Skip to main content
  1. Take it in Bytes/
  2. Tech/OpenShift/
  3. OCP Engineering/

Deploying Red Hat Advanced Cluster Security (RHACS) in a Private OpenShift Cluster

·5 mins· 0
Technical Introduction Guide RHACS Trivy DAST SAST IAST StackRox eBPF OPA SCA DevOps Private Network OpenShift Security ACS DevSecOps
Table of Contents
Advanced Cluster Security - This article is part of a series.
Part 2: This Article

Today, we’ll be exploring Red Hat Advanced Cluster Security (RHACS) and how to deploy it within a private OpenShift cluster. RHACS is an end-to-end Kubernetes-native security solution that provides deep visibility and control to minimize the risk area and provide the necessary governance and control for your OpenShift clusters.

For More Information See my prior write-up on the basics of RHACS

Why Red HAt Advanced Cluster Security (RHACS)? #

RHACS helps to identify, prioritize, and resolve the most critical security risks and vulnerabilities in your clusters. It offers several key features to enhance the security of your OpenShift cluster:

  • Cluster-wide visibility into workloads, network traffic, and vulnerabilities
  • Policy-driven security enforcement and compliance management
  • Integration with CI/CD pipelines for early detection of security issues
  • Centralized monitoring and management of your OpenShift cluster’s security

This is achieved through the capabilities of:

  • Risk Prioritization: Identifies and ranks vulnerabilities to help security teams focus on the most significant issues.
  • Compliance Automation: Simplifies compliance with automated policy enforcement and audit-ready reporting.
  • Threat Prevention: Blocks attacks and enforces security controls in real-time.

Deploying RHACS in OpenShift #

RHACS Offline Mode #

It is possible to use Red Hat Advanced Cluster Security (RHACS) for Kubernetes for clusters that are not connected to the internet by enabling offline mode. Offline mode allows RHACS components to operate without connecting to public addresses or hosts.

This requires the following:

  1. Retrieve RHACS images and install in cluster.
  2. Enable offline mode during install (not upgrades).
Remember to routinely update your Scanner’s vulnerability list!

Images can be downloaded via OLM and the OperatorHub with an internet-connected workstation and then pushed to your mirror registry. You can also manually pull and retag using tools such as Skopeo, Docker, etc, described below.

The images are as follows:

You must maintain the name of the image and tag when retagging.

For each image, you should pull, tag, and push to your private registry:

docker login
docker pull <image>
docker tag <image> <new_image>
docker push <new_image>

You can also mirror entire registries, which you can read more about in my post on the Integrated OCP Registry. You can also see further examples in this post by Zhimin Wen.

Deploying the RHACS Operator #

RedHat-Logo-Hat-ColorRedHat-Logo-Hat-ColorSee Red Hat’s docs for prerequisite and sizing information.

RHACS can be deployed on OpenShift using the RHACS Operator. Here’s how to get started:

  • Install the RHACS Operator
oc new-project stackrox
oc create -f
oc apply -f operator.yaml
You can also deploy the Operator from the OCP Web Console via the Operator Catalog.
  • Deploy RHACS

Create a RHACS resource to deploy the Central component and its dependencies. You can customize the resource to suit your needs. Below is a basic example:

kind: Central
  name: central
    - name: redhat-pull-secret

Using the Web console automates the generation and installation of this configuration.

  • Deploy Scanner and Sensor

After deploying Central, you need to deploy the Scanner and Sensor components. Scanner is used for scanning images for vulnerabilities, and Sensor is used for securing your running workloads.

oc apply -f scanner.yaml
oc apply -f sensor.yaml
  • Access RHACS

Once RHACS is up and running, you can access it through its route:

oc get route central -n stackrox

Follow-up #

Remember to enable offline mode during the install, as mentioned above. If you prefer using Helm or roxctl, you can find instructions here.

In order to begin monitoring a cluster, whether it be the hosting cluster or another, you must install the SecureCluster resource on each target cluster. Prior to that, you will need to create an init bundle. This is usually relatively easy, but can be tricky in disconnected environments. However, following Red Hat’s documentation should resolve any issues you might have.

Key Considerations #

  • Networking: Ensure that RHACS can communicate with your cluster nodes and that it can pull images from Red Hat’s registry or your private registry.
  • Compatibility: RHACS is compatible with OpenShift 4.6 and later. Ensure your cluster meets this requirement.
  • RBAC: Consider who should have access to RHACS and what actions they should be able to perform. RHACS offers granular role-based access control (RBAC) to ensure that users only have access to the necessary resources and actions.
  • Storage: RHACS requires a persistent storage backend for its components. Make sure you have enough storage available and that it’s scalable.
  • Monitoring and Alerting: Integrate RHACS with your existing monitoring and alerting solutions to receive notifications on critical security issues and policy

Conclusion #

Deploying RHACS in your private OpenShift cluster provides a significant boost to your cluster’s security posture. With its risk prioritization, compliance automation, and threat prevention capabilities, RHACS offers an all-in-one solution for securing your OpenShift clusters. Although it requires some setup and configuration, the enhanced visibility and control over your cluster’s security make it a worthy addition.

References #

Advanced Cluster Security - This article is part of a series.
Part 2: This Article