Security

Red Hat Advanced Cluster Management for Kubernetes 2.1

Red Hat Advanced Cluster Management for Kubernetes Team

Abstract

Security and governance in Red Hat Advanced Cluster Management for Kubernetes