Red Hat Advanced Cluster Security for Kubernetes 4.2

When installing RHACS, instead of creating an exclusive RHACS PostgreSQL database instance, you can use your existing one.

For more information, see Installing Central with an external database using the Operator method.

The runtime collection method based on BPF CO-RE (Compile Once-Run Everywhere) introduced in RHACS 4.1 is now generally available on x86_64 and s390x architectures. To enable it, set the value of your backed-up cluster’s collector.collectionMethod parameter to CORE_BPF.

RHACS now provides a product usage report to help estimate RHACS consumption for licensing. It lists the number of secured OpenShift Container Platform or Kubernetes nodes and the number of CPU units used for secured clusters. To download this report in CSV format, go to the System Health dashboard and click Show product usage. You can also get the product usage data using the API.

For more information, see Viewing product usage data.

RHACS 4.2 includes significant performance improvements for the Compliance dashboard.

Based on testing with a 50-cluster and 4900-node-environment, these improvement includes:

If you have a disconnected environment or use registry mirrors to satisfy your organizational controls on external content, RHACS can now scan images from your registry mirrors in OpenShift Container Platform environments.

This feature leverages the delegated image scanning functionality introduced in RHACS 4.1. The delegated image scanning functionality allows RHACS Secured cluster services to use Sensor to pull images for scanning from registry mirrors you have set up by using the ImageContentSourcePolicy, ImageDigestMirrorSet, or ImageTagMirrorSet custom resources.

For more details, see Accessing delegated image scanning.

RHACS 4.1 introduced Scanning support for images pulled from on-premise registries to support RHACS Cloud Service environments, allowing you to delegate vulnerability scanning to the RHACS secured cluster services using APIs. With RHACS 4.2, the delegated image scanning feature is now available in RHACS, and you can configure it using the RHACS portal.

For more information, see Accessing delegated image scanning.

To support your organization’s vulnerability management policies, you can now use the following new vulnerability management policy criteria:

RHACS 4.2 introduces workload vulnerability reporting in Vulnerability Management 2.0 (Technology Preview). You can now create on-demand reports and download them in CSV format. Like VM 1.0, you can continue generating scheduled or on-demand reports and sending them by an email notifier. The report includes rich detail for detected CVEs, including Deployment info, Image info, and detailed CVE data such as Fixable Status, Component Upgrade Version, Severity, CVSS score, and more.

For more information, see Vulnerability reporting in Vulnerability Management 2.0.

RHACS 4.2 can now identify vulnerabilities in images with the following Linux distributions:

For more information, see Scanning Images.

With this release, you can now generate policies from within the Network Graph and narrow down policies that apply to specific deployments and namespaces in a cluster. You can also use the Filter deployments section criteria to narrow the generated policies' scope further. After generating network policies, you can compare the generated policies with the existing network policies and view them side-by-side to understand the differences in the YAML files for the policies. You can download the generated policies or share them with system notifiers, such as Slack, that you have previously set up using integrations in RHACS.

Based on user feedback, Red Hat has restructured the command-line syntax and expanded the toolset. The following three netpol tools operate on a given file directory, which includes all of the project’s workload manifests, including network policy manifests if available.

These command line tools help teams to shift network security left. With the automated generation of Kubernetes network policies and the supplementary validation tools, Dev and DevOps teams can include network policy development into their Build pipeline, using the RHACS command-line interface, roxctl.

Currently, you can use these tools without authenticating with RHACS. Red Hat plans to include more advanced features when you authenticate with RHACS in a future release.

RHACS provides information about processes listening on ports for all deployments in a secured cluster. Until now, this information was only accessible through the API. In RHACS 4.2, you can see detailed information about which processes are listening on what ports using the RHACS portal. It includes details about the process, port, pod, and container, and you can sort and filter the list using Deployment, Namespace, or Cluster criteria.

For more information, see Auditing listening endpoints.

In the RHACS portal, the Deployment tab shows a new Network policies section when viewing violations for a specific policy. If the namespace to which the deployment belongs has network policies listed, you can click on a listed policy to view or download the entire YAML file for that network policy.

The following section provides additional information about deprecated features listed in the preceding table.

The following section provides additional information about the removed features listed in the preceding table.

Release date: 18 September 2023

Release date: 3 October 2023

Release date: 23 October 2023

This release of RHACS fixes the following security vulnerabilities:

It contains the following bug fixes and changes:

Release date: 27 November 2023

This release of RHACS includes updates to Red Hat Enterprise Linux (RHEL) base images and includes the following fixes:

Release date: 22 January 2024

Release date: 14 March 2024

This release provides the following bug fix: