Creates a StackRox Lab on Kind

jenciso

Juan Enciso Condeña

Posted on May 11, 2022

Overview

This document is based on the official documentation. The idea is to create a local environment with multiple Kubernetes clusters provisioned via kind for laboratory purposes.

The StackRox platform is composed of two components:

  • Central Services (central)
  • Secured Cluster Services (clients)

I will explain how to provision each one using kind.

Central services (Central)

Prerequisites

  • A kind cluster deployed to host StackRox Central.
  • A free NodePort in that cluster, e.g. 32444. Since kind nodes are Docker containers, the port is only reachable from outside Docker if the kind config publishes it with extraPortMappings.
  • A Red Hat account, needed to pull the container images.
  • A domain name, e.g. stackrox.iplanet.site, resolving to the host that runs kind.
  • A TLS certificate and key for that domain (cert.crt and cert.key).

Steps

Create a .env file with the username and password of your Red Hat account (keep it out of version control):

cat << EOF > ./.env
RH_USERNAME=email@domain.com
RH_PASSWORD=supersecret
EOF

Install via helm

# Load RH_USERNAME and RH_PASSWORD from .env. Sourcing the file keeps values
# with spaces or special characters intact, unlike piping them through xargs.
set -a; . ./.env; set +a
# The central-services chart is published in the rhacs repository.
helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
helm repo update
helm install -n stackrox stackrox-central-services \
  rhacs/central-services \
  --create-namespace \
  --set-file central.defaultTLS.cert=./cert.crt \
  --set-file central.defaultTLS.key=./cert.key \
  --set "imagePullSecrets.username=$RH_USERNAME" \
  --set "imagePullSecrets.password=$RH_PASSWORD" \
  --set central.exposure.nodePort.enabled=true \
  --set central.exposure.nodePort.port=32444

[Optional]

If you want to keep this deployment configuration, save the generated-values.yaml file that the chart stores in a secret named stackrox-generated-<random suffix>. The file contains the generated admin password and the CA key, so protect it like the secret itself:

kubectl -n stackrox get \
  $(kubectl -n stackrox get secret -o name | grep stackrox-generated) \
  -o go-template='{{ index .data "generated-values.yaml" }}' | \
  base64 --decode > generated-values.yaml
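The prerequisites above ask for a kind cluster with a free NodePort, but a NodePort on a kind node is only reachable from the host when kind forwards it. The script below is an added example, not code from the original post or from StackRox: it renders a kind config that publishes the Central NodePort on the host and creates the cluster from it. The cluster name stackrox-central and the port 32444 are assumptions taken from the post's example values; both can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not from the original post: create the kind cluster that will
# host StackRox Central with the Central NodePort published on the host.
# kind nodes are Docker containers, so a NodePort Service is only reachable
# from outside Docker when the port is forwarded with extraPortMappings.
# Assumptions: cluster name "stackrox-central" and NodePort 32444 (the post's
# example values); override both with environment variables.
set -eu

CENTRAL_NODEPORT="${CENTRAL_NODEPORT:-32444}"
CENTRAL_CLUSTER="${CENTRAL_CLUSTER:-stackrox-central}"

# Accept only a numeric port inside the default Kubernetes NodePort range
# (30000-32767); anything else makes the later helm install fail.
valid_nodeport() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 30000 ] && [ "$1" -le 32767 ]
}

# Render the kind config: the host port is forwarded to the same port on the
# control-plane node's container, where the Central NodePort Service listens.
kind_central_config() {
  cat <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
  - role: control-plane
    extraPortMappings:
      - containerPort: ${CENTRAL_NODEPORT}
        hostPort: ${CENTRAL_NODEPORT}
        protocol: TCP
EOF
}

# Create the cluster from the rendered config (kind reads it from stdin with
# --config=-). The kubeconfig context it registers is "kind-${CENTRAL_CLUSTER}".
create_central_cluster() {
  valid_nodeport "$CENTRAL_NODEPORT" || {
    echo "CENTRAL_NODEPORT=$CENTRAL_NODEPORT is not a valid NodePort" >&2
    return 1
  }
  kind_central_config | kind create cluster --name "$CENTRAL_CLUSTER" --config=-
}

# Run as:  sh create-central-cluster.sh create
if [ "${1:-}" = "create" ]; then
  create_central_cluster
fi
```

After the cluster is up, the helm install above with central.exposure.nodePort.port=32444 makes the UI reachable at https://stackrox.iplanet.site:32444 as long as the domain resolves to the host.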

Secured cluster services (Clusters Clients)

Prerequisites

  • Create another cluster with kind.
  • Create an API token with the Admin role in Central.
  • Download the roxctl CLI matching the Central version.

Steps

To create a token, open this URL in the Central UI (replace $your_central_host with your Central hostname):

https://$your_central_host:32444/main/integrations/authProviders/apitoken/create

Generate a token with the Admin role and save it as register.token.

Download the roxctl CLI from the Central UI.

Generate the init bundle used to deploy Secured Cluster Services on the client cluster:

export ROX_API_TOKEN="$(cat ./register.token)"
export ROX_CENTRAL_ADDRESS=stackrox.iplanet.site:32444
export CLUSTER_NAME=local-standard
# The init bundle contains the cluster's service certificates; keep it private.
roxctl -e "$ROX_CENTRAL_ADDRESS" central \
  init-bundles generate "cluster-init-$CLUSTER_NAME" \
  --output "cluster-init-bundle-$CLUSTER_NAME.yaml"

Install via helm

# RH_USERNAME and RH_PASSWORD must be exported in this shell (from .env), and
# the current kubectl context must point at the client cluster, not at Central.
helm repo add rhacs https://mirror.openshift.com/pub/rhacs/charts/
helm repo update
helm install -n stackrox \
  stackrox-secured-cluster-services \
  rhacs/secured-cluster-services \
  --create-namespace \
  --set "clusterName=$CLUSTER_NAME" \
  --set "imagePullSecrets.username=$RH_USERNAME" \
  --set "imagePullSecrets.password=$RH_PASSWORD" \
  --set "centralEndpoint=$ROX_CENTRAL_ADDRESS" \
  --set clusterLabels.env=local \
  --set collector.collectionMethod=NO_COLLECTION \
  -f "cluster-init-bundle-$CLUSTER_NAME.yaml"

Because this is a kind cluster, collectionMethod is set to NO_COLLECTION: Collector then does not need a kernel module or eBPF probe on the nodes, at the cost of not collecting runtime process and network events.

[Optional]

If you provisioned your kind clusters with the experimental KIND_EXPERIMENTAL_DOCKER_NETWORK variable (one Docker network per cluster), Docker isolates those bridge networks from each other, so Sensor in a client cluster cannot reach Central. You need to allow forwarding between the Docker network of the Central cluster and the others.

E.g., if the Docker network of your Central cluster is 172.28.1.0/24, insert these rules at the top of the FORWARD chain, ahead of Docker's isolation rules, to permit traffic in both directions between it and every other network:

sudo iptables -I FORWARD -s 172.28.1.0/24 -d 0/0 -j ACCEPT
sudo iptables -I FORWARD -s 0/0 -d 172.28.1.0/24 -j ACCEPT

These rules are not persistent across reboots, and they open the Central network to every other Docker network on the host, which is acceptable for a lab.

Check your setup

Finally, if you registered two secured clusters with Central, you should see both of them in the "Platform configuration > Clusters" menu.
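The secured-cluster steps and the check above are repeated once per client cluster, and with several kind clusters in one kubeconfig it is easy to install Sensor into the wrong one. The script below is an added example, not code from the original post or from StackRox: it generates one init bundle per kind cluster, installs Secured Cluster Services through that cluster's kube-context, and waits for Sensor to roll out before moving on. It assumes RH_USERNAME, RH_PASSWORD and ROX_API_TOKEN are exported as in the post, that the rhacs Helm repository has been added, that Central is reachable from inside each kind cluster at ROX_CENTRAL_ADDRESS (defaulting to the post's stackrox.iplanet.site:32444), and that the kind cluster names are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: register several kind clusters
# as StackRox secured clusters from one workstation, then wait for each
# Sensor to report ready. Every kind cluster lives in the same kubeconfig as
# context "kind-<name>", so each roxctl/helm/kubectl call is pinned to the
# right cluster. Assumptions: RH_USERNAME, RH_PASSWORD and ROX_API_TOKEN are
# exported as in the post, Central is reachable from inside each kind cluster
# at ROX_CENTRAL_ADDRESS, and the rhacs Helm repo has been added.
set -eu

: "${ROX_CENTRAL_ADDRESS:=stackrox.iplanet.site:32444}"

# kind names its kubeconfig context "kind-<cluster name>".
kind_context() {
  printf 'kind-%s\n' "$1"
}

# File that holds the init bundle for a cluster. It contains the cluster's
# service certificates and private keys: treat it like a credential.
bundle_file() {
  printf 'cluster-init-bundle-%s.yaml\n' "$1"
}

# Generate the init bundle once per cluster (Central rejects a duplicate
# bundle name) and install Secured Cluster Services into that kind cluster.
install_secured_cluster() {
  name=$1
  bundle=$(bundle_file "$name")
  if [ ! -f "$bundle" ]; then
    roxctl -e "$ROX_CENTRAL_ADDRESS" central init-bundles generate \
      "cluster-init-$name" --output "$bundle"
    chmod 600 "$bundle"
  fi
  helm install -n stackrox stackrox-secured-cluster-services \
    rhacs/secured-cluster-services \
    --kube-context "$(kind_context "$name")" \
    --create-namespace \
    --set "clusterName=$name" \
    --set "centralEndpoint=$ROX_CENTRAL_ADDRESS" \
    --set "clusterLabels.env=local" \
    --set "collector.collectionMethod=NO_COLLECTION" \
    --set "imagePullSecrets.username=$RH_USERNAME" \
    --set "imagePullSecrets.password=$RH_PASSWORD" \
    -f "$bundle"
}

# Block until Sensor is rolled out; a Sensor that never becomes ready usually
# means it cannot reach Central (DNS, or the Docker network rules above).
wait_for_sensor() {
  kubectl --context "$(kind_context "$1")" -n stackrox \
    rollout status deploy/sensor --timeout=300s
}

onboard_clusters() {
  for name in "$@"; do
    install_secured_cluster "$name"
    wait_for_sensor "$name"
  done
}

# Run as:  sh onboard-clusters.sh local-standard local-second
if [ "$#" -gt 0 ]; then
  : "${RH_USERNAME:?export it from .env}" "${RH_PASSWORD:?export it from .env}"
  : "${ROX_API_TOKEN:?export the token saved as register.token}"
  onboard_clusters "$@"
fi
```

Once every Sensor rollout completes, each cluster should show up as healthy under "Platform configuration > Clusters"; a cluster that appears but stays unhealthy is the sign to revisit the Docker network rules.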
