Before you install the SecuredCluster resource on a cluster, you must create an init bundle. The cluster that has SecuredCluster installed and configured then uses this bundle to authenticate with Central. You can create an init bundle by using either the RHACS portal or the roxctl CLI. You then apply the init bundle by using it to create resources.

To configure an init bundle for RHACS Cloud Service, see the following resources:

You must have the Admin user role to create an init bundle.

Generating an init bundle

Generating an init bundle by using the RHACS portal

You can create an init bundle containing secrets by using the RHACS portal.

You must have the Admin user role to create an init bundle.

Procedure
  1. Find the address of the RHACS portal as described in "Verifying Central installation using the Operator method".

  2. Log in to the RHACS portal.

  3. If you do not have secured clusters, the Platform Configuration → Clusters page appears.

  4. Click Create init bundle.

  5. Enter a name for the cluster init bundle.

  6. Select your platform.

  7. Select the installation method you will use for your secured clusters: Operator or Helm chart.

  8. Click Download to generate and download the init bundle, which is created in the form of a YAML file. You can use one init bundle and its corresponding YAML file for all secured clusters if you are using the same installation method.

    Store this bundle securely because it contains secrets.

  9. Apply the init bundle by using it to create resources on the secured cluster.

  10. Install secured cluster services on each cluster.

Generating an init bundle by using the roxctl CLI

You can create an init bundle with secrets by using the roxctl CLI.

You must have the Admin user role to create init bundles.

Prerequisites
  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables:

    1. Set the ROX_API_TOKEN environment variable by running the following command:

      $ export ROX_API_TOKEN=<api_token>

    2. Set the ROX_CENTRAL_ADDRESS environment variable by running the following command:

      $ export ROX_CENTRAL_ADDRESS=<address>:<port_number>

Procedure
  • To generate a cluster init bundle containing secrets for Helm installations, run the following command:

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" \
      central init-bundles generate <cluster_init_bundle_name> \
      --output cluster_init_bundle.yaml

  • To generate a cluster init bundle containing secrets for Operator installations, run the following command:

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" \
      central init-bundles generate <cluster_init_bundle_name> \
      --output-secrets cluster_init_bundle.yaml

    Ensure that you store this bundle securely because it contains secrets. You can use the same bundle to set up multiple secured clusters.

Applying the init bundle on the secured cluster

Before you configure a secured cluster, you must apply the init bundle by using it to create the required resources on the cluster. Applying the init bundle allows the services on the secured cluster to communicate with Central.

If you are installing by using Helm charts, do not perform this step. Complete the installation by using Helm. See "Installing RHACS on secured clusters by using Helm charts" in the additional resources section.

Prerequisites
  • You must have generated an init bundle containing secrets.

  • You must have created the stackrox project, or namespace, on the cluster where secured cluster services will be installed. Using stackrox for the project is not required, but ensures that vulnerabilities for RHACS processes are not reported when scanning your clusters.

Procedure

To create resources, perform only one of the following steps:

  • Create resources using the OpenShift Container Platform web console: In the OpenShift Container Platform web console, make sure that you are in the stackrox namespace. In the top menu, click + to open the Import YAML page. You can drag the init bundle file or copy and paste its contents into the editor, and then click Create. When the command is complete, the display shows that the collector-tls, sensor-tls, and admission-control-tls resources were created.

  • Create resources using the Red Hat OpenShift CLI: Using the Red Hat OpenShift CLI, run the following command to create the resources:

    $ oc create -f <init_bundle>.yaml \
      -n <stackrox>

    <init_bundle>.yaml: Specify the file name of the init bundle containing the secrets.
    <stackrox>: Specify the name of the project where Central services are installed.
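
A pre-flight check for two points made above: the bundle must be stored securely, and applying it creates the collector-tls, sensor-tls, and admission-control-tls resources. This is an added example, not part of the RHACS documentation or tooling; the function names check_init_bundle and write_sample_bundle are hypothetical, and it assumes an Operator-style bundle is YAML made up only of Secret objects with those names.

```shell
#!/bin/sh
# Added example: pre-flight check for an Operator-style init bundle.
# Assumption: the bundle is multi-document YAML containing only Secrets.
REQUIRED_SECRETS="collector-tls sensor-tls admission-control-tls"

# check_init_bundle FILE: returns 0 if the file looks safe to apply, else 1.
check_init_bundle() {
    bundle=$1
    rc=0
    [ -f "$bundle" ] || { echo "error: $bundle is not a regular file" >&2; return 1; }

    # The bundle holds secrets, so group/other permission bits must be empty.
    # Characters 5-10 of the ls mode string are those two triplets.
    perms=$(ls -ld "$bundle" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "error: $bundle is accessible to group/other (chmod 600 it)" >&2
        rc=1
    fi

    # Every TLS secret the page lists must be present as a metadata name.
    for name in $REQUIRED_SECRETS; do
        if ! grep -Eq "^[[:space:]]+name:[[:space:]]*${name}[[:space:]]*\$" "$bundle"; then
            echo "error: secret $name not found in $bundle" >&2
            rc=1
        fi
    done

    # Refuse a file that would create anything other than Secret objects.
    other=$(grep -E '^kind:' "$bundle" | grep -Ev '^kind:[[:space:]]*Secret[[:space:]]*$' || true)
    if [ -n "$other" ]; then
        echo "error: unexpected resource kinds in $bundle: $other" >&2
        rc=1
    fi
    return "$rc"
}

# write_sample_bundle FILE: constructed sample with placeholder values only.
write_sample_bundle() {
    ( umask 077   # create the file without group/other access
      for name in $REQUIRED_SECRETS; do
          printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\nstringData:\n  ca.pem: PLACEHOLDER\n---\n' "$name"
      done > "$1" )
}

# Usage: check_init_bundle cluster_init_bundle.yaml && \
#        oc create -f cluster_init_bundle.yaml -n <stackrox>
```

Running `umask 077` in the shell before `roxctl ... generate` means the bundle is created without group or other access in the first place.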

Next steps

  • Install RHACS secured cluster services in all clusters that you want to monitor.