This guide describes step-by-step instructions for installing the StackRox Kubernetes Security Platform by using the OpenShift Operator for Red Hat Advanced Cluster Security (RHACS) and conducting simple tests using sample container images.
The StackRox Kubernetes Security Platform installs as a set of containers in your OpenShift cluster and includes multiple components. The main software component of the StackRox Kubernetes Security Platform is called Central. To learn about the components that make up the StackRox Kubernetes Security Platform, see StackRox architecture.
The Advanced Cluster Security operator supports the following two custom resources:
Central: Central is the management control plane and user interface for RHACS. Central includes the following services:
- Central: Central is the RHACS application management interface and services.
- Scanner: Scanner is the StackRox vulnerability scanner, a Red Hat-developed and certified scanner for container images, together with its associated database.
SecuredCluster: Secured Cluster Services manages the components of RHACS necessary to secure your OpenShift cluster. Secured Cluster includes the following services:
- Sensor: Sensor is the service responsible for analyzing and monitoring the cluster.
- Collector: Collector analyzes and monitors container activity on Kubernetes nodes.
- Admission Control: Admission Controller is the validating admission webhook that monitors requests to the OpenShift/Kubernetes API server and enforces policy on them.
- From your OpenShift console > OperatorHub, find and install the Red Hat Advanced Cluster Security Operator.
- Configure and deploy the Central custom resource. Usually, you only need to install Central once per environment, so this step may not apply if this isn’t your first installation.
- Configure and deploy the SecuredCluster custom resource into every cluster that you want to monitor. You need to install the Operator on each of those clusters as well.
To install the StackRox Kubernetes Security Platform, you need:
To install the Red Hat Advanced Cluster Security Operator:
- In your OpenShift Container Platform Console, select Operators > OperatorHub to access the list of available operators.
- Search for Advanced Cluster Security and select the Advanced Cluster Security operator.
- Select Install on the Advanced Cluster Security Operator details page.
- On the Install Operator page, keep the default values (if you don’t require customization) and then select Install.
- After the installation completes, go to your OpenShift Container Platform Console and navigate to Operators > Installed Operators.
When you install the StackRox Kubernetes Security Platform for the first time, you must install the Central custom resource first, because the SecuredCluster installation depends on certificates that Central generates. If you have already installed Central, proceed with the Install Secured Cluster Services section.
You deploy Central services only once and you can monitor multiple separate clusters by using the same installation.
This topic shows you how to install Central quickly without any customization. However, for the production environment, you must configure the Operator as needed. See the Operator configuration topic to learn more.
To quickly install Central services, use the following instructions:
- Go to your OpenShift Container Platform Console and navigate to Operators > Installed Operators.
- Switch your Project from openshift-operators to the project in which you would like to install StackRox. It’s recommended to use a new project called stackrox.
- Select the Advanced Cluster Security Operator.
- On the Details tab under the Provided APIs section, select Create instance on the Central API.
- Enter a name for your central custom resource and any required labels. Otherwise, accept the defaults.
- Select Create.
When installing Central or SecuredCluster, make sure you are in the correct project: do not install them into the default openshift-operators project that the Operator itself was installed in. Create a new, dedicated namespace for Central and SecuredCluster instead.
The following are some of the configuration options available for the centralized components. See the Operator configuration topic for details about all available options.
- Central configuration options:
- Administrator password
- Exposure type
- TLS Certificate
- Persistence settings
- Resource requests and limits
- Scanner configuration options:
- Enable or disable scanner
- Scanner settings
- Connectivity policy for offline mode
- General options:
- Trusted Certificate Authorities
The following are some of the advanced configuration options available for the centralized components. See the Operator configuration topic for details about all available options.
- Image pull secrets
- Customizations and environment variables
After Central finishes installing, log into the RHACS portal to verify successful installation.
- Go to the Central custom resource and select your central instance. By default, this is
- On the details page, find the admin credentials information and exposure summary.
- Run the command in Central Admin Credentials Info to get your admin password.
- Navigate to the Networking side tab and select Routes.
- Search for the Route named Central and navigate to its location.
- Log into the RHACS user interface using the username admin and the password you retrieved from the Central Admin Credentials Info details.
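As an added example (not code from the RHACS documentation or the operator project), the following shell script renders a Central custom resource carrying the option groups listed above, creates the dedicated project, applies the manifest, and then prints the Route host and admin password that the verification steps have you look up in the console. The field names follow the platform.stackrox.io/v1alpha1 Central spec as I understand it and should be checked against the Operator configuration topic; the namespace, Secret names, resource sizes, environment variable and PEM body are placeholders.

```shell
#!/bin/sh
# Added example, not from the RHACS documentation or the operator project.
# Renders a Central custom resource carrying the option groups the guide
# lists, applies it to a dedicated project, then prints the login details the
# verification steps have you look up in the console. Field names follow the
# platform.stackrox.io/v1alpha1 Central spec as I understand it; check them
# against the Operator configuration topic. Names and sizes are placeholders.

NAMESPACE="${STACKROX_NS:-stackrox}"   # dedicated project, never openshift-operators

# Print the Central manifest. The Secrets it references (admin password with a
# "password" key, TLS certificate, pull secret) are assumed to exist already.
render_central() {
  ns="$1"
  cat <<EOF
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: ${ns}
spec:
  central:
    adminPasswordSecret:          # administrator password from a pre-created Secret
      name: central-admin-password
    exposure:                     # exposure type: OpenShift Route, no LoadBalancer
      route:
        enabled: true
      loadBalancer:
        enabled: false
    defaultTLSSecret:             # TLS certificate (Secret with tls.crt and tls.key)
      name: central-default-tls
    persistence:                  # persistence settings: dedicated PVC for the database
      persistentVolumeClaim:
        claimName: stackrox-db
        size: 100Gi
    resources:                    # resource requests and limits
      requests:
        cpu: "1500m"
        memory: "4Gi"
      limits:
        cpu: "4"
        memory: "8Gi"
  scanner:
    scannerComponent: Enabled     # enable or disable scanner
    analyzer:
      scaling:                    # scanner settings
        autoScaling: Enabled
        minReplicas: 2
        maxReplicas: 5
  egress:
    connectivityPolicy: Online    # Offline for air-gapped clusters (no definition downloads)
  tls:
    additionalCAs:                # trusted certificate authorities
      - name: corporate-root-ca
        content: |
          -----BEGIN CERTIFICATE-----
          PLACEHOLDER-PEM-BODY
          -----END CERTIFICATE-----
  imagePullSecrets:               # image pull secrets for a private registry
    - name: stackrox-pull-secret
  customize:
    envVars:                      # environment variables injected into Central
      - name: PLACEHOLDER_ENV_VAR
        value: "example"
EOF
}

# Self-check on the rendered manifest: it targets the given namespace and the
# scanner has not been disabled by a stray edit.
central_manifest_ok() {
  out=$(render_central "$1")
  printf '%s\n' "$out" | grep -q "^  namespace: $1\$" &&
    printf '%s\n' "$out" | grep -q "scannerComponent: Enabled"
}

# Create the dedicated project if needed and apply the manifest.
apply_central() {
  oc get ns "$NAMESPACE" >/dev/null 2>&1 || oc create ns "$NAMESPACE"
  render_central "$NAMESPACE" | oc apply -f -
}

# Wait for the Central deployment, then print the Route host and the admin
# password, read back from the Secret the manifest references.
central_login_info() {
  oc -n "$NAMESPACE" rollout status deployment/central --timeout=15m
  host=$(oc -n "$NAMESPACE" get route central -o jsonpath='{.spec.host}')
  pw=$(oc -n "$NAMESPACE" get secret central-admin-password \
    -o go-template='{{index .data "password" | base64decode}}')
  printf 'URL: https://%s\nuser: admin\npassword: %s\n' "$host" "$pw"
}

# Only touch the cluster when invoked as: sh central.sh apply
if [ "${1-}" = "apply" ]; then
  apply_central && central_login_info
fi
```

Run `sh central.sh apply` on a cluster where the operator is installed; without the `apply` argument the script only defines functions, so `render_central stackrox` can be used to review the manifest before anything is created. Because the manifest supplies the admin password through a pre-created Secret, the login function reads it back from that Secret; if you let the operator generate the password instead, use the command shown under Central Admin Credentials Info.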
You must install the Secured Cluster services on every cluster in your environment that you want to monitor. For each cluster on which you have installed the RHACS operator, perform the following actions:
Before deploying a SecuredCluster resource, you need to create a cluster init bundle secret. This secret contains the certificates required for mutual authentication between RHACS services.
Navigate to the RHACS user interface.
To create a cluster init bundle secret, navigate to Platform Configuration > Clusters, and then click Manage Tokens in the top-right corner. Select Cluster Init Bundle, and click Generate Bundle. Select Download Kubernetes secrets file, and store the file under a name of your choice.
Run the following command using your downloaded Kubernetes secrets file. If you have chosen a name other than init-bundle.yaml or a project other than stackrox, specify that file name and project namespace instead.
oc create -f init-bundle.yaml -n stackrox
To install Secured Cluster services, use the following instructions:
Go to your OpenShift Container Platform Console and navigate to Operators > Installed Operators.
Select the Advanced Cluster Security Operator.
On the Details tab under the Provided APIs section, select Create instance on the SecuredCluster API.
Enter a name for your secured cluster. Central uses this name to reference the secured cluster in the StackRox portal.
For Central Endpoint, enter the address and port number of your Central instance. For example, if Central is available at https://central.example.com, then specify central.example.com:443 as the Central endpoint. The default value of central.stackrox:443 only works if you are installing the secured cluster services in the same cluster that Central is installed in.
Perform any supported customization to meet your organizational needs. To learn more about supported customizations, view the operator configuration guide.
The following are some of the configuration options available for the Secured Cluster services. See the Operator configuration topic for details about all available options.
- Sensor settings
- Admission Control settings
- Compliance settings
- Collector settings
- Trusted Certificate Authorities
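As an added example (not code from the RHACS documentation or the operator project), the following shell script ties together the secured-cluster steps above: it applies the downloaded init bundle secrets file and checks that the expected TLS secrets were created, derives the Central Endpoint value from a Central URL the way the text describes, and renders and applies a SecuredCluster custom resource with the option groups just listed. The field names follow the platform.stackrox.io/v1alpha1 SecuredCluster spec as I understand it and should be checked against the Operator configuration topic; the secret names the init bundle creates, the cluster name, the Central address, resource sizes and the PEM body are assumptions or placeholders.

```shell
#!/bin/sh
# Added example, not from the RHACS documentation or the operator project.
# Installs the init bundle secret and a SecuredCluster custom resource on a
# cluster that already has the operator. Field names follow the
# platform.stackrox.io/v1alpha1 SecuredCluster spec as I understand it; check
# them against the Operator configuration topic. The cluster name, Central
# address, resource sizes and the PEM body are placeholders.

NAMESPACE="${STACKROX_NS:-stackrox}"   # same dedicated project as Central uses

# Turn a Central URL into the endpoint value the guide asks for: drop the
# scheme and any path, and default to port 443 when the URL names no port.
central_endpoint_from_url() {
  hostport="${1#*://}"
  hostport="${hostport%%/*}"
  case "$hostport" in
    *:*) printf '%s\n' "$hostport" ;;
    *)   printf '%s:443\n' "$hostport" ;;
  esac
}

# Secrets an init bundle file is expected to create (my assumption about the
# generated file; adjust if yours differs). If one is missing, the matching
# component cannot present a certificate to Central and will not connect.
INIT_BUNDLE_SECRETS="sensor-tls collector-tls admission-control-tls"

install_init_bundle() {
  ns="$1" file="$2"
  oc create -f "$file" -n "$ns"
  for s in $INIT_BUNDLE_SECRETS; do
    oc -n "$ns" get secret "$s" >/dev/null 2>&1 ||
      { echo "init bundle did not create secret $s in $ns" >&2; return 1; }
  done
}

# Print the SecuredCluster manifest with the option groups the guide lists.
render_secured_cluster() {
  ns="$1" cluster="$2" endpoint="$3"
  cat <<EOF
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: ${ns}
spec:
  clusterName: ${cluster}           # name Central shows for this cluster in the portal
  centralEndpoint: ${endpoint}
  sensor:                           # sensor settings
    resources:
      requests:
        cpu: "1"
        memory: "1Gi"
  admissionControl:                 # admission control settings
    listenOnCreates: true
    listenOnUpdates: true
    enforceOnCreates: true          # block violating workloads instead of only reporting them
    enforceOnUpdates: true
    timeoutSeconds: 20
  perNode:
    collector:                      # collector settings
      collection: EBPF
      imageFlavor: Regular
    compliance:                     # compliance settings
      resources:
        requests:
          cpu: "100m"
          memory: "128Mi"
    taintToleration: TolerateTaints # run on every node, including tainted ones
  tls:
    additionalCAs:                  # trusted certificate authorities
      - name: corporate-root-ca
        content: |
          -----BEGIN CERTIFICATE-----
          PLACEHOLDER-PEM-BODY
          -----END CERTIFICATE-----
EOF
}

# Only touch the cluster when invoked as:
#   sh secured-cluster.sh apply init-bundle.yaml my-cluster https://central.example.com
if [ "${1-}" = "apply" ]; then
  install_init_bundle "$NAMESPACE" "$2" &&
    render_secured_cluster "$NAMESPACE" "$3" "$(central_endpoint_from_url "$4")" |
    oc apply -f -
fi
```

Run `sh secured-cluster.sh apply init-bundle.yaml my-cluster https://central.example.com` on each cluster you want to secure. The endpoint helper turns that URL into `central.example.com:443`, and the init bundle check fails before the SecuredCluster resource is created if the secrets file did not produce the expected TLS secrets, so a wrong or stale bundle is caught early rather than showing up later as a cluster that never connects.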
After you complete the installation and configure necessary integrations, run sample applications to evaluate the results of security assessments and policy violations.
The sample applications described below are specifically designed to verify the build and deploy-time assessment features of the StackRox Kubernetes Security Platform.
To run the sample application:
Create a new namespace (or project).
kubectl create ns test
Start a few workloads with critical vulnerabilities:
kubectl run shell --labels=app=shellshock,team=test-team --image=vulnerables/cve-2014-6271 -n test
kubectl run samba --labels=app=rce --image=vulnerables/cve-2017-7494 -n test
The StackRox Kubernetes Security Platform automatically scans these deployments for security risk and policy violations as soon as they’re submitted to the cluster.
We're happy to help! Reach out to us to discuss questions, issues, or feature requests.