$ sudo docker pull registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/defender:defender_<VERSION> $ sudo docker pull registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/console:console_<VERSION>
Download the latest Twistlock release to the host where you manage your cluster with oc.
If you customized twistlock.cfg, port those changes forward to twistlock.cfg in the latest release. Otherwise, proceed to the next step.
(Optional) If you’re storing Twistlock images in the cluster’s internal registry, pull the latest images from Twistlock’s cloud registry and push them there. Otherwise, proceed to the next step.
Pull the latest Twistlock images using URL auth.
$ sudo docker pull registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/defender:defender_<VERSION> $ sudo docker pull registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/console:console_<VERSION>
Retag the images so that they can be pushed to your
$ sudo docker tag \ registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/defender:defender_<VERSION> \ docker-registry.default.svc:5000/twistlock/private:defender_<VERSION> $ sudo docker tag \ registry-auth.twistlock.com/tw_<ACCESS_TOKEN>/twistlock/console:console_<VERSION> \ docker-registry.default.svc:5000/twistlock/private:console_<VERSION>
Push the Twistlock images to your cluster’s internal registry.
$ sudo docker push docker-registry.default.svc:5000/twistlock/private:defender_<VERSION> $ sudo docker push docker-registry.default.svc:5000/twistlock/private:console_<VERSION>
Generate new YAML configuration file for the latest version of Twistlock. Pass the same options to twistcli as you did in the original install. The following example command generates a YAML configuration file for the default basic install.
$ <PLATFORM>/twistcli console export openshift \ --persistent-volume-labels "app-volume=twistlock-console" \ --service-type "ClusterIP"
If you want to pull the image from the internal registry:
$ <PLATFORM>/twistcli console export openshift \ --persistent-volume-labels "app-volume=twistlock-console" \ --image-name "docker-registry.default.svc:5000/twistlock/private:console_<VERSION>" \ --service-type "ClusterIP"
For other command variations, see the OpenShift install guide.
If you’re upgrading from 19.03, then you must first delete the old ReplicationController. Starting with 19.07, Twistlock Console is managed by a Deployment controller.
This is a one time step only. After upgrading to 19.07, you no longer need to manually delete the ReplicationContoller when upgrading to newer versions of Twistlock.
$ oc delete rc twistlock-console -n twistlock
Update the Twistlock objects.
$ oc apply -f twistlock_console.yaml
You can now upgrade your Defender DaemonSet.
Delete the Defender DaemonSet, then rerun the original install procedure.
You know all the parameters passed to twistcli when you initially deployed the Defender DaemonSet. You’ll need them to recreate a working configuration file for your environment.
Delete the Defender DaemonSet.
$ oc -n twistlock delete ds twistlock-defender-ds
$ oc -n twistlock delete sa twistlock-service
$ oc -n twistlock delete secret twistlock-secrets
Determine the Console service’s external IP address.
$ oc get service -o wide -n twistlock
Generate a defender.yaml file. Pass the same options to twistcli as you did in the original install. The following example command generates a YAML configuration file for the default install.
The following command connects to Console’s API (specified in --address) as user <ADMIN> (specified in --user), and retrieves a Defender DaemonSet YAML config file according to the configuration options passed to twistcli. The --cluster_address option specifies the address Defender uses to connect to Console, and the value is encoded in the DaemonSet YAML file.
$ <PLATFORM>/twistcli defender export openshift \
--address https://yourconsole.example.com:8083 \
--user <ADMIN_USER> \
--cluster-address twistlock-console \
--selinux-enabled
<PLATFORM> can be linux or osx.
<ADMIN_USER> is the name of an admin user.
Deploy the Defender DaemonSet.
$ oc create -f defender.yaml
Open a browser, navigate to Console, then go to Manage > Defenders > Manage to see a list of deployed Defenders.
Upgrade the DaemonSet Defenders directly from the Console UI.
If you can’t access your cluster with oc, then you can upgrade Defender DaemonSets directly from the Console UI.
You’ve created a kubeconfig credential for your cluster so that Twistlock can access it to upgrade the Defender DaemonSet.
Log into Twistlock Console.
Go to Manage > Defenders > Manage.
Click DaemonSets.
For each cluster in the table, click Actions > Upgrade.
The table shows a count of deployed Defenders and their new version number.