
Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across build, deploy, and runtime stages of the application lifecycle. It deploys in your infrastructure and integrates with your DevOps tooling and workflows to deliver better security and compliance and to enable DevOps and InfoSec teams to operationalize security.

Table 1. Release dates

RHACS version | Released on
3.72.0        | 26 September 2022
3.72.1        | 20 October 2022

Because of an unexpected schema change in an upstream vulnerability feed on 20 October 2022, Red Hat published a corrupted CVE data file to https://definitions.stackrox.io, and many Central instances downloaded the corrupted file. As a result, when Central processes the corrupted feed data, it fails and enters a CrashLoopBackOff state. Although Red Hat has already corrected the CVE data file, Central instances that were already affected do not automatically recover from the CrashLoopBackOff state.

To get Central back to working condition, follow the instructions at Central in CrashLoopBackOff - 2022-10-20 Incident.

About this release

RHACS 3.72 includes:

  • Automatic removal of nonactive clusters from RHACS

  • Support for unauthenticated email integration

  • Support for Quay robot accounts

  • Ability to view Dockerfile lines in images that introduced components with Common Vulnerabilities and Exposures (CVEs)

  • Network graph improvements

  • Scanning support for Red Hat Enterprise Linux 9

  • Policy for CVEs with fixable CVSS of 6 or greater disabled by default

  • Additional feature enhancements and bug fixes

New features

Automatic removal of nonactive clusters from RHACS

RHACS provides the ability to configure your system to automatically remove nonactive clusters from RHACS so that you can monitor active clusters only. Note that only clusters that were installed and performed a handshake with Central at least once are monitored initially. If this feature is enabled, when Central has been unable to reach Sensor in a cluster for the period of time configured in the Decommissioned cluster age field, the cluster is considered nonactive in RHACS, and Central no longer monitors it. You can configure the Decommissioned cluster age field in the Platform Configuration → System Configuration page. When configuring this feature, you can add a label for a cluster so that RHACS continues to monitor that cluster even if it becomes nonactive. For more information, see Configuring automatic removal of nonactive clusters from RHACS.

Support for unauthenticated email integration

RHACS now supports unauthenticated SMTP for email integrations. This is insecure and not recommended. However, you might need to use unauthenticated SMTP for some integrations; for example, if you use an internal server for notifications that does not require authentication. For more information, see Configuring the email plug-in.

Support for Quay robot accounts

RHACS now supports use of robot accounts in quay.io integrations. You can create robot accounts in Quay that allow you to share credentials for use in multiple repositories. Robot accounts authenticate with the Quay Container Registry and replace OAuth tokens, which are deprecated by Quay. For more information, see Manually configuring Quay Container Registry.

Ability to view Dockerfile lines in images that introduced components with Common Vulnerabilities and Exposures (CVEs)

In the Images view, under Image Findings, you can view individual lines in the Dockerfile that introduced the components that have been identified as containing CVEs. To view this information, locate the CVE from the list of CVEs provided in the Image Findings page. In the Affected Components column, click on the <number> components link. You can expand the display to show the line where the component was introduced that contains the CVE. For more information, see Identifying Dockerfile lines in images that introduced components with CVEs.

Network graph improvements

RHACS 3.72 includes the following improvements to the Network Graph:

  • The updated legend in the Network Graph shows the symbols and explanatory text together. Before this improvement, the legend required hovering over the symbols representing namespaces, deployments, and connections.

  • Sometimes, edges in the graph view did not connect to the borders of their nodes and overlapped namespaces. This issue is fixed.

  • With this update, RHACS shows the same formatting and interface when you view YAML files. Before this improvement, there were differences in the YAML file viewer instances.

Documentation updates

The RHACS documentation has been updated to include a list of default security policies.

Notable technical changes

Scanning support for Red Hat Enterprise Linux 9

RHEL 9 is now generally available (GA). RHACS 3.72 introduces support for analyzing images built with Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux (RHEL) 9 RPMs for vulnerabilities.

Policy for CVEs with fixable CVSS of 6 or greater disabled by default

Beginning with this release, the Fixable CVSS >= 6 and Privileged policy is no longer enabled by default for new RHACS installations. The configuration of this policy is not changed when upgrading an existing system. A new policy Privileged Containers with Important and Critical Fixable CVEs, which gives an alert for containers running in privileged mode that have important or critical fixable vulnerabilities, has been added. The new policy is also in the Deploy lifecycle. Known vulnerabilities make it easier for adversaries to exploit your application, and highly-privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected components or running your container with lower privileges.

Deprecated and removed features

Some features available in previous releases have been deprecated or removed.

Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, refer to the table below. Additional information about some removed or deprecated functionality is available after the table.

In the table, features are marked with the following statuses:

  • GA: General Availability

  • TP: Technology Preview

  • DEP: Deprecated

  • REM: Removed

Table 2. Deprecated and removed features tracker

Category       | Feature                                                                                                            | RHACS 3.70 | RHACS 3.71 | RHACS 3.72
API            | Endpoints RenamePolicyCategory and DeletePolicyCategory                                                            | DEP        | DEP        | DEP
API            | vulns fields of the storage.Node object in the response payload of v1/nodes                                        | GA         | DEP        | DEP
API            | /v1/cves/suppress and /v1/cves/unsuppress (see 1 under "Deprecated features")                                      | GA         | DEP        | DEP
API            | ids field in the /v1/cves/suppress and /v1/cves/unsuppress RHACS payload                                           | GA         | DEP        | DEP
API            | cves.ids field of the storage.VulnerabilityRequest object in the response of VulnerabilityRequestService endpoints | GA         | DEP        | DEP
API            | Property retrieval fields for groups (see 2 under "Deprecated features")                                           | GA         | DEP        | DEP
Permissions    | ClusterCVE (see 3 under "Deprecated features")                                                                     | GA         | GA         | DEP
Permissions    | Permissions for permission sets (see 4 under "Deprecated features")                                                | GA         | DEP        | DEP
Tags           | Support for violation tags and process tags                                                                        | DEP        | DEP        | REM
Scanning       | Support for Ubuntu 21.10                                                                                           | GA         | GA         | DEP
Search Options | Label and Annotation search options (see 5 under "Deprecated features")                                            | GA         | GA         | DEP

Deprecated features

This section provides additional information about some of the deprecated features listed in the previous table.

  1. /v1/cves/suppress and /v1/cves/unsuppress have been deprecated and will be removed in a future release. After these are removed:

    • Use /v1/imagecves/suppress and /v1/imagecves/unsuppress to snooze and unsnooze image vulnerabilities.

    • Use /v1/nodecves/suppress and /v1/nodecves/unsuppress to snooze and unsnooze node and host vulnerabilities.

    • Use /v1/clustercves/suppress and /v1/clustercves/unsuppress to snooze and unsnooze platform (Kubernetes, Istio, and OpenShift Container Platform) vulnerabilities.

  2. Previously, groups were retrieved by using the field props: props.authProviderId, props.key, and props.value. This field will be replaced by the new props.id field. Use the props.id field to retrieve groups in the RHACS API. Note the following:

    • Retrieval by using the props fields will be removed in a future release.

    • Until removal, retrieval by using the props field will work if the result is unambiguous (no more than one group is found with the props field).

  3. Permission ClusterCVE is deprecated and will be superseded by the existing permission Cluster.

  4. Permissions for permission sets will be grouped for simplification. The following list describes the new permissions and indicates the deprecated permissions that will be removed in a future release:

    • The Access permission will replace the following permissions: AuthProvider, Group, Licenses, Role, and User.

    • The DeploymentExtension permission will replace the following permissions: Indicator, NetworkBaseline, ProcessWhitelist, and Risk.

    • The Integration permission will deprecate the following permissions: APIToken, BackupPlugins, ImageIntegration, Notifier, and SignatureIntegration.

    • The Image permission will replace the permission ImageComponent.

  5. Label and Annotation search options in RHACS are deprecated and will be removed in the RHACS 3.73 release. They will be replaced by the search options listed in the following table.

    Table 3. Search options

    Resource          | Deprecated search option | New search option
    Node              | Label                    | Node Label
    Node              | Annotation               | Node Annotation
    Namespace         | Label                    | Namespace Label
    Deployment        | Label                    | Deployment Label
    ServiceAccount    | Label                    | Service Account Label
    ServiceAccount    | Annotation               | Service Account Annotation
    K8sRole           | Label                    | Role Binding Label
    K8sRoleAnnotation | Annotation               | Role Binding Annotation

PodSecurityPolicy (PSP) objects and Kubernetes 1.25

The following changes were made in RHACS to support the removal of PSP objects in Kubernetes 1.25:

  • PSP objects are created by default in installations for backward compatibility with Kubernetes versions prior to 1.25. However, you can manually disable PSP creation by setting system.enablePodSecurityPolicies: false in the Helm chart.

  • Beginning with RHACS version 3.71, auto-sensing has been added to RHACS Helm charts. If you install RHACS using the Operator or Helm charts, and RHACS detects a Kubernetes version of 1.25 or later, it will not install PSPs. If you are using the roxctl CLI to install RHACS, you need to disable PSP usage by setting the --enable-pod-security-policies flag to false for the roxctl central generate and roxctl sensor generate commands.

Kubernetes users must disable the admission controller plugin for PSPs before upgrading to Kubernetes version 1.25.

Notice of upcoming RHACS API changes

  • CSV export: Beginning in the RHACS 3.73 release, the CSV export API /api/vm/export/csv will require the CVE Type filter as part of the input query parameter. Requests that do not have the filter will return an error. Supported values for CVE Type are IMAGE_CVE, K8S_CVE, ISTIO_CVE, NODE_CVE, and OPENSHIFT_CVE.

  • Suppress and unsuppress payloads:

    • The field ids in the /v1/cves/suppress and /v1/cves/unsuppress API payloads will be renamed to cves in the RHACS 3.73 release.

    • The cves.ids field of the storage.VulnerabilityRequest object in the response of VulnerabilityRequestService endpoints will be renamed to cves.cves in the RHACS 3.73 release.
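To show what these changes mean for an API client, here is an added example (not RHACS project code): a small helper that routes snooze requests to the per-type endpoints listed in item 1 under "Deprecated features", using the 3.73 field name cves instead of ids, and that refuses a CSV export query lacking the CVE Type filter. The Central search query syntax (Key:value, filters joined with +) and the duration encoding are assumptions, not something this page states.

```python
"""Client-side helpers for the RHACS 3.72/3.73 snooze and CSV export changes.
Added example; not RHACS code. Query syntax and duration format are assumed."""
import urllib.parse

# Replacement snooze endpoints by CVE type ("Deprecated features", item 1).
_SNOOZE_PREFIX = {
    "IMAGE_CVE": "/v1/imagecves",
    "NODE_CVE": "/v1/nodecves",
    "K8S_CVE": "/v1/clustercves",
    "ISTIO_CVE": "/v1/clustercves",
    "OPENSHIFT_CVE": "/v1/clustercves",
}
# CVE Type values the CSV export API requires from RHACS 3.73 onward.
SUPPORTED_CVE_TYPES = frozenset(_SNOOZE_PREFIX)


def snooze_request(cve_type, cves, duration_seconds=0, unsnooze=False):
    """Return (path, payload) for the endpoint replacing /v1/cves/(un)suppress.

    The payload uses the 3.73 field name "cves" (the "ids" name is deprecated).
    Encoding the duration as "<seconds>s" is an assumption of this example."""
    if cve_type not in _SNOOZE_PREFIX:
        raise ValueError(f"unsupported CVE type: {cve_type}")
    if not cves:
        raise ValueError("at least one CVE is required")
    action = "unsuppress" if unsnooze else "suppress"
    payload = {"cves": sorted(set(cves))}  # de-duplicate, stable order
    if not unsnooze:
        payload["duration"] = f"{duration_seconds}s"
    return f"{_SNOOZE_PREFIX[cve_type]}/{action}", payload


def csv_export_url(base_url, query):
    """Build the /api/vm/export/csv URL, rejecting queries 3.73 will refuse.

    Assumes the query is "Key:value" filters joined with "+"."""
    filters = dict(f.split(":", 1) for f in query.split("+") if ":" in f)
    cve_type = filters.get("CVE Type")
    if cve_type is None:
        raise ValueError("query must include a CVE Type filter (required from 3.73)")
    if cve_type not in SUPPORTED_CVE_TYPES:
        raise ValueError(f"unsupported CVE Type {cve_type!r}")
    encoded = urllib.parse.urlencode({"query": query})
    return f"{base_url.rstrip('/')}/api/vm/export/csv?{encoded}"
```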

Known issues

RHACS shows the wrong severity when two severities exist for a single vulnerability in a single distribution. This issue occurs because RHACS scopes severities by namespace rather than component. There is no workaround. It is anticipated that an upcoming release will include a fix for this issue. (ROX-12527)

Bug fixes

Resolved in version 3.72.0

Release date: 26 September 2022

  • Before this update, the steps to configure OpenShift Container Platform OAuth for more than one URI were missing. The documentation has been revised to include instructions for configuring OAuth in OpenShift Container Platform to use more than one URI. For more information, see Creating additional routes for the OpenShift Container Platform OAuth server. (ROX-11296)

  • Before this update, the autogenerated image integration for a cluster, such as a Docker registry integration, was not deleted when the cluster was removed from Central. This issue is fixed. (ROX-9398)

  • Before this update, the Image OS policy criteria did not support regular expressions, or regex. However, the documentation indicated that regular expressions were supported. This issue is fixed by adding support for regular expressions for the Image OS policy criteria. (ROX-12301)

  • Before this update, the syslog integration did not respect a configured TCP proxy. This is now fixed.

  • Before this update, the scanner-db pod failed to start when a resource quota was set for the stackrox namespace, because the init-db container in the pod did not have any resources assigned to it. The init-db container for ScannerDB now specifies resource requests and limits that match the db container. (ROX-12291)

Resolved in version 3.72.1

Release date: 20 October 2022

  • Because of a bug in RHACS 3.72.0, the Collector pods stopped responding and hit a segmentation fault after allocating a memory block for the protocol buffer heap under certain load conditions. The patch release 3.72.1 fixes this issue.

  • In RHACS 3.72.0, scheduled vulnerability reports consistently reported zero vulnerabilities, even if there were images with CVEs within the clusters. The patch release 3.72.1 fixes this error and the reports show the correct CVEs.

  • In RHACS 3.72.0, when you created a deployment bundle by using the roxctl CLI that explicitly disabled Pod Security Policies (PSP), the generated bundle still created manifests for the PSP. As a result, installing the deployment bundle failed when deploying on Kubernetes versions 1.25 or later. The patch release 3.72.1 correctly disables PSP when you specify --enable-pod-security-policies=false with the roxctl CLI.

Image versions

Image      | Description                                                                                                                      | Current version
Main       | Includes Central, Sensor, Admission Controller, and Compliance. Also includes roxctl for use in continuous integration (CI) systems. | registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:3.72
Scanner    | Scans images and nodes.                                                                                                          | registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.72
Scanner DB | Stores image scan results and vulnerability definitions.                                                                         | registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:3.72
Collector  | Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.                                                | registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:3.72 and registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:3.72