Deploying Red Hat Advanced Cluster Security for Kubernetes

Overview

Hello everyone, welcome back. Thanks for viewing my earlier article on Continuous Security for Cloud-native Applications.

In this article, we will look at how to install Red Hat Advanced Cluster Security for Kubernetes (RHACS, also named StackRox).

The following diagram shows the high-level architecture of how RHACS connects to the managed clusters. The main components are:

  • Central: gathers and displays information from the other components
  • Scanner: scans images for vulnerabilities
  • Sensor: collects and augments data from the Collector
  • Admission Controller: interacts with the Kubernetes API server and prevents the creation of workloads that don't adhere to security policies
  • Collector: collects and monitors container activities

Goal

  • Install Advanced Cluster Security Central
  • Deploy Secured Cluster Services
  • Summary

Install Advanced Cluster Security / StackRox Central

In this section you install Advanced Cluster Security / StackRox Central v3.0.x on top of Red Hat OpenShift Container Platform (OCP) running on AWS. For the official documentation, please see the quick start guide.

Please note that the RHACS operator isn't available from the OpenShift OperatorHub at the time I am writing this article, so I will use the Helm chart for the installation in this article.

Check Helm version

Use the 'helm version' command to verify that the installed version of Helm is v3.2 or newer. If Helm is not installed, please see the instructions for installing the Helm CLI.

$ helm version

version.BuildInfo{Version:"v3.5.0+6.el8", GitCommit:"77fb4bd2415712e8bfebe943389c404893ad53ce", GitTreeState:"clean", GoVersion:"go1.14.12"}

Get the Helm chart

1. Add the Advanced Cluster Security charts repository

$ helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/

"rhacs" has been added to your repositories

2. Verify the added repository

$ helm search repo -l rhacs/

NAME                                   	CHART VERSION	APP VERSION	DESCRIPTION                             
rhacs/central-services                 	61.0.0       	3.0.61.0   	Helm Chart for StackRox Central Clusters
...
rhacs/secured-cluster-services         	61.0.0       	3.0.61.0   	Helm Chart for StackRox Secured Clusters
...
rhacs/stackrox-central-services        	61.0.0       	3.0.61.0   	Helm Chart for StackRox Central Clusters
...
rhacs/stackrox-secured-cluster-services	61.0.0       	3.0.61.0   	Helm Chart for StackRox Secured Clusters
...

3. Update the local chart repository cache so that you have the latest version of the charts on your machine

$ helm repo update

Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "rhacs" chart repository
Update Complete. ⎈Happy Helming!⎈

Install Central with Helm

You can install it with an OpenShift Route exposed, as shown below:

$ helm install -n stackrox --create-namespace stackrox-central-services rhacs/central-services --set imagePullSecrets.allowNone=true --set central.exposure.route.enabled=true

NAME: stackrox-central-services
LAST DEPLOYED: Mon Jun 14 04:17:25 2021
NAMESPACE: stackrox
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
StackRox 3.0.61.0 has been installed.
...
Thank you for using StackRox!

Accessing Advanced Cluster Security / StackRox Dashboard

To access Central through an OpenShift route, look up the route hostname with the 'oc get route' command:

$ oc get route central -n stackrox

NAME      HOST/PORT                                                       PATH   SERVICES   PORT    TERMINATION   WILDCARD
central   central-stackrox.apps.cluster-5txzv.5txzv.example.opentlc.com          central    https   passthrough   None

Launch your browser and navigate to https://central-stackrox.apps.cluster-5txzv.5txzv.example.opentlc.com/ as shown above. When prompted, please accept the self-signed certificate twice.

Log in to the Advanced Cluster Security dashboard using the admin credentials printed in the Central installation log earlier.


Once logged in successfully, you will see the following dashboard. Congratulations, you have successfully installed Advanced Cluster Security Central.


Deploy Secured Cluster Services

To monitor a cluster, you must deploy the secured cluster services v3.0.x.

Using ROXCTL

To create a secured cluster, you need to create an init bundle. This bundle is used by a secured cluster to authenticate to Central.

1. Follow the authentication instructions and generate a 'ROX_API_TOKEN'. Remember to select the 'admin' role when generating the token.

2. Create the following environment variables for the lab environment, as shown below.

$ export ROX_API_TOKEN=<api-token>
$ export ROX_CENTRAL_ADDRESS=central-stackrox.apps.cluster-5txzv.5txzv.example.opentlc.com:443

3. Download ROXCTL from the Central dashboard and copy it over to the Bastion host. The Bastion is running on Red Hat Enterprise Linux 8.2.

4. Generate a cluster init bundle using the 'roxctl' CLI:

$ roxctl -e "$ROX_CENTRAL_ADDRESS" central init-bundles generate cluster-init-bundle-name --output cluster-init-bundle.yaml

...
Successfully generated new init bundle.

  Name:       cluster-init-bundle-name
  Created at: 2021-06-14T06:12:53.481197005Z
  Expires at: 2022-06-14T06:13:00Z
  Created By: myadmin
  ID:         dd6a48e8-2b91-4b77-941b-df804a466cf5

The newly generated init bundle has been written to file "cluster-init-bundle.yaml".
...

Deploy a sensor

Run the following command to deploy a sensor, passing the init bundle generated above:

$ helm install -n stackrox --create-namespace stackrox-secured-cluster-services rhacs/secured-cluster-services -f cluster-init-bundle.yaml \
> --set clusterName=sam-tlc-lab \
> --set imagePullSecrets.allowNone=true

NAME: stackrox-secured-cluster-services
LAST DEPLOYED: Mon Jun 14 06:32:39 2021
NAMESPACE: stackrox
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
StackRox Secured Cluster Services 3.0.61.0 has been installed.

Secured Cluster Configuration Summary:

  Name:                                        sam-tlc-lab
  Kubernetes Namespace:                        stackrox
  Helm Release Name:                           stackrox-secured-cluster-services
  Central Endpoint:                            central.stackrox:443
  OpenShift Cluster:                           4
  Admission Control Webhooks deployed:         
  Admission Control Creates/Updates enforced:  false
...
Thank you for using StackRox!

Log in to the Advanced Cluster Security dashboard again. You should now see some system violations data, as shown below. Congratulations, you have successfully deployed the secured cluster services.
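Three things in the procedure above are easy to get wrong silently: an old Helm, an init bundle that has since expired (the roxctl summary shows a one-year lifetime), and a secured cluster whose summary reports "Admission Control Creates/Updates enforced: false", meaning policy violations are recorded but not blocked. The POSIX shell helpers below check each of these from the text the tools print; they are an added example, not code from the article or from the RHACS project, and the sample strings are constructed from the output shapes shown above.

```shell
#!/bin/sh
# Added example, not part of the original article: pure-shell checks for the
# steps above. Each function takes the text a tool printed (helm, roxctl),
# so it can be exercised offline against the constructed samples below.

# helm_version_ok OUTPUT: succeed if `helm version` reports v3.2 or newer.
# Parses version.BuildInfo{Version:"v3.5.0+6.el8", ...} with sed only.
helm_version_ok() {
  v=$(printf '%s\n' "$1" |
      sed -n 's/.*Version:"v\([0-9][0-9]*\)\.\([0-9][0-9]*\)[^"]*".*/\1 \2/p')
  [ -n "$v" ] || return 1
  set -- $v                       # $1=major $2=minor
  [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 2 ]; }
}

# bundle_expiry OUTPUT: print the "Expires at" timestamp from a roxctl
# init-bundle summary, or nothing if the line is missing.
bundle_expiry() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Expires at:[[:space:]]*\(.*\)$/\1/p'
}

# bundle_valid_on OUTPUT DATE: succeed if the bundle has not expired on DATE
# (YYYY-MM-DD). RFC 3339 UTC timestamps sort lexically, so a string
# comparison is enough; expr's < operator is POSIX.
bundle_valid_on() {
  exp=$(bundle_expiry "$1")
  [ -n "$exp" ] || return 1
  expr "$2" \< "$exp" >/dev/null
}

# admission_enforced OUTPUT: succeed only if the secured-cluster NOTES say
# "Admission Control Creates/Updates enforced:  true". The chart output in
# this article reports false, i.e. violations are observed, not blocked.
admission_enforced() {
  printf '%s\n' "$1" |
    grep -q '^[[:space:]]*Admission Control Creates/Updates enforced:[[:space:]]*true'
}

# Constructed samples, copied from the shapes shown in the article.
HELM_SAMPLE='version.BuildInfo{Version:"v3.5.0+6.el8", GitCommit:"77fb4bd", GitTreeState:"clean", GoVersion:"go1.14.12"}'
BUNDLE_SAMPLE='Successfully generated new init bundle.

  Name:       cluster-init-bundle-name
  Expires at: 2022-06-14T06:13:00Z'
NOTES_SAMPLE='  Admission Control Webhooks deployed:
  Admission Control Creates/Updates enforced:  false'

helm_version_ok "$HELM_SAMPLE" && echo "helm: ok" || echo "helm: too old"
bundle_valid_on "$BUNDLE_SAMPLE" 2021-06-15 && echo "bundle: valid" || echo "bundle: expired"
admission_enforced "$NOTES_SAMPLE" && echo "admission: enforced" || echo "admission: audit only"
```

Run it against the real output by substituting `$(helm version)` and the saved roxctl and helm NOTES text for the samples; a failing `admission_enforced` is the cue to review the chart's admission-control settings before relying on the cluster to block non-compliant workloads.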


Summary

In conclusion, we completed the following tasks in this article:

  • Installed Advanced Cluster Security Central
  • Deployed Secured Cluster Services

I hope this was informative and of value to you.
