
Security vulnerabilities in your environment might be exploited by an attacker to perform unauthorized actions such as denial of service, remote code execution, or unauthorized access to sensitive data. Therefore, the management of vulnerabilities is a foundational step towards a successful Kubernetes security program.

Vulnerability management process

Vulnerability management is a continuous process to identify and remediate vulnerabilities. Red Hat Advanced Cluster Security for Kubernetes helps you to facilitate a vulnerability management process.

A successful vulnerability management program often includes the following critical tasks:

  • Performing asset assessment

  • Prioritizing the vulnerabilities

  • Assessing the exposure

  • Taking action

  • Continuously reassessing assets

Red Hat Advanced Cluster Security for Kubernetes helps organizations to perform continuous assessments on their OpenShift Container Platform and Kubernetes clusters. It provides organizations with the contextual information they need to prioritize and act on vulnerabilities in their environment more effectively.

Performing asset assessment

Performing an assessment of an organization's assets involves the following actions:

  • Identifying the assets in your environment

  • Scanning these assets to identify known vulnerabilities

  • Reporting on the vulnerabilities in your environment to impacted stakeholders

When you install Red Hat Advanced Cluster Security for Kubernetes on your Kubernetes or OpenShift Container Platform cluster, it first aggregates the assets running inside your cluster to help you identify them, and then assesses those assets continuously, giving you the contextual information you need to prioritize and act on vulnerabilities.

Important assets that should be monitored by the organization’s vulnerability management process using RHACS include:

  • Components: Components are software packages that may be used as part of an image or run on a node. Components are the lowest level where vulnerabilities are present. Therefore, organizations must upgrade, modify or remove software components in some way to remediate vulnerabilities.

  • Image: A collection of software components and code that create an environment to run an executable portion of code. Images are where you upgrade components to fix vulnerabilities.

  • Node: A server used to manage and run applications using OpenShift or Kubernetes, together with the components that make up the OpenShift Container Platform or Kubernetes service.

Red Hat Advanced Cluster Security for Kubernetes groups these assets into the following structures:

  • Deployment: A definition of an application in Kubernetes that may run pods with containers based on one or many images.

  • Namespace: A grouping of resources such as Deployments that support and isolate an application.

  • Cluster: A group of nodes used to run applications using OpenShift or Kubernetes.

Red Hat Advanced Cluster Security for Kubernetes scans the assets for known vulnerabilities and uses the Common Vulnerabilities and Exposures (CVE) data to assess the impact of a known vulnerability.

Viewing application vulnerabilities

You can view application vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Dashboard.

  2. On the Dashboard view header, select Application & Infrastructure → Namespaces or Deployments.

  3. From the list, search for and select the Namespace or Deployment you want to review.

  4. To get more information about the application, select an entity from Related entities on the right.

Viewing image vulnerabilities

You can view image vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Dashboard.

  2. On the Dashboard view header, select Images.

  3. From the list of images, select the image you want to investigate. You can also filter the list by performing one of the following steps:

    1. Enter Image in the search bar and then select the Image attribute.

    2. Enter the image name in the search bar.

  4. In the image details view, review the listed CVEs and prioritize taking action to address the impacted components.

  5. Select Components from Related entities on the right to get more information about all the components that are impacted by the selected image. Or select Components from the Affected components column under the Image findings section for a list of components affected by specific CVEs.


Viewing workload CVEs in Vulnerability Management (2.0)

You can view a comprehensive list of vulnerabilities, or CVEs, in RHACS across images and deployments. You can use the search filter bar to select specific CVEs, images, deployments, namespaces, or clusters.

Vulnerability Management 2.0 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Procedure
  1. In the RHACS portal, navigate to Vulnerability Management 2.0 → Workload CVEs.

  2. From the drop-down list, select the search criteria you want to use. You can select an item type, such as a cluster, from the list, and then select the specific name of the item. You can add additional items to the filter by selecting another item from the list and selecting the specific name of the new item. For example, you can select a specific image and a specific cluster to limit results to those selections. You can filter on the following items:

    • CVE

    • Image

    • Deployment

    • Namespace

    • Cluster

  3. Optional: Use the CVE severity list to select the severities of the CVEs that you want to display.

  4. Click the relevant button to view a list of vulnerabilities, images, or deployments in the system.

    The Filtered view icon indicates that the displayed results were filtered based on the criteria that you selected. You can click Clear filters to remove all filters, or remove individual filters by clicking on them.

  5. In the list of results, click a CVE, image name, or deployment name to view more information about the item. For example, depending on the item type, you can view the following information:

    • Whether a CVE is fixable

    • Whether an image is active

    • The Dockerfile line in the image that contains the CVE

    • External links to information about the CVE in Red Hat and other CVE databases

Search example

The following graphic shows an example of search criteria for a cluster called "production" to view CVEs of critical and important severity in that cluster.

[Figure: Workload CVEs view showing a search on the production cluster for CVEs with critical and important severity]

Viewing infrastructure vulnerabilities

You can view vulnerabilities in nodes by using Red Hat Advanced Cluster Security for Kubernetes.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Dashboard.

  2. On the Dashboard view header, select Application & Infrastructure → Cluster.

  3. From the list of clusters, select the cluster you want to investigate.

  4. Review the cluster's vulnerabilities and prioritize taking action on the impacted nodes in the cluster.

Viewing node vulnerabilities

You can view vulnerabilities in specific nodes by using Red Hat Advanced Cluster Security for Kubernetes.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Dashboard.

  2. On the Dashboard view header, select Nodes.

  3. From the list of nodes, select the node you want to investigate.

  4. Review vulnerabilities for the selected node and prioritize taking action.

  5. To get more information about the affected components in a node, select Components from Related entities on the right.

Prioritizing the vulnerabilities

Answer the following questions to prioritize the vulnerabilities in your environment for action and investigation:

  • How important is an affected asset for your organization?

  • How severe does a vulnerability need to be for investigation?

  • Can the vulnerability be fixed by a patch for the affected software component?

  • Does the existence of the vulnerability violate any of your organization’s security policies?

The answers to these questions help security and development teams decide if they want to gauge the exposure of a vulnerability.

Red Hat Advanced Cluster Security for Kubernetes provides you with the means to prioritize the vulnerabilities in your applications and components.

Assessing the exposure

To assess your exposure to a vulnerability, answer the following questions:

  • Is your application impacted by a vulnerability?

  • Is the vulnerability mitigated by some other factor?

  • Are there any known threats that could lead to the exploitation of this vulnerability?

  • Are you using the software package which has the vulnerability?

  • Is spending time on a specific vulnerability and the software package worth it?

Take some of the following actions based on your assessment:

  • Consider marking the vulnerability as a false positive if you determine that there is no exposure or that the vulnerability does not apply in your environment.

  • Consider if you would prefer to remediate, mitigate or accept the risk if you are exposed.

  • Consider if you want to remove or change the software package to reduce your attack surface.
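The two question lists above (prioritization and exposure) are easy to answer inconsistently across teams. The following added example, which is not RHACS code and does not use its API, turns them into a small triage function: each finding carries the answers as fields, a score orders the backlog, and the exposure answers map to the four actions the text names. The weights, the field names, the asset tiers and the sample findings are constructed assumptions; the CVE ids are placeholders.

```python
"""Triage helper that turns the prioritization and exposure questions into a
reproducible score and a recommended action.

Added illustration, not RHACS code and not its API; weights, field names and
sample findings are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Assumed weights; severity names follow the CVE severity list in the portal.
SEVERITY_WEIGHT = {"CRITICAL": 4, "IMPORTANT": 3, "MODERATE": 2, "LOW": 1}
# Assumed asset tiers answering "how important is the affected asset?"
ASSET_WEIGHT = {"business-critical": 3, "internal": 2, "sandbox": 1}


class Action(Enum):
    REMEDIATE = "remediate: update or remove the package"
    MITIGATE = "mitigate and accept the risk"
    ACCEPT = "accept the risk"
    FALSE_POSITIVE = "mark as false positive"


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    severity: str
    fixable: bool            # is a patched version of the component available?
    asset_tier: str
    violates_policy: bool    # does the CVE trip an organizational security policy?
    package_used: bool       # is the vulnerable package actually used by the app?
    impacted: bool           # is the application's code path affected?
    mitigated: bool          # does some other control already reduce exposure?
    known_threat: bool       # is there a known threat exploiting this CVE?


@dataclass(frozen=True)
class TriageResult:
    finding: Finding
    score: int
    action: Action


def priority_score(f: Finding) -> int:
    """Higher means investigate first. Severity x asset importance is the base;
    a policy violation and a known threat add fixed bumps; a fixable CVE gets a
    small bump because acting on it is cheap."""
    score = SEVERITY_WEIGHT[f.severity] * ASSET_WEIGHT[f.asset_tier]
    if f.violates_policy:
        score += 3
    if f.known_threat:
        score += 3
    if f.fixable:
        score += 1
    return score


def recommend(f: Finding) -> Action:
    """Map the exposure answers to one of the four actions listed in the text."""
    if not f.package_used or not f.impacted:
        return Action.FALSE_POSITIVE   # no exposure: the CVE does not apply here
    if f.fixable:
        return Action.REMEDIATE        # a fixed version exists: update or remove
    if f.mitigated:
        return Action.MITIGATE         # no fix, but a compensating control exists
    return Action.ACCEPT               # no fix, no mitigation: accept and reassess


def triage(findings: list[Finding]) -> list[TriageResult]:
    """Return findings ranked by score, highest first; ties broken by CVE id."""
    results = [TriageResult(f, priority_score(f), recommend(f)) for f in findings]
    return sorted(results, key=lambda r: (-r.score, r.finding.cve))


# Constructed sample findings; the CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0001", "openssl", "CRITICAL", True, "business-critical",
            True, True, True, False, True),
    Finding("CVE-XXXX-0002", "libxml2", "MODERATE", False, "internal",
            False, True, True, True, False),
    Finding("CVE-XXXX-0003", "vim", "LOW", True, "sandbox",
            False, False, False, False, False),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS):
        print(f"{r.score:>3}  {r.finding.cve}  {r.finding.component:<10} {r.action.value}")
```

Running the block ranks the critical, policy-violating finding on the business-critical asset first, recommends mitigation for the unfixable but mitigated one, and flags the finding whose package is not used at all as a false-positive candidate. The weights are the part to argue about with your own stakeholders; the shape of the decision is what the text prescribes.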

Taking action

Once you have decided to take action on a vulnerability, you can take one of the following actions:

  • Remediate the vulnerability

  • Mitigate and accept the risk

  • Accept the risk

  • Mark the vulnerability as a false positive

You can remediate vulnerabilities by performing one of the following actions:

  • Remove a software package.

  • Update a software package to a non-vulnerable version.

Finding a new component version

The following procedure finds a new component version to upgrade to.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Dashboard.

  2. On the Dashboard view header, select Images.

  3. From the list of images, select the image you already assessed.

  4. Under the Image findings section, select the CVE.

  5. Select the Affected components of the CVE you want to take action on.

  6. Review the version of the component that the CVE is fixed in and update your image.

Accepting risks

Follow the instructions in this section to accept the risks in Red Hat Advanced Cluster Security for Kubernetes.

Prerequisites
  • You must have write permission for the VulnerabilityManagementRequests resource.

To accept risk with or without mitigation:

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Dashboard.

  2. On the Dashboard view header, select Images.

  3. From the list of images, select the image you already assessed.

  4. Find the row which lists the CVE you would like to take action on.

  5. Click kebab on the right for the CVE you identified and click Defer CVE.

  6. Select the date and time until which you want to defer the CVE.

  7. Select if you want to defer the CVE for the selected image tag or all tags for this image.

  8. Enter the reason for the deferral.

  9. Click Request approval. Select the blue information icon on the right of the CVE and copy the approval link to share with your organization’s deferral approver.

Marking vulnerabilities as false positive

The following procedure marks a vulnerability as a false positive.

Prerequisites
  • You must have the write permission for the VulnerabilityManagementRequests resource.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Dashboard.

  2. On the Dashboard view header, select Images.

  3. From the list of images, select the image you already assessed.

  4. Find the row which lists the CVE you would like to take action on.

  5. Click the kebab on the right for the CVE you identified and click Defer CVE.

  6. Select the date and time you want to defer the CVE.

  7. Select if you want to defer the CVE for the selected image tag or all tags for this image.

  8. Enter the reason for the deferral.

  9. Click Request approval.

  10. Select the blue information icon on the right of the CVE and copy the approval link to share with your organization’s deferral approver.

Reviewing a false positive or deferred CVE

Use the following procedure to review a false positive or deferred CVE.

Prerequisites
  • You must have the write permission for the VulnerabilityManagementApprovals resource.

You can review a false positive or deferred CVE:

Procedure
  1. Open the approval link in your browser or in the RHACS portal.

  2. Navigate to Vulnerability Management → Risk Acceptance and search for the CVE.

  3. Review the vulnerability's scope and the requested action to decide whether to approve it.

  4. Click on the kebab at the far right of the CVE and approve or deny the request for approval.
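The three procedures above (accepting risk, marking a false positive, reviewing the request) describe one workflow: a requester with write permission on VulnerabilityManagementRequests files a request scoped to one image tag or all tags, an approver with write permission on VulnerabilityManagementApprovals approves or denies it, and an approved deferral hides the CVE only until the chosen date and time. The following added example models that workflow so the scope and expiry rules can be checked; it is not RHACS code and does not use its API. The class names, the way the two resource names are used as permission strings, the image names, the timestamps and the placeholder CVE ids are all constructed assumptions.

```python
"""Model of the deferral / false-positive request workflow: submit, review,
and decide whether an approved request still suppresses a CVE on an image:tag.

Added illustration only, not RHACS code or its API; class names, the use of
the resource names as permission strings, and all sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

REQUEST_PERM = "VulnerabilityManagementRequests"    # resource named in the prerequisites
APPROVAL_PERM = "VulnerabilityManagementApprovals"  # resource named in the prerequisites


class Kind(Enum):
    DEFERRAL = "deferral"
    FALSE_POSITIVE = "false positive"


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"


@dataclass(frozen=True)
class Principal:
    name: str
    write_perms: frozenset[str]


@dataclass
class RiskRequest:
    cve: str
    image: str                    # image repository without the tag
    tag: Optional[str]            # None means "all tags for this image"
    kind: Kind
    reason: str
    requested_by: str
    expires: Optional[datetime]   # deferrals expire; false positives do not
    status: Status = Status.PENDING
    reviewed_by: Optional[str] = None


def submit(user: Principal, cve: str, image: str, tag: Optional[str], kind: Kind,
           reason: str, expires: Optional[datetime]) -> RiskRequest:
    """File a request; mirrors the 'Request approval' step and its inputs."""
    if REQUEST_PERM not in user.write_perms:
        raise PermissionError(f"{user.name} lacks write on {REQUEST_PERM}")
    if kind is Kind.DEFERRAL and expires is None:
        raise ValueError("a deferral needs a date and time to defer until")
    if not reason.strip():
        raise ValueError("a reason is required")
    return RiskRequest(cve, image, tag, kind, reason, user.name, expires)


def review(reviewer: Principal, req: RiskRequest, approve: bool) -> RiskRequest:
    """Approve or deny a pending request; mirrors the Risk Acceptance review."""
    if APPROVAL_PERM not in reviewer.write_perms:
        raise PermissionError(f"{reviewer.name} lacks write on {APPROVAL_PERM}")
    if req.status is not Status.PENDING:
        raise ValueError("request already reviewed")
    req.status = Status.APPROVED if approve else Status.DENIED
    req.reviewed_by = reviewer.name
    return req


def is_suppressed(cve: str, image: str, tag: str,
                  requests: list[RiskRequest], now: datetime) -> bool:
    """True if an approved, unexpired request covers this CVE on this image:tag."""
    for r in requests:
        if r.status is not Status.APPROVED or r.cve != cve or r.image != image:
            continue
        if r.tag is not None and r.tag != tag:
            continue                                  # scoped to a different tag
        if r.kind is Kind.DEFERRAL and r.expires <= now:
            continue                                  # expired: the CVE resurfaces
        return True
    return False


def expiring_within(requests: list[RiskRequest], now: datetime,
                    window: timedelta) -> list[RiskRequest]:
    """Approved deferrals that lapse inside the window, for scheduled reassessment."""
    return [r for r in requests
            if r.kind is Kind.DEFERRAL and r.status is Status.APPROVED
            and now <= r.expires <= now + window]


# Constructed scenario with a fixed reference time and placeholder CVE ids.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
IMAGE = "registry.example/app"


def run_scenario() -> dict:
    dev = Principal("dev", frozenset({REQUEST_PERM}))
    lead = Principal("lead", frozenset({APPROVAL_PERM}))
    deferral = submit(dev, "CVE-XXXX-0002", IMAGE, None, Kind.DEFERRAL,
                      "fix lands next sprint", NOW + timedelta(days=30))
    false_pos = submit(dev, "CVE-XXXX-0003", IMAGE, "1.4", Kind.FALSE_POSITIVE,
                       "vulnerable package is never loaded", None)
    review(lead, deferral, approve=True)
    review(lead, false_pos, approve=True)
    reqs = [deferral, false_pos]
    return {
        "deferral_all_tags": is_suppressed("CVE-XXXX-0002", IMAGE, "1.5", reqs, NOW),
        "deferral_after_expiry": is_suppressed("CVE-XXXX-0002", IMAGE, "1.5", reqs,
                                               NOW + timedelta(days=31)),
        "fp_matching_tag": is_suppressed("CVE-XXXX-0003", IMAGE, "1.4", reqs, NOW),
        "fp_other_tag": is_suppressed("CVE-XXXX-0003", IMAGE, "1.5", reqs, NOW),
        "expiring_in_45d": [r.cve for r in expiring_within(reqs, NOW, timedelta(days=45))],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point worth keeping from this model is that suppression is a property of an approved request, a scope, and a clock: a deferral scoped to all tags hides the CVE on every tag until it expires and then the CVE resurfaces, whereas a false positive scoped to one tag says nothing about other tags of the same image. The expiring_within helper is what a weekly reassessment would run so that deferrals do not silently lapse.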

Reporting vulnerabilities to teams

As organizations must constantly reassess and report on their vulnerabilities, some organizations find it helpful to have scheduled communications to key stakeholders to help in the vulnerability management process.

You can use Red Hat Advanced Cluster Security for Kubernetes to schedule these recurring communications through e-mail. These communications should be scoped to the most relevant information that the key stakeholders need.

For sending these communications, you must consider the following questions:

  • What schedule would have the most impact when communicating with the stakeholders?

  • Who is the audience?

  • Should you only send specific severity vulnerabilities in your report?

  • Should you only send fixable vulnerabilities in your report?

Scheduling vulnerability management reports

The following procedure creates a scheduled vulnerability report.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Reporting.

  2. Click Create report.

  3. Enter a name for your report in the Report name field.

  4. Select a weekly or monthly cadence for your report from the Repeat report… drop-down list.

  5. Select the days of the week for the report from the On… drop-down list.

  6. Optional: Enter text describing the report in the Description field.

  7. In the CVE fixability type field, select the Common Vulnerabilities and Exposures (CVE) fixability types that you want to include in the report.

  8. In the Show vulnerabilities drop-down list, select whether you want to show all vulnerabilities or show only vulnerabilities discovered since the last successful report.

  9. In the CVE severities drop-down list, select the severities of the CVEs that should be included in the report.

  10. In the Configure report scope field, select an existing collection, or click Create collection to create a new one. Entering text in the field searches for collections matching that text string. For more information about collections, see "Creating deployment collections" in the Additional resources section.

    Collections replaced report scopes in RHACS release 3.74. Existing report scopes have been migrated to collections. See "Migration of access scopes to collections" in the Additional resources section for more information.

  11. Select an existing notifier or create a new email notifier to send your report by email. For more information on creating an email notifier, see "Configuring the email plugin" in the Additional resources section.

  12. Enter email addresses of report recipients in the Distribution list field.

  13. Select Create to create and schedule the report.
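The report settings chosen in steps 7 through 10 (fixability type, show-all versus since-last-successful-report, severities, and the collection that scopes the report) are filters applied to the current set of findings at each run. The following added example, which is not RHACS code and does not use its API, applies those four filters to constructed findings and summarizes the result the way a recipient would want it. The record layout, the modelling of a collection as a set of namespaces, the timestamps and the placeholder CVE ids are constructed assumptions.

```python
"""Apply a scheduled report's settings (fixability, severity, since-last-run,
scope collection) to a set of findings and summarize the selection.

Added illustration only, not RHACS code or its API; the record layout, the
namespace-based collection, and all sample data are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SEVERITY_ORDER = ["CRITICAL", "IMPORTANT", "MODERATE", "LOW"]


@dataclass(frozen=True)
class Finding:
    cve: str
    image: str
    namespace: str
    severity: str
    fixable: bool
    discovered: datetime


@dataclass(frozen=True)
class ReportConfig:
    name: str
    fixability: frozenset[str]        # subset of {"FIXABLE", "NOT_FIXABLE"}
    severities: frozenset[str]
    only_since_last_run: bool         # "only vulnerabilities discovered since the last successful report"
    scope_namespaces: frozenset[str]  # the collection this report is scoped to (assumed namespace-based)
    last_successful_run: Optional[datetime] = None


def fixability_type(f: Finding) -> str:
    return "FIXABLE" if f.fixable else "NOT_FIXABLE"


def select_findings(findings: list[Finding], cfg: ReportConfig) -> list[Finding]:
    """Return the findings the report would contain, most severe first."""
    selected = []
    for f in findings:
        if f.namespace not in cfg.scope_namespaces:
            continue                                   # outside the report scope
        if f.severity not in cfg.severities:
            continue                                   # severity not requested
        if fixability_type(f) not in cfg.fixability:
            continue                                   # fixability type not requested
        if (cfg.only_since_last_run and cfg.last_successful_run is not None
                and f.discovered <= cfg.last_successful_run):
            continue                                   # already reported last time
        selected.append(f)
    return sorted(selected, key=lambda f: (SEVERITY_ORDER.index(f.severity), f.cve))


def summarize(selected: list[Finding]) -> dict[str, int]:
    """Counts per severity, in severity order, for the report header."""
    counts = Counter(f.severity for f in selected)
    return {s: counts[s] for s in SEVERITY_ORDER if counts[s]}


# Constructed sample data with a fixed reference time and placeholder CVE ids.
NOW = datetime(2024, 1, 8, tzinfo=timezone.utc)
LAST_RUN = NOW - timedelta(days=7)
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0101", "registry.example/pay:1.2", "payments", "CRITICAL", True, NOW - timedelta(days=1)),
    Finding("CVE-XXXX-0102", "registry.example/pay:1.2", "payments", "IMPORTANT", False, NOW - timedelta(days=2)),
    Finding("CVE-XXXX-0103", "registry.example/pay:1.1", "payments", "CRITICAL", True, NOW - timedelta(days=10)),
    Finding("CVE-XXXX-0104", "registry.example/dev:0.9", "dev", "CRITICAL", True, NOW - timedelta(days=1)),
    Finding("CVE-XXXX-0105", "registry.example/pay:1.2", "payments", "LOW", True, NOW - timedelta(days=1)),
    Finding("CVE-XXXX-0106", "registry.example/bill:2.0", "billing", "IMPORTANT", True, NOW - timedelta(days=3)),
]

# A weekly report for stakeholders who only want new, fixable, high-severity items.
WEEKLY_NEW_FIXABLE = ReportConfig(
    name="weekly-new-fixable",
    fixability=frozenset({"FIXABLE"}),
    severities=frozenset({"CRITICAL", "IMPORTANT"}),
    only_since_last_run=True,
    scope_namespaces=frozenset({"payments", "billing"}),
    last_successful_run=LAST_RUN,
)

# The same scope, but everything (both fixability types, no time cut-off).
WEEKLY_ALL = ReportConfig(
    name="weekly-all",
    fixability=frozenset({"FIXABLE", "NOT_FIXABLE"}),
    severities=frozenset({"CRITICAL", "IMPORTANT"}),
    only_since_last_run=False,
    scope_namespaces=frozenset({"payments", "billing"}),
    last_successful_run=LAST_RUN,
)

if __name__ == "__main__":
    for cfg in (WEEKLY_NEW_FIXABLE, WEEKLY_ALL):
        rows = select_findings(SAMPLE_FINDINGS, cfg)
        print(cfg.name, summarize(rows), [f.cve for f in rows])
```

Comparing the two configurations on the same findings shows what each report setting costs in signal: the "since last successful report" option drops the older critical finding even though it is still open, and the fixability filter drops the important unfixable one. A report for a team that remediates wants the first configuration; a report for a risk owner who tracks accepted and unfixable items needs the second.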

Sending a vulnerability report

The following procedure sends a vulnerability report.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Reporting.

  2. From the list of reports, select the report.

  3. Select the kebab on the right of the report and click Run report now.

Editing a vulnerability report

The following procedure edits a vulnerability report.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Reporting.

  2. From the list of reports, select the report.

  3. Select the kebab on the right of the report and click Edit.

  4. Modify the report as required.

  5. Click Save.

Deleting a vulnerability report

The following procedure deletes a vulnerability report.

Procedure
  1. On the RHACS portal, navigate to Vulnerability Management → Reporting.

  2. From the list of reports, select the report.

  3. Select the kebab on the right of the report and click Delete report.