This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

    Manual Upgrade (3.0.0+)

    As of August 2020, Sysdig has changed its upgrade procedure.

    All on-premises installations and upgrades are now scheduled with and guided by Sysdig technical account managers and professional services division. See Oversight Services Now Offered for All Installs and Upgrades .

    For customers, the instructions in this section are for review purposes only.

    Sysdig platform on-premise releases are listed here. Each release has a version number and specific release notes.

    This release has the following significant changes:

    • Added NATS service to deliver events to the Sysdig backend

    • Added services for the beta Policy Advisor, which permits a user to auto-generate Pod Security Policies and perform dry tests or “simulations” of them before committing them to an environment.

    • Added services for activity audit, which allows users to view different data sources in-depth for monitoring, troubleshooting, diagnostics, or to meet regulatory controls

    • Some Anchore reporting components are not needed anymore and have been removed.

    Download the New Version

    Download the new version from Sysdig’s GitHub and unzip it.

    wget https://github.com/draios/sysdigcloud-kubernetes/archive/<version_number>.tar.gz &&  tar xvf <version_number>.tar.gz
    

    Edit New Files to Match Your Customized Files

    It is important to use the latest YAML files for a successful upgrade.

    Edit the following files within the sysdigcloud directory to match any customizations you may have made in your existing production system.

    Please do not edit the image: property.

    Sysdig Component Files

    Ensure that any passwords or user names are transferred from your existing config.yaml to the new one. Suggested areas to review are listed below.

    • config.yaml:

      The following variables are always customized in Sysdig installations:

      api.url
      collector.endpoint
      sysdigcloud.license
      mysql.password
      

      Modifying following variables is optional but commonly done:

      cassandra.jvm.options
      elasticsearch.jvm.options
      sysdigcloud.jvm.api.options
      sysdigcloud.jvm.collector.options
      sysdigcloud.jvm.worker.options
      
    • Check deployment YAML files for CPU/memory settings.

    • Update the spec.replicas definition in the following files:

      • sysdigcloud/api-deployment.yaml

      • sysdigcloud/collector-deployment.yaml

      • sysdigcloud/worker-deployment.yaml

    • If running Sysdig Secure:

      • sysdigcloud/anchore-core-config.yaml

      • sysdigcloud/anchore-worker-config.yaml

      • sysdigcloud/anchore-core-deployment.yaml

      • sysdigcloud/anchore-worker-deployment.yaml

      • sysdigcloud/scanning-api-deployment.yaml

      • sysdigcloud/scanning-alertmgr-deployment.yaml

    Postgres File (Sysdig Secure Only)

    • postgres-statefulset.yaml : Edit the storage class name in this file.

      The file is located in datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulsets.yaml

      Storage class name appears as spec.volumeClaimTemplates[].spec.storageClassName

    Elasticsearch and Cassandra Files

    • elasticsearch-statefulset.yaml: For example, your environment may have customized the values for the number of replicas, resource constraints, amount of storage, and the storage class name:

      spec.replicas and spec.template.spec.containers[elasticsearch].env[ELASTICSEARCH_GOSSIP_NODES_NUM].value
      spec.template.spec.containers[].resources
      spec.volumeClaimTemplates[].spec.resources.requests.storage
      spec.volumeClaimTemplates[].spec.storageClassName
      
    • cassandra-statefulset.yaml: As with Elasticsearch, your environment may have customized the values for the number of replicas, resource constraints, amount of storage, and the storage class name:

      spec.replicas
      spec.template.spec.containers[].resources
      spec.volumeClaimTemplates[].spec.resources.requests.storage
      spec.volumeClaimTemplates[].spec.storageClassName
      

    Apply the Files

    The --force flag deletes the object and re-creates it whereas the --replace flag automatically creates an object if it doesn’t exist.

    For the upgrade, assume NAMESPACE=sysdigcloud.

    Install the NATS Components

    In version 3.0, a NATS datastore was introduced for handling events inside the Sysdig platform:

    kubectl -n $NAMESPACE apply -f datastores/as_kubernetes_pods/manifests/nats-streaming/nats-streaming-deployment.yaml
    kubectl -n $NAMESPACE apply -f datastores/as_kubernetes_pods/manifests/nats-streaming/nats-streaming-service.yaml
    

    Upgrade Sysdig Monitor

    Run the kubectl commands to apply the relevant files to your cluster.

    kubectl -n $NAMESPACE apply -f sysdigcloud/config.yaml
    
    kubectl -n $NAMESPACE replace --force -f datastores/as_kubernetes_pods/manifests/elasticsearch/elasticsearch-statefulset.yaml
    kubectl -n $NAMESPACE replace --force -f datastores/as_kubernetes_pods/manifests/cassandra/cassandra-statefulset.yaml
    

    Pause to allow Elasticsearch and Cassandra to come up. then continue:

    kubectl -n $NAMESPACE apply -f sysdigcloud/api-deployment.yaml
    

    Pause to allow api to come up, then continue:

    kubectl -n $NAMESPACE apply -f sysdigcloud/collector-deployment.yaml
    kubectl -n $NAMESPACE apply -f sysdigcloud/worker-deployment.yaml
    

    Upgrade Sysdig Secure

    Run the kubectl commands to apply the relevant files to your cluster.

    kubectl -n $NAMESPACE replace --force -f datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulset.yaml
    
    kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-core-config.yaml
    kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-worker-config.yaml
    kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-core-deployment.yaml
    kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-worker-deployment.yaml
    
    kubectl -n $NAMESPACE apply -f sysdigcloud/scanning-api-deployment.yaml
    kubectl -n $NAMESPACE apply -f sysdigcloud/scanning-alertmgr-deployment.yaml
    

    Create secrets for the new policy advisor and activity audit components by deploying the policy-advisor-secret.yaml.

    kubectl -n $NAMESPACE apply -f sysdigcloud/policy-advisor-secret.yaml
    

    Deploy the components:

    kubectl -n $NAMESPACE apply -f sysdigcloud/policy-advisor-service.yaml
    kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-api-service.yaml
    kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-api-deployment.yaml
    kubectl -n $NAMESPACE apply -f sysdigcloud/policy-advisor-deployment.yaml
    kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-worker-deployment.yaml
    kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-janitor-cronjob.yaml
    

    You can delete the Anchore reporting components to free up system resources:

    kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-enterprise-license.yaml
    kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-reports-config.yaml
    kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-reports-deployment.yaml
    kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-reports-service.yaml