Approval strategy

The IBM Security QRadar® Suite Software operator can be upgraded seamlessly when new compatible versions are available. However, you can control whether an operator is upgraded seamlessly by configuring an approval strategy.

Two approval strategies are available:

  • Manual - When a new operator version is available on the subscription channel, the subscription indicates that an update is available, but you must approve the update manually. This option gives you more control over the upgrade procedure.
  • Automatic (default) - New operator versions are installed seamlessly when they are available on the subscription channel.

When you install the QRadar Suite Software operator, you can choose to install it with Manual approval. However, configuring any operator in the QRadar Suite Software namespace to use Manual approval means that all operators in the QRadar Suite Software namespace are treated as though they are set to Manual.

Modifying approval strategies on the Red Hat OpenShift CLI

Before you begin

  • The Red Hat OpenShift CLI client helps you develop, build, deploy, and run your applications on any Red Hat OpenShift or Kubernetes cluster. It also includes the administrative commands for managing a cluster under the adm subcommand.

    1. Download Red Hat OpenShift CLI 4.16 or 4.18 from https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.16/. The file to download is called openshift-client-<platform>-<version>.tar.gz.
    2. Extract the binary file that you downloaded by typing the following command, where <oc_cli_archive_file> is the name of the archive file that you downloaded.
      tar -xf <oc_cli_archive_file>
    3. Modify the permissions of the binary file by typing the following command, where <oc_cli_binary> is the name of the Red Hat OpenShift binary that you extracted from the archive.
      chmod 755 <oc_cli_binary>
    4. Move the binary file to the /usr/local/bin directory by typing the following command.
      mv <oc_cli_binary> /usr/local/bin/oc
      Tip: If this command returns a No such file or directory or Not a directory error message, create the /usr/local/bin directory by typing the following command.
      sudo mkdir /usr/local/bin
    5. Ensure that the Red Hat OpenShift CLI client is working by typing the following command.
      oc version
      Tip: MacOS users might see a message that this tool cannot be opened because it is from an unidentified developer. Close this message and go to System Preferences > Security & Privacy. On the General tab, click Open Anyway or Allow Anyway. Repeat the oc version command.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster by typing either of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <username> -p <password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Set the $CP4S_NAMESPACE environment variable by typing the following command, where <cp4s_namespace> is the namespace where you are installing QRadar Suite Software.
    Important: If you install QRadar Suite Software in the all namespace mode, set the <cp4s_namespace> value as openshift-operators.
    export CP4S_NAMESPACE=<cp4s_namespace>
  3. Set the $FS_NAMESPACE environment variable to your foundational services namespace by typing the following command. 
    export FS_NAMESPACE=$(oc get cm cp4s-config -o jsonpath="{.data.CSNamespace}" -n $CP4S_NAMESPACE)
  4. Modify the approval strategy in the QRadar Suite Software operator subscription by typing the following command, where <approval_strategy> is either Automatic or Manual. 
    for sub in $(oc get sub -n $CP4S_NAMESPACE -o name); do
  oc patch -n $CP4S_NAMESPACE $sub --type merge -p '{"spec":{"installPlanApproval": "'"<approval_strategy>"'"}}'
done
  5. Modify the approval strategy for the foundational services subscription in the foundational services namespace by typing the following command, where <approval_strategy> is either Automatic or Manual. 
    csns=$(oc get cm -n $CP4S_NAMESPACE cp4s-config -o jsonpath="{.data.CSNamespace}")
for sub in $(oc get sub -n $csns -o name); do
  oc patch -n $csns $sub --type merge -p '{"spec":{"installPlanApproval": "'"<approval_strategy>"'"}}'
done

Approving installation plans by using the Red Hat OpenShift CLI

Procedure

  1. Set the $CP4S_NAMESPACE environment variable by typing the following command, where <cp4s_namespace> is the namespace where you are installing QRadar Suite Software.
    Important: If you install QRadar Suite Software in the all namespace mode, set the <cp4s_namespace> value as openshift-operators.
    export CP4S_NAMESPACE=<cp4s_namespace>
  2. Set the $FS_NAMESPACE environment variable to your foundational services namespace by typing the following command. 
    export FS_NAMESPACE=$(oc get cm cp4s-config -o jsonpath="{.data.CSNamespace}" -n $CP4S_NAMESPACE)
  3. Query the installation plans in the namespaces. Unapproved plans show an approved status of false. The following examples show the commands and results for querying installation plans in the Red Hat OpenShift CLI.
    • QRadar Suite Software namespace
      oc get ip -n $CP4S_NAMESPACE
      NAME            CSV                                 APPROVAL    APPROVED
install-9kqw8   ibm-cloud-databases-redis.v1.6.11   Manual      false
install-mhdn7   ibm-cloud-databases-redis.v1.6.11   Manual      false
    • Foundational services namespace
      oc get ip -n $FS_NAMESPACE
      NAME            CSV                                       APPROVAL    APPROVED
install-4sfw9   ibm-ingress-nginx-operator.v1.20.9        Automatic   true
install-7vz5b   ibm-iam-operator.v3.23.10                 Automatic   false
  4. Approve all the installation plans in the namespace by running the following commands.
    • QRadar Suite Software namespace
      for ip in $(oc get installplan -oname -n $CP4S_NAMESPACE); do
oc patch $ip --type merge -p '{"spec":{"approved":true}}' -n $CP4S_NAMESPACE
done
    • Foundational services namespace
      csns=$(oc get cm -n $CP4S_NAMESPACE cp4s-config -o jsonpath="{.data.CSNamespace}")
for ip in $(oc get installplan -oname -n $csns); do
oc patch $ip --type merge -p '{"spec":{"approved":true}}' -n $csns
done

Results

To confirm that you approved the installation plans successfully, run the following commands:
oc get csv -n $CP4S_NAMESPACE
csns=$(oc get cm -n $CP4S_NAMESPACE cp4s-config -o jsonpath="{.data.CSNamespace}")
oc get csv -n $csns

Modifying approval strategies on the Red Hat OpenShift Console

About this task

The following steps apply to both the QRadar Suite Software namespace and the foundational services namespace.
Important: The procedure must be completed individually for each installation plan.

Procedure

  1. Login to your Red Hat OpenShift cluster.
  2. In the sidebar, click Search.
  3. Click the Project menu, and select the project where the QRadar Suite Software operators are installed.
  4. In the Resources filter menu, select the Subscription filter.
  5. Update the approval strategy for each subscription by completing the following steps:
    1. Select a subscription.
    2. Click Update approval.
    3. Choose the approval strategy that you want to use.
    4. Click Save.

Approving installation plans on the Red Hat OpenShift Console

About this task

The following steps apply to both the QRadar Suite Software namespace and the foundational services namespace.
Important: The procedure must be completed individually for each installation plan.

Procedure

  1. Login to your Red Hat OpenShift cluster.
  2. In the sidebar, click Search.
  3. Click the Project menu, and select the project where the QRadar Suite Software operators are installed.
  4. In the Resources filter menu, select the InstallPlan filter.
  5. If an InstallPlan has a RequiresApproval status, click the InstallPlan name.
  6. Click Preview InstallPlan, and click Approve after you review the install plan.

Results

After you complete the steps inModifying approval strategies on the Red Hat OpenShift Console and Approving installation plans on the Red Hat OpenShift Console, confirm the success by completing the following validation steps.
  1. Login to your Red Hat OpenShift cluster.
  2. In the sidebar, click Search.
  3. Click the Project menu, and select the project where the QRadar Suite Software operators are installed.
  4. In the Resources filter menu, select the Subscription filter.
  5. Click the subscription that you want to validate, and then check that the Installed version is correct.