A security upgrade updates the container images and operating system-level packages of a StackGres cluster without changing the PostgreSQL major or minor version. This is distinct from a minor version upgrade, which changes the PostgreSQL version itself. Security upgrades address vulnerabilities in the base container images, libraries, and system packages. StackGres allows you to perform security upgrades declaratively through SGDbOps.
Since the SGCluster version is now updated on any restart, the `securityUpgrade` and `restart` SGDbOps operations are logically equivalent. You can also perform this operation without creating an SGDbOps by using the rollout functionality, which allows the operator to automatically roll out Pod updates based on the cluster's update strategy.
The security upgrade operation supports two methods:
| Method | Description |
|---|---|
| `InPlace` | Restarts each Pod in the existing cluster one at a time. Does not require additional resources but causes longer service disruption when only a single instance is present. |
| `ReducedImpact` | Creates a new updated replica before restarting existing Pods. Requires additional resources to spawn the temporary replica but minimizes downtime. Recommended for production environments. |
Perform a security upgrade using the reduced impact method:
```yaml
apiVersion: stackgres.io/v1
kind: SGDbOps
metadata:
  name: security-upgrade
spec:
  sgCluster: my-cluster
  op: securityUpgrade
  securityUpgrade:
    method: ReducedImpact
```
For non-production environments or when additional resources are not available:
```yaml
apiVersion: stackgres.io/v1
kind: SGDbOps
metadata:
  name: security-upgrade-inplace
spec:
  sgCluster: my-cluster
  op: securityUpgrade
  securityUpgrade:
    method: InPlace
```
For production environments with a single instance, the in-place method will cause service disruption for the duration of the Pod restart. Use `ReducedImpact` when possible.
After creating the SGDbOps resource, you can monitor the progress:
```bash
kubectl get sgdbops security-upgrade -w
```
The operation status is tracked in SGDbOps.status.conditions. When the operation completes successfully, the status will show Completed.
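
For a patching pipeline that must not record the upgrade as applied unless the operation really finished, the conditions can be checked in a script instead of watched by eye. The following is an added example, not part of the StackGres documentation: the function names, the 10-second poll interval and the `my-namespace` namespace are hypothetical, and the `Failed` condition type is an assumption (only `Completed` is named above).

```shell
#!/bin/sh
# Added example: gate a patching pipeline on the outcome of an SGDbOps.

# Classify an operation from "Type=Status" lines (one per entry of
# SGDbOps.status.conditions) read on stdin.
# Prints one of: completed | failed | pending
dbops_state() {
  state=pending
  while IFS='=' read -r ctype cstatus || [ -n "$ctype" ]; do
    [ "$cstatus" = "True" ] || continue
    case "$ctype" in
      Failed)    state=failed ;;   # assumed condition type; always wins
      Completed) [ "$state" = failed ] || state=completed ;;
    esac
  done
  echo "$state"
}

# Emit the conditions of SGDbOps $1 in namespace $2 as "Type=Status" lines.
dbops_conditions() {
  kubectl get sgdbops "$1" -n "$2" \
    -o jsonpath='{range .status.conditions[*]}{.type}={.status}{"\n"}{end}'
}

# Poll until the operation completes or fails, or until $3 seconds elapse.
# Returns 0 on completed, 1 on failed, 2 on timeout (fail closed).
wait_for_dbops() {
  name=$1 ns=${2:-default} timeout=${3:-1800} waited=0
  while [ "$waited" -lt "$timeout" ]; do
    case "$(dbops_conditions "$name" "$ns" | dbops_state)" in
      completed) echo "$name: Completed"; return 0 ;;
      failed)    echo "$name: Failed" >&2; return 1 ;;
    esac
    sleep 10
    waited=$((waited + 10))
  done
  echo "$name: not Completed after ${timeout}s" >&2
  return 2
}

# Usage (hypothetical namespace):
#   wait_for_dbops security-upgrade my-namespace 3600 || exit 1
```

A timeout is reported separately from a failure so that the pipeline can distinguish an operation that is still running from one that needs investigation; in both cases the upgrade is not treated as applied.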