Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Upgrading by using the Operator

Upgrades through the Red Hat Advanced Cluster Security for Kubernetes (RHACS) Operator are performed automatically or manually, depending on the Update approval option you chose at installation.

If you installed RHACS using the Operator and selected Automatic in the Update approval field, RHACS is automatically updated when a new software version is released. If you selected Manual, you must approve subsequent Operator updates by using Operator Lifecycle Manager (OLM). For more information, see Manually approving a pending Operator update.

To roll back an Operator upgrade, you must perform the steps described in one of the following sections. You can roll back an Operator upgrade by using the CLI or the OpenShift Container Platform web console.

You can roll back the Operator version by using CLI commands.

Procedure

  1. Delete the OLM subscription by running the following command:

    • For OpenShift Container Platform, run the following command: 

      $ oc -n rhacs-operator delete subscription rhacs-operator
      Copy to Clipboard Toggle word wrap

    • For Kubernetes, run the following command: 

      $ kubectl -n rhacs-operator delete subscription rhacs-operator
      Copy to Clipboard Toggle word wrap

  2. Delete the cluster service version (CSV) by running the following command:

    • For OpenShift Container Platform, run the following command: 

      $ oc -n rhacs-operator delete csv -l operators.coreos.com/rhacs-operator.rhacs-operator
      Copy to Clipboard Toggle word wrap

    • For Kubernetes, run the following command: 

      $ kubectl -n rhacs-operator delete csv -l operators.coreos.com/rhacs-operator.rhacs-operator
      Copy to Clipboard Toggle word wrap

  3. Determine the previous version you want to roll back to by choosing one of the following options:

    • If the current Central instance is running, query the RHACS API to get the rollback version by running the following command: 

      $ curl -k -s -u <user>:<password> https://<central hostname>/v1/centralhealth/upgradestatus | jq -r .upgradeStatus.forceRollbackTo
      Copy to Clipboard Toggle word wrap

    • If the current Central instance is not running, perform the following steps:

      Note

      This procedure can only be used for RHACS release 3.74 and earlier when the rocksdb database is installed.

      1. Ensure the Central deployment is scaled down by running the following command:

        • For OpenShift Container Platform, run the following command: 

          $ oc scale -n <central namespace> –replicas=0 deploy/central
          Copy to Clipboard Toggle word wrap

        • For Kubernetes, run the following command: 

          $ kubectl scale -n <central namespace> –replicas=0 deploy/central
          Copy to Clipboard Toggle word wrap

      2. Save the following pod spec as a YAML file: 

        apiVersion: v1
kind: Pod
metadata:
  name: get-previous-db-version
spec:
  containers:
  - name: get-previous-db-version
    image: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<rollback version>
    command:
    - sh
    args:
    - '-c'
    - "cat /var/lib/stackrox/.previous/migration_version.yaml | grep '^image:' | cut -f 2 -d : | tr -d ' '"
    volumeMounts:
    - name: stackrox-db
      mountPath: /var/lib/stackrox
  volumes:
  - name: stackrox-db
    persistentVolumeClaim:
      claimName: stackrox-db
        Copy to Clipboard Toggle word wrap

      3. Create a pod in your Central namespace by running the following command using the YAML file that you saved:

        • For OpenShift Container Platform, run the following command: 

          $ oc create -n <central namespace> -f pod.yaml
          Copy to Clipboard Toggle word wrap

        • For Kubernetes, run the following command: 

          $ kubectl create -n <central namespace> -f pod.yaml
          Copy to Clipboard Toggle word wrap

      4. After pod creation is complete, get the version by running the following command:

        • For OpenShift Container Platform, run the following command: 

          $ oc logs -n <central namespace> get-previous-db-version
          Copy to Clipboard Toggle word wrap

        • For Kubernetes, run the following command: 

          $ kubectl logs -n <central namespace> get-previous-db-version
          Copy to Clipboard Toggle word wrap

  4. Edit the central-config.yaml ConfigMap to set the maintenance.forceRollBackVersion:<version> parameter by running the following command:

    • For OpenShift Container Platform, run the following command: 

      $ oc get configmap -n <central namespace> central-config -o yaml | sed -e "s/forceRollbackVersion: none/forceRollbackVersion: <version>/" | oc -n <central namespace> apply -f -
      Copy to Clipboard Toggle word wrap

    • For Kubernetes, run the following command: 

      $ kubectl get configmap -n <central namespace> central-config -o yaml | sed -e "s/forceRollbackVersion: none/forceRollbackVersion: <version>/" | kubectl -n <central namespace> apply -f -
      Copy to Clipboard Toggle word wrap

  5. Set the image for the Central deployment using the version string shown in Step 3 as the image tag. For example, run the following command:

    • For OpenShift Container Platform, run the following command: 

      $ oc set image -n <central namespace> deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<version>
      Copy to Clipboard Toggle word wrap

    • For Kubernetes, run the following command: 

      $ kubectl set image -n <central namespace> deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<version>
      Copy to Clipboard Toggle word wrap

Verification

  1. Ensure that the Central pod starts and has a ready status. If the pod crashes, check the logs to see if the backup was restored. A successful log message appears similar to the following example: 

    Clone to Migrate ".previous", ""
    Copy to Clipboard Toggle word wrap
  2. Reinstall the Operator on the rolled back channel. For example, 3.71.3 is installed on the rhacs-3.71 channel.

You can roll back the Operator version by using the OpenShift Container Platform web console.

Prerequisites

  • You have access to an OpenShift Container Platform cluster web console using an account with cluster-admin permissions.

Procedure

  1. Navigate to the Operators Installed Operators page.
  2. Locate the RHACS Operator and click on it.
  3. On the Operator Details page, select Uninstall Operator from the Actions list. Following this action, the Operator stops running and no longer receives updates.

  4. Determine the previous version you want to roll back to by choosing one of the following options:

    • If the current Central instance is running, you can query the RHACS API to get the rollback version by running the following command from a terminal window: 

      $ curl -k -s -u <user>:<password> https://<central hostname>/v1/centralhealth/upgradestatus | jq -r .upgradeStatus.forceRollbackTo
      Copy to Clipboard Toggle word wrap

    • You can create a pod and extract the previous version by performing the following steps:

      Note

      This procedure can only be used for RHACS release 3.74 and earlier when the rocksdb database is installed.

      1. Navigate to Workloads Deployments central.
      2. Under Deployment details, click the down arrow next to the pod count to scale down the pod.

      3. Navigate to Workloads Pods Create Pod and paste the contents of the pod spec as shown in the following example into the editor: 

        apiVersion: v1
kind: Pod
metadata:
  name: get-previous-db-version
spec:
  containers:
  - name: get-previous-db-version
    image: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<rollback version>
    command:
    - sh
    args:
    - '-c'
    - "cat /var/lib/stackrox/.previous/migration_version.yaml | grep '^image:' | cut -f 2 -d : | tr -d ' '"
    volumeMounts:
    - name: stackrox-db
      mountPath: /var/lib/stackrox
  volumes:
  - name: stackrox-db
    persistentVolumeClaim:
      claimName: stackrox-db
        Copy to Clipboard Toggle word wrap
      4. Click Create.
      5. After the pod is created, click the Logs tab to get the version string.

  5. Update the rollback configuration by performing the following steps:

    1. Navigate to Workloads ConfigMaps central-config and select Edit ConfigMap from the Actions list.
    2. Find the forceRollbackVersion line in the value of the central-config.yaml key.
    3. Replace none with 3.73.3, and then save the file.

  6. Update Central to the earlier version by performing the following steps:

    1. Navigate to Workloads Deployments central and select Edit Deployment from the Actions list.
    2. Update the image name, and then save the changes.

Verification

  1. Ensure that the Central pod starts and has a ready status. If the pod crashes, check the logs to see if the backup was restored. A successful log message appears similar to the following example: 

    Clone to Migrate ".previous", ""
    Copy to Clipboard Toggle word wrap
  2. Reinstall the Operator on the rolled back channel. For example, 3.71.3 is installed on the rhacs-3.71 channel.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat