You can restore Red Hat Advanced Cluster Security for Kubernetes from an existing backup by using the roxctl command-line interface (CLI).
Depending upon your requirements and the data you have backed up, you can restore from the following types of backups:
Restore Central database from the Central database backup: Use this to recover from a database failure or data corruption event. It allows you to restore and recover the Central database to its earlier functional state.
Restore Central from the Central deployment backup: Use this if you are migrating Central to another cluster or namespace. This option restores the configurations of your Central installation.
You can use the roxctl CLI to restore Red Hat Advanced Cluster Security for Kubernetes by using the restore command. You require an API token or your administrator password to run this command.
You can restore the entire database of RHACS by using an API token.
You have a RHACS backup file.
You have an API token with the administrator role.
You have installed the roxctl CLI.
Set the ROX_API_TOKEN and the ROX_ENDPOINT environment variables by running the following commands:
$ export ROX_API_TOKEN=<api_token>
$ export ROX_ENDPOINT=<address>:<port_number>
Restore the Central database by running the following command:
$ roxctl central db restore <backup_file>
For <backup_file>, specify the name of the backup file that you want to restore.
You can restore the entire database of RHACS by using your administrator password.
You have a RHACS backup file.
You have the administrator password.
You have installed the roxctl CLI.
Set the ROX_ENDPOINT environment variable by running the following command:
$ export ROX_ENDPOINT=<address>:<port_number>
Restore the Central database by running the following command:
$ roxctl -p <admin_password> \
    central db restore <backup_file>
For <admin_password>, specify the administrator password.
For <backup_file>, specify the name of the backup file that you want to restore.
If your connection is interrupted during a restore operation or you need to go offline, you can resume the restore operation.
If you do not have access to the machine running the resume operation, you can use the roxctl central db restore status command to check the status of an ongoing restore operation.
If the connection is interrupted, the roxctl CLI automatically attempts to restore a task as soon as the connection is available again.
The automatic connection retries depend on the duration specified by the timeout option.
Use the --timeout option to specify the time in seconds, minutes or hours after which the roxctl CLI stops trying to resume a restore operation.
If the option is not specified, the default timeout is 10 minutes.
If a restore operation gets stuck or you want to cancel it, use the roxctl central db restore cancel command to cancel a running restore operation.
If a restore operation is stuck, you have canceled it, or the time has expired, you can resume the previous restore by running the original command again.
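As an added example (not part of the Red Hat documentation or the roxctl project), the following shell wrapper checks the prerequisites of the API token procedure before it runs the restore, so that a missing token, a malformed endpoint or an empty backup file fails before any connection is made. The function names, exit codes and the RESTORE_TIMEOUT variable are assumptions of this example, as is the 10m duration syntax passed to --timeout.

```shell
#!/usr/bin/env bash
# Added example: preflight checks around `roxctl central db restore`.
# Function names, exit codes and RESTORE_TIMEOUT are assumptions of this example.

# Succeeds only for <address>:<port_number> with a port in 1-65535.
valid_endpoint() {
  local ep host port
  ep=$1
  case $ep in
    ''|*://*|*/*) return 1 ;;   # the documented format has no scheme or path
  esac
  host=${ep%:*}
  port=${ep##*:}
  [ "$port" != "$ep" ] && [ -n "$host" ] || return 1   # needs a host and a colon
  case $port in
    ''|*[!0-9]*) return 1 ;;    # port must be digits only
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Distinct exit codes let automation tell which prerequisite failed.
preflight() {
  local backup
  backup=$1
  [ -n "${ROX_API_TOKEN:-}" ] || { echo "ROX_API_TOKEN is not set" >&2; return 2; }
  valid_endpoint "${ROX_ENDPOINT:-}" ||
    { echo "ROX_ENDPOINT must be <address>:<port_number>" >&2; return 3; }
  [ -f "$backup" ] && [ -r "$backup" ] && [ -s "$backup" ] ||
    { echo "backup file missing, unreadable or empty: $backup" >&2; return 4; }
}

# Runs the restore. Running it again with the same file is the resume path
# described above for an interrupted, canceled or timed-out restore.
restore_central_db() {
  preflight "$1" || return
  # The 10m duration syntax is an assumption; 10 minutes is the documented default.
  roxctl central db restore --timeout "${RESTORE_TIMEOUT:-10m}" "$1"
}

# Only act when a backup file is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
  restore_central_db "$1"
fi
```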
You can restore your Central deployment to its original configuration by using the backups you made.
You must first restore certificates by using the roxctl CLI, and then restore the Central deployment by running the Central installation scripts.
Use the roxctl CLI to generate Kubernetes manifests to install the RHACS Central component to your cluster.
Doing this allows you to ensure that authentication certificates for Secured clusters and the API tokens remain valid for the restored version.
If you backed up another instance of RHACS Central, you can use the certificate files from that backup.
With the |
You must have the Red Hat Advanced Cluster Security for Kubernetes backup file.
You must have installed the roxctl CLI.
Run the interactive install command:
$ roxctl central generate interactive
For the following prompt, enter the path of the Red Hat Advanced Cluster Security for Kubernetes backup file:
Enter path to the backup bundle from which to restore keys and certificates (optional): <backup-file-path>
For the remaining prompts, press Enter to accept the default value or enter custom values as required.
On completion, the interactive install command creates a folder named central-bundle, which has the necessary YAML manifests and scripts to deploy Central.
After you run the interactive installer, you can run the setup.sh script to install Central.
Run the setup.sh script to configure image registry access:
$ ./central-bundle/central/scripts/setup.sh
To enable the policy as code feature (Technology Preview), manually apply the config.stackrox.io CRD that is located in the .zip file at helm/chart/crds/config.stackrox.io_securitypolicies.yaml.
Policy as code is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
To apply the CRD, run the following command:
Create the necessary resources:
Check the deployment progress:
After Central is running, find the RHACS portal IP address and open it in your browser. Depending on the exposure method you selected when answering the prompts, use one of the following methods to get the IP address.
Exposure method | Command | Address | Example |
---|---|---|---|
Route | | The address under the | |
Node Port | | IP or hostname of any node, on the port shown for the service | |
Load Balancer | | EXTERNAL-IP or hostname shown for the service, on port 443 | |
None | | | |
If you selected an autogenerated password during the interactive install, you can run the following command to see it for logging in to Central:
You can restore your Central deployment to its original configuration by using the RHACS Operator.
To successfully restore, you need the backup of your Central custom resource, central-tls, and the administrator password.
You must have the central-tls backup file.
You must have the Central custom resource backup file.
You must have the administrator password backup file.
Use the central-tls backup file to create resources:
$ oc apply -f central-tls.json
Use the central-htpasswd backup file to create secrets:
$ oc apply -f central-htpasswd.json
Use the central-cr.yaml file to create the Central deployment:
$ oc apply -f central-cr.yaml
You can restore your Central deployment to its original configuration by using Helm.
To successfully restore, you need the backup of your Central custom resource, the central-tls secret, and the administrator password.
You must have the Helm values backup file.
You must have a Red Hat Advanced Cluster Security for Kubernetes backup file.
You must have installed the roxctl CLI.
Generate values-private.yaml from the RHACS database backup file:
$ roxctl central generate k8s pvc --backup-bundle <path-to-backup-file> --output-format "helm-values"
Run the helm install command and specify your backup files:
$ helm install -n stackrox --create-namespace stackrox-central-services rhacs/central-services -f central-values-backup.yaml -f central-bundle/values-private.yaml
You can use the backups of the RHACS Central database and the deployment to restore Central to another cluster or namespace.
The following list provides a high-level overview of installation steps:
Depending upon your installation method, you must first restore the Central deployment by following the instructions in the following topics:
Restore the Central database by following the instructions in the Restoring Central database by using the roxctl CLI topic.
If you have an external DNS entry pointing to your old RHACS Central instance, you must reconfigure it to point to the new RHACS Central instance that you create.