If you are using an enterprise certificate authority (CA) on your network, or self-signed certificates, you must add the CA’s root certificate to the StackRox Kubernetes Security Platform as a trusted root CA.
Adding trusted root CAs allows:
- Central and Scanner to trust remote servers when you integrate with other tools.
- Sensor to trust custom certificates you use for StackRox Central.
You can add additional CAs during the installation or on an existing StackRox deployment. You must first configure your trusted CAs in the cluster where you’ve deployed StackRox Central and then propagate the changes to Scanner and Sensor.
To add custom CAs:
Use the ca-setup.sh script.
- If you are doing a new installation, you can find the ca-setup.sh script in the
- You must run the ca-setup.sh script in the same terminal from which you logged into your Kubernetes or OpenShift cluster.
Make the ca-setup.sh script executable.
chmod +x ca-setup.sh
To add a single certificate, use the -f option:
./ca-setup.sh -f <certificate>
You must use a PEM-encoded certificate file (with any extension).
To add multiple certificates at once, move all the certificates into one directory and use the -d option:
./ca-setup.sh -d <directory-name>
You must use PEM-encoded certificate files with the .crt extension, and each file must contain only a single certificate.
You can also use the -u (update) option together with the file or directory option to update any previously added certificates.
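The three requirements above (PEM encoding, a .crt extension, one certificate per file) are easy to get wrong when an internal PKI team hands over a bundle file or a combined key-and-certificate file, and a mistake only surfaces later as a failed integration. The following pre-flight check is an added example and is not part of the StackRox scripts; it walks a directory and rejects any file that breaks one of those rules before you pass the directory to ./ca-setup.sh -d. The function and file names (check_ca_file, check_ca_dir, make_sample_dir, corp-root.crt and the others) are assumptions for the example, and the certificate bodies it writes are constructed placeholders rather than real certificates, so the check is structural only.

```shell
#!/bin/sh
# Pre-flight check for a certificate directory before running ./ca-setup.sh -d <dir>.
# Added example, not part of the StackRox scripts. It enforces only what the
# documentation states: every file ends in .crt, is PEM-encoded, and holds exactly
# one certificate. Sample files are constructed placeholders, not real certificates.

# check_ca_file FILE: returns 0 when FILE meets the requirements, 1 otherwise,
# printing the reason for any rejection.
check_ca_file() {
    f=$1
    case "$f" in
        *.crt) ;;
        *) echo "REJECT $f: file name must end in .crt"; return 1 ;;
    esac
    [ -f "$f" ] || { echo "REJECT $f: not a regular file"; return 1; }
    # grep -c prints 0 but exits 1 when nothing matches; '|| true' keeps the count usable.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    anyblock=$(grep -c '^-----BEGIN ' "$f" || true)   # every PEM block, of any type
    if [ "$begins" -eq 0 ]; then
        echo "REJECT $f: no PEM certificate block found (DER-encoded or empty file?)"; return 1
    fi
    if [ "$anyblock" -ne "$begins" ]; then
        echo "REJECT $f: contains a non-certificate PEM block (for example a private key)"; return 1
    fi
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "REJECT $f: must contain exactly one certificate, found $begins"; return 1
    fi
    echo "OK     $f"
    return 0
}

# check_ca_dir DIR: checks every entry in DIR, prints a summary line last and
# returns 1 if any file was rejected, so a bad directory never reaches ca-setup.sh.
check_ca_dir() {
    d=$1
    bad=0
    for f in "$d"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob did not expand
        check_ca_file "$f" || bad=$((bad + 1))
    done
    echo "$bad file(s) rejected in $d"
    [ "$bad" -eq 0 ]
}

# make_sample_dir: writes four constructed files into a temporary directory and
# prints its path. Only corp-root.crt satisfies all three requirements.
make_sample_dir() {
    d=$(mktemp -d)
    body='MIIBszCCAVmgAwIBAgIUQ0FjZXJ0cGxhY2Vob2xkZXIwMDAwMDAwMA=='   # placeholder body, not a real cert
    {
        echo '-----BEGIN CERTIFICATE-----'
        echo "$body"
        echo '-----END CERTIFICATE-----'
    } > "$d/corp-root.crt"                                      # valid: .crt, PEM, one certificate
    cat "$d/corp-root.crt" "$d/corp-root.crt" > "$d/bundle.crt"  # two certificates in one file
    cp "$d/corp-root.crt" "$d/intermediate.pem"                 # wrong extension
    {
        echo '-----BEGIN PRIVATE KEY-----'
        echo "$body"
        echo '-----END PRIVATE KEY-----'
        cat "$d/corp-root.crt"
    } > "$d/key-and-cert.crt"                                   # private key bundled with the cert
    echo "$d"
}

# Demonstration on the constructed directory. In real use, point check_ca_dir at the
# directory you are about to hand to ./ca-setup.sh -d.
sample=$(make_sample_dir)
check_ca_dir "$sample" || echo "fix the rejected files before running ./ca-setup.sh -d $sample"
```

The check deliberately stops at PEM structure so it runs anywhere a POSIX shell does. Where openssl is installed, `openssl x509 -in <file> -noout` on each accepted file is the stronger follow-up: it confirms the block actually parses as a certificate, which the marker count alone cannot.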
After you configure trusted CAs, you must make StackRox services trust them.
If you’ve configured trusted CAs before deploying Central and Scanner, skip the following steps and continue with the instructions in the Sensor section.
If you’ve configured trusted CAs after installation, you must complete the following instructions:
Restart Central to apply the changes. The command terminates the Central process (PID 1 in the container), and Kubernetes restarts the container.
On Kubernetes:
kubectl -n stackrox exec deploy/central -c central -- kill 1
On OpenShift:
oc -n stackrox exec deploy/central -c central -- kill 1
If you are adding certificates for integrating with image registries, you must also restart Scanner. Deleting the Scanner pods is sufficient; the deployment recreates them with the new CAs.
On Kubernetes:
kubectl delete po -n stackrox -l app=scanner
On OpenShift:
oc delete po -n stackrox -l app=scanner
Once you’ve added trusted CAs and configured Central, the CAs are included in any new sensor deployment bundles that you create.
If Sensor reports problems connecting to Central, you must generate a new sensor deployment YAML file and update the existing clusters.
- If you're deploying with the sensor deployment bundle, run ./ca-setup-sensor.sh -d ./additional-cas/ before you run the bundle's deployment script.
- If you’re deploying with Helm, follow the Helm chart documentation. You don’t have to run any additional scripts.