Configuring Secured <strong>cluster</strong> services options for RHACS using the Operator - Installing RHACS on Red Hat OpenShift | Installing | Red Hat Advanced <strong>cluster</strong> Security for Kubernetes 4.4

Secured cluster services configuration options
Customizing the installation using the Operator with overlays
- Overlays
- Overlay examples

When installing Secured cluster services by using the Operator, you can configure optional settings.

Secured cluster services configuration options

When you create a Central instance, the Operator lists the following configuration options for the Central custom resource.

Required Configuration Settings

Parameter Description

Parameter	Description
`centralEndpoint`	The endpoint of Central instance to connect to, including the port number. If using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with `wss://`. If you do not specify a value for this parameter, Sensor attempts to connect to a Central instance running in the same namespace.
`clusterName`	The unique name of this cluster, which shows up in the RHACS portal. After you set the name by using this parameter, you cannot change it again. To change the name, you must delete and re-create the object.

centralEndpoint

The endpoint of Central instance to connect to, including the port number. If using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with wss://. If you do not specify a value for this parameter, Sensor attempts to connect to a Central instance running in the same namespace.

clusterName

The unique name of this cluster, which shows up in the RHACS portal. After you set the name by using this parameter, you cannot change it again. To change the name, you must delete and re-create the object.

Admission controller settings

Parameter Description

Parameter	Description
`admissionControl.listenOnCreates`	Specify `true` to enable preventive policy enforcement for object creations. The default value is `true`.
`admissionControl.listenOnEvents`	Specify `true` to enable monitoring and enforcement for Kubernetes events, such as `port-forward` and `exec` events. It is used to control access to resources through the Kubernetes API. The default value is `true`.
`admissionControl.listenOnUpdates`	Specify `true` to enable preventive policy enforcement for object updates. It will not have any effect unless `Listen On Creates` is set to `true` as well. The default value is `true`.
`admissionControl.nodeSelector`	If you want this component to only run on specific nodes, you can configure a node selector using this parameter.
`admissionControl.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Admission Control. This parameter is mainly used for infrastructure nodes.
`admissionControl.resources.limits`	Use this parameter to override the default resource limits for the admission controller.
`admissionControl.resources.requests`	Use this parameter to override the default resource requests for the admission controller.
`admissionControl.bypass`	Use one of the following values to configure the bypassing of admission controller enforcement: `BreakGlassAnnotation` to enable bypassing the admission controller via the `admission.stackrox.io/break-glass` annotation. `Disabled` to disable the ability to bypass admission controller enforcement for the secured cluster. The default value is `BreakGlassAnnotation`.
`admissionControl.contactImageScanners`	Use one of the following values to specify if the admission controller must connect to the image scanner: `ScanIfMissing` if the scan results for the image are missing. `DoNotScanInline` to skip scanning the image when processing the admission request. The default value is `DoNotScanInline`.
`admissionControl.timeoutSeconds`	Use this parameter to specify the maximum number of seconds Red Hat Advanced cluster Security for Kubernetes must wait for an admission review before marking it as fail open.

admissionControl.listenOnCreates

Specify true to enable preventive policy enforcement for object creations. The default value is true.

admissionControl.listenOnEvents

Specify true to enable monitoring and enforcement for Kubernetes events, such as port-forward and exec events. It is used to control access to resources through the Kubernetes API. The default value is true.

admissionControl.listenOnUpdates

Specify true to enable preventive policy enforcement for object updates. It will not have any effect unless Listen On Creates is set to true as well. The default value is true.

admissionControl.nodeSelector

If you want this component to only run on specific nodes, you can configure a node selector using this parameter.

admissionControl.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Admission Control. This parameter is mainly used for infrastructure nodes.

admissionControl.resources.limits

Use this parameter to override the default resource limits for the admission controller.

admissionControl.resources.requests

Use this parameter to override the default resource requests for the admission controller.

admissionControl.bypass

Use one of the following values to configure the bypassing of admission controller enforcement:

BreakGlassAnnotation to enable bypassing the admission controller via the admission.stackrox.io/break-glass annotation.
Disabled to disable the ability to bypass admission controller enforcement for the secured cluster.

The default value is BreakGlassAnnotation.

admissionControl.contactImageScanners

Use one of the following values to specify if the admission controller must connect to the image scanner:

ScanIfMissing if the scan results for the image are missing.
DoNotScanInline to skip scanning the image when processing the admission request.

The default value is DoNotScanInline.

admissionControl.timeoutSeconds

Use this parameter to specify the maximum number of seconds Red Hat Advanced cluster Security for Kubernetes must wait for an admission review before marking it as fail open.

Scanner configuration

Use Scanner configuration settings to modify the local cluster scanner for the integrated OpenShift image registry.

Parameter Description

Parameter	Description
`scanner.analyzer.nodeSelector`	Specify a node selector label as `label-key: label-value` to force Scanner to only schedule on nodes with the specified label.
`scanner.analyzer.resources.requests.memory`	The memory request for the Scanner container. Use this parameter to override the default value.
`scanner.analyzer.resources.requests.cpu`	The CPU request for the Scanner container. Use this parameter to override the default value.
`scanner.analyzer.resources.limits.memory`	The memory limit for the Scanner container. Use this parameter to override the default value.
`scanner.analyzer.resources.limits.cpu`	The CPU limit for the Scanner container. Use this parameter to override the default value.
`scanner.analyzer.scaling.autoscaling`	If you set this option to `Disabled`, Red Hat Advanced cluster Security for Kubernetes disables autoscaling on the Scanner deployment. The default value is `Enabled`.
`scanner.analyzer.scaling.minReplicas`	The minimum number of replicas for autoscaling. The default value is `2`.
`scanner.analyzer.scaling.maxReplicas`	The maximum number of replicas for autoscaling. The default value is `5`.
`scanner.analyzer.scaling.replicas`	The default number of replicas. The default value is `3`.
`scanner.analyzer.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner.
`scanner.db.nodeSelector`	Specify a node selector label as `label-key: label-value` to force Scanner DB to only schedule on nodes with the specified label.
`scanner.db.resources.requests.memory`	The memory request for the Scanner DB container. Use this parameter to override the default value.
`scanner.db.resources.requests.cpu`	The CPU request for the Scanner DB container. Use this parameter to override the default value.
`scanner.db.resources.limits.memory`	The memory limit for the Scanner DB container. Use this parameter to override the default value.
`scanner.db.resources.limits.cpu`	The CPU limit for the Scanner DB container. Use this parameter to override the default value.
`scanner.db.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB.
`scanner.scannerComponent`	If you set this option to `Disabled`, Red Hat Advanced cluster Security for Kubernetes does not deploy the Scanner deployment. Do not disable the Scanner on OpenShift Container Platform clusters. The default value is `AutoSense`.
`scannerV4.db.nodeSelector`	If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.
`scannerV4.db.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner V4 DB. This parameter is mainly used for infrastructure nodes.
`scannerV4.db.resources.limits`	Use this parameter to override the default resource limits for Scanner V4 DB.
`scannerV4.db.resources.requests`	Use this parameter to override the default resource requests for Scanner V4 DB.
`scannerV4.db.persistence.persistentVolumeClaim.claimName`	The name of the PVC to manage persistent data for Scanner V4. If no PVC with the given name exists, it is created. The default value is `scanner-v4-db` if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.
`scannerV4.indexer.nodeSelector`	If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.
`scannerV4.indexer.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Indexer. This parameter is mainly used for infrastructure nodes.
`scannerV4.indexer.resources.limits`	Use this parameter to override the default resource limits for the Scanner V4 Indexer.
`scannerV4.indexer.resources.requests`	Use this parameter to override the default resource requests for the Scanner V4 Indexer.
`scannerV4.indexer.scaling.autoScaling`	When enabled, the number of Scanner V4 Indexer replicas is managed dynamically based on the load, within the limits specified.
`scannerV4.indexer.scaling.maxReplicas`	Specifies the maximum replicas to be used in the Scanner V4 Indexer autoscaling configuration.
`scannerV4.indexer.scaling.minReplicas`	Specifies the minimum replicas to be used in the Scanner V4 Indexer autoscaling configuration.
`scannerV4.indexer.scaling.replicas`	When autoscaling is disabled for the Scanner V4 Indexer, the number of replicas is always configured to match this value.
`scannerV4.monitoring.exposeEndpoint`	Configures a monitoring endpoint for Scanner V4. The monitoring endpoint allows other services to collect metrics from Scanner V4, provided in a Prometheus-compatible format. Use `Enabled` to expose the monitoring endpoint. When you enable monitoring, RHACS creates a new service, `monitoring`, with port 9090, and a network policy allowing inbound connections to the port. By default, this is not enabled.
`scannerV4.scannerComponent`	Enables Scanner V4. The default value is `default`, which is disabled. To enable Scanner V4, set this parameter to `Enabled`.

scanner.analyzer.nodeSelector

Specify a node selector label as label-key: label-value to force Scanner to only schedule on nodes with the specified label.

scanner.analyzer.resources.requests.memory

The memory request for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.resources.requests.cpu

The CPU request for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.resources.limits.memory

The memory limit for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.resources.limits.cpu

The CPU limit for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.scaling.autoscaling

If you set this option to Disabled, Red Hat Advanced cluster Security for Kubernetes disables autoscaling on the Scanner deployment. The default value is Enabled.

scanner.analyzer.scaling.minReplicas

The minimum number of replicas for autoscaling. The default value is 2.

scanner.analyzer.scaling.maxReplicas

The maximum number of replicas for autoscaling. The default value is 5.

scanner.analyzer.scaling.replicas

The default number of replicas. The default value is 3.

scanner.analyzer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner.

scanner.db.nodeSelector

Specify a node selector label as label-key: label-value to force Scanner DB to only schedule on nodes with the specified label.

scanner.db.resources.requests.memory

The memory request for the Scanner DB container. Use this parameter to override the default value.

scanner.db.resources.requests.cpu

The CPU request for the Scanner DB container. Use this parameter to override the default value.

scanner.db.resources.limits.memory

The memory limit for the Scanner DB container. Use this parameter to override the default value.

scanner.db.resources.limits.cpu

The CPU limit for the Scanner DB container. Use this parameter to override the default value.

scanner.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB.

scanner.scannerComponent

If you set this option to Disabled, Red Hat Advanced cluster Security for Kubernetes does not deploy the Scanner deployment. Do not disable the Scanner on OpenShift Container Platform clusters. The default value is AutoSense.

scannerV4.db.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scannerV4.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner V4 DB. This parameter is mainly used for infrastructure nodes.

scannerV4.db.resources.limits

Use this parameter to override the default resource limits for Scanner V4 DB.

scannerV4.db.resources.requests

Use this parameter to override the default resource requests for Scanner V4 DB.

scannerV4.db.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data for Scanner V4. If no PVC with the given name exists, it is created. The default value is scanner-v4-db if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.

scannerV4.indexer.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scannerV4.indexer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Indexer. This parameter is mainly used for infrastructure nodes.

scannerV4.indexer.resources.limits

Use this parameter to override the default resource limits for the Scanner V4 Indexer.

scannerV4.indexer.resources.requests

Use this parameter to override the default resource requests for the Scanner V4 Indexer.

scannerV4.indexer.scaling.autoScaling

When enabled, the number of Scanner V4 Indexer replicas is managed dynamically based on the load, within the limits specified.

scannerV4.indexer.scaling.maxReplicas

Specifies the maximum replicas to be used in the Scanner V4 Indexer autoscaling configuration.

scannerV4.indexer.scaling.minReplicas

Specifies the minimum replicas to be used in the Scanner V4 Indexer autoscaling configuration.

scannerV4.indexer.scaling.replicas

When autoscaling is disabled for the Scanner V4 Indexer, the number of replicas is always configured to match this value.

scannerV4.monitoring.exposeEndpoint

Configures a monitoring endpoint for Scanner V4. The monitoring endpoint allows other services to collect metrics from Scanner V4, provided in a Prometheus-compatible format. Use Enabled to expose the monitoring endpoint. When you enable monitoring, RHACS creates a new service, monitoring, with port 9090, and a network policy allowing inbound connections to the port. By default, this is not enabled.

scannerV4.scannerComponent

Enables Scanner V4. The default value is default, which is disabled. To enable Scanner V4, set this parameter to Enabled.

Image configuration

Use image configuration settings when you are using a custom registry.

Parameter Description

Parameter	Description
`imagePullSecrets.name`	Additional image pull secrets to be taken into account for pulling images.

imagePullSecrets.name

Additional image pull secrets to be taken into account for pulling images.

Per node settings

Per node settings define the configuration settings for components that run on each node in a cluster to secure the cluster. These components are Collector and Compliance.

Parameter Description

perNode.collector.collection

The method for system-level data collection. The default value is CORE_BPF. Red Hat recommends using CORE_BPF for data collection. If you select NoCollection, Collector does not report any information about the network activity and the process executions. Available options are NoCollection, EBPF, and CORE_BPF.

Red Hat has deprecated the EBPF option and will remove it from future versions. Use CORE_BPF instead.

perNode.collector.imageFlavor

The image type to use for Collector. You can specify it as Regular or Slim. Regular images are bigger, but contain kernel modules for most kernels. If you use the Slim image type, you must ensure that your Central instance is connected to the internet, or regularly receives Collector support package updates. The default value is Slim.

perNode.collector.resources.limits

Use this parameter to override the default resource limits for Collector.

perNode.collector.resources.requests

Use this parameter to override the default resource requests for Collector.

perNode.compliance.resources.requests

Use this parameter to override the default resource requests for Compliance.

perNode.compliance.resources.limits

Use this parameter to override the default resource limits for Compliance.

perNode.taintToleration

To ensure comprehensive monitoring of your cluster activity, Red Hat Advanced cluster Security for Kubernetes runs services on every node in the cluster, including tainted nodes by default. If you do not want this behavior, specify AvoidTaints for this parameter. The default value is TolerateTaints.

Sensor configuration

This configuration defines the settings of the Sensor components, which runs on one node in a cluster.

Parameter Description

Parameter	Description
`sensor.nodeSelector`	If you want Sensor to only run on specific nodes, you can configure a node selector.
`sensor.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Sensor. This parameter is mainly used for infrastructure nodes.
`sensor.resources.limits`	Use this parameter to override the default resource limits for Sensor.
`sensor.resources.requests`	Use this parameter to override the default resource requests for Sensor.

sensor.nodeSelector

If you want Sensor to only run on specific nodes, you can configure a node selector.

sensor.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Sensor. This parameter is mainly used for infrastructure nodes.

sensor.resources.limits

Use this parameter to override the default resource limits for Sensor.

sensor.resources.requests

Use this parameter to override the default resource requests for Sensor.

General and miscellaneous settings

Parameter Description

Parameter	Description
`tls.additionalCAs`	Additional trusted CA certificates for the secured cluster. These certificates are used when integrating with services using a private certificate authority.
`misc.createSCCs`	Set this to `true` to create SCCs for Central. It may cause issues in some environments.
`customize.annotations`	Allows specifying custom annotations for the Central deployment.
`customize.envVars`	Advanced settings to configure environment variables.
`egress.connectivityPolicy`	Configures whether Red Hat Advanced cluster Security for Kubernetes should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.
`overlays`	See Customizing the installation using the operator with overlays

tls.additionalCAs

Additional trusted CA certificates for the secured cluster. These certificates are used when integrating with services using a private certificate authority.

misc.createSCCs

Set this to true to create SCCs for Central. It may cause issues in some environments.

customize.annotations

Allows specifying custom annotations for the Central deployment.

customize.envVars

Advanced settings to configure environment variables.

egress.connectivityPolicy

Configures whether Red Hat Advanced cluster Security for Kubernetes should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.

overlays

See Customizing the installation using the operator with overlays

Customizing the installation using the Operator with overlays

Learn how to tailor the installation of RHACS using the Operator method with overlays.

Overlays

When Central or Securedcluster custom resources don’t expose certain low-level configuration options as parameters, you can use the .spec.overlays field for adjustments. Use this field to amend the Kubernetes resources generated by these custom resources.

The .spec.overlays field comprises a sequence of patches, applied in their listed order. These patches are processed by the Operator on the Kubernetes resources before deployment to the cluster.

The .spec.overlays field in both Central and Securedcluster allows users to modify low-level Kubernetes resources in arbitrary ways. Use this feature only when the desired customization is not available through the Securedcluster or Central custom resources.

Support for the .spec.overlays feature is limited primarily because it grants the ability to make intricate and highly specific modifications to Kubernetes resources, which can vary significantly from one implementation to another. This level of customization introduces a complexity that goes beyond standard usage scenarios, making it challenging to provide broad support. Each modification can be unique, potentially interacting with the Kubernetes system in unpredictable ways across different versions and configurations of the product. This variability means that troubleshooting and guaranteeing the stability of these customizations require a level of expertise and understanding specific to each individual’s setup. Consequently, while this feature empowers tailoring Kubernetes resources to meet precise needs, greater responsibility must also assumed to ensure the compatibility and stability of configurations, especially during upgrades or changes to the underlying product.

The following example shows the structure of an overlay:

overlays:
- apiVersion: v1     (1)
  kind: ConfigMap    (2)
  name: my-configmap (3)
  patches:
    - path: .data    (4)
      value: |       (5)
        key1: data2
        key2: data2

1	Targeted Kubernetes resource ApiVersion, for example `apps/v1`, `v1`, `networking.k8s.io/v1`
2	Resource type (e.g., Deployment, ConfigMap, NetworkPolicy)
3	Name of the resource, for example `my-configmap`
4	JSONPath expression to the field, for example `spec.template.spec.containers[name:central].env[-1]`
5	YAML string for the new field value

Adding an overlay

For customizations, you can add overlays to Central or Securedcluster custom resources. Use the OpenShift CLI (oc) or the OpenShift Container Platform web console for modifications.

If overlays do not take effect as expected, check the RHACS Operator logs for any syntax errors or issues logged.

Overlay examples

Specifying an EKS pod role ARN for the Central ServiceAccount

Add an Amazon Elastic Kubernetes Service (EKS) pod role Amazon Resource Name (ARN) annotation to the central ServiceAccount as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: v1
    kind: ServiceAccount
    name: central
    patches:
      - path: metadata.annotations.eks\.amazonaws\.com/role-arn
        value: "\"arn:aws:iam:1234:role\""

Injecting an environment variable into the Central deployment

Inject an environment variable into the central deployment as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: apps/v1
    kind: Deployment
    name: central
    patches:
    - path: spec.template.spec.containers[name:central].env[-1]
      value: |
        name: MY_ENV_VAR
        value: value

Extending network policy with an ingress rule

Add an ingress rule to the allow-ext-to-central network policy for port 999 traffic as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
    # ...
    overlays:
    - apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: allow-ext-to-central
      patches:
        - path: spec.ingress[-1]
          value: |
            ports:
            - port: 999
              protocol: TCP

Modifying ConfigMap data

Modify the central-endpoints ConfigMap data as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
    # ...
    overlays:
    - apiVersion: v1
      kind: ConfigMap
      name: central-endpoints
      patches:
      - path: data
        value: |
          endpoints.yaml: |
            disableDefault: false

Adding a container to the `Central` deployment

Add a new container to the central deployment as shown in the following example:.

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
    # ...
    overlays:
    - apiVersion: apps/v1
      kind: Deployment
      name: central
      patches:
        - path: spec.template.spec.containers[-1]
      value: |
        name: nginx
        image: nginx
        ports:
          - containerPort: 8000
            name: http
            protocol: TCP

Configuring Secured cluster services options for RHACS using the Operator

Secured cluster services configuration options

Required Configuration Settings

Admission controller settings

Scanner configuration

Image configuration

Per node settings

Sensor configuration

General and miscellaneous settings

Customizing the installation using the Operator with overlays

Overlays

Adding an overlay

Overlay examples

Specifying an EKS pod role ARN for the Central ServiceAccount

Injecting an environment variable into the Central deployment

Extending network policy with an ingress rule

Modifying ConfigMap data

Adding a container to the Central deployment

Adding a container to the `Central` deployment