# Installation of Red Hat Advanced Cluster Security
This repository contains Kubernetes manifests for installing Red Hat Advanced Cluster Security (ACS) on OpenShift clusters.
## Prerequisites

- Access to an OpenShift cluster
- `oc` CLI tool installed
- Cluster admin permissions
- Access to the `redhat-operators` catalog source
## Install the operator

First, install the Red Hat Advanced Cluster Security operator on your central cluster:

```sh
oc apply -k k8/operators/
```

This will:

- Create the `rhacs-operator` namespace
- Create an OperatorGroup for the namespace
- Subscribe to the `rhacs-operator` from the Red Hat operators catalog
- Subscribe to the `openshift-compliance` operator (and create its namespace)
Wait for the operator to be fully installed and ready. You can check the status with:

```sh
oc get pods -n rhacs-operator
```

Wait until the operator pod is in the `Running` state and ready (this typically takes 1-2 minutes).
## Deploy Central

Once the operator is ready, create the Central component:

```sh
oc apply -k k8/central/
```

This will:

- Create the `stackrox` namespace
- Create a Central custom resource instance
- Trigger the operator to deploy the Central component
Monitor the Central deployment:

```sh
oc get pods -n stackrox
```

Or watch all resources:

```sh
watch oc get pvc,deploy,svc,route -n stackrox
```

Note: `scanner-db` takes the longest to initialize (5+ minutes).

The Central component will take several minutes to fully deploy. Once all pods are running, you can access the Central UI through the route that was created.
To check the status of the Central instance via the CLI:

```sh
oc get central stackrox-central-services -o jsonpath-as-json='{.status.conditions}' -n stackrox
```

Output:

```json
[
  [
    {
      "lastTransitionTime": "2025-11-21T18:20:34Z",
      "message": "StackRox Central Services has been installed.\n\n\n\n\nStackRox Kubernetes Security Platform collects and transmits anonymous usage and\nsystem configuration information. If you want to OPT OUT from this, use\n--set central.telemetry.enabled=false.\n\n\nThank you for using StackRox!\n",
      "reason": "InstallSuccessful",
      "status": "True",
      "type": "Deployed"
    },
    ...
```

Retrieve the admin user's password from the `central-htpasswd` secret:

```sh
oc -n stackrox extract secret/central-htpasswd \
  --keys password --to -
```

Example output:

```text
# password
UIooqQXXrcxX0mzDuYUPCo6uX
```

Retrieve the URL of the RHACS portal from the `central` route:

```sh
oc -n stackrox get route central -o jsonpath='https://{.spec.host}'
```

Example output:

```text
https://central-stackrox.apps.<cluster-domain>
```

Log in with the user `admin` and the extracted password.
Note: If you see the error `The database is currently not available. If this problem persists, please contact support.`, you might not have enough cluster resources to launch the `central-db` deployment. If you are testing, you may be able to scale down the following resources; otherwise, provision more nodes.

```sh
oc patch hpa scanner -n stackrox \
  --type=merge \
  -p '{"spec":{"minReplicas":1,"maxReplicas":1}}'
oc patch hpa scanner-v4-indexer -n stackrox \
  --type=merge \
  -p '{"spec":{"minReplicas":1,"maxReplicas":1}}'
oc patch hpa scanner-v4-matcher -n stackrox \
  --type=merge \
  -p '{"spec":{"minReplicas":1,"maxReplicas":1}}'

# Classic scanner: 2 → 1
oc scale deploy scanner --replicas=1 -n stackrox
# v4 indexer: 2 → 1
oc scale deploy scanner-v4-indexer --replicas=1 -n stackrox
# v4 matcher: 2 → 1
oc scale deploy scanner-v4-matcher --replicas=1 -n stackrox
# Optional: if resources are still tight, the scanner DBs can also be scaled down,
# but usually the replica cuts above are enough.
```

## Secure clusters

After Central is deployed and accessible, you can secure additional clusters. This process involves:
- Creating a cluster init bundle from the Central UI
- Applying the init bundle to the cluster you want to secure
- Deploying a SecuredCluster custom resource
From the ACS console, navigate to Platform Configuration → Clusters, then click the Init bundles button.
From the Cluster init bundles page, click Create bundle.
Provide a name (e.g., install-import), select OpenShift, and click Download.
This will download a file to your local system called `install-import-Operator-secrets-cluster-init-bundle.yaml`.
Important: Keep this file secure as it contains authentication credentials for connecting clusters to Central.
To have Central manage itself as a secured cluster, apply the init bundle and SecuredCluster resource on the Central cluster:

```sh
# Apply the init bundle secrets
oc -n stackrox apply -f install-import-Operator-secrets-cluster-init-bundle.yaml
# Deploy the SecuredCluster resource for the central cluster
oc apply -k k8/secured-cluster/base/
```

Expected output when applying the init bundle:

```text
secret/collector-tls created
secret/sensor-tls created
secret/admission-control-tls created
```

Eventually, the cluster will show up in ACS as `Healthy` and `Up to date with Central`.
To secure additional clusters (managed clusters), you need to install the ACS operator and deploy a SecuredCluster resource on each cluster.
Note: This process can be automated with ACM (Advanced Cluster Management) policies, which is out of scope for this guide.
1. Log in to the managed cluster:

   ```sh
   oc login -u admin -p <password> https://api.<domain-of-managed-cluster>.com:6443
   ```

2. Install the RHACS Operator:

   ```sh
   oc apply -k k8/operators/
   ```

   Wait for the operator to be ready:

   ```sh
   oc get pods -n rhacs-operator
   ```

3. Create the `stackrox` namespace:

   ```sh
   oc apply -f k8/central/namespace.yaml
   ```

4. Apply the init bundle (downloaded from the Central UI above):

   ```sh
   oc apply -f install-import-Operator-secrets-cluster-init-bundle.yaml -n stackrox
   ```

5. Deploy the SecuredCluster resource.

   For the first managed cluster, edit the overlay file:

   ```sh
   # Edit the managed-cluster.yaml file
   vi k8/secured-cluster/overlays/secured-cluster01/managed-cluster.yaml
   ```

   Update the `centralEndpoint` with your Central cluster's endpoint:

   - Use the same hostname as the Central UI route
   - Remove the `https://` prefix
   - Add the `:443` port

   Example:

   ```yaml
   apiVersion: platform.stackrox.io/v1alpha1
   kind: SecuredCluster
   metadata:
     name: stackrox-secured-cluster-services
     namespace: stackrox
   spec:
     clusterName: secured-cluster01
     # Update with your central cluster endpoint (route hostname + :443)
     centralEndpoint: central-stackrox.apps.<cluster-domain>:443
   ```

   Then apply it:

   ```sh
   oc apply -f k8/secured-cluster/overlays/secured-cluster01/managed-cluster.yaml
   ```

   For additional clusters, you can:

   - Use the `secured-cluster02` overlay directory
   - Create a new overlay following the same pattern
   - Directly apply a customized SecuredCluster YAML

6. Monitor the deployment:

   ```sh
   oc get pods -n stackrox
   oc get pvc,deploy,svc,route -n stackrox
   ```

Note: The full deployment might be resource-intensive for Single Node OpenShift (SNO) clusters. Monitor resource usage and scale down components if needed (see the resource scaling note above).
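The `centralEndpoint` rules above (route hostname, no `https://`, `:443` appended) are easy to get wrong by hand. The following shell helper, added here as an example and not part of this repository, derives the endpoint from the route URL that `oc get route central` prints and renders a SecuredCluster manifest for a managed cluster; the route URL and cluster names used at the bottom are constructed sample values.

```shell
# Added example (not part of this repository): turn the Central route URL into
# the value expected by spec.centralEndpoint in a SecuredCluster resource.
central_endpoint_from_url() {
    # $1: route URL or bare hostname, e.g. https://central-stackrox.apps.example.com
    # Strip the scheme and any path, keeping only host[:port].
    host=$(printf '%s' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#/.*$##')
    case "$host" in
        "")  return 1 ;;                 # empty input: nothing to derive
        *:*) printf '%s\n' "$host" ;;    # a port is already present, keep it
        *)   printf '%s:443\n' "$host" ;; # default to the route's TLS port
    esac
}

# Render a SecuredCluster manifest for a managed cluster with the endpoint filled in.
# $1: clusterName for the managed cluster, $2: Central route URL
render_secured_cluster() {
    endpoint=$(central_endpoint_from_url "$2") || return 1
    cat <<EOF
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  clusterName: $1
  centralEndpoint: $endpoint
EOF
}

# Constructed sample values: in practice, capture the URL from
#   oc -n stackrox get route central -o jsonpath='https://{.spec.host}'
SAMPLE_ROUTE_URL="https://central-stackrox.apps.example.com"
render_secured_cluster secured-cluster01 "$SAMPLE_ROUTE_URL"
```

Pipe the rendered manifest into `oc apply -f -` on the managed cluster, or redirect it into a new overlay file following the `secured-cluster01` pattern.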
## Repository structure

```text
k8/
├── operators/
│   ├── kustomization.yaml          # Kustomize config for operator resources
│   ├── acs.yaml                    # ACS operator installation manifest
│   └── compliance-operator.yaml    # Compliance operator namespace and subscription
├── central/
│   ├── kustomization.yaml          # Kustomize config for Central resources
│   ├── namespace.yaml              # StackRox namespace definition
│   └── central.yaml                # Central component deployment manifest
└── secured-cluster/
    ├── base/                       # Base SecuredCluster configuration
    │   ├── kustomization.yaml
    │   └── secured-cluster.yaml    # Base SecuredCluster CR (clusterName: central-cluster)
    └── overlays/                   # Overlays for different managed clusters
        ├── secured-cluster01/
        │   └── managed-cluster.yaml  # SecuredCluster for first managed cluster
        └── secured-cluster02/      # Overlay directory for second managed cluster
```

- Base configuration: Use `k8/secured-cluster/base/` to deploy a SecuredCluster on the Central cluster itself
- Overlays: Use overlay directories for managed clusters with different cluster names and central endpoints
- Kustomize: All directories support `oc apply -k` for applying resources