Containers may be like "sandboxes," but libraries and applications still run inside of them, and like everything else, those components need to be monitored for vulnerabilities. Red Hat Advanced Cluster Security for Kubernetes (RHACS) scans container images for known vulnerabilities, collects runtime data (process and network activity) from running containers, and checks Kubernetes clusters against security policies, enforcing them where you configure it to. RHACS can gather information about the container platform and the images, applications, and configuration assets that control the behavior of applications once deployed.
When I'm doing product testing, I deploy RHACS on OpenShift. It's uncovered some major vulnerabilities before deployment, and preventing them from getting into production is what matters.
The first step is to install the Advanced Cluster Security (ACS) Operator. To start, log into your OpenShift Container Platform (OCP) web console, search for ACS in OperatorHub, and install it. By default, the Operator is installed in the rhacs-operator namespace.
The Operator provides two custom resources, which you create after installing it:
- Central installs the Central, Scanner, and Scanner DB services. Central serves the RHACS portal (the web UI) and the API, and it owns persistent storage. Scanner analyzes images for known vulnerabilities and uses Scanner DB as a cache for vulnerability definitions.
- Secured Cluster installs the Collector, Sensor, and Admission Controller services. Collector gathers runtime information on container process and network activity from each node and sends it to Sensor, which monitors the Kubernetes cluster for policy detection and enforcement. Admission Controller intercepts workload creation and updates in the cluster and rejects those that violate enforced security policies, so a non-compliant deployment never gets scheduled.
First, select the rhacs-operator namespace, and then click on Create project. Create a new namespace, such as stackrox.
In the stackrox project, click on Central under Provided APIs.
Enter a name for your Central custom resource, and then click Create.
Once Central is running, the RHACS portal (the web UI) is ready for you to log in.
Navigate to Networking > Routes to get the new portal's URL.
Get the admin password for Central (the RHACS portal) by clicking on Workloads > Secrets > central-htpasswd, and copy the password.
Now log into the RHACS portal using the ID admin with the password you copied.
Generate an init bundle
Before you can create a Secured Cluster, you need to generate an init bundle. The Secured Cluster services use the certificates in this bundle to authenticate with Central. You can generate it from the RHACS portal or with the roxctl CLI.
In the RHACS portal, navigate to Platform Configuration > Integrations. Under the Authentication Tokens section, click on Cluster Init Bundle.
Click Generate bundle, and then click Download Kubernetes secrets file to download the generated bundle and save the YAML file.
In the OpenShift UI, click on the + (plus sign) in the top-right of the stackrox project and import the YAML file you downloaded.
This creates the secrets that the Secured Cluster services (Sensor, Collector, and Admission Controller) use to authenticate with Central. The bundle contains private keys, so treat the YAML file as a credential and delete it once it has been imported.
Install a Secured Cluster
Almost done! All that's left is to install the Secured Cluster. Under the Provided APIs section, select Create instance on the Secured Cluster API, and create it in the same project (stackrox) where you imported the init bundle.
Once the Sensor and Collector pods are running, go to the RHACS portal and click on the dashboard. The dashboard now shows data for clusters, nodes, and violations. It also shows the number of critical, high, and medium violations by cluster. You can click on each number to see details.
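The same flow, done from the command line instead of the console, as an added example that is not part of the original article or of the RHACS project's own tooling. It assumes you are logged in with oc as cluster-admin, the RHACS Operator is already installed, and roxctl is on your PATH. The project name (stackrox), the cluster name, the CR names and the CR field values are illustrative; the field names follow the platform.stackrox.io/v1alpha1 API as I know it, so check them against the CRDs shipped with your Operator version.

```shell
#!/bin/sh
# Added example (not from the original article or Red Hat): the console
# steps above, scripted with oc and roxctl.
# Assumptions: logged in as cluster-admin, RHACS Operator installed,
# roxctl on PATH. Namespace, names and CR fields are illustrative.
set -eu

NS="${NS:-stackrox}"                                  # project for Central and the Secured Cluster
CLUSTER_NAME="${CLUSTER_NAME:-my-openshift-cluster}"  # name shown for this cluster in the portal
INIT_BUNDLE="${INIT_BUNDLE:-init-bundle.yaml}"        # contains private keys: delete after apply

# Central CR: Central + Scanner + Scanner DB, exposed through an OpenShift route.
central_manifest() {
  cat <<EOF
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: ${NS}
spec:
  central:
    exposure:
      route:
        enabled: true
  scanner:
    scannerComponent: Enabled
EOF
}

# SecuredCluster CR: Sensor + Collector + Admission Controller.
# The admission controller can only reject violating workloads if it is
# told to listen on creates and updates; that is off by default.
secured_cluster_manifest() {
  cat <<EOF
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: ${NS}
spec:
  clusterName: ${CLUSTER_NAME}
  centralEndpoint: central.${NS}.svc:443
  admissionControl:
    listenOnCreates: true
    listenOnUpdates: true
    listenOnEvents: true
EOF
}

# Extract and base64-decode .data.password from the JSON of the
# central-htpasswd secret (read on stdin): the CLI equivalent of copying
# the password out of Workloads > Secrets in the console.
password_from_secret_json() {
  sed -n 's/.*"password": *"\([^"]*\)".*/\1/p' | base64 -d
}

install_rhacs() {
  oc get project "$NS" >/dev/null 2>&1 || oc new-project "$NS"

  central_manifest | oc apply -f -
  oc -n "$NS" rollout status deploy/central --timeout=600s

  host=$(oc -n "$NS" get route central -o jsonpath='{.spec.host}')
  password=$(oc -n "$NS" get secret central-htpasswd -o json | password_from_secret_json)
  echo "RHACS portal: https://${host} (user: admin)"

  # Init bundle: the secrets the Secured Cluster services use to authenticate to Central.
  roxctl -e "${host}:443" -p "$password" central init-bundles generate "$CLUSTER_NAME" \
    --output-secrets "$INIT_BUNDLE"
  oc -n "$NS" apply -f "$INIT_BUNDLE"
  rm -f "$INIT_BUNDLE"

  secured_cluster_manifest | oc apply -f -
  oc -n "$NS" rollout status deploy/sensor --timeout=600s
  oc -n "$NS" rollout status ds/collector --timeout=600s
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "install" ]; then
  install_rhacs
fi
```

Run it as `sh install-rhacs.sh install`. If the Central route is fronted by a certificate your workstation does not trust (common on test clusters), roxctl will refuse the connection; either import the CA or add `--insecure-skip-tls-verify` to the roxctl call for that lab cluster only. The init bundle is removed right after it is applied because the YAML holds the service certificates and keys; leaving it on disk hands anyone who reads it a way to impersonate a secured cluster to Central.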
RHACS for Kubernetes automatically scans all deployments in the cluster for security risks and policy violations. For any new deployment, scanning starts as soon as the deployment is submitted to the cluster, and with admission control enforcement enabled a deployment that violates an enforced policy is rejected before it is scheduled.
You can view all images scanned for vulnerabilities and their details at Vulnerability Management > Dashboard > View All (Top Riskiest Images).
Monitoring your systems is a vital part of maintenance, so stay informed about what you're about to deploy, and catch any problems before they go live.