×

Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across build, deploy, and runtime stages of the application lifecycle. It deploys in your infrastructure and integrates with your DevOps tools and workflows to deliver better security and compliance and to enable DevOps and InfoSec teams to operationalize security.

Table 1. Release dates
RHACS version Released on

4.0

3 May 2023

4.0.1

18 May 2023

4.0.2

31 May 2023

4.0.3

13 July 2023

4.0.4

9 August 2023

4.0.5

24 October 2023

About this release

RHACS 4.0 includes the following new features, improvements, and updates:

For offline configured installations that have set the collector.slimMode option to false: the rhacs-collector-rhel8 image now contains a subset of kernel modules and eBPF probes available in the support package download. If the collector status is unhealthy after an upgrade, follow the instructions for downloading kernel support packages and then upload them to Central.

New features

Major release version change to 4.0

With this release, RHACS includes a major architecture change, moving the Central database to PostgreSQL. This change provides important performance and scale benefits.

By default, RHACS installation includes the PostgreSQL database. Future plans include the ability to use your own PostgreSQL-compliant software. RHACS 4.0 includes this feature as a Technology Preview with certain limitations. For more information, see "Installing Central with an external PostgreSQL database (Technology Preview)".

RHACS includes features that depend on the new architecture. Specifically, policy criteria and vulnerability reporting with collections were introduced in 3.74 as a Technology Preview, and are now generally available.

For instructions for a new installation of RHACS 4.0, see Supported platforms and installation methods.

Upgrading RHACS to version 4.0

To prevent automatic upgrades when using the Operator, RHACS 4.0 uses a new subscription channel. This update allows the RHACS Operator to comply with Red Hat standards and provides consistency with other Red Hat Operators. As documented in the upgrade instructions, you must explicitly change your subscription channel when upgrading. Customers who remain on the latest channel in the current RHACS Operator channel will continue to receive 3.74 updates until it is no longer supported. The life cycle of RHACS 3.74 has been extended by 3 months to allow you more time to migrate to RHACS 4.0. The upgrade process includes automatically migrating the database, and requires no intervention.

After Central is upgraded, upgrade the subscription channel on all Secured Clusters.

You are encouraged to evaluate the upgrade in a staging environment before pushing it to production to ensure that your unique environment does not present unforeseen issues.

The documentation provides detailed instructions for rolling back to the previous version if necessary. Before the upgrade, back up the existing Central database following the documented backup procedure so that you can roll back to the previous version if necessary. You are encouraged to practice rolling back to the previous version in the staging environment to ensure that your backup was successful and that rolling back the previous version brings the system back to the expected operational state.

To upgrade RHACS to 4.0, perform the following steps:

  1. Upgrade to RHACS version 3.74 if you have an earlier version installed.

  2. Back up the database for Central.

  3. Upgrade Central to version 4.0.

  4. Upgrade secured clusters to version 4.0.

For additional instructions on upgrading, see the documentation in the "Upgrade documentation" section. Procedures for upgrading by using Helm and roxctl now include a step to back up the Central database before upgrading Central.

Upgrading Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service) to version 4.0

To upgrade RHACS, you must switch the Operator channel to stable for your secured clusters.

Manifest-based upgrades using roxctl and Helm upgrade procedures for secured clusters remain unchanged.

Upgrade documentation

For more information about upgrading to release 4.0, see the following documentation:

Installing Central with an external PostgreSQL database (Technology Preview)

With this release, you can test the use of your existing PostgreSQL infrastructure to provision a database for RHACS.

External PostgreSQL database is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

RHACS 4.0 includes this feature as a Technology Preview and it is not supported for production systems. It currently has several limitations, including the need for privileged superuser access. Red Hat is seeking customer feedback and testing.

RHACS Cloud Service Limited Availability

Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service) provides a fully hosted and managed Central instance that allows you to secure your on-premise and cloud-based Kubernetes clusters.

RHACS Cloud Service is available for approved customers. Customers can get RHACS Cloud Service by using the Amazon Web Services (AWS) Marketplace or from their regular Red Hat channels. For more information, contact Red Hat Sales.

During the Limited Availability phase, Red Hat will provide full support with committed service level agreements (SLAs) and response times. Red Hat will also continue to provide an email list for feedback and general questions. The following items apply to RHACS Cloud Service limited availability:

  • RHACS Cloud Service provides the capability to access repositories local to the secured clusters. This functionality is supported only for OpenShift secured clusters and Red Hat Quay that will have local scanning capabilities for internal and extended registries in the customer environments.

  • The Ireland (eu-west-1) region is now available when creating an RHACS Cloud Service instance. Red Hat will ensure all data residency requirements for data are met per the EU standards.

  • RHACS Cloud Service is fully integrated into the AWS Marketplace.

Telemetry data collection in RHACS Cloud Service

With this release, Telemetry, where RHACS Cloud Service collects anonymized aggregated information about product usage and product configuration, is enabled by default. To learn more about telemetry or see instructions for opting out, see About Telemetry.

Red Hat Enterprise Linux CoreOS (RHCOS) node host scanning for security vulnerabilities

RHACS provides RHCOS node host scanning for security vulnerabilities. The scope of this feature is limited to scanning RHCOS RPMs installed on the node host as part of the RHCOS installation for any known vulnerabilities. This feature provides the following functionality:

  • Analysis and detection of RHCOS components

  • Matching of vulnerabilities on the components by using RHEL and Red Hat OpenShift 4.X OVALv2 security data streams

To view a list of RHEL versions for OpenShift Container Platform and RHCOS, see RHEL Versions Utilized by RHEL CoreOS and OCP.

OpenShift Container Platform/RHCOS 4.10 or later is supported.

For more information about vulnerability scanning, see Scanning RHCOS node hosts.

Processes listening on endpoints API

RHACS now provides a list of all processes that are listening on ports in secured clusters. This information can help you associate which deployments and associated processes have open ports and better assess cluster security.

This functionality is available for deployments by using the v1/listening_endpoints API. Changes to the RHACS web portal for this feature are planned for a future release. In this release, the following known limitations exist:

  • It is possible that the process ID (PID) information attached to an endpoint reflects a process of the same name and parameters, but earlier execution time. Additionally, only the pod ID, process name, process arguments, port, and protocol are guaranteed to be populated for a given deployment.

  • Under rare circumstances, network endpoints reported by the API might have process information reflecting the characteristics of the parent process instead of the process that created the listening endpoint.

  • Only TCP endpoints are currently reported.

For more information, navigate to HelpAPI reference in the RHACS portal.

Network graph 2.0 (Technology Preview) updates

Network graph 2.0 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

The Network Graph (2.0 preview) has been updated to address user feedback and add improvements. The following changes have been made:

  • Differentiated Filtered namespaces from Derived namespaces

  • Changed behavior of the display to dim additional items in the background when an item is selected

  • Separated Anomalous flows and Baseline flows in the Details tab for deployments

  • Added container configurations

  • Renamed Extraneous flows to Inactive flows

For more information, see Network graph (2.0 preview).

FIPS ready

RHACS functionality has been validated on OpenShift Container Platform 4.12 clusters running in Federal Information Processing Standards (FIPS) mode.

Alert messages sent to Central logs for expiring tokens

API tokens are used in RHACS for some system integrations, authentication processes, and system functions. API tokens expire in 1 year. This release adds an automatic notification process to create warning messages for tokens that will expire in less than 1 week. These messages appear in the Central logs. You can configure your system to alert you when you receive these messages so that you know when you need to generate new tokens. For more information, see About API token expiration.

Improvements for Sensor resync (Technology Preview)

Sensor resync is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

RHACS has reduced the amount of CPU usage needed for Sensor to resync with Central. The improvement can be enabled with the environment flag of ROX_RESYNC_DISABLED="true" in all sensors running RHACS version 4.0. By default, this variable is disabled, or set to false.

Without this improvement, Sensor reprocesses Kubernetes and Red Hat OpenShift-specific events every minute, which increases the CPU consumption considerably, especially for large clusters with many pods or deployments. With this improvement, reprocessing is no longer required, considerably reducing the load on the CPU.

Documentation additions

Notable technical changes

  • Active vulnerability management is now controlled by a ROX_ACTIVE_VULN_MGMT variable with a default value of false to improve performance. If you need active vulnerability management, set this variable to true to reactivate it. However, if you reactivate this variable, increase the memory limit of Central.

  • Previously, the Analyst permission set had read access on all permissions except the now-deprecated DebugLogs permission. This permission set now has read access to all permissions except Administration.

  • The default resources for Sensor have increased to a request of 2 cores and 4 GB of RAM and a limit of 4 cores and 8 GB of RAM to support a larger number of clusters without modification.

  • The RHACS Operator default channel has changed from latest to stable. If you are running a version earlier than 4.0, you must follow the upgrade procedure to preserve RHACS data in case of issues with the upgrade. For more information, see Upgrading by using the Operator.

  • The versioning scheme for the RHACS Helm charts has changed. Previously, the product version (Major).(Minor).(Patch) was rendered to the Helm chart version (Minor).(Patch).0; for example, 3.74.274.2.0. The new versioning scheme maps product version (Major).(Minor).(Patch) to the Helm chart version as (Major*100).(Minor).(Patch); for example, 4.0.2400.0.2.

Deprecated and removed features

Some features available in previous releases have been deprecated or removed.

Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional information about some removed or deprecated functionality is available after the table.

In the table, features are marked with the following statuses:

  • GA: General Availability

  • TP: Technology Preview

  • DEP: Deprecated

  • REM: Removed

  • NA: Not applicable

Table 2. Deprecated and removed features tracker
Feature RHACS 3.73 RHACS 3.74 RHACS 4.0

AllComments permission

DEP

DEP

REM

BuildDate attribute

GA

DEP

REM

Clair scanner version 2

GA

DEP

REM

ComplianceRuns permission

DEP

DEP

REM

DebugLogs permission

DEP

DEP

REM

Examining images for Application-level dependencies for vulnerability reporting: dotnet/shared/Microsoft.AspNetCore.App/ and dotnet/shared/Microsoft.NETCore.App/

GA

GA

DEP

Expiration field in Exclusion proto

GA

GA

DEP

ids field in the /v1/cves/suppress and /v1/cves/unsuppress API payload

  • DEP in RHACS 3.73

  • REM in RHACS Cloud Service (Field Trial)

DEP

REM

Kernel module collection method

GA

DEP

DEP

Network Graph version 1.0

GA

GA

DEP

NetworkGraphConfig permission

DEP

DEP

REM

Policy permission

GA

DEP

REM

ProbeUpload permission

DEP

DEP

REM

Role permission

GA

DEP

REM

roxctl scanner generate flag offline-mode (flag only)

GA

GA

DEP

ScannerBundle permission

DEP

DEP

REM

ScannerDefinitions permission

DEP

DEP

REM

ScopeManager default role

GA

DEP

REM

SensorUpgradeConfig permission

DEP

DEP

REM

ServiceIdentity permission

DEP

DEP

REM

Support for OpenShift Container Platform versions earlier than 4.10

GA

DEP

REM

/v1/cves/suppress and /v1/cves/unsuppress

  • DEP in RHACS 3.73

  • REM in RHACS Cloud Service (Field Trial)

DEP

REM

/v1/report endpoint

GA

GA

DEP

/v1/serviceaccounts endpoint

GA

GA

DEP

VulnerabilityReports permission

GA

DEP

REM

vulns field of storage.Node object in response payload of v/nodes

  • DEP in RHACS 3.73

  • REM in RHACS Cloud Service (Field Trial)

DEP

REM

Deprecated features

The following section provides additional information about deprecated features listed in the preceding table.

  • The --offline-mode flag for the roxctl scanner generate command is deprecated, as Scanner’s default behavior is to fetch vulnerability updates from Central. The flag is planned for removal in the RHACS 4.2.0 release.

  • The Network Graph version 1.0 is deprecated. Use the Network Graph version 2.0 for improved functionality and a better user experience.

  • The PDF export feature in the Vulnerability Management section of the RHACS web portal is deprecated and is planned for removal in the RHACS 4.2.0 release. Use the vulnerability reporting feature instead for more comprehensive CSV data.

  • Vulnerability scanning support for non-RPM (ASP).NET Core Runtime is deprecated and is planned for removal in the RHACS 4.2.0 release.

  • All /v1/report APIs for creating and managing vulnerability reports are deprecated and will be replaced with new /v2/report APIs in a future release.

Remove kernel module as collection method

Currently, secured clusters can specify three options of collection methods for runtime events: eBPF (selected by default), kernel module, or no collection. Kernel module as a collection method was deprecated in the RHACS version 3.74 release and is planned for removal in the RHACS version 4.1 release.

Actions you must take

Verify the collection method of your secured clusters. This value is set in the collector.collectionMethod parameter and is one of the following methods:

  • EBPF

  • KERNEL_MODULE

  • NO_COLLECTION

If any of your secured clusters uses KERNEL_MODULE as a collection method, change it to EBPF.

Removed features

The following section provides additional information about removed features listed in the preceding table.

Permissions and permission sets

As announced in the Release Notes for RHACS 3.73.0, some permissions are now grouped for simplification. The deprecation process in 4.0 will remove and replace the deprecated permissions with the replacing permission. The access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions.

The following list provides more information about permission and permission set changes:

  • Permission Administration replaces the deprecated following permissions:

    • AllComments

    • Config

    • DebugLogs

    • NetworkGraphConfig

    • ProbeUpload

    • ScannerBundle

    • ScannerDefinitions

    • SensorUpgradeConfig

    • ServiceIdentity

  • Permission Compliance replaces the deprecated permission ComplianceRuns.

  • The Analyst permission set will change behavior. Instead of allowing read access to all resources except DebugLogs, it will allow read access to all resources except Administration. This change affects you if you were using the Analyst role or permission set for actions requiring read access on the following resources:

    • AllComments

    • Config

    • NetworkGraphConfig

    • ProbeUpload

    • ScannerBundle

    • ScannerDefinitions

    • SensorUpgradeConfig

    • ServiceIdentity

    To address this change, preemptively create a new permission set with read access on the Administration and other required resources, and reference it instead of Analyst in the created roles.

Bug fixes

Resolved in version 4.0

Release date: 3 May 2023

  • Previously, in the RHACS portal, the Platform ConfigurationClusters page did not display information in the Cloud Provider field for Azure Red Hat OpenShift and Red Hat OpenShift Service on AWS (ROSA) clusters. This has been fixed. (ROX-14399)

  • If the most recent critical alert in an environment was from a custom policy that triggers off of Kubernetes audit logs, it could cause the widgets on the main dashboard to fail. This has been fixed. (ROX-15103)

  • Previously, the image scan_time value was not updated for some images in the Image entity list. This issue occurred because the workflow for updating watched images and the workflow for manually scanning images did not actually re-scan the images when the image SHA remained the same. This has been fixed. (ROX-15808)

  • Fixed an issue in consistency with roxctl output and API output for the image vulnerability data. Previously, roxctl showed the total number of CVEs. Now the unique number of CVEs is shown instead. (ROX-15277)

  • Fixed an issue with the roxctl generate netpol command. Previously, the command generated network policies with the status{} field, which prevented applying policies to a cluster. The command no longer generates network policies with this field. (ROX-14775)

  • Fixed an issue where the Create Policy buttons were not visible when the certificate expiration banner was displayed. (ROX-12433)

  • Error messages generated during runtime policy validation have been improved. (ROX-15809)

  • Previously, RHACS failed to suspend a cron job when enforcing a deploy time policy. This issue has been fixed. (ROX-15113)

Resolved in version 4.0.1

Release date: 18 May 2023

  • Fixed issue with manifest-based secured cluster installations for Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service).

  • Fixed issue with unwanted logging for RHACS Cloud Service.

Resolved in version 4.0.2

Release date: 31 May 2023

  • This release of RHACS fixes the following security vulnerabilities:

    • CVE-2023-24540: Fixed by building RHACS with updated Golang.

    • CVE-2023-29400: Fixed a vulnerability in Golang that affects templates with actions in unquoted HTML attributes.

    • CVE-2023-24539: Fixed a vulnerability in Golang related to the handling of angle brackets (<>) in cascading style sheets (CSS) contexts.

  • Fixed an issue that caused frequent Central pod restarts with the context deadline exceeded error.

Resolved in version 4.0.3

Release date: 13 July 2023

  • Fixed an issue where RHACS sometimes incorrectly attempted to install PodSecurityPolicies (PSPs), causing the installation to fail because PSPs are not supported in Kubernetes version 1.25 and later. (ROX-17796, ROX-16652)

  • Fixed an issue with upgrades failing because RHACS applied PSPs, even when not enabled. (ROX-17771, ROX-17734)

  • Fixed an issue with failed database migration due to a duplicate key value. (ROX-18059)

  • Fixed a memory leak in Collector. (ROX-17553, ROX-17096)

  • Provides a Python3 security update. (RHSA-2023:3591).

Resolved in version 4.0.4

Release date: 9 August 2023

  • Removed the Pod Security Policies (PSPs) from the Helm release manifest when upgrading from an outdated version. (ROX-17687)

Resolved in version 4.0.5

Release date: 24 October 2023

This release of RHACS fixes the following security vulnerabilities:

A new default policy has been added, "Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol". This policy alerts on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers, as described in CVE-2023-44487 and CVE-2023-39325. This policy applies to the build or deploy life cycle stage.

Known issues

  • Currently, RHACS does not support alerts for security policy violations for containers running with default seccomp profiles-Unconfined. The alert violations for Unconfined seccomp profiles are generated only if the seccomp profile is explicitly set to "Unconfined" in the container specification. No workaround exists. (ROX-13490)

Image versions

Image Description Current version

Main

Includes Central, Sensor, Admission controller, and Compliance. Also includes roxctl for use in continuous integration (CI) systems.

registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.0.5

Scanner

Scans images and nodes.

registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.0.5

Scanner DB

Stores image scan results and vulnerability definitions.

registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.0.5

Collector

Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.

  • registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.0.5

  • registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:4.0.5