Configuring Central configuration options for RHACS using the Operator

Central configuration options using the Operator
Customizing the installation using the Operator with overlays
- Overlays
- Overlay examples

When installing the Central instance by using the Operator, you can configure optional settings.

Central configuration options using the Operator

When you create a Central instance, the Operator lists the following configuration options for the Central custom resource.

The following table includes settings for an external PostgreSQL database.

Central settings

Parameter Description

Parameter	Description
`central.adminPasswordSecret`	Specify a secret that contains the administrator password in the `password` data item. If omitted, the operator autogenerates a password and stores it in the `password` item in the `central-htpasswd` secret.
`central.defaultTLSSecret`	By default, Central only serves an internal TLS certificate, which means that you need to handle TLS termination at the ingress or load balancer level. If you want to terminate TLS in Central and serve a custom server certificate, you can specify a secret containing the certificate and private key.
`central.adminPasswordGenerationDisabled`	Set this parameter to `true` to disable the automatic administrator password generation. Use this only after you perform the first-time setup of alternative authentication methods. Do not use this for initial installation. Otherwise, you must reinstall the custom resource to log back in.
`central.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes.
`central.exposure.loadBalancer.enabled`	Set this to `true` to expose Central through a load balancer.
`central.exposure.loadBalancer.port`	Use this parameter to specify a custom port for your load balancer.
`central.exposure.loadBalancer.ip`	Use this parameter to specify a static IP address reserved for your load balancer.
`central.exposure.route.enabled`	Set this to `true` to expose Central through a Red Hat OpenShift route. The default value is `false`.
`central.exposure.route.host`	Specify a custom hostname to use for Central’s route. Leave this unset to accept the default value that OpenShift Container Platform provides.
`central.exposure.nodeport.enabled`	Set this to `true` to expose Central through a node port. The default value is `false`.
`central.exposure.nodeport.port`	Use this to specify an explicit node port.
`central.monitoring.exposeEndpoint`	Use `Enabled` to enable monitoring for Central. When you enable monitoring, RHACS creates a new monitoring service on port number `9090`. The default value is `Disabled`.
`central.nodeSelector`	If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.
`central.persistence.hostPath.path`	Specify a host path to store persistent data in a directory on the host. Red Hat does not recommend using this. If you need to use host path, you must use it with a node selector.
`central.persistence.persistentVolumeClaim.claimName`	The name of the PVC to manage persistent data. If no PVC with the given name exists, it is created. The default value is `stackrox-db` if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.
`central.persistence.persistentVolumeClaim.size`	The size of the persistent volume when created through the claim. This is automatically generated by default.
`central.persistence.persistentVolumeClaim.storageClassName`	The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.
`central.resources.limits`	Use this parameter to override the default resource limits for the Central.
`central.resources.requests`	Use this parameter to override the default resource requests for the Central.
`central.imagePullSecrets`	Use this parameter to specify the image pull secrets for the Central image.
`central.db.passwordSecret.name`	Specify a secret that has the database password in the `password` data item. Only use this parameter if you want to specify a connection string manually. If omitted, the operator auto-generates a password and stores it in the `password` item in the `central-db-password` secret.
`central.db.connectionString`	Setting this parameter will not deploy Central DB, and Central will connect using the specified connection string. If you specify a value for this parameter, you must also specify a value for `central.db.passwordSecret.name`. This parameter has the following constraints: Connection string must be in keyword/value format as described in the PostgreSQL documentation. For more information, see the links in the Additional resources section. Only PostgreSQL 13 is supported. Connections through PGBouncer are not supported. User must be a superuser who can create and delete databases.
`central.db.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central DB. This parameter is mainly used for infrastructure nodes.
`central.db.persistence.hostPath.path`	Specify a host path to store persistent data in a directory on the host. Red Hat does not recommend using this. If you need to use host path, you must use it with a node selector.
`central.db.persistence.persistentVolumeClaim.claimName`	The name of the PVC to manage persistent data. If no PVC with the given name exists, it is created. The default value is `central-db` if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.
`central.db.persistence.persistentVolumeClaim.size`	The size of the persistent volume when created through the claim. This is automatically generated by default.
`central.db.persistence.persistentVolumeClaim.storageClassName`	The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.
`central.db.resources.limits`	Use this parameter to override the default resource limits for the Central DB.
`central.db.resources.requests`	Use this parameter to override the default resource requests for the Central DB.

central.adminPasswordSecret

Specify a secret that contains the administrator password in the password data item. If omitted, the operator autogenerates a password and stores it in the password item in the central-htpasswd secret.

central.defaultTLSSecret

By default, Central only serves an internal TLS certificate, which means that you need to handle TLS termination at the ingress or load balancer level. If you want to terminate TLS in Central and serve a custom server certificate, you can specify a secret containing the certificate and private key.

central.adminPasswordGenerationDisabled

Set this parameter to true to disable the automatic administrator password generation. Use this only after you perform the first-time setup of alternative authentication methods. Do not use this for initial installation. Otherwise, you must reinstall the custom resource to log back in.

central.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central. This parameter is mainly used for infrastructure nodes.

central.exposure.loadBalancer.enabled

Set this to true to expose Central through a load balancer.

central.exposure.loadBalancer.port

Use this parameter to specify a custom port for your load balancer.

central.exposure.loadBalancer.ip

Use this parameter to specify a static IP address reserved for your load balancer.

central.exposure.route.enabled

Set this to true to expose Central through a Red Hat OpenShift route. The default value is false.

central.exposure.route.host

Specify a custom hostname to use for Central’s route. Leave this unset to accept the default value that OpenShift Container Platform provides.

central.exposure.nodeport.enabled

Set this to true to expose Central through a node port. The default value is false.

central.exposure.nodeport.port

Use this to specify an explicit node port.

central.monitoring.exposeEndpoint

Use Enabled to enable monitoring for Central. When you enable monitoring, RHACS creates a new monitoring service on port number 9090. The default value is Disabled.

central.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

central.persistence.hostPath.path

Specify a host path to store persistent data in a directory on the host. Red Hat does not recommend using this. If you need to use host path, you must use it with a node selector.

central.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data. If no PVC with the given name exists, it is created. The default value is stackrox-db if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.

central.persistence.persistentVolumeClaim.size

The size of the persistent volume when created through the claim. This is automatically generated by default.

central.persistence.persistentVolumeClaim.storageClassName

The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.

central.resources.limits

Use this parameter to override the default resource limits for the Central.

central.resources.requests

Use this parameter to override the default resource requests for the Central.

central.imagePullSecrets

Use this parameter to specify the image pull secrets for the Central image.

central.db.passwordSecret.name

Specify a secret that has the database password in the password data item. Only use this parameter if you want to specify a connection string manually. If omitted, the operator auto-generates a password and stores it in the password item in the central-db-password secret.

central.db.connectionString

Setting this parameter will not deploy Central DB, and Central will connect using the specified connection string. If you specify a value for this parameter, you must also specify a value for central.db.passwordSecret.name. This parameter has the following constraints:

Connection string must be in keyword/value format as described in the PostgreSQL documentation. For more information, see the links in the Additional resources section.
Only PostgreSQL 13 is supported.
Connections through PGBouncer are not supported.
User must be a superuser who can create and delete databases.

central.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Central DB. This parameter is mainly used for infrastructure nodes.

central.db.persistence.hostPath.path

Specify a host path to store persistent data in a directory on the host. Red Hat does not recommend using this. If you need to use host path, you must use it with a node selector.

central.db.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data. If no PVC with the given name exists, it is created. The default value is central-db if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.

central.db.persistence.persistentVolumeClaim.size

The size of the persistent volume when created through the claim. This is automatically generated by default.

central.db.persistence.persistentVolumeClaim.storageClassName

The name of the storage class to use for the PVC. If your cluster is not configured with a default storage class, you must provide a value for this parameter.

central.db.resources.limits

Use this parameter to override the default resource limits for the Central DB.

central.db.resources.requests

Use this parameter to override the default resource requests for the Central DB.

StackRox Scanner settings

Parameter Description

Parameter	Description
`scanner.analyzer.nodeSelector`	If you want this scanner to only run on specific nodes, you can use this parameter to configure a node selector.
`scanner.analyzer.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the StackRox Scanner. This parameter is mainly used for infrastructure nodes.
`scanner.analyzer.resources.limits`	Use this parameter to override the default resource limits for the StackRox Scanner.
`scanner.analyzer.resources.requests`	Use this parameter to override the default resource requests for the StackRox Scanner.
`scanner.analyzer.scaling.autoScaling`	When enabled, the number of analyzer replicas is managed dynamically based on the load, within the limits specified.
`scanner.analyzer.scaling.maxReplicas`	Specifies the maximum replicas to be used in the analyzer autoscaling configuration
`scanner.analyzer.scaling.minReplicas`	Specifies the minimum replicas to be used in the analyzer autoscaling configuration
`scanner.analyzer.scaling.replicas`	When autoscaling is disabled, the number of replicas is always configured to match this value.
`scanner.db.nodeSelector`	If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.
`scanner.db.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the StackRox Scanner DB. This parameter is mainly used for infrastructure nodes.
`scanner.db.resources.limits`	Use this parameter to override the default resource limits for the StackRox Scanner DB.
`scanner.db.resources.requests`	Use this parameter to override the default resource requests for the StackRox Scanner DB.
`scanner.monitoring.exposeEndpoint`	Use `Enabled` to enable monitoring for the StackRox Scanner. When you enable monitoring, RHACS creates a new monitoring service on port number `9090`. The default value is `Disabled`.
`scanner.scannerComponent`	If you do not want to deploy the StackRox Scanner, you can disable it by using this parameter. If you disable the StackRox Scanner, all other settings in this section have no effect. Red Hat does not recommend disabling Red Hat Advanced Cluster Security for Kubernetes the StackRox Scanner. Do not disable the StackRox Scanner if you have enabled Scanner V4. Scanner V4 requires that the StackRox Scanner is also enabled to provide the necessary scanning capabilities.

scanner.analyzer.nodeSelector

If you want this scanner to only run on specific nodes, you can use this parameter to configure a node selector.

scanner.analyzer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the StackRox Scanner. This parameter is mainly used for infrastructure nodes.

scanner.analyzer.resources.limits

Use this parameter to override the default resource limits for the StackRox Scanner.

scanner.analyzer.resources.requests

Use this parameter to override the default resource requests for the StackRox Scanner.

scanner.analyzer.scaling.autoScaling

When enabled, the number of analyzer replicas is managed dynamically based on the load, within the limits specified.

scanner.analyzer.scaling.maxReplicas

Specifies the maximum replicas to be used in the analyzer autoscaling configuration

scanner.analyzer.scaling.minReplicas

Specifies the minimum replicas to be used in the analyzer autoscaling configuration

scanner.analyzer.scaling.replicas

When autoscaling is disabled, the number of replicas is always configured to match this value.

scanner.db.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scanner.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the StackRox Scanner DB. This parameter is mainly used for infrastructure nodes.

scanner.db.resources.limits

Use this parameter to override the default resource limits for the StackRox Scanner DB.

scanner.db.resources.requests

Use this parameter to override the default resource requests for the StackRox Scanner DB.

scanner.monitoring.exposeEndpoint

Use Enabled to enable monitoring for the StackRox Scanner. When you enable monitoring, RHACS creates a new monitoring service on port number 9090. The default value is Disabled.

scanner.scannerComponent

If you do not want to deploy the StackRox Scanner, you can disable it by using this parameter. If you disable the StackRox Scanner, all other settings in this section have no effect. Red Hat does not recommend disabling Red Hat Advanced Cluster Security for Kubernetes the StackRox Scanner. Do not disable the StackRox Scanner if you have enabled Scanner V4. Scanner V4 requires that the StackRox Scanner is also enabled to provide the necessary scanning capabilities.

Scanner V4 settings (Technology Preview)

Scanner V4 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Parameter Description

Parameter	Description
`scannerV4.db.nodeSelector`	If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.
`scannerV4.db.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner V4 DB. This parameter is mainly used for infrastructure nodes.
`scannerV4.db.resources.limits`	Use this parameter to override the default resource limits for Scanner V4 DB.
`scannerV4.db.resources.requests`	Use this parameter to override the default resource requests for Scanner V4 DB.
`scannerV4.db.persistence.persistentVolumeClaim.claimName`	The name of the PVC to manage persistent data for Scanner V4. If no PVC with the given name exists, it is created. The default value is `scanner-v4-db` if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.
`scannerV4.indexer.nodeSelector`	If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.
`scannerV4.indexer.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Indexer. This parameter is mainly used for infrastructure nodes.
`scannerV4.indexer.resources.limits`	Use this parameter to override the default resource limits for the Scanner V4 Indexer.
`scannerV4.indexer.resources.requests`	Use this parameter to override the default resource requests for the Scanner V4 Indexer.
`scannerV4.indexer.scaling.autoScaling`	When enabled, the number of Scanner V4 Indexer replicas is managed dynamically based on the load, within the limits specified.
`scannerV4.indexer.scaling.maxReplicas`	Specifies the maximum replicas to be used in the Scanner V4 Indexer autoscaling configuration.
`scannerV4.indexer.scaling.minReplicas`	Specifies the minimum replicas to be used in the Scanner V4 Indexer autoscaling configuration.
`scannerV4.indexer.scaling.replicas`	When autoscaling is disabled for the Scanner V4 Indexer, the number of replicas is always configured to match this value.
`scannerV4.matcher.nodeSelector`	If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.
`scannerV4.matcher.tolerations`	If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Matcher. This parameter is mainly used for infrastructure nodes.
`scannerV4.matcher.resources.limits`	Use this parameter to override the default resource limits for the Scanner V4 Matcher.
`scannerV4.matcher.resources.requests`	Use this parameter to override the default resource requests for the Scanner V4 Matcher.
`scannerV4.matcher.scaling.autoScaling`	When enabled, the number of Scanner V4 Matcher replicas is managed dynamically based on the load, within the limits specified.
`scannerV4.matcher.scaling.maxReplicas`	Specifies the maximum replicas to be used in the Scanner V4 Matcher autoscaling configuration.
`scannerV4.matcher.scaling.minReplicas`	Specifies the minimum replicas to be used in the Scanner V4 Matcher autoscaling configuration.
`scannerV4.matcher.scaling.replicas`	When autoscaling is disabled for the Scanner V4 Matcher, the number of replicas is always configured to match this value.
`scannerV4.monitoring.exposeEndpoint`	Configures a monitoring endpoint for Scanner V4. The monitoring endpoint allows other services to collect metrics from Scanner V4, provided in a Prometheus-compatible format. Use `Enabled` to expose the monitoring endpoint. When you enable monitoring, RHACS creates a new service, `monitoring`, with port 9090, and a network policy allowing inbound connections to the port. By default, this is not enabled.
`scannerV4.scannerComponent`	Enables Scanner V4. The default value is `default`, which is disabled. To enable Scanner V4, set this parameter to `Enabled`.

scannerV4.db.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scannerV4.db.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for Scanner V4 DB. This parameter is mainly used for infrastructure nodes.

scannerV4.db.resources.limits

Use this parameter to override the default resource limits for Scanner V4 DB.

scannerV4.db.resources.requests

Use this parameter to override the default resource requests for Scanner V4 DB.

scannerV4.db.persistence.persistentVolumeClaim.claimName

The name of the PVC to manage persistent data for Scanner V4. If no PVC with the given name exists, it is created. The default value is scanner-v4-db if not set. To prevent data loss, the PVC is not removed automatically when Central is deleted.

scannerV4.indexer.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scannerV4.indexer.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Indexer. This parameter is mainly used for infrastructure nodes.

scannerV4.indexer.resources.limits

Use this parameter to override the default resource limits for the Scanner V4 Indexer.

scannerV4.indexer.resources.requests

Use this parameter to override the default resource requests for the Scanner V4 Indexer.

scannerV4.indexer.scaling.autoScaling

When enabled, the number of Scanner V4 Indexer replicas is managed dynamically based on the load, within the limits specified.

scannerV4.indexer.scaling.maxReplicas

Specifies the maximum replicas to be used in the Scanner V4 Indexer autoscaling configuration.

scannerV4.indexer.scaling.minReplicas

Specifies the minimum replicas to be used in the Scanner V4 Indexer autoscaling configuration.

scannerV4.indexer.scaling.replicas

When autoscaling is disabled for the Scanner V4 Indexer, the number of replicas is always configured to match this value.

scannerV4.matcher.nodeSelector

If you want this component to only run on specific nodes, you can use this parameter to configure a node selector.

scannerV4.matcher.tolerations

If the node selector selects tainted nodes, use this parameter to specify a taint toleration key, value, and effect for the Scanner V4 Matcher. This parameter is mainly used for infrastructure nodes.

scannerV4.matcher.resources.limits

Use this parameter to override the default resource limits for the Scanner V4 Matcher.

scannerV4.matcher.resources.requests

Use this parameter to override the default resource requests for the Scanner V4 Matcher.

scannerV4.matcher.scaling.autoScaling

When enabled, the number of Scanner V4 Matcher replicas is managed dynamically based on the load, within the limits specified.

scannerV4.matcher.scaling.maxReplicas

Specifies the maximum replicas to be used in the Scanner V4 Matcher autoscaling configuration.

scannerV4.matcher.scaling.minReplicas

Specifies the minimum replicas to be used in the Scanner V4 Matcher autoscaling configuration.

scannerV4.matcher.scaling.replicas

When autoscaling is disabled for the Scanner V4 Matcher, the number of replicas is always configured to match this value.

scannerV4.monitoring.exposeEndpoint

Configures a monitoring endpoint for Scanner V4. The monitoring endpoint allows other services to collect metrics from Scanner V4, provided in a Prometheus-compatible format. Use Enabled to expose the monitoring endpoint. When you enable monitoring, RHACS creates a new service, monitoring, with port 9090, and a network policy allowing inbound connections to the port. By default, this is not enabled.

scannerV4.scannerComponent

Enables Scanner V4. The default value is default, which is disabled. To enable Scanner V4, set this parameter to Enabled.

General and miscellaneous settings

Parameter Description

Parameter	Description
`tls.additionalCAs`	Additional Trusted CA certificates for the secured cluster to trust. These certificates are typically used when integrating with services using a private certificate authority.
`misc.createSCCs`	Specify `true` to create `SecurityContextConstraints` (SCCs) for Central. Setting to `true` might cause issues in some environments.
`customize.annotations`	Allows specifying custom annotations for the Central deployment.
`customize.envVars`	Advanced settings to configure environment variables.
`egress.connectivityPolicy`	Configures whether RHACS should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.
`monitoring.openshift.enabled`	If you set this option to `false`, Red Hat Advanced Cluster Security for Kubernetes will not set up Red Hat OpenShift monitoring. Defaults to `true` on Red Hat OpenShift 4.
`overlays`	See Customizing the installation using the operator with overlays

tls.additionalCAs

Additional Trusted CA certificates for the secured cluster to trust. These certificates are typically used when integrating with services using a private certificate authority.

misc.createSCCs

Specify true to create SecurityContextConstraints (SCCs) for Central. Setting to true might cause issues in some environments.

customize.annotations

Allows specifying custom annotations for the Central deployment.

customize.envVars

Advanced settings to configure environment variables.

egress.connectivityPolicy

Configures whether RHACS should run in online or offline mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.

monitoring.openshift.enabled

If you set this option to false, Red Hat Advanced Cluster Security for Kubernetes will not set up Red Hat OpenShift monitoring. Defaults to true on Red Hat OpenShift 4.

overlays

See Customizing the installation using the operator with overlays

Customizing the installation using the Operator with overlays

Learn how to tailor the installation of RHACS using the Operator method with overlays.

Overlays

When Central or SecuredCluster custom resources don’t expose certain low-level configuration options as parameters, you can use the .spec.overlays field for adjustments. Use this field to amend the Kubernetes resources generated by these custom resources.

The .spec.overlays field comprises a sequence of patches, applied in their listed order. These patches are processed by the Operator on the Kubernetes resources before deployment to the cluster.

The .spec.overlays field in both Central and SecuredCluster allows users to modify low-level Kubernetes resources in arbitrary ways. Use this feature only when the desired customization is not available through the SecuredCluster or Central custom resources.

Support for the .spec.overlays feature is limited primarily because it grants the ability to make intricate and highly specific modifications to Kubernetes resources, which can vary significantly from one implementation to another. This level of customization introduces a complexity that goes beyond standard usage scenarios, making it challenging to provide broad support. Each modification can be unique, potentially interacting with the Kubernetes system in unpredictable ways across different versions and configurations of the product. This variability means that troubleshooting and guaranteeing the stability of these customizations require a level of expertise and understanding specific to each individual’s setup. Consequently, while this feature empowers tailoring Kubernetes resources to meet precise needs, greater responsibility must also assumed to ensure the compatibility and stability of configurations, especially during upgrades or changes to the underlying product.

The following example shows the structure of an overlay:

overlays:
- apiVersion: v1     (1)
  kind: ConfigMap    (2)
  name: my-configmap (3)
  patches:
    - path: .data    (4)
      value: |       (5)
        key1: data2
        key2: data2

1	Targeted Kubernetes resource ApiVersion, for example `apps/v1`, `v1`, `networking.k8s.io/v1`
2	Resource type (e.g., Deployment, ConfigMap, NetworkPolicy)
3	Name of the resource, for example `my-configmap`
4	JSONPath expression to the field, for example `spec.template.spec.containers[name:central].env[-1]`
5	YAML string for the new field value

Adding an overlay

For customizations, you can add overlays to Central or SecuredCluster custom resources. Use the OpenShift CLI (oc) or the OpenShift Container Platform web console for modifications.

If overlays do not take effect as expected, check the RHACS Operator logs for any syntax errors or issues logged.

Overlay examples

Specifying an EKS pod role ARN for the Central ServiceAccount

Add an Amazon Elastic Kubernetes Service (EKS) pod role Amazon Resource Name (ARN) annotation to the central ServiceAccount as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: v1
    kind: ServiceAccount
    name: central
    patches:
      - path: metadata.annotations.eks\.amazonaws\.com/role-arn
        value: "\"arn:aws:iam:1234:role\""

Injecting an environment variable into the Central deployment

Inject an environment variable into the central deployment as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
  # ...
  overlays:
  - apiVersion: apps/v1
    kind: Deployment
    name: central
    patches:
    - path: spec.template.spec.containers[name:central].env[-1]
      value: |
        name: MY_ENV_VAR
        value: value

Extending network policy with an ingress rule

Add an ingress rule to the allow-ext-to-central network policy for port 999 traffic as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
    # ...
    overlays:
    - apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: allow-ext-to-central
      patches:
        - path: spec.ingress[-1]
          value: |
            ports:
            - port: 999
              protocol: TCP

Modifying ConfigMap data

Modify the central-endpoints ConfigMap data as shown in the following example:

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
    # ...
    overlays:
    - apiVersion: v1
      kind: ConfigMap
      name: central-endpoints
      patches:
      - path: data
        value: |
          endpoints.yaml: |
            disableDefault: false

Adding a container to the `Central` deployment

Add a new container to the central deployment as shown in the following example:.

apiVersion: platform.stackrox.io
kind: Central
metadata:
  name: central
spec:
    # ...
    overlays:
    - apiVersion: apps/v1
      kind: Deployment
      name: central
      patches:
        - path: spec.template.spec.containers[-1]
      value: |
        name: nginx
        image: nginx
        ports:
          - containerPort: 8000
            name: http
            protocol: TCP

Additional resources

Central configuration options using the Operator

Central settings

StackRox Scanner settings

Scanner V4 settings (Technology Preview)

General and miscellaneous settings

Customizing the installation using the Operator with overlays

Overlays

Adding an overlay

Overlay examples

Specifying an EKS pod role ARN for the Central ServiceAccount

Injecting an environment variable into the Central deployment

Extending network policy with an ingress rule

Modifying ConfigMap data

Adding a container to the Central deployment

Adding a container to the `Central` deployment