Manual Upgrade (3.0.0+)

As of August 2020, Sysdig has changed its upgrade procedure.

All on-premises installations and upgrades are now scheduled with and guided by Sysdig technical account managers and professional services division. See Oversight Services Now Offered for All Installs and Upgrades.


For customers, the instructions in this section are for review purposes only.

Sysdig platform on-premise releases are listed here. Each release has a version number and specific release notes.

This release has the following significant changes:

  • Added NATS service to deliver events to the Sysdig backend

  • Added services for the beta Policy Advisor, which permits a user to auto-generate Pod Security Policies and perform dry tests or “simulations” of them before committing them to an environment.

  • Added services for activity audit, which allows users to view different data sources in-depth for monitoring, troubleshooting, diagnostics, or to meet regulatory controls

  • Some Anchore reporting components are not needed anymore and have been removed.

Download the New Version

Download the new version from Sysdig’s GitHub and unzip it.

wget https://github.com/draios/sysdigcloud-kubernetes/archive/<version_number>.tar.gz &&  tar xvf <version_number>.tar.gz

Edit New Files to Match Your Customized Files

It is important to use the latest YAML files for a successful upgrade.


Edit the following files within the sysdigcloud directory to match any customizations you may have made in your existing production system.


Please do not edit the image: property.

Sysdig Component Files

Ensure that any passwords or user names are transferred from your existing config.yaml to the new one. Suggested areas to review are listed below.

  • config.yaml:

    The following variables are always customized in Sysdig installations:

    api.url
    collector.endpoint
    sysdigcloud.license
    mysql.password
    

    Modifying following variables is optional but commonly done:

    cassandra.jvm.options
    elasticsearch.jvm.options
    sysdigcloud.jvm.api.options
    sysdigcloud.jvm.collector.options
    sysdigcloud.jvm.worker.options
    
  • Check deployment YAML files for CPU/memory settings.

  • Update the spec.replicas definition in the following files:

    • sysdigcloud/api-deployment.yaml

    • sysdigcloud/collector-deployment.yaml

    • sysdigcloud/worker-deployment.yaml

  • If running Sysdig Secure:

    • sysdigcloud/anchore-core-config.yaml

    • sysdigcloud/anchore-worker-config.yaml

    • sysdigcloud/anchore-core-deployment.yaml

    • sysdigcloud/anchore-worker-deployment.yaml

    • sysdigcloud/scanning-api-deployment.yaml

    • sysdigcloud/scanning-alertmgr-deployment.yaml

Postgres File (Sysdig Secure Only)

  • postgres-statefulset.yaml : Edit the storage class name in this file.

    The file is located in datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulsets.yaml

    Storage class name appears as spec.volumeClaimTemplates[].spec.storageClassName

Elasticsearch and Cassandra Files

  • elasticsearch-statefulset.yaml: For example, your environment may have customized the values for the number of replicas, resource constraints, amount of storage, and the storage class name:

    spec.replicas and spec.template.spec.containers[elasticsearch].env[ELASTICSEARCH_GOSSIP_NODES_NUM].value
    spec.template.spec.containers[].resources
    spec.volumeClaimTemplates[].spec.resources.requests.storage
    spec.volumeClaimTemplates[].spec.storageClassName
    
  • cassandra-statefulset.yaml: As with Elasticsearch, your environment may have customized the values for the number of replicas, resource constraints, amount of storage, and the storage class name:

    spec.replicas
    spec.template.spec.containers[].resources
    spec.volumeClaimTemplates[].spec.resources.requests.storage
    spec.volumeClaimTemplates[].spec.storageClassName
    

Apply the Files

The --force flag deletes the object and re-creates it whereas the --replace flag automatically creates an object if it doesn’t exist.

For the upgrade, assume NAMESPACE=sysdigcloud.

Install the NATS Components

In version 3.0, a NATS datastore was introduced for handling events inside the Sysdig platform:

kubectl -n $NAMESPACE apply -f datastores/as_kubernetes_pods/manifests/nats-streaming/nats-streaming-deployment.yaml
kubectl -n $NAMESPACE apply -f datastores/as_kubernetes_pods/manifests/nats-streaming/nats-streaming-service.yaml

Upgrade Sysdig Monitor

Run the kubectl commands to apply the relevant files to your cluster.

kubectl -n $NAMESPACE apply -f sysdigcloud/config.yaml

kubectl -n $NAMESPACE replace --force -f datastores/as_kubernetes_pods/manifests/elasticsearch/elasticsearch-statefulset.yaml
kubectl -n $NAMESPACE replace --force -f datastores/as_kubernetes_pods/manifests/cassandra/cassandra-statefulset.yaml

Pause to allow Elasticsearch and Cassandra to come up. then continue:

kubectl -n $NAMESPACE apply -f sysdigcloud/api-deployment.yaml

Pause to allow api to come up, then continue:

kubectl -n $NAMESPACE apply -f sysdigcloud/collector-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/worker-deployment.yaml

Upgrade Sysdig Secure

Run the kubectl commands to apply the relevant files to your cluster.

kubectl -n $NAMESPACE replace --force -f datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulset.yaml

kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-core-config.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-worker-config.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-core-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-worker-deployment.yaml

kubectl -n $NAMESPACE apply -f sysdigcloud/scanning-api-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/scanning-alertmgr-deployment.yaml

Create secrets for the new policy advisor and activity audit components by deploying the policy-advisor-secret.yaml.

kubectl -n $NAMESPACE apply -f sysdigcloud/policy-advisor-secret.yaml

Deploy the components:

kubectl -n $NAMESPACE apply -f sysdigcloud/policy-advisor-service.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-api-service.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-api-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/policy-advisor-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-worker-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-janitor-cronjob.yaml

You can delete the Anchore reporting components to free up system resources:

kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-enterprise-license.yaml
kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-reports-config.yaml
kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-reports-deployment.yaml
kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-reports-service.yaml



Last modified September 23, 2022