Upgrade ThreatLockDown installed in Kubernetes

Checking which files are exported to the volume

The Kubernetes deployment uses the ThreatLockDown Docker images. The following list, extracted from the ThreatLockDown Docker configuration, shows which directories and files are exported to persistent volumes and are therefore preserved across the upgrade.

/var/ossec/api/configuration
/var/ossec/etc
/var/ossec/logs
/var/ossec/queue
/var/ossec/var/multigroups
/var/ossec/integrations
/var/ossec/active-response/bin
/var/ossec/agentless
/var/ossec/wodles
/etc/filebeat
/var/lib/filebeat
/usr/share/wazuh-dashboard/config/
/usr/share/wazuh-dashboard/certs/
/var/lib/wazuh-indexer
/usr/share/wazuh-indexer/certs/
/usr/share/wazuh-indexer/opensearch.yml
/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

Any modification to these files is also written to the associated volume. When the new pod is created, it mounts those files from the volume, so the previous changes are kept.

Configuring the upgrade

To upgrade to version 4.9, you can follow one of two strategies.

  • Using default manifests: This strategy uses the default manifests for ThreatLockDown 4.9. It replaces the wazuh-kubernetes manifests of your outdated ThreatLockDown version.

  • Keeping custom manifests: This strategy preserves the wazuh-kubernetes manifests of your outdated ThreatLockDown deployment. It ignores the manifests of the latest ThreatLockDown version.

Using default manifests

  1. Check out the tag for the current version of wazuh-kubernetes:

    # git checkout v4.9.0
    
  2. Apply the new configuration (see the section below).

Keeping custom manifests

In ThreatLockDown 4.4, some paths differ from those in earlier versions. If you are keeping your custom manifests, you have to replace the old paths with the new ones.

Old path -> new path

  • /usr/share/wazuh-dashboard/config/certs/ -> /usr/share/wazuh-dashboard/certs/

  • /usr/share/wazuh-indexer/config/certs/ -> /usr/share/wazuh-indexer/certs/

  • /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -> /usr/share/wazuh-indexer/opensearch-security/

To upgrade your deployment keeping your custom manifests, do the following.

  1. If you are upgrading from 4.3, edit the following files, replacing the old paths with the 4.4 paths and updating the image tags. The relevant lines of each file are shown below with their new values.

    • wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml

      image: 'wazuh/wazuh-dashboard:4.9.0'
      mountPath: /usr/share/wazuh-dashboard/certs/cert.pem
      mountPath: /usr/share/wazuh-dashboard/certs/key.pem
      mountPath: /usr/share/wazuh-dashboard/certs/root-ca.pem
      value: /usr/share/wazuh-dashboard/certs/cert.pem
      value: /usr/share/wazuh-dashboard/certs/key.pem
      
    • wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml

      server.ssl.key: "/usr/share/wazuh-dashboard/certs/key.pem"
      server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/cert.pem"
      opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
      
    • wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml

      image: 'wazuh/wazuh-indexer:4.9.0'
      mountPath: /usr/share/wazuh-indexer/certs/node-key.pem
      mountPath: /usr/share/wazuh-indexer/certs/node.pem
      mountPath: /usr/share/wazuh-indexer/certs/root-ca.pem
      mountPath: /usr/share/wazuh-indexer/certs/admin.pem
      mountPath: /usr/share/wazuh-indexer/certs/admin-key.pem
      mountPath: /usr/share/wazuh-indexer/opensearch.yml
      mountPath: /usr/share/wazuh-indexer/opensearch-security/internal_users.yml
      
    • wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml

      plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/node.pem
      plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/node-key.pem
      plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
      plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/node.pem
      plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/node-key.pem
      plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
      
    • wazuh/wazuh_managers/wazuh-master-sts.yaml

      image: 'wazuh/wazuh-manager:4.9.0'
      
    • wazuh/wazuh_managers/wazuh-worker-sts.yaml

      image: 'wazuh/wazuh-manager:4.9.0'
      
  2. Apply the new configuration (see the section below).
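Replacing the three pre-4.4 paths by hand across several manifest files is easy to get wrong, and a single stale certificate path leaves the indexer or dashboard unable to start after the pod is recreated. As an added example (not part of the wazuh-kubernetes project or of this guide), the POSIX shell functions below audit a manifest tree for the old paths listed above and rewrite them in place. The sample manifest tree they build is constructed for the demonstration only, and the image tags (4.9.0) are assumed to be updated separately:

```shell
#!/bin/sh
# Added example, not part of the wazuh-kubernetes project: audit a tree of
# custom manifests for pre-4.4 paths and rewrite them to the new locations.
# Assumes the manifests live under the directory passed as the first argument
# and that image tags are updated separately.

# Old path -> new path pairs, as listed in the upgrade guide (one pair per line).
OLD_NEW_PATHS='/usr/share/wazuh-dashboard/config/certs/ /usr/share/wazuh-dashboard/certs/
/usr/share/wazuh-indexer/config/certs/ /usr/share/wazuh-indexer/certs/
/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ /usr/share/wazuh-indexer/opensearch-security/'

# list_manifests DIR: print every *.yaml / *.yml file under DIR.
list_manifests() {
    find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \)
}

# find_old_paths DIR: print "file:line:content  (rewrite to NEW)" for every
# stale reference. Returns 0 when the tree is clean, 1 when something is stale,
# so it can gate a kubectl apply in a pipeline.
find_old_paths() {
    out=$(printf '%s\n' "$OLD_NEW_PATHS" | while read -r old new; do
        list_manifests "$1" | while IFS= read -r f; do
            grep -nHF "$old" "$f" | sed "s|\$|  (rewrite to $new)|"
        done
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# rewrite_old_paths DIR: replace every old path with its new one. Each file is
# rewritten through a temporary copy so a partially written file is never left
# behind; the result is a plain text substitution, so review it with git diff.
rewrite_old_paths() {
    list_manifests "$1" | while IFS= read -r f; do
        tmp="$f.upgrade.tmp"
        cp "$f" "$tmp"
        printf '%s\n' "$OLD_NEW_PATHS" | while read -r old new; do
            sed "s|$old|$new|g" "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
        done
        mv "$tmp" "$f"
    done
}

# make_sample_manifests: build a constructed sample tree (not real project
# files) holding one stale path per file plus one already-migrated path, and
# print its location.
make_sample_manifests() {
    d=$(mktemp -d)
    mkdir -p "$d/wazuh-dashboard" "$d/wazuh-indexer"
    cat > "$d/wazuh-dashboard/dashboard-deploy.yaml" <<'EOF'
          - name: dashboard-certs
            mountPath: /usr/share/wazuh-dashboard/config/certs/cert.pem
          - name: DASHBOARD_KEY
            value: /usr/share/wazuh-dashboard/certs/key.pem
EOF
    cat > "$d/wazuh-indexer/opensearch.yml" <<'EOF'
plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/node.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/node-key.pem
EOF
    printf '%s\n' "$d"
}

# Stand-alone demonstration: audit the constructed tree, rewrite it, audit again.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_manifests)
    find_old_paths "$demo" || true
    rewrite_old_paths "$demo"
    find_old_paths "$demo" && echo "clean after rewrite"
    rm -rf "$demo"
fi
```

Against a real checkout, `find_old_paths wazuh/` lists every stale reference with the path it should become and exits non-zero, which makes it usable as a pre-apply check; `rewrite_old_paths wazuh/` performs the substitution. Since the rewrite is textual, review the resulting diff before running `kubectl apply`, and remember that the `image:` tags still have to be bumped to 4.9.0 by hand.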

Apply the new configuration

The last step is to apply the new configuration:

  • EKS cluster

    $ kubectl apply -k envs/eks/
    
  • Other cluster types

    $ kubectl apply -k envs/local-env/
    
    Either command prints the objects it updated, for example:

    statefulset.apps "wazuh-manager-master" configured

This terminates the old pod and creates a new one running the new version, attached to the same volume. Once the pods have started, the upgrade is complete: you can verify the new ThreatLockDown version, the cluster status, and that the changes persisted through the volumes are still in place.