Operator configuration

Learn about the operator configuration parameters you can use when you install or upgrade the StackRox Kubernetes Security Platform on OpenShift by using the RHACS Operator.

This topic describes the configuration options available as part of the Red Hat Advanced Cluster Security (RHACS) Operator.

The RHACS Operator includes custom resources that it uses to manage the following services:

  1. Central services (the Central custom resource)
  2. Secured cluster services (the SecuredCluster custom resource)

Each custom resource has common and advanced configuration settings. Common configuration settings are used most of the time and are displayed in the OpenShift Catalog's custom resource form view. Advanced settings are less frequently used and are only available in the YAML view.

The RHACS Operator is only supported on OpenShift versions 4.6 and later.

Central services custom resource

This section details the common and advanced configuration options for the Central custom resource.

Supported Settings

Supported settings for the Central custom resource include settings for:

  1. Labels
  2. The Central Administrator password
  3. The Central Exposure type
  4. The user interface certificate
  5. Persistence settings
  6. Resource requests and limits
  7. Taint Tolerations
  8. Trusted certificate authorities
  9. Offline mode
  10. Scanner Configuration

Central Settings

| Parameter | Description |
| --- | --- |
| central.adminPasswordSecret | Specify a secret that contains the administrator password in the “password” data item. If omitted, the operator autogenerates a password and stores it in the “password” item of the “central-htpasswd” secret. Autogenerated by default. |
| central.defaultTLSSecret | By default, Central only serves an internal TLS certificate, which means that you must handle TLS termination at the ingress or load balancer level. If you want to terminate TLS in Central and serve a custom server certificate, specify a secret containing the certificate and private key here. |
| central.exposure.loadBalancer.enabled | Set this to true to expose Central through a load balancer. |
| central.exposure.loadBalancer.port | If you have a custom port for your load balancer, enter it here. |
| central.exposure.loadBalancer.ip | If you have a static IP address reserved for your load balancer, enter it here. |
| central.exposure.route.enabled | Set this to true to expose Central through an OpenShift route. Defaults to false. |
| central.exposure.nodeport.enabled | Set this to true to expose Central through a NodePort. Defaults to false. |
| central.exposure.nodeport.port | Use this to specify an explicit node port. |
| central.nodeSelector | If you want this component to run only on specific nodes, configure a node selector here. |
| central.persistence.hostPath.path | Stores persistent data in a directory on the host. This isn’t recommended, and should only be used together with a node selector. |
| central.persistence.persistentVolumeClaim.claimName | The name of the PVC that manages persistent data. If no PVC with the given name exists, it is created. Defaults to “stackrox-db” if not set. To prevent data loss, the PVC isn’t removed automatically when Central is deleted. |
| central.persistence.persistentVolumeClaim.size | The size of the persistent volume when it is created through the claim. This is automatically generated by default. |
| central.persistence.persistentVolumeClaim.storageClassName | The name of the storage class to use for the PVC. If your cluster isn’t configured with a default storage class, you must select a value here. |
| central.resources.limits | Allows overriding the default resource limits for this component. |
| central.resources.requests | Allows overriding the default resource requests for this component. |
| central.imagePullSecrets | Specifies the image pull secrets for the Central image. |

Scanner Settings

| Parameter | Description |
| --- | --- |
| scanner.analyzer.nodeSelector | If you want the scanner to run only on specific nodes, configure a node selector here. |
| scanner.analyzer.resources.limits | Allows overriding the default resource limits for this component. |
| scanner.analyzer.resources.requests | Allows overriding the default resource requests for this component. |
| scanner.analyzer.scaling.autoScaling | When enabled, the number of analyzer replicas is managed dynamically based on the load, within the limits specified. |
| scanner.analyzer.scaling.maxReplicas | Specifies the maximum number of replicas used by the analyzer autoscaling configuration. |
| scanner.analyzer.scaling.minReplicas | Specifies the minimum number of replicas used by the analyzer autoscaling configuration. |
| scanner.analyzer.scaling.replicas | When autoscaling is disabled, the number of replicas is always configured to match this value. |
| scanner.db.nodeSelector | If you want this component to run only on specific nodes, configure a node selector here. |
| scanner.db.resources.limits | Allows overriding the default resource limits for this component. |
| scanner.db.resources.requests | Allows overriding the default resource requests for this component. |
| scanner.scannerComponent | If you don’t want to deploy the Red Hat Advanced Cluster Security Scanner, you can disable it here (not recommended). If you do so, none of the settings in this section have any effect. |

General and Miscellaneous Settings

| Parameter | Description |
| --- | --- |
| tls.additionalCAs | Additional trusted CA certificates for the secured cluster to trust. This is typically used when integrating with services that use a private certificate authority. |
| misc.createSCCs | Set this to true to create SCCs for Central. This may cause issues in some environments. |
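The manifest below is an added example, not taken from the RHACS documentation or the operator project, that wires several of the Central settings above into one custom resource together with the Secret that supplies the administrator password. The apiVersion, kind and field nesting follow the platform.stackrox.io/v1alpha1 CRD schema as published by the operator; the Secret name, namespace, PVC size, storage class, resource figures and CA file name are assumed values to replace, and the enumerated values Enabled/Disabled and Online/Offline are the CRD's own. Check field names with `oc explain central.spec` before applying.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: central-admin-password          # assumed name
  namespace: stackrox
type: Opaque
stringData:
  password: REPLACE-WITH-STRONG-PASSWORD  # placeholder; the "password" item is what Central reads
---
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: stackrox
spec:
  central:
    adminPasswordSecret:
      name: central-admin-password      # replaces the autogenerated central-htpasswd secret
    exposure:
      route:
        enabled: true                   # expose through an OpenShift Route (default is false)
    persistence:
      persistentVolumeClaim:
        claimName: stackrox-db          # the default name; the PVC survives deletion of Central
        size: 100Gi                     # assumed
        storageClassName: managed-csi   # assumed; required when the cluster has no default class
    resources:
      requests:
        cpu: "1500m"                    # assumed figures; override the component defaults
        memory: 4Gi
      limits:
        cpu: "4"
        memory: 8Gi
  scanner:
    scannerComponent: Enabled           # Disabled would turn off image scanning entirely
    analyzer:
      scaling:
        autoScaling: Enabled            # replica count follows load between min and max
        minReplicas: 2
        maxReplicas: 5                  # scaling.replicas is ignored while autoscaling is on
  tls:
    additionalCAs:
      - name: corp-root-ca.pem          # assumed; trusts a private CA, e.g. an internal registry
        content: |
          -----BEGIN CERTIFICATE-----
          PLACEHOLDER-PEM-BODY
          -----END CERTIFICATE-----
  egress:
    connectivityPolicy: Online          # Offline disables automatic definition and module updates
```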

The SecuredCluster custom resource

This section details the common and advanced configuration options for the SecuredCluster custom resource.

Supported Settings

Supported settings for the SecuredCluster custom resource include settings for:

  1. Labels
  2. Admission Controller Settings
  3. Central Endpoint configuration
  4. The cluster name
  5. Per node settings
  6. Sensor configuration
  7. Image Pull Secrets
  8. Trusted certificate authorities

Required Configuration Settings

| Parameter | Description |
| --- | --- |
| centralEndpoint | The endpoint of the Red Hat Advanced Cluster Security Central instance to connect to, including the port number. If you use a load balancer that is not gRPC capable, use the WebSocket protocol by prefixing the endpoint address with wss://. Note: if you leave this blank, Sensor attempts to connect to a Central instance running in the same namespace. |
| clusterName | The unique name of this cluster, as it is shown in the Red Hat Advanced Cluster Security UI. Note: once a name is set here, you can’t change it again. You must delete and re-create this object to register a cluster with a new name. |

Admission Controller Settings

| Parameter | Description |
| --- | --- |
| admissionControl.listenOnCreates | Set this to true to enable preventive policy enforcement for object creations. Defaults to false. |
| admissionControl.listenOnEvents | Set this to true to enable monitoring and enforcement for Kubernetes events, such as port-forward and exec. This is used to control access to resources through the Kubernetes API. Defaults to true. |
| admissionControl.listenOnUpdates | Set this to true to enable preventive policy enforcement for object updates. This has no effect unless listenOnCreates is set to true as well. Defaults to false. |
| admissionControl.nodeSelector | If you want this component to run only on specific nodes, configure a node selector using this setting. |
| admissionControl.resources.limits | Allows overriding the default resource limits for this component. |
| admissionControl.resources.requests | Allows overriding the default resource requests for this component. |

Image Configuration

Use Image configuration settings when you are using a custom registry.

| Parameter | Description |
| --- | --- |
| imagePullSecrets.name | Additional image pull secrets to be taken into account when pulling images. |

Per Node settings

Per node settings define the configuration settings for components that run on each node in a cluster to secure the cluster. These components are collector and compliance. Usually, the defaults are acceptable.

| Parameter | Description |
| --- | --- |
| perNode.collector.collection | The method for system-level data collection. Kernel module is recommended. If you select NoCollection, you won’t see any information about network activity and process executions. Options include NoCollection, EBPF and KernelModule. Defaults to KernelModule. |
| perNode.collector.imageFlavor | The image flavor to use for collector. Options include Regular and Slim. “Regular” images are larger, but contain kernel modules for most kernels. If you use the “Slim” image flavor, you must ensure that your Central instance is connected to the internet, or regularly receives Collector Support Package updates. Defaults to Slim. |
| perNode.collector.resources.limits | Allows overriding the default resource limits for collector. |
| perNode.collector.resources.requests | Allows overriding the default resource requests for collector. |
| perNode.compliance.resources.requests | Allows overriding the default resource requests for compliance, which is the container responsible for checking host-level configuration. |
| perNode.compliance.resources.limits | Allows overriding the default resource limits for compliance, which is the container responsible for checking host-level configuration. |

Taint Tolerations

| Parameter | Description |
| --- | --- |
| taintToleration | To ensure comprehensive monitoring of your cluster activity, Red Hat Advanced Cluster Security runs services on every node in the cluster, including tainted nodes, by default. If you don’t want this behavior, select AvoidTaints here. |

Sensor Configuration

This configuration defines the settings of the Sensor component, which runs on one node in a cluster.

| Parameter | Description |
| --- | --- |
| sensor.nodeSelector | If you want Sensor to run only on specific nodes, configure a node selector. |
| sensor.resources.limits | Allows overriding the default resource limits for Sensor. |
| sensor.resources.requests | Allows overriding the default resource requests for Sensor. |

General and Miscellaneous Settings

| Parameter | Description |
| --- | --- |
| tls.additionalCAs | Additional trusted CA certificates for the secured cluster to trust. This is typically used when integrating with services that use a private certificate authority. |
| misc.createSCCs | Set this to true to create SCCs for Central. This may cause issues in some environments. |
| customize.annotations | Allows specifying custom annotations for the Central deployment. |
| customize.envVars | Advanced settings to configure environment variables. |
| egress.connectivityPolicy | Configures whether Red Hat Advanced Cluster Security runs in online or offline (disconnected) mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled. |
| clusterLabels | Assign labels to clusters that may be used to define access scopes for roles. |
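The manifest below is an added example, not taken from the RHACS documentation or the operator project, that combines the SecuredCluster settings from the sections above into one custom resource for a disconnected cluster behind a non-gRPC load balancer. Field nesting follows the platform.stackrox.io/v1alpha1 CRD schema (which places taintToleration under perNode); the cluster name, Central hostname, label values, node-selector label, pull-secret name and CA file name are assumed, and the enumerated values TolerateTaints/AvoidTaints and Online/Offline are the CRD's own. Check field names with `oc explain securedcluster.spec` before applying.

```yaml
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  clusterName: prod-east-1                         # assumed; immutable once set (delete and re-create to rename)
  centralEndpoint: wss://central.example.com:443   # assumed host; wss:// because the load balancer is not gRPC capable
  clusterLabels:
    environment: production                        # assumed; usable when defining access scopes for roles
  admissionControl:
    listenOnCreates: true                          # preventive enforcement on object creation
    listenOnUpdates: true                          # only effective because listenOnCreates is true
    listenOnEvents: true                           # monitor and enforce exec and port-forward
  perNode:
    collector:
      collection: KernelModule                     # alternatives: EBPF, NoCollection (no network/process data)
      imageFlavor: Regular                         # Slim would need Central to receive support package updates
    taintToleration: TolerateTaints                # the default; AvoidTaints leaves tainted nodes unmonitored
  sensor:
    nodeSelector:
      node-role.kubernetes.io/infra: ""            # assumed label; pins the single Sensor pod to infra nodes
  imagePullSecrets:
    - name: private-registry-pull                  # assumed secret for a custom registry
  tls:
    additionalCAs:
      - name: corp-root-ca.pem                     # assumed; private CA used by internal services
        content: |
          -----BEGIN CERTIFICATE-----
          PLACEHOLDER-PEM-BODY
          -----END CERTIFICATE-----
  egress:
    connectivityPolicy: Offline                    # disconnected: no automatic definition or kernel-module updates
  customize:
    annotations:
      example.com/owner: platform-team             # assumed annotation
```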


© 2021 StackRox Inc. All rights reserved.