Red Hat Advanced Cluster Security for Kubernetes installs a set of services on your OpenShift Container Platform cluster. This topic describes how to install Red Hat Advanced Cluster Security for Kubernetes on your OpenShift Container Platform cluster by using Helm, without any customizations.
The following steps represent the high-level installation flow for quickly installing Red Hat Advanced Cluster Security for Kubernetes:
Add the Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.
Install the central-services Helm chart to install the centralized components (Central and Scanner).
Generate an init bundle.
Install the secured-cluster-services Helm chart to install the per-cluster and per-node components (Sensor, Admission Controller, and Collector).
Before you install, add the Red Hat Advanced Cluster Security for Kubernetes charts repository:
$ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
The Helm repository for Red Hat Advanced Cluster Security for Kubernetes includes two Helm charts for installing different components:
Central services Helm chart (central-services) for installing the centralized components (Central and Scanner). You deploy the centralized components only once, and you can monitor multiple separate clusters by using the same installation.
Secured Cluster Services Helm chart (secured-cluster-services) for installing the per-cluster (Sensor and Admission Controller) and per-node (Collector) components. Deploy the per-cluster components into each cluster that you want to monitor, and deploy the per-node components on all nodes that you want to monitor.
Run the following command to verify the added chart repository:
$ helm search repo -l rhacs/
Use the following instructions to install the central-services Helm chart to deploy the centralized components (Central and Scanner).
You must have access to the Red Hat Container Registry. For information about downloading images from registry.redhat.io, see Red Hat Container Registry Authentication.
Run the following command to install Central services and expose Central using a route:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.username=<username> \
--set imagePullSecrets.password=<password> \
--set central.exposure.route.enabled=true
Or, run the following command to install Central services and expose Central using a load balancer:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.username=<username> \
--set imagePullSecrets.password=<password> \
--set central.exposure.loadBalancer.enabled=true
Or, run the following command to install Central services without exposing Central; you then reach Central with port forwarding, as described in the verification steps:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.username=<username> \
--set imagePullSecrets.password=<password>
Passing the registry password with --set records it in your shell history and, while Helm runs, in the process list that any user on the workstation can read. To avoid that, put the imagePullSecrets values in a file with restrictive permissions and pass it with the -f option instead. Note that Helm stores every supplied value in the release secret in the stackrox namespace, so access to that namespace's secrets must be restricted in either case.
The output of the installation command includes:
An automatically generated administrator password.
Instructions on storing all the configuration values.
Any warnings that Helm generates.
Before you install the SecuredCluster resource on a cluster, you must create an init bundle. The cluster that has SecuredCluster installed and configured then uses this bundle to authenticate with Central.
You can create an init bundle with secrets by using the roxctl CLI.
You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.
Set the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables:
$ export ROX_API_TOKEN=<api_token>
$ export ROX_CENTRAL_ADDRESS=<address>:<port_number>
Run the following command to generate a cluster init bundle containing secrets:
$ roxctl -e "$ROX_CENTRAL_ADDRESS" \
central init-bundles generate <cluster_init_bundle_name> \
--output cluster_init_bundle.yaml
Make sure that you store this bundle securely because it contains secrets: the certificates and private keys that Sensor, Collector, and Admission Controller use to authenticate to Central. Treat it like any other credential: restrict its file permissions and do not commit it to version control. You can use the same bundle to set up multiple secured clusters.
Use the following instructions to install the secured-cluster-services Helm chart to deploy the per-cluster and per-node components (Sensor, Admission Controller, and Collector).
To install Collector on systems that have Unified Extensible Firmware Interface (UEFI) and that have Secure Boot enabled, you must use eBPF probes: the Collector kernel module is unsigned, and a kernel booted with Secure Boot enabled refuses to load unsigned kernel modules. Collector identifies the Secure Boot status at startup and switches to eBPF probes if required.
You must have the address and the port number that you are exposing the Central service on.
Run the following command on Kubernetes clusters other than OpenShift Container Platform:
$ helm install -n stackrox --create-namespace \
stackrox-secured-cluster-services rhacs/secured-cluster-services \
-f <path_to_cluster_init_bundle.yaml> \
--set clusterName=<name_of_the_secured_cluster> \
--set centralEndpoint=<endpoint_of_central_service>
Use the -f option to specify the path to the init bundle. For centralEndpoint, specify the address and port number for Central, for example acs.domain.com:443.
Run the following command on OpenShift Container Platform clusters:
$ helm install -n stackrox --create-namespace \
stackrox-secured-cluster-services rhacs/secured-cluster-services \
-f <path_to_cluster_init_bundle.yaml> \
--set clusterName=<name_of_the_secured_cluster> \
--set centralEndpoint=<endpoint_of_central_service> \
--set scanner.disable=false
Use the -f option to specify the path to the init bundle. For centralEndpoint, specify the address and port number for Central, for example acs.domain.com:443. Setting scanner.disable=false also deploys a Scanner in the secured cluster.
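The four steps above (add the chart repository, install Central, generate the init bundle, install the secured cluster) as one script. This is an added example, not code from the Red Hat Advanced Cluster Security documentation or from the product; it follows the commands on this page but keeps the registry password and the init bundle out of shell history, the process list, and world-readable files. It assumes helm, oc, and roxctl are on PATH, that Central is exposed with a route on an OpenShift Container Platform cluster, that the Deployments are named central and sensor as the charts create them, and that the environment variables REGISTRY_USER, REGISTRY_PASSWORD, CLUSTER_NAME, and ROX_API_TOKEN (names chosen here) are exported before you run it with the argument run. Without that argument it only defines its functions.

```bash
#!/usr/bin/env bash
# Added example, not from the RHACS documentation: drives the four install
# steps of this topic while keeping the registry password and the init bundle
# out of shell history, `ps` output, and world-readable files.
# Assumed: helm, oc and roxctl on PATH; an OpenShift cluster (Central exposed
# by route); REGISTRY_USER, REGISTRY_PASSWORD, CLUSTER_NAME and ROX_API_TOKEN
# exported before running:  bash install-rhacs.sh run
set -eu

NS=${NS:-stackrox}
CHART_REPO=https://mirror.openshift.com/pub/rhacs/charts/

# Quote a string as a YAML double-quoted scalar (escapes \ and ").
yaml_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# Render the imagePullSecrets values as YAML. Passing them with -f instead of
# --set keeps the password off the command line, which `ps` and shell history
# would otherwise record. Helm still stores all values in the release secret
# in the namespace, so that secret needs RBAC protection regardless.
render_pull_secret_values() {
  printf 'imagePullSecrets:\n  username: %s\n  password: %s\n' \
    "$(yaml_quote "$1")" "$(yaml_quote "$2")"
}

# Write secret material with mode 0600; umask is changed only in the subshell.
write_secret_file() {
  ( umask 077; printf '%s\n' "$2" > "$1" )
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Sanity check on a generated init bundle: it is a Helm values file carrying
# PEM certificates and private keys, so both markers must be present.
bundle_looks_valid() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- 'PRIVATE KEY-----' "$1"
}

main() {
  : "${REGISTRY_USER:?set REGISTRY_USER for registry.redhat.io}"
  : "${REGISTRY_PASSWORD:?set REGISTRY_PASSWORD for registry.redhat.io}"
  : "${CLUSTER_NAME:?set CLUSTER_NAME for the secured cluster}"
  : "${ROX_API_TOKEN:?set ROX_API_TOKEN (roxctl reads it from the environment)}"
  export ROX_API_TOKEN
  workdir=$(mktemp -d)
  values="$workdir/pull-secret-values.yaml"
  bundle="$workdir/cluster_init_bundle.yaml"

  # Step 1: chart repository.
  helm repo add rhacs "$CHART_REPO"
  helm repo update

  # Step 2: Central and Scanner, exposed through a route.
  write_secret_file "$values" \
    "$(render_pull_secret_values "$REGISTRY_USER" "$REGISTRY_PASSWORD")"
  helm install -n "$NS" --create-namespace \
    stackrox-central-services rhacs/central-services \
    -f "$values" \
    --set central.exposure.route.enabled=true
  oc -n "$NS" rollout status deploy/central --timeout=10m
  central_endpoint="$(oc -n "$NS" get route central -o jsonpath='{.spec.host}'):443"

  # Step 3: init bundle, written 0600 and checked before use.
  ( umask 077; roxctl -e "$central_endpoint" central init-bundles generate \
      "$CLUSTER_NAME" --output "$bundle" )
  chmod 600 "$bundle"
  bundle_looks_valid "$bundle"

  # Step 4: Sensor, Admission Controller and Collector on this OpenShift cluster.
  helm install -n "$NS" --create-namespace \
    stackrox-secured-cluster-services rhacs/secured-cluster-services \
    -f "$bundle" \
    --set clusterName="$CLUSTER_NAME" \
    --set centralEndpoint="$central_endpoint" \
    --set scanner.disable=false
  oc -n "$NS" rollout status deploy/sensor --timeout=10m
  echo "Central: https://${central_endpoint}  init bundle kept at: $bundle"
}

# Only perform the installation when invoked as: bash install-rhacs.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

The values file and the init bundle are left in a private temporary directory so you can reuse the bundle for further clusters, as the page notes; delete or move them to your secret store when you are done. If you keep the helm values for later upgrades, write that copy with the same 0600 permissions because it contains the registry password.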
After you complete the installation, run a few vulnerable applications and navigate to the RHACS portal to evaluate the results of security assessments and policy violations.
The sample applications listed in the following section contain critical vulnerabilities and are specifically designed to verify the build-time and deploy-time assessment features of Red Hat Advanced Cluster Security for Kubernetes. Run them only in a disposable test project.
To verify installation:
Find the address of the RHACS portal based on your exposure method:
For a route:
$ oc get route central -n stackrox
For a load balancer:
$ oc get service central-loadbalancer -n stackrox
For port forward, run the following command:
$ oc port-forward svc/central 18443:443 -n stackrox
Then navigate to https://localhost:18443/.
Using the OpenShift Container Platform CLI, create a new project:
$ oc new-project test
Start some applications with critical vulnerabilities:
$ oc run shell --labels=app=shellshock,team=test-team \
--image=vulnerables/cve-2014-6271 -n test
$ oc run samba --labels=app=rce \
--image=vulnerables/cve-2017-7494 -n test
Red Hat Advanced Cluster Security for Kubernetes automatically scans these deployments for security risks and policy violations as soon as they are submitted to the cluster. Navigate to the RHACS portal to view the violations. You can log in to the RHACS portal by using the default username admin and the password generated during the Central installation.