Update vsatctl to upgrade security of existing VSatellite connections
Table of Contents
Update vsatctl to upgrade security of existing VSatellite connections
Updated 11 February 2025
VSatellite has been updated to improve security by enabling TLS certificate validation when k3s connects to the Venafi registry. Previously, k3s did not validate TLS certificates, which could allow insecure connections. This security update is automatically applied to new VSatellite installations, but if you have existing VSatellite servers, you must manually update them.
To upgrade a VSatellite server
- Download the latest version of vsatctl:curl -O https://dl.venafi.cloud/vsatctlMake the file executable and run the security update:chmod +x ./vsatctl && ./vsatctl update securityIf your registries.yaml file is in a non-default location, specify the path:sudo ./vsatctl update security --registries-file /path/to/registries.yaml
Important considerations
- If you have custom configurations in registries.yaml, they will be overwritten when you run the security update.To preserve custom configurations, back up the file before updating:cp /etc/rancher/k3s/registries.yaml /etc/rancher/k3s/registries.yaml.bakAfter updating, manually reapply your custom configurations.Alternatively, you can skip running the security update and manually edit the registries.yaml file:
- Open the file in a text editor:nano /etc/rancher/k3s/registries.yamlLocate the insecure_skip_verify setting and change it to false:mirrors: your-registry: endpoint: - "https://your-registry-url" tls: insecure_skip_verify: falseSave and exit the file.Restart k3s to apply the changes:sudo systemctl restart k3s
How will I know if my server needs this update?
If your vsatctl is older than version 2.0.32, you should apply this update as a best practice to align with the latest security standards.Where can I get support?
For additional guidance or troubleshooting, contact CyberArk support or visit our Customer Support site.
