Red Hat Advanced Cluster Security for Kubernetes installs a set of services on your OpenShift Container Platform cluster. This topic describes the procedure for installing Red Hat Advanced Cluster Security for Kubernetes on your OpenShift Container Platform cluster without any customizations.
The following steps represent the high-level installation flow for quickly installing Red Hat Advanced Cluster Security for Kubernetes:
1. Add the Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.
2. Install the central-services Helm chart to install the centralized components (Central and Scanner).
3. Generate an init bundle.
4. Install the secured-cluster-services Helm chart to install the per-cluster and per-node components (Sensor, Admission Controller, and Collector).
Before you install:
Add the Red Hat Advanced Cluster Security for Kubernetes chart repository:
$ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
The Helm repository for Red Hat Advanced Cluster Security for Kubernetes includes two Helm charts for installing different components.
Central services Helm chart (central-services) for installing the centralized components (Central and Scanner).
You deploy centralized components only once and you can monitor multiple separate clusters by using the same installation.
Secured Cluster Services Helm chart (secured-cluster-services) for installing the per-cluster (Sensor and Admission controller) and per-node (Collector) components.
Deploy the per-cluster components into each cluster that you want to monitor and deploy the per-node components in all nodes that you want to monitor.
Run the following command to verify the added chart repository:
$ helm search repo -l rhacs/
Use the following instructions to install the central-services Helm chart to deploy the centralized components (Central and Scanner).
Run the following command to install Central services and expose Central using a route:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.allowNone=true \
--set central.exposure.route.enabled=true
Or, run the following command to install Central services and expose Central using a load balancer:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.allowNone=true \
--set central.exposure.loadBalancer.enabled=true
Or, run the following command to install Central services and expose Central by using port forwarding:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.allowNone=true
If you are installing Red Hat Advanced Cluster Security for Kubernetes in a cluster that requires a proxy to connect to external services, you must specify your proxy configuration by using the
The output of the installation command includes:
An automatically generated administrator password.
Instructions on storing all the configuration values.
Any warnings that Helm generates.
To create a secured cluster, you must create an init bundle. The secured cluster uses this bundle to authenticate with Central.
You can create an init bundle by using the roxctl CLI.
You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.
Run the following command to generate a cluster init bundle:
$ roxctl -e "$ROX_CENTRAL_ADDRESS" \
central init-bundles generate <cluster_init_bundle_name> \
--output cluster_init_bundle.yaml
Make sure that you store this bundle securely because it contains secrets. You can use the same bundle to set up multiple secured clusters.
Use the following instructions to install the secured-cluster-services Helm chart to deploy the per-cluster and per-node components (Sensor, Admission Controller, and Collector).
To install Collector on systems configured with Unified Extensible Firmware Interface (UEFI) boot, you must use eBPF probes because kernel modules are unsigned, and the UEFI firmware cannot load unsigned packages.
You must have the address and the port number that you are exposing the Central service on.
Run the following command:
$ helm install -n stackrox --create-namespace \
stackrox-secured-cluster-services rhacs/secured-cluster-services \
-f <path_to_cluster_init_bundle.yaml> \
--set clusterName=<name_of_the_secured_cluster> \
--set centralEndpoint=<endpoint_of_central_service>
(1) Use the -f option to specify the path for the init bundle.
(2) Use centralEndpoint to specify the address and port number for Central.
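The following preflight script is an added example, not part of the Red Hat documentation or the rhacs charts. It checks the three inputs the secured-cluster-services install above depends on (the init bundle file, a non-empty clusterName, and a host:port centralEndpoint), restricts the bundle's file mode to the owner because it contains secrets, and only then prints the helm command; helm itself is not run here. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added preflight for the secured-cluster-services install (example code, not from the docs).
# Assumes the init bundle was generated with roxctl as shown above. IPv6 literals are not handled.

# Returns 0 if ENDPOINT looks like host:port with a numeric port in 1..65535, else 1.
check_central_endpoint() {
  ep="$1"
  host="${ep%:*}"
  port="${ep##*:}"
  # no colon at all, or empty host, is rejected
  [ -n "$host" ] && [ "$host" != "$ep" ] || return 1
  case "$port" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Returns 0 if the bundle exists, is non-empty, and ends up readable by its owner only.
check_init_bundle() {
  f="$1"
  [ -s "$f" ] || return 1
  chmod 600 "$f" 2>/dev/null || return 1
  # the first 10 characters of ls -l are the mode string; -rw------- is owner-only
  mode=$(ls -l "$f" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# Prints the helm install command (one line) once all three inputs pass the checks.
secured_cluster_install_cmd() {
  bundle="$1"; cluster="$2"; endpoint="$3"
  check_init_bundle "$bundle" || { echo "bad init bundle: $bundle" >&2; return 1; }
  [ -n "$cluster" ] || { echo "clusterName must not be empty" >&2; return 1; }
  check_central_endpoint "$endpoint" || { echo "centralEndpoint must be host:port" >&2; return 1; }
  printf 'helm install -n stackrox --create-namespace stackrox-secured-cluster-services rhacs/secured-cluster-services -f %s --set clusterName=%s --set centralEndpoint=%s\n' \
    "$bundle" "$cluster" "$endpoint"
}
```

Run it as `secured_cluster_install_cmd cluster_init_bundle.yaml <name_of_the_secured_cluster> <endpoint_of_central_service>` and pipe the printed command into a shell only after reviewing it.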
After you complete the installation, navigate to the RHACS portal and run a few vulnerable applications to evaluate the results of security assessments and policy violations.
The sample applications listed in the following section contain critical vulnerabilities and they are specifically designed to verify the build and deploy-time assessment features of Red Hat Advanced Cluster Security for Kubernetes.
Find the address of the RHACS portal based on your exposure method:
For a route:
$ oc get route central -n stackrox
For a load balancer:
$ oc get service central-loadbalancer -n stackrox
For port forwarding, run the following command:
$ oc port-forward svc/central 18443:443 -n stackrox
Then navigate to https://localhost:18443/.
Create a new project:
$ oc new-project test
Start some applications with critical vulnerabilities:
$ oc run shell --labels=app=shellshock,team=test-team \
--image=vulnerables/cve-2014-6271 -n test
$ oc run samba --labels=app=rce \
--image=vulnerables/cve-2017-7494 -n test
Red Hat Advanced Cluster Security for Kubernetes automatically scans these deployments for security risk and policy violations as soon as they are submitted to the cluster.
Navigate to the RHACS portal to view the violations.
You can log in to the RHACS portal by using the default username admin and the generated password.