At a high level, deploying Red Hat Advanced Cluster Security involves the following steps:
- Install the Advanced Cluster Security operator using the OpenShift embedded Operator Hub.
- Install the Central component.
- Generate the Init bundle and create the required resources.
- Install Secured Cluster services.
Installing Advanced Cluster Security operator
To install the Advanced Cluster Security operator:
- Log in to the OpenShift web console and select Operators > Operator Hub.
- Search for and select Advanced Cluster Security for Kubernetes. Click Install.
- On the Install Operator page:
  - Keep the Installation mode default value as All namespaces on the cluster.
  - For the Installed namespace field, choose a specific namespace in which to install the operator.
    Red Hat recommends installing the Red Hat Advanced Cluster Security for Kubernetes operator in the rhacs-operators namespace.
  - Under Update approval, select automatic updates.
- Click Install.
Figure 34. Installing ACS operator
- After the installation finishes, select Operators > Installed Operators.
- Verify that the Red Hat Advanced Cluster Security for Kubernetes operator is displayed with the Succeeded status.
Installing Central
Central is an Advanced Cluster Security component that is deployed only on one OpenShift cluster. You can monitor multiple OpenShift clusters using the same instance of Central.
To install Central:
- On the OpenShift Container Platform web console, select Operators > Installed Operators.
- From the list of installed operators, select Red Hat Advanced Cluster Security for Kubernetes.
- Create a project called "stackrox".
- Under Provided APIs, click Create instance of Central.
- Enter a name for your Central CR and add any labels that you want to apply. Alternatively, accept the default values for the available options.
- Click Create.
Note: The Central resource has a PVC in its definition. Ensure that PVC is available on the cluster before deploying Central.
Generating the Init bundle and creating resources
To generate the init bundle using the Advanced Cluster Security portal:
- Using the CLI, fetch the route for the Advanced Cluster Security portal:
[core@csah-pri ~]$ oc get route central -n stackrox
- Open the Advanced Cluster Security portal using the route that you obtained in the preceding step and select Platform Configuration > Integrations.
- Under Authentication Tokens, click Cluster Init Bundle (indicated on the page with a Helm icon).
Figure 35. Advanced Cluster Security Integrations
- Click Generate bundle.
- Enter a name for the cluster init bundle and click Generate.
- To download the generated bundle, click Download Kubernetes Secret File on the Configure Cluster Init Bundle Integration page.
- Create the resources using the YAML file:
[core@csah-pri ~]$ oc create -f <init_bundle>.yaml -n stackrox
Installing Secured Cluster services
Install the secured cluster services using the SecuredCluster CR.
Note: You must install the secured cluster services on every cluster in your environment that you want to monitor using Advanced Cluster Security.
- Log in to the OpenShift web console and select Operators > Installed Operators.
- From the list of installed operators in the stackrox project, select the Red Hat Advanced Cluster Security for Kubernetes operator.
- Under the Provided APIs section, select Secured Cluster.
- Select Create SecuredCluster.
- Enter a name for your SecuredCluster CR.
- For Central Endpoint, enter the address and port number of your Central instance. For example, if Central is available at https://central.example.com, specify the central endpoint as central.example.com:443.
Note: The default value of central.stackrox.svc:443 only works when you install secured cluster services and Central in the same cluster.
Figure 36. Creating a SecuredCluster CR instance
- Accept the default values or update them as needed. Click Create.
When all pods are running, the cluster is displayed in the Central Advanced Cluster Security portal on the Clusters tab under Platform Configuration.
Figure 37. Automated Cluster Security portal
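The init bundle and SecuredCluster steps above can also be checked from the CLI. The script below is an added example, not part of the original guide: it converts a Central URL to the host:port form the Central Endpoint field expects, reports missing init bundle secrets, and renders a SecuredCluster CR. The function names, the cluster name prod-east and the metadata.name value are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): CLI checks around the SecuredCluster CR.

# Turn a Central URL into the host:port form the Central Endpoint field expects,
# e.g. https://central.example.com -> central.example.com:443.
central_endpoint() {
    ep=${1#https://}   # the field takes no URL scheme
    ep=${ep%%/*}       # drop any path component
    case $ep in
        ''|:*|*:|*[!A-Za-z0-9.:-]*|*:*[!0-9]*)
            echo "invalid Central address: $1" >&2; return 1 ;;
        *:*) ;;                 # port already given
        *)   ep="$ep:443" ;;    # default HTTPS port
    esac
    printf '%s\n' "$ep"
}

# Read `oc get secret -n stackrox -o name` output on stdin and print each init
# bundle secret that is absent. Sensor, Collector and the admission controller
# cannot register with Central without them.
missing_init_bundle_secrets() {
    have=$(cat)
    for s in admission-control-tls collector-tls sensor-tls; do
        printf '%s\n' "$have" | grep -qx "secret/$s" || printf '%s\n' "$s"
    done
}

# Render a SecuredCluster CR. $1 = cluster name, $2 = Central URL or host:port.
# metadata.name is an assumed value; the namespace is the page's stackrox project.
secured_cluster_manifest() {
    ep=$(central_endpoint "$2") || return 1
    cat <<EOF
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  clusterName: $1
  centralEndpoint: $ep
EOF
}

# Demo on constructed input: a namespace where one bundle secret is missing.
printf 'secret/sensor-tls\nsecret/collector-tls\n' | missing_init_bundle_secrets
secured_cluster_manifest prod-east https://central.example.com
# On a real cluster:
#   oc get secret -n stackrox -o name | missing_init_bundle_secrets
#   secured_cluster_manifest prod-east https://central.example.com | oc apply -f -
```

The downloaded init bundle file contains the TLS material that secured cluster services use to authenticate to Central, so store it as a credential and delete local copies after the secrets are created.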