Configuring automatic upgrades for secured clusters | Configuring | Red Hat Advanced Cluster Security for Kubernetes 3.70

Enabling automatic upgrades
Disabling automatic upgrades
Automatic upgrade status
Automatic upgrade failure
Upgrading secured clusters manually from the RHACS Portal

You can automate the upgrade process for each secured cluster and view the upgrade status from the RHACS portal.

Automatic upgrades make it easier to stay up-to-date by automating the manual task of upgrading each secured cluster.

With automatic upgrades, after you upgrade Central; Sensor, Collector, and Compliance services in all secured clusters, automatically upgrade to the latest version.

Red Hat Advanced Cluster Security for Kubernetes also enables centralized management of all your secured clusters from within the RHACS portal. The new Clusters view displays information about all your secured clusters, the Sensor version for every cluster, and upgrade status messages. You can also use this view to selectively upgrade your secured clusters or change their configuration.

The automatic upgrade feature is enabled by default.
If you are using a private image registry, you must first push the Sensor and Collector images to your private registry.
The Sensor must run with the default RBAC permissions.
Automatic upgrades do not preserve any patches that you have made to any Red Hat Advanced Cluster Security for Kubernetes services running in your cluster. However, it preserves all labels and annotations that you have added to any Red Hat Advanced Cluster Security for Kubernetes object.
By default, Red Hat Advanced Cluster Security for Kubernetes creates a service account called sensor-upgrader in each secured cluster. This account is highly privileged but is only used during upgrades. If you remove this account, Sensor does not have enough permissions, and you must complete future upgrades manually.

Enabling automatic upgrades

You can enable automatic upgrades for all secured clusters to automatically upgrade Collector and Compliance services in all secured clusters to the latest version.

Procedure

In the RHACS portal, navigate to Platform Configuration → Clusters.
Turn on the Automatically upgrade secured clusters toggle.

For new installations, the Automatically upgrade secured clusters toggle is enabled by default.

Disabling automatic upgrades

If you want to manage your secured cluster upgrades manually, you can disable automatic upgrades.

Procedure

In the RHACS portal, navigate to Platform Configuration → Clusters.
Turn off the Automatically upgrade secured clusters toggle.

For new installations, the Automatically upgrade secured clusters toggle is enabled by default.

Automatic upgrade status

The Clusters view lists all clusters and their upgrade statuses.

Upgrade status	Description
Up to date with Central version	The secured cluster is running the same version as Central.
Upgrade available	A new version is available for the Sensor and Collector.
Upgrade failed. Retry upgrade.	The previous automatic upgrade failed.
Manual upgrade required	The Sensor and Collector version is older than version 2.5.29.0. You must manually upgrade your secured clusters.
Pre-flight checks complete	The upgrade is in progress. Before performing automatic upgrade, the upgrade installer runs a pre-flight check. During the pre-flight check, the installer verifies if certain conditions are satisfied and then only starts the upgrade process.

Upgrade status

Description

Up to date with Central version

The secured cluster is running the same version as Central.

Upgrade available

A new version is available for the Sensor and Collector.

Upgrade failed. Retry upgrade.

The previous automatic upgrade failed.

Manual upgrade required

The Sensor and Collector version is older than version 2.5.29.0. You must manually upgrade your secured clusters.

Pre-flight checks complete

The upgrade is in progress. Before performing automatic upgrade, the upgrade installer runs a pre-flight check. During the pre-flight check, the installer verifies if certain conditions are satisfied and then only starts the upgrade process.

Automatic upgrade failure

Sometimes, Red Hat Advanced Cluster Security for Kubernetes automatic upgrades might fail to install. When an upgrade fails, the status message for the secured cluster changes to Upgrade failed. Retry upgrade. To view more information about the failure and understand why the upgrade failed, you can check the secured cluster row in the Clusters view.

Some common reasons for the failure are:

The sensor-upgrader deployment might not have run because of a missing or a non-schedulable image.
The pre-flight checks may have failed, either because of insufficient RBAC permissions or because the cluster state is not recognizable. This can happen if you have edited Red Hat Advanced Cluster Security for Kubernetes service configurations or the auto-upgrade.stackrox.io/component label is missing.
There might be errors in executing the upgrade. If this happens, the upgrade installer automatically attempts to roll back the upgrade.

Sometimes, the rollback can fail as well. For such cases view the cluster logs to identify the issue or contact support.

After you identify and fix the root cause for the upgrade failure, you can use the Retry Upgrade option to upgrade your secured cluster.

Upgrading secured clusters manually from the RHACS Portal

If you do not want to enable automatic upgrades, you can manage your secured cluster upgrades by using the Clusters view.

To manually trigger upgrades for your secured clusters:

Procedure

In the RHACS portal, navigate to Platform Configuration → Clusters.
Select the Upgrade available option under the Upgrade status column for the cluster you want to upgrade.
To upgrade multiple clusters at once, select the checkboxes in the Cluster column for the clusters you want to update.
Click Upgrade.