Image
How to get started with Red Hat Advanced Cluster Security for Kubernetes
RHACS monitors runtime data on containers to help you uncover potential vulnerabilities during product testing.
Image
Cytonn Photography from Pexels
Containers may be like "sandboxes," but libraries and applications still run inside of them, and like everything else, those components need to be monitored for vulnerabilities. The Red Hat Advanced Cluster Security (RHACS) module monitors runtime data on containers to look for known vulnerabilities and to verify Kubernetes clusters for policy enforcement. RHACS can gather information about the container platform and the images, applications, and configuration assets that control the behavior of applications once deployed.
When I'm doing product testing, I deploy RHACS on OpenShift. It's uncovered some major vulnerabilities before deployment, and preventing them from getting into production is what matters.
Install RHACS
The first step is to install the Advanced Cluster Security (ACS) Operator. To start, log into your OpenShift Container Platform (OCP) web console, search for ACS in OperatorHub, and install it. By default, ACS is installed in the rhacs-operator namespace.
Image
ACS uses two custom resources, which you need to install after installing the ACS Operator:
- Central installs the Central, Scanner, and Scanner DB services. The Central service provides access to a user interface through a web UI or the RHACS portal. It also handles API interactions and provides persistent storage. Scanner analyzes images for known vulnerabilities. It uses Scanner DB as a cache for vulnerability definitions.
- Secured Cluster installs the Collector, Sensor, and Admission Controller services. Collector collects runtime information on container security and network activity. It then sends data to Sensor, which monitors your Kubernetes cluster for policy detection and enforcement. Admission Controller monitors workloads and prevents users from creating them in RHACS when they violate security policies.
Image
[ Shorten your OpenShift learning curve by downloading and reading OpenShift for Developers. ]
Install Central
First, select the rhacs-operator namespace, and then click on Create project. Create a new namespace, such as stackrox.
In the stackrox project, click on Central under Provided APIs.
Image
Enter a name for your Central custom resource, and then click Create.
After installing Central, the RHACS portal or the Web user interface (UI) is ready for you to log in.
Navigate to Networking > Routes to get the new portal's URL.
Image
Get the password of Central (or RHACS portal) by clicking on Workloads > Secrets > central-htpasswd. Copy the password.
Image
Now log into the RHACS portal using the ID admin with the password you copied.
Generate an init bundle
Before you can create a Secured Cluster, you need to generate an init bundle. The Secured Cluster uses this bundle to authenticate with Central. You can do this from the RHACS portal or through Central.
In RHACS portal, navigate to Platform Configuration > Integrations. Under the Authentication Tokens section, click on cluster init bundle.
Click Generate bundle, and then click Download Kubernetes secrets file to download the generated bundle and save the YAML file.
Image
In the OpenShift UI, click on the + (plus sign) in the top-right of the stackrox project and import the YAML file you downloaded.
This creates the required resources for Scanner to authenticate with Central in the RHACS portal.
Install a Secured Cluster
Almost done! All that's left is to install the Secured Cluster. Under the Provided APIs section, select Create instance on the Secured Cluster API.
Image
Once the scanner is up, go to the RHACS portal and click on the dashboard. The dashboard now shows data for clusters, nodes, and violations. It also shows the number of critical, high, and medium violations by cluster. You can click on each number to see details.
[ Learn how to bring security into your DevOps practice. Download A guide to implementing DevSecOps. ]
RHACS for Kubernetes automatically scans all deployments in the cluster for security risks and policy violations. For any new deployment, scanning starts as soon as the deployment is submitted to the cluster.
Image
You can view all images scanned for vulnerabilities and their details at Vulnerability Management > Dashboard > View All (Top Riskiest Images).
Image
Stay informed
Monitoring your systems is a vital part of maintenance, so stay informed about what you're about to deploy, and catch any problems before they go live.
Image
Sometimes the process to delete Kubernetes namespaces gets hung up, and the command never completes. Here's how to troubleshoot terminating namespaces
Image
Find out how to check pod status for your OpenShift deployments.
Image
Ansible provides an easy and flexible way to test containers in your OpenShift 4 clusters.
Shveta Sachdeva
Shveta is a senior software engineer at Red Hat, leading a team. She is a subject-matter expert on the Migration Toolkit for Applications (MTA) and Pathfinder that helps customers migrate their applications to containers (Openshift and Kubernetes) and the latest technologies. More about me
Try Red Hat Enterprise Linux
Download it at no charge from the Red Hat Developer program.
Related Content
Image
Now that your environment has been set up, deploy a sample application on an OpenShift Local cluster.
Image
Install Red Hat OpenShift Local on your own machine to test your work before deployment.
Image
Learn how operators can serve as governance tools in a multitenant setting.