Juan Enciso Condeña

Create a StackRox Lab on Kind

Overview

This document is based on the official documentation. The idea is to create a local environment with multiple Kubernetes clusters provisioned via kind for laboratory purposes.

The StackRox platform is composed of two components:

  • Central Services (central)
  • Secured Cluster Services (clients)

I will explain how to provision each one using kind.

Central services (Central)

Prerequisites

  • A kind cluster in which to install StackRox Central.
  • A free node port in that cluster, e.g. 32444.
  • A Red Hat account, needed to pull the container images.
  • A domain name, e.g. stackrox.iplanet.site.
  • TLS certificate files for that domain (cert.crt and cert.key).

Steps

Create a .env file with the username and password of your Red Hat account (keep this file out of version control):

cat << EOF >> ./.env
RH_USERNAME=email@domain.com
RH_PASSWORD=supersecret
EOF

Install via Helm. The chart is referenced through the repository name added in the first line (stackrox/...):

export $(cat .env | xargs)
helm repo add stackrox https://charts.stackrox.io
helm repo update
helm install -n stackrox stackrox-central-services \
  stackrox/central-services \
  --create-namespace \
  --set-file central.defaultTLS.cert=./cert.crt \
  --set-file central.defaultTLS.key=./cert.key \
  --set imagePullSecrets.username=$RH_USERNAME \
  --set imagePullSecrets.password=$RH_PASSWORD \
  --set central.exposure.nodePort.enabled=true \
  --set central.exposure.nodePort.port=32444

[Optional]

If you want to keep this deployment's configuration, extract the generated-values.yaml file with the command below. The secret name suffix (vmxhju here) is generated per installation, so look up yours with `kubectl -n stackrox get secrets` first:

kubectl -n stackrox get secret \
  stackrox-generated-vmxhju -o \
  go-template='{{ index .data "generated-values.yaml" }}' | \
  base64 --decode > generated-values.yaml

Secured cluster services (client clusters)

Prerequisites

  • Create another cluster with kind.
  • Create an API token with the Admin role in Central.
  • Download the roxctl CLI matching Central's version from Central.

Steps

To create a token, open this URL:

https://$your_central_host:32444/main/integrations/authProviders/apitoken/create

Generate a token and save it as register.token.

Download the CLI from the Central UI.

Generate the cluster init bundle that the secured cluster services will be deployed with:

export ROX_API_TOKEN="$(cat ./register.token)"
export ROX_CENTRAL_ADDRESS=stackrox.iplanet.site:32444
export CLUSTER_NAME=local-standard
roxctl -e $ROX_CENTRAL_ADDRESS central \
  init-bundles generate cluster-init-$CLUSTER_NAME \
  --output cluster-init-bundle-$CLUSTER_NAME.yaml

Install via Helm. Make sure your kubectl context points at the second kind cluster and that RH_USERNAME and RH_PASSWORD from .env are still exported in this shell:

helm repo add stackrox https://charts.stackrox.io
helm repo update
helm install -n stackrox \
  stackrox-secured-cluster-services \
  stackrox/secured-cluster-services \
  --create-namespace \
  --set clusterName=$CLUSTER_NAME \
  --set imagePullSecrets.username=$RH_USERNAME \
  --set imagePullSecrets.password=$RH_PASSWORD \
  --set centralEndpoint=$ROX_CENTRAL_ADDRESS \
  --set clusterLabels.env=local \
  --set collector.collectionMethod=NO_COLLECTION \
  -f cluster-init-bundle-$CLUSTER_NAME.yaml

Because we are using a kind cluster, collectionMethod is set to NO_COLLECTION. This disables the collector's runtime data gathering, so no process or network events will be reported from this cluster; deploy-time policy evaluation still works.

[Optional]

If you provisioned your kind clusters with the experimental option KIND_EXPERIMENTAL_DOCKER_NETWORK, you need to allow network communication with the Docker network of the Central kind cluster.

E.g., if the Docker network of your Central cluster is 172.28.1.0/24, run the commands below to permit all communication among the installed kind clusters. Note that 0/0 matches any source or destination, which is acceptable only for a throwaway lab host.

sudo iptables -I FORWARD -s 172.28.1.0/24 -d 0/0 -j ACCEPT
sudo iptables -I FORWARD -s 0/0 -d 172.28.1.0/24 -j ACCEPT
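As an added example (not part of the original post), the following script generates the same FORWARD rules scoped to the two kind Docker networks instead of 0/0, after validating the CIDRs. The network names read from KIND_CENTRAL_NET and KIND_CLIENT_NET and the helper names are assumptions; the CIDRs used in the usage path come from `docker network inspect`.

```shell
#!/bin/sh
# Added example: emit iptables FORWARD rules limited to the two kind networks.

# Print the IPv4 subnet of a Docker network (empty if it does not exist).
docker_network_cidr() {
  docker network inspect -f '{{ (index .IPAM.Config 0).Subnet }}' "$1" 2>/dev/null
}

# Return 0 only for a well-formed IPv4 CIDR such as 172.28.1.0/24.
valid_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip=${1%/*}; prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  n=0; old_ifs=$IFS; IFS=.
  for octet in $ip; do
    case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    n=$((n + 1))
  done
  IFS=$old_ifs
  [ "$n" -eq 4 ]
}

# Print the two FORWARD rules (Central <-> client only). Fails on bad input
# so that a typo never turns into an overly broad rule.
kind_forward_rules() {
  central=$1; client=$2
  valid_cidr "$central" && valid_cidr "$client" || return 1
  printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$central" "$client"
  printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$client" "$central"
}

# Usage: KIND_CENTRAL_NET=<net> KIND_CLIENT_NET=<net> sh rules.sh | sudo sh
if [ -n "${KIND_CENTRAL_NET-}" ] && [ -n "${KIND_CLIENT_NET-}" ]; then
  kind_forward_rules "$(docker_network_cidr "$KIND_CENTRAL_NET")" \
                     "$(docker_network_cidr "$KIND_CLIENT_NET")"
fi
```

The script only prints the rules; review them and pipe to `sudo sh` to apply.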

Check your setup

Finally, if you registered both clusters with Central, you should see them in the “Platform Configuration > Clusters” menu.
