×

Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides security services for your self-managed Red Hat OpenShift Kubernetes systems or platforms such as OpenShift Container Platform, Amazon Elastic Kubernetes Service (Amazon EKS), Google Kubernetes Engine (Google GKE), and Microsoft Azure Kubernetes Service (Microsoft AKS).

For information about supported platforms and architecture, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix. For life cycle support information for RHACS, see the Red Hat Advanced Cluster Security for Kubernetes Support Policy.

General installation guidelines

To ensure the best installation experience, follow these guidelines:

  1. Understand the installation platforms and methods described in this module.

  2. Understand Red Hat Advanced Cluster Security for Kubernetes architecture.

  3. Check the default resource requirements.

Installation methods for different platforms

You can perform different types of installations on different platforms.

Not all installation methods are supported for all platforms. See the Red Hat Advanced Cluster Security for Kubernetes Support Matrix for more information.

Table 1. Platforms and recommended installation methods
Platform type Platform Recommended installation methods Installation steps

Managed service platform

Red Hat OpenShift Dedicated (OSD)

Operator (recommended), Helm charts, or roxctl CLI [1]

Azure Red Hat OpenShift (ARO)

Red Hat OpenShift Service on AWS (ROSA)

Red Hat OpenShift on IBM Cloud

Amazon Elastic Kubernetes Service (Amazon EKS)

Helm charts (recommended), or roxctl CLI [1]

Google Kubernetes Engine (Google GKE)

Microsoft Azure Kubernetes Service (Microsoft AKS)

Self-managed platform

Red Hat OpenShift Container Platform (OCP)

Operator (recommended), Helm charts, or roxctl CLI [1]

Red Hat OpenShift Kubernetes Engine (OKE)

  1. Do not use the roxctl installation method unless you have specific requirements for following this installation method.

Installation methods for different architectures

Red Hat Advanced Cluster Security for Kubernetes (RHACS) supports the following architectures. For information on supported platforms and architecture, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix. Additionally, the following table gives information about installation methods available for each architecture.

Table 2. Architectures and supported installation methods for each architecture
Supported architectures Supported installation methods

AMD64

Operator (preferred), Helm charts, or roxctl CLI (not recommended)

ppc64le (IBM Power)

Operator

s390x (IBM Z and IBM® LinuxONE)

Installation steps for RHACS on OpenShift Container Platform

Installing RHACS on Red Hat OpenShift by using the RHACS Operator

  1. On the Red Hat OpenShift cluster, install the RHACS Operator into the rhacs-operator project, or namespace.

  2. On the Red Hat OpenShift cluster that will contain Central, called the central cluster, use the RHACS Operator to install Central services into the stackrox project. One central cluster can secure multiple clusters.

  3. Log in to the RHACS web console from the central cluster, and then create an init bundle and download it. The init bundle is then installed on the cluster that you want to secure, called the secured cluster.

  4. For the secured cluster:

    1. Install the RHACS Operator into the rhacs-operator namespace.

    2. On the secured cluster, apply the init bundle that you created in RHACS by performing one of these steps:

      • Use the OpenShift Container Platform web console to import the YAML file of the init bundle that you created. Make sure you are in the stackrox namespace.

      • In the terminal window, run the oc create -f <init_bundle>.yaml -n <stackrox> command, specifying the path to the downloaded YAML file of the init bundle.

    3. On the secured cluster, use the RHACS Operator to install Secured Cluster services into the stackrox namespace. When creating these services, be sure to enter the address of Central in the Central Endpoint field so that the secured cluster can communicate with Central.

Installing RHACS on Red Hat OpenShift by using Helm charts

  1. Add the RHACS Helm charts repository.

  2. Install the central-services Helm chart on the Red Hat OpenShift cluster that will contain Central, called the central cluster.

  3. Log in to the RHACS web console on the Central cluster and create an init bundle.

  4. For each cluster that you want to secure, log in to the secured cluster and perform the following steps:

    1. Apply the init bundle you created with RHACS. To apply the init bundle on the secured cluster, perform one of these steps:

      • Use the OpenShift Container Platform web console to import the YAML file of the init bundle that you created. Make sure you are in the stackrox namespace.

      • In the terminal window, run the oc create -f <init_bundle>.yaml -n <stackrox> command, specifying the path to the downloaded YAML file of the init bundle.

    2. Install the secured-cluster-services Helm chart on the secured cluster, specifying the path to the init bundle that you created.

Installing RHACS on Red Hat OpenShift by using the roxctl CLI

This installation method is also called the manifest installation method.

  1. Install the roxctl CLI.

  2. On the Red Hat OpenShift cluster that will contain Central, perform these steps:

    1. In the terminal window, run the interactive install command by using the roxctl CLI.

    2. Run the setup shell script.

    3. In the terminal window, create the Central resources by using the oc create command.

  3. Perform one of the following actions:

    • In the RHACS web console, create and download the sensor YAML file and keys.

    • On the secured cluster, use the roxctl sensor generate openshift command.

  4. On the secured cluster, run the sensor installation script.

Installation steps for RHACS on Kubernetes

Installing RHACS on Kubernetes platforms by using Helm charts

  1. Add the RHACS Helm charts repository.

  2. Install the central-services Helm chart on the cluster that will contain Central, called the Central cluster.

  3. Log in to the RHACS web console from the Central cluster and create an init bundle that you will install on the cluster that you want to secure, called the secured cluster.

  4. For each secured cluster:

    1. Apply the init bundle you created with RHACS. Log in to the secured cluster and run the kubectl create -f <init_bundle>.yaml -n <stackrox> command, specifying the path to the downloaded YAML file of the init bundle.

    2. Install the secured-cluster-services Helm chart on the secured cluster, specifying the path to the init bundle that you created earlier.

Installing RHACS on Kubernetes platforms by using the roxctl CLI

This installation method is also called the manifest installation method.

  1. Install the roxctl CLI.

  2. On the Kubernetes cluster that will contain Central, perform these steps:

    1. In the terminal window, run the interactive install command by using the roxctl CLI.

    2. Run the setup shell script.

    3. In the terminal window, create the Central resources by using the kubectl create command.

  3. Perform one of the following actions:

    • In the RHACS web console, create and download the sensor YAML file and keys.

    • On the cluster that you want to secure, called the secured cluster, use the roxctl sensor generate openshift command.

  4. On the secured cluster, run the sensor installation script.