# Operator Catalog (Red Hat only)
Per DECISION #024, only Red Hat operators are used on any of the four POC clusters. No community operators, no CRD-as-a-service from untrusted sources.
Before installing each operator, check the Red Hat ecosystem catalog / OperatorHub to verify the currently-recommended channel + CSV version. Channel names below are accurate as of 2026-04-24 but may shift — always reconfirm at install time.
## Install sources

| Source | Scope |
|---|---|
| redhat-operators | Red Hat-supported operators (primary source for the entries below) |
| certified-operators | Red Hat-certified partner operators (allowed per DECISION #024, treat like Red Hat) |
| community-operators | ❌ Disabled: not trusted |
| redhat-marketplace | ❌ Skip: entitles us differently; stick with redhat-operators |

Cluster-wide block: set the `OperatorHub` CR to disable the community-operators and redhat-marketplace sources. See the baseline policy `policies/operator-sources.yaml` in the GitOps repo.
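An added example (not the repo's own `policies/operator-sources.yaml`) of what that cluster-wide block looks like: the default `OperatorHub` CR leaves every catalog source enabled, so the two untrusted sources are disabled explicitly while `redhat-operators` and `certified-operators` stay available.

```yaml
# Added example, not the project's policies/operator-sources.yaml.
# The OperatorHub CR is a cluster singleton named "cluster"; the marketplace
# operator deletes the CatalogSource of any source marked disabled here.
apiVersion: config.openshift.io/v1
kind: OperatorHub
metadata:
  name: cluster
spec:
  # Keep the remaining default sources (redhat-operators, certified-operators).
  disableAllDefaultSources: false
  sources:
    # DECISION #024: community content is not trusted on any POC cluster.
    - name: community-operators
      disabled: true
    # Different entitlement model; everything we need is in redhat-operators.
    - name: redhat-marketplace
      disabled: true
```

After it is applied, `oc get catalogsource -n openshift-marketplace` should list only `redhat-operators` and `certified-operators`; a Subscription that still names `community-operators` will then sit unresolved instead of installing.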
## Hub-cluster operators (hub-dc + hub-dr)

Everything below is deployed via GitOps. Each entry is a Subscription CR committed to `components/_base/<operator-slug>/` in `openshift-platform-gitops`.

| Operator | Source | Channel (verify) | Install namespace | CSV pin (verify) | Purpose |
|---|---|---|---|---|---|
| Advanced Cluster Management | redhat-operators | release-2.13 | open-cluster-management | e.g. advanced-cluster-management.v2.13.x | Multi-cluster management, policy engine, pull-mode ArgoCD integration |
| Advanced Cluster Security (ACS) | redhat-operators | stable | rhacs-operator | latest stable CSV | ACS Central: policy engine, image scanning, deployment admission |
| Red Hat OpenShift GitOps | redhat-operators | gitops-1.18 | openshift-gitops-operator | openshift-gitops-operator.v1.18.x | ArgoCD instance, ApplicationSet controller, multi-cluster CD |
| Compliance Operator | redhat-operators | stable | openshift-compliance | latest stable CSV | OpenSCAP-based compliance scans (PCI-DSS, CIS) |
| Cluster Observability Operator (COO) | redhat-operators | stable | openshift-cluster-observability-operator | latest stable CSV | Monitoring stack (Prometheus + Thanos + aggregated metrics) |
| Red Hat Build of Keycloak (RHBK) | redhat-operators | stable-v26 | keycloak | rhbk-operator.v26.x | OIDC IdP for all 4 clusters (replaces community Keycloak) |
| Red Hat Logging / Loki | redhat-operators | stable-6 | openshift-logging | latest stable CSV | Cluster logging + forwarder (complements OTel) |
| Red Hat Gatekeeper Operator | redhat-operators | stable | openshift-gatekeeper-system | gatekeeper-operator-product.v3.21.0 | Admission policies for org rules (labels, naming, resource caps, :latest tag block, mutations); hubs are for policy authoring and ACM propagates to spokes |
| Network Observability Operator | redhat-operators | stable | openshift-netobserv-operator | v1.11.1 (verify) | eBPF network flow collection; flow logs to Loki (hub) + OCP console flow-visualization plugin; PCI-friendly traffic audit |
| OADP Operator (OpenShift API for Data Protection) | redhat-operators | stable | openshift-adp | v1.5.5 (verify) | Velero-based backup/restore CR engine; required for ACM BackupSchedule/Restore → MinIO; backs up hub ACM state |
## Spoke-cluster operators (spoke-dc + spoke-dr)

| Operator | Source | Channel (verify) | Install namespace | Purpose |
|---|---|---|---|---|
| Red Hat OpenShift GitOps | redhat-operators | gitops-1.18 | openshift-gitops-operator | Pull-mode ArgoCD agent (receives ManifestWork from hub) |
| Compliance Operator | redhat-operators | stable | openshift-compliance | PCI-DSS + CIS scans on the spoke itself |
| Advanced Cluster Security (secured-cluster) | redhat-operators | stable | rhacs-operator | ACS SecuredCluster sensor (reports to Central on hub) |
| Red Hat AMQ Streams | redhat-operators | stable | openshift-operators | Kafka KRaft for Issue #2 (Red Hat supported Kafka, not community Strimzi) |
| OpenShift Pipelines (Tekton) | redhat-operators | latest (pinned to pipelines-1.22 for reproducibility) | openshift-pipelines | Cloud-native CI/CD; v1.22.0 verified via OperatorHub; for workload CI on spokes (alongside Jenkins on VMs) |
| Network Observability Operator | redhat-operators | stable | openshift-netobserv-operator | CSV pin v1.11.1 (verify) |
| OADP Operator | redhat-operators | stable | openshift-adp | CSV pin v1.5.5 (verify) |
| Red Hat Integration - Schema Registry | redhat-operators | stable | openshift-operators | Confluent/Apicurio Schema Registry alternative (needed for Kafka Issue #2) |
| Crunchy Postgres for OpenShift | certified-operators | v5 | per-namespace | Postgres for WSO2 backend (partner-certified) |
| OpenShift Data Foundation (ODF) | redhat-operators | stable-4.21 | openshift-storage | Block + object storage if workloads need it (may not be needed with 3-node compact spokes; assess Day 1) |
| Red Hat Gatekeeper Operator | redhat-operators | stable | openshift-gatekeeper-system | Enforces org policies propagated from hub via ACM Policy |
## Operator-specific notes

### Advanced Cluster Management for Kubernetes (RHACM)
- Install on hub-dc first; hub-dr is bootstrapped as a managed cluster of hub-dc initially, then promoted to an independent hub on failover.
- After install, create the `MultiClusterHub` CR in the `open-cluster-management` namespace; this triggers all the addons (cluster-backup, application-lifecycle, policy-framework, observability, etc.).
- Version alignment matters: the spoke klusterlet agent version must be compatible with the hub ACM version. `release-2.13` works with OpenShift 4.14+.
### Red Hat Advanced Cluster Security (ACS / StackRox)
- Hub runs `Central` (the management plane).
- Each spoke, and the hub itself, runs a `SecuredCluster` CR; this deploys the Sensor, Collector, and Admission Webhook.
- Initial policies shipped by default cover deploying images with Critical CVEs, privileged containers, etc. Add BRAC POC-specific ones (PCI-DSS-mapped) under `components/_base/acs-central/policies/`.
### OpenShift GitOps
- Channel `gitops-1.18` as of 2026-04-24 (verify latest before install).
- Installing the operator creates a default `openshift-gitops` ArgoCD instance. We customize it via a separate `ArgoCD` CR committed to Git (number of replicas, resource limits, SSO via Keycloak, dex config).
- Pull-mode propagation requires both hub and spokes on the same GitOps version.
### Red Hat Build of Keycloak (RHBK)
- Replaces community Keycloak for BRAC POC per DECISION #024.
- Install the operator; then create a `Keycloak` CR that references a database secret (Crunchy Postgres CR in the same namespace).
- Realm imported via a `KeycloakRealmImport` CR, committed to Git as part of `components/_base/keycloak-realm-brac-poc/`.
- Exposed externally via OCP Route with cert-manager TLS.
### Red Hat AMQ Streams (Kafka)
- Replaces community Strimzi for Kafka Issue #2.
- Deploy a `Kafka` CR (KRaft mode, 3 brokers, 3 controllers) in a dedicated namespace on spoke-dc.
- Schema Registry via the Red Hat Integration operator (separate Subscription).
### Compliance Operator
- Install on all 4 clusters.
- On hubs, primary use: scan the hub itself.
- On spokes, primary use: scan the workload cluster.
- Scans scheduled via `ScanSettingBinding` CRs in Git: one for `pci-dss-4`, one for `ocp4-cis`, both mapped to all clusters via ACM Policy.
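An added example (not the CR committed in the repo) of the `ocp4-cis` binding described above. It references the operator's built-in `default` ScanSetting, so it inherits that setting's schedule and result storage; the `pci-dss-4` binding has the same shape with the PCI profiles, whose exact names should be read from `oc get profiles.compliance -n openshift-compliance` on the target cluster rather than guessed.

```yaml
# Added example of a ScanSettingBinding for the ocp4-cis scan (not the
# repo's committed CR). Must live in the Compliance Operator's namespace.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: ocp4-cis
  namespace: openshift-compliance
profiles:
  # Platform-level CIS checks (API server, RBAC, audit config, ...)
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis
  # Node-level CIS checks (kubelet, file permissions); the operator runs one
  # scan per role covered by the ScanSetting (worker and master by default)
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis-node
settingsRef:
  # "default" is created by the operator and carries the scan schedule and
  # raw-result PVC settings; swap in a custom ScanSetting to change those.
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
```

Once the binding is applied, `oc get compliancesuite,compliancecheckresult -n openshift-compliance` shows the suite it generated and the PASS/FAIL result per rule; FAIL results are what the PCI-DSS evidence pack should be built from.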
### Cluster Observability Operator
- Hubs only.
- Collects metrics cross-cluster via `ThanosQuerier` + `MetricsConsolidation`.
- Presents a unified view of metrics from hub-dc, hub-dr, spoke-dc, spoke-dr.
- Not used for application traces; that's the OpenTelemetry stack on spokes (Issue #6).

### OpenShift Data Foundation (ODF)
- Optional; depends on whether workloads need RWX block/object storage or whether in-cluster storage (local PVs) suffices on 3-node compact spokes.
- If used: install on spokes only; significant resource cost (needs dedicated storage nodes).
- Decision point during Phase 1: measure. If Longhorn/local PV is sufficient for POC scope, skip ODF to save headroom.
## Verification checklist (per operator, before install)

- Channel availability:

  ```
  oc get packagemanifest <operator-name> -n openshift-marketplace \
    -o jsonpath='{.status.channels[*].name}{"\n"}{.status.defaultChannel}'
  ```

  Verify the expected channel is listed and the default matches what we want.

- CSV version pin:

  ```
  oc get packagemanifest <operator-name> -n openshift-marketplace \
    -o jsonpath='{.status.channels[?(@.name=="<channel>")].currentCSV}'
  ```

  Pin this exact CSV in our Subscription manifest for reproducibility.

- Dependencies: check if the operator needs prerequisite operators (e.g., ACS needs the Central operator installed before the SecuredCluster CR; RHBK needs the CNPG/Crunchy Postgres operator).

- Cluster-scoped vs namespace-scoped: matters for where we create the Subscription and whether the `InstallPlan` requires manual approval.
## What NOT to install

- ❌ Community Argo CD (only the Red Hat-packaged OpenShift GitOps)
- ❌ Community Keycloak / Keycloak Operator (only RHBK, the Red Hat Build of Keycloak)
- ❌ Community Prometheus Operator (use COO for hub aggregation; built-in monitoring for in-cluster)
- ❌ Strimzi / open-source Kafka (use Red Hat AMQ Streams)
- ❌ Community Compliance scanners (use the Red Hat Compliance Operator)
- ❌ Helm charts from unvetted third parties; any Helm we use is either a Red Hat chart or an internally reviewed chart committed to `openshift-platform-gitops`

If a needed capability doesn't have a Red Hat operator:

1. Document why (this is a scope/decision item)
2. Raise with Security Lead + Project Lead
3. Consider whether a certified-partner operator covers the gap
4. As a last resort, vendor the manifest into our GitOps repo and submit it for internal review
## How this plan is applied

Each operator is represented in the GitOps repo by a Kustomize base:

```
components/_base/rhacm/
├── kustomization.yaml
├── namespace.yaml
├── operatorgroup.yaml
├── subscription.yaml
├── multiclusterhub.yaml
└── README.md            # install notes, verified channel, CSV pin
```

The relevant ApplicationSet (`hub-platform.yaml` / `spoke-platform.yaml`) references the base through a per-cluster overlay, which can override replica counts or resource limits for DR-site variations.
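As an added example of that base layout (not the repo's actual files), here are the namespace, OperatorGroup and Subscription for `components/_base/rhacm/`, using the channel from the hub table together with the CSV pin and manual InstallPlan approval that the verification checklist asks for. The `startingCSV` value is a placeholder to be replaced with what the `currentCSV` check returns on the day of install.

```yaml
# Added example of components/_base/rhacm/ (not the repo's real files).
# kustomization.yaml would list: namespace.yaml, operatorgroup.yaml,
# subscription.yaml, multiclusterhub.yaml.
# --- namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: open-cluster-management
---
# --- operatorgroup.yaml: ACM installs into its own namespace, so the
# OperatorGroup targets only that namespace (OwnNamespace install mode).
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: open-cluster-management
  namespace: open-cluster-management
spec:
  targetNamespaces:
    - open-cluster-management
---
# --- subscription.yaml
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: advanced-cluster-management
  namespace: open-cluster-management
spec:
  name: advanced-cluster-management      # package name in the catalog
  source: redhat-operators               # never community-operators (DECISION #024)
  sourceNamespace: openshift-marketplace
  channel: release-2.13                  # from the hub table; reconfirm at install time
  # Pin the CSV the checklist returned so a GitOps re-sync on a fresh cluster
  # installs the same version we verified, not whatever the channel head is then.
  startingCSV: advanced-cluster-management.v2.13.x   # PLACEHOLDER: use the real currentCSV
  # Manual approval: OLM creates the InstallPlan for the pinned CSV and for every
  # later channel update, but nothing installs until the plan is approved, so
  # upgrades become an explicit, reviewable change instead of a silent drift.
  installPlanApproval: Manual
```

After the sync, `oc get installplan -n open-cluster-management` shows the pending plan; approving it (via `oc patch installplan <name> -n open-cluster-management --type merge -p '{"spec":{"approved":true}}'` or an ArgoCD sync hook) is the step that actually installs the operator.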
Created: 2026-04-24 · Owner: Project Lead + Security Lead · Status: Draft pending Day-1 channel verification