Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service) provides security services for your Red Hat OpenShift and Kubernetes clusters. See Supported platforms and installation methods for more information on supported platforms for secured clusters.

Prerequisites
  • Ensure that you can access the Advanced Cluster Security menu option from the Red Hat Hybrid Cloud Console.

    To access the RHACS Cloud Service console, you need your Red Hat Single Sign-On (SSO) credentials, or credentials for another identity provider if one has been configured. See Default access to the ACS Console.

High-level overview of installation steps

The following sections provide an overview of installation steps and links to the relevant documentation.

Securing Red Hat OpenShift clusters

To secure Red Hat OpenShift clusters by using the Operator, perform the following steps:

  1. Verify that the clusters you want to secure meet the prerequisites.

  2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.

  3. On each Red Hat OpenShift cluster you want to secure, create a project named stackrox. This project will contain the resources for RHACS Cloud Service secured clusters.

  4. In the ACS Console, create an init bundle. The init bundle contains secrets that allow communication between RHACS Cloud Service secured clusters and the ACS Console.

  5. On each Red Hat OpenShift cluster, apply the init bundle by using it to create resources.

  6. On each Red Hat OpenShift cluster, install the RHACS Operator.

  7. On each Red Hat OpenShift cluster, install secured cluster resources in the stackrox project by using the Operator.

  8. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.

To secure Red Hat OpenShift clusters by using Helm charts or the roxctl CLI, perform the following steps:

  1. Verify that the clusters you want to secure meet the prerequisites.

  2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.

  3. On each Red Hat OpenShift cluster you want to secure, create a project named stackrox. This project will contain the resources for RHACS Cloud Service secured clusters.

  4. In the ACS Console, create an init bundle. The init bundle contains secrets that allow communication between RHACS Cloud Service secured clusters and the ACS Console.

  5. On each Red Hat OpenShift cluster, apply the init bundle by using it to create resources.

  6. On each Red Hat OpenShift cluster, install secured cluster resources in the stackrox project by using Helm charts or by using the roxctl CLI.

  7. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.

Securing Kubernetes clusters

To secure Kubernetes clusters, perform the following steps:

  1. Verify that the clusters you want to secure meet the prerequisites.

  2. In the Red Hat Hybrid Cloud Console, create an ACS Instance.

  3. In the ACS Console, create an init bundle. The init bundle contains secrets that allow communication between RHACS Cloud Service secured clusters and the ACS Console.

  4. On each Kubernetes cluster, apply the init bundle by using it to create resources.

  5. On each Kubernetes cluster, install secured cluster resources by using Helm charts or the roxctl CLI.

  6. Verify installation by ensuring that your secured clusters can communicate with the ACS instance.

Default access to the ACS Console

By default, users authenticate by using Red Hat Single Sign-On (SSO). You cannot delete or change the Red Hat SSO authentication provider. However, you can change its minimum access role, add more rules to it, or add another identity provider.

To learn how authentication providers work in ACS, see Understanding authentication providers.

A dedicated OIDC client of sso.redhat.com is created for each ACS Console. All OIDC clients share the same sso.redhat.com realm. Claims from the token issued by sso.redhat.com are mapped to an ACS-issued token as follows:

  • realm_access.roles to groups

  • org_id to rh_org_id

  • is_org_admin to rh_is_org_admin

  • sub to userid

The built-in Red Hat SSO authentication provider has the required attribute rh_org_id set to the organization ID assigned to the account of the user who created the RHACS Cloud Service instance. This is the ID of the organizational account that the user belongs to; it can be thought of as the "tenant" that owns the user. Only users with the same organizational account can access the ACS Console by using the Red Hat SSO authentication provider.

To gain more control over access to your ACS Console, configure another identity provider instead of relying on the Red Hat SSO authentication provider. For more information, see Understanding authentication providers. To make the other authentication provider the first option on the login page, give it a name that sorts lexicographically before "Red Hat SSO".

The minimum access role is set to None. Setting this field to any other role grants access to the RHACS Cloud Service instance to all users with the same organizational account.

Other rules that are set up in the built-in Red Hat SSO authentication provider include the following:

  • Rule mapping your userid to Admin

  • Rules mapping administrators of the organization to Admin

You can add more rules to grant access to the ACS Console to someone else with the same organizational account. For example, you can use email as a key.
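The claim mapping, tenant check and default rules described above, modelled in Python as an added example (this is not RHACS code). CLAIM_MAP follows the list above; the organization IDs, subjects, e-mail address and the "Analyst" role used in the extra rule are constructed sample values, and the assumption that the email claim passes through under its own name is the model's, not the documentation's.

```python
from dataclasses import dataclass

# Claim mapping from the sso.redhat.com token to the ACS-issued token (a dotted name is a nested claim).
CLAIM_MAP = {
    "realm_access.roles": "groups",
    "org_id": "rh_org_id",
    "is_org_admin": "rh_is_org_admin",
    "sub": "userid",
}
PASSTHROUGH_CLAIMS = ("email",)  # assumption of this model: email keeps its name


def map_claims(sso_token: dict) -> dict:
    """Translate sso.redhat.com claims into the ACS-issued token's claims."""
    acs = {}
    for src, dst in CLAIM_MAP.items():
        value = sso_token
        for part in src.split("."):
            value = value.get(part) if isinstance(value, dict) else None
        if value is not None:
            acs[dst] = value
    for name in PASSTHROUGH_CLAIMS:
        if name in sso_token:
            acs[name] = sso_token[name]
    return acs


@dataclass
class RedHatSsoProvider:
    required_org_id: str       # rh_org_id of the account that created the instance
    creator_userid: str        # built-in rule: this userid -> Admin
    minimum_access_role: str = "None"  # default: the None role, i.e. no implicit access
    extra_rules: tuple = ()    # added rules as (claim, value, role) tuples

    def resolve_roles(self, sso_token: dict) -> set:
        """Return the roles granted to the caller; an empty set means no access."""
        claims = map_claims(sso_token)
        # Required attribute: another organizational account is rejected before any rule applies.
        if claims.get("rh_org_id") != self.required_org_id:
            return set()
        roles = set()
        if claims.get("userid") == self.creator_userid:
            roles.add("Admin")  # built-in rule: creator's userid -> Admin
        if claims.get("rh_is_org_admin") is True:
            roles.add("Admin")  # built-in rule: organization admins -> Admin
        for claim, value, role in self.extra_rules:
            if claims.get(claim) == value:
                roles.add(role)
        if not roles and self.minimum_access_role != "None":
            roles.add(self.minimum_access_role)
        return roles
```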