2.3. Upgrading all secured clusters
After upgrading the Central services, you must upgrade all secured clusters.
To complete a manual upgrade of each secured cluster that runs Sensor, Collector, and Admission Controller, follow the instructions in this section.
2.3.1. Updating the readiness probe
If you are upgrading from a version of Red Hat Advanced Cluster Security for Kubernetes earlier than 3.65.0, you must run the following command to update the readiness probe path. If you are running a version later than 3.65, skip this step.
Procedure
Update the readiness probe path:
$ oc -n stackrox patch deploy/sensor -p '{"spec":{"template":{"spec":{"containers":[{"name":"sensor","readinessProbe":{"httpGet":{"path":"/ready"}}}]}}}}' 1
- 1 If you use Kubernetes, enter kubectl instead of oc.
2.3.2. Updating OpenShift security context constraints
Depending on the version of Red Hat Advanced Cluster Security for Kubernetes you are upgrading to, you must update specific OpenShift Container Platform security context constraints (SCCs).
Run the commands in this section only if you use Red Hat Advanced Cluster Security for Kubernetes on OpenShift Container Platform. Otherwise, skip the instructions in this section.
Procedure
Red Hat Advanced Cluster Security for Kubernetes 3.64.0 renamed the SCCs. If you are upgrading from a version earlier than 3.64.0, you must delete and re-apply the SCCs; otherwise, skip this step:
Run the following commands to update Central:
$ oc apply -f - <<EOF
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: stackrox-central
  labels:
    app.kubernetes.io/name: stackrox
  annotations:
    kubernetes.io/description: stackrox-central is the security constraint for the central server
    email: support@stackrox.com
    owner: stackrox
allowHostDirVolumePlugin: false
allowedCapabilities: []
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
defaultAddCapabilities: []
fsGroup:
  type: MustRunAs
  ranges:
    - max: 4000
      min: 4000
priority: 0
readOnlyRootFilesystem: true
requiredDropCapabilities: []
runAsUser:
  type: MustRunAs
  uid: 4000
seLinuxContext:
  type: MustRunAs
seccompProfiles:
  - '*'
users:
  - system:serviceaccount:stackrox:central
volumes:
  - '*'
EOF
$ oc delete scc central
Run the following commands to update Scanner:
$ oc apply -f - <<EOF
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: stackrox-scanner
  labels:
    app.kubernetes.io/name: stackrox
  annotations:
    email: support@stackrox.com
    owner: stackrox
    kubernetes.io/description: stackrox-scanner is the security constraint for the Scanner container
priority: 0
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
  - '*'
users:
  - system:serviceaccount:stackrox:scanner
volumes:
  - '*'
allowHostDirVolumePlugin: false
allowedCapabilities: []
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
defaultAddCapabilities: []
fsGroup:
  type: RunAsAny
readOnlyRootFilesystem: false
requiredDropCapabilities: []
EOF
$ oc delete scc scanner
Run the following commands in each OpenShift secured cluster:
$ oc apply -f - <<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: stackrox-admission-control
  labels:
    app.kubernetes.io/name: stackrox
    auto-upgrade.stackrox.io/component: "sensor"
  annotations:
    email: support@stackrox.com
    owner: stackrox
    kubernetes.io/description: stackrox-admission-control is the security constraint for the admission controller
users:
  - system:serviceaccount:stackrox:admission-control
priority: 0
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
  - '*'
supplementalGroups:
  type: RunAsAny
fsGroup:
  type: RunAsAny
groups: []
readOnlyRootFilesystem: true
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: []
defaultAddCapabilities: []
requiredDropCapabilities: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - secret
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: stackrox-collector
  labels:
    app.kubernetes.io/name: stackrox
    auto-upgrade.stackrox.io/component: "sensor"
  annotations:
    email: support@stackrox.com
    owner: stackrox
    kubernetes.io/description: This SCC is based on privileged, hostaccess, and hostmount-anyuid
users:
  - system:serviceaccount:stackrox:collector
allowHostDirVolumePlugin: true
allowPrivilegedContainer: true
fsGroup:
  type: RunAsAny
groups: []
priority: 0
readOnlyRootFilesystem: true
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
  - '*'
supplementalGroups:
  type: RunAsAny
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowedCapabilities: []
defaultAddCapabilities: []
requiredDropCapabilities: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - secret
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: stackrox-sensor
  labels:
    app.kubernetes.io/name: stackrox
    auto-upgrade.stackrox.io/component: "sensor"
  annotations:
    email: support@stackrox.com
    owner: stackrox
    kubernetes.io/description: stackrox-sensor is the security constraint for the sensor
users:
  - system:serviceaccount:stackrox:sensor
  - system:serviceaccount:stackrox:sensor-upgrader
priority: 0
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
  - '*'
supplementalGroups:
  type: RunAsAny
fsGroup:
  type: RunAsAny
groups: []
readOnlyRootFilesystem: true
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: []
defaultAddCapabilities: []
requiredDropCapabilities: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - secret
EOF
$ oc delete scc admission-control collector sensor
2.3.3. Updating other images
When you are not using automatic upgrades, you must update the sensor, collector, and compliance images in each secured cluster.
If you use Kubernetes, use kubectl instead of oc in the commands listed in this procedure.
Procedure
Update the Sensor image:
$ oc -n stackrox set image deploy/sensor sensor=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3 1
- 1 If you use Kubernetes, enter kubectl instead of oc.
Update the Compliance image:
$ oc -n stackrox set image ds/collector compliance=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3 1
- 1 If you use Kubernetes, enter kubectl instead of oc.
Update the Collector image:
$ oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:3.71.3 1
- 1 If you use Kubernetes, enter kubectl instead of oc.
Note: If you use the collector slim image, run the following command instead:
$ oc -n stackrox set image ds/collector collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:{rhacs-version}
Update the Admission Control image:
$ oc -n stackrox set image deploy/admission-control admission-control=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3
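As an added example (not part of the Red Hat documentation), the following script checks, after the image updates above, that every container of the Sensor, Collector (including its compliance container) and Admission Control workloads in the stackrox namespace carries the expected tag, which catches a container that was skipped during the manual update. EXPECTED_TAG, CLI and RHACS_LIVE_CHECK are environment variable names assumed for this example, and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat docs): confirm every Sensor, Collector,
# Compliance and Admission Controller container carries the expected RHACS tag,
# so a container skipped during the manual update (e.g. compliance in ds/collector)
# is caught. EXPECTED_TAG, CLI and RHACS_LIVE_CHECK are names assumed for this example.
set -eu
EXPECTED_TAG="${EXPECTED_TAG:-3.71.3}"

# Print one "workload/container=image" line per container of the workloads this
# procedure updates. Pass "kubectl" instead of "oc" on plain Kubernetes.
collect_images() {
  cli="${1:-oc}"
  "$cli" -n stackrox get deploy/sensor deploy/admission-control ds/collector \
    -o go-template='{{range .items}}{{$w := .metadata.name}}{{range .spec.template.spec.containers}}{{$w}}/{{.name}}={{.image}}{{"\n"}}{{end}}{{end}}'
}

# Read those lines on stdin; report every container whose tag differs from the
# expected one. Returns 0 only when all containers match.
check_images() {
  expected="$1"; bad=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    image="${line#*=}"
    case "$image" in
      *@sha256:*) tag="digest" ;;            # pinned by digest: no tag to compare
      *:*)        tag="${image##*:}" ;;
      *)          tag="none" ;;              # untagged: Kubernetes would pull :latest
    esac
    if [ "$tag" != "$expected" ]; then
      printf 'MISMATCH %s (tag %s, expected %s)\n' "$line" "$tag" "$expected" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Constructed sample output: a fully updated cluster, plus a copy in which the
# compliance container inside ds/collector was left at the old version.
SAMPLE_OK='sensor/sensor=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3
collector/collector=registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:3.71.3
collector/compliance=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3
admission-control/admission-control=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.71.3'
SAMPLE_STALE=$(printf '%s\n' "$SAMPLE_OK" | sed '/compliance/s/3\.71\.3$/3.70.0/')
# Set RHACS_LIVE_CHECK=1 to query a real cluster; otherwise only the sample is checked.
if [ "${RHACS_LIVE_CHECK:-0}" = "1" ]; then
  collect_images "${CLI:-oc}" | check_images "$EXPECTED_TAG"
else
  printf '%s\n' "$SAMPLE_OK" | check_images "$EXPECTED_TAG"
fi
```

Run it with RHACS_LIVE_CHECK=1 against a secured cluster once the set image commands have been applied; a non-zero exit lists each container still on another tag.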
2.3.4. Verifying secured cluster upgrades
After upgrading the secured clusters, verify that the updated pods are working.