Stackrox
The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.
StackRox Kubernetes Security Platform
The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment. StackRox integrates with every stage of the container lifecycle: build, deploy and runtime.
The StackRox Kubernetes Security platform is built on the foundation of the product formerly known as Prevent, which itself was called Mitigate and Apollo. You may find references to these previous names in code or documentation.
Community
You can reach out to us through Slack (#stackrox). For alternative ways, stop by our Community Hub stackrox.io.
For event updates, blogs and other resources follow the StackRox community site at stackrox.io.
For the StackRox Code of Conduct.
To report a vulnerability or bug.
Deploying StackRox
Quick Installation using Helm
StackRox offers quick installation via Helm Charts. Follow the Helm Installation Guide to get the helm CLI on your system.
Then run the helm quick installation script or proceed to section Manual Installation using Helm for configuration options.
/bin/bash <(curl -fsSL https://raw.githubusercontent.com/stackrox/stackrox/master/scripts/quick-helm-install.sh)
A default deployment of StackRox has certain CPU and memory requests and may fail on small (e.g. development) clusters if sufficient resources are not available. You may use the --small command-line option in order to install StackRox on smaller clusters with limited resources. Using this option is not recommended for production deployments.
/bin/bash <(curl -fsSL https://raw.githubusercontent.com/stackrox/stackrox/master/scripts/quick-helm-install.sh) --small
The script adds the StackRox helm repository, generates an admin password, installs stackrox-central-services, creates an init bundle for provisioning stackrox-secured-cluster-services, and finally installs stackrox-secured-cluster-services on the same cluster.
Finally, the script will automatically open the browser and log you into StackRox. A certificate warning may be displayed since the certificate is self-signed. See the Accessing the StackRox User Interface (UI) section to read more about the warnings. After authenticating you can access the dashboard using https://localhost:8000/main/dashboard.
</details>
Manual Installation using Helm
Follow the Helm Installation Guide to get the helm CLI on your system.
Deploying using Helm consists of 4 steps:
- Add the StackRox repository to Helm
- Launch StackRox Central Services using helm
- Create a cluster configuration and a service identity (init bundle)
- Deploy the StackRox Secured Cluster Services using that configuration and those credentials (this step can be done multiple times to add more clusters to the StackRox Central Service)
First, the StackRox Central Services will be added to your Kubernetes cluster. This includes the UI and Scanner. To start, add the stackrox/helm-charts/opensource repository to Helm.
helm repo add stackrox https://raw.githubusercontent.com/stackrox/helm-charts/main/opensource/
To see all available Helm charts in the repo, run the following (you may add the option --devel to show non-release builds as well):
helm search repo stackrox
To install stackrox-central-services, you will need a secure password. This password will be needed later for UI login and when creating an init bundle.
ROX_ADMIN_PASSWORD="$(openssl rand -base64 20 | tr -d '/=+')"
From here, you can install stackrox-central-services to get Central and Scanner components deployed on your cluster.
Note: You need only one deployed instance of stackrox-central-services even if you plan to secure multiple clusters.
To perform the installation, choose one of the following commands depending on your cluster size.
Default Central Installation
If you're installing in a reasonably sized cluster, use the default installation command:
helm upgrade --install -n stackrox --create-namespace stackrox-central-services \
stackrox/stackrox-central-services \
--set central.adminPassword.value="${ROX_ADMIN_PASSWORD}" \
--set central.persistence.none="true"
Central Installation in Clusters With Limited Resources
If you're installing in a single node cluster, or the default installation results in pods stuck pending due to lack of resources, use the following command instead to reduce stackrox-central-services resource requirements. Keep in mind that these reduced resource settings are not suited for a production setup.
helm upgrade --install -n stackrox --create-namespace stackrox-central-services \
stackrox/stackrox-central-services \
--set central.adminPassword.value="${ROX_ADMIN_PASSWORD}" \
--set central.persistence.none="true" \
--set central.resources.requests.memory=1Gi \
--set central.resources.requests.cpu=1 \
--set central.resources.limits.memory=4Gi \
--set central.resources.limits.cpu=1 \
--set central.db.resources.requests.memory=1Gi \
--set central.db.resources.requests.cpu=500m \
--set central.db.resources.limits.memory=4Gi \
--set central.db.resources.limits.cpu=1 \
--set scanner.autoscaling.disable=true \
--set scanner.replicas=1 \
--set scanner.resources.requests.memory=500Mi \
--set scanner.resources.requests.cpu=500m \
--set scanner.resources.limits.memory=2500Mi \
--set scanner.resources.limits.cpu=2000m
</details>
<details><summary>Install StackRox Secured Cluster Services</summary>
Next, the secured cluster component will need to be deployed to collect information from the Kubernetes nodes.
Set a meaningful cluster name for your secured cluster in the CLUSTER_NAME shell variable. The cluster will be identified by this name in the clusters list of the StackRox UI.
CLUSTER_NAME="my-secured-cluster"
Set the endpoint of Central that the Secured Cluster Services should communicate with. If you're deploying stackrox-secured-cluster-services on the same cluster as stackrox-central-services, leave it as shown; otherwise change the value to the endpoint through which Central is accessible.
CENTRAL_ENDPOINT="central.stackrox.svc:443"
Generate an init bundle containing initialization secrets. The init bundle will be saved in stackrox-init-bundle.yaml, and you will use it to provision secured clusters as shown below.
echo "$ROX_ADMIN_PASSWORD" | \
kubectl -n stackrox exec -i deploy/central -- bash -c 'ROX_ADMIN_PASSWORD=$(cat) roxctl --insecure-skip-tls-verify \
central init-bundles generate stackrox-init-bundle --output -' > stackrox-init-bundle.yaml
Then install stackrox-secured-cluster-services (with the init bundle you just generated).
To perform the installation, choose one of the following commands depending on your cluster size.
Default Secured Cluster Services Installation
If you're installing in a reasonably sized cluster, use the default installation command:
helm upgrade --install -n stackrox --create-namespace stackrox-secured-cluster-services \
stackrox/stackrox-secured-cluster-services \
-f stackrox-init-bundle.yaml \
--set clusterName="$CLUSTER_NAME" \
--set centralEndpoint="$CENTRAL_ENDPOINT"
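The steps above pass the admin password as a `--set` argument, which puts it in the helm process's argument list, and redirect the init bundle into a file created with whatever umask the shell has. The following is an added example, not part of the StackRox README: it keeps the password in an owner-only values file passed with `-f` and checks a secrets file before use. The function names and `central-values.yaml` are assumptions.

```bash
# Added example, not from the StackRox README. Function names and the file
# name central-values.yaml are assumptions made for this example.

# Same generator as the README: 20 random bytes, base64, minus '/', '=', '+'.
gen_admin_password() {
  openssl rand -base64 20 | tr -d '/=+'
}

# Read the password from stdin and write Helm values for
# stackrox-central-services to $1, readable by the owner only.
write_central_values() {
  local out="$1" pw
  IFS= read -r pw || [ -n "$pw" ] || return 1
  # Accept only what gen_admin_password can emit, so the value cannot
  # break out of the quoted YAML string.
  case "$pw" in
    ''|*[!A-Za-z0-9]*) echo "password is empty or has unexpected characters" >&2; return 1 ;;
  esac
  # umask only applies to new files, so remove any existing file first.
  ( umask 077; rm -f -- "$out"
    printf 'central:\n  adminPassword:\n    value: "%s"\n  persistence:\n    none: true\n' "$pw" > "$out" )
}

# Refuse a secrets file that is empty or accessible to group/other.
check_secret_file() {
  local f="$1" mode
  [ -s "$f" ] || { echo "$f is missing or empty" >&2; return 1; }
  mode=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
  [ "$mode" = "------" ] || { echo "$f is accessible to group/other" >&2; return 1; }
}

# Usage with the README's commands (needs helm and kubectl, so commented out):
#   ROX_ADMIN_PASSWORD="$(gen_admin_password)"
#   printf '%s\n' "$ROX_ADMIN_PASSWORD" | write_central_values central-values.yaml
#   helm upgrade --install -n stackrox --create-namespace stackrox-central-services \
#     stackrox/stackrox-central-services -f central-values.yaml
#   umask 077   # before redirecting the init bundle to stackrox-init-bundle.yaml
#   check_secret_file stackrox-init-bundle.yaml
```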
Secured Cluster Services Installation in Clusters With Limited Resources
If you're installing in a single node cluster, or the default installation results in pods stuck pending due to lack of resources, use the following command instead to reduce stackrox-secured-cluster-services resource requirements. Keep in mind that these reduced resource settings are not suited for a production setup.
helm upgrade --install -n stackrox --create-namespace stackrox-secured-cluster-services \
stackrox/stackrox-secured-cluster-services \
-f stack
