Red Hat Advanced Cluster Security for Kubernetes (RHACS) 3.65 includes feature enhancements, bug fixes, scale improvements, and other changes.
Release date: September 6, 2021
You can now install Red Hat Advanced Cluster Security for Kubernetes on:
You can now configure the dynamic admission control settings in the Red Hat Advanced Cluster Security for Kubernetes Operator. It now includes the following new admission control settings:
admissionControl.bypass: Use this parameter to bypass the admission controller.
true to enable inline scanning of images that are not already scanned during a deployment’s admission review.
admissionControl.timeoutSeconds: Use this parameter to specify the maximum number of seconds Red Hat Advanced Cluster Security for Kubernetes should wait for an admission review before marking it as fail open.
See admission controller settings to view all available configuration options.
ROX-6988: Previously, Red Hat Advanced Cluster Security for Kubernetes did not delete the CVEs and did not update the advisory when some Red Hat packages transitioned from an unfixable to a fixable state.
ROX-7170: Previously, Red Hat Advanced Cluster Security for Kubernetes only collected the error logs in the diagnostic bundle if you have installed Red Hat Advanced Cluster Security for Kubernetes services in the
ROX-7861: Previously, Red Hat Advanced Cluster Security for Kubernetes compliance control NIST 800-190 Control 4.1.4 did not correctly detect policies used for secrets protection.
Release date: September 22, 2021
ROX-8008: Previously, you could not use URN-based IdP Issuers while configuring SAML identity providers. This has been fixed.
ROX-8033: Due to how Red Hat Advanced Cluster Security for Kubernetes previously addressed its internal service endpoints, OpenShift clusters with a proxy enabled failed to download the correct kernel probes.
ROX-8034: Previously, if you were using backported 5.11 kernels for Ubuntu 20.04, the Collector sometimes failed on upgrade due to a change in the Ubuntu kernel build.
Red Hat Advanced Cluster Security for Kubernetes 3.65 includes the updated host-pid policy, which adds an exception for the openshift-sdn namespace because the sdn deployment in the openshift-sdn namespace shares the host process namespace, and it resulted in an inaccurate violation.
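The following added example (not RHACS code and not part of the original release notes) shows the kind of check the host-pid policy describes: it flags workloads that set hostPID: true and records, rather than silently drops, hits in an excluded namespace. The manifests, function names, and the exclusion set are constructed for illustration.

```python
# Added example, not RHACS code. Manifests and helper names are constructed.

# Namespaces exempted from the check, mirroring the exception the updated
# host-pid policy adds for openshift-sdn.
EXCLUDED_NAMESPACES = {"openshift-sdn"}

# Kinds whose pod spec sits under spec.template.spec.
TEMPLATED_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}


def pod_spec(manifest):
    """Return the pod spec of a Pod or templated workload, or None."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") in TEMPLATED_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    return None


def host_pid_findings(manifests, excluded=EXCLUDED_NAMESPACES):
    """Split hostPID workloads into (violations, suppressed) name lists."""
    violations, suppressed = [], []
    for m in manifests:
        spec = pod_spec(m)
        if spec is None or spec.get("hostPID") is not True:
            continue
        meta = m.get("metadata") or {}
        ns = meta.get("namespace") or "default"
        target = suppressed if ns in excluded else violations
        target.append(f"{ns}/{meta.get('name', '?')}")
    return sorted(violations), sorted(suppressed)


def workload(kind, ns, name, host_pid=None):
    """Build a minimal constructed manifest for the sample run."""
    spec = {"containers": [{"name": "c", "image": "example.invalid/img:1"}]}
    if host_pid is not None:
        spec["hostPID"] = host_pid
    body = spec if kind == "Pod" else {"template": {"spec": spec}}
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, "spec": body}


SAMPLE = [  # constructed sample input
    workload("DaemonSet", "openshift-sdn", "sdn", True),
    workload("Deployment", "payments", "debug-tools", True),
    workload("Pod", "default", "node-shell", True),
    workload("Deployment", "payments", "api", False),
    workload("Deployment", "web", "frontend"),
]

if __name__ == "__main__":
    print(host_pid_findings(SAMPLE))
```

Returning the suppressed list alongside the violations keeps the exception auditable, so a new hostPID workload appearing in an excluded namespace is still visible in review.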
The alert notification titles for PagerDuty, Slack, Microsoft Teams, JIRA, and email notifiers now include the cluster and the policy names in addition to the deployment or image name if it exists.
The alert notification for PagerDuty now includes the full alert in the JSON format as a custom detail.
All default policy criteria for security policies are now read-only. However, you can still edit the policy criteria fields for the custom policies or policies you create by cloning a system policy.
In Red Hat Advanced Cluster Security for Kubernetes 3.66, Red Hat will deprecate the following default security policies:
DockerHub NGINX 1.10
Shellshock: Multiple CVEs
In Red Hat Advanced Cluster Security for Kubernetes 3.66, Red Hat will disable the following default security policy:
DOCKER CIS 4.4: Ensure images are scanned and rebuilt to include security patches
You can create custom policies to monitor for these violations.
Includes Central, Sensor, Admission Controller, and Compliance.
Scans images and nodes.
Stores image scan results and vulnerability definitions.
Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.