Debug School

Cover image for Red Hat Advanced Cluster Security
Suyash Sambhare
Suyash Sambhare

Posted on

Red Hat Advanced Cluster Security

Shielding cloud-native applications requires substantial changes in security. Apply controls beforehand in the application development life cycle, use the infrastructure itself to apply controls and keep up with progressively quick release plans.

Driven by StackRox technology, ACS shields your fundamental applications across build, deployment, and runtime. The software deploys in your infrastructure and incorporates with your DevOps tooling and roadmaps to bring better defence and agreement. The policy engine includes hundreds of assembled controls to impose DevOps and security best practices, industry standards such as CIS Benchmarks and National Institute of Standards Technology (NIST) guidelines, configuration management of both containers and Kubernetes and runtime security.

Features and Benefits

  • Increases protection.
  • Destroys blind spots, providing staff with insights into critical vulnerabilities and threat vectors.
  • Reduces time and costs.
  • Reduces the time and effort needed to implement security and streamlines security analysis, investigation, and remediation using the rich context Kubernetes provides.
  • Increases scalability and portability.
  • Provides scalability and resiliency native to Kubernetes, avoiding operational conflict and complexity that can result from out-of-band security controls.

RHACS Operator

Red Hat provides the RHACS Operator by using the following update channels in the Red Hat Operator catalogue:

  • stable: Provides the most recent version and patches to the most recent version. Using the stable channel and configuring automatic operator upgrades ensures that the most recent RHACS version is deployed.
  • rhacs-x.yy: Channels follow a specific RHACS version and include all patches to that version. Newer versions are published to the stable channel.

Custom Resources

  • Central Services - Central is a deployment required on only one cluster in your environment. Users interact with RHACS via the user interface or APIs on Central. Central also sends notifications for violations and interacts with integrations. Users may select exposures for Central that best meet their environment.
  • Secured Cluster Services - Secured cluster services are placed on each cluster you manage and report back to Central. These services allow users to enforce policies and monitor your OpenShift and Kubernetes clusters. Secured Cluster Services come as two Deployments (Sensor and Admission Controller) and one DaemonSet (Collector).


Central Services

Service Deployment Type Description
Central Deployment Users interact with Red Hat Advanced Cluster Security through the user interface or APIs on Central. Central also sends notifications for violations and interacts with integrations.
Central DB Deployment Central DB is a PostgreSQL-based persistent storage for the data collected and managed by Central.
Scanner Deployment Scanner is a Red Hat developed and certified image scanner. Scanner analyzes and reports vulnerabilities for images. Scanner uses HPA to scale the number of replicas based on workload.
Scanner DB Deployment Scanner DB is a cache for vulnerability definitions to serve vulnerability scanning use cases throughout the software development life cycle.

Secured Cluster Services

Service Deployment Type Description
Sensor Deployment Sensor analyzes and monitors Kubernetes in secured clusters.
Collector DaemonSet Analyzes and monitors container activity on Kubernetes nodes.
Admission Controller Deployment ValidatingWebhookConfiguration for enforcing policies in the deploy lifecycle.

Central Custom Resource

Central Services is the configuration template for RHACS Central deployment. For all customization options, please visit the RHACS documentation.

SecuredCluster Custom Resource

SecuredCluster is the configuration template for the RHACS Secured Cluster services.

Installation Prerequisites

Before deploying a SecuredCluster resource, you need to create a cluster init bundle secret.

  • Through the RHACS UI: To create a cluster init bundle secret through the RHACS UI, navigate to Platform Configuration > Clusters, and then click Manage Tokens in the top-right corner. Select Cluster Init Bundle and click Generate Bundle. Select Download Kubernetes secrets file and store the file under a name of your choice (for example, cluster-init-secrets.yaml).
  • Through the roxctl CLI: To create a cluster init bundle secret through the roxctl command-line interface, run roxctl central init-bundles generate <name> --output-secrets <file name>. Run oc project and check that it reports the correct namespace where you intend to deploy SecuredCluster. In case you want to install SecuredCluster to a different namespace, select it by running oc project <namespace>. Then, run oc create -f init-bundle.yaml.

Required Fields
The following attributes are required to be specified. For all customization options, please visit the RHACS documentation.

Parameter Description
clusterName The name given to this secured cluster. The cluster will appear with this name in RHACS user interface.
centralEndpoint This field should specify the address of the Central endpoint, including the port number. centralEndpoint may be omitted if this SecuredCluster Custom Resource is in the same cluster and namespace as Central.


Top comments (0)