If your network configuration restricts outbound traffic through proxies, you can configure proxy settings in Red Hat Advanced Cluster Security for Kubernetes to route traffic through a proxy.

When you use a proxy with Red Hat Advanced Cluster Security for Kubernetes:

  • All outgoing HTTP, HTTPS, and other TCP traffic from Central and Scanner goes through the proxy.

  • Traffic between Central and Scanner does not go through the proxy.

  • The proxy configuration does not affect the other Red Hat Advanced Cluster Security for Kubernetes components.

  • When you are not using the offline mode, and a Collector running in a secured cluster needs to download an additional kernel module or eBPF probe at runtime:

    • The collector attempts to download them by contacting Sensor.

    • The Sensor then forwards this request to Central.

    • Central uses the proxy to locate the module or probe at https://collector-modules.stackrox.io.

Configuring a proxy on an existing deployment

To configure a proxy in an existing deployment, you must export the proxy-config secret as a YAML file, update your proxy configuration in that file, and upload it as a secret.

Procedure
  1. Save the existing secret as a YAML file:

    $ oc -n stackrox get secret proxy-config \
      -o go-template='{{index .data "config.yaml" | \
      base64decode}}{{"\n"}}' > /tmp/proxy-config.yaml
  2. Edit the fields you want to modify in the YAML configuration file, as specified in the Configure proxy during installation section.

  3. After you save the changes, run the following command to replace the secret:

    $ oc -n stackrox create secret generic proxy-config \
      --from-file=config.yaml=/tmp/proxy-config.yaml -o yaml --dry-run | \
      oc label -f - --local -o yaml app.kubernetes.io/name=stackrox | \
      oc apply -f -
    • You must wait for at least 1 minute, until OpenShift Container Platform propagates your changes to Central and Scanner.

    • If you see any issues with outgoing connections after changing the proxy configuration, you must restart your Central and Scanner pods.

Configuring a proxy during installation

When you are installing Red Hat Advanced Cluster Security for Kubernetes by using the roxctl command-line interface (CLI) or Helm, you can specify your proxy configuration during the installation.

When you run the installer by using the roxctl central generate command, the installer generates the secrets and deployment configuration files for your environment. You can configure a proxy by editing the generated configuration secret (YAML) file. Currently, you cannot configure proxies by using the roxctl CLI. The configuration is stored in a Kubernetes secret and it is shared by both Central and Scanner.

Procedure
  1. Open the configuration file central/proxy-config-secret.yaml from your deployment bundle directory.

    If you are using Helm the configuration file is at central/templates/proxy-config-secret.yaml.

  2. Edit the fields you want to modify in the configuration file:

    apiVersion: v1
    kind: Secret
    metadata:
      namespace: stackrox
      name: proxy-config
    type: Opaque
    stringData:
      config.yaml: |- (4)
        # # NOTE: Both central and scanner should be restarted if this secret is changed.
        # # While it is possible that some components will pick up the new proxy configuration
        # # without a restart, it cannot be guaranteed that this will apply to every possible
        # # integration etc.
        # url: http://proxy.name:port (2)
        # username: username (1)
        # password: password (1)
        # # If the following value is set to true, the proxy wil NOT be excluded for the default hosts:
        # # - *.stackrox, *.stackrox.svc
        # # - localhost, localhost.localdomain, 127.0.0.0/8, ::1
        # # - *.local
        # omitDefaultExcludes: false
        # excludes:  # hostnames (may include * components) for which you do not (3)
        # # want to use a proxy, like in-cluster repositories.
        # - some.domain
        # # The following configuration sections allow specifying a different proxy to be used for HTTP(S) connections.
        # # If they are omitted, the above configuration is used for HTTP(S) connections as well as TCP connections.
        # # If only the `http` section is given, it will be used for HTTPS connections as well.
        # # Note: in most cases, a single, global proxy configuration is sufficient.
        # http:
        #   url: http://http-proxy.name:port (2)
        #   username: username (1)
        #   password: password (1)
        # https:
        #   url: http://https-proxy.name:port (2)
        #   username: username (1)
        #   password: password (1)
    1 Adding a username and a password is optional, both at the beginning and in the http and https sections.
    2 The url option supports the following URL schemes:
    • http:// for an HTTP proxy.

    • https:// for a TLS-enabled HTTP proxy.

    • socks5:// for a SOCKS5 proxy.

    3 The excludes list can contain DNS names (with or without * wildcards), IP addresses, or IP blocks in CIDR notation (for example, 10.0.0.0/8). The values in this list are applied to all outgoing connections, regardless of protocol.
    4 The |- line in the stringData section indicates the start of the configuration data.
    • When you first open the file, all values are commented out (by using the # sign at the beginning of the line). Lines starting with double hash signs # # contain explanation of the configuration keys.

    • Make sure that when you edit the fields, you maintain an indentation level of two spaces relative to the config.yaml: |- line.

  3. After editing the configuration file, you can proceed with your usual installation. The updated configuration instructs Red Hat Advanced Cluster Security for Kubernetes to use the proxy running on the provided address and the port number.