
Central configuration options using the Operator

When you create a Central instance, the Operator lists the following configuration options for the Central custom resource.

The following table includes settings for an external PostgreSQL database.

Central settings

Parameter Description

central.adminPasswordSecret

Specify a secret that contains the administrator password in the password data item. If omitted, the operator autogenerates a password and stores it in the password item in the central-htpasswd secret.

central.defaultTLSSecret

By default, Central only serves an internal TLS certificate, which means that you need to handle TLS termination at the ingress or load balancer level. If you want to terminate TLS in Central and serve a custom server certificate, you can specify a secret containing the certificate and private key.

central.adminPasswordGenerationDisabled

Set this parameter to true to disable the automatic administrator password generation. Use this only after you perform the first-time setup of alternative authentication methods. Do not use this for initial installation. Otherwise, you must reinstall the custom resource to log back in.

central.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes.

central.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

central.exposure.loadBalancer.enabled

Set this to true to expose Central through a load balancer.

central.exposure.loadBalancer.port

Use this parameter to specify a custom port for your load balancer.

central.exposure.loadBalancer.ip

Use this parameter to specify a static IP address reserved for your load balancer.

central.exposure.route.enabled

Set this to true to expose Central through a Red Hat OpenShift route. The default value is false.

central.exposure.route.host

Specify a custom hostname to use for Central’s route. Leave this unset to accept the default value that OpenShift Container Platform provides.

central.exposure.nodeport.enabled

Set this to true to expose Central through a node port. The default value is false.

central.exposure.nodeport.port

Use this to specify an explicit node port.

central.monitoring.exposeEndpoint

Use Enabled to enable monitoring for Central. When you enable monitoring, RHACS creates a new monitoring service on port number 9090. The default value is Disabled.

central.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

central.persistence.hostPath.path

Specify a host path to store persistent data in a directory on the host. Red Hat does not recommend using this. If you need to use host path, you must use it with a node selector.

central.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data. If no PVC with the given name exists, it is created. The default value is stackrox-db if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.

central.persistence.persistentVolumeClaim.size

The size of the persistent volume when created through the claim. This is automatically generated by default.

central.persistence.persistentVolumeClaim.storageClassName

The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.

central.resources.limits

Use this parameter to override the default resource limits for the Central.

central.resources.requests

Use this parameter to override the default resource requests for the Central.

central.imagePullSecrets

Use this parameter to specify the image pull secrets for the Central image.

central.db.passwordSecret.name

Specify a secret that has the database password in the password data item. Only use this parameter if you want to specify a connection string manually. If omitted, the operator auto-generates a password and stores it in the password item in the central-db-password secret.

central.db.connectionString

If you set this parameter, the Operator does not deploy Central DB, and Central connects to the external database by using the specified connection string. If you specify a value for this parameter, you must also specify a value for central.db.passwordSecret.name. This parameter has the following constraints:

  • Connection string must be in keyword/value format as described in the PostgreSQL documentation. For more information, see the links in the Additional resources section.

  • Only PostgreSQL 13 is supported.

  • Connections through PgBouncer are not supported.

  • User must be a superuser who can create and delete databases.

central.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central DB. This parameter is mainly used for infrastructure nodes.

central.db.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

central.db.persistence.hostPath.path

Specify a host path to store persistent data in a directory on the host. Red Hat does not recommend using this. If you need to use host path, you must use it with a node selector.

central.db.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data. If no PVC with the given name exists, it is created. The default value is central-db if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.

central.db.persistence.persistentVolumeClaim.size

The size of the persistent volume when created through the claim. This is automatically generated by default.

central.db.persistence.persistentVolumeClaim.storageClassName

The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.

central.db.resources.limits

Use this parameter to override the default resource limits for the Central DB.

central.db.resources.requests

Use this parameter to override the default resource requests for the Central DB.

central.db.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

StackRox Scanner settings

Parameter Description

scanner.analyzer.nodeSelector

If you want this scanner to only run on specific nodes, you can use this parameter to configure a node selector.

scanner.analyzer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the StackRox Scanner. This parameter is mainly used for infrastructure nodes.

scanner.analyzer.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

scanner.analyzer.resources.limits

Use this parameter to override the default resource limits for the StackRox Scanner.

scanner.analyzer.resources.requests

Use this parameter to override the default resource requests for the StackRox Scanner.

scanner.analyzer.scaling.autoScaling

When enabled, the number of analyzer replicas is managed dynamically based on the load, within the limits specified.

scanner.analyzer.scaling.maxReplicas

Specifies the maximum replicas to be used in the analyzer autoscaling configuration.

scanner.analyzer.scaling.minReplicas

Specifies the minimum replicas to be used in the analyzer autoscaling configuration.

scanner.analyzer.scaling.replicas

When autoscaling is disabled, the number of replicas is always configured to match this value.

scanner.db.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scanner.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the StackRox Scanner DB. This parameter is mainly used for infrastructure nodes.

scanner.db.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

scanner.db.resources.limits

Use this parameter to override the default resource limits for the StackRox Scanner DB.

scanner.db.resources.requests

Use this parameter to override the default resource requests for the StackRox Scanner DB.

scanner.monitoring.exposeEndpoint

Use Enabled to enable monitoring for the StackRox Scanner. When you enable monitoring, RHACS creates a new monitoring service on port number 9090. The default value is Disabled.

scanner.scannerComponent

If you do not want to deploy the StackRox Scanner, you can disable it by using this parameter. If you disable the StackRox Scanner, all other settings in this section have no effect. Red Hat does not recommend disabling the StackRox Scanner. Do not disable the StackRox Scanner if you have enabled Scanner V4. Scanner V4 requires that the StackRox Scanner is also enabled to provide the necessary scanning capabilities.

Scanner V4 settings

Parameter Description

scannerV4.db.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scannerV4.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner V4 DB. This parameter is mainly used for infrastructure nodes.

scannerV4.db.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

scannerV4.db.resources.limits

Use this parameter to override the default resource limits for Scanner V4 DB.

scannerV4.db.resources.requests

Use this parameter to override the default resource requests for Scanner V4 DB.

scannerV4.db.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data for Scanner V4. If no PVC with the given name exists, it is created. The default value is scanner-v4-db if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.

scannerV4.db.persistence.persistentVolumeClaim.size

The size of the PVC to manage persistent data for Scanner V4.

scannerV4.db.persistence.persistentVolumeClaim.storageClassName

The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.

scannerV4.indexer.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scannerV4.indexer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Indexer. This parameter is mainly used for infrastructure nodes.

scannerV4.indexer.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

scannerV4.indexer.resources.limits

Use this parameter to override the default resource limits for the Scanner V4 Indexer.

scannerV4.indexer.resources.requests

Use this parameter to override the default resource requests for the Scanner V4 Indexer.

scannerV4.indexer.scaling.autoScaling

When enabled, the number of Scanner V4 Indexer replicas is managed dynamically based on the load, within the limits specified.

scannerV4.indexer.scaling.maxReplicas

Specifies the maximum replicas to be used in the Scanner V4 Indexer autoscaling configuration.

scannerV4.indexer.scaling.minReplicas

Specifies the minimum replicas to be used in the Scanner V4 Indexer autoscaling configuration.

scannerV4.indexer.scaling.replicas

When autoscaling is disabled for the Scanner V4 Indexer, the number of replicas is always configured to match this value.

scannerV4.matcher.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scannerV4.matcher.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Matcher. This parameter is mainly used for infrastructure nodes.

scannerV4.matcher.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

scannerV4.matcher.resources.limits

Use this parameter to override the default resource limits for the Scanner V4 Matcher.

scannerV4.matcher.resources.requests

Use this parameter to override the default resource requests for the Scanner V4 Matcher.

scannerV4.matcher.scaling.autoScaling

When enabled, the number of Scanner V4 Matcher replicas is managed dynamically based on the load, within the limits specified.

scannerV4.matcher.scaling.maxReplicas

Specifies the maximum replicas to be used in the Scanner V4 Matcher autoscaling configuration.

scannerV4.matcher.scaling.minReplicas

Specifies the minimum replicas to be used in the Scanner V4 Matcher autoscaling configuration.

scannerV4.matcher.scaling.replicas

When autoscaling is disabled for the Scanner V4 Matcher, the number of replicas is always configured to match this value.

scannerV4.monitoring.exposeEndpoint

Configures a monitoring endpoint for Scanner V4. The monitoring endpoint allows other services to collect metrics from Scanner V4, provided in a Prometheus-compatible format. Use Enabled to expose the monitoring endpoint. When you enable monitoring, RHACS creates a new service, monitoring, with port 9090, and a network policy allowing inbound connections to the port. By default, this is not enabled.

scannerV4.scannerComponent

Enables Scanner V4. The default value is Default, which leaves Scanner V4 disabled. To enable Scanner V4, set this parameter to Enabled.

General and miscellaneous settings

Parameter Description

customize.annotations

Allows specifying custom annotations for the Central deployment.

customize.envVars

Advanced settings to configure environment variables.

egress.connectivityPolicy

Configures whether RHACS should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.

misc.createSCCs

Specify true to create SecurityContextConstraints (SCCs) for Central. Setting to true might cause issues in some environments.

monitoring.openshift.enabled

If you set this option to false, Red Hat Advanced Cluster Security for Kubernetes will not set up Red Hat OpenShift monitoring. Defaults to true on Red Hat OpenShift 4.

network.policies

To provide security at the network level, RHACS creates default NetworkPolicy resources in the namespace where Central is installed. These network policies allow ingress to specific components on specific ports. If you do not want RHACS to create these policies, set this parameter to Disabled. The default value is Enabled.

Disabling creation of default network policies can break communication between RHACS components. If you disable creation of default policies, you must create your own network policies to allow this communication.

overlays

See "Customizing the installation using the Operator with overlays".

tls.additionalCAs

Additional trusted CA certificates for the secured cluster to trust. These certificates are typically used when integrating with services that use a private certificate authority.
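The constraints spread across the tables above are easy to violate in a single manifest: an external connection string requires central.db.passwordSecret.name and keyword/value syntax, Scanner V4 requires the StackRox Scanner, a hostPath requires a node selector, and disabling the default network policies requires replacements. The following Python script is an added example, not part of the RHACS documentation or the Operator. It runs those checks over a Central custom resource given as a Python dict (the parsed form of the YAML; field paths mirror the parameter names in the tables) and adds one check of its own, a warning when the libpq sslmode keyword does not enforce TLS to the external database. The CRD schema and the Operator remain authoritative; the hostnames, secret names and resource names are placeholders.

```python
import re


def get(cr, dotted, default=None):
    """Look up a 'central.db.connectionString' style parameter path under spec."""
    node = cr.get("spec", {})
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


# One libpq keyword=value pair; values may be single-quoted and contain spaces.
_KV = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*('(?:\\.|[^'\\])*'|\S+)")


def parse_conninfo(s):
    """Parse a PostgreSQL keyword/value string such as "host=db port=5432 sslmode=require".

    Returns a dict. Anything else (for example a postgres:// URI) raises ValueError,
    which is exactly what the central.db.connectionString constraint rules out.
    """
    out, pos, s = {}, 0, s.strip()
    while pos < len(s):
        m = _KV.match(s, pos)
        if not m:
            raise ValueError(f"not keyword=value at offset {pos}: {s[pos:pos + 20]!r}")
        key, val = m.group(1), m.group(2)
        if val.startswith("'"):                      # unquote and unescape \' and \\
            val = re.sub(r"\\(.)", r"\1", val[1:-1])
        out[key] = val
        pos = m.end()
    return out


def check_central(cr):
    """Return a list of (severity, message) findings for a Central CR dict."""
    findings = []
    conn = get(cr, "central.db.connectionString")
    if conn is not None:
        if not get(cr, "central.db.passwordSecret.name"):
            findings.append(("error", "central.db.connectionString requires central.db.passwordSecret.name"))
        try:
            kv = parse_conninfo(conn)
            if "host" not in kv:
                findings.append(("warn", "connection string has no host= keyword"))
            # Check beyond the tables: libpq defaults to sslmode=prefer, which silently
            # falls back to plaintext when the server does not offer TLS.
            mode = kv.get("sslmode", "prefer")
            if mode in ("disable", "allow", "prefer"):
                findings.append(("warn", f"sslmode={mode} does not enforce TLS to the external database"))
        except ValueError as err:
            findings.append(("error", f"central.db.connectionString must be keyword/value format: {err}"))
    if get(cr, "scannerV4.scannerComponent") == "Enabled" and get(cr, "scanner.scannerComponent") == "Disabled":
        findings.append(("error", "Scanner V4 requires the StackRox Scanner; do not set scanner.scannerComponent to Disabled"))
    for comp in ("central", "central.db"):
        if get(cr, f"{comp}.persistence.hostPath.path") and not get(cr, f"{comp}.nodeSelector"):
            findings.append(("error", f"{comp}.persistence.hostPath.path requires {comp}.nodeSelector"))
    if get(cr, "network.policies") == "Disabled":
        findings.append(("warn", "network.policies is Disabled: you must create NetworkPolicies for RHACS component traffic"))
    if get(cr, "central.adminPasswordGenerationDisabled") is True and not get(cr, "central.adminPasswordSecret.name"):
        findings.append(("warn", "adminPasswordGenerationDisabled without adminPasswordSecret: safe only after another auth provider works"))
    return findings


# Constructed Central CR that uses an external PostgreSQL database (placeholder names).
EXTERNAL_DB_CENTRAL = {
    "apiVersion": "platform.stackrox.io/v1alpha1",
    "kind": "Central",
    "metadata": {"name": "stackrox-central-services", "namespace": "stackrox"},
    "spec": {
        "central": {
            "adminPasswordSecret": {"name": "central-admin-password"},   # data item: password
            "defaultTLSSecret": {"name": "central-default-tls"},         # TLS terminated in Central
            "exposure": {"route": {"enabled": True}},
            "db": {
                "connectionString": "host=pg.db.example.internal port=5432 user=rhacs sslmode=verify-full",
                "passwordSecret": {"name": "central-db-password"},       # data item: password
            },
        },
        "scanner": {"scannerComponent": "Enabled"},
        "scannerV4": {"scannerComponent": "Enabled"},
        "network": {"policies": "Enabled"},
    },
}

# The same CR with the mistakes the tables warn about, for contrast.
BROKEN_CENTRAL = {
    "apiVersion": "platform.stackrox.io/v1alpha1",
    "kind": "Central",
    "metadata": {"name": "stackrox-central-services", "namespace": "stackrox"},
    "spec": {
        "central": {"db": {"connectionString": "postgres://rhacs@pg.db.example.internal/central"}},
        "scanner": {"scannerComponent": "Disabled"},
        "scannerV4": {"scannerComponent": "Enabled"},
        "network": {"policies": "Disabled"},
    },
}

if __name__ == "__main__":
    for name, cr in (("external-db", EXTERNAL_DB_CENTRAL), ("broken", BROKEN_CENTRAL)):
        print(name, check_central(cr) or "ok")
```

Run it before oc apply; the second manifest produces three errors (missing password secret, URI-style connection string, Scanner V4 without the StackRox Scanner) and one warning (default network policies disabled), the first produces none.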

Customizing the installation using the Operator with overlays

Learn how to tailor the installation of RHACS using the Operator method with overlays.

Overlays

When Central or SecuredCluster custom resources do not expose certain low-level configuration options as parameters, you can use the .spec.overlays field for adjustments. Use this field to amend the Kubernetes resources generated by these custom resources.

The .spec.overlays field comprises a sequence of patches, applied in their listed order. These patches are processed by the Operator on the Kubernetes resources before deployment to the cluster.

The .spec.overlays field in both Central and SecuredCluster allows users to modify low-level Kubernetes resources in arbitrary ways. Use this feature only when the desired customization is not available through the SecuredCluster or Central custom resources.

Support for the .spec.overlays feature is limited because it permits intricate, highly specific modifications to Kubernetes resources that can differ widely between installations. Each modification can be unique and can interact with the Kubernetes system in unpredictable ways across different versions and configurations of the product, so troubleshooting and guaranteeing the stability of such customizations requires expertise specific to each setup. While the feature lets you tailor Kubernetes resources to precise needs, you must also assume greater responsibility for the compatibility and stability of your configuration, especially during upgrades or changes to the underlying product.

The following example shows the structure of an overlay:

overlays:
- apiVersion: v1     (1)
  kind: ConfigMap    (2)
  name: my-configmap (3)
  patches:
    - path: .data    (4)
      value: |       (5)
        key1: data2
        key2: data2
1 Targeted Kubernetes resource apiVersion, for example apps/v1, v1, networking.k8s.io/v1
2 Resource type (e.g., Deployment, ConfigMap, NetworkPolicy)
3 Name of the resource, for example my-configmap
4 JSONPath expression to the field, for example spec.template.spec.containers[name:central].env[-1]
5 YAML string for the new field value
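To make the path syntax concrete, the following Python script models how an overlay patch is applied. It is an added illustration, not the Operator's implementation: it walks a dot-separated path over a plain dict (a backslash escapes a literal dot, [field:value] selects a list element by one of its fields, [-1] adds a new last element, which is how the env and containers examples later in this section use it), decodes the value, and replaces or appends. Values are given as JSON strings, a subset of YAML, so the script needs no PyYAML. The resources it patches are constructed stand-ins for what the Operator generates, far smaller than the real ones, and how the Operator treats a target that does not exist is not stated on this page; this model treats it as an error.

```python
import copy
import json


def tokenize_path(path):
    """Split a path like 'spec.template.spec.containers[name:central].env[-1]' into
    ('key', name), ('match', (field, value)) and ('index', n) tokens. A backslash
    escapes the next character ('eks\\.amazonaws\\.com' is one key); a leading '.' is ignored."""
    tokens, buf, i = [], "", 0
    path = path[1:] if path.startswith(".") else path
    while i < len(path):
        ch = path[i]
        if ch == "\\" and i + 1 < len(path):          # escaped character
            buf, i = buf + path[i + 1], i + 2
            continue
        if ch in ".[":
            if buf:
                tokens.append(("key", buf))
                buf = ""
            if ch == "[":
                end = path.index("]", i)
                sel = path[i + 1:end]
                if ":" in sel:                          # [field:value] selector
                    tokens.append(("match", tuple(sel.split(":", 1))))
                else:                                   # [n] index; [-1] appends
                    tokens.append(("index", int(sel)))
                i = end
            i += 1
            continue
        buf, i = buf + ch, i + 1
    if buf:
        tokens.append(("key", buf))
    return tokens


def _child(node, token, next_token):
    """Child addressed by token; a missing key becomes an empty dict or list."""
    kind, arg = token
    if kind == "key":
        if arg not in node:
            node[arg] = [] if next_token and next_token[0] != "key" else {}
        return node[arg]
    if kind == "index":
        return node[arg]
    field, val = arg
    for element in node:
        if isinstance(element, dict) and str(element.get(field)) == val:
            return element
    raise KeyError(f"no list element with {field}={val}")


def apply_patch(resource, path, value_json):
    """Set (or, for a trailing [-1], append) the decoded value at path, in place."""
    value, tokens, node = json.loads(value_json), tokenize_path(path), resource
    for pos, token in enumerate(tokens[:-1]):
        node = _child(node, token, tokens[pos + 1])
    kind, arg = tokens[-1]
    if kind == "key":
        node[arg] = value
    elif kind == "index" and arg == -1:
        node.append(value)
    elif kind == "index":
        node[arg] = value
    else:                                               # replace the matched element
        node[node.index(_child(node, tokens[-1], None))] = value
    return resource


def apply_overlays(resources, overlays):
    """Apply each overlay's patches, in listed order, to the resource it names."""
    by_id = {(r["apiVersion"], r["kind"], r["metadata"]["name"]): r for r in resources}
    for ov in overlays:
        key = (ov["apiVersion"], ov["kind"], ov["name"])
        if key not in by_id:
            raise KeyError(f"overlay target does not exist: {key}")
        for patch in ov["patches"]:
            apply_patch(by_id[key], patch["path"], patch["value"])
    return resources


SAMPLE_RESOURCES = [                                    # constructed stand-ins
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "central"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "central", "env": [{"name": "EXISTING_VAR", "value": "1"}]}]}}}},
    {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {"name": "central"}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "allow-ext-to-central"},
     "spec": {"ingress": [{"ports": [{"port": 8443, "protocol": "TCP"}]}]}},
]

SAMPLE_OVERLAYS = [                                     # this section's examples, JSON values
    {"apiVersion": "apps/v1", "kind": "Deployment", "name": "central", "patches": [
        {"path": "spec.template.spec.containers[name:central].env[-1]",
         "value": '{"name": "MY_ENV_VAR", "value": "value"}'}]},
    {"apiVersion": "v1", "kind": "ServiceAccount", "name": "central", "patches": [
        {"path": "metadata.annotations.eks\\.amazonaws\\.com/role-arn", "value": '"arn:aws:iam:1234:role"'}]},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy", "name": "allow-ext-to-central",
     "patches": [{"path": "spec.ingress[-1]", "value": '{"ports": [{"port": 999, "protocol": "TCP"}]}'}]},
]


def demo():
    """Apply SAMPLE_OVERLAYS to a copy of SAMPLE_RESOURCES and return the result."""
    return apply_overlays(copy.deepcopy(SAMPLE_RESOURCES), SAMPLE_OVERLAYS)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the env var appended after EXISTING_VAR, the annotation key eks.amazonaws.com/role-arn created under a new metadata.annotations map, and a second ingress rule after the existing one; a patch whose selector matches nothing, or whose target resource does not exist, fails loudly instead of silently doing nothing.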

Adding an overlay

For customizations, you can add overlays to Central or SecuredCluster custom resources. Use the OpenShift CLI (oc) or the OpenShift Container Platform web console for modifications.

If overlays do not take effect as expected, check the RHACS Operator logs for any syntax errors or issues logged.

Overlay examples

Specifying an EKS pod role ARN for the Central ServiceAccount

Add an Amazon Elastic Kubernetes Service (EKS) pod role Amazon Resource Name (ARN) annotation to the central ServiceAccount as shown in the following example:

apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: v1
    kind: ServiceAccount
    name: central
    patches:
      - path: metadata.annotations.eks\.amazonaws\.com/role-arn
        value: "\"arn:aws:iam:1234:role\""

Injecting an environment variable into the Central deployment

Inject an environment variable into the central deployment as shown in the following example:

apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: apps/v1
    kind: Deployment
    name: central
    patches:
    - path: spec.template.spec.containers[name:central].env[-1]
      value: |
        name: MY_ENV_VAR
        value: value

Extending network policy with an ingress rule

Add an ingress rule to the allow-ext-to-central network policy for port 999 traffic as shown in the following example:

apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    name: allow-ext-to-central
    patches:
      - path: spec.ingress[-1]
        value: |
          ports:
          - port: 999
            protocol: TCP

Modifying ConfigMap data

Modify the central-endpoints ConfigMap data as shown in the following example:

apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: v1
    kind: ConfigMap
    name: central-endpoints
    patches:
    - path: data
      value: |
        endpoints.yaml: |
          disableDefault: false

Adding a container to the Central deployment

Add a new container to the central deployment as shown in the following example:

apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: apps/v1
    kind: Deployment
    name: central
    patches:
      - path: spec.template.spec.containers[-1]
        value: |
          name: nginx
          image: nginx
          ports:
            - containerPort: 8000
              name: http
              protocol: TCP