Red Hat Advanced Cluster Security for Kubernetes 4.0

With this release, RHACS includes a major architecture change, moving the Central database to PostgreSQL. This change provides important performance and scale benefits.

By default, RHACS installation includes the PostgreSQL database. Future plans include the ability to use your own PostgreSQL-compliant software. RHACS 4.0 includes this feature as a Technology Preview with certain limitations. For more information, see "Installing Central with an external PostgreSQL database (Technology Preview)".

RHACS includes features that depend on the new architecture. Specifically, policy criteria and vulnerability reporting with collections were introduced in 3.74 as a Technology Preview, and are now generally available.

For instructions for a new installation of RHACS 4.0, see Supported platforms and installation methods.

To prevent automatic upgrades when using the Operator, RHACS 4.0 uses a new subscription channel. This update allows the RHACS Operator to comply with Red Hat standards and provides consistency with other Red Hat Operators. As documented in the upgrade instructions, you must explicitly change your subscription channel when upgrading. Customers who remain on the latest channel in the current RHACS Operator channel will continue to receive 3.74 updates until it is no longer supported. The life cycle of RHACS 3.74 has been extended by 3 months to allow you more time to migrate to RHACS 4.0. The upgrade process includes automatically migrating the database, and requires no intervention.

After Central is upgraded, upgrade the subscription channel on all Secured Clusters.

You are encouraged to evaluate the upgrade in a staging environment before pushing it to production to ensure that your unique environment does not present unforeseen issues.

The documentation provides detailed instructions for rolling back to the previous version if necessary. Before the upgrade, back up the existing Central database following the documented backup procedure so that you can roll back to the previous version if necessary. You are encouraged to practice rolling back to the previous version in the staging environment to ensure that your backup was successful and that rolling back the previous version brings the system back to the expected operational state.

To upgrade RHACS to 4.0, perform the following steps:

For additional instructions on upgrading, see the documentation in the "Upgrade documentation" section. Procedures for upgrading by using Helm and roxctl now include a step to back up the Central database before upgrading Central.

To upgrade RHACS, you must switch the Operator channel to stable for your secured clusters.

For more information about upgrading to release 4.0, see the following documentation:

With this release, you can test the use of your existing PostgreSQL infrastructure to provision a database for RHACS.

RHACS 4.0 includes this feature as a Technology Preview and it is not supported for production systems. It currently has several limitations, including the need for privileged superuser access. Red Hat is seeking customer feedback and testing.

For more information, see Installing Central with an external database using the Operator method.

Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service) provides a fully hosted and managed Central instance that allows you to secure your on-premise and cloud-based Kubernetes clusters.

RHACS Cloud Service is available for approved customers. Customers can get RHACS Cloud Service by using the Amazon Web Services (AWS) Marketplace or from their regular Red Hat channels. For more information, contact Red Hat Sales.

During the Limited Availability phase, Red Hat will provide full support with committed service level agreements (SLAs) and response times. Red Hat will also continue to provide an email list for feedback and general questions. The following items apply to RHACS Cloud Service limited availability:

With this release, Telemetry, where RHACS Cloud Service collects anonymized aggregated information about product usage and product configuration, is enabled by default. To learn more about telemetry or see instructions for opting out, see About Telemetry.

RHACS provides RHCOS node host scanning for security vulnerabilities. The scope of this feature is limited to scanning RHCOS RPMs installed on the node host as part of the RHCOS installation for any known vulnerabilities. This feature provides the following functionality:

To view a list of RHEL versions for OpenShift Container Platform and RHCOS, see RHEL Versions Utilized by RHEL CoreOS and OCP.

For more information about vulnerability scanning, see Scanning RHCOS node hosts.

RHACS now provides a list of all processes that are listening on ports in secured clusters. This information can help you associate which deployments and associated processes have open ports and better assess cluster security.

This functionality is available for deployments by using the v1/listening_endpoints API. Changes to the RHACS web portal for this feature are planned for a future release. In this release, the following known limitations exist:

For more information, navigate to Help → API reference in the RHACS portal.

The Network Graph (2.0 preview) has been updated to address user feedback and add improvements. The following changes have been made:

For more information, see Network graph (2.0 preview).

RHACS functionality has been validated on OpenShift Container Platform 4.12 clusters running in Federal Information Processing Standards (FIPS) mode.

API tokens are used in RHACS for some system integrations, authentication processes, and system functions. API tokens expire in 1 year. This release adds an automatic notification process to create warning messages for tokens that will expire in less than 1 week. These messages appear in the Central logs. You can configure your system to alert you when you receive these messages so that you know when you need to generate new tokens. For more information, see About API token expiration.

RHACS has reduced the amount of CPU usage needed for Sensor to resync with Central. The improvement can be enabled with the environment flag of ROX_RESYNC_DISABLED="true" in all sensors running RHACS version 4.0. By default, this variable is disabled, or set to false.

Without this improvement, Sensor reprocesses Kubernetes and Red Hat OpenShift-specific events every minute, which increases the CPU consumption considerably, especially for large clusters with many pods or deployments. With this improvement, reprocessing is no longer required, considerably reducing the load on the CPU.

The following section provides additional information about deprecated features listed in the preceding table.

As announced in the Release Notes for RHACS 3.73.0, some permissions are now grouped for simplification. The deprecation process in 4.0 will remove and replace the deprecated permissions with the replacing permission. The access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions.

The following list provides more information about permission and permission set changes:

Release date: 3 May 2023

Release date: 18 May 2023

Release date: 31 May 2023

Release date: 13 July 2023

Release date: 9 August 2023

Release date: 24 October 2023

This release of RHACS fixes the following security vulnerabilities:

A new default policy has been added, "Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol". This policy alerts on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers, as described in CVE-2023-44487 and CVE-2023-39325. This policy applies to the build or deploy life cycle stage.