红帽全球峰会3.3. 升级中央集群
备份 Central 数据库后,下一步是升级中部集群。此步骤包括 upgrade Central、roxctl CLI 和 Scanner。
3.3.1. 升级 Central
您可以通过下载和部署更新的镜像,将 Central 更新到最新版本。
3.3.1.1. 在 OpenShift Container Platform 上升级 Central
如果在 OpenShift Container Platform 上安装了 Red Hat Advanced Cluster Security for Kubernetes,请使用以下步骤进行升级。
流程
修补本地角色:
oc -n stackrox patch role edit -p '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["create","get", "list", "watch", "update", "patch", "delete","deletecollection"]}]}'$ oc -n stackrox patch role edit -p '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["create","get", "list", "watch", "update", "patch", "delete","deletecollection"]}]}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 清理现有的角色和角色绑定:
oc -n stackrox delete RoleBinding admission-control-use-scc || true
$ oc -n stackrox delete RoleBinding admission-control-use-scc || trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow oc -n stackrox delete RoleBinding sensor-use-scc || true
$ oc -n stackrox delete RoleBinding sensor-use-scc || trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow oc -n stackrox delete Role use-anyuid-scc || true
$ oc -n stackrox delete Role use-anyuid-scc || trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow 通过删除硬编码的安全上下文,将
sensor和admission-control设置为restricted[-v2]安全性上下文约束:oc -n stackrox patch deploy sensor -p '{"spec":{"template":{"spec":{"securityContext":null}}}}'$ oc -n stackrox patch deploy sensor -p '{"spec":{"template":{"spec":{"securityContext":null}}}}'1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- Red Hat Advanced Cluster Security for Kubernetes 会自动重新创建 pod,但
sensor可能需要一些时间才能重启。
oc -n stackrox patch deploy admission-control -p '{"spec":{"template":{"spec":{"securityContext":null}}}}'$ oc -n stackrox patch deploy admission-control -p '{"spec":{"template":{"spec":{"securityContext":null}}}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 运行以下命令来升级 Central:
oc -n stackrox patch deploy/central -p '{"spec":{"template":{"spec":{"containers":[{"name":"central","env":[{"name":"ROX_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]}]}}}}'$ oc -n stackrox patch deploy/central -p '{"spec":{"template":{"spec":{"containers":[{"name":"central","env":[{"name":"ROX_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]}]}}}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc -n stackrox patch deployment/scanner -p '{"spec":{"template":{"spec":{"containers":[{"name":"scanner","securityContext":{"runAsUser":65534}}]}}}}'$ oc -n stackrox patch deployment/scanner -p '{"spec":{"template":{"spec":{"containers":[{"name":"scanner","securityContext":{"runAsUser":65534}}]}}}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow oc -n stackrox set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.73.5
$ oc -n stackrox set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.73.51 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 如果从私有镜像 registry 部署镜像,请将新镜像推送到私有 registry 中,并在此处替换镜像 registry 地址。
重要如果您还没有使用 Helm 或 Operator 安装 Red Hat Advanced Cluster Security for Kubernetes,并希望使用 OpenShift OAuth 服务器启用身份验证,您必须运行以下命令:
oc -n stackrox set env deploy/central ROX_ENABLE_OPENSHIFT_AUTH=true
$ oc -n stackrox set env deploy/central ROX_ENABLE_OPENSHIFT_AUTH=trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow Copy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
验证新 pod 是否已部署:
oc get deploy -n stackrox -o wide
$ oc get deploy -n stackrox -o wideCopy to Clipboard Copied! Toggle word wrap Toggle overflow oc get pod -n stackrox --watch
$ oc get pod -n stackrox --watchCopy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3.1.2. 在 Kubernetes 上升级 Central
如果您在 Kubernetes 上安装了 Red Hat Advanced Cluster Security for Kubernetes,请使用以下步骤进行升级。
先决条件
- 如果您从私有镜像 registry 部署镜像,请先将新镜像推送到私有 registry 中,然后使用以下命令替换您的镜像 registry。
流程
修补本地角色:
kubectl -n stackrox patch role edit -p '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["create","get", "list", "watch", "update", "patch", "delete","deletecollection"]}]}'$ kubectl -n stackrox patch role edit -p '{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["create","get", "list", "watch", "update", "patch", "delete","deletecollection"]}]}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 运行以下命令来升级 Central:
kubectl -n stackrox patch deploy/central -p '{"spec":{"template":{"spec":{"containers":[{"name":"central","env":[{"name":"ROX_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]}]}}}}'$ kubectl -n stackrox patch deploy/central -p '{"spec":{"template":{"spec":{"containers":[{"name":"central","env":[{"name":"ROX_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]}]}}}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow kubectl -n stackrox patch deployment/scanner -p '{"spec":{"template":{"spec":{"containers":[{"name":"scanner","securityContext":{"runAsUser":65534}}]}}}}'$ kubectl -n stackrox patch deployment/scanner -p '{"spec":{"template":{"spec":{"containers":[{"name":"scanner","securityContext":{"runAsUser":65534}}]}}}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow kubectl -n stackrox set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.73.5
$ kubectl -n stackrox set image deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.73.51 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 如果从私有镜像 registry 部署镜像,请将新镜像推送到私有 registry 中,并在此处替换镜像 registry 地址。
验证
验证新 pod 是否已部署:
kubectl get deploy -n stackrox -o wide
$ kubectl get deploy -n stackrox -o wideCopy to Clipboard Copied! Toggle word wrap Toggle overflow kubectl get pod -n stackrox --watch
$ kubectl get pod -n stackrox --watchCopy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3.2. 升级 roxctl CLI
要将 roxctl CLI 升级到最新版本,您必须卸载 roxctl CLI 的现有版本,然后安装 roxctl CLI 的最新版本。
3.3.2.1. 卸载 roxctl CLI
您可以按照以下流程卸载 Linux 上的 roxctl CLI 二进制文件。
流程
查找并删除
roxctl二进制文件:ROXPATH=$(which roxctl) && rm -f $ROXPATH
$ ROXPATH=$(which roxctl) && rm -f $ROXPATH1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- 根据您的环境,您可能需要管理员删除
roxctl二进制文件。
3.3.2.2. 在 Linux 中安装 roxctl CLI
您可以按照以下流程在 Linux 上安装 roxctl CLI 二进制文件。
流程
下载
roxctlCLI 的最新版本:curl -O https://mirror.openshift.com/pub/rhacs/assets/3.73.5/bin/Linux/roxctl
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.73.5/bin/Linux/roxctlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 使
roxctl二进制文件可执行:chmod +x roxctl
$ chmod +x roxctlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 将
roxctl二进制文件放到PATH中的目录中:要查看您的
PATH,请执行以下命令:echo $PATH
$ echo $PATHCopy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
验证您已安装的
roxctl版本:roxctl version
$ roxctl versionCopy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3.2.3. 在 macOS 上安装 roxctl CLI
您可以按照以下流程在 macOS 中安装 roxctl CLI 二进制文件。
流程
下载
roxctlCLI 的最新版本:curl -O https://mirror.openshift.com/pub/rhacs/assets/3.73.5/bin/Darwin/roxctl
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.73.5/bin/Darwin/roxctlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 从二进制文件中删除所有扩展属性:
xattr -c roxctl
$ xattr -c roxctlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 使
roxctl二进制文件可执行:chmod +x roxctl
$ chmod +x roxctlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 将
roxctl二进制文件放到PATH中的目录中:要查看您的
PATH,请执行以下命令:echo $PATH
$ echo $PATHCopy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
验证您已安装的
roxctl版本:roxctl version
$ roxctl versionCopy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3.2.4. 在 Windows 上安装 roxctl CLI
您可以按照以下流程在 Windows 上安装 roxctl CLI 二进制文件。
流程
下载
roxctlCLI 的最新版本:curl -O https://mirror.openshift.com/pub/rhacs/assets/3.73.5/bin/Windows/roxctl.exe
$ curl -O https://mirror.openshift.com/pub/rhacs/assets/3.73.5/bin/Windows/roxctl.exeCopy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
验证您已安装的
roxctl版本:roxctl version
$ roxctl versionCopy to Clipboard Copied! Toggle word wrap Toggle overflow
升级 roxctl CLI 后,您可以升级 Scanner。
3.3.3. 升级扫描器
您可以使用 roxctl CLI 将 Scanner 更新至最新版本。
先决条件
- 如果从私有镜像 registry 部署镜像,您必须首先将新镜像推送到私有 registry 中,然后编辑以下部分中的命令以使用私有镜像 registry 的名称。
流程
如果您已创建了自定义扫描程序配置,则必须在更新扫描程序配置文件前应用这些更改。
使用以下
roxctl命令生成 Scanner:roxctl -e "$ROX_CENTRAL_ADDRESS" scanner generate
$ roxctl -e "$ROX_CENTRAL_ADDRESS" scanner generateCopy to Clipboard Copied! Toggle word wrap Toggle overflow 应用 TLS secret YAML 文件:
如果使用 OpenShift Container Platform,请输入以下命令:
oc apply -f scanner-bundle/scanner/02-scanner-03-tls-secret.yaml
$ oc apply -f scanner-bundle/scanner/02-scanner-03-tls-secret.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl apply -f scanner-bundle/scanner/02-scanner-03-tls-secret.yaml
$ kubectl apply -f scanner-bundle/scanner/02-scanner-03-tls-secret.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow
应用 Scanner 配置 YAML 文件:
如果使用 OpenShift Container Platform,请输入以下命令:
oc apply -f scanner-bundle/scanner/02-scanner-04-scanner-config.yaml
$ oc apply -f scanner-bundle/scanner/02-scanner-04-scanner-config.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl apply -f scanner-bundle/scanner/02-scanner-04-scanner-config.yaml
$ kubectl apply -f scanner-bundle/scanner/02-scanner-04-scanner-config.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow
更新 Scanner 镜像:
如果使用 OpenShift Container Platform,请输入以下命令:
oc -n stackrox set image deploy/scanner scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.73.5
$ oc -n stackrox set image deploy/scanner scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.73.5Copy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl -n stackrox set image deploy/scanner scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.73.5
$ kubectl -n stackrox set image deploy/scanner scanner=registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.73.5Copy to Clipboard Copied! Toggle word wrap Toggle overflow
更新 Scanner 数据库镜像:
如果使用 OpenShift Container Platform,请输入以下命令:
oc -n stackrox set image deploy/scanner-db db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.73.5 init-db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.73.5
$ oc -n stackrox set image deploy/scanner-db db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.73.5 init-db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.73.5Copy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl -n stackrox set image deploy/scanner-db db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.73.5 init-db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.73.5
$ kubectl -n stackrox set image deploy/scanner-db db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.73.5 init-db=registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.73.5Copy to Clipboard Copied! Toggle word wrap Toggle overflow
验证
检查新 pod 是否已成功部署:
如果使用 OpenShift Container Platform,请输入以下命令:
oc get pod -n stackrox --watch
$ oc get pod -n stackrox --watchCopy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl get pod -n stackrox --watch
$ kubectl get pod -n stackrox --watchCopy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3.3.1. 升级到 RHACS 版本 3.71
如果要使用 roxctl CLI 和 YAML 文件升级到 RHACS 3.71,则需要执行一些额外的步骤。Scanner DB 镜像不再将 scanner-db-password Kubernetes Secret 挂载到 db Scanner DB 容器中。相反,scanner-db-password 仅在 init 容器 init-db 中使用。因此,您必须将 POSTGRES_PASSWORD_FILE 环境变量添加到 init 容器配置中。init 容器还必须挂载 scanner-db-tls-volume 和 scanner-db-password 卷。如果使用 OpenShift Container Platform 或 Kubernetes,则以下部分提供 RHACS 的升级步骤。有关 init 容器的更多信息,请参阅 Kubernetes 文档。
先决条件
-
此流程假设 Scanner DB 配置中的
db容器是index 0,它是容器列表中的第一个条目;而scanner-db-password卷挂载则位于index 2,这是第三个条目。
虽然这种情况适用于大多数部署,但请在输入这些命令前检查 Scanner DB 的配置。如果您的值不同,您必须使用以下命令调整 …/containers/x/volumeMounts/y 值。
流程
应用补丁:
如果使用 OpenShift Container Platform,请输入以下命令:
oc -n stackrox patch deployment.apps/scanner-db --patch '{"spec":{"template":{"spec":{"initContainers":[{"name":"init-db","env":[{"name":"POSTGRES_PASSWORD_FILE","value":"/run/secrets/stackrox.io/secrets/password"}],"command":["/usr/local/bin/docker-entrypoint.sh","postgres","-c","config_file=/etc/postgresql.conf"],"volumeMounts":[{"name":"db-data","mountPath":"/var/lib/postgresql/data"},{"name":"scanner-db-tls-volume","mountPath":"/run/secrets/stackrox.io/certs","readOnly":true},{"name":"scanner-db-password","mountPath":"/run/secrets/stackrox.io/secrets","readOnly":true}],"securityContext":{"runAsGroup":70,"runAsNonRoot":true,"runAsUser":70}}]}}}}'$ oc -n stackrox patch deployment.apps/scanner-db --patch '{"spec":{"template":{"spec":{"initContainers":[{"name":"init-db","env":[{"name":"POSTGRES_PASSWORD_FILE","value":"/run/secrets/stackrox.io/secrets/password"}],"command":["/usr/local/bin/docker-entrypoint.sh","postgres","-c","config_file=/etc/postgresql.conf"],"volumeMounts":[{"name":"db-data","mountPath":"/var/lib/postgresql/data"},{"name":"scanner-db-tls-volume","mountPath":"/run/secrets/stackrox.io/certs","readOnly":true},{"name":"scanner-db-password","mountPath":"/run/secrets/stackrox.io/secrets","readOnly":true}],"securityContext":{"runAsGroup":70,"runAsNonRoot":true,"runAsUser":70}}]}}}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl -n stackrox patch deployment.apps/scanner-db --patch '{"spec":{"template":{"spec":{"initContainers":[{"name":"init-db","env":[{"name":"POSTGRES_PASSWORD_FILE","value":"/run/secrets/stackrox.io/secrets/password"}],"command":["/usr/local/bin/docker-entrypoint.sh","postgres","-c","config_file=/etc/postgresql.conf"],"volumeMounts":[{"name":"db-data","mountPath":"/var/lib/postgresql/data"},{"name":"scanner-db-tls-volume","mountPath":"/run/secrets/stackrox.io/certs","readOnly":true},{"name":"scanner-db-password","mountPath":"/run/secrets/stackrox.io/secrets","readOnly":true}],"securityContext":{"runAsGroup":70,"runAsNonRoot":true,"runAsUser":70}}]}}}}'$ kubectl -n stackrox patch deployment.apps/scanner-db --patch '{"spec":{"template":{"spec":{"initContainers":[{"name":"init-db","env":[{"name":"POSTGRES_PASSWORD_FILE","value":"/run/secrets/stackrox.io/secrets/password"}],"command":["/usr/local/bin/docker-entrypoint.sh","postgres","-c","config_file=/etc/postgresql.conf"],"volumeMounts":[{"name":"db-data","mountPath":"/var/lib/postgresql/data"},{"name":"scanner-db-tls-volume","mountPath":"/run/secrets/stackrox.io/certs","readOnly":true},{"name":"scanner-db-password","mountPath":"/run/secrets/stackrox.io/secrets","readOnly":true}],"securityContext":{"runAsGroup":70,"runAsNonRoot":true,"runAsUser":70}}]}}}}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow
删除路径:
如果使用 OpenShift Container Platform,请输入以下命令:
oc -n stackrox patch deployment.apps/scanner-db --type json --patch '[{"op":"remove","path":"/spec/template/spec/containers/0/volumeMounts/2"}]'$ oc -n stackrox patch deployment.apps/scanner-db --type json --patch '[{"op":"remove","path":"/spec/template/spec/containers/0/volumeMounts/2"}]'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl -n stackrox patch deployment.apps/scanner-db --type json --patch '[{"op":"remove","path":"/spec/template/spec/containers/0/volumeMounts/2"}]'$ kubectl -n stackrox patch deployment.apps/scanner-db --type json --patch '[{"op":"remove","path":"/spec/template/spec/containers/0/volumeMounts/2"}]'Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3.4. 验证 Central 集群升级
在升级了 Central 和 Scanner 后,验证该中央集群升级已完成。
流程
检查 Central 日志:
如果使用 OpenShift Container Platform,请输入以下命令:
oc logs -n stackrox deploy/central -c central
$ oc logs -n stackrox deploy/central -c centralCopy to Clipboard Copied! Toggle word wrap Toggle overflow 如果使用 Kubernetes,请输入以下命令:
kubectl logs -n stackrox deploy/central -c central
$ kubectl logs -n stackrox deploy/central -c centralCopy to Clipboard Copied! Toggle word wrap Toggle overflow
成功升级的输出示例
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}