Soon, all Red Hat OpenShift documentation will only be available on docs.redhat.com, the official location of all Red Hat product documentation. Get familiar with the updated experience today!
  1. Documentation
    2. history
×

Red Hat Advanced Cluster Security for Kubernetes 3.67

Red Hat Advanced Cluster Security for Kubernetes (RHACS) 3.67 includes feature enhancements, bug fixes, scale improvements, and other changes.

New features

Released in version 3.67.2

Release date: December 16, 2021

Log4Shell policy

Red Hat Advanced Cluster Security for Kubernetes 3.67.2 includes a new policy named Log4Shell: CVE-2021-44228 - log4j Remote Code Execution vulnerability. This policy creates alerts for deployments that have images containing the Log4Shell vulnerability (CVE-2021-44228).

Released in version 3.67.0

Release date: December 1, 2021

OpenShift Dedicated support

Red Hat Advanced Cluster Security for Kubernetes 3.67 is thoroughly tested and supported on OpenShift Dedicated on Amazon Web Services and Google Cloud Platform.

Use OpenShift Container Platform OAuth server as an identity provider

If you are using Red Hat Advanced Cluster Security for Kubernetes with OpenShift Container Platform, you can now configure the built-in OpenShift Container Platform OAuth server as an identity provider for Red Hat Advanced Cluster Security for Kubernetes. For more details, see Configuring OpenShift Container Platform Oauth server as an identity provider in Red Hat Advanced Cluster Security for Kubernetes.

Enhancements for CI outputs

Red Hat has improved the usability of Red Hat Advanced Cluster Security for Kubernetes CI integrations. CI outputs now show additional detailed information about the vulnerabilities and the security policies responsible for broken builds.

Runtime Class policy criteria

Users can now use RHACS to define the container runtime configuration. This configuration can be used to run a pod’s containers using the Runtime Class policy criteria.

Important bug fixes

  • ROX-7815: Previously, when using RHACS with the Compliance Operator integration, RHACS did not respect or populate Compliance Operator TailoredProfiles. This issue has been fixed.

  • ROX-7254: Previously, the Alpine Linux package manager (APK) in Image policy looked for the presence of apk package in the image rather than the apk-tools package. This issue has been fixed.

Resolved in version 3.67.1

Release date: December 6, 2021

  • ROX-8698: In RHACS 3.67.0, the TLS verification would fail when you integrated RHACS with OpenShift Container Platform OAuth server for OpenShift Container Platform 4.8 and later. This issue has been fixed.

Resolved in version 3.67.2

Release date: December 16, 2021

  • ROX-8773: Before this update, when integrating with Microsoft Teams, the RHACS user interface field validation did not pass certain Microsoft Teams webhook addresses. This issue has been fixed.

  • ROX-8736: In RHACS 3.67.0, the roxctl image check command would retry on policy failures that broke builds. This issue has been fixed.

  • ROX-8702: In RHACS 3.67.0, when using OpenShift OAuth, the user name is incorrectly listed as the User email, if an email address is unavailable. This issue has been fixed.

Important system changes

  • Scanner now identifies vulnerabilities in Ubuntu 21.10 images.

  • The Port exposure method policy criteria now include route as an exposure method.

  • The OpenShift: Kubeadmin Secret Accessed security policy now allows the OpenShift Compliance Operator to check for the existence of the Kubeadmin secret without creating a violation.

  • The OpenShift Compliance Operator integration now supports using TailoredProfiles.

  • The Red Hat Advanced Cluster Security for Kubernetes Jenkins plugin now provides additional security information.

  • When you enable the environment variable ROX_NETWORK_ACCESS_LOG for Central, the logs contain the Request URI and X-Forwarded-For header values.

    Red Hat recommends that you only use the ROX_NETWORK_ACCESS_LOG environment variable for debugging network connectivity issues.

  • The default uid:gid pair for the Scanner image is now 65534:65534. Red Hat Advanced Cluster Security for Kubernetes adds a new default Scope Manager role that includes minimum permissions to create and modify access scopes. For more information, see the System roles topic.

  • If microdnf is part of an image or shows up in process execution, Red Hat Advanced Cluster Security for Kubernetes reports it as a security violation for the Red Hat Package Manager in Image or the Red Hat Package Manager Execution security policies.

  • In addition to manually uploading vulnerability definitions in offline mode, you can now upload definitions in online mode. Red Hat Advanced Cluster Security for Kubernetes always uses the most recent vulnerability definitions.

    Red Hat Advanced Cluster Security for Kubernetes ignores Kubernetes and Istio vulnerability definitions when you manually upload the vulnerability definitions in online mode.

  • You can now format the output of the following roxctl CLI commands in table, csv, or JSON format:

    • image scan

    • image check

    • deployment check

  • You can now use a regular expression for the deployment name while specifying policy exclusions.

Image versions

Image Description Current version

Main

Includes Central, Sensor, Admission Controller, and Compliance. Also includes roxctl for use in continuous integration (CI) systems.

registry.redhat.io/rh-acs/main:3.67.2

Scanner

Scans images and nodes.

registry.redhat.io/rh-acs/scanner:2.21.3

Scanner DB

Stores image scan results and vulnerability definitions.

registry.redhat.io/rh-acs/scanner-db:2.21.3

Collector

Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.

registry.redhat.io/rh-acs/collector:3.5.0-latest