
Red Hat Advanced Cluster Security for Kubernetes installs a set of services on your OpenShift Container Platform cluster. This topic describes the installation procedure for installing Red Hat Advanced Cluster Security for Kubernetes on your OpenShift Container Platform cluster without any customizations.

The following steps represent the high-level installation flow for quickly installing Red Hat Advanced Cluster Security for Kubernetes:

  1. Add the Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.

  2. Install the central-services Helm chart to install the centralized components (Central and Scanner).

  3. Generate an init bundle.

  4. Install the secured-cluster-services Helm chart to install the per-cluster and per-node components (Sensor, Admission Controller, and Collector).

Before you install:

Adding the Helm chart repository

Procedure
  • Add Red Hat Advanced Cluster Security for Kubernetes charts repository.

    $ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/

    The Helm repository for Red Hat Advanced Cluster Security for Kubernetes includes two Helm charts for installing different components.

    • Central services Helm chart (central-services) for installing the centralized components (Central and Scanner).

      You deploy centralized components only once and you can monitor multiple separate clusters by using the same installation.

    • Secured Cluster Services Helm chart (secured-cluster-services) for installing the per-cluster (Sensor and Admission controller) and per-node (Collector) components.

      Deploy the per-cluster components into each cluster that you want to monitor and deploy the per-node components in all nodes that you want to monitor.

Verification
  • Run the following command to verify the added chart repository:

    $ helm search repo -l rhacs/

Installing the central-services Helm chart without customization

Use the following instructions to install the central-services Helm chart to deploy the centralized components (Central and Scanner).

Prerequisites
Procedure
  • Run the following command to install Central services and expose Central using a route:

    $ helm install -n stackrox \
      --create-namespace stackrox-central-services rhacs/central-services \
      --set imagePullSecrets.username=<username> \
      --set imagePullSecrets.password=<password> \
      --set central.exposure.route.enabled=true
  • Or, run the following command to install Central services and expose Central using a load balancer:

    $ helm install -n stackrox \
      --create-namespace stackrox-central-services rhacs/central-services \
      --set imagePullSecrets.username=<username> \
      --set imagePullSecrets.password=<password> \
      --set central.exposure.loadBalancer.enabled=true
  • Or, run the following command to install Central services and expose Central using port forward:

    $ helm install -n stackrox \
      --create-namespace stackrox-central-services rhacs/central-services \
      --set imagePullSecrets.username=<username> \
      --set imagePullSecrets.password=<password>
  • If you are installing Red Hat Advanced Cluster Security for Kubernetes in a cluster that requires a proxy to connect to external services, you must specify your proxy configuration by using the proxyConfig parameter. For example:

    env:
      proxyConfig: |
        url: http://proxy.name:port
        username: username
        password: password
        excludes:
        - some.domain
  • If you already created one or more image pull secrets in the namespace in which you are installing, instead of using a username and password, you can use --set imagePullSecrets.useExisting="<pull-secret-1;pull-secret-2>".

  • Do not use image pull secrets:

    • If you are pulling your images from quay.io/stackrox-io or from a registry in a private network that does not require authentication. Use --set imagePullSecrets.allowNone=true instead of specifying a username and password.

    • If you already configured image pull secrets in the default service account in the namespace you are installing. Use --set imagePullSecrets.useFromDefaultServiceAccount=true instead of specifying a username and password.

The output of the installation command includes:

  • An automatically generated administrator password.

  • Instructions on storing all the configuration values.

  • Any warnings that Helm generates.

Generating an init bundle

Before you install the SecuredCluster resource on a cluster, you must create an init bundle. The cluster that has SecuredCluster installed and configured then uses this bundle to authenticate with Central.

Generating an init bundle by using the roxctl CLI

You can create an init bundle with secrets by using the roxctl CLI.

Prerequisites

  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables:

    $ export ROX_API_TOKEN=<api_token>
    $ export ROX_CENTRAL_ADDRESS=<address>:<port_number>

Procedure
  • Run the following command to generate a cluster init bundle containing secrets:

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" \
      central init-bundles generate <cluster_init_bundle_name> \
      --output cluster_init_bundle.yaml

Make sure that you store this bundle securely because it contains secrets. You can use the same bundle to set up multiple secured clusters.

Installing the secured-cluster-services Helm chart without customization

Use the following instructions to install the secured-cluster-services Helm chart to deploy the per-cluster and per-node components (Sensor, Admission Controller, and Collector).

To install Collector on systems that have Unified Extensible Firmware Interface (UEFI) and that have Secure Boot enabled, you must use eBPF probes because kernel modules are unsigned, and the UEFI firmware cannot load unsigned packages. Collector identifies Secure Boot status at the start and switches to eBPF probes if required.

Prerequisites
  • You must have the address and the port number that you are exposing the Central service on.

Procedure
  • Run the following command on other Kubernetes based clusters:

    $ helm install -n stackrox --create-namespace \
        stackrox-secured-cluster-services rhacs/secured-cluster-services \
        -f <path_to_cluster_init_bundle.yaml> \ (1)
        --set clusterName=<name_of_the_secured_cluster> \
        --set centralEndpoint=<endpoint_of_central_service> (2)
    1 Use the -f option to specify the path for the init bundle.
    2 Specify the address and port number for Central. For example, acs.domain.com:443.
  • Run the following command on OpenShift Container Platform clusters:

    $ helm install -n stackrox --create-namespace \
        stackrox-secured-cluster-services rhacs/secured-cluster-services \
        -f <path_to_cluster_init_bundle.yaml> \ (1)
        --set clusterName=<name_of_the_secured_cluster> \
        --set centralEndpoint=<endpoint_of_central_service> \ (2)
        --set scanner.disable=false
    1 Use the -f option to specify the path for the init bundle.
    2 Specify the address and port number for Central. For example, acs.domain.com:443.
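The following script is an added example, not part of the Red Hat documentation or the RHACS project: it assembles the secured-cluster-services install command shown above from its parameters and refuses to proceed when the init bundle (which contains secrets) is readable by other users, the cluster name is empty, or the Central endpoint is not in host:port form. It assumes POSIX sh and a hostname-style endpoint such as acs.domain.com:443; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the RHACS docs: build the secured-cluster-services
# install command from the page's parameters and refuse unsafe inputs.
# Assumes POSIX sh and a host:port endpoint (IPv6 literals are not handled).

# The endpoint must be host:port with a numeric port in 1..65535.
valid_endpoint() {
  case "$1" in *:*) ;; *) return 1 ;; esac
  host=${1%:*}
  port=${1##*:}
  [ -n "$host" ] || return 1
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then return 0; else return 1; fi
}

# The init bundle carries secrets: require owner-only permissions (600 or 400).
bundle_is_private() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Print the helm command for bundle path, clusterName, centralEndpoint and
# platform; "openshift" adds --set scanner.disable=false as in the docs above.
build_install_cmd() {
  bundle=$1; name=$2; endpoint=$3; platform=$4
  bundle_is_private "$bundle" || { echo "init bundle missing or not mode 600/400: $bundle" >&2; return 1; }
  [ -n "$name" ] || { echo "clusterName must not be empty" >&2; return 1; }
  valid_endpoint "$endpoint" || { echo "centralEndpoint must be host:port: $endpoint" >&2; return 1; }
  cmd="helm install -n stackrox --create-namespace"
  cmd="$cmd stackrox-secured-cluster-services rhacs/secured-cluster-services"
  cmd="$cmd -f $bundle --set clusterName=$name --set centralEndpoint=$endpoint"
  if [ "$platform" = "openshift" ]; then cmd="$cmd --set scanner.disable=false"; fi
  printf '%s\n' "$cmd"
}

# Usage: build_install_cmd cluster_init_bundle.yaml prod acs.domain.com:443 openshift
# Review the printed command, then run it (or pipe it to sh).
```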

Verifying installation

After you complete the installation, run a few vulnerable applications and navigate to the RHACS portal to evaluate the results of security assessments and policy violations.

The sample applications listed in the following section contain critical vulnerabilities and they are specifically designed to verify the build and deploy-time assessment features of Red Hat Advanced Cluster Security for Kubernetes.

To verify installation:

  1. Find the address of the RHACS portal based on your exposure method:

    1. For a route:

      $ oc get route central -n stackrox
    2. For a load balancer:

      $ oc get service central-loadbalancer -n stackrox
    3. For port forward:

      1. Run the following command:

        $ oc port-forward svc/central 18443:443 -n stackrox
      2. Navigate to https://localhost:18443/.

  2. Using the OpenShift Container Platform CLI, create a new project:

    $ oc new-project test
  3. Start some applications with critical vulnerabilities:

    $ oc run shell --labels=app=shellshock,team=test-team \
      --image=vulnerables/cve-2014-6271 -n test
    $ oc run samba --labels=app=rce \
      --image=vulnerables/cve-2017-7494 -n test

Red Hat Advanced Cluster Security for Kubernetes automatically scans these deployments for security risk and policy violations as soon as they are submitted to the cluster. Navigate to the RHACS portal to view the violations. You can log in to the RHACS portal by using the default username admin and the generated password.