Manual Upgrade (3.0.0+)

Sysdig platform on-premise releases are listed here. Each release has a version number and specific release notes.

This release has the following significant changes:

  • Added NATS service to deliver events to the Sysdig backend

  • Added services for the beta Policy Advisor, which permits a user to auto-generate Pod Security Policies and perform dry tests or "simulations" of them before committing them to an environment.

  • Added services for activity audit, which allows users to view different data sources in-depth for monitoring, troubleshooting, diagnostics, or to meet regulatory controls

  • Some Anchore reporting components are not needed anymore and have been removed.

Download the New Version

Download the new version from Sysdig's GitHub and unzip it.

wget https://github.com/draios/sysdigcloud-kubernetes/archive/<version_number>.tar.gz && tar xvf <version_number>.tar.gz

Edit New Files to Match Your Customized Files

Warning

It is important to use the latest YAML files for a successful upgrade.

Edit the following files within the sysdigcloud directory to match any customizations you may have made in your existing production system.

Please do not edit the image: property.

Sysdig Component Files

Ensure that any passwords or user names are transferred from your existing config.yaml to the new one. Suggested areas to review are listed below.

  • config.yaml:

    The following variables are always customized in Sysdig installations:

    api.url
    collector.endpoint
    sysdigcloud.license
    mysql.password

    Modifying the following variables is optional but commonly done:

    cassandra.jvm.options
    elasticsearch.jvm.options
    sysdigcloud.jvm.api.options
    sysdigcloud.jvm.collector.options
    sysdigcloud.jvm.worker.options
  • Check deployment YAML files for CPU/memory settings.

  • Update the spec.replicas definition in the following files:

    • sysdigcloud/api-deployment.yaml

    • sysdigcloud/collector-deployment.yaml

    • sysdigcloud/worker-deployment.yaml

  • If running Sysdig Secure:

    • sysdigcloud/anchore-core-config.yaml

    • sysdigcloud/anchore-worker-config.yaml

    • sysdigcloud/anchore-core-deployment.yaml

    • sysdigcloud/anchore-worker-deployment.yaml

    • sysdigcloud/scanning-api-deployment.yaml

    • sysdigcloud/scanning-alertmgr-deployment.yaml
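
As an added example (not part of the Sysdig documentation or tooling), the shell functions below report which of the config.yaml keys listed above differ between your existing file and the new one. Only key names are printed, so mysql.password and sysdigcloud.license never reach the terminal or a log. It assumes each key sits on a single "key: value" line; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the keys this page says to carry over whose values
# differ between the old and new config.yaml. Values are never printed,
# because mysql.password and sysdigcloud.license are secrets.

# Keys named on this page (always customized first, then commonly customized).
KEYS="api.url collector.endpoint sysdigcloud.license mysql.password
cassandra.jvm.options elasticsearch.jvm.options sysdigcloud.jvm.api.options
sysdigcloud.jvm.collector.options sysdigcloud.jvm.worker.options"

# Print the value of a "key: value" line (assumed layout: one line per key).
value_of() {  # $1 = key, $2 = file
  awk -v k="$1" '{
    line = $0; sub(/^[ \t]+/, "", line)
    if (index(line, k ":") == 1) {
      v = substr(line, length(k) + 2)
      gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
    }
  }' "$2"
}

# Print one key name per line for every key set in the old file whose value
# is different or missing in the new file; print nothing when all match.
drifted_keys() {  # $1 = old config.yaml, $2 = new config.yaml
  for key in $KEYS; do
    old=$(value_of "$key" "$1"); new=$(value_of "$key" "$2")
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
      echo "$key"
    fi
  done
}

# Constructed sample files, not real Sysdig configuration.
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'data:' '  api.url: https://sysdig.example.internal' \
    '  mysql.password: constructed-old-secret' \
    '  cassandra.jvm.options: -Xms4G -Xmx4G' > "$d/old.yaml"
  printf '%s\n' 'data:' '  api.url: https://sysdig.example.internal' \
    '  mysql.password: change_me' \
    '  cassandra.jvm.options: -Xms4G -Xmx4G' > "$d/new.yaml"
  drifted_keys "$d/old.yaml" "$d/new.yaml"
  rm -rf "$d"
}

demo   # prints: mysql.password
```

Run drifted_keys against your production config.yaml and the edited new one before applying; an empty result means every listed key that was set in production has the same value in the new file.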

Postgres File (Sysdig Secure Only)

  • postgres-statefulset.yaml : Edit the storage class name in this file.

    The file is located in datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulset.yaml

    Storage class name appears as spec.volumeClaimTemplates[].spec.storageClassName

Elasticsearch and Cassandra Files

  • elasticsearch-statefulset.yaml: For example, your environment may have customized the values for the number of replicas, resource constraints, amount of storage, and the storage class name:

    spec.replicas and spec.template.spec.containers[elasticsearch].env[ELASTICSEARCH_GOSSIP_NODES_NUM].value
    spec.template.spec.containers[].resources
    spec.volumeClaimTemplates[].spec.resources.requests.storage
    spec.volumeClaimTemplates[].spec.storageClassName
  • cassandra-statefulset.yaml: As with Elasticsearch, your environment may have customized the values for the number of replicas, resource constraints, amount of storage, and the storage class name:

    spec.replicas
    spec.template.spec.containers[].resources
    spec.volumeClaimTemplates[].spec.resources.requests.storage
    spec.volumeClaimTemplates[].spec.storageClassName

Apply the Files

Note

The --force flag deletes the object and re-creates it whereas the --replace flag automatically creates an object if it doesn't exist.

For the upgrade, assume NAMESPACE=sysdigcloud.

Install the NATS Components

In version 3.0, a NATS datastore was introduced for handling events inside the Sysdig platform:

kubectl -n $NAMESPACE apply -f datastores/as_kubernetes_pods/manifests/nats-streaming/nats-streaming-deployment.yaml
kubectl -n $NAMESPACE apply -f datastores/as_kubernetes_pods/manifests/nats-streaming/nats-streaming-service.yaml

Upgrade Sysdig Monitor

Run the kubectl commands to apply the relevant files to your cluster.

kubectl -n $NAMESPACE apply -f sysdigcloud/config.yaml

kubectl -n $NAMESPACE replace --force -f datastores/as_kubernetes_pods/manifests/elasticsearch/elasticsearch-statefulset.yaml
kubectl -n $NAMESPACE replace --force -f datastores/as_kubernetes_pods/manifests/cassandra/cassandra-statefulset.yaml

Pause to allow Elasticsearch and Cassandra to come up, then continue:

kubectl -n $NAMESPACE apply -f sysdigcloud/api-deployment.yaml

Pause to allow the API to come up, then continue:

kubectl -n $NAMESPACE apply -f sysdigcloud/collector-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/worker-deployment.yaml

Upgrade Sysdig Secure

Run the kubectl commands to apply the relevant files to your cluster.

kubectl -n $NAMESPACE replace --force -f datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulset.yaml

kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-core-config.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-worker-config.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-core-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/anchore-worker-deployment.yaml

kubectl -n $NAMESPACE apply -f sysdigcloud/scanning-api-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/scanning-alertmgr-deployment.yaml

Create secrets for the new policy advisor and activity audit components by deploying the policy-advisor-secret.yaml.

kubectl -n $NAMESPACE apply -f sysdigcloud/policy-advisor-secret.yaml

Deploy the components:

kubectl -n $NAMESPACE apply -f sysdigcloud/policy-advisor-service.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-api-service.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-api-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/policy-advisor-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-worker-deployment.yaml
kubectl -n $NAMESPACE apply -f sysdigcloud/activity-audit-janitor-cronjob.yaml

You can delete the Anchore reporting components to free up system resources:

kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-enterprise-license.yaml
kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-reports-config.yaml
kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-reports-deployment.yaml
kubectl -n $NAMESPACE delete -f sysdigcloud/anchore-reports-service.yaml