Discover Red Hat Advanced Cluster Security for Kubernetes architecture and concepts.

Red Hat Advanced Cluster Security for Kubernetes architecture

Red Hat Advanced Cluster Security for Kubernetes installs as a set of containers in your OpenShift Container Platform cluster and it includes multiple components. You can categorize these components as follows:

  • Centralized components

  • Per-cluster components

  • Per-node component

Category Quantity Components

Centralized components

1 for multiple clusters.

Central

Scanner

Per-cluster components

1 for each cluster.

Sensor

Admission controller

Per-node component

1 on each node.

Collector

Red Hat Advanced Cluster Security for Kubernetes architecture overview

Centralized components

You deploy centralized components only once and you can monitor multiple separate clusters by using the same installation. Red Hat Advanced Cluster Security for Kubernetes includes the following centralized components:

  • Central

  • Scanner

Central

Central is the main component of Red Hat Advanced Cluster Security for Kubernetes and it is installed as a Kubernetes deployment. It handles data persistence, API interactions, and user interface (Portal) access. You can use the same Central instance to secure multiple OpenShift Container Platform or Kubernetes clusters.

Scanner

Red Hat Advanced Cluster Security for Kubernetes includes an image vulnerability scanning component called Scanner. It analyzes all image layers to check for known vulnerabilities from the Common Vulnerabilities and Exposures (CVEs) list. Scanner also identifies vulnerabilities in packages installed by package managers and in dependencies for multiple programming languages.

Scanner only scans those images that are not already scanned by other integrated vulnerability scanners. It means that if you have integrated Red Hat Advanced Cluster Security for Kubernetes with other vulnerability scanners, Scanner checks and uses the scanning results from the integrated scanner if available.

Per-cluster components

You deploy the per-cluster components into each cluster that you want to monitor. Red Hat Advanced Cluster Security for Kubernetes includes the following per-cluster components:

  • Sensor

  • Admission controller

Sensor

Red Hat Advanced Cluster Security for Kubernetes uses the Sensor component to monitor Kubernetes and OpenShift Container Platform clusters. It handles interactions with the OpenShift Container Platform or Kubernetes API server for policy detection and enforcement, and it coordinates with Collector.

Admission controller

The admission controller prevents users from creating workloads that violate security policies in Red Hat Advanced Cluster Security for Kubernetes.

Per-node components

You deploy the per-node components in all nodes that you want to monitor. Red Hat Advanced Cluster Security for Kubernetes includes the following per-cluster components:

  • Collector

Collector

Collector collects and monitors information about container runtime and network activity. It then sends the collected information to Sensor.