×

Secured Cluster services configuration options

When you create a Central instance, the Operator lists the following configuration options for the Central custom resource.

Required Configuration Settings

Parameter Description

centralEndpoint

The endpoint of Central instance to connect to, including the port number. If using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with wss://. If you do not specify a value for this parameter, Sensor attempts to connect to a Central instance running in the same namespace.

clusterName

The unique name of this cluster, which shows up in the RHACS portal. After you set the name by using this parameter, you cannot change it again. To change the name, you must delete and re-create the object.

Admission controller settings

Parameter Description

admissionControl.listenOnCreates

Specify true to enable preventive policy enforcement for object creations. The default value is true.

admissionControl.listenOnEvents

Specify true to enable monitoring and enforcement for Kubernetes events, such as port-forward and exec events. It is used to control access to resources through the Kubernetes API. The default value is true.

admissionControl.listenOnUpdates

Specify true to enable preventive policy enforcement for object updates. It will not have any effect unless Listen On Creates is set to true as well. The default value is true.

admissionControl.nodeSelector

If you want this component to only run on specific nodes, you can configure a node selector using this parameter.

admissionControl.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Admission Control. This parameter is mainly used for infrastructure nodes.

admissionControl.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

admissionControl.resources.limits

Use this parameter to override the default resource limits for the admission controller.

admissionControl.resources.requests

Use this parameter to override the default resource requests for the admission controller.

admissionControl.bypass

Use one of the following values to configure the bypassing of admission controller enforcement:

  • BreakGlassAnnotation to enable bypassing the admission controller via the admission.stackrox.io/break-glass annotation.

  • Disabled to disable the ability to bypass admission controller enforcement for the secured cluster.

The default value is BreakGlassAnnotation.

admissionControl.contactImageScanners

Use one of the following values to specify if the admission controller must connect to the image scanner:

  • ScanIfMissing if the scan results for the image are missing.

  • DoNotScanInline to skip scanning the image when processing the admission request.

The default value is DoNotScanInline.

admissionControl.timeoutSeconds

Use this parameter to specify the maximum number of seconds RHACS must wait for an admission review before marking it as fail open. If the admission webhook does not receive information that it is requesting before the end of the timeout period, it fails, but in fail open status, it still allows the operation to succeed. For example, the admission controller would allow a deployment to be created even if a scan had timed out and RHACS could not determine if the deployment violated a policy. For example, the admission controller would allow a deployment to be created even if the scan had timed out. Beginning in release 4.5, Red Hat reduced the default timeout setting for the RHACS admission controller webhooks from 20 seconds to 10 seconds, resulting in an effective timeout of 12 seconds within the ValidatingWebhookConfiguration. This change does not negatively affect OpenShift Container Platform users because OpenShift Container Platform caps the timeout at 13 seconds.

Scanner configuration

Use Scanner configuration settings to modify the local cluster scanner for the integrated OpenShift image registry.

Parameter Description

scanner.analyzer.nodeSelector

Specify a node selector label as label-key: label-value to force Scanner to only schedule on nodes with the specified label.

scanner.analyzer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner.

scanner.analyzer.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

scanner.analyzer.resources.requests.memory

The memory request for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.resources.requests.cpu

The CPU request for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.resources.limits.memory

The memory limit for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.resources.limits.cpu

The CPU limit for the Scanner container. Use this parameter to override the default value.

scanner.analyzer.scaling.autoscaling

If you set this option to Disabled, Red Hat Advanced Cluster Security for Kubernetes disables autoscaling on the Scanner deployment. The default value is Enabled.

scanner.analyzer.scaling.minReplicas

The minimum number of replicas for autoscaling. The default value is 2.

scanner.analyzer.scaling.maxReplicas

The maximum number of replicas for autoscaling. The default value is 5.

scanner.analyzer.scaling.replicas

The default number of replicas. The default value is 3.

scanner.analyzer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner.

scanner.db.nodeSelector

Specify a node selector label as label-key: label-value to force Scanner DB to only schedule on nodes with the specified label.

scanner.db.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

scanner.db.resources.requests.memory

The memory request for the Scanner DB container. Use this parameter to override the default value.

scanner.db.resources.requests.cpu

The CPU request for the Scanner DB container. Use this parameter to override the default value.

scanner.db.resources.limits.memory

The memory limit for the Scanner DB container. Use this parameter to override the default value.

scanner.db.resources.limits.cpu

The CPU limit for the Scanner DB container. Use this parameter to override the default value.

scanner.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner DB.

scanner.scannerComponent

If you set this option to Disabled, Red Hat Advanced Cluster Security for Kubernetes does not deploy the Scanner deployment. Do not disable the Scanner on OpenShift Container Platform clusters. The default value is AutoSense.

scannerV4.db.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scannerV4.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner V4 DB. This parameter is mainly used for infrastructure nodes.

scannerV4.db.resources.limits

Use this parameter to override the default resource limits for Scanner V4 DB.

scannerV4.db.resources.requests

Use this parameter to override the default resource requests for Scanner V4 DB.

scannerV4.db.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data for Scanner V4. If no PVC with the given name exists, it is created. The default value is scanner-v4-db if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.

scannerV4.indexer.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scannerV4.indexer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Indexer. This parameter is mainly used for infrastructure nodes.

scannerV4.indexer.resources.limits

Use this parameter to override the default resource limits for the Scanner V4 Indexer.

scannerV4.indexer.resources.requests

Use this parameter to override the default resource requests for the Scanner V4 Indexer.

scannerV4.indexer.scaling.autoScaling

When enabled, the number of Scanner V4 Indexer replicas is managed dynamically based on the load, within the limits specified.

scannerV4.indexer.scaling.maxReplicas

Specifies the maximum replicas to be used in the Scanner V4 Indexer autoscaling configuration.

scannerV4.indexer.scaling.minReplicas

Specifies the minimum replicas to be used in the Scanner V4 Indexer autoscaling configuration.

scannerV4.indexer.scaling.replicas

When autoscaling is disabled for the Scanner V4 Indexer, the number of replicas is always configured to match this value.

scannerV4.monitoring.exposeEndpoint

Configures a monitoring endpoint for Scanner V4. The monitoring endpoint allows other services to collect metrics from Scanner V4, provided in a Prometheus-compatible format. Use Enabled to expose the monitoring endpoint. When you enable monitoring, RHACS creates a new service, monitoring, with port 9090, and a network policy allowing inbound connections to the port. By default, this is not enabled.

scannerV4.scannerComponent

Enables Scanner V4. The default value is default, which is disabled. To enable Scanner V4, set this parameter to Enabled.

Image configuration

Use image configuration settings when you are using a custom registry.

Parameter Description

imagePullSecrets.name

Additional image pull secrets to be taken into account for pulling images.

Per node settings

Per node settings define the configuration settings for components that run on each node in a cluster to secure the cluster. These components are Collector and Compliance.

Parameter Description

perNode.collector.collection

The method for system-level data collection. The default value is CORE_BPF. Red Hat recommends using CORE_BPF for data collection. If you select NoCollection, Collector does not report any information about the network activity and the process executions. Available options are NoCollection and CORE_BPF. The EBPF option is available only for version 4.4 and earlier.

perNode.collector.imageFlavor

The image type to use for Collector. You can specify it as Regular or Slim. This value is deprecated. Regular and Slim images are identical.

perNode.collector.resources.limits

Use this parameter to override the default resource limits for Collector.

perNode.collector.resources.requests

Use this parameter to override the default resource requests for Collector.

perNode.compliance.resources.requests

Use this parameter to override the default resource requests for Compliance.

perNode.compliance.resources.limits

Use this parameter to override the default resource limits for Compliance.

perNode.taintToleration

To ensure comprehensive monitoring of your cluster activity, Red Hat Advanced Cluster Security for Kubernetes runs services on every node in the cluster, including tainted nodes by default. If you do not want this behavior, specify AvoidTaints for this parameter. The default value is TolerateTaints.

Sensor configuration

This configuration defines the settings of the Sensor components, which runs on one node in a cluster.

Parameter Description

sensor.nodeSelector

If you want Sensor to only run on specific nodes, you can configure a node selector.

sensor.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Sensor. This parameter is mainly used for infrastructure nodes.

sensor.hostAliases

Use this parameter to inject hosts and IP addresses into the pod’s hosts file.

sensor.resources.limits

Use this parameter to override the default resource limits for Sensor.

sensor.resources.requests

Use this parameter to override the default resource requests for Sensor.

General and miscellaneous settings

Parameter Description

customize.annotations

Allows specifying custom annotations for the Central deployment.

customize.envVars

Advanced settings to configure environment variables.

egress.connectivityPolicy

Configures whether Red Hat Advanced Cluster Security for Kubernetes should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.

misc.createSCCs

Set this to true to create SCCs for Central. It may cause issues in some environments.

network.policies

To provide security at the network level, RHACS creates default NetworkPolicy resources in the namespace where secured cluster resources are installed. These network policies allow ingress to specific components on specific ports. If you do not want RHACS to create these policies, set this parameter to Disabled. The default value is Enabled.

Disabling creation of default network policies can break communication between RHACS components. If you disable creation of default policies, you must create your own network policies to allow this communication.

overlays

See "Customizing the installation using the Operator with overlays".

tls.additionalCAs

Additional trusted CA certificates for the secured cluster. These certificates are used when integrating with services using a private certificate authority.

Customizing the installation using the Operator with overlays

Learn how to tailor the installation of RHACS using the Operator method with overlays.

Overlays

When Central or SecuredCluster custom resources don’t expose certain low-level configuration options as parameters, you can use the .spec.overlays field for adjustments. Use this field to amend the Kubernetes resources generated by these custom resources.

The .spec.overlays field comprises a sequence of patches, applied in their listed order. These patches are processed by the Operator on the Kubernetes resources before deployment to the cluster.

The .spec.overlays field in both Central and SecuredCluster allows users to modify low-level Kubernetes resources in arbitrary ways. Use this feature only when the desired customization is not available through the SecuredCluster or Central custom resources.

Support for the .spec.overlays feature is limited primarily because it grants the ability to make intricate and highly specific modifications to Kubernetes resources, which can vary significantly from one implementation to another. This level of customization introduces a complexity that goes beyond standard usage scenarios, making it challenging to provide broad support. Each modification can be unique, potentially interacting with the Kubernetes system in unpredictable ways across different versions and configurations of the product. This variability means that troubleshooting and guaranteeing the stability of these customizations require a level of expertise and understanding specific to each individual’s setup. Consequently, while this feature empowers tailoring Kubernetes resources to meet precise needs, greater responsibility must also assumed to ensure the compatibility and stability of configurations, especially during upgrades or changes to the underlying product.

The following example shows the structure of an overlay:

overlays:
- apiVersion: v1     (1)
  kind: ConfigMap    (2)
  name: my-configmap (3)
  patches:
    - path: .data    (4)
      value: |       (5)
        key1: data2
        key2: data2
1 Targeted Kubernetes resource ApiVersion, for example apps/v1, v1, networking.k8s.io/v1
2 Resource type (e.g., Deployment, ConfigMap, NetworkPolicy)
3 Name of the resource, for example my-configmap
4 JSONPath expression to the field, for example spec.template.spec.containers[name:central].env[-1]
5 YAML string for the new field value

Adding an overlay

For customizations, you can add overlays to Central or SecuredCluster custom resources. Use the OpenShift CLI (oc) or the OpenShift Container Platform web console for modifications.

If overlays do not take effect as expected, check the RHACS Operator logs for any syntax errors or issues logged.

Overlay examples

Specifying an EKS pod role ARN for the Central ServiceAccount

Add an Amazon Elastic Kubernetes Service (EKS) pod role Amazon Resource Name (ARN) annotation to the central ServiceAccount as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: v1
    kind: ServiceAccount
    name: central
    patches:
      - path: metadata.annotations.eks\.amazonaws\.com/role-arn
        value: "\"arn:aws:iam:1234:role\""

Injecting an environment variable into the Central deployment

Inject an environment variable into the central deployment as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: apps/v1
    kind: Deployment
    name: central
    patches:
    - path: spec.template.spec.containers[name:central].env[-1]
      value: |
        name: MY_ENV_VAR
        value: value

Extending network policy with an ingress rule

Add an ingress rule to the allow-ext-to-central network policy for port 999 traffic as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
    # ...
    overlays:
    - apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: allow-ext-to-central
      patches:
        - path: spec.ingress[-1]
          value: |
            ports:
            - port: 999
              protocol: TCP

Modifying ConfigMap data

Modify the central-endpoints ConfigMap data as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
    # ...
    overlays:
    - apiVersion: v1
      kind: ConfigMap
      name: central-endpoints
      patches:
      - path: data
        value: |
          endpoints.yaml: |
            disableDefault: false

Adding a container to the Central deployment

Add a new container to the central deployment as shown in the following example:.

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
    # ...
    overlays:
    - apiVersion: apps/v1
      kind: Deployment
      name: central
      patches:
        - path: spec.template.spec.containers[-1]
      value: |
        name: nginx
        image: nginx
        ports:
          - containerPort: 8000
            name: http
            protocol: TCP