Chapter 3. Manually upgrading using the roxctl CLI
You can upgrade to the latest version of Red Hat Advanced Cluster Security for Kubernetes (RHACS) from a supported older version.
-
You need to perform the manual upgrade procedure only if you used the
roxctl
CLI to install RHACS. - For upgrading to RHACS 4.0, you must be using the latest patch release of RHACS 3.74. If you are using an older version, you must first upgrade to RHACS 3.74 before upgrading to RHACS 4.0.
To upgrade Red Hat Advanced Cluster Security for Kubernetes to the latest version, you must perform the following:
- Backup the Central database
-
Upgrade the
roxctl
CLI - Generate Central database provisioning bundle
- Upgrade Central
- Upgrade Scanner
- Verify all the upgraded secured clusters
3.1. Backing up the Central database Copy linkLink copied to clipboard!
You can back up the Central database and use that backup for rolling back from a failed upgrade or data restoration in the case of an infrastructure disaster.
Prerequisites
-
You must have an API token with
read
permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. The Analyst system role hasread
permissions for all resources. -
You have installed the
roxctl
CLI. -
You have configured the
ROX_API_TOKEN
and theROX_CENTRAL_ADDRESS
environment variables.
Procedure
Run the backup command:
roxctl -e "$ROX_CENTRAL_ADDRESS" central backup
$ roxctl -e "$ROX_CENTRAL_ADDRESS" central backup
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.2. Upgrading the roxctl CLI Copy linkLink copied to clipboard!
To upgrade the roxctl
CLI to the latest version you must uninstall the existing version of roxctl
CLI and then install the latest version of the roxctl
CLI.
3.2.1. Uninstalling the roxctl CLI Copy linkLink copied to clipboard!
You can uninstall the roxctl
CLI binary on Linux by using the following procedure.
Procedure
Find and delete the
roxctl
binary:ROXPATH=$(which roxctl) && rm -f $ROXPATH
$ ROXPATH=$(which roxctl) && rm -f $ROXPATH
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- Depending on your environment, you might need administrator rights to delete the
roxctl
binary.
3.2.2. Installing the roxctl CLI on Linux Copy linkLink copied to clipboard!
You can install the roxctl
CLI binary on Linux by using the following procedure.
Procedure
Download the latest version of the
roxctl
CLI:curl -O https://mirror.openshift.com/pub/rhacs/assets/4.0.5/bin/Linux/roxctl
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/4.0.5/bin/Linux/roxctl
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Make the
roxctl
binary executable:chmod +x roxctl
$ chmod +x roxctl
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Place the
roxctl
binary in a directory that is on yourPATH
:To check your
PATH
, execute the following command:echo $PATH
$ echo $PATH
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Verify the
roxctl
version you have installed:roxctl version
$ roxctl version
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.2.3. Installing the roxctl CLI on macOS Copy linkLink copied to clipboard!
You can install the roxctl
CLI binary on macOS by using the following procedure.
Procedure
Download the latest version of the
roxctl
CLI:curl -O https://mirror.openshift.com/pub/rhacs/assets/4.0.5/bin/Darwin/roxctl
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/4.0.5/bin/Darwin/roxctl
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Remove all extended attributes from the binary:
xattr -c roxctl
$ xattr -c roxctl
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Make the
roxctl
binary executable:chmod +x roxctl
$ chmod +x roxctl
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Place the
roxctl
binary in a directory that is on yourPATH
:To check your
PATH
, execute the following command:echo $PATH
$ echo $PATH
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Verify the
roxctl
version you have installed:roxctl version
$ roxctl version
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.2.4. Installing the roxctl CLI on Windows Copy linkLink copied to clipboard!
You can install the roxctl
CLI binary on Windows by using the following procedure.
Procedure
Download the latest version of the
roxctl
CLI:curl -O https://mirror.openshift.com/pub/rhacs/assets/4.0.5/bin/Windows/roxctl.exe
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/4.0.5/bin/Windows/roxctl.exe
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Verify the
roxctl
version you have installed:roxctl version
$ roxctl version
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3. Generating Central database provisioning bundle Copy linkLink copied to clipboard!
Before upgrading Central you must first generate a database provisioning bundle. This bundle is a tar
archive that has a README file, a few YAML configuration files, and some scripts that aid in the installation process.
Prerequisites
-
You must have an API token with the
Admin
role. -
You must have installed the
roxctl
CLI.
Procedure
Set the
ROX_API_TOKEN
and theROX_CENTRAL_ADDRESS
environment variables:export ROX_API_TOKEN=<api_token>
$ export ROX_API_TOKEN=<api_token>
Copy to Clipboard Copied! Toggle word wrap Toggle overflow export ROX_CENTRAL_ADDRESS=<address>:<port_number>
$ export ROX_CENTRAL_ADDRESS=<address>:<port_number>
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Run the
central db generate
command:roxctl -e $ROX_CENTRAL_ADDRESS central db generate \ <cluster_type> \ <storage> \ --output-dir <bundle_dir> \ --central-db-image registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8:4.0.5
$ roxctl -e $ROX_CENTRAL_ADDRESS central db generate \ <cluster_type> \
1 <storage> \
2 --output-dir <bundle_dir> \
3 --central-db-image registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8:4.0.5
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
cluster-type
is the type of your cluster, specifyk8s
for Kubernetes andopenshift
for OpenShift Container Platform.- 2
- For
storage
, specifyhostpath
orpvc
. If you usepvc
you can use additional options to specify volume name, size, and storage class. Run$ roxctl central db generate openshift pvc -h
for more details. - 3
- For
bundle-dir
specify the path where you want to save the generated provisioning bundle.
Next Step
- Use the Central DB provisioning bundle to create additional resources.
3.4. Creating resources by using the Central DB provisioning bundle Copy linkLink copied to clipboard!
Before you upgrade the Central cluster, you must use the Central DB provisioning bundle to create additional resources that the Central cluster requires. This bundle is a tar
archive that has a README file, a few YAML configuration files, and some scripts that aid in the installation process.
Prerequisites
- You must have generated a Central DB provisioning bundle.
-
You must have extracted the
tar
archive bundle.
Procedure
Open the extracted bundle directory and run the
setup
script:./scripts/setup.sh
$ ./scripts/setup.sh
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Run the
deploy-central-db
script:./deploy-central-db.sh
$ ./deploy-central-db.sh
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.5. Upgrading the Central cluster Copy linkLink copied to clipboard!
After you have created a backup of the Central database and generated the necessary resources by using the provisioning bundle, the next step is to upgrade the Central cluster. This process involves upgrading Central and Scanner.
3.5.1. Upgrading Central Copy linkLink copied to clipboard!
You can update Central to the latest version by downloading and deploying the updated images.
Procedure
Run the following command to update the Central image:
oc -n stackrox set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.0.5
$ oc -n stackrox set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.0.5
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
Verification
Verify that the new pods have deployed:
oc get deploy -n stackrox -o wide
$ oc get deploy -n stackrox -o wide
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc get pod -n stackrox --watch
$ oc get pod -n stackrox --watch
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.5.2. Upgrading Central Copy linkLink copied to clipboard!
You can update Scanner to the latest version by downloading and deploying the updated images.
Procedure
Run the following command to update the Scanner image:
oc -n stackrox set image deploy/scanner scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.0.5
$ oc -n stackrox set image deploy/scanner scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.0.5
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
Verification
Verify that the new pods have deployed:
oc get deploy -n stackrox -o wide
$ oc get deploy -n stackrox -o wide
Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc get pod -n stackrox --watch
$ oc get pod -n stackrox --watch
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.5.3. Verifying the Central cluster upgrade Copy linkLink copied to clipboard!
After you have upgraded both Central and Scanner, verify that the Central cluster upgrade is complete.
Procedure
Check the Central logs by running the following command:
oc logs -n stackrox deploy/central -c central
$ oc logs -n stackrox deploy/central -c central
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
Sample output of a successful upgrade
3.6. Upgrading all secured clusters Copy linkLink copied to clipboard!
After upgrading Central services, you must upgrade all secured clusters.
If you are using automatic upgrades:
- Update all your secured clusters by using automatic upgrades.
- Skip the instructions in this section and follow the instructions in the Verify upgrades and Revoking the API token sections.
If you are not using automatic upgrades, you must run the instructions in this section on all secured clusters including the Central cluster.
- To ensure optimal functionality, use the same RHACS version for your secured clusters and the cluster on which Central is installed.
To complete manual upgrades of each secured cluster running Sensor, Collector, and Admission controller, follow the instructions in this section.
3.6.1. Updating other images Copy linkLink copied to clipboard!
You must update the sensor, collector and compliance images on each secured cluster when not using automatic upgrades.
If you are using Kubernetes, use kubectl
instead of oc
for the commands listed in this procedure.
Procedure
Update the Sensor image:
oc -n stackrox set image deploy/sensor sensor=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.0.5
$ oc -n stackrox set image deploy/sensor sensor=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.0.5
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
Update the Compliance image:
oc -n stackrox set image ds/collector compliance=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.0.5
$ oc -n stackrox set image ds/collector compliance=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.0.5
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
Update the Collector image:
oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.0.5
$ oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.0.5
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
NoteIf you are using the collector slim image, run the following command instead:
oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:{rhacs-version}
$ oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:{rhacs-version}
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Update the admission control image:
oc -n stackrox set image deploy/admission-control admission-control=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.0.5
$ oc -n stackrox set image deploy/admission-control admission-control=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.0.5
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.6.2. Verifying secured cluster upgrade Copy linkLink copied to clipboard!
After you have upgraded secured clusters, verify that the updated pods are working.
Procedure
Check that the new pods have deployed:
oc get deploy,ds -n stackrox -o wide
$ oc get deploy,ds -n stackrox -o wide
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
oc get pod -n stackrox --watch
$ oc get pod -n stackrox --watch
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
3.6.3. Enabling RHCOS node scanning Copy linkLink copied to clipboard!
If you use OpenShift Container Platform, you can enable scanning of Red Hat Enterprise Linux CoreOS (RHCOS) nodes for vulnerabilities by using Red Hat Advanced Cluster Security for Kubernetes (RHACS).
Prerequisites
- For scanning RHCOS node hosts of the Secured cluster, you must have installed Secured cluster on OpenShift Container Platform 4.10 or later. For more information on supported managed and self-managed OpenShift Container Platform versions, see Red Hat Advanced Cluster Security for Kubernetes Support Policy.
Procedure
Run one of the following commands to update the compliance container.
For a default compliance container with metrics disabled, run the following command:
oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":"disabled"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
$ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":"disabled"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
Copy to Clipboard Copied! Toggle word wrap Toggle overflow For a compliance container with Prometheus metrics enabled, run the following command:
oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":":9091"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
$ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":":9091"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Update the Collector DaemonSet (DS) by taking the following steps:
Add new volume mounts to Collector DS by running the following command:
oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"volumes":[{"name":"tmp-volume","emptyDir":{}},{"name":"cache-volume","emptyDir":{"sizeLimit":"200Mi"}}]}}}}'
$ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"volumes":[{"name":"tmp-volume","emptyDir":{}},{"name":"cache-volume","emptyDir":{"sizeLimit":"200Mi"}}]}}}}'
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Add the new
NodeScanner
container by running the following command:oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"command":["/scanner","--nodeinventory","--config=",""],"env":[{"name":"ROX_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"ROX_CLAIR_V4_SCANNING","value":"true"},{"name":"ROX_COMPLIANCE_OPERATOR_INTEGRATION","value":"true"},{"name":"ROX_CSV_EXPORT","value":"false"},{"name":"ROX_DECLARATIVE_CONFIGURATION","value":"false"},{"name":"ROX_INTEGRATIONS_AS_CONFIG","value":"false"},{"name":"ROX_NETPOL_FIELDS","value":"true"},{"name":"ROX_NETWORK_DETECTION_BASELINE_SIMULATION","value":"true"},{"name":"ROX_NETWORK_GRAPH_PATTERNFLY","value":"true"},{"name":"ROX_NODE_SCANNING_CACHE_TIME","value":"3h36m"},{"name":"ROX_NODE_SCANNING_INITIAL_BACKOFF","value":"30s"},{"name":"ROX_NODE_SCANNING_MAX_BACKOFF","value":"5m"},{"name":"ROX_PROCESSES_LISTENING_ON_PORT","value":"false"},{"name":"ROX_QUAY_ROBOT_ACCOUNTS","value":"true"},{"name":"ROX_ROXCTL_NETPOL_GENERATE","value":"true"},{"name":"ROX_SOURCED_AUTOGENERATED_INTEGRATIONS","value":"false"},{"name":"ROX_SYSLOG_EXTRA_FIELDS","value":"true"},{"name":"ROX_SYSTEM_HEALTH_PF","value":"false"},{"name":"ROX_VULN_MGMT_WORKLOAD_CVES","value":"false"}],"image":"registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.0.5","imagePullPolicy":"IfNotPresent","name":"node-inventory","ports":[{"containerPort":8444,"name":"grpc","protocol":"TCP"}],"volumeMounts":[{"mountPath":"/host","name":"host-root-ro","readOnly":true},{"mountPath":"/tmp/","name":"tmp-volume"},{"mountPath":"/cache","name":"cache-volume"}]}]}}}}'
$ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"command":["/scanner","--nodeinventory","--config=",""],"env":[{"name":"ROX_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"ROX_CLAIR_V4_SCANNING","value":"true"},{"name":"ROX_COMPLIANCE_OPERATOR_INTEGRATION","value":"true"},{"name":"ROX_CSV_EXPORT","value":"false"},{"name":"ROX_DECLARATIVE_CONFIGURATION","value":"false"},{"name":"ROX_INTEGRATIONS_AS_CONFIG","value":"false"},{"name":"ROX_NETPOL_FIELDS","value":"true"},{"name":"ROX_NETWORK_DETECTION_BASELINE_SIMULATION","value":"true"},{"name":"ROX_NETWORK_GRAPH_PATTERNFLY","value":"true"},{"name":"ROX_NODE_SCANNING_CACHE_TIME","value":"3h36m"},{"name":"ROX_NODE_SCANNING_INITIAL_BACKOFF","value":"30s"},{"name":"ROX_NODE_SCANNING_MAX_BACKOFF","value":"5m"},{"name":"ROX_PROCESSES_LISTENING_ON_PORT","value":"false"},{"name":"ROX_QUAY_ROBOT_ACCOUNTS","value":"true"},{"name":"ROX_ROXCTL_NETPOL_GENERATE","value":"true"},{"name":"ROX_SOURCED_AUTOGENERATED_INTEGRATIONS","value":"false"},{"name":"ROX_SYSLOG_EXTRA_FIELDS","value":"true"},{"name":"ROX_SYSTEM_HEALTH_PF","value":"false"},{"name":"ROX_VULN_MGMT_WORKLOAD_CVES","value":"false"}],"image":"registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.0.5","imagePullPolicy":"IfNotPresent","name":"node-inventory","ports":[{"containerPort":8444,"name":"grpc","protocol":"TCP"}],"volumeMounts":[{"mountPath":"/host","name":"host-root-ro","readOnly":true},{"mountPath":"/tmp/","name":"tmp-volume"},{"mountPath":"/cache","name":"cache-volume"}]}]}}}}'
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.7. Rolling back Central Copy linkLink copied to clipboard!
You can roll back to a previous version of Central if the upgrade to a new version is unsuccessful.
3.7.1. Rolling back Central normally Copy linkLink copied to clipboard!
You can roll back to a previous version of Central if upgrading Red Hat Advanced Cluster Security for Kubernetes fails.
Prerequisites
- Before you can perform a rollback, you must have free disk space available on your persistent storage. Red Hat Advanced Cluster Security for Kubernetes uses disk space to keep a copy of databases during the upgrade. If the disk space is not enough to store a copy and the upgrade fails, you might not be able to roll back to an earlier version.
Procedure
Run the following command to roll back to a previous version when an upgrade fails (before the Central service starts):
oc -n stackrox rollout undo deploy/central
$ oc -n stackrox rollout undo deploy/central
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
3.7.2. Rolling back Central forcefully Copy linkLink copied to clipboard!
You can use forced rollback to roll back to an earlier version of Central (after the Central service starts).
Using forced rollback to switch back to a previous version might result in loss of data and functionality.
Prerequisites
- Before you can perform a rollback, you must have free disk space available on your persistent storage. Red Hat Advanced Cluster Security for Kubernetes uses disk space to keep a copy of databases during the upgrade. If the disk space is not enough to store a copy and the upgrade fails, you will not be able to roll back to an earlier version.
Procedure
Run the following commands to perform a forced rollback:
To forcefully rollback to the previously installed version:
oc -n stackrox rollout undo deploy/central
$ oc -n stackrox rollout undo deploy/central
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
To forcefully rollback to a specific version:
Edit Central’s
ConfigMap
:oc -n stackrox edit configmap/central-config
$ oc -n stackrox edit configmap/central-config
1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
Update the value of the
maintenance.forceRollbackVersion
key:Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- Specify the version that you want to roll back to.
Update the Central image version:
oc -n stackrox \ set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<x.x.x.x>
$ oc -n stackrox \
1 set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<x.x.x.x>
2 Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.8. Verifying upgrades Copy linkLink copied to clipboard!
The updated Sensors and Collectors continue to report the latest data from each secured cluster.
The last time Sensor contacted Central is visible in the RHACS portal.
Procedure
-
On the RHACS portal, navigate to Platform Configuration
System Health. - Check to ensure that Sensor Upgrade shows clusters up to date with Central.
3.9. Revoking the API token Copy linkLink copied to clipboard!
For security reasons, Red Hat recommends that you revoke the API token that you have used to complete Central database backup.
Prerequisites
- After the upgrade, you must reload the RHACS portal page and re-accept the certificate to continue using the RHACS portal.
Procedure
-
On the RHACS portal, navigate to Platform Configuration
Integrations. - Scroll down to the Authentication Tokens category, and click API Token.
- Select the checkbox in front of the token name that you want to revoke.
- Click Revoke.
- On the confirmation dialog box, click Confirm.