2.3. Upgrading all secured clusters

After upgrading Central, you must upgrade all secured clusters.

Important
  • If you use automatic upgrades:

    • Use automatic upgrades to update all secured clusters.
    • Skip the instructions in this section and follow the instructions in the Verifying upgrades and revoking the API token section.
  • If you do not use automatic upgrades, you must run the instructions in this section on all secured clusters, including the Central cluster.

    • For best results, use the same RHACS version for your secured clusters and for the cluster on which Central is installed.

To complete a manual upgrade of each secured cluster running Sensor, Collector and Admission Controller, follow the instructions in this section.

2.3.1. Updating the readiness probe

If you are upgrading from a version of Red Hat Advanced Cluster Security for Kubernetes earlier than 3.65.0, you must run the following command to update the readiness probe path. If you are running a version later than 3.65, skip this step.

Procedure

  • Update the readiness probe path:

    $ oc -n stackrox patch deploy/sensor -p '{"spec":{"template":{"spec":{"containers":[{"name":"sensor","readinessProbe":{"httpGet":{"path":"/ready"}}}]}}}}'

    If you use Kubernetes, enter kubectl instead of oc.

2.3.2. Updating OpenShift security context constraints

Depending on the version of Red Hat Advanced Cluster Security for Kubernetes you are upgrading to, you must update specific OpenShift Container Platform security context constraints (SCCs).

Warning

Run the commands in this section only if you are using Red Hat Advanced Cluster Security for Kubernetes on OpenShift Container Platform. Otherwise, skip the instructions in this section.

Procedure

  • Red Hat Advanced Cluster Security for Kubernetes 3.64.0 renamed the SCCs. If you are upgrading from a version of Red Hat Advanced Cluster Security for Kubernetes earlier than 3.64.0, you must delete and re-apply the SCCs; otherwise, skip this step:

    1. Run the following commands to update Central:

      $ oc apply -f - <<EOF
      kind: SecurityContextConstraints
      apiVersion: security.openshift.io/v1
      metadata:
        name: stackrox-central
        labels:
          app.kubernetes.io/name: stackrox
        annotations:
          kubernetes.io/description: stackrox-central is the security constraint for the central server
          email: support@stackrox.com
          owner: stackrox
      allowHostDirVolumePlugin: false
      allowedCapabilities: []
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegeEscalation: false
      allowPrivilegedContainer: false
      defaultAddCapabilities: []
      fsGroup:
        type: MustRunAs
        ranges:
          - max: 4000
            min: 4000
      priority: 0
      readOnlyRootFilesystem: true
      requiredDropCapabilities: []
      runAsUser:
        type: MustRunAs
        uid: 4000
      seLinuxContext:
        type: MustRunAs
      seccompProfiles:
        - '*'
      users:
        - system:serviceaccount:stackrox:central
      volumes:
        - '*'
      EOF
      $ oc delete scc central
    2. Run the following commands to update Scanner:

      $ oc apply -f - <<EOF
      kind: SecurityContextConstraints
      apiVersion: security.openshift.io/v1
      metadata:
        name: stackrox-scanner
        labels:
          app.kubernetes.io/name: stackrox
        annotations:
          email: support@stackrox.com
          owner: stackrox
          kubernetes.io/description: stackrox-scanner is the security constraint for the Scanner container
      priority: 0
      runAsUser:
        type: RunAsAny
      seLinuxContext:
        type: RunAsAny
      seccompProfiles:
        - '*'
      users:
        - system:serviceaccount:stackrox:scanner
      volumes:
        - '*'
      allowHostDirVolumePlugin: false
      allowedCapabilities: []
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegeEscalation: false
      allowPrivilegedContainer: false
      defaultAddCapabilities: []
      fsGroup:
        type: RunAsAny
      readOnlyRootFilesystem: false
      requiredDropCapabilities: []
      EOF
      $ oc delete scc scanner
    3. Run the following commands in each OpenShift secured cluster:

      $ oc apply -f - <<EOF
      apiVersion: security.openshift.io/v1
      kind: SecurityContextConstraints
      metadata:
        name: stackrox-admission-control
        labels:
          app.kubernetes.io/name: stackrox
          auto-upgrade.stackrox.io/component: "sensor"
        annotations:
          email: support@stackrox.com
          owner: stackrox
          kubernetes.io/description: stackrox-admission-control is the security constraint for the admission controller
      users:
        - system:serviceaccount:stackrox:admission-control
      priority: 0
      runAsUser:
        type: RunAsAny
      seLinuxContext:
        type: RunAsAny
      seccompProfiles:
        - '*'
      supplementalGroups:
        type: RunAsAny
      fsGroup:
        type: RunAsAny
      groups: []
      readOnlyRootFilesystem: true
      allowHostDirVolumePlugin: false
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegeEscalation: false
      allowPrivilegedContainer: false
      allowedCapabilities: []
      defaultAddCapabilities: []
      requiredDropCapabilities: []
      volumes:
        - configMap
        - downwardAPI
        - emptyDir
        - secret
      ---
      apiVersion: security.openshift.io/v1
      kind: SecurityContextConstraints
      metadata:
        name: stackrox-collector
        labels:
          app.kubernetes.io/name: stackrox
          auto-upgrade.stackrox.io/component: "sensor"
        annotations:
          email: support@stackrox.com
          owner: stackrox
          kubernetes.io/description: This SCC is based on privileged, hostaccess, and hostmount-anyuid
      users:
        - system:serviceaccount:stackrox:collector
      allowHostDirVolumePlugin: true
      allowPrivilegedContainer: true
      fsGroup:
        type: RunAsAny
      groups: []
      priority: 0
      readOnlyRootFilesystem: true
      runAsUser:
        type: RunAsAny
      seLinuxContext:
        type: RunAsAny
      seccompProfiles:
        - '*'
      supplementalGroups:
        type: RunAsAny
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegeEscalation: true
      allowedCapabilities: []
      defaultAddCapabilities: []
      requiredDropCapabilities: []
      volumes:
        - configMap
        - downwardAPI
        - emptyDir
        - hostPath
        - secret
      ---
      apiVersion: security.openshift.io/v1
      kind: SecurityContextConstraints
      metadata:
        name: stackrox-sensor
        labels:
          app.kubernetes.io/name: stackrox
          auto-upgrade.stackrox.io/component: "sensor"
        annotations:
          email: support@stackrox.com
          owner: stackrox
          kubernetes.io/description: stackrox-sensor is the security constraint for the sensor
      users:
        - system:serviceaccount:stackrox:sensor
        - system:serviceaccount:stackrox:sensor-upgrader
      priority: 0
      runAsUser:
        type: RunAsAny
      seLinuxContext:
        type: RunAsAny
      seccompProfiles:
        - '*'
      supplementalGroups:
        type: RunAsAny
      fsGroup:
        type: RunAsAny
      groups: []
      readOnlyRootFilesystem: true
      allowHostDirVolumePlugin: false
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegeEscalation: true
      allowPrivilegedContainer: false
      allowedCapabilities: []
      defaultAddCapabilities: []
      requiredDropCapabilities: []
      volumes:
        - configMap
        - downwardAPI
        - emptyDir
        - secret
      EOF
      $ oc delete scc admission-control collector sensor

2.3.3. Updating other images

If you are not using automatic upgrades, you must update the sensor, collector and compliance images in each secured cluster.

Note

If you use Kubernetes, use kubectl instead of oc in the commands listed in this procedure.

Procedure

  1. Update the Sensor image:

    $ oc -n stackrox set image deploy/sensor sensor=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3

    If you use Kubernetes, enter kubectl instead of oc.
  2. Update the Compliance image:

    $ oc -n stackrox set image ds/collector compliance=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3

    If you use Kubernetes, enter kubectl instead of oc.
  3. Update the Collector image:

    $ oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:3.71.3

    If you use Kubernetes, enter kubectl instead of oc.

    Note

    If you use the collector slim image, run the following command instead:

    $ oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:{rhacs-version}
  4. Update the Admission Control image:

    $ oc -n stackrox set image deploy/admission-control admission-control=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3

2.3.4. Verifying the secured cluster upgrade

After you have upgraded the secured clusters, verify that the updated pods are working.

Procedure

  • Check that the new pods have been deployed:

    $ oc get deploy,ds -n stackrox -o wide

    $ oc get pod -n stackrox --watch

    If you use Kubernetes, enter kubectl instead of oc.
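The two commands above only list the workloads and leave the comparison to the reader. As an added example that is not part of the Red Hat documentation, the following POSIX shell script performs the same verification mechanically: every container in the stackrox namespace must run the tag this section upgrades to (3.71.3), the sensor, compliance, admission-control and collector containers must come from the image repositories set in section 2.3.3, and every container must report Ready. The jsonpath template, the function names (expected_repo, check_pod_lines) and the sample pod names are constructed for this example; only the repositories and the tag come from the page.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: verify that every pod in
# the stackrox namespace runs the target image tag, uses the image repository this
# upgrade procedure sets for its container, and reports all containers Ready.

EXPECTED_TAG="3.71.3"   # the tag used by the set image commands in section 2.3.3

# One line per pod: <pod> <container names>|<container images>|<ready flags>
# (assumed jsonpath; replace oc with kubectl on Kubernetes)
POD_JSONPATH='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].name}{"|"}{.spec.containers[*].image}{"|"}{.status.containerStatuses[*].ready}{"\n"}{end}'

# expected_repo CONTAINER: image repositories section 2.3.3 assigns to a container.
expected_repo() {
  case "$1" in
    sensor|compliance|admission-control) echo "rhacs-main-rhel8" ;;
    collector) echo "rhacs-collector-rhel8 rhacs-collector-slim-rhel8" ;;
    *) echo "" ;;   # unknown containers are only checked for tag and readiness
  esac
}

# check_pod_lines TAG: reads POD_JSONPATH lines on stdin, prints one finding per
# problem, returns 1 if any container runs another tag or an unexpected
# repository or is not Ready, and 0 when the upgrade is complete.
check_pod_lines() {
  tag=$1
  rc=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    pod=${line%% *}
    rest=${line#* }
    names=${rest%%\|*}
    rest=${rest#*\|}
    images=${rest%%\|*}
    readies=${rest#*\|}
    set -- $images                       # images align with names by position
    for name in $names; do
      img=${1:-}
      [ $# -gt 0 ] && shift
      repo=${img##*/}; repo=${repo%%:*}  # registry/namespace/REPO:tag -> REPO
      case "$img" in
        *:"$tag") ;;
        *) echo "STALE      $pod/$name runs $img"; rc=1 ;;
      esac
      want=$(expected_repo "$name")
      if [ -n "$want" ]; then
        case " $want " in
          *" $repo "*) ;;
          *) echo "WRONG-REPO $pod/$name uses $repo, expected one of: $want"; rc=1 ;;
        esac
      fi
    done
    # A pod without container statuses (Pending) is not ready either.
    [ -n "$readies" ] || { echo "NOT-READY  $pod (no container status)"; rc=1; }
    for r in $readies; do
      [ "$r" = "true" ] || { echo "NOT-READY  $pod"; rc=1; break; }
    done
  done
  return $rc
}

# Constructed sample in POD_JSONPATH format (not captured from a real cluster):
# sensor and collector are upgraded, admission-control still runs the old tag.
SAMPLE_OUTPUT='sensor-constructed-a sensor|registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3|true
collector-constructed-b collector compliance|registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:3.71.3 registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3|true true
admission-control-constructed-c admission-control|registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.70.0|false'

echo "Checking constructed sample against tag $EXPECTED_TAG:"
if printf '%s\n' "$SAMPLE_OUTPUT" | check_pod_lines "$EXPECTED_TAG"; then
  echo "OK: every pod runs $EXPECTED_TAG and is Ready"
else
  echo "upgrade incomplete: fix the pods listed above before continuing"
fi
# Against a real cluster (oc or kubectl access to the stackrox namespace required):
#   oc get pod -n stackrox -o jsonpath="$POD_JSONPATH" | check_pod_lines "$EXPECTED_TAG"
```

Run it after the set image commands have rolled out; a non-zero exit means at least one pod still runs the previous tag, an unexpected repository (for example a non-slim collector image where the slim one was intended), or is not Ready, which is the state in which the token revocation step in the next section should not yet be performed.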
© 2025 Red Hat