RHACS Enterprise Deployment: AI-Optimized Technical Reference

Architecture Configuration Requirements

Hub-and-Spoke vs. Federated Central Models

Single Central Hub

• Failure Point: Single point of failure causes complete deployment outage at 3am
• Hardware Requirements: 16+ cores, 32+ GB RAM, 1TB+ storage (budget 2x Red Hat's sizing guide)
• Network Requirements: All clusters need port 443 access to Central
• Scaling Limit: Works until Central fails under load

Regional Central Federation (Recommended for Production)

• Scaling Capacity: Each Central handles 50-150 clusters before performance degradation
• Failure Isolation: Regional failures don't affect other regions
• Network Resilience: Functions during data center connectivity loss
• Mandatory For: Air-gapped clusters, compliance requirements
• Trade-off: More complexity but eliminates single point of failure

Critical Network Architecture

Required Ports:

• Port 443: Sensors to Central (constant communication)
• Port 8443: API access for roxctl and CI/CD
• Port 5432: PostgreSQL (internal only - exposing causes security breach)

Air-Gapped Deployment Challenges:

• Scanner vulnerability database: 50-100GB offline sync required
• Internal CA certificate expiration during critical moments
• Scanner V4 database growth: 50GB to 200GB monthly
• Certificate management complexity increases exponentially

Resource Requirements and Scaling Limits

Production Sizing Matrix

Clusters	Central CPU/RAM	Central Storage	Scanner CPU/RAM	Critical Warnings
50-100	8+ vCPU, 16+ GB	500GB+ (grows fast)	4+ vCPU, 8+ GB	Budget for AWS bill shock
100-200	16+ vCPU, 32+ GB	1TB+ (budget 2TB)	8+ vCPU, 16+ GB	Requires dedicated fast storage
200-500	32+ vCPU, 64+ GB	2TB+ (grows to 5TB)	16+ vCPU, 32+ GB	High-performance SSD mandatory
500+	Regional federation	2TB+ per region	Delegated scanning	Multiple everything required

Performance Breaking Points

Central Database Growth Crisis:

• Symptom: Database balloons to 500GB+ overnight, query timeouts during compliance scans
• Root Cause: Default data retention (365 days) not suitable for production
• Solution: Configure 90-day retention immediately, archive historical data
• Impact: AWS storage bills become CFO concern, executives lose security dashboard access

Scanner Performance Bottlenecks:

• Breaking Point: 500+ images in scan queue causes pipeline delays
• CPU Spike: Compliance scans randomly spike to 100% on deployment days
• Memory Growth: Scanner V4 database: 50GB baseline, exponential growth
• Network Impact: 100 Mbps to 1 Gbps bandwidth consumption during image scanning

Critical Operational Intelligence

Monitoring Requirements (Sleep-at-Night Metrics)

Essential Alerts:

# Critical RHACS metrics for production alerting
- stackrox_central_db_connections: Monitor for connection exhaustion
- stackrox_scanner_queue_length: Alert at 500+ queued images
- stackrox_sensor_last_contact_time: Detect offline sensors
- stackrox_policy_violations_total: Identify cryptominer alert storms
- stackrox_compliance_scan_duration: Database performance indicator

Failure Scenarios:

• Central dies at 3am → Complete deployment paralysis
• Scanner queue floods → CI/CD pipeline delays
• Database vacuum failure → PostgreSQL performance collapse
• Policy violation floods → Alert fatigue, ignored real threats

Disaster Recovery Procedures

Central Database Backup Strategy:

# Automated backup every 6 hours (minimum survival requirement)
kubectl exec -n stackrox central-db-0 -- pg_dump -U postgres stackrox > backup-$(date +%Y%m%d-%H%M).sql

Recovery Time Objectives:

• Central restoration: 2-4 hours from backup
• Sensor reconnection: Automatic within 5 minutes
• Policy cache: 24-48 hours offline operation capability
• Cross-region backup: Multiple AZ storage mandatory

Common Production Failures

Challenge 1: Policy Alert Fatigue

• Failure Mode: Thousands of violations, ignored alerts, security blindness
• Solution Sequence: Start "inform" mode → environment-specific policies → gradual enforcement
• Business Risk: Real threats hidden in noise, compliance failures

Challenge 2: Network Connectivity Hell

• Symptoms: Sensors offline, inconsistent policy enforcement
• Corporate Firewall Problem: Enterprise rules block required ports
• Proxy Configuration: Air-gapped environments need special handling
• Automation Failure: Broken firewall rules cause CI/CD failures

Security Hardening Requirements

Critical Security Controls

Network Segmentation (Non-Negotiable):

• Central cluster network isolation like nuclear launch codes
• Pod Security Standards: Restricted profile enforcement
• Resource quotas prevent resource exhaustion attacks
• No direct SSH access, bastion host only

Certificate Management Failures:

• Common Failure: 3am certificate expiry emergencies
• Rotation Cycle: 90-day rotation for Central TLS
• Air-Gapped Risk: Internal CA certificate management complexity
• Automated Rotation: Mandatory or prepare for weekend disasters

Identity Integration Challenges

RBAC at Scale (500+ Clusters):

• Use Group Sync or identity provider integration
• Avoid cluster-specific RBAC customization
• Standard role templates for common access patterns
• Principle of least privilege for all service accounts

API Security Controls:

• API tokens with limited scope and 90-day expiration
• Rate limiting to prevent abuse
• Comprehensive API access logging
• Automated token rotation processes

Implementation Decision Matrix

Cost vs. Capability Analysis

Cloud Service vs. Self-Managed:

• Self-Managed: Cheaper for 200+ clusters, full operational responsibility
• Cloud Service: Red Hat handles operations, higher cost, less control
• Break-Even Point: Approximately 200 clusters for cost parity
• Compliance Factor: Self-managed often required for air-gapped environments

Common Misconceptions

Sizing Assumptions That Fail:

• Red Hat's sizing guide consistently underestimates by 50-100%
• "8 cores handle 200 clusters" varies wildly by workload
• Storage growth is exponential, not linear
• Network bandwidth impact often overlooked in planning

Operational Complexity Underestimation:

• Scanner V4 stability took significant time to achieve
• Policy management becomes complex at scale
• Certificate management in air-gapped environments exponentially difficult
• Database maintenance becomes full-time operational concern

Resource Investment Reality

Time Requirements

• Initial Deployment: 2-4 weeks for 50+ cluster setup
• Policy Development: 3-6 months to achieve effective enforcement
• Operational Maturity: 6-12 months for stable production operations
• Team Training: DO430 certification recommended, 40-hour time investment

Expertise Requirements

• Kubernetes networking expertise mandatory
• PostgreSQL administration skills critical
• Enterprise identity integration knowledge
• Security policy development experience
• Certificate management automation capabilities

Hidden Costs

• Storage growth 2-5TB annually for large deployments
• Network bandwidth for image scanning operations
• Professional services for complex implementations
• Training and certification for operational teams
• Tool integration and custom automation development

Success Criteria and Validation

Technical Validation

• Central cluster passes CIS Kubernetes benchmarks
• Policy violation false positive rate <5%
• Scanner queue depth <100 images during peak
• Database vacuum operations complete successfully
• Cross-region backup restoration tested quarterly

Operational Validation

• Mean time to recovery <4 hours for Central failure
• Policy update deployment <30 minutes across all clusters
• Compliance report generation <2 hours for 500+ clusters
• Security incident response integration functional
• Automated certificate rotation operational

This technical reference provides the operational intelligence required for successful RHACS enterprise deployment while avoiding common implementation failures that cost time, money, and operational effectiveness.