Sysdig Documentation

v1765 Upgrade (Kubernetes)

Sysdig platform on-premises releases are listed here. Each release has a version number and specific Release Notes.

The v. 1765 release of Sysdig Platform includes a scanning feature in Sysdig Secure which requires some additional upgrade steps.

Note

If you are running only Sysdig Monitor, and do not want to use Sysdig Secure, you can perform a simpler upgrade.

In this case, you would:

  1. Apply at minimum the mandatory releases, as listed here: On-Premises Upgrades.

  2. Run the Migration Tool.

  3. Run the basic Upgrade.

Warning

If you are running Sysdig Secure on OpenShift, contact Sysdig Support for assistance upgrading to v. 1765.

If you are running both Sysdig Monitor and Sysdig Secure (aka Sysdig Platform), use the instructions on this page.

Overview

The 1765 release of the Sysdig Platform supports the Sysdig Secure image scanning feature. Upgrading to this release requires adding components and changing existing components in your current Sysdig Platform implementation.

These are the major changes:

  • All ingress now uses an ingress controller.

  • An additional database on the existing mysql deployment is required if you are using Sysdig Secure.

  • There are additional Kubernetes services, deployments, and statefulsets.

  • The “sysdigcloud-config” configmap has many new key/value pairs.

  • There are new Kubernetes secrets that are referenced by some components.

Before You Upgrade

Before upgrading to v. 1765, you must:

  1. Apply at minimum the mandatory releases, as listed here: On-Premises Upgrades.

  2. Run the Migration Tool.

  3. Complete all the installation steps on this page.

Warning

It is highly recommended to follow upgrade best practices:

  • Keep upgrades current

  • Upgrade progressively without skipping versions, and

  • Test upgrades in a non-mission-critical or staging environment before rolling into production.

Steps

Step 1 Download the sysdigcloud-kubernetes release

Step 2 Update existing configmaps and add secrets

Edit the sysdigcloud-config configmap and copy in the new Scanning and Anchore section from sysdigcloud/config.yaml:

kubectl -n sysdigcloud edit configmap sysdigcloud-config

Create the scanning and anchore secrets:

kubectl -n sysdigcloud apply -f ./sysdigcloud/scanning-secrets.yaml
kubectl -n sysdigcloud apply -f ./sysdigcloud/anchore-secrets.yaml

Step 3 Add a database to MySQL deployment

You must manually create a new database on your existing MySQL endpoint and create a user and password for it. This database will be used by the scanning feature.

Log in to your existing MySQL RDBMS and connect via the mysql CLI program as the root user:

kubectl -n sysdigcloud get pods
kubectl -n sysdigcloud exec -it <any-mysql-pod> bash
mysql --user=root --password=change_me
   CREATE DATABASE IF NOT EXISTS `sysdig_scanning` ;
   CREATE USER 'scanninguser'@'%' IDENTIFIED BY 'change_me' ;
   GRANT ALL ON `sysdig_scanning`.* TO 'scanninguser'@'%' ;
   FLUSH PRIVILEGES ;

Step 4 Add Postgres statefulset and service

  1. Define the storage class that Postgres will use by editing the ./datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulset.yaml file and changing the storageClassName setting to the desired storage class.

  2. Create the Postgres statefulset and service:

    kubectl -n sysdigcloud create -f ./datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulset.yaml
    kubectl -n sysdigcloud create -f ./datastores/as_kubernetes_pods/manifests/postgres/postgres-service.yaml
  3. Wait for the Postgres statefulset to be running before proceeding.

Step 5 Add anchore core and worker deployments and services

  1. Create the anchore configmaps:

    kubectl -n sysdigcloud create -f ./sysdigcloud/anchore-core-config.yaml
    kubectl -n sysdigcloud create -f ./sysdigcloud/anchore-worker-config.yaml
  2. Create the anchore core deployment:

    kubectl -n sysdigcloud create -f ./sysdigcloud/anchore-core-deployment.yaml

    Wait for the anchore core pod to be running before proceeding.

  3. Create the remaining anchore kubernetes objects:

    kubectl -n sysdigcloud create -f ./sysdigcloud/anchore-worker-deployment.yaml
    kubectl -n sysdigcloud create -f ./sysdigcloud/anchore-service.yaml

Step 6 Add the scanning deployments and service

  1. Create the scanning api deployment:

    kubectl -n sysdigcloud create -f ./sysdigcloud/scanning-api-deployment.yaml

    Wait for the scanning-api pod to be running before proceeding.

  2. Create the remaining scanning kubernetes objects:

    kubectl -n sysdigcloud create -f ./sysdigcloud/scanning-alertmgr-deployment.yaml
    kubectl -n sysdigcloud create -f ./sysdigcloud/scanning-service.yaml

Step 7 Add the ingress controller and redirect incoming API/UI traffic to it

Note

There will be a disruption in running agents during this upgrade while services are modified.

  1. Remove the following services:

    kubectl -n sysdigcloud delete service sysdigcloud-api
    kubectl -n sysdigcloud delete service sysdigcloud-collector
  2. Create the api-headless-service service:

    kubectl -n sysdigcloud create -f ./sysdigcloud/api-headless-service.yaml
  3. Create the ingress controller:

    1. Define <namespace> in ingress-clusterrolebinding.yaml. (In this document, we use sysdigcloud).

      subjects:
      - kind: ServiceAccount
        name: ingress-controller
        namespace: <namespace>
    2. Edit the DNS entries in api-ingress-with-secure.yaml for your environment:

      spec:
        rules:
          - host: <EXTERNAL-DNS-NAME>
            http:
              paths:
                - backend:
                    serviceName: sysdigcloud-api
                    servicePort: 8080
                  path: /
        tls:
          - hosts:
              - <EXTERNAL-DNS-NAME>
    3. Deploy the ingress yaml files:

      kubectl -n sysdigcloud create -f sysdigcloud/ingress_controller/ingress-clusterrole.yaml
      kubectl -n sysdigcloud create -f sysdigcloud/ingress_controller/ingress-clusterrolebinding.yaml
      kubectl -n sysdigcloud create -f sysdigcloud/ingress_controller/ingress-role.yaml
      kubectl -n sysdigcloud create -f sysdigcloud/ingress_controller/ingress-rolebinding.yaml
      kubectl -n sysdigcloud create -f sysdigcloud/ingress_controller/ingress-serviceaccount.yaml
      kubectl -n sysdigcloud create -f sysdigcloud/ingress_controller/default-backend-service.yaml
      kubectl -n sysdigcloud create -f sysdigcloud/ingress_controller/default-backend-deployment.yaml
      kubectl -n sysdigcloud create -f sysdigcloud/ingress_controller/ingress-configmap.yaml
      kubectl -n sysdigcloud create -f sysdigcloud/ingress_controller/ingress-tcp-services-configmap.yaml
      kubectl -n sysdigcloud create -f sysdigcloud/ingress_controller/ingress-daemonset.yaml
      kubectl -n sysdigcloud create -f sysdigcloud/api-ingress-with-secure.yaml
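
Steps 2, 3 and 7 rely on template values that are edited by hand: the change_me sample password and the <namespace> and <EXTERNAL-DNS-NAME> placeholders. The pre-flight check below is an added example, not part of the Sysdig release; the helper names find_unedited and preflight are hypothetical, and it assumes a secret may hold the sample password base64-encoded under data:.

```shell
#!/bin/sh
# Added example: pre-flight lint for manifests edited during this upgrade.
# find_unedited and preflight are hypothetical helper names.

# Template values shown on this page that must not reach the cluster as-is.
DEFAULT_PW='change_me'
# Assumption: a Secret may carry the sample password base64-encoded under
# `data:`, so the encoded form is matched as well as the literal.
DEFAULT_PW_B64=$(printf '%s' "$DEFAULT_PW" | base64)
# <namespace>, <EXTERNAL-DNS-NAME> and similar angle-bracket placeholders.
PATTERN="${DEFAULT_PW}|${DEFAULT_PW_B64}|<[A-Za-z][A-Za-z0-9_-]*>"

# find_unedited FILE...: print file:line:text for each hit, skipping lines
# that are YAML comments. /dev/null forces grep to print the file name.
find_unedited() {
  grep -nE -- "$PATTERN" "$@" /dev/null |
    grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# preflight FILE...: return 0 if clean, 1 (with a report on stderr) if not.
preflight() {
  hits=$(find_unedited "$@") || true
  if [ -n "$hits" ]; then
    printf 'Unedited template values found, do not apply:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Stand-alone use: sh preflight.sh ./sysdigcloud/*.yaml
if [ "$#" -gt 0 ]; then
  preflight "$@" || exit 1
fi
```

Run it over the edited files before each kubectl apply or create; a non-zero exit means a template value is still present.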