×

You must complete prerequisites before installing Red Hat Advanced Cluster Security Cloud Service for Red Hat OpenShift on secured clusters.

General requirements

RHACS has some system requirements that must be met before installing.

You must not install Red Hat Advanced Cluster Security for Kubernetes on:

  • Amazon Elastic File System (Amazon EFS). Use the Amazon Elastic Block Store (Amazon EBS) with the default gp2 volume type instead.

  • Older CPUs that do not have the Streaming SIMD Extensions (SSE) 4.2 instruction set. For example, Intel processors older than Sandy Bridge and AMD processors older than Bulldozer. (These processors were released in 2011.)

To install Red Hat Advanced Cluster Security for Kubernetes, you must have:

  • Cluster nodes with a supported operating system. For more information, see the Red Hat Advanced Cluster Security for Kubernetes Support Policy.

    • Operating system: Amazon Linux, CentOS, Container-Optimized OS from Google, Red Hat Enterprise Linux CoreOS (RHCOS), Debian, Red Hat Enterprise Linux (RHEL), or Ubuntu.

    • Processor and memory: 2 CPU cores and at least 3GiB of RAM.

      For deploying Central, use a machine type with four or more cores and apply scheduling policies to launch Central on such nodes.

    • Architectures: AMD64 or ppc64le.

      You can only install RHACS Secured cluster services on {ibm-power}, {ibm-zsystems}, and {ibm-linuxone} clusters. Central is not supported at this time.

  • Persistent storage by using persistent volume claim (PVC).

    You must not use Ceph FS storage with Red Hat Advanced Cluster Security for Kubernetes. Red Hat recommends using RBD block mode PVCs for Red Hat Advanced Cluster Security for Kubernetes.

    • Use Solid-State Drives (SSDs) for best performance. However, you can use another storage type if you do not have SSDs available.

To install using Helm charts:

  • You must have Helm command-line interface (CLI) v3.2 or newer, if you are installing or configuring Red Hat Advanced Cluster Security for Kubernetes using Helm charts. Use the helm version command to verify the version of Helm you have installed.

  • You must have access to the Red Hat Container Registry. For information about downloading images from registry.redhat.io, see Red Hat Container Registry Authentication.

Prerequisites for installing Scanner

Red Hat Advanced Cluster Security for Kubernetes includes an image vulnerability scanner called Scanner. This service scans images that are not already scanned by scanners integrated into image registries.

Memory and storage requirements

Scanner CPU Memory

Request

1.2 cores

2700 MiB

Limit

5 cores

8000 MiB

Prerequisites for installing Sensor

Sensor monitors your Kubernetes and OpenShift Container Platform clusters. These services currently deploy in a single deployment, which handles interactions with the Kubernetes API and coordinates with Collector.

Memory and storage requirements

Sensor CPU Memory

Request

1 core

1 GiB

Limit

2 cores

4 GiB

Prerequisites for installing Admission controller

The Admission controller prevents users from creating workloads that violate policies you configure.

Memory and storage requirements

By default, the admission control service runs 3 replicas. The following table lists the request and limits for each replica.

Admission controller CPU Memory

Request

.05 cores

100 MiB

Limit

.5 cores

500 MiB

Prerequisites for installing Collector

Collector monitors runtime activity on each node in your secured clusters. It connects to Sensor to report this information.

To install Collector on systems that have Unified Extensible Firmware Interface (UEFI) and that have Secure Boot enabled, you must use eBPF probes because kernel modules are unsigned, and the UEFI firmware cannot load unsigned packages. Collector identifies Secure Boot status at the start and switches to eBPF probes if required.

Memory and storage requirements

Collector CPU Memory

Request

.05 cores

320 MiB

Limit

.75 cores

1 GiB

Collector uses a mutable image tag (<version>-latest), so you get support for newer Linux kernel versions more easily. There is no change in code, pre-existing kernel modules, or eBPF programs for image updates. Updates only add a single image layer with support for new kernel versions published after the initial release.