Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

Setting a default enforcer version

About setting a default enforcer version on a namespace

When determining which version of the enforcer to install or upgrade to, Microsegmentation uses the following order of precedence.

  1. Version passed in apoctl install or upgrade commands

    • apoctl enforcer upgrade linux --migrate-version n.nnnn.n
    • apoctl enforcer install linux --enforcer-version n.nnnn.n
  2. Default enforcer version on the namespace

  3. Latest available enforcer version

By default, Microsegmentation installs or upgrades to the latest available enforcer version. A default enforcer version set on the namespace overrides this. The default enforcer version of a namespace can be further overridden by passing a different enforcer version to apoctl.

Setting a default enforcer version on a namespaces helps to ensure that all of the enforcers in the namespace are of the same version. While enforcers of different versions interoperate without issue, each update of the enforcer contains fixes at a minimum and potentially new features, as well. Keeping all of the enforcers at a specific version can help to ensure more predictability in behavior.

For example, if you have a Kubernetes or OpenShift cluster with node autoscaling enabled, you might end up with mixed enforcer versions. New nodes added automatically as part of the autoscaling feature would be the latest enforcer version, while existing nodes could have enforcers at a previous version.

Setting a default enforcer version on a namespace

NOTE

To complete the following procedure, you’ll need apoctl and jq.

  1. Obtain the URL of your Microsegmentation TUF repository and set it in a TUF_URL environment variable.

    TUF_URL=$(curl -sSL $MICROSEG_API/_meta/config | jq -r .tuf)
    
  2. Retrieve the semantic version numbers of the enforcers available in your TUF repository.

    curl -sSL $TUF_URL/targets.json | jq -r '.signed.targets | to_entries[] | select(.key|startswith("enforcerd/stable")) | .value.custom.version ' 
    
  3. After identifying the desired semantic version number of the enforcer, set it in an ENF_VER environment variable. Omit the prefatory v and just use the version number, as shown in the following example.

    export ENF_VER=1.1427.2
    
  4. Set a NAMESPACE environment variable containing the Microsegmentation namespace you wish to modify.

    export NAMESPACE=/803920923337065472/aws-dev-826088932159/k8s-cluster-01
    
  5. Retrieve the current default enforcer version set on the namespace.

    apoctl api get namespace $NAMESPACE -c defaultEnforcerVersion 
    

    TIP

    You can only modify a namespace from its parent.

  6. Set the default enforcer version on the namespace.

    apoctl api update namespace $NAMESPACE -k defaultEnforcerVersion $ENF_VER
    
  7. Confirm that the operation succeeded.

    apoctl api get namespace $NAMESPACE -c defaultEnforcerVersion