Red Hat Advanced Cluster Security for Kubernetes (RHACS) 3.66 includes feature enhancements, bug fixes, scale improvements, and other changes.

Release date: October 19, 2021

New features

Scan deployment configurations in your CI pipeline

You can now identify misconfigurations in your OpenShift Container Platform deployment configuration files by running the roxctl deployment check command in your CI pipeline.

Active component identification

Red Hat Advanced Cluster Security for Kubernetes now identifies if a component is in use by a process at runtime and then asserts that component as an active component.

New configuration settings for Operator and Helm charts

  • You can now configure tolerations for Central, Scanner, ScannerDB, Sensor, and Admission Controller in Red Hat Advanced Cluster Security for Kubernetes by using Helm charts and the RHACS Operator.

  • You can now disable the automatic administrator password generation for Central by specifying the adminPasswordGenerationDisabled as true in the RHACS Operator configuration.

Important bug fixes

  • ROX-7912: Previously, Red Hat Advanced Cluster Security for Kubernetes reported the CVE-2019-9893 as both fixable and not fixable. This has been fixed.

  • ROX-7414 and ROX-5180: Previously, sometimes Central and Sensor consumed all available memory, and their pods stopped with OOMKilled status. The high memory consumption was because of resource-intensive evaluation of roles, bindings, and service accounts. This issue has been fixed.

  • ROX-7978: Previously, Central crashed sometimes if you sent build-time notifications by using the Syslog protocol. This has been fixed.

  • ROX-8055: Previously, the downloading of runtime probes failed in IPV6 only environments. This has been fixed.

  • ROX-8093: Previously, the Red Hat Advanced Cluster Security for Kubernetes portal would sometimes show an error message under the MITRE ATT&CK section. This has been fixed.

Resolved in version 3.66.1

Release date: October 20, 2021

  • ROX-8281: Because of an issue in the cluster init bundle generation script, the downloaded cluster init bundles were base64 encoded rather than plain text. This issue has been fixed.

Important system changes

  • In Red Hat Advanced Cluster Security for Kubernetes 3.66, Red Hat has deprecated the following default security policies:

    • DockerHub NGINX 1.10

    • Shellshock: Multiple CVEs

    • Heartbleed: CVE-2014-0160

  • Red Hat has deprecated the Alpine-based images of Red Hat Advanced Cluster Security for Kubernetes. All images are now based on Red Hat Universal Base Image (UBI).

  • The admission controller settings for the RHACS Operator now listen to both update and create events by default.

  • You can no longer delete the default security policies on fresh installations of Red Hat Advanced Cluster Security for Kubernetes 3.65 or newer. However, if you upgrade from an older version to 3.65 or newer, you can still delete the default security policies.

  • In Red Hat Advanced Cluster Security for Kubernetes 3.66:

    • the Analyst permission set and role does not contain the DebugLogs permission.

    • the Mount Docker Socket policy is renamed to Mount Container Runtime Socket. This policy also detects if a deployment mounts the CRI-O socket for both Kubernetes and OpenShift Container Platform.

    • the Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches policy is disabled by default.

  • The roxctl CLI now supports command-line completion for bash, zsh, fish and PowerShell.

Image versions

Image Description Current version


Includes Central, Sensor, Admission Controller, and Compliance. Also includes roxctl for use in continuous integration (CI) systems.



Scans images and nodes.


Scanner DB

Stores image scan results and vulnerability definitions.



Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.