- line in the stringData section indicates the start of the configuration data.
|
After editing the configuration file, you can proceed with your usual installation. The updated configuration instructs Red Hat Advanced Cluster Security for Kubernetes to use the proxy running on the provided address and the port number.