# Updating the Container Image

Update the AI Runtime Security container image deployed to Kubernetes when a new version is released.

## Overview

The container image is hosted on `images.hiddenlayer.ai` and referenced in the deployment manifest:

```yaml
image: images.hiddenlayer.ai/proxy/aidr-genai/ghcr.io/hiddenlayer-engineering/distro-enterprise-aidr-genai:<tag>
```

> **Avoid the latest tag**
>
> Do not use the `:latest` tag in production. Kubernetes will not detect a change if the tag stays the same, so new images won't be pulled automatically. Use explicit version tags (e.g., `26.1.0`) to ensure updates are applied reliably.

## Prerequisites

- `kubectl` configured with access to your cluster
- Access to `images.hiddenlayer.ai` with valid registry credentials, and an `imagePullSecret` configured in your cluster
- Your deployment name and namespace (referenced as `aidr-genai` and `$NAMESPACE` in the commands below)


## Release Workflow

### Step 1: Identify the new image tag

HiddenLayer publishes [release notes](https://docs.hiddenlayer.ai/docs/products/runtime/releasenotes) for each new version. When you receive a release notification, use the tag from the release notes in the steps below.

New releases are published to `images.hiddenlayer.ai`. Find the version you want to deploy:

```
images.hiddenlayer.ai/proxy/aidr-genai/ghcr.io/hiddenlayer-engineering/distro-enterprise-aidr-genai:$TAG
```

You do not need to pull the image locally, as Kubernetes pulls it directly from the registry during the rolling update.

### Step 2: Apply the update

You can update the image using either the manifest file or a direct `kubectl` patch.

**Update manifest (recommended)**

Edit the image tag in your deployment manifest:

```yaml
image: images.hiddenlayer.ai/proxy/aidr-genai/ghcr.io/hiddenlayer-engineering/distro-enterprise-aidr-genai:$TAG
```

Apply the updated manifest:

```bash
kubectl apply -f $MANIFEST_FILE.yaml
```

Kubernetes detects the tag change and triggers a rolling update automatically.

**Patch inline**

Update the image directly without editing the manifest file:

```bash
# "service" is the name of the container in the deployment's pod template
kubectl set image deployment/aidr-genai \
  service=images.hiddenlayer.ai/proxy/aidr-genai/ghcr.io/hiddenlayer-engineering/distro-enterprise-aidr-genai:$TAG \
  -n "$NAMESPACE"
```

### Step 3: Verify the rollout

Monitor the rolling update until it completes:

```bash
kubectl rollout status deployment/aidr-genai -n $NAMESPACE
```

When the rollout is complete, you will see:

```
deployment "aidr-genai" successfully rolled out
```

## Rolling Back

If the new image causes issues, roll back to the previous version:

```bash
kubectl rollout undo deployment/aidr-genai -n $NAMESPACE
```

To roll back to a specific revision:

```bash
kubectl rollout history deployment/aidr-genai -n $NAMESPACE
kubectl rollout undo deployment/aidr-genai --to-revision=$REVISION -n $NAMESPACE
```

> **Keep your manifest in sync**
>
> After rolling back, update the image tag in your deployment manifest to match the version now running in the cluster. If the manifest still references the newer tag, the next `kubectl apply` will re-deploy the broken version.

## Versioned vs. Latest Tags

|  | Versioned tag (`:26.1.0`) | `:latest` |
|  --- | --- | --- |
| Kubernetes detects change | ✅ Yes | ❌ No |
| Reliable rolling updates | ✅ Yes | ❌ No |
| Easy rollback | ✅ Yes | ❌ No |
| Recommended for production | ✅ Yes | ❌ No |
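
A pre-apply check for the tagging rule in the table above, written as an added example (it is not HiddenLayer's tooling): it scans a manifest for `image:` lines and flags any reference that is untagged or uses `:latest`. The function names and the sample manifest are constructed for illustration, and treating digest references (`@sha256:`) as pinned is an assumption that goes beyond what this page covers.

```shell
#!/usr/bin/env bash
# Added example: refuse to apply a manifest whose images are not version-pinned.

# Print the tag of an image reference, or nothing if it has none. Only a colon
# after the last "/" is a tag separator, so a registry port (host:5000/app)
# is not mistaken for a tag.
image_tag() {
  it_ref=${1%%@*}          # drop any @sha256:... digest suffix
  it_last=${it_ref##*/}    # final path component, e.g. "app:26.1.0"
  case $it_last in
    *:*) printf '%s\n' "${it_last##*:}" ;;
  esac
}

# Succeed if the reference has an explicit tag other than "latest".
# Assumption: a digest reference is immutable, so it is accepted as pinned too.
is_pinned() {
  case $1 in *@sha256:*) return 0 ;; esac
  ip_tag=$(image_tag "$1")
  [ -n "$ip_tag" ] && [ "$ip_tag" != "latest" ]
}

# Print every unpinned "image:" value in a manifest; return 1 if any exist.
check_manifest() {
  cm_rc=0
  cm_refs=$(sed -n 's/^[[:space:]-]*image:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tr -d "\"'")
  for cm_ref in $cm_refs; do
    if ! is_pinned "$cm_ref"; then
      printf 'unpinned image: %s\n' "$cm_ref"
      cm_rc=1
    fi
  done
  return "$cm_rc"
}

# Constructed sample manifest fragment (not a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
containers:
  - name: service
    image: images.hiddenlayer.ai/proxy/aidr-genai/ghcr.io/hiddenlayer-engineering/distro-enterprise-aidr-genai:latest
EOF
if check_manifest "$sample"; then
  echo "ok: safe to run kubectl apply"
else
  echo "blocked: pin an explicit version tag before applying"
fi
rm -f "$sample"
```

Run `check_manifest` on the manifest before `kubectl apply`, for example as a CI step, so a `:latest` reference fails the pipeline instead of silently skipping the rollout.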