Red Hat Advanced Cluster Security for Kubernetes installs a set of services on your OpenShift Container Platform cluster. This topic describes the procedure for installing Red Hat Advanced Cluster Security for Kubernetes on your OpenShift Container Platform cluster without any customizations.

The following steps represent the high-level installation flow for quickly installing Red Hat Advanced Cluster Security for Kubernetes:

  1. Add the Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.

  2. Install the central-services Helm chart to install the centralized components (Central and Scanner).

  3. Generate an init bundle.

  4. Install the secured-cluster-services Helm chart to install the per-cluster and per-node components (Sensor, Admission Controller, and Collector).

Before you install:

Adding the Helm chart repository

Procedure
  • Add the Red Hat Advanced Cluster Security for Kubernetes charts repository.

    $ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/

    The Helm repository for Red Hat Advanced Cluster Security for Kubernetes includes two Helm charts for installing different components.

    • Central services Helm chart (central-services) for installing the centralized components (Central and Scanner).

      You deploy centralized components only once and you can monitor multiple separate clusters by using the same installation.

    • Secured Cluster Services Helm chart (secured-cluster-services) for installing the per-cluster (Sensor and Admission controller) and per-node (Collector) components.

      Deploy the per-cluster components into each cluster that you want to monitor and deploy the per-node components in all nodes that you want to monitor.

Verification
  • Run the following command to verify the added chart repository:

    $ helm search repo -l rhacs/

Installing the central-services Helm chart without customization

Use the following instructions to install the central-services Helm chart to deploy the centralized components (Central and Scanner).

Procedure
  • Run the following command to install Central services and expose Central using a route:

    $ helm install -n stackrox \
      --create-namespace stackrox-central-services rhacs/central-services \
      --set imagePullSecrets.allowNone=true \
      --set central.exposure.route.enabled=true
  • Or, run the following command to install Central services and expose Central using a load balancer:

    $ helm install -n stackrox \
      --create-namespace stackrox-central-services rhacs/central-services \
      --set imagePullSecrets.allowNone=true \
      --set central.exposure.loadBalancer.enabled=true
  • Or, run the following command to install Central services and expose Central using port forward:

    $ helm install -n stackrox \
      --create-namespace stackrox-central-services rhacs/central-services \
      --set imagePullSecrets.allowNone=true

The output of the installation command includes:

  • An automatically generated administrator password.

  • Instructions on storing all the configuration values.

  • Any warnings that Helm generates.

Generating an init bundle

To create a secured cluster, you must create an init bundle. The secured cluster uses this bundle to authenticate with Central.

Generating an init bundle by using the roxctl CLI

You can create an init bundle by using the roxctl CLI.

Prerequisites
  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.

Procedure
  • Run the following command to generate a cluster init bundle:

Make sure that you store this bundle securely because it contains secrets. You can use the same bundle to set up multiple secured clusters.

Installing the secured-cluster-services Helm chart without customization

Use the following instructions to install the secured-cluster-services Helm chart to deploy the per-cluster and per-node components (Sensor, Admission Controller, and Collector).

To install Collector on systems configured with Unified Extensible Firmware Interface (UEFI) boot, you must use eBPF probes because kernel modules are unsigned, and the UEFI firmware cannot load unsigned packages.

Prerequisites
  • You must have the address and the port number that you are exposing the Central service on.

Procedure
  • Run the following command:

    $ helm install -n stackrox --create-namespace \
        stackrox-secured-cluster-services rhacs/secured-cluster-services \
        -f <path_to_cluster_init_bundle.yaml> \
        --set clusterName=<name_of_the_secured_cluster> \
        --set centralEndpoint=<endpoint_of_central_service>

    • Use the -f option to specify the path to the init bundle.
    • Use centralEndpoint to specify the address and port number on which Central is exposed.
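The three steps above (install central-services, generate the init bundle, install secured-cluster-services) scripted end to end, as an added example that is not code from the Red Hat documentation. It assumes the Helm repository is added as rhacs, Central is exposed with a route, helm, oc and roxctl are on PATH with ROX_API_TOKEN and ROX_CENTRAL_ADDRESS set, and that the bundle is produced by `roxctl central init-bundles generate ... --output` (an invocation this page does not show).

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: non-customized install
# end to end (Central via a route, init bundle, secured cluster), keeping the
# init bundle private. Assumes helm, oc and roxctl on PATH and ROX_* vars set.
set -eu

# Build the "host:port" value for --set centralEndpoint from a route host.
# An OpenShift route terminates TLS on 443, so that is the port Sensor dials.
central_endpoint() {
  host=$1
  case "$host" in
    ""|*[[:space:]]*|*:*|*/*)
      echo "central_endpoint: '$host' is not a bare hostname" >&2; return 1 ;;
  esac
  printf '%s:443\n' "$host"
}

# The init bundle carries the TLS keys for Sensor, Collector and Admission
# Controller: refuse to use one that is readable by group or others.
bundle_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "init bundle $1 has mode $mode, expected 600" >&2; return 1 ;;
  esac
}

install_all() {
  cluster=$1
  helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
  helm install -n stackrox --create-namespace \
    stackrox-central-services rhacs/central-services \
    --set imagePullSecrets.allowNone=true \
    --set central.exposure.route.enabled=true
  oc rollout status deploy/central -n stackrox --timeout=10m
  endpoint=$(central_endpoint "$(oc get route central -n stackrox \
    -o jsonpath='{.spec.host}')")
  bundle=$(mktemp)   # mktemp creates the file with mode 600
  roxctl central init-bundles generate "$cluster" --output "$bundle"  # assumed roxctl call
  bundle_is_private "$bundle"
  helm install -n stackrox --create-namespace \
    stackrox-secured-cluster-services rhacs/secured-cluster-services \
    -f "$bundle" \
    --set clusterName="$cluster" \
    --set centralEndpoint="$endpoint"
  rm -f "$bundle"   # the secrets now live only in the stackrox namespace
}

# Touch the cluster only when asked explicitly:  ./install.sh run <cluster_name>
if [ "${1:-}" = run ]; then install_all "${2:?cluster name}"; fi
```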

Verifying installation

After you complete the installation, navigate to the RHACS portal and run a few vulnerable applications to evaluate the results of security assessments and policy violations.

The sample applications listed in the following section contain critical vulnerabilities and they are specifically designed to verify the build and deploy-time assessment features of Red Hat Advanced Cluster Security for Kubernetes.

  1. Find the address of the RHACS portal based on your exposure method:

    1. For a route:

      $ oc get route central -n stackrox
    2. For a load balancer:

      $ oc get service central-loadbalancer -n stackrox
    3. For port forward:

      1. Run the following command:

        $ oc port-forward svc/central 18443:443 -n stackrox
      2. Navigate to https://localhost:18443/.

  2. Create a new project:

    $ oc new-project test
  3. Start some applications with critical vulnerabilities:

    $ oc run shell --labels=app=shellshock,team=test-team \
      --image=vulnerables/cve-2014-6271 -n test
    $ oc run samba --labels=app=rce \
      --image=vulnerables/cve-2017-7494 -n test

    Red Hat Advanced Cluster Security for Kubernetes automatically scans these deployments for security risks and policy violations as soon as they are submitted to the cluster.

  4. Navigate to the RHACS portal to view the violations. You can log in to the RHACS portal by using the default username admin and the generated password.