The Red Hat Advanced Cluster Security (RHACS) operator is now available, giving users flexible installation and lifecycle management of RHACS in their OpenShift clusters. Since the StackRox acquisition earlier this year, the team has upgraded and improved how organizations secure and manage their Kubernetes applications and supply chains. Red Hat OpenShift’s use of the operator pattern presents a chance to integrate with OpenShift’s OperatorHub and allow self-service management using the Operator Lifecycle Manager (OLM).
First, let us review how you can utilize RHACS in your day-to-day security operations before we examine the RHACS operator.
What is Red Hat Advanced Cluster Security?
Red Hat Advanced Cluster Security for Kubernetes (RHACS) is the enterprise-ready Kubernetes-native security platform that enables organizations to build, deploy, and run cloud-native applications anywhere more securely. RHACS provides a security application with a lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle.
RHACS is built for Kubernetes, with deep integrations delivering deployment, namespace and cluster-centric visibility. With Kubernetes, risk profiling is different. Misconfigurations are common, so you need a solution that provides rich, multi-factor risk profiling while focusing on the most impactful issues. RHACS is focused on delivering rich Kubernetes-focused context to harden your application lifecycle while maximizing agility in development and deployment.
A Kubernetes operator is a method of packaging, deploying, and managing a Kubernetes application. Applications and workloads often have complex application-level configuration settings beyond those provided by Kubernetes. Operators are designed to fill this gap using an application-specific controller built upon the existing Kubernetes concepts. Operators simplify the complex configuration logic required of an application system administrator, or in other words, the application’s “Operator.” This extra automation layer removes tedious manual application management tasks, making processes more scalable, repeatable, and standardized.
The function of the operator pattern is to capture the intentions of how a human operator would manage a service. A human operator needs to have a complete understanding of how an app or service should work, how to deploy it, and how to fix any problems. Using the RHACS operator, you can configure RHACS like an expert operator by taking advantage of the operational knowledge built into the operator and exposed as a custom resource.
Getting Started with the RHACS Operator
If you have an existing OpenShift Container Platform installation, the setup is extremely straightforward. The basic workflow will follow these three steps:
- From your OpenShift console > OperatorHub, find and install the Red Hat Advanced Cluster Security operator.
- Configure and deploy the Central custom resource.
- Configure and deploy the SecuredCluster custom resource into every cluster that you want to monitor.
The Red Hat Advanced Cluster Security operator supports the following two custom resources:
The Central custom resource allows users to configure Central services. Central is the management control plane and user interface for RHACS. Central includes the following services:
Central: Central is the RHACS application management interface and services.
Scanner: Scanner is the StackRox vulnerability scanner, a Red Hat-developed and certified scanner for container images and their associated databases.
The SecuredCluster custom resource allows users to configure SecuredCluster services. Secured Cluster Services manages the components of RHACS necessary to secure your OpenShift cluster. SecuredCluster includes the following services:
Sensor: Sensor is the service responsible for analyzing and monitoring the cluster.
Collector: Collector analyzes and monitors container activity on Kubernetes nodes.
Management and Upgrades
In a typical installation, users install and update the RHACS components with Helm charts and YAML files. The declarative YAML objects make audits and change approval easier and set configuration defaults that initialize in each enabled cluster. The RHACS operator builds on this functionality to help with installation and upgrades. The operator allows automatic installation and application upgrades, giving you more time to focus on security threats to your clusters rather than the management of the application itself.
The operator’s default configuration settings are set to a “monitor” security policy, allowing users time to analyze their typical behavior, set policies and enforce the created rules when comfortable. As you become acquainted with RHACS, it will be essential to understand the configuration options and adjust the settings to fit your requirements.
Useful Configuration Options
One of the main benefits of operators is the configuration capability they give users. RHACS users can alter a significant number of Central and SecuredCluster service settings. You can review our documentation for a complete list; the most common use cases are described below.
Central Services Configuration
Central configuration options:
- Administrator password
- Exposure type
- TLS Certificate
Administrator password: Specify a secret that contains the administrator password in the “password” data item. If omitted, the operator will autogenerate a password that administrators can access.
Exposure type: Specify how to access the Central interface, for example through a NodePort service or a load balancer.
TLS Certificate: By default, Central will only serve an internal TLS certificate, which means that you will need to handle TLS termination at the ingress or load balancer level. If you want to terminate TLS in Central and serve a custom server certificate, you can specify a secret containing the certificate and private key here.
SecuredCluster Services Configuration
SecuredCluster configuration options:
- Admission controller settings
- Connectivity policy
Admission controller settings: The admission controller settings have a few configurable options, including enabling and disabling the controller and monitoring Kubernetes events, such as port-forward and exec events. Since the admission controller is where RHACS policies are enforced, it is essential to understand how admission controllers function.
Connectivity policy: Configures whether Red Hat Advanced Cluster Security should run in online or offline (disconnected) mode. In offline mode, automatic updates of vulnerability definitions and kernel modules are disabled.
General Configuration Options
- Resource requests and limits
- Labels
- Trusted Certificate Authorities
Resource requests and limits: Allows overriding the default resource settings for the Central and SecuredCluster services. Adjust the resource limits and requests to optimize resource allocation within your clusters.
Labels: Add extra labels to the Central and SecuredCluster services.
Trusted Certificate Authorities: Additional trusted CA certificates for the secured cluster. These certificates are used when integrating with services using a private certificate authority.
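The three-step workflow and the Central, SecuredCluster and general options above, pulled together into the two custom resources the operator consumes. This is an added example, not a manifest from the post or the RHACS project; field names follow the platform.stackrox.io/v1alpha1 CRDs as this editor understands them (confirm with `oc explain central.spec` and `oc explain securedcluster.spec`), and the namespace, secret names, cluster name and endpoint are assumed values.

```yaml
# Added example (not from the post): Central + SecuredCluster CRs showing
# the options above. Field names follow the platform.stackrox.io/v1alpha1
# CRDs as this editor understands them; confirm with `oc explain central.spec`.
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: stackrox                  # assumed namespace
spec:
  central:
    # Administrator password: secret must hold the "password" data item.
    adminPasswordSecret:
      name: central-admin-password     # assumed secret name
    # Exposure type: OpenShift Route only; leave NodePort/LoadBalancer off
    # unless the cluster needs them.
    exposure:
      route: {enabled: true}
      nodePort: {enabled: false}
      loadBalancer: {enabled: false}
    # TLS: terminate in Central with a custom cert; drop this block to keep
    # the internal certificate and terminate at the ingress/load balancer.
    defaultTLSSecret:
      name: central-default-tls-cert   # assumed kubernetes.io/tls secret
    resources:                          # override default requests/limits
      requests: {cpu: "1500m", memory: "4Gi"}
      limits: {cpu: "4", memory: "8Gi"}
  egress:
    connectivityPolicy: Online          # Offline disables definition updates
  tls:
    additionalCAs:                      # trusted CAs for private-CA integrations
      - name: corp-ca.crt
        content: |
          -----BEGIN CERTIFICATE-----
          (placeholder: PEM body of your private CA)
          -----END CERTIFICATE-----
  customize:
    labels: {team: platform-security}  # extra labels on Central services
---
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  clusterName: prod-cluster-1           # assumed; shown in the Central UI
  centralEndpoint: central.stackrox.svc:443   # assumed; remote clusters use Central's exposed address
  admissionControl:
    listenOnCreates: true               # enforce at deploy time
    listenOnUpdates: true
    listenOnEvents: true                # watch exec / port-forward events
```

Apply with `oc apply -f` once the operator is installed from OperatorHub; on clusters other than the one running Central, point centralEndpoint at the address exposed by the exposure setting.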
There are installation prerequisites for RHACS before you can utilize the operator. Before you install, make sure that you:
- Understand Red Hat Advanced Cluster Security for Kubernetes architecture.
- Review the prerequisites for installing Red Hat Advanced Cluster Security for Kubernetes.
After you have the environment for RHACS, installing and using the operator has only two prerequisites:
- You have access to an OpenShift Container Platform cluster using an account with operator installation permissions.
- You must be using OpenShift Container Platform 4.6 or later.