
New features

Vulnerability triage workflows

Red Hat Advanced Cluster Security for Kubernetes 3.68 includes the ability to triage vulnerabilities in a variety of ways to support your vulnerability management process. See Managing vulnerabilities for more information.

Report scheduling for vulnerabilities

Red Hat Advanced Cluster Security for Kubernetes 3.68 includes the ability to schedule reports for vulnerabilities which helps you to send scheduled communications to key stakeholders to assist in the vulnerability management process. See Reporting vulnerabilities to teams for more information.

Use AWS AssumeRoles

AWS AssumeRoles allows you to define roles with specific permissions and then grant users access to those roles. With Red Hat Advanced Cluster Security for Kubernetes 3.68 you can use AssumeRoles when you integrate with Amazon ECR. For more details, see Using AssumeRole with Amazon ECR.

Enhancements for CI outputs

Red Hat has improved the usability of Red Hat Advanced Cluster Security for Kubernetes CI integrations. CI outputs now show additional detailed information about the vulnerabilities and the security policies responsible for broken builds. For more details, see Configuring output format.

Automount Service Account Token policy criteria

Kubernetes automatically provisions a service account during pod creation and mounts the account's secret token within the pod at runtime. Many containerized applications do not require direct access to the service account. If a threat actor compromises an application, they might obtain the account token to further compromise the cluster. Therefore, when an application does not need to access the service account directly, administrators must ensure that the pod specification disables the default behavior. You can now use the Automount Service Account Token policy criteria to find the pods that have the service account token mounted.
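The following added example (not code from the RHACS release notes or the product) shows the check behind this policy criterion: a pod's token is mounted unless the pod spec or its ServiceAccount sets automountServiceAccountToken to false, with the pod-level setting taking precedence. Pod and ServiceAccount objects are represented as already-parsed dictionaries, and the sample objects are constructed for illustration.

```python
from typing import Optional

# Kubernetes precedence rule: pod.spec.automountServiceAccountToken overrides
# the ServiceAccount's automountServiceAccountToken; when neither is set the
# token is mounted (default true).
def effective_automount(pod: dict, service_accounts: dict) -> bool:
    """Return True if the pod ends up with its service account token mounted."""
    spec = pod.get("spec", {})
    pod_setting: Optional[bool] = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return pod_setting
    # Pods without an explicit serviceAccountName use the "default" account.
    sa_name = spec.get("serviceAccountName", "default")
    sa = service_accounts.get(sa_name, {})
    # On a ServiceAccount the field sits at the top level, not under spec.
    sa_setting: Optional[bool] = sa.get("automountServiceAccountToken")
    if sa_setting is not None:
        return sa_setting
    return True


def find_pods_with_token_mounted(pods: list, service_accounts: dict) -> list:
    """Names of pods whose token is mounted, i.e. what the policy would flag."""
    return [p["metadata"]["name"] for p in pods
            if effective_automount(p, service_accounts)]


# Constructed sample objects (not real cluster data).
SERVICE_ACCOUNTS = {
    "default": {"metadata": {"name": "default"}},
    "no-token-sa": {"metadata": {"name": "no-token-sa"},
                    "automountServiceAccountToken": False},
}
PODS = [
    # Nothing set anywhere: token is mounted.
    {"metadata": {"name": "web-implicit"}, "spec": {}},
    # Disabled on the pod spec: not mounted.
    {"metadata": {"name": "web-explicit-off"},
     "spec": {"automountServiceAccountToken": False}},
    # Disabled on the ServiceAccount, pod silent: not mounted.
    {"metadata": {"name": "batch-sa-off"},
     "spec": {"serviceAccountName": "no-token-sa"}},
    # ServiceAccount disables it but the pod re-enables it: mounted.
    {"metadata": {"name": "batch-pod-override"},
     "spec": {"serviceAccountName": "no-token-sa",
              "automountServiceAccountToken": True}},
]

if __name__ == "__main__":
    print(find_pods_with_token_mounted(PODS, SERVICE_ACCOUNTS))
```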

Important bug fixes

  • ROX-8709: Previously, searching for CVEs with a specific severity did not return any results. This issue has been fixed.

  • ROX-8983: Previously, when configuring the Manage Watches feature, if you added more than 12 images to the watch list, the image list did not display properly. This issue has been fixed.

  • ROX-8276: Previously, when the RHACS Operator accessed the central-htpasswd secret, it created a false positive policy violation for the OpenShift: Advanced Cluster Security Central Admin Secret Accessed default policy. This issue has been fixed.

Resolved in version 3.68.1

Release date: February 14, 2022

  • ROX-9243: In RHACS 3.68.0, Central would sometimes stop responding if the vulnerability data was not available. This issue has been fixed. Central now reports an error for such cases.

Security update

In earlier versions of Red Hat Advanced Cluster Security for Kubernetes, the write permission for the APIToken resource allowed users to create API tokens for any role, including the admin role. This issue has been fixed.

Important system changes

Changes in version 3.68.1

Release date: February 14, 2022

RHACS 3.68.1 includes stability improvements for the automatic registry integrations to handle failure and reduce the load on registries more effectively. RHACS 3.68.1 also includes a new ROX_DISABLE_AUTOGENERATED_REGISTRIES environment variable. You can set its value to true to ignore all new registry integrations from Sensors.

Changes in version 3.68.0

Release date: February 2, 2022

  • RHACS 3.68 includes updates for the Log4Shell vulnerability detection policy. With this update this policy also detects CVE-2021-45046, and it includes the updated remediation based on the latest guidance by the Apache Logging security team.

  • Before this release, snoozing CVEs required write permission for the Images resource. Beginning with RHACS 3.68:

    • To snooze CVEs, you must have write permission for the VulnerabilityManagementRequests resource.

    • To approve requests, you must have write permission for the VulnerabilityManagementApprovals resource.

  • When you upgrade to RHACS 3.68, roles that include write access on the Images resource will have write permissions for both the VulnerabilityManagementRequests and VulnerabilityManagementApprovals resources. Red Hat recommends updating the roles so that each role includes only the minimum set of resources it requires.

  • If you installed Red Hat Advanced Cluster Security for Kubernetes using Helm, this update disabled the cluster configuration options in the RHACS portal. You can continue to use Helm configuration files.

  • RHACS 3.68 sends notifications for every runtime policy violation rather than sending a notification only for the first encountered violation. This is the default behavior. To change it, you must set the NOTIFY_EVERY_RUNTIME_EVENT environment variable to false.

    Red Hat will remove this environment variable in future releases. Contact the support team for any related inquiries.

  • Red Hat has moved the following images to new repositories:

    Image: main
      Old repository: registry.redhat.io/rh-acs/main
      New repository: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8

    Image: collector
      Old repository: registry.redhat.io/rh-acs/collector, with the -latest tag
      New repository: registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8

    Image: collector-slim
      Old repository: registry.redhat.io/rh-acs/collector-slim, with the -slim tag
      New repository: registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8

    Image: scanner
      Old repository: registry.redhat.io/rh-acs/scanner
      New repository: registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8

    Image: scanner-db
      Old repository: registry.redhat.io/rh-acs/scanner-db
      New repository: registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8

  • Tags of the scanner, scanner-db, and collector images, including the collector-slim variant, are now identical to the main image tag. In addition, all these tags now match the version of Red Hat Advanced Cluster Security for Kubernetes. For example, a scanner image for RHACS 3.68.0 is now identified as registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.68.0 and stackrox.io/scanner:3.68.0. Make sure you follow the same versioning scheme when you upgrade manually.

  • Red Hat has changed the image names for collector-slim: -slim is no longer part of the image tag. The Collector Slim image for release 3.68.0 is identified as registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:3.68.0 and collector.stackrox.io/collector-slim:3.68.0.

  • The Scanner DB image at registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8 is now based on rhel8/postgresql-12.

  • The roxctl CLI includes a new --image-defaults option for the roxctl helm output and roxctl central generate commands. It selects the default registry from which container images are pulled when deploying Central and Scanner.

  • Red Hat has deprecated the --rhacs option for the roxctl helm output command. Use --rhacs-image-defaults option instead.

  • By default, the roxctl helm output command now uses the images from registry.redhat.io rather than stackrox.io.

Image versions

Beginning with RHACS 3.68, Red Hat has updated the image versioning convention for the Scanner, Scanner DB, and Collector images. As a result, the version numbers for these images now match the version numbers for the Main image. In addition, due to the change in image repository names in registry.redhat.io, if you mirror RHACS image repositories, you must verify your mirroring is set up to mirror images from the new locations.

Image: Main
  Description: Includes Central, Sensor, Admission Controller, and Compliance. Also includes roxctl for use in continuous integration (CI) systems.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.68.1

Image: Scanner
  Description: Scans images and nodes.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.68.1

Image: Scanner DB
  Description: Stores image scan results and vulnerability definitions.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.68.1

Image: Collector
  Description: Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:3.68.1
  Current version (slim variant): registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:3.68.1