Optional - Configuring Central configuration options for RHACS using the Operator - Installing RHACS on Red Hat OpenShift | Installing | Red Hat Advanced Cluster Security for Kubernetes 3.74

Central configuration options using the Operator

This topic provides information about optional configuration options that you can configure using the Operator.

Central configuration options using the Operator

When you create a Central instance, the Operator lists the following configuration options for the Central custom resource.

Central settings

Parameter Description

Parameter	Description
`central.adminPasswordSecret`	Specify a secret that contains the administrator password in the `password` data item. If omitted, the operator autogenerates a password and stores it in the `password` item in the `central-htpasswd` secret.
`central.defaultTLSSecret`	By default, Central only serves an internal TLS certificate, which means that you need to handle TLS termination at the ingress or load balancer level. If you want to terminate TLS in Central and serve a custom server certificate, you can specify a secret containing the certificate and private key.
`central.adminPasswordGenerationDisabled`	Set this parameter to `true` to disable the automatic administrator password generation. Use this only after you perform the first-time setup of alternative authentication methods. Do not use this for initial installation. Otherwise, you must reinstall the custom resource to log back in.
`central.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes.
`central.exposure.loadBalancer.enabled`	Set this to `true` to expose Central through a load balancer.
`central.exposure.loadBalancer.port`	Use this parameter to specify a custom port for your load balancer.
`central.exposure.loadBalancer.ip`	Use this parameter to specify a static IP address reserved for your load balancer.
`central.exposure.route.enabled`	Set this to `true` to expose Central through an OpenShift route. The default value is `false`.
`central.exposure.route.host`	Specify a custom hostname to use for Central’s route. Leave this unset to accept the default value that OpenShift Container Platform provides.
`central.exposure.nodeport.enabled`	Set this to `true` to expose Central through a node port. The default value is `false`.
`central.exposure.nodeport.port`	Use this to specify an explicit node port.
`central.monitoring.exposeEndpoint`	Use `Enabled` to enable monitoring for Central. When you enable monitoring, RHACS creates a new monitoring service on port number `9090`. The default value is `Disabled`.
`central.nodeSelector`	If you want this component to only run on specific nodes, you can configure a node selector by using this parameter.
`central.persistence.hostPath.path`	Specify a host path to store persistent data in a directory on the host. Red Hat does not recommend using this. If you need to use host path, you must use it with a node selector.
`central.persistence.persistentVolumeClaim.claimName`	The name of the PVC to manage persistent data. If no PVC with the given name exists, it will be created. The default value is `stackrox-db` if not set. To prevent data losses the PVC is not removed automatically with Central`s deletion.
`central.persistence.persistentVolumeClaim.size`	The size of the persistent volume when created through the claim. This is automatically generated by default.
`central.persistence.persistentVolumeClaim.storageClassName`	The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.
`central.resources.limits`	Use this parameter to override the default resource limits for the Central.
`central.resources.requests`	Use this parameter to override the default resource requests for the Central.
`central.imagePullSecrets`	Use this parameter to specify the image pull secrets for the Central image.

central.adminPasswordSecret

Specify a secret that contains the administrator password in the password data item. If omitted, the operator autogenerates a password and stores it in the password item in the central-htpasswd secret.

central.defaultTLSSecret

By default, Central only serves an internal TLS certificate, which means that you need to handle TLS termination at the ingress or load balancer level. If you want to terminate TLS in Central and serve a custom server certificate, you can specify a secret containing the certificate and private key.

central.adminPasswordGenerationDisabled

Set this parameter to true to disable the automatic administrator password generation. Use this only after you perform the first-time setup of alternative authentication methods. Do not use this for initial installation. Otherwise, you must reinstall the custom resource to log back in.

central.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes.

central.exposure.loadBalancer.enabled

Set this to true to expose Central through a load balancer.

central.exposure.loadBalancer.port

Use this parameter to specify a custom port for your load balancer.

central.exposure.loadBalancer.ip

Use this parameter to specify a static IP address reserved for your load balancer.

central.exposure.route.enabled

Set this to true to expose Central through an OpenShift route. The default value is false.

central.exposure.route.host

Specify a custom hostname to use for Central’s route. Leave this unset to accept the default value that OpenShift Container Platform provides.

central.exposure.nodeport.enabled

Set this to true to expose Central through a node port. The default value is false.

central.exposure.nodeport.port

Use this to specify an explicit node port.

central.monitoring.exposeEndpoint

Use Enabled to enable monitoring for Central. When you enable monitoring, RHACS creates a new monitoring service on port number 9090. The default value is Disabled.

central.nodeSelector

If you want this component to only run on specific nodes, you can configure a node selector by using this parameter.

central.persistence.hostPath.path

Specify a host path to store persistent data in a directory on the host. Red Hat does not recommend using this. If you need to use host path, you must use it with a node selector.

central.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data. If no PVC with the given name exists, it will be created. The default value is stackrox-db if not set. To prevent data losses the PVC is not removed automatically with Central`s deletion.

central.persistence.persistentVolumeClaim.size

The size of the persistent volume when created through the claim. This is automatically generated by default.

central.persistence.persistentVolumeClaim.storageClassName

The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.

central.resources.limits

Use this parameter to override the default resource limits for the Central.

central.resources.requests

Use this parameter to override the default resource requests for the Central.

central.imagePullSecrets

Use this parameter to specify the image pull secrets for the Central image.

Scanner settings

Parameter Description

Parameter	Description
`scanner.analyzer.nodeSelector`	If you want this scanner to only run on specific nodes, you can configure a node selector by using this parameter.
`scanner.analyzer.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner. This parameter is mainly used for infrastructure nodes.
`scanner.analyzer.resources.limits`	Use this parameter to override the default resource limits for the scanner.
`scanner.analyzer.resources.requests`	Use this parameter to override the default resource requests for the scanner.
`scanner.analyzer.scaling.autoScaling`	When enabled, the number of analyzer replicas is managed dynamically based on the load, within the limits specified.
`scanner.analyzer.scaling.maxReplicas`	Specifies the maximum replicas to be used the analyzer autoscaling configuration
`scanner.analyzer.scaling.minReplicas`	Specifies the minimum replicas to be used the analyzer autoscaling configuration
`scanner.analyzer.scaling.replicas`	When autoscaling is disabled, the number of replicas will always be configured to match this value.
`scanner.db.nodeSelector`	If you want this component to only run on specific nodes, you can configure a node selector by using this parameter.
`scanner.db.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB. This parameter is mainly used for infrastructure nodes.
`scanner.db.resources.limits`	Use this parameter to override the default resource limits for the scanner.
`scanner.db.resources.requests`	Use this parameter to override the default resource requests for the scanner.
`scanner.monitoring.exposeEndpoint`	Use `Enabled` to enable monitoring for Scanner. When you enable monitoring, RHACS creates a new monitoring service on port number `9090`. The default value is `Disabled`.
`scanner.scannerComponent`	If you do not want to deploy Scanner, you can disable it by using this parameter. If you disable Scanner, all other settings in this section have no effect. Red Hat does not recommend disabling Red Hat Advanced Cluster Security for Kubernetes Scanner.

scanner.analyzer.nodeSelector

If you want this scanner to only run on specific nodes, you can configure a node selector by using this parameter.

scanner.analyzer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner. This parameter is mainly used for infrastructure nodes.

scanner.analyzer.resources.limits

Use this parameter to override the default resource limits for the scanner.

scanner.analyzer.resources.requests

Use this parameter to override the default resource requests for the scanner.

scanner.analyzer.scaling.autoScaling

When enabled, the number of analyzer replicas is managed dynamically based on the load, within the limits specified.

scanner.analyzer.scaling.maxReplicas

Specifies the maximum replicas to be used the analyzer autoscaling configuration

scanner.analyzer.scaling.minReplicas

Specifies the minimum replicas to be used the analyzer autoscaling configuration

scanner.analyzer.scaling.replicas

When autoscaling is disabled, the number of replicas will always be configured to match this value.

scanner.db.nodeSelector

If you want this component to only run on specific nodes, you can configure a node selector by using this parameter.

scanner.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB. This parameter is mainly used for infrastructure nodes.

scanner.db.resources.limits

Use this parameter to override the default resource limits for the scanner.

scanner.db.resources.requests

Use this parameter to override the default resource requests for the scanner.

scanner.monitoring.exposeEndpoint

Use Enabled to enable monitoring for Scanner. When you enable monitoring, RHACS creates a new monitoring service on port number 9090. The default value is Disabled.

scanner.scannerComponent

If you do not want to deploy Scanner, you can disable it by using this parameter. If you disable Scanner, all other settings in this section have no effect. Red Hat does not recommend disabling Red Hat Advanced Cluster Security for Kubernetes Scanner.

General and miscellaneous settings

Parameter Description

Parameter	Description
`tls.additionalCAs`	Additional Trusted CA certificates for the secured cluster to trust. These certificates are typically used when integrating with services using a private certificate authority.
`misc.createSCCs`	Specify `true` to create `SecurityContextConstraints` (SCCs) for Central. Setting to `true` might cause issues in some environments.
`customize.annotations`	Allows specifying custom annotations for the Central deployment.
`customize.envVars`	Advanced settings to configure environment variables.
`egress.connectivityPolicy`	Configures whether RHACS should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.

tls.additionalCAs

Additional Trusted CA certificates for the secured cluster to trust. These certificates are typically used when integrating with services using a private certificate authority.

misc.createSCCs

Specify true to create SecurityContextConstraints (SCCs) for Central. Setting to true might cause issues in some environments.

customize.annotations

Allows specifying custom annotations for the Central deployment.

customize.envVars

Advanced settings to configure environment variables.

egress.connectivityPolicy

Configures whether RHACS should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.