$ ROXPATH=$(which roxctl) && rm -f $ROXPATH (1)
You can upgrade your secured clusters in RHACS Cloud service by using the roxctl
CLI.
You need to manually upgrade secured clusters only if you used the |
roxctl
CLITo upgrade the roxctl
CLI to the latest version, you must uninstall your current version of the roxctl
CLI and then install the latest version of the roxctl
CLI.
You can uninstall the roxctl
CLI binary on Linux by using the following procedure.
Find and delete the roxctl
binary:
$ ROXPATH=$(which roxctl) && rm -f $ROXPATH (1)
1 | Depending on your environment, you might need administrator rights to delete the roxctl binary. |
You can install the roxctl
CLI binary on Linux by using the following procedure.
|
Determine the roxctl
architecture for the target operating system:
$ arch="$(uname -m | sed "s/x86_64//")"; arch="${arch:+-$arch}"
Download the roxctl
CLI:
$ curl -L -f -o roxctl "https://mirror.openshift.com/pub/rhacs/assets/4.4.5/bin/Linux/roxctl${arch}"
Make the roxctl
binary executable:
$ chmod +x roxctl
Place the roxctl
binary in a directory that is on your PATH
:
To check your PATH
, execute the following command:
$ echo $PATH
Verify the roxctl
version you have installed:
$ roxctl version
You can install the roxctl
CLI binary on macOS by using the following procedure.
|
Download the roxctl
CLI:
$ curl -L -f -o roxctl "https://mirror.openshift.com/pub/rhacs/assets/4.4.5/bin/Darwin/roxctl${arch}"
Remove all extended attributes from the binary:
$ xattr -c roxctl
Make the roxctl
binary executable:
$ chmod +x roxctl
Place the roxctl
binary in a directory that is on your PATH
:
To check your PATH
, execute the following command:
$ echo $PATH
Verify the roxctl
version you have installed:
$ roxctl version
You can install the roxctl
CLI binary on Windows by using the following procedure.
|
Download the roxctl
CLI:
$ curl -f -O https://mirror.openshift.com/pub/rhacs/assets/4.4.5/bin/Windows/roxctl.exe
Verify the roxctl
version you have installed:
$ roxctl version
To ensure optimal functionality, use the same RHACS version for your secured clusters that RHACS Cloud service is running. If you are using automatic upgrades, update all your secured clusters by using automatic upgrades. If you are not using automatic upgrades, complete the instructions in this section on all secured clusters. |
To complete manual upgrades of each secured cluster running Sensor, Collector, and Admission controller, follow these instructions.
You must update the sensor, collector and compliance images on each secured cluster when not using automatic upgrades.
If you are using Kubernetes, use |
Update the Sensor image:
$ oc -n stackrox set image deploy/sensor sensor=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.4.5 (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
Update the Compliance image:
$ oc -n stackrox set image ds/collector compliance=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.4.5 (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
Update the Collector image:
$ oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.4.5 (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
If you are using the collector slim image, run the following command instead:
|
Update the admission control image:
$ oc -n stackrox set image deploy/admission-control admission-control=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.4.5
If you have installed RHACS on Red Hat OpenShift by using the For more information, see "Migrating SCCs during the manual upgrade" in the "Additional resources" section. |
By migrating the security context constraints (SCCs) during the manual upgrade by using roxctl
CLI, you can seamlessly transition the Red Hat Advanced Cluster Security for Kubernetes (RHACS) services to use the Red Hat OpenShift SCCs, ensuring compatibility and optimal security configurations across Central and all secured clusters.
List all of the RHACS services that are deployed on all secured clusters:
$ oc -n stackrox describe pods | grep 'openshift.io/scc\|^Name:'
Name: admission-control-6f4dcc6b4c-2phwd
openshift.io/scc: stackrox-admission-control
#...
Name: central-575487bfcb-sjdx8
openshift.io/scc: stackrox-central
Name: central-db-7c7885bb-6bgbd
openshift.io/scc: stackrox-central-db
Name: collector-56nkr
openshift.io/scc: stackrox-collector
#...
Name: scanner-68fc55b599-f2wm6
openshift.io/scc: stackrox-scanner
Name: scanner-68fc55b599-fztlh
#...
Name: sensor-84545f86b7-xgdwf
openshift.io/scc: stackrox-sensor
#...
In this example, you can see that each pod has its own custom SCC, which is specified through the openshift.io/scc
field.
Add the required roles and role bindings to use the Red Hat OpenShift SCCs instead of the RHACS custom SCCs.
To add the required roles and role bindings to use the Red Hat OpenShift SCCs for all secured clusters, complete the following steps:
Create a file named upgrade-scs.yaml
that defines the role and role binding resources by using the following content:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role (1)
metadata:
annotations:
email: support@stackrox.com
owner: stackrox
labels:
app.kubernetes.io/component: collector
app.kubernetes.io/instance: stackrox-secured-cluster-services
app.kubernetes.io/name: stackrox
app.kubernetes.io/part-of: stackrox-secured-cluster-services
app.kubernetes.io/version: 4.4.0
auto-upgrade.stackrox.io/component: sensor
name: use-privileged-scc (2)
namespace: stackrox (3)
rules: (4)
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
- - -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding (5)
metadata:
annotations:
email: support@stackrox.com
owner: stackrox
labels:
app.kubernetes.io/component: collector
app.kubernetes.io/instance: stackrox-secured-cluster-services
app.kubernetes.io/name: stackrox
app.kubernetes.io/part-of: stackrox-secured-cluster-services
app.kubernetes.io/version: 4.4.0
auto-upgrade.stackrox.io/component: sensor
name: collector-use-scc (6)
namespace: stackrox
roleRef: (7)
apiGroup: rbac.authorization.k8s.io
kind: Role
name: use-privileged-scc
subjects: (8)
- kind: serviceAccount
name: collector
namespace: stackrox
- - -
1 | The type of Kubernetes resource, in this example, Role . |
2 | The name of the role resource. |
3 | The namespace in which the role is created. |
4 | Describes the permissions granted by the role resource. |
5 | The type of Kubernetes resource, in this example, RoleBinding . |
6 | The name of the role binding resource. |
7 | Specifies the role to bind in the same namespace. |
8 | Specifies the subjects that are bound to the role. |
Create the role and role binding resources specified in the upgrade-scs.yaml
file by running the following command:
$ oc -n stackrox create -f ./update-scs.yaml
You must run this command on each secured cluster to create the role and role bindings specified in the |
Delete the SCCs that are specific to RHACS:
To delete the SCCs that are specific to all secured clusters, run the following command:
$ oc delete scc/stackrox-admission-control scc/stackrox-collector scc/stackrox-sensor
You must run this command on each secured cluster to delete the SCCs that are specific to each secured cluster. |
Ensure that all the pods are using the correct SCCs by running the following command:
$ oc -n stackrox describe pods | grep 'openshift.io/scc\|^Name:'
Compare the output with the following table:
Component | Previous custom SCC | New Red Hat OpenShift 4 SCC |
---|---|---|
Central |
|
|
Central-db |
|
|
Scanner |
|
|
Scanner-db |
|
|
Admission Controller |
|
|
Collector |
|
|
Sensor |
|
|
Upgrading to version 4.4 requires that you manually replace the GOMEMLIMIT
environment variable with the ROX_MEMLIMIT
environment variable. You must edit this variable for each deployment.
Run the following command to edit the variable for the Sensor deployment:
$ oc -n stackrox edit deploy/sensor (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
Replace the GOMEMLIMIT
variable with ROX_MEMLIMIT
.
Save the file.
Upgrading to version 4.4 requires that you manually replace the GOMEMLIMIT
environment variable with the ROX_MEMLIMIT
environment variable. You must edit this variable for each deployment.
Run the following command to edit the variable for the Collector deployment:
$ oc -n stackrox edit deploy/collector (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
Replace the GOMEMLIMIT
variable with ROX_MEMLIMIT
.
Save the file.
Upgrading to version 4.4 requires that you manually replace the GOMEMLIMIT
environment variable with the ROX_MEMLIMIT
environment variable. You must edit this variable for each deployment.
Run the following command to edit the variable for the Admission Controller deployment:
$ oc -n stackrox edit deploy/admission-control (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
Replace the GOMEMLIMIT
variable with ROX_MEMLIMIT
.
Save the file.
After you have upgraded secured clusters, verify that the updated pods are working.
Check that the new pods have deployed:
$ oc get deploy,ds -n stackrox -o wide (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
$ oc get pod -n stackrox --watch (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
If you use OpenShift Container Platform, you can enable scanning of Red Hat Enterprise Linux CoreOS (RHCOS) nodes for vulnerabilities by using Red Hat Advanced Cluster Security for Kubernetes (RHACS).
For scanning RHCOS node hosts of the Secured cluster, you must have installed Secured cluster on OpenShift Container Platform 4.11 or later. For information about supported platforms and architecture, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix. For life cycle support information for RHACS, see the Red Hat Advanced Cluster Security for Kubernetes Support Policy.
Run one of the following commands to update the compliance container.
For a default compliance container with metrics disabled, run the following command:
$ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":"disabled"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
For a compliance container with Prometheus metrics enabled, run the following command:
$ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":":9091"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
Update the Collector DaemonSet (DS) by taking the following steps:
Add new volume mounts to Collector DS by running the following command:
$ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"volumes":[{"name":"tmp-volume","emptyDir":{}},{"name":"cache-volume","emptyDir":{"sizeLimit":"200Mi"}}]}}}}'
Add the new NodeScanner
container by running the following command:
$ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"command":["/scanner","--nodeinventory","--config=",""],"env":[{"name":"ROX_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"ROX_CLAIR_V4_SCANNING","value":"true"},{"name":"ROX_COMPLIANCE_OPERATOR_INTEGRATION","value":"true"},{"name":"ROX_CSV_EXPORT","value":"false"},{"name":"ROX_DECLARATIVE_CONFIGURATION","value":"false"},{"name":"ROX_INTEGRATIONS_AS_CONFIG","value":"false"},{"name":"ROX_NETPOL_FIELDS","value":"true"},{"name":"ROX_NETWORK_DETECTION_BASELINE_SIMULATION","value":"true"},{"name":"ROX_NETWORK_GRAPH_PATTERNFLY","value":"true"},{"name":"ROX_NODE_SCANNING_CACHE_TIME","value":"3h36m"},{"name":"ROX_NODE_SCANNING_INITIAL_BACKOFF","value":"30s"},{"name":"ROX_NODE_SCANNING_MAX_BACKOFF","value":"5m"},{"name":"ROX_PROCESSES_LISTENING_ON_PORT","value":"false"},{"name":"ROX_QUAY_ROBOT_ACCOUNTS","value":"true"},{"name":"ROX_ROXCTL_NETPOL_GENERATE","value":"true"},{"name":"ROX_SOURCED_AUTOGENERATED_INTEGRATIONS","value":"false"},{"name":"ROX_SYSLOG_EXTRA_FIELDS","value":"true"},{"name":"ROX_SYSTEM_HEALTH_PF","value":"false"},{"name":"ROX_VULN_MGMT_WORKLOAD_CVES","value":"false"}],"image":"registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.4.5","imagePullPolicy":"IfNotPresent","name":"node-inventory","ports":[{"containerPort":8444,"name":"grpc","protocol":"TCP"}],"volumeMounts":[{"mountPath":"/host","name":"host-root-ro","readOnly":true},{"mountPath":"/tmp/","name":"tmp-volume"},{"mountPath":"/cache","name":"cache-volume"}]}]}}}}'