$ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
Central is the resource that contains the RHACS application management interface and services. It handles data persistence, API interactions, and RHACS portal access. You can use the same Central instance to secure multiple OpenShift Container Platform or Kubernetes clusters.
You can install Central by using one of the following methods:
Install using Helm charts
Install using the roxctl
CLI (do not use this method unless you have a specific installation need that requires using it)
You can install Central using Helm charts without any customization, using the default values, or by using Helm charts with additional customizations of configuration parameters.
You can install RHACS on your Red Hat OpenShift cluster without any customizations. You must add the Helm chart repository and install the central-services
Helm chart to install the centralized components of Central and Scanner.
Add the RHACS charts repository.
$ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
The Helm repository for Red Hat Advanced Cluster Security for Kubernetes includes Helm charts for installing different components, including:
Central services Helm chart (central-services
) for installing the centralized components (Central and Scanner).
You deploy centralized components only once and you can monitor multiple separate clusters by using the same installation. |
Secured Cluster Services Helm chart (secured-cluster-services
) for installing the per-cluster and per-node components (Sensor, Admission Controller, Collector, and Scanner-slim).
Deploy the per-cluster components into each cluster that you want to monitor and deploy the per-node components in all nodes that you want to monitor. |
Run the following command to verify the added chart repository:
$ helm search repo -l rhacs/
Use the following instructions to install the central-services
Helm chart to deploy the centralized components (Central and Scanner).
You must have access to the Red Hat Container Registry. For information about downloading images from registry.redhat.io
, see Red Hat Container Registry Authentication.
Run the following command to install Central services and expose Central using a route:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.username=<username> \(1)
--set imagePullSecrets.password=<password> \(2)
--set central.exposure.route.enabled=true
1 | Include the user name for your pull secret for Red Hat Container Registry authentication. |
2 | Include the password for your pull secret for Red Hat Container Registry authentication. |
Or, run the following command to install Central services and expose Central using a load balancer:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.username=<username> \(1)
--set imagePullSecrets.password=<password> \(2)
--set central.exposure.loadBalancer.enabled=true
1 | Include the user name for your pull secret for Red Hat Container Registry authentication. |
2 | Include the password for your pull secret for Red Hat Container Registry authentication. |
Or, run the following command to install Central services and expose Central using port forward:
$ helm install -n stackrox \
--create-namespace stackrox-central-services rhacs/central-services \
--set imagePullSecrets.username=<username> \(1)
--set imagePullSecrets.password=<password> (2)
1 | Include the user name for your pull secret for Red Hat Container Registry authentication. |
2 | Include the password for your pull secret for Red Hat Container Registry authentication. |
|
The output of the installation command includes:
An automatically generated administrator password.
Instructions on storing all the configuration values.
Any warnings that Helm generates.
You can install RHACS on your Red Hat OpenShift cluster with customizations by using Helm chart configuration parameters with the helm install
and helm upgrade
commands. You can specify these parameters by using the --set
option or by creating YAML configuration files.
Create the following files for configuring the Helm chart for installing Red Hat Advanced Cluster Security for Kubernetes:
Public configuration file values-public.yaml
: Use this file to save all non-sensitive configuration options.
Private configuration file values-private.yaml
: Use this file to save all sensitive configuration options. Ensure that you store this file securely.
Configuration file declarative-config-values.yaml
: Create this file if you are using declarative configuration to add the declarative configuration mounts to Central.
This section lists the configurable parameters of the values-private.yaml
file.
There are no default values for these parameters.
The credentials that are required for pulling images from the registry depend on the following factors:
If you are using a custom registry, you must specify these parameters:
imagePullSecrets.username
imagePullSecrets.password
image.registry
If you do not use a username and password to log in to the custom registry, you must specify one of the following parameters:
imagePullSecrets.allowNone
imagePullSecrets.useExisting
imagePullSecrets.useFromDefaultServiceAccount
Parameter | Description |
---|---|
|
The username of the account that is used to log in to the registry. |
|
The password of the account that is used to log in to the registry. |
|
Use |
|
A comma-separated list of secrets as values.
For example, |
|
Use |
If you are installing Red Hat Advanced Cluster Security for Kubernetes in a cluster that requires a proxy to connect to external services, you must specify your proxy configuration by using the proxyConfig
parameter.
For example:
env:
proxyConfig: |
url: http://proxy.name:port
username: username
password: password
excludes:
- some.domain
Parameter | Description |
---|---|
|
Your proxy configuration. |
Configurable parameters for Central.
For a new installation, you can skip the following parameters:
central.jwtSigner.key
central.serviceTLS.cert
central.serviceTLS.key
central.adminPassword.value
central.adminPassword.htpasswd
central.db.serviceTLS.cert
central.db.serviceTLS.key
central.db.password.value
When you do not specify values for these parameters the Helm chart autogenerates values for them.
If you want to modify these values you can use the helm upgrade
command and specify the values using the --set
option.
For setting the administrator password, you can only use either |
Parameter | Description |
---|---|
|
A private key which RHACS should use for signing JSON web tokens (JWTs) for authentication. |
|
An internal certificate that the Central service should use for deploying Central. |
|
The private key of the internal certificate that the Central service should use. |
|
The user-facing certificate that Central should use. RHACS uses this certificate for RHACS portal.
|
|
The private key of the user-facing certificate that Central should use.
|
|
Connection password for Central database. |
|
Administrator password for logging into RHACS. |
|
Administrator password for logging into RHACS. This password is stored in hashed format using bcrypt. |
|
An internal certificate that the Central DB service should use for deploying Central DB. |
|
The private key of the internal certificate that the Central DB service should use. |
|
The password used to connect to the Central DB. |
If you are using
|
Configurable parameters for the StackRox Scanner and Scanner V4.
For a new installation, you can skip the following parameters and the Helm chart autogenerates values for them. Otherwise, if you are upgrading to a new version, specify the values for the following parameters:
scanner.dbPassword.value
scanner.serviceTLS.cert
scanner.serviceTLS.key
scanner.dbServiceTLS.cert
scanner.dbServiceTLS.key
scannerV4.db.password.value
scannerV4.indexer.serviceTLS.cert
scannerV4.indexer.serviceTLS.key
scannerV4.matcher.serviceTLS.cert
scannerV4.matcher.serviceTLS.key
scannerV4.db.serviceTLS.cert
scannerV4.db.serviceTLS.key
Parameter | Description |
---|---|
|
The password to use for authentication with Scanner database. Do not modify this parameter because RHACS automatically creates and uses its value internally. |
|
An internal certificate that the StackRox Scanner service should use for deploying the StackRox Scanner. |
|
The private key of the internal certificate that the Scanner service should use. |
|
An internal certificate that the Scanner-db service should use for deploying Scanner database. |
|
The private key of the internal certificate that the Scanner-db service should use. |
|
The password to use for authentication with the Scanner V4 database. Do not modify this parameter because RHACS automatically creates and uses its value internally. |
|
An internal certificate that the Scanner V4 DB service should use for deploying the Scanner V4 database. |
|
The private key of the internal certificate that the Scanner V4 DB service should use. |
|
An internal certificate that the Scanner V4 service should use for deploying the Scanner V4 Indexer. |
|
The private key of the internal certificate that the Scanner V4 Indexer should use. |
|
An internal certificate that the Scanner V4 service should use for deploying the the Scanner V4 Matcher. |
|
The private key of the internal certificate that the Scanner V4 Matcher should use. |
This section lists the configurable parameters of the values-public.yaml
file.
Image pull secrets are the credentials required for pulling images from your registry.
Parameter | Description |
---|---|
|
Use |
|
A comma-separated list of secrets as values.
For example, |
|
Use |
Image declares the configuration to set up the main registry, which the Helm chart uses to resolve images for the central.image
, scanner.image
, scanner.dbImage
, scannerV4.image
, and scannerV4.db.image
parameters.
Parameter | Description |
---|---|
|
Address of your image registry.
Either use a hostname, such as |
Red Hat Advanced Cluster Security for Kubernetes automatically detects your cluster environment and sets values for env.openshift
, env.istio
, and env.platform
.
Only set these values to override the automatic cluster environment detection.
Parameter | Description |
---|---|
|
Use |
|
Use |
|
The platform on which you are installing RHACS.
Set its value to |
|
Use |
The RHACS automatically references the system root certificates to trust. When Central, the StackRox Scanner, or Scanner V4 must reach out to services that use certificates issued by an authority in your organization or a globally trusted partner organization, you can add trust for these services by specifying the root certificate authority to trust by using the following parameter:
Parameter | Description |
---|---|
|
Specify the PEM encoded certificate of the root certificate authority to trust. |
To provide security at the network level, RHACS creates default NetworkPolicy
resources in the namespace where Central is installed. These network policies allow ingress to specific components on specific ports. If you do not want RHACS to create these policies, set this parameter to Disabled
. The default value is Enabled
.
Disabling creation of default network policies can break communication between RHACS components. If you disable creation of default policies, you must create your own network policies to allow this communication. |
Parameter | Description |
---|---|
|
Specify if RHACS creates default network policies to allow communication between components. To create your own network policies, set this parameter to |
Configurable parameters for Central.
For exposing Central deployment for external access.
You must specify one parameter, either central.exposure.loadBalancer
, central.exposure.nodePort
, or central.exposure.route
.
When you do not specify any value for these parameters, you must manually expose Central or access it by using port-forwarding.
The following table includes settings for an external PostgreSQL database.
Parameter | Description |
---|---|
|
Mounts config maps used for declarative configurations. |
|
Mounts secrets used for declarative configurations. |
|
The endpoint configuration options for Central. |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes. |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes. |
|
Specify |
|
A custom registry that overrides the global |
|
The custom image name that overrides the default Central image name ( |
|
The custom image tag that overrides the default tag for Central image.
If you specify your own image tag during a new installation, you must manually increment this tag when you to upgrade to a new version by running the |
|
Full reference including registry address, image name, and image tag for the Central image.
Setting a value for this parameter overrides the |
|
The memory request for Central. |
|
The CPU request for Central. |
|
The memory limit for Central. |
|
The CPU limit for Central. |
|
Use |
|
The port number on which to expose Central. The default port number is 443. |
|
Use |
|
The port number on which to expose Central. When you skip this parameter, OpenShift Container Platform automatically assigns a port number. Red Hat recommends that you do not specify a port number if you are exposing RHACS by using a node port. |
|
Use |
|
Use |
|
The connection string for Central to use to connect to the database. This is only used when
|
|
The minimum number of connections to the database to be established. |
|
The maximum number of connections to the database to be established. |
|
The number of milliseconds a single query or transaction can be active against the database. |
|
The postgresql.conf to be used for Central DB as described in the PostgreSQL documentation in "Additional resources". |
|
The pg_hba.conf to be used for Central DB as described in the PostgreSQL documentation in "Additional resources". |
|
Specify a node selector label as |
|
A custom registry that overrides the global |
|
The custom image name that overrides the default Central DB image name ( |
|
The custom image tag that overrides the default tag for Central DB image.
If you specify your own image tag during a new installation, you must manually increment this tag when you to upgrade to a new version by running the |
|
Full reference including registry address, image name, and image tag for the Central DB image.
Setting a value for this parameter overrides the |
|
The memory request for Central DB. |
|
The CPU request for Central DB. |
|
The memory limit for Central DB. |
|
The CPU limit for Central DB. |
|
The path on the node where RHACS should create a database volume. Red Hat does not recommend using this option. |
|
The name of the persistent volume claim (PVC) you are using. |
|
Use |
|
The size (in GiB) of the persistent volume managed by the specified claim. |
The following table lists the configurable parameters for the StackRox Scanner. This is the scanner used for node and platform scanning. If Scanner V4 is not enabled, the StackRox scanner also performs image scanning. Beginning with version 4.4, Scanner V4 can be enabled to provide image scanning. See the next table for Scanner V4 parameters.
Parameter | Description |
---|---|
|
Use |
|
Specify |
|
The number of replicas to create for the StackRox Scanner deployment.
When you use it with the |
|
Configure the log level for the StackRox Scanner.
Red Hat recommends that you not change the default log level value ( |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the StackRox Scanner. This parameter is mainly used for infrastructure nodes. |
|
Use |
|
The minimum number of replicas for autoscaling. |
|
The maximum number of replicas for autoscaling. |
|
The memory request for the StackRox Scanner. |
|
The CPU request for the StackRox Scanner. |
|
The memory limit for the StackRox Scanner. |
|
The CPU limit for the StackRox Scanner. |
|
The memory request for the StackRox Scanner database deployment. |
|
The CPU request for the StackRox Scanner database deployment. |
|
The memory limit for the StackRox Scanner database deployment. |
|
The CPU limit for the StackRox Scanner database deployment. |
|
A custom registry for the StackRox Scanner image. |
|
The custom image name that overrides the default StackRox Scanner image name ( |
|
A custom registry for the StackRox Scanner DB image. |
|
The custom image name that overrides the default StackRox Scanner DB image name ( |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the StackRox Scanner DB. This parameter is mainly used for infrastructure nodes. |
The following table lists the configurable parameters for Scanner V4.
Parameter | Description |
---|---|
|
The name of the PVC to manage persistent data for Scanner V4.
If no PVC with the given name exists, it is created. The default value is |
|
The size of the PVC to manage persistent data for Scanner V4. |
|
The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter. |
|
Use |
|
Specify |
|
The number of replicas to create for the Scanner V4 Indexer deployment.
When you use it with the |
|
Configure the log level for the Scanner V4 Indexer.
Red Hat recommends that you not change the default log level value ( |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Indexer. This parameter is mainly used for infrastructure nodes. |
|
Use |
|
The minimum number of replicas for autoscaling. |
|
The maximum number of replicas for autoscaling. |
|
The memory request for the Scanner V4 Indexer. |
|
The CPU request for the Scanner V4 Indexer. |
|
The memory limit for the Scanner V4 Indexer. |
|
The CPU limit for the Scanner V4 Indexer. |
|
The number of replicas to create for the Scanner V4 Matcher deployment.
When you use it with the |
|
Red Hat recommends that you not change the default log level value ( |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Matcher. This parameter is mainly used for infrastructure nodes. |
|
Use |
|
The minimum number of replicas for autoscaling. |
|
The maximum number of replicas for autoscaling. |
|
The memory request for the Scanner V4 Matcher. |
|
The CPU request for the Scanner V4 Matcher. |
|
The memory request for the Scanner V4 database deployment. |
|
The CPU request for the Scanner V4 database deployment. |
|
The memory limit for the Scanner V4 database deployment. |
|
The CPU limit for the Scanner V4 database deployment. |
|
Specify a node selector label as |
|
If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 DB. This parameter is mainly used for infrastructure nodes. |
|
A custom registry for the Scanner V4 DB image. |
|
The custom image name that overrides the default Scanner V4 DB image name ( |
|
A custom registry for the Scanner V4 image. |
|
The custom image name that overrides the default Scanner V4 image name ( |
Use these parameters to specify additional attributes for all objects that RHACS creates.
Parameter | Description |
---|---|
|
A custom label to attach to all objects. |
|
A custom annotation to attach to all objects. |
|
A custom label to attach to all deployments. |
|
A custom annotation to attach to all deployments. |
|
A custom environment variable for all containers in all objects. |
|
A custom label to attach to all objects that Central creates. |
|
A custom annotation to attach to all objects that Central creates. |
|
A custom label to attach to all Central deployments. |
|
A custom annotation to attach to all Central deployments. |
|
A custom environment variable for all Central containers. |
|
A custom label to attach to all objects that Scanner creates. |
|
A custom annotation to attach to all objects that Scanner creates. |
|
A custom label to attach to all Scanner deployments. |
|
A custom annotation to attach to all Scanner deployments. |
|
A custom environment variable for all Scanner containers. |
|
A custom label to attach to all objects that Scanner DB creates. |
|
A custom annotation to attach to all objects that Scanner DB creates. |
|
A custom label to attach to all Scanner DB deployments. |
|
A custom annotation to attach to all Scanner DB deployments. |
|
A custom environment variable for all Scanner DB containers. |
|
A custom label to attach to all objects that Scanner V4 Indexer creates and into the pods belonging to them. |
|
A custom annotation to attach to all objects that Scanner V4 Indexer creates and into the pods belonging to them. |
|
A custom label to attach to all objects that Scanner V4 Indexer creates and into the pods belonging to them. |
|
A custom annotation to attach to all objects that Scanner V4 Indexer creates and into the pods belonging to them. |
|
A custom environment variable for all Scanner V4 Indexer containers and the pods belonging to them. |
|
A custom label to attach to all objects that Scanner V4 Matcher creates and into the pods belonging to them. |
|
A custom annotation to attach to all objects that Scanner V4 Matcher creates and into the pods belonging to them. |
|
A custom label to attach to all objects that Scanner V4 Matcher creates and into the pods belonging to them. |
|
A custom annotation to attach to all objects that Scanner V4 Matcher creates and into the pods belonging to them. |
|
A custom environment variable for all Scanner V4 Matcher containers and the pods belonging to them. |
|
A custom label to attach to all objects that Scanner V4 DB creates and into the pods belonging to them. |
|
A custom annotation to attach to all objects that Scanner V4 DB creates and into the pods belonging to them. |
|
A custom label to attach to all objects that Scanner V4 DB creates and into the pods belonging to them. |
|
A custom annotation to attach to all objects that Scanner V4 DB creates and into the pods belonging to them. |
|
A custom environment variable for all Scanner V4 DB containers and the pods belonging to them. |
You can also use:
the customize.other.service/*.labels
and the customize.other.service/*.annotations
parameters, to specify labels and annotations for all objects.
or, provide a specific service name, for example, customize.other.service/central-loadbalancer.labels
and customize.other.service/central-loadbalancer.annotations
as parameters and set their value.
The parameters specified in this section are for information only. Red Hat does not support RHACS instances with modified namespace and release names. |
Parameter | Description |
---|---|
|
Use |
|
Use |
To use declarative configuration, you must create a YAML file (in this example, named "declarative-config-values.yaml") that adds the declarative configuration mounts to Central. This file is used in a Helm installation.
Create the YAML file (in this example, named declarative-config-values.yaml
) using the following example as a guideline:
central:
declarativeConfiguration:
mounts:
configMaps:
- declarative-configs
secrets:
- sensitive-declarative-configs
Install the Central services Helm chart as documented in the "Installing the central-services Helm chart", referencing the declarative-config-values.yaml
file.
After you configure the values-public.yaml
and values-private.yaml
files, install the central-services
Helm chart to deploy the centralized components (Central and Scanner).
Run the following command:
$ helm install -n stackrox --create-namespace \
stackrox-central-services rhacs/central-services \
-f <path_to_values_public.yaml> -f <path_to_values_private.yaml> (1)
1 | Use the -f option to specify the paths for your YAML configuration files. |
Optional: If using declarative configuration, add |
You can make changes to any configuration options after you have deployed the central-services
Helm chart.
When using the helm upgrade
command to make changes, the following guidelines and requirements apply:
You can also specify configuration values using the --set
or --set-file
parameters.
However, these options are not saved, and you must manually specify all the options again whenever you make changes.
Some changes, such as enabling a new component like Scanner V4, require new certificates to be issued for the component. Therefore, you must provide a CA when making these changes.
If the CA was generated by the Helm chart during the initial installation, you must retrieve these automatically generated values from the cluster and provide them to the helm upgrade
command. The post-installation notes of the central-services
Helm chart include a command for retrieving the automatically generated values.
If the CA was generated outside of the Helm chart and provided during the installation of the central-services
chart, then you must perform that action again when using the helm upgrade
command, for example, by using the --reuse-values
flag with the helm upgrade
command.
Update the values-public.yaml
and values-private.yaml
configuration files with new values.
Run the helm upgrade
command and specify the configuration files using the -f
option:
$ helm upgrade -n stackrox \
stackrox-central-services rhacs/central-services \
--reuse-values \(1)
-f <path_to_init_bundle_file \
-f <path_to_values_public.yaml> \
-f <path_to_values_private.yaml>
1 | If you have modified values that are not included in the values_public.yaml and values_private.yaml files, include the --reuse-values parameter. |
For production environments, Red Hat recommends using the Operator or Helm charts to install RHACS. Do not use the |
To install Red Hat Advanced Cluster Security for Kubernetes you must install the roxctl
CLI by downloading the binary.
You can install roxctl
on Linux, Windows, or macOS.
You can install the roxctl
CLI binary on Linux by using the following procedure.
|
Determine the roxctl
architecture for the target operating system:
$ arch="$(uname -m | sed "s/x86_64//")"; arch="${arch:+-$arch}"
Download the roxctl
CLI:
$ curl -L -f -o roxctl "https://mirror.openshift.com/pub/rhacs/assets/4.6.1/bin/Linux/roxctl${arch}"
Make the roxctl
binary executable:
$ chmod +x roxctl
Place the roxctl
binary in a directory that is on your PATH
:
To check your PATH
, execute the following command:
$ echo $PATH
Verify the roxctl
version you have installed:
$ roxctl version
You can install the roxctl
CLI binary on macOS by using the following procedure.
|
Determine the roxctl
architecture for the target operating system:
$ arch="$(uname -m | sed "s/x86_64//")"; arch="${arch:+-$arch}"
Download the roxctl
CLI:
$ curl -L -f -o roxctl "https://mirror.openshift.com/pub/rhacs/assets/4.6.1/bin/Darwin/roxctl${arch}"
Remove all extended attributes from the binary:
$ xattr -c roxctl
Make the roxctl
binary executable:
$ chmod +x roxctl
Place the roxctl
binary in a directory that is on your PATH
:
To check your PATH
, execute the following command:
$ echo $PATH
Verify the roxctl
version you have installed:
$ roxctl version
You can install the roxctl
CLI binary on Windows by using the following procedure.
|
Download the roxctl
CLI:
$ curl -f -O https://mirror.openshift.com/pub/rhacs/assets/4.6.1/bin/Windows/roxctl.exe
Verify the roxctl
version you have installed:
$ roxctl version
Use the interactive installer to generate the required secrets, deployment configurations, and deployment scripts for your environment.
Run the interactive install command:
$ roxctl central generate interactive
Installing RHACS using the |
Press Enter to accept the default value for a prompt or enter custom values as required. The following example shows the interactive installer prompts:
Path to the backup bundle from which to restore keys and certificates (optional):
PEM cert bundle file (optional): (1)
Disable the administrator password (only use this if you have already configured an IdP for your instance) (default: "false"):
Create PodSecurityPolicy resources (for pre-v1.25 Kubernetes) (default: "false"): (2)
Administrator password (default: autogenerated):
Orchestrator (k8s, openshift):
Default container images settings (rhacs, opensource); it controls repositories from where to download the images, image names and tags format (default: "rhacs"):
The directory to output the deployment bundle to (default: "central-bundle"):
Whether to enable telemetry (default: "true"):
The central-db image to use (if unset, a default will be used according to --image-defaults) (default: "registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8:4.6.0"):
List of secrets to add as declarative configuration mounts in central (default: "[]"): (3)
The method of exposing Central (lb, np, none) (default: "none"): (4)
The main image to use (if unset, a default will be used according to --image-defaults) (default: "registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.6.0"):
Whether to run StackRox in offline mode, which avoids reaching out to the Internet (default: "false"):
List of config maps to add as declarative configuration mounts in central (default: "[]"): (5)
The deployment tool to use (kubectl, helm, helm-values) (default: "kubectl"):
Istio version when deploying into an Istio-enabled cluster (leave empty when not running Istio) (optional):
The scanner-db image to use (if unset, a default will be used according to --image-defaults) (default: "registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.0"):
The scanner image to use (if unset, a default will be used according to --image-defaults) (default: "registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.6.0"):
The scanner-v4-db image to use (if unset, a default will be used according to --image-defaults) (default: "registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.0"):
The scanner-v4 image to use (if unset, a default will be used according to --image-defaults) (default: "registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.0"):
External volume type (hostpath, pvc): hostpath
Path on the host (default: "/var/lib/stackrox-central"):
Node selector key (e.g. kubernetes.io/hostname):
Node selector value:
1 | If you want to add a custom TLS certificate, provide the file path for the PEM-encoded certificate. When you specify a custom certificate the interactive installer also prompts you to provide a PEM private key for the custom certificate you are using. |
2 | If you are running Kubernetes version 1.25 or later, set this value to false . |
3 | For more information on using declarative configurations for authentication and authorization, see "Declarative configuration for authentication and authorization resources" in "Managing RBAC in Red Hat Advanced Cluster Security for Kubernetes". |
4 | To use the RHACS portal, you must expose Central by using a route, a load balancer or a node port. |
5 | For more information on using declarative configurations for authentication and authorization, see "Declarative configuration for authentication and authorization resources" in "Managing RBAC in Red Hat Advanced Cluster Security for Kubernetes". |
On OpenShift Container Platform, for using a hostPath volume, you must modify the SELinux policy to allow access to the directory, which the host and the container share. It is because SELinux blocks directory sharing by default. To modify the SELinux policy, run the following command:
However, Red Hat does not recommend modifying the SELinux policy, instead use PVC when installing on OpenShift Container Platform. |
On completion, the installer creates a folder named central-bundle, which contains the necessary YAML manifests and scripts to deploy Central. In addition, it shows on-screen instructions for the scripts you need to run to deploy additional trusted certificate authorities, Central and Scanner, and the authentication instructions for logging into the RHACS portal along with the autogenerated password if you did not provide one when answering the prompts.
After you run the interactive installer, you can run the setup.sh
script to install Central.
Run the setup.sh
script to configure image registry access:
$ ./central-bundle/central/scripts/setup.sh
To enable the policy as code feature (Technology Preview), manually apply the config.stackrox.io
CRD that is located in the .zip file at helm/chart/crds/config.stackrox.io_securitypolicies.yaml
.
Policy as code is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
To apply the CRD, run the following command:
$ kubectl create -f helm/chart/crds/config.stackrox.io_securitypolicies.yaml
Create the necessary resources:
$ kubectl create -R -f central-bundle/central
Check the deployment progress:
$ kubectl get pod -n stackrox -w
After Central is running, find the RHACS portal IP address and open it in your browser. Depending on the exposure method you selected when answering the prompts, use one of the following methods to get the IP address.
Exposure method | Command | Address | Example |
---|---|---|---|
Route |
|
The address under the |
|
Node Port |
|
IP or hostname of any node, on the port shown for the service |
|
Load Balancer |
|
EXTERNAL-IP or hostname shown for the service, on port 443 |
|
None |
|
|
|
If you have selected autogenerated password during the interactive install, you can run the following command to see it for logging into Central:
|