Each component of Red Hat Advanced Cluster Security for Kubernetes uses an X.509 certificate to authenticate itself to other components. These certificates have expiration dates, and you must reissue them before they expire. You can view the certificate expiry dates in the Platform Configuration → Clusters view of the RHACS portal.

Reissuing internal certificates for Central

Central uses a built-in server certificate for authentication when communicating with other Red Hat Advanced Cluster Security for Kubernetes services. This certificate is unique to your Central installation. The RHACS portal shows an information banner when the Central certificate is about to expire.

The information banner only appears 15 days before the certificate expiry date.

Prerequisites
  • To reissue certificates, you must have write permission for the ServiceIdentity resource.

Procedure
  1. Click on the link in the banner to download a YAML configuration file, which contains a new OpenShift Container Platform secret, including the certificate and key values.

  2. Apply the new YAML configuration file to the cluster where you have installed Central.

    $ oc apply -f <secret_file.yaml>

  3. Restart Central to apply the changes.

Restarting the Central container

You can restart the Central container by killing the Central container or by deleting the Central pod.

Procedure
  • Run the following command to kill the Central container:

    You must wait for at least 1 minute, until OpenShift Container Platform propagates your changes and restarts the Central container.

    $ oc -n stackrox exec deploy/central -c central -- kill 1

  • Or, run the following command to delete the Central pod:

    $ oc -n stackrox delete pod -lapp=central

Reissuing internal certificates for Scanner

Scanner has a built-in certificate that it uses to communicate with Central.

The RHACS portal shows an information banner when the Scanner certificate is about to expire.

The information banner only appears 15 days before the certificate expiry date.

Prerequisites
  • To reissue certificates, you must have write permission for the ServiceIdentity resource.

Procedure
  1. Click on the link in the banner to download a YAML configuration file, which contains a new OpenShift Container Platform secret, including the certificate and key values.

  2. Apply the new YAML configuration file to the cluster where you installed Scanner.

    $ oc apply -f <secret_file.yaml>

  3. Restart Scanner to apply the changes.

Restarting the Scanner container

You can restart the Scanner container by deleting the pod.

Procedure
  • Run the following command to delete the Scanner pod:

    • On OpenShift Container Platform:

      $ oc delete pod -n stackrox -l app=scanner

    • On Kubernetes:

      $ kubectl delete pod -n stackrox -l app=scanner

Reissuing internal certificates for Sensor, Collector, and Admission Controller

Sensor, Collector, and Admission Controller use certificates to communicate with each other, and with Central.

To replace the certificates, you can either:

  • Download a YAML configuration file from the portal, or

  • Use the automatic upgrades functionality

Reissuing internal certificates for secured clusters by downloading YAML configuration

You can download a YAML configuration file from the RHACS portal to reissue internal certificates for Sensor, Collector, and Admission Controller.

Prerequisites
  • To reissue certificates, you must have write permission for the ServiceIdentity resource.

Procedure
  1. Download the YAML configuration file:

    1. In the RHACS portal, navigate to Platform Configuration → Clusters.

    2. In the Clusters view, select a Cluster to view its details.

    3. From the cluster details panel, select the link in the notification to download a YAML configuration file, which contains a new OpenShift Container Platform secret, including the certificate and key values.

  2. Apply the new YAML configuration file to the cluster.

    • On OpenShift Container Platform:

      $ oc apply -f <secret_file.yaml>

    • On Kubernetes:

      $ kubectl apply -f <secret_file.yaml>

Reissuing internal certificates for secured clusters by using automatic upgrades

You can reissue internal certificates for Sensor, Collector, and Admission Controller by using automatic upgrades.

Prerequisites
  • You must have enabled automatic upgrades for all clusters.

  • To reissue certificates, you must have write permission for the ServiceIdentity resource.

Procedure
  1. In the RHACS portal, navigate to Platform Configuration → Clusters.

  2. In the Clusters view, select a Cluster to view its details.

  3. From the cluster details panel, select the link to apply credentials by using an automatic upgrade.

When you apply an automatic upgrade, Red Hat Advanced Cluster Security for Kubernetes creates new credentials in the selected cluster. However, you will still see a notification. The notification goes away when each Red Hat Advanced Cluster Security for Kubernetes service begins using the new credentials after the service restarts.
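
The expiry banner described above appears only 15 days before expiry, and the downloaded YAML file carries the replacement certificate. The following script is an added example, not part of the Red Hat documentation or product tooling: it reports the expiry date of each certificate in a Secret manifest (for instance the downloaded file, before you apply it) and fails when fewer than a chosen number of days remain. It assumes each PEM value is base64-encoded on one line under a top-level `data:` map; `make_sample_manifest` builds constructed sample data with made-up names.

```shell
#!/usr/bin/env bash
# Added example, not Red Hat tooling. Assumption: each PEM value in the Secret
# manifest is base64-encoded on one line under a top-level `data:` map.

# Print "<key> <base64>" for every entry under `data:`.
secret_entries() {
  awk '/^data:/ {d=1; next} /^[^ ]/ {d=0}
       d && NF == 2 {sub(/:$/, "", $1); print $1, $2}' "$1"
}

# Return 0 only if every certificate stays valid for more than DAYS days,
# 1 if any expires sooner, 2 if the manifest holds no certificate.
# Only the first certificate of each PEM value is inspected.
check_secret_manifest() {
  local file=$1 days=$2 rc=0 found=0 key b64 pem end entries
  entries=$(secret_entries "$file")
  while read -r key b64; do
    pem=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || continue
    case $pem in *"BEGIN CERTIFICATE"*) ;; *) continue ;; esac  # skip keys
    found=1
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null; then
      echo "OK       $key ${end#notAfter=}"
    else
      echo "EXPIRING $key ${end#notAfter=}"; rc=1
    fi
  done <<EOF
$entries
EOF
  [ "$found" -eq 1 ] || { echo "no certificate in $file" >&2; return 2; }
  return "$rc"
}

# Constructed sample data: a throwaway self-signed certificate valid for DAYS
# days, wrapped in a Secret manifest with made-up names.
make_sample_manifest() {
  local days=$1 out=$2 tmp
  tmp=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sample.invalid" \
    -days "$days" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
  { printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: sample-tls\ndata:\n'
    printf '  cert.pem: %s\n' "$(base64 < "$tmp/cert.pem" | tr -d '\n')"
    printf '  key.pem: %s\n' "$(base64 < "$tmp/key.pem" | tr -d '\n')"
  } > "$out"
  rm -rf "$tmp"
}

# Usage: ./check-secret-certs.sh <secret_file.yaml> [days]
if [ $# -ge 1 ]; then check_secret_manifest "$1" "${2:-30}"; fi
```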