Optional - Configuring Secured cluster configuration options for RHACS using the Operator - Installing RHACS on Red Hat OpenShift | Installing | Red Hat Advanced Cluster Security for Kubernetes 4.1

Secured cluster configuration options

This topic provides information about optional configuration settings that you can make using the Operator.

Secured cluster configuration options

When you create a Central instance, the Operator lists the following configuration options for the Central custom resource.

Required Configuration Settings

Parameter Description

Parameter	Description
`centralEndpoint`	The endpoint of Central instance to connect to, including the port number. If using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with `wss://`. If you do not specify a value for this paramter, Sensor attempts to connect to a Central instance running in the same namespace.
`clusterName`	The unique name of this cluster, which shows up in the RHACS portal. After the name is set by using this parameter, you cannot change it again. To change the name, you must delete and recreate the object.

centralEndpoint

The endpoint of Central instance to connect to, including the port number. If using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with wss://. If you do not specify a value for this paramter, Sensor attempts to connect to a Central instance running in the same namespace.

clusterName

The unique name of this cluster, which shows up in the RHACS portal. After the name is set by using this parameter, you cannot change it again. To change the name, you must delete and recreate the object.

Admission controller settings

Parameter Description

Parameter	Description
`admissionControl.listenOnCreates`	Specify `true` to enable preventive policy enforcement for object creations. The default value is `false`.
`admissionControl.listenOnEvents`	Specify `true` to enable monitoring and enforcement for Kubernetes events, such as `port-forward` and `exec` events. It is used to control access to resources through the Kubernetes API. The default value is `true`.
`admissionControl.listenOnUpdates`	Specify `true` to enable preventive policy enforcement for object updates. It will not have any effect unless `Listen On Creates` is set to `true` as well. The default value is `false`.
`admissionControl.nodeSelector`	If you want this component to only run on specific nodes, you can configure a node selector using this parameter.
`admissionControl.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Admission Control. This parameter is mainly used for infrastructure nodes.
`admissionControl.resources.limits`	Use this parameter to override the default resource limits for the admission controller.
`admissionControl.resources.requests`	Use this parameter to override the default resource requests for the admission controller.
`admissionControl.bypass`	Use one of the following values to configure the bypassing of admission controller enforcement: `BreakGlassAnnotation` to enable bypassing the admission controller via the `admission.stackrox.io/break-glass` annotation. `Disabled` to disable the ability to bypass admission controller enforcement for the secured cluster. The default value is `BreakGlassAnnotation`.
`admissionControl.contactImageScanners`	Use one of the following values to specify if the admission controller must connect to the image scanner: `ScanIfMissing` if the scan results for the image are missing. `DoNotScanInline` to skip scanning the image when processing the admission request. The default value is `DoNotScanInline`.
`admissionControl.timeoutSeconds`	Use this parameter to specify the maximum number of seconds Red Hat Advanced Cluster Security for Kubernetes must wait for an admission review before marking it as fail open.

admissionControl.listenOnCreates

Specify true to enable preventive policy enforcement for object creations. The default value is false.

admissionControl.listenOnEvents

Specify true to enable monitoring and enforcement for Kubernetes events, such as port-forward and exec events. It is used to control access to resources through the Kubernetes API. The default value is true.

admissionControl.listenOnUpdates

Specify true to enable preventive policy enforcement for object updates. It will not have any effect unless Listen On Creates is set to true as well. The default value is false.

admissionControl.nodeSelector

If you want this component to only run on specific nodes, you can configure a node selector using this parameter.

admissionControl.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Admission Control. This parameter is mainly used for infrastructure nodes.

admissionControl.resources.limits

Use this parameter to override the default resource limits for the admission controller.

admissionControl.resources.requests

Use this parameter to override the default resource requests for the admission controller.

admissionControl.bypass

Use one of the following values to configure the bypassing of admission controller enforcement:

BreakGlassAnnotation to enable bypassing the admission controller via the admission.stackrox.io/break-glass annotation.
Disabled to disable the ability to bypass admission controller enforcement for the secured cluster.

The default value is BreakGlassAnnotation.

admissionControl.contactImageScanners

Use one of the following values to specify if the admission controller must connect to the image scanner:

ScanIfMissing if the scan results for the image are missing.
DoNotScanInline to skip scanning the image when processing the admission request.

The default value is DoNotScanInline.

admissionControl.timeoutSeconds

Use this parameter to specify the maximum number of seconds Red Hat Advanced Cluster Security for Kubernetes must wait for an admission review before marking it as fail open.

Scanner configuration

Use Scanner configuration settings to modify the local cluster scanner for the OpenShift Container Registry (OCR).

Parameter Description

Parameter	Description
`scanner.analyzer.nodeSelector`	Specify a node selector label as `label-key: label-value` to force Scanner to only schedule on nodes with the specified label.
`scanner.analyzer.resources.requests.memory`	The memory request for the Scanner container. Use this parameter to override the default value.
`scanner.analyzer.resources.requests.cpu`	The CPU request for the Scanner container. Use this parameter to override the default value.
`scanner.analyzer.resources.limits.memory`	The memory limit for the Scanner container. Use this parameter to override the default value.
`scanner.analyzer.resources.limits.cpu`	The CPU limit for the Scanner container. Use this parameter to override the default value.
`scanner.scaling.autoscaling`	If you set this option to `Disabled`, Red Hat Advanced Cluster Security for Kubernetes disables autoscaling on the Scanner deployment. The default value is `Enabled`.
`scanner.scaling.minReplicas`	The minimum number of replicas for autoscaling. The default value is `2`.
`scanner.scaling.maxReplicas`	The maximum number of replicas for autoscaling. The default value is `5`.
`scanner.scaling.replicas`	The default number of replicas. The default value is `3`.
`scanner.Tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner.
`scanner.db.nodeSelector`	Specify a node selector label as `label-key: label-value` to force Scanner DB to only schedule on nodes with the specified label.
`scanner.db.resources.requests.memory`	The memory request for the Scanner DB container. Use this parameter to override the default value.
`scanner.db.resources.requests.cpu`	The CPU request for the Scanner DB container. Use this parameter to override the default value.
`scanner.db.resources.limits.memory`	The memory limit for the Scanner DB container. Use this parameter to override the default value.
`scanner.db.resources.limits.cpu`	The CPU limit for the Scanner DB container. Use this parameter to override the default value.
`scanner.db.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB.
`scanner.scannerComponent`	If you set this option to `Disabled`, Red Hat Advanced Cluster Security for Kubernetes does not deploy the Scanner deployment. Do not disable the Scanner on OpenShift Container Platform clusters. The default value is `AutoSense`.

scanner.analyzer.nodeSelector

Specify a node selector label as label-key: label-value to force Scanner to only schedule on nodes with the specified label.

scanner.analyzer.resources.requests.memory

The memory request for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.resources.requests.cpu

The CPU request for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.resources.limits.memory

The memory limit for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.resources.limits.cpu

The CPU limit for the Scanner container. Use this parameter to override the default value.

scanner.scaling.autoscaling

If you set this option to Disabled, Red Hat Advanced Cluster Security for Kubernetes disables autoscaling on the Scanner deployment. The default value is Enabled.

scanner.scaling.minReplicas

The minimum number of replicas for autoscaling. The default value is 2.

scanner.scaling.maxReplicas

The maximum number of replicas for autoscaling. The default value is 5.

scanner.scaling.replicas

The default number of replicas. The default value is 3.

scanner.Tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner.

scanner.db.nodeSelector

Specify a node selector label as label-key: label-value to force Scanner DB to only schedule on nodes with the specified label.

scanner.db.resources.requests.memory

The memory request for the Scanner DB container. Use this parameter to override the default value.

scanner.db.resources.requests.cpu

The CPU request for the Scanner DB container. Use this parameter to override the default value.

scanner.db.resources.limits.memory

The memory limit for the Scanner DB container. Use this parameter to override the default value.

scanner.db.resources.limits.cpu

The CPU limit for the Scanner DB container. Use this parameter to override the default value.

scanner.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB.

scanner.scannerComponent

If you set this option to Disabled, Red Hat Advanced Cluster Security for Kubernetes does not deploy the Scanner deployment. Do not disable the Scanner on OpenShift Container Platform clusters. The default value is AutoSense.

Image configuration

Use image configuration settings when you are using a custom registry.

Parameter Description

Parameter	Description
`imagePullSecrets.name`	Additional image pull secrets to be taken into account for pulling images.

imagePullSecrets.name

Additional image pull secrets to be taken into account for pulling images.

Per node settings

Per node settings define the configuration settings for components that run on each node in a cluster to secure the cluster. These components are Collector and Compliance.

Parameter Description

Parameter	Description
`perNode.collector.collection`	The method for system-level data collection. The default value is `EBPF`. Red Hat recommends using `EBPF` for data collection. If you select `NoCollection`, Collector does not report any information about the network activity and the process executions. Available options are `NoCollection`, `EBPF`, and `CORE_BPF`. The `CORE_BPF` collection method is a Technology Preview feature only.
`perNode.collector.imageFlavor`	The image type to use for Collector. You can specify it as `Regular` or `Slim`. `Regular` images are bigger in size, but contain kernel modules for most kernels. If you use the `Slim` image type, you must ensure that your Central instance is connected to the internet, or regularly receives Collector support package updates. The default value is `Slim`.
`perNode.collector.resources.limits`	Use this parameter to override the default resource limits for Collector.
`perNode.collector.resources.requests`	Use this parameter to override the default resource requests for Collector.
`perNode.compliance.resources.requests`	Use this parameter to override the default resource requests for Compliance.
`perNode.compliance.resources.limits`	Use this parameter to override the default resource limits for Compliance.

perNode.collector.collection

The method for system-level data collection. The default value is EBPF. Red Hat recommends using EBPF for data collection. If you select NoCollection, Collector does not report any information about the network activity and the process executions. Available options are NoCollection, EBPF, and CORE_BPF. The CORE_BPF collection method is a Technology Preview feature only.

perNode.collector.imageFlavor

The image type to use for Collector. You can specify it as Regular or Slim. Regular images are bigger in size, but contain kernel modules for most kernels. If you use the Slim image type, you must ensure that your Central instance is connected to the internet, or regularly receives Collector support package updates. The default value is Slim.

perNode.collector.resources.limits

Use this parameter to override the default resource limits for Collector.

perNode.collector.resources.requests

Use this parameter to override the default resource requests for Collector.

perNode.compliance.resources.requests

Use this parameter to override the default resource requests for Compliance.

perNode.compliance.resources.limits

Use this parameter to override the default resource limits for Compliance.

The CORE_BPF collection method is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Taint Tolerations settings

Parameter Description

Parameter	Description
`taintToleration`	To ensure comprehensive monitoring of your cluster activity, Red Hat Advanced Cluster Security for Kubernetes runs services on every node in the cluster, including tainted nodes by default. If you do not want this behavior, specify `AvoidTaints` for this parameter.

taintToleration

To ensure comprehensive monitoring of your cluster activity, Red Hat Advanced Cluster Security for Kubernetes runs services on every node in the cluster, including tainted nodes by default. If you do not want this behavior, specify AvoidTaints for this parameter.

Sensor configuration

This configuration defines the settings of the Sensor components, which runs on one node in a cluster.

Parameter Description

Parameter	Description
`sensor.nodeSelector`	If you want Sensor to only run on specific nodes, you can configure a node selector.
`sensor.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Sensor. This parameter is mainly used for infrastructure nodes.
`sensor.resources.limits`	Use this parameter to override the default resource limits for Sensor.
`sensor.resources.requests`	Use this parameter to override the default resource requests for Sensor.

sensor.nodeSelector

If you want Sensor to only run on specific nodes, you can configure a node selector.

sensor.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Sensor. This parameter is mainly used for infrastructure nodes.

sensor.resources.limits

Use this parameter to override the default resource limits for Sensor.

sensor.resources.requests

Use this parameter to override the default resource requests for Sensor.

General and miscellaneous settings

Parameter Description

Parameter	Description
`tls.additionalCAs`	Additional trusted CA certificates for the secured cluster. These certificates are used when integrating with services using a private certificate authority.
`misc.createSCCs`	Set this to `true` to create SCCs for Central. It may cause issues in some environments.
`customize.annotations`	Allows specifying custom annotations for the Central deployment.
`customize.envVars`	Advanced settings to configure environment variables.
`egress.connectivityPolicy`	Configures whether Red Hat Advanced Cluster Security for Kubernetes should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.

tls.additionalCAs

Additional trusted CA certificates for the secured cluster. These certificates are used when integrating with services using a private certificate authority.

misc.createSCCs

Set this to true to create SCCs for Central. It may cause issues in some environments.

customize.annotations

Allows specifying custom annotations for the Central deployment.

customize.envVars

Advanced settings to configure environment variables.

egress.connectivityPolicy

Configures whether Red Hat Advanced Cluster Security for Kubernetes should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.