When researching how to do a CVE upgrade of 3Scale, for our hosted offering - RHMI (Integreatly), I found out that some deployments are not using ImageStreams. This makes CVE upgrade difficult because imagePullPolicy is set to "IfNotPresent", and floating tags are used. This means that once the image is present on each cluster node, new image won't be downloaded without some workaround (patching deployment to use new non-floating tag, e.g. memcache:1.4.15-89.1553103730).

If the all deployment configs will use ImageStreams, "CVE respin upgrade" will be much easier to execute for us(Integreatly) and for your onprem customers.

Deployment configs (and tags) in question:
system-mysql (rhscl/mysql-57-rhel7:5.7)
system-memcache (3scale-amp20/memcached:latest)
system-redis (rhscl/redis-32-rhel7:3.2)
backend-redis (rhscl/redis-32-rhel7:3.2)