Last active August 24, 2021 19:53
Installing StackRox on OCP 4.x


Set a few environment variables first. This assumes you have oc installed and are logged in as a cluster admin. Tested on OCP v4.5.36 and StackRox v3.0.58.0.

# credentials used to download roxctl
export YOUR_STACKROX_USERNAME=whateverYourUsernameIs
export YOUR_STACKROX_PASSWORD=whateverYourPasswordIs
# password for logging into your deployed StackRox instance; the user is `admin`
export STACKROX_PASSWORD=Pa22word

Install CLI

  1. Download roxctl
# replace Darwin with Linux for linux
wget --http-user=$YOUR_STACKROX_USERNAME --http-password=$YOUR_STACKROX_PASSWORD

Install Central

  1. Generate Templates
roxctl central generate openshift pvc --storage-class gp2 --size 30 --enable-telemetry=false --lb-type route -p $STACKROX_PASSWORD --openshift-version 4
  2. Deploy
oc apply -R -f central-bundle/central
  3. Verify
watch oc get pod -n stackrox
  4. Set Route Var
# host name of the Central route, used later as the sensor's endpoint
export CENTRAL_ROUTE=$(oc get route -n stackrox -o jsonpath="{.items[0].spec.host}")

Install Scanner

  1. Modify Replica Count
sed -i -e 's/replicas: 3/replicas: 1/g' ./central-bundle/scanner/02-scanner-06-deployment.yaml
sed -i -e 's/minReplicas: 2/minReplicas: 1/g' central-bundle/scanner/02-scanner-08-hpa.yaml
  2. Deploy
oc apply -R -f central-bundle/scanner
  3. Verify
watch oc get pod -n stackrox
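
sed exits 0 whether or not its pattern matched, so if the generated scanner manifests carry different defaults, the two replica edits above silently do nothing. The following is an added example, not part of the original gist: it makes the same two changes and fails when the expected line is absent. The function names set_scalar and shrink_scanner are hypothetical.

```shell
# Added example, not from the gist. Helper names are hypothetical.
# set_scalar FILE KEY OLD NEW: rewrite "KEY: OLD" to "KEY: NEW" in FILE and
# return non-zero when neither value is present (plain sed would exit 0).
set_scalar() {
  file=$1 key=$2 old=$3 new=$4
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  # Matched from line start, so "replicas" never hits "minReplicas".
  pat="[[:space:]]*${key}:[[:space:]]*"
  hits=$(grep -cE "^${pat}${old}[[:space:]]*\$" "$file" || true)
  if [ "$hits" -eq 0 ]; then
    # Nothing to change: fine if already at NEW, an error otherwise.
    if grep -qE "^${pat}${new}[[:space:]]*\$" "$file"; then
      echo "ok: $file already has $key: $new"
      return 0
    fi
    echo "error: no '$key: $old' in $file; check the generated default" >&2
    return 1
  fi
  tmp=$(mktemp) || return 2
  # Portable stand-in for "sed -i"; \1 keeps the original indentation.
  if sed -E "s/^(${pat})${old}[[:space:]]*\$/\\1${new}/" "$file" > "$tmp" &&
     cat "$tmp" > "$file"; then
    rc=0
    echo "ok: $file $key: $old -> $new"
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# shrink_scanner [DIR]: apply both scanner edits from the step above.
shrink_scanner() {
  dir=${1:-central-bundle/scanner}
  set_scalar "$dir/02-scanner-06-deployment.yaml" replicas 3 1 &&
    set_scalar "$dir/02-scanner-08-hpa.yaml" minReplicas 2 1
}
```

Run `shrink_scanner` from the directory that contains central-bundle, before the scanner `oc apply`; a non-zero exit means the manifests did not contain the values the gist expects.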

Install Sensor

  1. Generate Templates
roxctl sensor generate openshift --openshift-version 4 --central central.stackrox:443 --insecure --insecure-skip-tls-verify --name ocp --collection-method kernel-module -p $STACKROX_PASSWORD --admission-controller-listen-on-updates --admission-controller-listen-on-creates --admission-controller-scan-inline  --slim-collector=false -e $CENTRAL_ROUTE:443
  2. Deploy
  3. Verify
watch oc get pod -n stackrox


There are three major components:

  1. Central
  2. Scanner
  3. Sensor/Collector


External Resources

  1. StackRox Workshop - All the instructions here basically came from @clemenko and his workshop. Big thanks to him.

jkeam commented Apr 12, 2021

Oh and change --central to --central central.stackrox:443. This is because you are installing to the same cluster and we can use the internal DNS. No need for the external routing of the sensor traffic.



jkeam commented Jun 22, 2021


jkeam commented Aug 24, 2021

Great news! Installation on OpenShift can officially be done by an operator now.
