Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Upgrading

Red Hat Advanced Cluster Security for Kubernetes 4.5

Upgrading Red Hat Advanced Cluster Security for Kubernetes

Red Hat OpenShift Documentation Team

Abstract

This section provides instructions on upgrading Red Hat Advanced Cluster Security for Kubernetes by using Helm charts or the roxctl command-line interface.

Chapter 1. Upgrading by using the Operator

Upgrades through the Red Hat Advanced Cluster Security for Kubernetes (RHACS) Operator are performed automatically or manually, depending on the Update approval option you chose at installation.

Follow these guidelines when upgrading:

  • If the version for Central is earlier than 3.74, you must upgrade to 3.74 before upgrading to a 4.x version. For upgrading Central to version 3.74, see the upgrade documentation for version 3.74.
  • When upgrading Operator-based Central deployments from version 3.74, first ensure the Operator upgrade mode is set to Manual. Then, upgrade the Operator to version 4.0 following the procedure in the upgrade documentation for version 4.0 and ensure that Central is online. After the upgrade to version 4.0 is complete, Red Hat recommends upgrading Central to the latest version for full functionality.

1.1. Preparing to upgrade

Before you upgrade the Red Hat Advanced Cluster Security for Kubernetes (RHACS) version, complete the following steps:

  • If you are upgrading from version 3.74, verify that you are running the latest patch release version of the RHACS Operator 3.74.
  • Backup your existing Central database.
  • If the cluster you are upgrading contains the SecuredCluster custom resource (CR), change the collection method to CORE_BPF. For more information, see "Changing the collection method".

1.1.1. Changing the collection method

If the cluster that you are upgrading contains the SecuredCluster CR, you must ensure that the per node collection setting is set to CORE_BPF before you upgrade.

Procedure

  1. In the OpenShift Container Platform web console, go to the RHACS Operator page.
  2. In the top navigation menu, select Secured Cluster.
  3. Click the instance name, for example, stackrox-secured-cluster-services.

  4. Use one of the following methods to change the setting:

    • In the Form view, under Per Node SettingsCollector SettingsCollection, select CORE_BPF.
    • Click YAML to open the YAML editor and locate the spec.perNode.collector.collection attribute. If the value is KernelModule or EBPF, then change it to CORE_BPF.
  5. Click Save.

1.2. Modifying Central custom resource

The Central DB service requires persistent storage. If you have not configured a default storage class for the Central cluster that is an SSD or is high performance, you must update the Central custom resource to configure the storage class for the Central DB persistent volume claim (PVC).

Note

Skip this section if you have already configured a default storage class for Central.

Procedure

  • Update the central custom resource with the following configuration: 
spec:
  central:
    db:
      isEnabled: Default
1 

      persistence:
        persistentVolumeClaim:
2 

          claimName: central-db
          size: 100Gi
          storageClassName: <storage-class-name>
Copy to Clipboard
1
You must not change the value of IsEnabled to Enabled.
2
If this claim exists, your cluster uses the existing claim, otherwise it creates a new claim.

1.3. Modifying Central custom resource for external database

Prerequisites

  • You must have a database in your database instance that supports PostgreSQL 13 and a user with the following permissions:

    • Connection rights to the database.
    • Usage and Create on the schema.
    • Select, Insert, Update, and Delete on all tables in the schema.
    • Usage on all sequences in the schema.

Procedure

  1. Create a password secret in the deployed namespace by using the OpenShift Container Platform web console or the terminal.

    • On the OpenShift Container Platform web console, go to the WorkloadsSecrets page. Create a Key/Value secret with the key password and the value as the path of a plain text file containing the password for the superuser of the provisioned database.

    • Or, run the following command in your terminal: 

      $ oc create secret generic external-db-password \
      1 
      
  --from-file=password=<password.txt>
      2
      Copy to Clipboard
      1
      If you use Kubernetes, enter kubectl instead of oc.
      2
      Replace password.txt with the path of the file which has the plain text password.
  2. Go to the Red Hat Advanced Cluster Security for Kubernetes operator page in the OpenShift Container Platform web console. Select Central in the top navigation bar and select the instance you want to connect to the database.
  3. Go to the YAML editor view.
  4. For db.passwordSecret.name specify the referenced secret that you created in earlier steps. For example, external-db-password.
  5. For db.connectionString specify the connection string in keyword=value format, for example, host=<host> port=5432 database=stackrox user=stackrox sslmode=verify-ca
  6. For db.persistence delete the entire block.

  7. If necessary, you can specify a Certificate Authority for Central to trust the database certificate by adding a TLS block under the top-level spec, as shown in the following example:

    • Update the central custom resource with the following configuration: 

      spec:
  tls:
    additionalCAs:
    - name: db-ca
      content: |
        <certificate>
  central:
    db:
      isEnabled: Default
      1 
      
      connectionString: "host=<host> port=5432 user=<user> sslmode=verify-ca"
      passwordSecret:
        name: external-db-password
      Copy to Clipboard
      1
      You must not change the value of IsEnabled to Enabled.
  8. Click Save.

1.4. Changing the subscription channel

You can change the update channel for the RHACS Operator by using the OpenShift Container Platform web console or by using the command line. For upgrading to RHACS 4.0 from RHACS 3.74, you must change the update channel.

Important

You must change the subscription channel for all clusters where you installed the RHACS Operator, including Central and all secured clusters.

Prerequisites

  • You must verify that you are using the latest RHACS 3.74 Operator and there are no pending manual Operator upgrades.
  • You must verify that you backed up your Central database.
  • You have access to an OpenShift Container Platform cluster web console using an account with cluster-admin permissions.
Changing the subscription channel by using the web console

Use the following instructions for changing the subscription channel by using the web console:

Procedure

  1. In the Administrator perspective of the OpenShift Container Platform web console, go to OperatorsInstalled Operators.
  2. Click the RHACS Operator.
  3. Click the Subscription tab.
  4. Click the name of the update channel under Update Channel.
  5. Select stable, then click Save.

  6. For subscriptions with an Automatic approval strategy, the update begins automatically. Go back to the OperatorsInstalled Operators page to monitor the progress of the update. When complete, the status changes to Succeeded and Up to date.

    For subscriptions with a Manual approval strategy, you can manually approve the update from the Subscription tab.

Changing the subscription channel by using command line

Use the following instructions for changing the subscription channel by using command line:

Procedure

  • Run the following command to change the subscription channel to stable: 

    $ oc -n rhacs-operator \
    1 
    
  patch subscriptions.operators.coreos.com rhacs-operator \
  --type=merge --patch='{ "spec": { "channel": "stable" }}'
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

During the update, the RHACS Operator provisions a new deployment called central-db and your data begins migrating. It takes around 30 minutes and happens only after you upgrade.

1.5. Removing Central-attached PV after upgrading to version 4.1 and later

Kubernetes and OpenShift Container Platform do not delete persistent volumes (PV) automatically. When you upgrade RHACS from earlier versions, the Central PV called stackrox-db remains mounted. However, in RHACS 4.1, Central does not need the previously attached PV anymore.

The PV has data and persistent files used by earlier RHACS versions. You can use the PV to roll back to an earlier version before RHACS 4.1. Or, if you have a large RocksDB backup bundle for Central, you can use the PV to restore that data.

After you complete the upgrade to 4.1, you can remove the Central-attached persistent volume claim (PVC) to free up the storage. Only remove the PVC if you do not plan to roll back or restore from earlier RocksDB backups.

Warning

After removing PVC, you cannot roll back Central to an earlier version before RHACS 4.1 or restore large RocksDB backups created with RocksDB.

1.5.1. Removing Central-attached PV using the RHACS Operator for RHACS version 4.1 and later

Remove the Central-attached persistent volume claim (PVC) stackrox-db to free up storage space.

Procedure

  • Add the following annotation to Central: 

    annotations:
  platform.stackrox.io/obsolete-central-pvc: "true"
    Copy to Clipboard

Verification

  • Run the following command: 

    $ oc -n stackrox describe pvc stackrox-db | grep -i 'Used By'
Used By: <none>
    1
    Copy to Clipboard
    1
    Wait until you see Used By: <none>. It might take a few minutes.

1.6. Rolling back an Operator upgrade

To roll back an Operator upgrade, you must perform the steps described in one of the following sections. You can roll back an Operator upgrade by using the CLI or the OpenShift Container Platform web console.

Note

If you are rolling back from RHACS 4.0, you can only rollback to the latest patch release version of RHACS 3.74.

1.6.1. Rolling back an Operator upgrade by using the CLI

You can roll back the Operator version by using CLI commands.

Procedure

  1. Delete the OLM subscription by running the following command:

    • For OpenShift Container Platform, run the following command: 

      $ oc -n rhacs-operator delete subscription rhacs-operator
      Copy to Clipboard

    • For Kubernetes, run the following command: 

      $ kubectl -n rhacs-operator delete subscription rhacs-operator
      Copy to Clipboard

  2. Delete the cluster service version (CSV) by running the following command:

    • For OpenShift Container Platform, run the following command: 

      $ oc -n rhacs-operator delete csv -l operators.coreos.com/rhacs-operator.rhacs-operator
      Copy to Clipboard

    • For Kubernetes, run the following command: 

      $ kubectl -n rhacs-operator delete csv -l operators.coreos.com/rhacs-operator.rhacs-operator
      Copy to Clipboard

  3. Determine the previous version you want to roll back to by choosing one of the following options:

    • If the current Central instance is running, query the RHACS API to get the rollback version by running the following command: 

      $ curl -k -s -u <user>:<password> https://<central hostname>/v1/centralhealth/upgradestatus | jq -r .upgradeStatus.forceRollbackTo
      Copy to Clipboard

    • If the current Central instance is not running, perform the following steps:

      Note

      This procedure can only be used for RHACS release 3.74 and earlier when the rocksdb database is installed.

      1. Ensure the Central deployment is scaled down by running the following command:

        • For OpenShift Container Platform, run the following command: 

          $ oc scale -n <central namespace> –replicas=0 deploy/central
          Copy to Clipboard

        • For Kubernetes, run the following command: 

          $ kubectl scale -n <central namespace> –replicas=0 deploy/central
          Copy to Clipboard

      2. Save the following pod spec as a YAML file: 

        apiVersion: v1
kind: Pod
metadata:
  name: get-previous-db-version
spec:
  containers:
  - name: get-previous-db-version
    image: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<rollback version>
    command:
    - sh
    args:
    - '-c'
    - "cat /var/lib/stackrox/.previous/migration_version.yaml | grep '^image:' | cut -f 2 -d : | tr -d ' '"
    volumeMounts:
    - name: stackrox-db
      mountPath: /var/lib/stackrox
  volumes:
  - name: stackrox-db
    persistentVolumeClaim:
      claimName: stackrox-db
        Copy to Clipboard

      3. Create a pod in your Central namespace by running the following command using the YAML file that you saved:

        • For OpenShift Container Platform, run the following command: 

          $ oc create -n <central namespace> -f pod.yaml
          Copy to Clipboard

        • For Kubernetes, run the following command: 

          $ kubectl create -n <central namespace> -f pod.yaml
          Copy to Clipboard

      4. After pod creation is complete, get the version by running the following command:

        • For OpenShift Container Platform, run the following command: 

          $ oc logs -n <central namespace> get-previous-db-version
          Copy to Clipboard

        • For Kubernetes, run the following command: 

          $ kubectl logs -n <central namespace> get-previous-db-version
          Copy to Clipboard

  4. Edit the central-config.yaml ConfigMap to set the maintenance.forceRollBackVersion:<version> parameter by running the following command:

    • For OpenShift Container Platform, run the following command: 

      $ oc get configmap -n <central namespace> central-config -o yaml | sed -e "s/forceRollbackVersion: none/forceRollbackVersion: <version>/" | oc -n <central namespace> apply -f -
      Copy to Clipboard

    • For Kubernetes, run the following command: 

      $ kubectl get configmap -n <central namespace> central-config -o yaml | sed -e "s/forceRollbackVersion: none/forceRollbackVersion: <version>/" | kubectl -n <central namespace> apply -f -
      Copy to Clipboard

  5. Set the image for the Central deployment using the version string shown in Step 3 as the image tag. For example, run the following command:

    • For OpenShift Container Platform, run the following command: 

      $ oc set image -n <central namespace> deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<version>
      Copy to Clipboard

    • For Kubernetes, run the following command: 

      $ kubectl set image -n <central namespace> deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<version>
      Copy to Clipboard

Verification

  1. Ensure that the Central pod starts and has a ready status. If the pod crashes, check the logs to see if the backup was restored. A successful log message appears similar to the following example: 

    Clone to Migrate ".previous", ""
    Copy to Clipboard
  2. Reinstall the Operator on the rolled back channel. For example, 3.74.2 is installed on the rhacs-3.74 channel.

1.6.2. Rolling back an Operator upgrade by using the web console

You can roll back the Operator version by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to an OpenShift Container Platform cluster web console using an account with cluster-admin permissions.

Procedure

  1. Go to the OperatorsInstalled Operators page.
  2. Click the RHACS Operator.
  3. On the Operator Details page, select Uninstall Operator from the Actions list. Following this action, the Operator stops running and no longer receives updates.

  4. Determine the previous version you want to roll back to by choosing one of the following options:

    • If the current Central instance is running, you can query the RHACS API to get the rollback version by running the following command from a terminal window: 

      $ curl -k -s -u <user>:<password> https://<central hostname>/v1/centralhealth/upgradestatus | jq -r .upgradeStatus.forceRollbackTo
      Copy to Clipboard

    • You can create a pod and extract the previous version by performing the following steps:

      Note

      This procedure can only be used for RHACS release 3.74 and earlier when the rocksdb database is installed.

      1. Go to WorkloadsDeploymentscentral.
      2. Under Deployment details, click the down arrow next to the pod count to scale down the pod.

      3. Go to WorkloadsPodsCreate Pod and paste the contents of the pod spec as shown in the following example into the editor: 

        apiVersion: v1
kind: Pod
metadata:
  name: get-previous-db-version
spec:
  containers:
  - name: get-previous-db-version
    image: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<rollback version>
    command:
    - sh
    args:
    - '-c'
    - "cat /var/lib/stackrox/.previous/migration_version.yaml | grep '^image:' | cut -f 2 -d : | tr -d ' '"
    volumeMounts:
    - name: stackrox-db
      mountPath: /var/lib/stackrox
  volumes:
  - name: stackrox-db
    persistentVolumeClaim:
      claimName: stackrox-db
        Copy to Clipboard
      4. Click Create.
      5. After the pod is created, click the Logs tab to get the version string.

  5. Update the rollback configuration by performing the following steps:

    1. Go to WorkloadsConfigMapscentral-config and select Edit ConfigMap from the Actions list.
    2. Find the forceRollbackVersion line in the value of the central-config.yaml key.
    3. Replace none with 3.73.3, and then save the file.

  6. Update Central to the earlier version by performing the following steps:

    1. Go to WorkloadsDeploymentscentral and select Edit Deployment from the Actions list.
    2. Update the image name, and then save the changes.

Verification

  1. Ensure that the Central pod starts and has a ready status. If the pod crashes, check the logs to see if the backup was restored. A successful log message appears similar to the following example: 

    Clone to Migrate ".previous", ""
    Copy to Clipboard
  2. Reinstall the Operator on the rolled back channel. For example, 3.74.2 is installed on the rhacs-3.74 channel.

1.7. Troubleshooting Operator upgrade issues

Follow these instructions to investigate and resolve upgrade-related issues for the RHACS Operator.

1.7.1. Central DB cannot be scheduled

Follow the instructions here to troubleshoot a failing Central DB pod during an upgrade:

  1. Check the status of the central-db pod: 

    $ oc -n <namespace> get pod -l app=central-db
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

  2. If the status of the pod is Pending, use the describe command to get more details: 

    $ oc -n <namespace> describe po/<central-db-pod-name>
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

  3. You might see the FailedScheduling warning message: 

    Type     Reason            Age   From               Message
----     ------            ----  ----               -------
Warning  FailedScheduling  54s   default-scheduler  0/7 nodes are available: 1 Insufficient memory, 3 node(s) had untolerated taint {node-role.kubernetes.io/master: }, 4 Insufficient cpu. preemption: 0/7 nodes are available: 3 Preemption is not helpful for scheduling, 4 No preemption victims found for incoming pod.
    Copy to Clipboard

  4. This warning message suggests that the scheduled node had insufficient memory to accommodate the pod’s resource requirements. If you have a small environment, consider increasing resources on the nodes or adding a larger node that can support the database.

    Otherwise, consider decreasing the resource requirements for the central-db pod in the custom resource under centraldbresources. However, running central with fewer resources than the recommended minimum might lead to degraded performance for RHACS.

1.7.2. Central or Secured cluster fails to deploy

When RHACS Operator has the following conditions, you must check the custom resource conditions to find the issue:

  • If the Operator fails to deploy Central or Secured Cluster
  • If the Operator fails to apply CR changes to actual resources

  • For Central, run the following command to check the conditions: 

    $ oc -n rhacs-operator describe centrals.platform.stackrox.io
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

  • For Secured clusters, run the following command to check the conditions: 

    $ oc -n rhacs-operator describe securedclusters.platform.stackrox.io
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

You can identify configuration errors from the conditions output:

Example output

 Conditions:
    Last Transition Time:  2023-04-19T10:49:57Z
    Status:                False
    Type:                  Deployed
    Last Transition Time:  2023-04-19T10:49:57Z
    Status:                True
    Type:                  Initialized
    Last Transition Time:  2023-04-19T10:59:10Z
    Message:               Deployment.apps "central" is invalid: spec.template.spec.containers[0].resources.requests: Invalid value: "50": must be less than or equal to cpu limit
    Reason:                ReconcileError
    Status:                True
    Type:                  Irreconcilable
    Last Transition Time:  2023-04-19T10:49:57Z
    Message:               No proxy configuration is desired
    Reason:                NoProxyConfig
    Status:                False
    Type:                  ProxyConfigFailed
    Last Transition Time:  2023-04-19T10:49:57Z
    Message:               Deployment.apps "central" is invalid: spec.template.spec.containers[0].resources.requests: Invalid value: "50": must be less than or equal to cpu limit
    Reason:                InstallError
    Status:                True
    Type:                  ReleaseFailed
Copy to Clipboard

Additionally, you can view RHACS pod logs to find more information about the issue. Run the following command to view the logs: 

oc -n rhacs-operator logs deploy/rhacs-operator-controller-manager manager
1
Copy to Clipboard
1
If you use Kubernetes, enter kubectl instead of oc.

Chapter 2. Upgrading using Helm charts

You must follow a specific upgrade path for RHACS depending on the release of RHACS that you are running. You must also back up your Central database before updating the Helm chart and performing the upgrade.

2.1. Upgrade sequence from RHACS release 3.74 and earlier

When upgrading from earlier releases, follow this guidance:

  • If the release for Central is earlier than 3.74, you must upgrade to the latest 3.74 patch before upgrading to a 4.x release. See the upgrade documentation for version 3.74 for information about upgrades from earlier versions to 3.74.
  • To upgrade to release 4.5 or later from release 3.74, you must first upgrade to any latest patch of RHACS version 4.0 through 4.4. Then you can upgrade to release 4.5 or later.

If you have installed RHACS by using Helm charts, to upgrade to the latest version of RHACS perform the following steps:

  1. Back up the Central database.
  2. Optionally, optimize Central’s database and Persistent Volume Claims (PVC).
  3. Optionally, generate a values-private.yaml configuration file containing root certificates for the central-services Helm chart.
  4. Update the Helm chart.
  5. Run the helm upgrade command.
Important

To ensure optimal functionality, use the same version for your secured-cluster-services Helm chart and central-services Helm chart.

2.2. Backing up the Central database

You can back up the Central database and use that backup for rolling back from a failed upgrade or data restoration in the case of an infrastructure disaster.

Prerequisites

  • You must have an API token with read permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. The Analyst system role has read permissions for all resources.
  • You have installed the roxctl CLI.
  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.

Procedure

  • Run the backup command: 

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" central backup
    Copy to Clipboard

2.3. Optimizing Central database and PVC

When you upgrade to Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4.0, RHACS creates a PostgreSQL instance called central-db with a default Persistent Volume Claims (PVC). Optionally, you can customize central-db or PVC configuration.

Red Hat recommends the following minimum memory and CPU requests: 

central:
  db:
    resources:
      requests:
        memory: 16Gi
        cpu: 8
      limits:
        memory: 16Gi
        cpu: 8
Copy to Clipboard

2.4. Generating root certificates file

If you do not have access to your values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS), use the following instruction to generate the values-private.yaml configuration file containing root certificates.

Skip the instruction here, if you have access to your values-private.yaml configuration file.

Important

The generated values-private.yaml file has sensitive configuration options. Ensure that you store this file securely.

Procedure

  1. Download the create_certificate_values_file.sh script.

  2. Make the create_certificate_values_file.sh script executable: 

    $ chmod +x create_certificate_values_file.sh
    Copy to Clipboard

  3. Run the create_certificate_values_file.sh script file: 

    $ create_certificate_values_file.sh values-private.yaml
    Copy to Clipboard

2.5. Updating the Helm chart repository

You must always update Helm charts before upgrading to a new version of Red Hat Advanced Cluster Security for Kubernetes.

Prerequisites

  • You must have already added the Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.
  • You must be using Helm version 3.8.3 or newer.

Procedure

  • Update Red Hat Advanced Cluster Security for Kubernetes charts repository. 

    $ helm repo update
    Copy to Clipboard

Verification

  • Run the following command to verify the added chart repository: 

    $ helm search repo -l rhacs/
    Copy to Clipboard

2.7. Running the Helm upgrade command

You can use the helm upgrade command to update Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Prerequisites

  • You must have access to the values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS). Otherwise, you must generate the values-private.yaml configuration file containing root certificates before proceeding with these commands.

Procedure

  • Run the helm upgrade command and specify the configuration files by using the -f option: 

    $ helm upgrade -n stackrox stackrox-central-services \
  rhacs/central-services --version <current-rhacs-version> \
    1 
    
  -f values-private.yaml \
  --set central.db.password.generate=true \
  --set central.db.serviceTLS.generate=true \
  --set central.db.persistence.persistentVolumeClaim.createClaim=true
    Copy to Clipboard
    1
    Use the -f option to specify the paths for your YAML configuration files. 
    $ helm upgrade -n stackrox stackrox-secured-cluster-services \
  rhacs/secured-cluster-services --version <current-rhacs-version> \
    1 
    
  -f values-private.yaml
    Copy to Clipboard
    1
    Use the -f option to specify the paths for your YAML configuration files.
Note

You might use the --reuse-values option to preserve the previously configured Helm values during the upgrade. If you do that, you must turn off central-db creation before you upgrade to the next version.

See the following command example: 

$ helm upgrade -n stackrox stackrox-central-services \
  rhacs/central-services --version <current-rhacs-version> --reuse-values \
  -f values-private.yaml \
  --set central.db.password.generate=false \
  --set central.db.serviceTLS.generate=false \
  --set central.db.persistence.persistentVolumeClaim.createClaim=false
Copy to Clipboard

2.8. Removing Central-attached PV after upgrading to version 4.1 and later

Kubernetes and OpenShift Container Platform do not delete persistent volumes (PV) automatically. When you upgrade RHACS from earlier versions, the Central PV called stackrox-db remains mounted. However, in RHACS 4.1, Central does not need the previously attached PV anymore.

The PV has data and persistent files used by earlier RHACS versions. You can use the PV to roll back to an earlier version before RHACS 4.1. Or, if you have a large RocksDB backup bundle for Central, you can use the PV to restore that data.

After you complete the upgrade to 4.1, you can remove the Central-attached persistent volume claim (PVC) to free up the storage. Only remove the PVC if you do not plan to roll back or restore from earlier RocksDB backups.

Warning

After removing PVC, you cannot roll back Central to an earlier version before RHACS 4.1 or restore large RocksDB backups created with RocksDB.

2.8.1. Removing Central-attached PV using Helm

Remove the Central-attached persistent volume claim (PVC) stackrox-db to free up storage space.

Procedure

  • Run the following command: 

    $ helm upgrade -n stackrox stackrox-central-services \
    rhacs/central-services --version <current-rhacs-version> \
    --set central.persistence.none=true
    Copy to Clipboard

Verification

  • Run the following command: 

    $ oc -n stackrox describe pvc stackrox-db | grep -i 'Used By'
Used By: <none>
    1
    Copy to Clipboard
    1
    Wait until you see Used By: <none>. It may take a few minutes.

2.9. Rolling back a Helm upgrade

You can roll back to an earlier version of Central if the upgrade to a new version is unsuccessful.

Procedure

  1. Run the following helm upgrade command: 

    $ helm upgrade -n stackrox \
  stackrox-central-services rhacs/central-services \
  --version <previous_rhacs_74_version> \
    1 
    
  --set central.db.enabled=false
    Copy to Clipboard
    1
    Replace <previous_rhacs_74_version> with the previously installed RHACS version.

  2. Delete the central-db persistent volume claim (PVC): 

    $ oc -n stackrox delete pvc central-db
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

Chapter 3. Manually upgrading using the roxctl CLI

You can upgrade to the latest version of Red Hat Advanced Cluster Security for Kubernetes (RHACS) from a supported older version.

Important
  • You need to perform the manual upgrade procedure only if you used the roxctl CLI to install RHACS.
  • There are manual steps for each version upgrade that must be followed, for example, from version 3.74 to version 4.0, and from version 4.0 to version 4.1. Therefore, Red Hat recommends upgrading first from 3.74 to 4.0, then from 4.0 to 4.1, then 4.1 to 4.2, until the selected version is installed. For full functionality, Red Hat recommends upgrading to the most recent version.

To upgrade RHACS to the latest version, perform the following steps:

  1. Backup the Central database
  2. Upgrade the roxctl CLI
  3. Upgrade the Central cluster
  4. Upgrade all secured clusters

3.1. Backing up the Central database

You can back up the Central database and use that backup for rolling back from a failed upgrade or data restoration in the case of an infrastructure disaster.

Prerequisites

  • You must have an API token with read permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. The Analyst system role has read permissions for all resources.
  • You have installed the roxctl CLI.
  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.

Procedure

  • Run the backup command: 

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" central backup
    Copy to Clipboard

3.2. Upgrading the roxctl CLI

To upgrade the roxctl CLI to the latest version you must uninstall the existing version of roxctl CLI and then install the latest version of the roxctl CLI.

3.2.1. Uninstalling the roxctl CLI

You can uninstall the roxctl CLI binary on Linux by using the following procedure.

Procedure

  • Find and delete the roxctl binary: 

    $ ROXPATH=$(which roxctl) && rm -f $ROXPATH
    1
    Copy to Clipboard
    1
    Depending on your environment, you might need administrator rights to delete the roxctl binary.

3.2.2. Installing the roxctl CLI on Linux

You can install the roxctl CLI binary on Linux by using the following procedure.

Note

roxctl CLI for Linux is available for amd64, arm64, ppc64le, and s390x architectures.

Procedure

  1. Determine the roxctl architecture for the target operating system: 

    $ arch="$(uname -m | sed "s/x86_64//")"; arch="${arch:+-$arch}"
    Copy to Clipboard

  2. Download the roxctl CLI: 

    $ curl -L -f -o roxctl "https://mirror.openshift.com/pub/rhacs/assets/4.5.9/bin/Linux/roxctl${arch}"
    Copy to Clipboard

  3. Make the roxctl binary executable: 

    $ chmod +x roxctl
    Copy to Clipboard

  4. Place the roxctl binary in a directory that is on your PATH:

    To check your PATH, execute the following command: 

    $ echo $PATH
    Copy to Clipboard

Verification

  • Verify the roxctl version you have installed: 

    $ roxctl version
    Copy to Clipboard

3.2.3. Installing the roxctl CLI on macOS

You can install the roxctl CLI binary on macOS by using the following procedure.

Note

roxctl CLI for macOS is available for amd64 and arm64 architectures.

Procedure

  1. Determine the roxctl architecture for the target operating system: 

    $ arch="$(uname -m | sed "s/x86_64//")"; arch="${arch:+-$arch}"
    Copy to Clipboard

  2. Download the roxctl CLI: 

    $ curl -L -f -o roxctl "https://mirror.openshift.com/pub/rhacs/assets/4.5.9/bin/Darwin/roxctl${arch}"
    Copy to Clipboard

  3. Remove all extended attributes from the binary: 

    $ xattr -c roxctl
    Copy to Clipboard

  4. Make the roxctl binary executable: 

    $ chmod +x roxctl
    Copy to Clipboard

  5. Place the roxctl binary in a directory that is on your PATH:

    To check your PATH, execute the following command: 

    $ echo $PATH
    Copy to Clipboard

Verification

  • Verify the roxctl version you have installed: 

    $ roxctl version
    Copy to Clipboard

3.2.4. Installing the roxctl CLI on Windows

You can install the roxctl CLI binary on Windows by using the following procedure.

Note

roxctl CLI for Windows is available for the amd64 architecture.

Procedure

  • Download the roxctl CLI: 

    $ curl -f -O https://mirror.openshift.com/pub/rhacs/assets/4.5.9/bin/Windows/roxctl.exe
    Copy to Clipboard

Verification

  • Verify the roxctl version you have installed: 

    $ roxctl version
    Copy to Clipboard

3.3. Upgrading the Central cluster

After you have created a backup of the Central database and generated the necessary resources by using the provisioning bundle, the next step is to upgrade the Central cluster. This process involves upgrading Central and Scanner.

3.3.1. Upgrading Central

You can update Central to the latest version by downloading and deploying the updated images.

Procedure

  • Run the following command to update the Central image: 

    $ oc -n stackrox set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.5.9
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

Verification

  • Verify that the new pods have deployed: 

    $ oc get deploy -n stackrox -o wide
    Copy to Clipboard 
    $ oc get pod -n stackrox --watch
    Copy to Clipboard
3.3.1.1. Editing the GOMEMLIMIT environment variable for the Central deployment

Upgrading to version 4.4 requires that you manually replace the GOMEMLIMIT environment variable with the ROX_MEMLIMIT environment variable. You must edit this variable for each deployment.

Procedure

  1. Run the following command to edit the variable for the Central deployment: 

    $ oc -n stackrox edit deploy/central
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.
  2. Replace the GOMEMLIMIT variable with ROX_MEMLIMIT.
  3. Save the file.

3.3.2. Upgrading Scanner

You can update Scanner to the latest version by downloading and deploying the updated images.

Important

If you are using Kubernetes, enter the kubectl command instead of the oc command.

Procedure

  1. If you have created custom Scanner configurations, you must apply these changes before updating the Scanner configuration file:

    1. To generate Scanner, run the following command: 

      $ roxctl -e "$ROX_CENTRAL_ADDRESS" scanner generate
      Copy to Clipboard

    2. To apply the TLS secrets YAML file, run the following command: 

      $ oc apply -f scanner-bundle/scanner/02-scanner-03-tls-secret.yaml
      Copy to Clipboard

    3. To apply the Scanner configuration YAML file, run the following command: 

      $ oc apply -f scanner-bundle/scanner/02-scanner-04-scanner-config.yaml
      Copy to Clipboard

  2. To update the Scanner image, run the following command: 

    $ oc -n stackrox set image deploy/scanner \
scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.5.9
    Copy to Clipboard

  3. To update the Scanner database image, run the following command: 

    $ oc -n stackrox set image deploy/scanner-db \
db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.9 \
init-db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.9
    Copy to Clipboard

Verification

  • To verify that the new pods have been deployed, run the following commands: 

    $ oc get deploy -n stackrox -o wide
    Copy to Clipboard 
    $ oc get pod -n stackrox --watch
    Copy to Clipboard
3.3.2.1. Editing the GOMEMLIMIT environment variable for the Scanner deployment

Upgrading to version 4.4 requires that you manually replace the GOMEMLIMIT environment variable with the ROX_MEMLIMIT environment variable. You must edit this variable for each deployment.

Procedure

  1. Run the following command to edit the variable for the Scanner deployment: 

    $ oc -n stackrox edit deploy/scanner
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.
  2. Replace the GOMEMLIMIT variable with ROX_MEMLIMIT.
  3. Save the file.

3.3.3. Verifying the Central cluster upgrade

After you have upgraded both Central and Scanner, verify that the Central cluster upgrade is complete.

Procedure

  • Check the Central logs by running the following command: 

    $ oc logs -n stackrox deploy/central -c central
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

Sample output of a successful upgrade

No database restore directory found (this is not an error).
Migrator: 2023/04/19 17:58:54: starting DB compaction
Migrator: 2023/04/19 17:58:54: Free fraction of 0.0391 (40960/1048576) is < 0.7500. Will not compact
badger 2023/04/19 17:58:54 INFO: All 1 tables opened in 2ms
badger 2023/04/19 17:58:55 INFO: Replaying file id: 0 at offset: 846357
badger 2023/04/19 17:58:55 INFO: Replay took: 50.324µs
badger 2023/04/19 17:58:55 DEBUG: Value log discard stats empty
Migrator: 2023/04/19 17:58:55: DB is up to date. Nothing to do here.
badger 2023/04/19 17:58:55 INFO: Got compaction priority: {level:0 score:1.73 dropPrefix:[]}
version: 2023/04/19 17:58:55.189866 ensure.go:49: Info: Version found in the DB was current. We’re good to go!
Copy to Clipboard

3.4. Upgrading all secured clusters

After upgrading Central services, you must upgrade all secured clusters.

Important

  • If you are using automatic upgrades:

  • If you are not using automatic upgrades, you must run the instructions in this section on all secured clusters including the Central cluster.

    • To ensure optimal functionality, use the same RHACS version for your secured clusters and the cluster on which Central is installed.

To complete manual upgrades of each secured cluster running Sensor, Collector, and Admission controller, follow the instructions in this section.

3.4.1. Updating other images

You must update the sensor, collector and compliance images on each secured cluster when not using automatic upgrades.

Note

If you are using Kubernetes, use kubectl instead of oc for the commands listed in this procedure.

Procedure

  1. Update the Sensor image: 

    $ oc -n stackrox set image deploy/sensor sensor=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.5.9
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

  2. Update the Compliance image: 

    $ oc -n stackrox set image ds/collector compliance=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.5.9
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

  3. Update the Collector image: 

    $ oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.5.9
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.
    Note

    If you are using the collector slim image, run the following command instead: 

    $ oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:{rhacs-version}
    Copy to Clipboard

  4. Update the admission control image: 

    $ oc -n stackrox set image deploy/admission-control admission-control=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.5.9
    Copy to Clipboard
Important

If you have installed RHACS on Red Hat OpenShift by using the roxctl CLI, you need to migrate the security context constraints (SCCs).

For more information, see "Migrating SCCs during the manual upgrade" in the "Additional resources" section.

Next steps

3.4.2. Migrating SCCs during the manual upgrade

By migrating the security context constraints (SCCs) during the manual upgrade by using roxctl CLI, you can seamlessly transition the Red Hat Advanced Cluster Security for Kubernetes (RHACS) services to use the Red Hat OpenShift SCCs, ensuring compatibility and optimal security configurations across Central and all secured clusters.

Procedure

  1. List all of the RHACS services that are deployed on Central and all secured clusters: 

    $ oc -n stackrox describe pods | grep 'openshift.io/scc\|^Name:'
    Copy to Clipboard

    Example output

    Name:      admission-control-6f4dcc6b4c-2phwd
           openshift.io/scc: stackrox-admission-control
#...
Name:      central-575487bfcb-sjdx8
           openshift.io/scc: stackrox-central
Name:      central-db-7c7885bb-6bgbd
           openshift.io/scc: stackrox-central-db
Name:      collector-56nkr
           openshift.io/scc: stackrox-collector
#...
Name:      scanner-68fc55b599-f2wm6
           openshift.io/scc: stackrox-scanner
Name:      scanner-68fc55b599-fztlh
#...
Name:      sensor-84545f86b7-xgdwf
           openshift.io/scc: stackrox-sensor
#...
    Copy to Clipboard

    In this example, you can see that each pod has its own custom SCC, which is specified through the openshift.io/scc field.

  2. Add the required roles and role bindings to use the Red Hat OpenShift SCCs instead of the RHACS custom SCCs.

    To add the required roles and role bindings to use the Red Hat OpenShift SCCs for the Central cluster, complete the following steps:

    1. Create a file named update-central.yaml that defines the role and role binding resources by using the following content:

      Example 3.1. Example YAML file

      apiVersion: rbac.authorization.k8s.io/v1
kind: Role
      1 
      
metadata:
  annotations:
     email: support@stackrox.com
     owner: stackrox
  labels:
     app.kubernetes.io/component: central
     app.kubernetes.io/instance: stackrox-central-services
     app.kubernetes.io/name: stackrox
     app.kubernetes.io/part-of: stackrox-central-services
     app.kubernetes.io/version: 4.4.0
  name: use-central-db-scc
      2 
      
  namespace: stackrox
      3 
      
Rules:
      4 
      
- apiGroups:
  - security.openshift.io
  resourceNames:
  - nonroot-v2
  resources:
  - securitycontextconstraints
  verbs:
  - use
- - -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
     email: support@stackrox.com
     owner: stackrox
  labels:
     app.kubernetes.io/component: central
     app.kubernetes.io/instance: stackrox-central-services
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: stackrox
     app.kubernetes.io/part-of: stackrox-central-services
     app.kubernetes.io/version: 4.4.0
  name: use-central-scc
  namespace: stackrox
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - nonroot-v2
  resources:
  - securitycontextconstraints
  verbs:
  - use
- - -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
     email: support@stackrox.com
     owner: stackrox
  labels:
     app.kubernetes.io/component: scanner
     app.kubernetes.io/instance: stackrox-central-services
     app.kubernetes.io/name: stackrox
     app.kubernetes.io/part-of: stackrox-central-services
     app.kubernetes.io/version: 4.4.0
  name: use-scanner-scc
  namespace: stackrox
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - nonroot-v2
  resources:
  - securitycontextconstraints
  verbs:
  - use
- - -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
      5 
      
metadata:
  annotations:
     email: support@stackrox.com
     owner: stackrox
  labels:
     app.kubernetes.io/component: central
     app.kubernetes.io/instance: stackrox-central-services
     app.kubernetes.io/name: stackrox
     app.k ubernetes.io/part-of: stackrox-central-services
     app.kubernetes.io/version: 4.4.0
  name: central-db-use-scc
      6 
      
  namespace: stackrox
roleRef:
      7 
      
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-central-db-scc
subjects:
      8 
      
- kind: ServiceAccount
  name: central-db
  namespace: stackrox
- - -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
     email: support@stackrox.com
     owner: stackrox
  labels:
     app.kubernetes.io/component: central
     app.kubernetes.io/instance: stackrox-central-services
     app.kubernetes.io/name: stackrox
     app.kubernetes.io/part-of: stackrox-central-services
     app.kubernetes.io/version: 4.4.0
  name: central-use-scc
  namespace: stackrox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-central-scc
subjects:
- kind: ServiceAccount
  name: central
  namespace: stackrox
- - -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
     email: support@stackrox.com
     owner: stackrox
  labels:
     app.kubernetes.io/component: scanner
     app.kubernetes.io/instance: stackrox-central-services
     app.kubernetes.io/name: stackrox
     app.kubernetes.io/part-of: stackrox-central-services
     app.kubernetes.io/version: 4.4.0
  name: scanner-use-scc
  namespace: stackrox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-scanner-scc
subjects:
- kind: ServiceAccount
  name: scanner
  namespace: stackrox
- - -
      Copy to Clipboard
      1
      The type of Kubernetes resource, in this example, Role.
      2
      The name of the role resource.
      3
      The namespace in which the role is created.
      4
      Describes the permissions granted by the role resource.
      5
      The type of Kubernetes resource, in this example, RoleBinding.
      6
      The name of the role binding resource.
      7
      Specifies the role to bind in the same namespace.
      8
      Specifies the subjects that are bound to the role.

    2. Create the role and role binding resources specified in the update-central.yaml file by running the following command: 

      $ oc -n stackrox create -f ./update-central.yaml
      Copy to Clipboard

  3. To add the required roles and role bindings to use the Red Hat OpenShift SCCs for all secured clusters, complete the following steps:

    1. Create a file named upgrade-scs.yaml that defines the role and role binding resources by using the following content:

      Example 3.2. Example YAML file

      apiVersion: rbac.authorization.k8s.io/v1
kind: Role
      1 
      
metadata:
  annotations:
     email: support@stackrox.com
     owner: stackrox
  labels:
     app.kubernetes.io/component: collector
     app.kubernetes.io/instance: stackrox-secured-cluster-services
     app.kubernetes.io/name: stackrox
     app.kubernetes.io/part-of: stackrox-secured-cluster-services
     app.kubernetes.io/version: 4.4.0
     auto-upgrade.stackrox.io/component: sensor
  name: use-privileged-scc
      2 
      
  namespace: stackrox
      3 
      
rules:
      4 
      
- apiGroups:
  - security.openshift.io
  resourceNames:
  - privileged
  resources:
  - securitycontextconstraints
  verbs:
  - use
- - -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
      5 
      
metadata:
  annotations:
     email: support@stackrox.com
     owner: stackrox
  labels:
     app.kubernetes.io/component: collector
     app.kubernetes.io/instance: stackrox-secured-cluster-services
     app.kubernetes.io/name: stackrox
     app.kubernetes.io/part-of: stackrox-secured-cluster-services
     app.kubernetes.io/version: 4.4.0
     auto-upgrade.stackrox.io/component: sensor
  name: collector-use-scc
      6 
      
  namespace: stackrox
roleRef:
      7 
      
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-privileged-scc
subjects:
      8 
      
- kind: ServiceAccount
  name: collector
  namespace: stackrox
- - -
      Copy to Clipboard
      1
      The type of Kubernetes resource, in this example, Role.
      2
      The name of the role resource.
      3
      The namespace in which the role is created.
      4
      Describes the permissions granted by the role resource.
      5
      The type of Kubernetes resource, in this example, RoleBinding.
      6
      The name of the role binding resource.
      7
      Specifies the role to bind in the same namespace.
      8
      Specifies the subjects that are bound to the role.

    2. Create the role and role binding resources specified in the upgrade-scs.yaml file by running the following command: 

      $ oc -n stackrox create -f ./update-scs.yaml
      Copy to Clipboard
      Important

      You must run this command on each secured cluster to create the role and role bindings specified in the upgrade-scs.yaml file.

  4. Delete the SCCs that are specific to RHACS:

    1. To delete the SCCs that are specific to the Central cluster, run the following command: 

      $ oc delete scc/stackrox-central scc/stackrox-central-db scc/stackrox-scanner
      Copy to Clipboard

    2. To delete the SCCs that are specific to all secured clusters, run the following command: 

      $ oc delete scc/stackrox-admission-control scc/stackrox-collector scc/stackrox-sensor
      Copy to Clipboard
      Important

      You must run this command on each secured cluster to delete the SCCs that are specific to each secured cluster.

Verification

  • Ensure that all the pods are using the correct SCCs by running the following command: 

    $ oc -n stackrox describe pods | grep 'openshift.io/scc\|^Name:'
    Copy to Clipboard

    Compare the output with the following table:

    ComponentPrevious custom SCCNew Red Hat OpenShift 4 SCC

    Central

    stackrox-central

    nonroot-v2

    Central-db

    stackrox-central-db

    nonroot-v2

    Scanner

    stackrox-scanner

    nonroot-v2

    Scanner-db

    stackrox-scanner

    nonroot-v2

    Admission Controller

    stackrox-admission-control

    restricted-v2

    Collector

    stackrox-collector

    privileged

    Sensor

    stackrox-sensor

    restricted-v2

3.4.2.1. Editing the GOMEMLIMIT environment variable for the Sensor deployment

Upgrading to version 4.4 requires that you manually replace the GOMEMLIMIT environment variable with the ROX_MEMLIMIT environment variable. You must edit this variable for each deployment.

Procedure

  1. Run the following command to edit the variable for the Sensor deployment: 

    $ oc -n stackrox edit deploy/sensor
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.
  2. Replace the GOMEMLIMIT variable with ROX_MEMLIMIT.
  3. Save the file.
3.4.2.2. Editing the GOMEMLIMIT environment variable for the Collector deployment

Upgrading to version 4.4 requires that you manually replace the GOMEMLIMIT environment variable with the ROX_MEMLIMIT environment variable. You must edit this variable for each deployment.

Procedure

  1. Run the following command to edit the variable for the Collector deployment: 

    $ oc -n stackrox edit deploy/collector
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.
  2. Replace the GOMEMLIMIT variable with ROX_MEMLIMIT.
  3. Save the file.
3.4.2.3. Editing the GOMEMLIMIT environment variable for the Admission Controller deployment

Upgrading to version 4.4 requires that you manually replace the GOMEMLIMIT environment variable with the ROX_MEMLIMIT environment variable. You must edit this variable for each deployment.

Procedure

  1. Run the following command to edit the variable for the Admission Controller deployment: 

    $ oc -n stackrox edit deploy/admission-control
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.
  2. Replace the GOMEMLIMIT variable with ROX_MEMLIMIT.
  3. Save the file.
3.4.2.4. Verifying secured cluster upgrade

After you have upgraded secured clusters, verify that the updated pods are working.

Procedure

  • Check that the new pods have deployed: 

    $ oc get deploy,ds -n stackrox -o wide
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc. 
    $ oc get pod -n stackrox --watch
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

3.5. Enabling RHCOS node scanning

If you use OpenShift Container Platform, you can enable scanning of Red Hat Enterprise Linux CoreOS (RHCOS) nodes for vulnerabilities by using Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Prerequisites

Procedure

  1. Run one of the following commands to update the compliance container.

    • For a default compliance container with metrics disabled, run the following command: 

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":"disabled"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
      Copy to Clipboard

    • For a compliance container with Prometheus metrics enabled, run the following command: 

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"name":"compliance","env":[{"name":"ROX_METRICS_PORT","value":":9091"},{"name":"ROX_NODE_SCANNING_ENDPOINT","value":"127.0.0.1:8444"},{"name":"ROX_NODE_SCANNING_INTERVAL","value":"4h"},{"name":"ROX_NODE_SCANNING_INTERVAL_DEVIATION","value":"24m"},{"name":"ROX_NODE_SCANNING_MAX_INITIAL_WAIT","value":"5m"},{"name":"ROX_RHCOS_NODE_SCANNING","value":"true"},{"name":"ROX_CALL_NODE_INVENTORY_ENABLED","value":"true"}]}]}}}}'
      Copy to Clipboard

  2. Update the Collector DaemonSet (DS) by taking the following steps:

    1. Add new volume mounts to Collector DS by running the following command: 

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"volumes":[{"name":"tmp-volume","emptyDir":{}},{"name":"cache-volume","emptyDir":{"sizeLimit":"200Mi"}}]}}}}'
      Copy to Clipboard

    2. Add the new NodeScanner container by running the following command: 

      $ oc -n stackrox patch daemonset/collector -p '{"spec":{"template":{"spec":{"containers":[{"command":["/scanner","--nodeinventory","--config=",""],"env":[{"name":"ROX_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"ROX_CLAIR_V4_SCANNING","value":"true"},{"name":"ROX_COMPLIANCE_OPERATOR_INTEGRATION","value":"true"},{"name":"ROX_CSV_EXPORT","value":"false"},{"name":"ROX_DECLARATIVE_CONFIGURATION","value":"false"},{"name":"ROX_INTEGRATIONS_AS_CONFIG","value":"false"},{"name":"ROX_NETPOL_FIELDS","value":"true"},{"name":"ROX_NETWORK_DETECTION_BASELINE_SIMULATION","value":"true"},{"name":"ROX_NETWORK_GRAPH_PATTERNFLY","value":"true"},{"name":"ROX_NODE_SCANNING_CACHE_TIME","value":"3h36m"},{"name":"ROX_NODE_SCANNING_INITIAL_BACKOFF","value":"30s"},{"name":"ROX_NODE_SCANNING_MAX_BACKOFF","value":"5m"},{"name":"ROX_PROCESSES_LISTENING_ON_PORT","value":"false"},{"name":"ROX_QUAY_ROBOT_ACCOUNTS","value":"true"},{"name":"ROX_ROXCTL_NETPOL_GENERATE","value":"true"},{"name":"ROX_SOURCED_AUTOGENERATED_INTEGRATIONS","value":"false"},{"name":"ROX_SYSLOG_EXTRA_FIELDS","value":"true"},{"name":"ROX_SYSTEM_HEALTH_PF","value":"false"},{"name":"ROX_VULN_MGMT_WORKLOAD_CVES","value":"false"}],"image":"registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.9","imagePullPolicy":"IfNotPresent","name":"node-inventory","ports":[{"containerPort":8444,"name":"grpc","protocol":"TCP"}],"volumeMounts":[{"mountPath":"/host","name":"host-root-ro","readOnly":true},{"mountPath":"/tmp/","name":"tmp-volume"},{"mountPath":"/cache","name":"cache-volume"}]}]}}}}'
      Copy to Clipboard

3.6. Removing Central-attached PV after upgrading to version 4.1 and later

Kubernetes and OpenShift Container Platform do not delete persistent volumes (PV) automatically. When you upgrade RHACS from earlier versions, the Central PV called stackrox-db remains mounted. However, in RHACS 4.1, Central does not need the previously attached PV anymore.

The PV has data and persistent files used by earlier RHACS versions. You can use the PV to roll back to an earlier version before RHACS 4.1. Or, if you have a large RocksDB backup bundle for Central, you can use the PV to restore that data.

After you complete the upgrade to 4.1, you can remove the Central-attached persistent volume claim (PVC) to free up the storage. Only remove the PVC if you do not plan to roll back or restore from earlier RocksDB backups.

Warning

After removing PVC, you cannot roll back Central to an earlier version before RHACS 4.1 or restore large RocksDB backups created with RocksDB.

3.6.1. Removing Central-attached PV using the roxctl CLI

Remove the Central-attached persistent volume claim (PVC) stackrox-db to free up storage space.

Procedure

  • Run the following command: 

    $ oc get deployment central -n stackrox -o json | jq '(.spec.template.spec.volumes[] | select(.name=="stackrox-db"))={"name": "stackrox-db", "emptyDir": {}}' | oc apply -f -
    Copy to Clipboard

    It replaces the stackrox-db` entry in the spec.template.spec.volumes to a local emptyDir.

Verification

  • Run the following command: 

    $ oc -n stackrox describe pvc stackrox-db | grep -i 'Used By'
Used By: <none>
    1
    Copy to Clipboard
    1
    Wait until you see Used By: <none>. It might take a few minutes.

3.7. Rolling back Central

You can roll back to a previous version of Central if the upgrade to a new version is unsuccessful.

3.7.1. Rolling back Central normally

You can roll back to a previous version of Central if upgrading Red Hat Advanced Cluster Security for Kubernetes fails.

Prerequisites

  • Before you can perform a rollback, you must have free disk space available on your persistent storage. Red Hat Advanced Cluster Security for Kubernetes uses disk space to keep a copy of databases during the upgrade. If the disk space is not enough to store a copy and the upgrade fails, you might not be able to roll back to an earlier version.

Procedure

  • Run the following command to roll back to a previous version when an upgrade fails (before the Central service starts): 

    $ oc -n stackrox rollout undo deploy/central
    1
    Copy to Clipboard
    1
    If you use Kubernetes, enter kubectl instead of oc.

3.7.2. Rolling back Central forcefully

You can use forced rollback to roll back to an earlier version of Central (after the Central service starts).

Important

Using forced rollback to switch back to a previous version might result in loss of data and functionality.

Prerequisites

  • Before you can perform a rollback, you must have free disk space available on your persistent storage. Red Hat Advanced Cluster Security for Kubernetes uses disk space to keep a copy of databases during the upgrade. If the disk space is not enough to store a copy and the upgrade fails, you will not be able to roll back to an earlier version.

Procedure

  • Run the following commands to perform a forced rollback:

    • To forcefully rollback to the previously installed version: 

      $ oc -n stackrox rollout undo deploy/central
      1
      Copy to Clipboard
      1
      If you use Kubernetes, enter kubectl instead of oc.

    • To forcefully rollback to a specific version:

      1. Edit Central’s ConfigMap: 

        $ oc -n stackrox edit configmap/central-config
        1
        Copy to Clipboard
        1
        If you use Kubernetes, enter kubectl instead of oc.

      2. Update the value of the maintenance.forceRollbackVersion key: 

        data:
  central-config.yaml: |
    maintenance:
      safeMode: false
      compaction:
         enabled: true
         bucketFillFraction: .5
         freeFractionThreshold: 0.75
      forceRollbackVersion: <x.x.x.x>
        1 
        
  ...
        Copy to Clipboard
        1
        Specify the version that you want to roll back to.

      3. Update the Central image version: 

        $ oc -n stackrox \
        1 
        
  set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<x.x.x.x>
        2
        Copy to Clipboard
        1
        If you use Kubernetes, enter kubectl instead of oc.
        2
        Specify the version that you want to roll back to. It must be the same version that you specified for the maintenance.forceRollbackVersion key in the central-config config map.

3.8. Verifying upgrades

The updated Sensors and Collectors continue to report the latest data from each secured cluster.

The last time Sensor contacted Central is visible in the RHACS portal.

Procedure

  1. In the RHACS portal, go to Platform ConfigurationSystem Health.
  2. Check to ensure that Sensor Upgrade shows clusters up to date with Central.

3.9. Revoking the API token

For security reasons, Red Hat recommends that you revoke the API token that you have used to complete Central database backup.

Prerequisites

  • After the upgrade, you must reload the RHACS portal page and re-accept the certificate to continue using the RHACS portal.

Procedure

  1. In the RHACS portal, go to Platform ConfigurationIntegrations.
  2. Scroll down to the Authentication Tokens category, and click API Token.
  3. Select the checkbox in front of the token name that you want to revoke.
  4. Click Revoke.
  5. On the confirmation dialog box, click Confirm.

3.10. Troubleshooting the cluster upgrader

If you encounter problems when using the legacy installation method for the secured cluster and enabling the automated updates, you can try troubleshooting the problem. The following errors can be found in the clusters view when the upgrader fails.

3.10.1. Upgrader is missing permissions

Symptom

The following error is displayed in the cluster page: 

Upgrader failed to execute PreflightStage of the roll-forward workflow: executing stage "Run preflight checks": preflight check "Kubernetes authorization" reported errors. This usually means that access is denied. Have you configured this Secured Cluster for automatically receiving upgrades?"
Copy to Clipboard

Procedure

  1. Ensure that the bundle for the secured cluster was generated with future upgrades enabled before clicking Download YAML file and keys.
  2. If possible, remove that secured cluster and generate a new bundle making sure that future upgrades are enabled.

  3. If you cannot re-create the cluster, you can take these actions:

    1. Ensure that the service account sensor-upgrader exists in the same namespace as Sensor.
    2. Ensure that a ClusterRoleBinding exists (default name: <namespace>:upgrade-sensors) that grants the cluster-admin ClusterRole to the sensor-upgrader service account.

3.10.2. Upgrader cannot start due to missing image

Symptom

The following error is displayed in the cluster page: 

"Upgrade initialization error: The upgrader pods have trouble pulling the new image: Error pulling image: (...) (<image_reference:tag>: not found)"
Copy to Clipboard

Procedure

  1. Ensure that the Secured Cluster can access the registry and pull the image <image_reference:tag>.
  2. Ensure that the image pull secrets are configured correctly in the secured cluster.

3.10.3. Upgrader cannot start due to an unknown reason

Symptom

The following error is displayed in the cluster page: 

"Upgrade initialization error: Pod terminated: (Error)"
Copy to Clipboard

Procedure

  1. Ensure that the upgrader has enough permissions for accessing the cluster objects. For more information, see "Upgrader is missing permissions".
  2. Check the upgrader logs for more insights.
3.10.3.1. Obtaining upgrader logs

The logs can be accessed by running the following command: 

$ kubectl -n <namespace> logs deploy/sensor-upgrader
1
Copy to Clipboard
1
For <namespace>, specify the namespace in which Sensor is running.

Usually, the upgrader deployment is only running in the cluster for a short time while doing the upgrades. It is removed later, so accessing its logs using the orchestrator CLI can require proper timing.

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat