$ oc -n rhacs-operator delete subscription rhacs-operator
Upgrades through the Red Hat Advanced Cluster Security for Kubernetes (RHACS) Operator are performed automatically or manually, depending on the Update approval option you chose at installation.
If you installed RHACS using the Operator and selected Automatic in the Update approval field, RHACS is automatically updated when a new software version is released. If you selected Manual, you must approve subsequent Operator updates by using Operator Lifecycle Manager (OLM). For more information, see Manually approving a pending Operator update.
To roll back an Operator upgrade, you must perform the steps described in one of the following sections. You can roll back an Operator upgrade by using the CLI or the OpenShift Container Platform web console.
You can roll back the Operator version by using CLI commands.
Delete the OLM subscription by running the following command:
For OpenShift Container Platform, run the following command:
$ oc -n rhacs-operator delete subscription rhacs-operator
For Kubernetes, run the following command:
$ kubectl -n rhacs-operator delete subscription rhacs-operator
Delete the cluster service version (CSV) by running the following command:
For OpenShift Container Platform, run the following command:
$ oc -n rhacs-operator delete csv -l operators.coreos.com/rhacs-operator.rhacs-operator
For Kubernetes, run the following command:
$ kubectl -n rhacs-operator delete csv -l operators.coreos.com/rhacs-operator.rhacs-operator
Determine the previous version you want to roll back to by choosing one of the following options:
If the current Central instance is running, query the RHACS API to get the rollback version by running the following command:
$ curl -k -s -u <user>:<password> https://<central hostname>/v1/centralhealth/upgradestatus | jq -r .upgradeStatus.forceRollbackTo
If the current Central instance is not running, perform the following steps:
This procedure can only be used for RHACS release 3.74 and earlier when the |
Ensure the Central deployment is scaled down by running the following command:
For OpenShift Container Platform, run the following command:
$ oc scale -n <central namespace> –replicas=0 deploy/central
For Kubernetes, run the following command:
$ kubectl scale -n <central namespace> –replicas=0 deploy/central
Save the following pod spec as a YAML file:
apiVersion: v1
kind: Pod
metadata:
name: get-previous-db-version
spec:
containers:
- name: get-previous-db-version
image: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<rollback version>
command:
- sh
args:
- '-c'
- "cat /var/lib/stackrox/.previous/migration_version.yaml | grep '^image:' | cut -f 2 -d : | tr -d ' '"
volumeMounts:
- name: stackrox-db
mountPath: /var/lib/stackrox
volumes:
- name: stackrox-db
persistentVolumeClaim:
claimName: stackrox-db
Create a pod in your Central namespace by running the following command using the YAML file that you saved:
For OpenShift Container Platform, run the following command:
$ oc create -n <central namespace> -f pod.yaml
For Kubernetes, run the following command:
$ kubectl create -n <central namespace> -f pod.yaml
After pod creation is complete, get the version by running the following command:
For OpenShift Container Platform, run the following command:
$ oc logs -n <central namespace> get-previous-db-version
For Kubernetes, run the following command:
$ kubectl logs -n <central namespace> get-previous-db-version
Edit the central-config.yaml
ConfigMap
to set the maintenance.forceRollBackVersion:<version>
parameter by running the following command:
For OpenShift Container Platform, run the following command:
$ oc get configmap -n <central namespace> central-config -o yaml | sed -e "s/forceRollbackVersion: none/forceRollbackVersion: <version>/" | oc -n <central namespace> apply -f -
For Kubernetes, run the following command:
$ kubectl get configmap -n <central namespace> central-config -o yaml | sed -e "s/forceRollbackVersion: none/forceRollbackVersion: <version>/" | kubectl -n <central namespace> apply -f -
Set the image for the Central deployment using the version string shown in Step 3 as the image tag. For example, run the following command:
For OpenShift Container Platform, run the following command:
$ oc set image -n <central namespace> deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<version>
For Kubernetes, run the following command:
$ kubectl set image -n <central namespace> deploy/central central=registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<version>
Ensure that the Central pod starts and has a ready
status. If the pod crashes, check the logs to see if the backup was restored. A successful log message appears similar to the following example:
Clone to Migrate ".previous", ""
Reinstall the Operator on the rolled back channel. For example, 3.71.3
is installed on the rhacs-3.71
channel.
You can roll back the Operator version by using the OpenShift Container Platform web console.
You have access to an OpenShift Container Platform cluster web console using an account with cluster-admin
permissions.
Navigate to the Operators → Installed Operators page.
Locate the RHACS Operator and click on it.
On the Operator Details page, select Uninstall Operator from the Actions list. Following this action, the Operator stops running and no longer receives updates.
Determine the previous version you want to roll back to by choosing one of the following options:
If the current Central instance is running, you can query the RHACS API to get the rollback version by running the following command from a terminal window:
$ curl -k -s -u <user>:<password> https://<central hostname>/v1/centralhealth/upgradestatus | jq -r .upgradeStatus.forceRollbackTo
You can create a pod and extract the previous version by performing the following steps:
This procedure can only be used for RHACS release 3.74 and earlier when the |
Navigate to Workloads → deployments → central.
Under deployment details, click the down arrow next to the pod count to scale down the pod.
Navigate to Workloads → Pods → Create Pod and paste the contents of the pod spec as shown in the following example into the editor:
apiVersion: v1
kind: Pod
metadata:
name: get-previous-db-version
spec:
containers:
- name: get-previous-db-version
image: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:<rollback version>
command:
- sh
args:
- '-c'
- "cat /var/lib/stackrox/.previous/migration_version.yaml | grep '^image:' | cut -f 2 -d : | tr -d ' '"
volumeMounts:
- name: stackrox-db
mountPath: /var/lib/stackrox
volumes:
- name: stackrox-db
persistentVolumeClaim:
claimName: stackrox-db
Click Create.
After the pod is created, click the Logs tab to get the version string.
Update the rollback configuration by performing the following steps:
Navigate to Workloads → ConfigMaps → central-config and select Edit ConfigMap from the Actions list.
Find the forceRollbackVersion
line in the value of the central-config.yaml
key.
Replace none
with 3.73.3
, and then save the file.
Update Central to the earlier version by performing the following steps:
Navigate to Workloads → deployments → central and select Edit deployment from the Actions list.
Update the image name, and then save the changes.
Ensure that the Central pod starts and has a ready
status. If the pod crashes, check the logs to see if the backup was restored. A successful log message appears similar to the following example:
Clone to Migrate ".previous", ""
Reinstall the Operator on the rolled back channel. For example, 3.71.3
is installed on the rhacs-3.71
channel.