If you use an ingress controller, Istio, or a Layer 7 load balancer that prefers unencrypted HTTP back ends, you can configure the StackRox Kubernetes Security Platform to expose the StackRox portal over HTTP. Doing this makes the StackRox portal available over a plaintext back end.
To expose the StackRox portal over HTTP:
- You must be running version 2.5.25 or newer of the StackRox Kubernetes Security Platform. If you are on an older version, see the Upgrade StackRox page for upgrade instructions.
- You must be using an ingress controller, a Layer 7 load balancer, or Istio to encrypt external traffic with HTTPS. It’s insecure to expose the StackRox portal directly to external clients using plain HTTP.
For the StackRox Kubernetes Security Platform version 3.0.40 and newer, we recommend that you use a YAML configuration file to expose Central over HTTP. See configure endpoints for more details.
To enable the HTTP server during deployment, use the `--plaintext-endpoints` option with the roxctl command-line interface (CLI). For example, to use it with the interactive installation process, run the following command:

```
roxctl central generate interactive --plaintext-endpoints=<endpoints-spec>
```
`<endpoints-spec>` is a comma-separated list of single endpoint specifications in the form of `<type>@<addr>:<port>`, where:
- `type` is `grpc` or `http`. Using `http` as `type` works in most use cases. For advanced use cases, you can either use `grpc` or omit its value. If you omit the value for `type`, you can configure two endpoints in your proxy, one for gRPC and the other for HTTP, that both point to the same exposed HTTP port on Central. However, most proxies don't support carrying both gRPC and HTTP traffic on the same external port.
- `addr` is the IP address on which you want to expose Central. You can omit this, or use `127.0.0.1` if you want to have an HTTP endpoint which is only accessible by using port-forwarding.
- `port` is the port number on which you want to expose Central.
Here are a few valid `<endpoints-spec>` values:

```
--plaintext-endpoints=8080
--plaintext-endpoints=http@8080
--plaintext-endpoints=:8081
--plaintext-endpoints=grpc@:8081
--plaintext-endpoints=localhost:8080
--plaintext-endpoints=http@localhost:8080
```
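To review a value before you apply it, the following added example (not StackRox code) parses each entry of an endpoint list and reports its type, address, port, and whether it listens only on loopback. The function names `describe_endpoint` and `audit_endpoints` are hypothetical, and treating an omitted `addr` as listening on every interface is an assumption.

```shell
# Added example, not StackRox code: classify each entry of a
# --plaintext-endpoints / ROX_PLAINTEXT_ENDPOINTS value (type@addr:port).

# describe_endpoint SPEC: prints "type=<t> addr=<a|*> port=<n> reach=<r>";
# returns 1 and explains on stderr when the entry is malformed.
describe_endpoint() {
  ep_spec=$1
  case $ep_spec in
    *@*) ep_type=${ep_spec%%@*}; ep_rest=${ep_spec#*@} ;;
    *)   ep_type=; ep_rest=$ep_spec ;;            # type omitted
  esac
  case $ep_rest in
    *:*) ep_addr=${ep_rest%:*}; ep_port=${ep_rest##*:} ;;
    *)   ep_addr=; ep_port=$ep_rest ;;            # addr omitted
  esac
  case $ep_type in
    http|grpc) ;;
    '') ep_type=http+grpc ;;  # omitted type: one port serves both protocols
    *)  echo "invalid type in '$ep_spec'" >&2; return 1 ;;
  esac
  case $ep_port in
    ''|*[!0-9]*|??????*) echo "invalid port in '$ep_spec'" >&2; return 1 ;;
  esac
  if [ "$ep_port" -lt 1 ] || [ "$ep_port" -gt 65535 ]; then
    echo "port out of range in '$ep_spec'" >&2; return 1
  fi
  case $ep_addr in
    127.*|localhost|'[::1]') ep_reach=loopback ;;  # port-forward only
    *) ep_reach=network ;;  # assumption: an empty addr binds every interface
  esac
  echo "type=$ep_type addr=${ep_addr:-*} port=$ep_port reach=$ep_reach"
}

# audit_endpoints LIST: one line per entry; status 1 if any entry is malformed.
audit_endpoints() {
  audit_rc=0
  audit_rest=$1
  while [ -n "$audit_rest" ]; do
    audit_ep=${audit_rest%%,*}
    case $audit_rest in
      *,*) audit_rest=${audit_rest#*,} ;;
      *)   audit_rest= ;;
    esac
    describe_endpoint "$audit_ep" || audit_rc=1
  done
  return $audit_rc
}
# Constructed sample value using forms from the list above.
audit_endpoints "http@8080,grpc@:8081,localhost:8080"
```

Every entry reported as `reach=network` is a plaintext listener that should be reachable only by the ingress controller, Istio, or load balancer that terminates HTTPS.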
To enable the HTTP server on an existing StackRox deployment:
Add an environment variable to the StackRox Central deployment with the name `ROX_PLAINTEXT_ENDPOINTS` and set its value to an endpoint specification, for example:

On Kubernetes:

```
CENTRAL_PLAINTEXT_PATCH='
spec:
  template:
    spec:
      containers:
      - name: central
        env:
        - name: ROX_PLAINTEXT_ENDPOINTS
          value: "http@8080,grpc@8081"
'
kubectl -n stackrox patch deploy/central -p "$CENTRAL_PLAINTEXT_PATCH"
```

On OpenShift:

```
CENTRAL_PLAINTEXT_PATCH='
spec:
  template:
    spec:
      containers:
      - name: central
        env:
        - name: ROX_PLAINTEXT_ENDPOINTS
          value: "http@8080,grpc@8081"
'
oc -n stackrox patch deploy/central -p "$CENTRAL_PLAINTEXT_PATCH"
```