Adding the Helm chart repository

Procedure
  • Add Red Hat Advanced Cluster Security for Kubernetes charts repository.

    $ helm repo add stackrox  https://mirror.openshift.com/pub/rhacs/charts/

    The Helm repository for Red Hat Advanced Cluster Security for Kubernetes includes two Helm charts for installing different components.

    • Central services Helm chart (central-services) for installing the centralized components (Central and Scanner).

      You deploy centralized components only once and you can monitor multiple separate clusters by using the same installation.

    • Secured Cluster Services Helm chart (secured-cluster-services) for installing the per-cluster (Sensor and Admission controller) and per-node (Collector) components.

      Deploy the per-cluster components into each cluster that you want to monitor and deploy the per-node components in all nodes that you want to monitor.

Verification
  • Run the following command to verify the added chart repository:

    $ helm search repo -l rhacs/

Configuring the central-services Helm chart

This section describes Helm chart configuration parameters that you can use with the helm install and helm upgrade commands. You can specify these parameters by using the --set option or by creating YAML configuration files.

Create the following files for configuring the Helm chart for installing Red Hat Advanced Cluster Security for Kubernetes:

  • Public configuration file values-public.yaml: Use this file to save all non-sensitive configuration options.

  • Private configuration file values-private.yaml: Use this file to save all sensitive configuration options. Make sure that you store this file securely.

Private configuration file

This section lists the configurable parameters of the values-private.yaml file. There are no default values for these parameters.

Image pull secrets

The credentials required for pulling images from your registry.

  • If you are using the stackrox.io registry, you must specify the imagePullSecrets.username and imagePullSecrets.password parameters.

  • If you are using a custom registry, you must also specify the image.registry parameter.

  • If you do not use a username and password to log in to your custom registry, you must specify one of the following parameters:

    • imagePullSecrets.allowNone

    • imagePullSecrets.useExisting

    • imagePullSecrets.useFromDefaultServiceAccount

Parameter Description

imagePullSecrets.username

The username for your registry.

imagePullSecrets.password

The password (for the selected username) of your registry.

imagePullSecrets.allowNone

Use true if you are using a custom registry and it allows pulling images without credentials.

imagePullSecrets.useExisting

A comma-seprated list of secrets as values. For example, secret1, secret2, secretN. Use this option if you have already created pre-existing image pull secrets with the given name in the target namespace.

imagePullSecrets.useFromDefaultServiceAccount

Use true if you have already configured the default service account in the target namespace with sufficiently scoped image pull secrets.

Proxy configuration

If you are installing Red Hat Advanced Cluster Security for Kubernetes in a cluster that requires a proxy to connect to external services, you must specify your proxy configuration by using the proxyConfig parameter. For example:

env:
  proxyConfig: |
    url: http://proxy.name:port
    username: username
    password: password
    excludes:
    - some.domain
Parameter Description

env.proxyConfig

Your proxy configuration.

Central

Configurable parameters for Central.

For a new installation, you can skip the following parameters:

  • central.jwtSigner.key

  • central.serviceTLS.cert

  • central.serviceTLS.key

  • central.adminPassword.value

  • central.adminPassword.htpasswd

  • When you do not specify values for these parameters the Helm chart autogenerates values for them.

  • If you want to modify these values you can use the helm upgrade command and specify the values using the --set option.

For setting the administrator password, you can only use either central.adminPassword.value or central.adminPassword.htpasswd, but not both.

Parameter Description

central.jwtSigner.key

A private key which Red Hat Advanced Cluster Security for Kubernetes should use for signing JSON web tokens (JWTs) for authentication.

central.serviceTLS.cert

An internal certificate that the Central service should use for deploying Central.

central.serviceTLS.key

The private key of the internal certificate that the Central service should use.

central.defaultTLS.cert

The user-facing certificate that Central should use. Red Hat Advanced Cluster Security for Kubernetes uses this certificate for RHACS portal.

  • For a new installation, you must provide a certificate, otherwise, Red Hat Advanced Cluster Security for Kubernetes installs Central by using a self-signed certificate.

  • If you are upgrading, Red Hat Advanced Cluster Security for Kubernetes uses the existing certificate and its key.

central.defaultTLS.key

The private key of the user-facing certificate that Central should use.

  • For a new installation, you must provide the private key, otherwise, Red Hat Advanced Cluster Security for Kubernetes installs Central by using a self-signed certificate.

  • If you are upgrading, Red Hat Advanced Cluster Security for Kubernetes uses the existing certificate and its key.

central.adminPassword.value

Administrator password for logging into Red Hat Advanced Cluster Security for Kubernetes.

central.adminPassword.htpasswd

Administrator password for logging into Red Hat Advanced Cluster Security for Kubernetes. This password is stored in hashed format using bcrypt.

If you are using central.adminPassword.htpasswd parameter, you must use a bcrypt encoded password hash. You can run the command htpasswd -nB admin to generate a password hash. For example,

htpasswd: |
  admin:<bcrypt-hash>

Scanner

Configurable parameters for Scanner.

For a new installation, you can skip the following parameters and the Helm chart autogenerates values for them. Otherwise, if you are upgrading to a new version, specify the values for the following parameters:

  • scanner.dbPassword.value

  • scanner.serviceTLS.cert

  • scanner.serviceTLS.key

  • scanner.dbServiceTLS.cert

  • scanner.dbServiceTLS.key

Parameter Description

scanner.dbPassword.value

The password to use for authentication with Scanner database. Do not modify this parameter because Red Hat Advanced Cluster Security for Kubernetes automatically creates and uses its value internally.

scanner.serviceTLS.cert

An internal certificate that the Scanner service should use for deploying Scanner.

scanner.serviceTLS.key

The private key of the internal certificate that the Scanner service should use.

scanner.dbServiceTLS.cert

An internal certificate that the Scanner-db service should use for deploying Scanner database.

scanner.dbServiceTLS.key

The private key of the internal certificate that the Scanner-db service should use.

Public configuration file

This section lists the configurable parameters of the values-public.yaml file.

Image pull secrets

Image pull secrets are the credentials required for pulling images from your registry.

Parameter Description

imagePullSecrets.allowNone

Use true if you are using a custom registry and it allows pulling images without credentials.

imagePullSecrets.useExisting

A comma-seprated list of secrets as values. For example, secret1, secret2. Use this option if you have already created pre-existing image pull secrets with the given name in the target namespace.

imagePullSecrets.useFromDefaultServiceAccount

Use true if you have already configured the default service account in the target namespace with sufficiently scoped image pull secrets.

Image

Image declares the configuration to set up the main registry, which the Helm chart uses to resolve images for the central.image, scanner.image, and scanner.dbImage parameters.

Parameter Description

image.registry

Address of your image registry. Either use a hostname, such as stackrox.io, or a remote registry hostname, such as us.gcr.io/stackrox-mirror.

Environment variables

Red Hat Advanced Cluster Security for Kubernetes automatically detects your cluster environment and sets values for env.openshift, env.istio, and env.platform. Only set these values to override the automatic cluster environment detection.

Parameter Description

env.openshift

Use true for installing on an OpenShift Container Platform cluster and overriding automatic cluster environment detection.

env.istio

Use true for installing on an Istio enabled cluster and overriding automatic cluster environment detection.

env.platform

The platform on which you are installing Red Hat Advanced Cluster Security for Kubernetes. Set its value to default or gke to specify cluster platform and override automatic cluster environment detection.

env.offlineMode

Use true to use Red Hat Advanced Cluster Security for Kubernetes in offline mode.

Central

Configurable parameters for Central.

  • You must specify a persistent storage option as either hostPath or persistentVolumeClaim.

  • For exposing Central deployment for external access. You must specify one parameter, either central.exposure.loadBalancer, central.exposure.nodePort, or central.exposure.route. When you do not specify any value for these parameters, you must manually expose Central or access it by using port-forwarding.

Parameter Description

central.disableTelemetry

Use true to disable online telemetry data collection.

central.endpointsConfig

The endpoint configuration options for Central.

central.nodeSelector

Specify a node selector label (as label-key: label-value) to force Central to only schedule on nodes with the specified label.

central.image.registry

A custom registry that overrides the global image.registry parameter for the Central image.

central.image.name

The custom image name that overrides the default Central image name (main).

central.image.tag

The custom image tag that overrides the default tag for Central image. If you specify you own image tag during a new installation, you must manually increment this tag when you to upgrade to a new version by running the helm upgrade command. If you mirror Central images in your own registry, do not modify the original image tags.

central.image.fullRef

Full reference including registry address, image name, and image tag for the Central image. Setting a value for this parameter overrides the central.image.registry, central.image.name, and central.image.tag parameters.

central.resources.requests.memory

The memory request for Central to override the default value.

central.resources.requests.cpu

The CPU request for Central to override the default value.

central.resources.limits.memory

The memory limit for Central to override the default value.

central.resources.limits.cpu

The CPU limit for Central to override the default value.

central.persistence.hostPath

The path on the node where Red Hat Advanced Cluster Security for Kubernetes should create a database volume.

central.persistence.persistentVolumeClaim.claimName

The name of the persistent volume claim (PVC) you are using.

central.persistence.persistentVolumeClaim.createClaim

Use true to create a new persistent volume claim, or false to use an existing claim.

central.persistence.persistentVolumeClaim.size

The size (in GiB) of the persistent volume managed by the specified claim.

central.exposure.loadBalancer.enabled

Use true to expose Central by using a load balancer.

central.exposure.loadBalancer.port

The port number on which to expose Central. The default port number is 443.

central.exposure.nodePort.enabled

Use true to expose Central by using the node port service.

central.exposure.nodePort.port

The port number on which to expose Central. When you skip this parameter, OpenShift Container Platform automatically assigns a port number. Red Hat recommends that you do not specify a port number if you are exposing Red Hat Advanced Cluster Security for Kubernetes by using a node port.

central.exposure.route.enabled

Use true to expose Central by using a route. This parameter is only available for OpenShift Container Platform clusters.

Scanner

Configurable parameters for Scanner.

Parameter Description

scanner.disable

Use true to install Red Hat Advanced Cluster Security for Kubernetes without Scanner. When you use it with the helm upgrade command, Helm removes existing Scanner deployment.

scanner.replicas

The number of replicas to create for the Scanner deployment. When you use it with the scanner.autoscaling parameter, this value sets the initial number of replicas.

scanner.logLevel

Configure the log level for Scanner. Red Hat recommends that you not change the log level’s default value (INFO).

scanner.autoscaling.disable

Use true to disable autoscaling for Scanner deployment. When you disable autoscaling, the minReplicas and maxReplicas parameters do not have any effect.

scanner.autoscaling.minReplicas

The minimum number of replicas for autoscaling.

scanner.autoscaling.maxReplicas

The maximum number of replicas for autoscaling.

scanner.resources.requests.memory

The memory request for Scanner to override the default value.

scanner.resources.requests.cpu

The CPU request for Scanner to override the default value.

scanner.resources.limits.memory

The memory limit for Scanner to override the default value.

scanner.resources.limits.cpu

The CPU limit for Scanner to override the default value.

scanner.dbResources.requests.memory

The memory request for Scanner database deployment to override the default values.

scanner.dbResources.requests.cpu

The CPU request for Scanner database deployment to override the default values.

scanner.dbResources.limits.memory

The memory limit for Scanner database deployment to override the default values.

scanner.dbResources.limits.cpu

The CPU limit for Scanner database deployment to override the default values.

scanner.image.registry

A custom registry for the Scanner image.

scanner.image.name

The custom image name that overrides the default Scanner image name (scanner).

scanner.dbImage.registry

A custom registry for the Scanner DB image.

scanner.dbImage.name

The custom image name that overrides the default Scanner DB image name (scanner-db).

Customization

Use these parameters to specify additional attributes for all objects that Red Hat Advanced Cluster Security for Kubernetes creates.

Parameter Description

customize.labels

A custom label to attach to all objects.

customize.annotations

A custom annotation to attach to all objects.

customize.podLabels

A custom label to attach to all deployments.

customize.podAnnotations

A custom annotation to attach to all deployments.

customize.envVars

A custom environment variable for all containers in all objects.

customize.central.labels

A custom label to attach to all objects that Central creates.

customize.central.annotations

A custom annotation to attach to all objects that Central creates.

customize.central.podLabels

A custom label to attach to all Central deployments.

customize.central.podAnnotations

A custom annotation to attach to all Central deployments.

customize.central.envVars

A custom environment variable for all Central containers.

customize.scanner.labels

A custom label to attach to all objects that Scanner creates.

customize.scanner.annotations

A custom annotation to attach to all objects that Scanner creates.

customize.scanner.podLabels

A custom label to attach to all Scanner deployments.

customize.scanner.podAnnotations

A custom annotation to attach to all Scanner deployments.

customize.scanner.envVars

A custom environment variable for all Scanner containers.

customize.scanner-db.labels

A custom label to attach to all objects that Scanner DB creates.

customize.scanner-db.annotations

A custom annotation to attach to all objects that Scanner DB creates.

customize.scanner-db.podLabels

A custom label to attach to all Scanner DB deployments.

customize.scanner-db.podAnnotations

A custom annotation to attach to all Scanner DB deployments.

customize.scanner-db.envVars

A custom environment variable for all Scanner DB containers.

You can also use:

  • the customize.other.service/*.labels and the customize.other.service/*.annotations parameters, to specify labels and annotations for all objects.

  • or, provide a specific service name, for example, customize.other.service/central-loadbalancer.labels and customize.other.service/central-loadbalancer.annotations as parameters and set their value.

Advanced customization

The parameters specified in this section are for information only. Red Hat does not support Red Hat Advanced Cluster Security for Kubernetes instances with modified namespace and release names.

Parameter Description

allowNonstandardNamespace

Use true to deploy Red Hat Advanced Cluster Security for Kubernetes into a namespace other than the default namespace stackrox.

allowNonstandardReleaseName

Use true to deploy Red Hat Advanced Cluster Security for Kubernetes with a release name other than the default stackrox-central-services.

Installing the central-services Helm chart

After you configure the values-public.yaml and values-private.yaml files, install the central-services Helm chart to deploy the centralized components (Central and Scanner).

Procedure
  • Run the following command:

    $ helm install -n stackrox --create-namespace \
      stackrox-central-services stackrox/central-services \
      -f <path_to_values_public.yaml> -f <path_to_values_private.yaml> (1)
    1 Use the -f option to specify the paths for your YAML configuration files.

Changing configuration options after deploying the central-services Helm chart

You can make changes to any configuration options after you have deployed the central-services Helm chart.

Procedure
  1. Update the values-public.yaml and values-private.yaml configuration files with new values.

  2. Run the helm upgrade command and specify the configuration files using the -f option:

    $ helm upgrade -n stackrox \
      stackrox-central-services stackrox/central-services \
      -f <path_to_values_public.yaml> \
      -f <path_to_values_private.yaml>

    You can also specify configuration values using the --set or --set-file parameters. However, these options are not saved, and it requires you to manually specify all the options again whenever you make changes.

Generating an init bundle

To create a secured cluster, you must create an init bundle. The secured cluster uses this bundle to authenticate with Central.

You can create an init bundle by using the the roxctl CLI or from the RHACS portal.

Generating an init bundle by using the roxctl CLI

You can create an init bundle by using the the roxctl CLI.

Prerequisites
  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.

Procedure
  • Run the following command to generate a cluster init bundle:

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" \
      central init-bundles generate <cluster_init_bundle_name> \
      --output cluster_init_bundle.yaml

Make sure that you store this bundle securely because it contains secrets. You can use the same bundle to set up multiple secured clusters.

Additional resources

Generating an init bundle by using the RHACS portal

You can create an init bundle by using the RHACS portal.

Procedure
  1. Find the address of the RHACS portal based on your exposure method:

    1. For a route:

      $ oc get route central -n stackrox
    2. For a load balancer:

      $ oc get service central-loadbalancer -n stackrox
    3. For port forward:

      1. Run the following command:

        $ oc port-forward svc/central 18443:443 -n stackrox
      2. Navigate to https://localhost:18443/.

  2. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  3. Under the Authentication Tokens section, click on Cluster Init Bundle.

  4. Click New Integration.

  5. Enter a name for the cluster init bundle and click Generate.

  6. Click Download Helm Values File to download the generated bundle.

Store this bundle securely because it contains secrets. You can use the same bundle to create multiple secured clusters.

Configuring the secured-cluster-services Helm chart

This section describes Helm chart configuration parameters that you can use with the helm install and helm upgrade commands. You can specify these parameters by using the --set option or by creating YAML configuration files.

Create the following files for configuring the Helm chart for installing Red Hat Advanced Cluster Security for Kubernetes:

  • Public configuration file values-public.yaml: Use this file to save all non-sensitive configuration options.

  • Private configuration file values-private.yaml: Use this file to save all sensitive configuration options. Make sure that you store this file securely.

While using the secured-cluster-services Helm chart, do not modify the values.yaml file that is part of the chart.

Configuration parameters

Parameter Description

clusterName

Name of your cluster.

centralEndpoint

Address of the Central endpoint, including the port number. If you are using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with wss://.

sensor.endpoint

Address of the Sensor endpoint including port number.

image.main.name

The name of the main image.

image.collector.name

The name of the Collector image.

image.main.registry

Address of the registry you are using for the main image.

image.collector.registry

Address of the registry you are using for the Collector image.

image.main.pullPolicy

Image pull policy for main images.

image.collector.pullPolicy

Image pull policy for the Collector images.

image.main.tag

Tag of main image to use.

image.collector.tag

Tag of collector image to use.

collector.collectionMethod

Either EBPF, KERNEL_MODULE, or NO_COLLECTION.

admissionControl.listenOnCreates

This setting controls whether Kubernetes is configured to contact Red Hat Advanced Cluster Security for Kubernetes with AdmissionReview requests for workload creation events.

admissionControl.listenOnUpdates

When you keep it as false, Red Hat Advanced Cluster Security for Kubernetes creates the ValidatingWebhookConfiguration in a way that causes the Kubernetes API server not to send object update events. Since the volume of object updates is usually higher than the object creates, leaving this as false limits the load on the admission control service and decreases the chances of a malfunctioning admission control service.

admissionControl.listenOnEvents

This setting controls whether the cluster is configured to contact Red Hat Advanced Cluster Security for Kubernetes with AdmissionReview requests for Kubernetes exec and portforward events. Red Hat Advanced Cluster Security for Kubernetes does not support this feature on OpenShift Container Platform.

admissionControl.dynamic.enforceOnCreates

This setting controls whether Red Hat Advanced Cluster Security for Kubernetes evaluates policies; if it is disabled, all AdmissionReview requests are automatically accepted.

admissionControl.dynamic.enforceOnUpdates

This setting controls the behavior of the admission control service. You must specify listenOnUpdates as true for this to work.

admissionControl.dynamic.scanInline

If you set this option to true, the admission control service requests an image scan before making an admission decision. Since image scans take several seconds, enable this option only if you can ensure that all images used in your cluster are scanned before deployment (for example, by a CI integration during image build). This option corresponds to the Contact image scanners option in the RHACS Portal.

admissionControl.dynamic.disableBypass

Set it to true to disable bypassing the Admission Controller.

admissionControl.dynamic.timeout

The maximum time, in seconds, Red Hat Advanced Cluster Security for Kubernetes should wait while evaluating admission review requests. Use this to set request timeouts when you enable image scanning. If the image scan runs longer than the specified time, Red Hat Advanced Cluster Security for Kubernetes accepts the request.

registryOverride

Use this parameter to override the default docker.io registry. Specify the name of your registry if you are using some other registry.

collector.disableTaintTolerations

If you specify false, tolerations are applied to Collector, and the Collector pods can schedule onto all nodes with taints. If you specify it as true, no tolerations are applied, and the Collector pods are not scheduled onto nodes with taints.

createUpgraderServiceAccount

Specify true to create the sensor-upgrader account. By default, Red Hat Advanced Cluster Security for Kubernetes creates a service account called sensor-upgrader in each secured cluster. This account is highly privileged but is only used during upgrades. If you do not create this account, you must complete future upgrades manually if the Sensor does not have enough permissions.

createSecrets

Specify false to skip the orchestrator secret creation for the Sensor, Collector, and Admission Controller.

collector.slimMode

Specify true if you want to use a slim Collector image for deploying Collector. Using slim Collector images requires Central to provide the matching kernel module or eBPF probe. If you are running Red Hat Advanced Cluster Security for Kubernetes in offline mode, you must download a kernel support package from stackrox.io and upload it to Central for slim Collectors to function. Otherwise, you must ensure that Central can access the online probe repository hosted at https://collector-modules.stackrox.io/.

sensor.resources

Resource specification for Sensor.

admissionControl.resources

Resource specification for Admission Controller.

collector.resources

Resource specification for Collector.

collector.complianceResources

Resource specification for Collector’s Compliance container.

exposeMonitoring

If you set this option to true, Red Hat Advanced Cluster Security for Kubernetes exposes Prometheus metrics endpoints on port number 9090 for the Sensor, Collector, and the Admission Controller.

Environment variables

You can specify environment variables for Sensor and Admission Controller in the following format:

customize:
  envVars:
    ENV_VAR1: "value1"
    ENV_VAR2: "value2"

The customize setting allows you to specify custom Kubernetes metadata (labels and annotations) for all objects created by this Helm chart and additional pod labels, pod annotations, and container environment variables for workloads.

The configuration is hierarchical, in the sense that metadata defined at a more generic scope (for example, for all objects) can be overridden by metadata defined at a narrower scope (for example, only for the Sensor deployment).

Installing the secured-cluster-services Helm chart

After you configure the values-public.yaml and values-private.yaml files, install the secured-cluster-services Helm chart to deploy the per-cluster and per-node components (Sensor, Admission Controller, and Collector).

To install Collector on systems configured with Unified Extensible Firmware Interface (UEFI) boot, you must use eBPF probes because kernel modules are unsigned, and the UEFI firmware cannot load unsigned packages.

Procedure
  • Run the following command:

    $ helm install -n stackrox --create-namespace \
      stackrox-secured-cluster-services rhacs/secured-cluster-services \
      -f <name_of_cluster_init_bundle.yaml> \
      -f <path_to_values_public.yaml> -f <path_to_values_private.yaml> (1)
    1 Use the -f option to specify the paths for your YAML configuration files.

To deploy secured-cluster-services Helm chart by using a continuous integration (CI) system, pass the init bundle YAML file as an environment variable to the helm install command:

$ helm install ... -f <(echo "$INIT_BUNDLE_YAML_SECRET") (1)
1 If you are using base64 encoded variables, use the helm install …​ -f <(echo "$INIT_BUNDLE_YAML_SECRET" | base64 --decode) command instead.

Changing configuration options after deploying the secured-cluster-services Helm chart

You can make changes to any configuration options after you have deployed the secured-cluster-services Helm chart.

Procedure
  1. Update the values-public.yaml and values-private.yaml configuration files with new values.

  2. Run the helm upgrade command and specify the configuration files using the -f option:

    $ helm upgrade -n stackrox \
      stackrox-secured-cluster-services stackrox/secured-cluster-services \
      --reuse-values \ (1)
      -f <path_to_values_public.yaml> \
      -f <path_to_values_private.yaml>
    1 You must specify the --reuse-values parameter, otherwise the Helm upgrade command resets all previously configured settings.

    You can also specify configuration values using the --set or --set-file parameters. However, these options are not saved, and it requires you to manually specify all the options again whenever you make changes.

Verifying installation

After you complete the installation, navigate to the RHACS portal and run a few vulnerable applications to evaluate the results of security assessments and policy violations.

The sample applications listed in the following section contain critical vulnerabilities and they are specifically designed to verify the build and deploy-time assessment features of Red Hat Advanced Cluster Security for Kubernetes.

  1. Find the address of the RHACS portal based on your exposure method:

    1. For a route:

      $ oc get route central -n stackrox
    2. For a load balancer:

      $ oc get service central-loadbalancer -n stackrox
    3. For port forward:

      1. Run the following command:

        $ oc port-forward svc/central 18443:443 -n stackrox
      2. Navigate to https://localhost:18443/.

  2. Create a new project:

    $ oc new-project test
  3. Start some applications with critical vulnerabilities:

    $ oc run shell --labels=app=shellshock,team=test-team \
      --image=vulnerables/cve-2014-6271 -n test
    $ oc run samba --labels=app=rce \
      --image=vulnerables/cve-2017-7494 -n test

    Red Hat Advanced Cluster Security for Kubernetes automatically scans these deployments for security risk and policy violations as soon as they are submitted to the cluster.

  4. Navigate to the RHACS portal to view the violations. You can log in to the RHACS portal by using the default username admin and the generated password.