Starting with FTM 3.2.13.0 iFix4, 4.0.6.0 iFix5, & 4.0.7.0 the kube-rbac-proxy has been decoupled within the new Go-based FTM OpenShift Operator to facilitate upgrades independent of an FTM release. This means FTM customers can accept out-of-band security updates for the kube-rbac-proxy image without needing to upgrade to a newer version of FTM.
Date: June 3, 2025
Product: IBM Financial Transaction Manager (FTM):
- V4.0.7.0 for Red Hat OpenShift across all offerings
- V4.0.6.0 iFix5 for Red Hat OpenShift, across all offerings
- V3.2.13.0 iFix4 for Multiplatform, across all offerings
Version/Patch: 4.0.7.0 / V4.0.6.0 iFix5 / V3.2.13.0 iFix4
Details
The FTM Operator requires image SHA values for all images, including the kube-rbac-proxy. Follow these steps to update the SHA value of the kube-rbac-proxy image with the newer image SHA value made available by a support notification.
An example of a kube-rbac-proxy image SHA value:
sha256:bb84ead437042603254efcb703442be8500a9450b10bbcaaee81b48a6ed869ea
Note: Use the specific SHA value provided to you in the notification of a newer version of the kube-rbac-proxy.
Instructions to upgrade or downgrade the kube-rbac-proxy:
1. Ensure you have admin access to the cluster
2. In the OpenShift console, browse to Operators -> Installed Operators
3. Search for IBM Financial Transaction Manager Controller
4. Click the name of the instance to modify. Take note of the namespace and managed namespaces to ensure you’re modifying the correct instance
5. Click on the YAML tab
6. Search for ose-kube-rbac-proxy
7. Record the current SHA value.
There are two ways to update the SHA value:
8.1 Update the SHA for both instances using the new value provided. One instance will be at path spec.relatedImages and the other at spec.install.spec.deployments.spec.template.spec.containers.image
OR
8.2 Update the SHA for both instances by running the command below.
- In the command, change icr.io/cpopen/ibm-ftm/openshift4/ose-kube-rbac-proxy@sha256:<sha_value> to be the new value for the kube-rbac-proxy image.
- Ensure that the CSV name matches the version of the FTM operator you have installed. For example, the below command uses ibm-ftm-operator.v4.6.0 which is the operator name for the FTM 4.0.7 release.
oc get csv ibm-ftm-operator.v4.6.0 -o json | jq --arg kubeProxyName "kube-rbac-proxy" --arg kubeProxyImage "icr.io/cpopen/ibm-ftm/openshift4/ose-kube-rbac-proxy@sha256:<sha_value>" 'del(.metadata.annotations."kubectl.kubernetes.io/last-applied-configuration") | ( (.spec.relatedImages[] | select(.name == $kubeProxyName) ).image = $kubeProxyImage) | ( .spec.install.spec.deployments[0].spec.template.spec.containers[] | select(.name == $kubeProxyName) ).image = $kubeProxyImage' | oc replace -f -
9. Save the changes
10. The ibm-ftm-operator-controller-manager POD will automatically restart
11. Browse to Workload -> PODs, search for ibm-ftm-operator-controller-manager, click on the POD, browse to the YAML tab, and verify the ose-kube-rbac-proxy image SHA
Optional: You can also verify the update using the OpenShift console. After logging in to the OpenShift console, run the following command:
For Linux/MacOS:
oc get pods --all-namespaces -o jsonpath='{range .items[*]}{@.metadata.namespace}{" "}{@.metadata.name}{" "}{range @.status.containerStatuses[*]}{@.image}{"\n"}{end}{end}' | grep '<sha_value>'
Replace <sha_value> with the SHA value you specified in the YAML. For example:
oc get pods --all-namespaces -o jsonpath='{range .items[*]}{@.metadata.namespace}{" "}{@.metadata.name}{" "}{range @.status.containerStatuses[*]}{@.image}{"\n"}{end}{end}' | grep 'sha256:bb84ead437042603254efcb703442be8500a9450b10bbcaaee81b48a6ed869ea'
Windows:
oc get pods --all-namespaces -o jsonpath="{range .items[*]}{@.metadata.namespace}{' '}{@.metadata.name}{' '}{range @.status.containerStatuses[*]}{@.image}{'\n'}{end}{end}" | findstr "<sha_value>"
Replace <sha_value> with the sha value specified in the YAML.
Expected result: If a matching container is deployed, the results will be displayed, resembling the following example:
your-namespace your-app-name-operator-controller-manager-864c68ccd5-wr862 icr.io/cpopen/ibm-ftm/openshift4/ose-kube-rbac-proxy@sha256:bb84ead437042603254efcb703442be8500a9450b10bbcaaee81b48a6ed869ea
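The verification command above lists only pods that already run the new digest. The following added example (not part of the original IBM page) reads the same listing without the grep/findstr filter and reports ose-kube-rbac-proxy containers still on a different digest. The function names, namespaces, pod names, the example.invalid image and the stale digest are constructed for illustration.

```sh
#!/bin/sh
# Added example, not IBM's code. The expected digest is the page's example value;
# everything in sample_listing is constructed sample data.
EXPECTED='sha256:bb84ead437042603254efcb703442be8500a9450b10bbcaaee81b48a6ed869ea'

# True only for "sha256:" followed by exactly 64 lowercase hex characters.
valid_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# stdin: output of the verification command, without the grep/findstr filter.
# Prints "namespace pod image" for every ose-kube-rbac-proxy container whose
# digest differs from $1. Empty output means no stale proxy was found.
stale_proxies() {
  want="$1"
  valid_digest "$want" || { echo "malformed digest: $want" >&2; return 2; }
  awk -v want="$want" '
    NF == 0 || NF % 2 == 0 { next }          # line carries no image
    NF >= 3 { ns = $(NF-2); pod = $(NF-1) }  # earlier pairs are pods with no container status yet
    { img = $NF }                            # NF == 1: another container of the previous pod
    index(img, "/ose-kube-rbac-proxy@") {
      split(img, part, "@")
      if (part[2] != want) print ns, pod, img
    }'
}

# Constructed listing in the jsonpath output format: the first container of a pod
# shares a line with namespace and pod name, later containers get a line each.
sample_listing() {
  cat <<'EOF'
ftm-a ibm-ftm-operator-controller-manager-aaa icr.io/cpopen/ibm-ftm/openshift4/ose-kube-rbac-proxy@sha256:bb84ead437042603254efcb703442be8500a9450b10bbcaaee81b48a6ed869ea
example.invalid/manager:1
ftm-c pending-pod ftm-b ibm-ftm-operator-controller-manager-bbb example.invalid/manager:1
icr.io/cpopen/ibm-ftm/openshift4/ose-kube-rbac-proxy@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
EOF
}

sample_listing | stale_proxies "$EXPECTED"
```

On a live cluster, pipe the output of the oc get pods command into stale_proxies with the digest from the support notification as its argument.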
Document Information
Modified date: 13 June 2025
UID: ibm17235417