@jkeam
Last active August 24, 2021 19:53

Installing StackRox on OCP 4.x

Prerequisites

Set a few environment variables first. The steps below assume `oc` is installed and you are logged in as a cluster admin. Tested on OCP v4.5.36 and StackRox v3.0.58.0.

export YOUR_STACKROX_USERNAME=test@example.com   # your install.stackrox.io credentials, only used to download roxctl
export YOUR_STACKROX_PASSWORD=whateverYourPasswordIs
export STACKROX_PASSWORD=Pa22word  # password for the built-in `admin` user of the Central you are about to deploy; pick a real one (it lands in shell history), the value here is a placeholder

Install CLI

  1. Download roxctl
# replace Darwin with Linux on a Linux workstation
wget --http-user=$YOUR_STACKROX_USERNAME --http-password=$YOUR_STACKROX_PASSWORD https://install.stackrox.io/3.0.58.0/bin/Darwin/roxctl
chmod +x roxctl   # the later steps call roxctl unqualified, so also put it on your PATH
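The download above is an unauthenticated-by-you binary that you then run with cluster-admin credentials, so it is worth checking its digest before executing it. The script below is an added example, not part of the gist or of StackRox's own tooling: it fetches roxctl from the same authenticated URL and refuses to mark it executable unless its SHA-256 matches a digest you obtained out of band. The gist publishes no digest, so `ROXCTL_SHA256` is assumed to be supplied by you; `sha256_of`, `verify_sha256` and `fetch_roxctl` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): download roxctl and verify its SHA-256 before use.
# ROXCTL_SHA256 is an assumption: get the expected digest from StackRox/Red Hat yourself.
set -eu

# Print the SHA-256 of a file; works with GNU coreutils (sha256sum) or macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if the file's digest equals the expected one (hex, case-insensitive), else 1.
verify_sha256() {
  local file=$1 expected=$2 actual
  actual=$(sha256_of "$file")
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Download roxctl for $os (Darwin or Linux) and $version into $dest, verify it,
# and only then make it executable. Same install.stackrox.io URL as the gist.
fetch_roxctl() {
  local os=$1 version=$2 expected=$3 dest=${4:-./roxctl}
  wget -q --http-user="$YOUR_STACKROX_USERNAME" --http-password="$YOUR_STACKROX_PASSWORD" \
    -O "$dest" "https://install.stackrox.io/${version}/bin/${os}/roxctl"
  if ! verify_sha256 "$dest" "$expected"; then
    echo "roxctl digest mismatch, removing $dest" >&2
    rm -f "$dest"
    return 1
  fi
  chmod +x "$dest"
}

# Usage, with the env vars from the prerequisites and a digest you trust:
#   fetch_roxctl Darwin 3.0.58.0 "$ROXCTL_SHA256" && sudo mv roxctl /usr/local/bin/
```

A mismatch deletes the download rather than leaving an unverified binary lying around that a later `chmod +x` might pick up.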

Install Central

  1. Generate Templates
# gp2 is the AWS default storage class; run `oc get storageclass` to pick the right one for your cluster.
# --lb-type route makes roxctl create the OpenShift Route for Central.
roxctl central generate openshift pvc --storage-class gp2 --size 30 --enable-telemetry=false --lb-type route -p $STACKROX_PASSWORD --openshift-version 4
  2. Deploy
# central's own setup.sh (not the scanner one) creates the stackrox namespace and the image pull secret the manifests reference
./central-bundle/central/scripts/setup.sh
oc apply -R -f central-bundle/central
  3. Verify
watch oc get pod -n stackrox
  4. Set Route Var
# assumes Central's Route is the only Route in the stackrox namespace at this point
export CENTRAL_ROUTE=$(oc get route -n stackrox -o jsonpath="{.items[0].spec.host}")

Install Scanner

  1. Modify Replica Count (optional; a single scanner replica is fine for a lab, not for production)
# -i.bak works with both GNU sed (Linux) and BSD sed (macOS); plain `sed -i -e` on macOS takes "-e" as the backup suffix.
# The .bak copies are ignored by oc apply, which only reads .yaml/.yml/.json files.
sed -i.bak -e 's/replicas: 3/replicas: 1/g' ./central-bundle/scanner/02-scanner-06-deployment.yaml
sed -i.bak -e 's/minReplicas: 2/minReplicas: 1/g' ./central-bundle/scanner/02-scanner-08-hpa.yaml
  2. Deploy
# the scanner has its own setup.sh that creates its image pull secret
./central-bundle/scanner/scripts/setup.sh
oc apply -R -f central-bundle/scanner
  3. Verify
watch oc get pod -n stackrox
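The replica edit above is the one step in the bundle you modify by hand, and it is where a macOS/Linux sed difference can silently leave a stray file behind. The functions below are an added example, not part of the gist or of the StackRox bundle: they change only a matching `replicas:` / `minReplicas:` line (indentation preserved, `maxReplicas` untouched), write through a temp file so no backup is created on either sed, and let you read the value back to confirm the edit. The file names are the ones the gist shows; `set_yaml_int`, `get_yaml_int` and `scale_scanner_down` are names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): portable, verifiable replica edit for the scanner bundle.
set -eu

# Set an integer YAML scalar ("<key>: <n>") in one file, keeping indentation.
# Uses a temp file instead of sed -i, so GNU and BSD sed behave identically.
set_yaml_int() {
  local file=$1 key=$2 value=$3
  sed -e "s/^\([[:space:]]*\)${key}: [0-9][0-9]*\$/\1${key}: ${value}/" "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Print the current integer value of a key (first match only), nothing if absent.
get_yaml_int() {
  sed -n "s/^[[:space:]]*$2: \([0-9][0-9]*\)\$/\1/p" "$1" | head -n 1
}

# Shrink the scanner to one replica; the default path is the gist's bundle layout.
scale_scanner_down() {
  local bundle=${1:-./central-bundle/scanner}
  set_yaml_int "$bundle/02-scanner-06-deployment.yaml" replicas 1
  set_yaml_int "$bundle/02-scanner-08-hpa.yaml" minReplicas 1
  echo "scanner replicas: $(get_yaml_int "$bundle/02-scanner-06-deployment.yaml" replicas)"
  echo "scanner minReplicas: $(get_yaml_int "$bundle/02-scanner-08-hpa.yaml" minReplicas)"
}

# Usage after `roxctl central generate ...`:
#   scale_scanner_down ./central-bundle/scanner
```

Because the pattern is anchored on the key name, `minReplicas` cannot accidentally match the deployment's `replicas` pattern or vice versa, which the gist's unanchored `s/replicas: 3/.../g` does not guarantee.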

Install Sensor

  1. Generate Templates
# --central is the address the sensor dials from inside the cluster (internal service DNS, see the comments below);
# -e is the address roxctl dials right now to fetch the bundle (the external route).
# --insecure-skip-tls-verify makes roxctl accept the route without checking its certificate, and the admin
# password travels over that connection: acceptable on a throwaway lab cluster only. Elsewhere drop the two
# --insecure flags and pass the StackRox CA certificate with --ca instead.
roxctl sensor generate openshift --openshift-version 4 \
  --central central.stackrox:443 \
  --insecure --insecure-skip-tls-verify \
  --name ocp \
  --collection-method kernel-module \
  -p $STACKROX_PASSWORD \
  --admission-controller-listen-on-updates \
  --admission-controller-listen-on-creates \
  --admission-controller-scan-inline \
  --slim-collector=false \
  -e $CENTRAL_ROUTE:443
  2. Deploy
./sensor-ocp/sensor.sh
  3. Verify
watch oc get pod -n stackrox
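Each of the three Verify steps (Central, Scanner, Sensor) is `watch oc get pod -n stackrox` and a human deciding when everything looks healthy. The script below is an added example, not part of the gist or of StackRox: `check_pods_ready` reads `oc get pod --no-headers` lines (columns NAME READY STATUS RESTARTS AGE) and fails unless every pod is Running with all containers ready or has Completed, and `wait_for_pods` polls the namespace with a timeout so the install can be scripted end to end. The pod names used in the test are constructed; the function names are chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): machine-checkable replacement for `watch oc get pod -n stackrox`.
set -eu

# Read `oc get pod --no-headers` output on stdin. Print every pod that is not ready
# and return 1 if there is at least one; return 0 when all pods are Running with
# READY n/n, or have Completed (finished jobs).
check_pods_ready() {
  local bad=0 name ready status rest
  while read -r name ready status rest; do
    [ -n "$name" ] || continue
    case "$status" in
      Completed) continue ;;
      Running)
        # READY is "ready/total"; the pod is healthy only when both sides agree.
        if [ "${ready%/*}" != "${ready#*/}" ]; then
          echo "not ready: $name ($ready $status)"; bad=1
        fi ;;
      *)
        echo "not ready: $name ($ready $status)"; bad=1 ;;
    esac
  done
  return $bad
}

# Poll a namespace every 10s until check_pods_ready passes or $timeout seconds elapse.
wait_for_pods() {
  local ns=${1:-stackrox} timeout=${2:-300} waited=0
  until oc get pod -n "$ns" --no-headers | check_pods_ready >/dev/null; do
    waited=$((waited + 10))
    [ "$waited" -lt "$timeout" ] || { echo "timed out waiting for pods in $ns" >&2; return 1; }
    sleep 10
  done
  oc get pod -n "$ns"
}

# Usage after each deploy step:
#   wait_for_pods stackrox 300 || exit 1
```

A pod stuck in ImagePullBackOff (typically a missing pull secret because the wrong setup.sh was run) or CrashLoopBackOff is reported by name, which is exactly the failure mode the manual `watch` relies on you to notice.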

Architecture

There are three major components:

  1. Central: the API, UI and policy engine; everything else reports to it
  2. Scanner: scans container images for vulnerabilities on Central's behalf
  3. Sensor/Collector: the per-cluster agent (Sensor) and the per-node runtime collector (Collector), both deployed by the sensor bundle

External Resources

  1. StackRox Workshop - All the instructions here basically came from @clemenko and his workshop. Big thanks to him.
@clemenko commented

You should change the template to

roxctl central generate openshift pvc --storage-class gp2 --size 30 --enable-telemetry=false --lb-type route -p $STACKROX_PASSWORD --openshift-version 4

This will create the route object for you.

Also looks like you missed the ./central-bundle/central/scripts/setup.sh.

jkeam (Author) commented Apr 12, 2021

You should change the template to

roxctl central generate openshift pvc --storage-class gp2 --size 30 --enable-telemetry=false --lb-type route -p $STACKROX_PASSWORD --openshift-version 4

This will create the route object for you.

Also looks like you missed the ./central-bundle/central/scripts/setup.sh.

Ooo great suggestions, thanks! I'll update.

@clemenko commented

Oh and change --central stackrox-central-stackrox.apps.cluster-b6a3.b6a3.sandbox1438.opentlc.com:443 to --central central.stackrox:443. This is because you are installing to the same cluster and we can use the internal DNS. No need for the external routing of the sensor traffic.

jkeam (Author) commented Apr 12, 2021

Oh and change --central stackrox-central-stackrox.apps.cluster-b6a3.b6a3.sandbox1438.opentlc.com:443 to --central central.stackrox:443. This is because you are installing to the same cluster and we can use the internal DNS. No need for the external routing of the sensor traffic.

👍

jkeam (Author) commented Jun 22, 2021

jkeam (Author) commented Aug 24, 2021

Great news! Installation on OpenShift can officially be done by an operator now. https://docs.openshift.com/acs/installing/install-ocp-operator.html
