$ oc -n rhacs-operator delete subscription rhacs-operator
Red Hat provides regular service updates for the components that it manages, including Central services. These service updates include upgrades to new versions of Red Hat Advanced Cluster Security Cloud Service.
You must regularly upgrade the version of RHACS on your secured clusters to ensure compatibility with RHACS Cloud Service.
Before you upgrade the Red Hat Advanced Cluster Security for Kubernetes (RHACS) version, complete the following steps:
If the cluster you are upgrading contains the SecuredCluster
custom resource (CR), change the collection method to CORE_BPF
. For more information, see "Changing the collection method".
If the cluster that you are upgrading contains the SecuredCluster
CR, you must ensure that the per node collection setting is set to CORE_BPF
before you upgrade.
In the OpenShift Container Platform web console, go to the RHACS Operator page.
In the top navigation menu, select Secured Cluster.
Click the instance name, for example, stackrox-secured-cluster-services.
Use one of the following methods to change the setting:
In the Form view, under Per Node Settings → Collector Settings → Collection, select CORE_BPF.
Click YAML to open the YAML editor and locate the spec.perNode.collector.collection
attribute. If the value is KernelModule
or EBPF
, then change it to CORE_BPF
.
Click Save.
To roll back an Operator upgrade, you can use either the CLI or the OpenShift Container Platform web console.
On secured clusters, rolling back Operator upgrades is needed only in rare cases, for example, if an issue exists with the secured cluster. |
You can roll back the Operator version by using CLI commands.
Delete the OLM subscription by running the following command:
For OpenShift Container Platform, run the following command:
$ oc -n rhacs-operator delete subscription rhacs-operator
For Kubernetes, run the following command:
$ kubectl -n rhacs-operator delete subscription rhacs-operator
Delete the cluster service version (CSV) by running the following command:
For OpenShift Container Platform, run the following command:
$ oc -n rhacs-operator delete csv -l operators.coreos.com/rhacs-operator.rhacs-operator
For Kubernetes, run the following command:
$ kubectl -n rhacs-operator delete csv -l operators.coreos.com/rhacs-operator.rhacs-operator
Install the latest version of the Operator on the rolled back channel.
You can roll back the Operator version by using the OpenShift Container Platform web console.
You have access to an OpenShift Container Platform cluster web console using an account with cluster-admin
permissions.
Go to the Operators → Installed Operators page.
Click the RHACS Operator.
On the Operator Details page, select Uninstall Operator from the Actions list. Following this action, the Operator stops running and no longer receives updates.
Install the latest version of the Operator on the rolled back channel.
Follow these instructions to investigate and resolve upgrade-related issues for the RHACS Operator.
When RHACS Operator has the following conditions, you must check the custom resource conditions to find the issue:
If the Operator fails to deploy Secured Cluster
If the Operator fails to apply CR changes to actual resources
For Secured clusters, run the following command to check the conditions:
$ oc -n rhacs-operator describe securedclusters.platform.stackrox.io (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |
You can identify configuration errors from the conditions output:
Conditions:
Last Transition Time: 2023-04-19T10:49:57Z
Status: False
Type: Deployed
Last Transition Time: 2023-04-19T10:49:57Z
Status: True
Type: Initialized
Last Transition Time: 2023-04-19T10:59:10Z
Message: Deployment.apps "central" is invalid: spec.template.spec.containers[0].resources.requests: Invalid value: "50": must be less than or equal to cpu limit
Reason: ReconcileError
Status: True
Type: Irreconcilable
Last Transition Time: 2023-04-19T10:49:57Z
Message: No proxy configuration is desired
Reason: NoProxyConfig
Status: False
Type: ProxyConfigFailed
Last Transition Time: 2023-04-19T10:49:57Z
Message: Deployment.apps "central" is invalid: spec.template.spec.containers[0].resources.requests: Invalid value: "50": must be less than or equal to cpu limit
Reason: InstallError
Status: True
Type: ReleaseFailed
Additionally, you can view RHACS pod logs to find more information about the issue. Run the following command to view the logs:
oc -n rhacs-operator logs deploy/rhacs-operator-controller-manager manager (1)
1 | If you use Kubernetes, enter kubectl instead of oc . |