1. Documentation
    2. history bug_report picture_as_pdf
×

Red Hat Advanced Cluster Security for Kubernetes 4.3

Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. Red Hat Advanced Cluster Security for Kubernetes deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.

Table 1. Release dates
RHACS version Released on

4.3.0

15 November 2023

4.3.1

11 December 2023

4.3.2

8 January 2024

4.3.3

16 January 2024

4.3.4

22 January 2024

4.3.5

13 March 2024

4.3.6

27 March 2024

About this release

RHACS 4.3 adds new features, improvements, and updates.

New features

This release adds improvements related to the following components and concepts.

Increased support for hardware and software

RHACS support has been increased for the following hardware and software:

  • Red Hat OpenShift on IBM Cloud: You can now protect Red Hat OpenShift on IBM Cloud by using RHACS. With this release, you can run secured clusters on Red Hat OpenShift on IBM Cloud.

  • IBM Power and IBM Z: RHACS Central Services are now supported on IBM Power and IBM Z.

  • Red Hat OpenShift Service on AWS: RHACS is supported on ROSA hosted control plane (HCP) enabled clusters.

  • Red Hat OpenShift: This release is supported with OpenShift Container Platform 4.14.

For more information, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix.

Vulnerability reporting 2.0 is generally available

With this release, the Vulnerability Reporting option under the Vulnerability Management (2.0) menu is generally available. Several enhancements have been made to vulnerability reporting, including the ability to customize email templates that are used when reports are sent. For more information, see Vulnerability Reporting.

Reports created in the Vulnerability Management 1.0Reporting page are automatically migrated. For more information, see Migration of vulnerability reports when upgrading to RHACS version 4.3 and later.

Watch and scan images in Vulnerability Management 2.0

The ability to mark an image as watched has been migrated from the Vulnerability Management (1.0) menu item to Vulnerability Management 2.0. Watched images are still scanned for vulnerabilities even when not in use by an active deployment.

For more information, see Scanning inactive images.

View administration events information

With this release, RHACS introduces an administration events dashboard that allows you to efficiently manage and troubleshoot events within your RHACS instance and significantly improves the reliability and security of your RHACS instance.

For more information, see Using the administration events page.

Scan images by using the roxctl CLI

You can now scan images stored in image registries, including cluster local registries such as the OpenShift Container Platform integrated image registry, by using the roxctl CLI.

For more information, see Image scanning by using the roxctl CLI.

Invite users to your RHACS instance

You can now invite users and define their roles to ensure accurate access control and improve the security of your RHACS instance.

For more information, see Inviting users to your RHACS instance.

Notable technical changes

  • When audit logging is enabled, audit log messages now include the source IP address of the audit log request. For more information, see Enabling audit logging.

  • The default policy "Iptables Executed in Privileged Container" has been renamed to "Iptables or nftables Executed in Privileged Container" and now also detects the nft process that is used by nftables.

  • Risk reprocessing has been changed from potentially being computed every 15 seconds to 10 minutes. This improves system performance by debouncing expensive risk calculations. To use the earlier value for risk reprocessing, set the environment variable ROX_RISK_REPROCESSING_INTERVAL to 15s.

Notice of upcoming changes to RHACS vulnerability management

In the past several RHACS releases, we have optimized and enhanced RHACS features and functionality available in the Vulnerability Management (1.0) menu item and migrated them to the Vulnerability Management (2.0) menu item.

The existing page for Risk Acceptance in the Vulnerability Management (1.0) menu item will be migrated to the Vulnerability Management (2.0) menu item in an upcoming release. It will be renamed Vulnerability Exception Management.

We invite you to review the existing features in the Vulnerability Management (2.0) menu item and give us feedback by clicking the red Feedback button in the RHACS web portal.

Deprecated and removed features

Some features available in earlier releases have been deprecated or removed.

Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional information about some removed or deprecated functionality is available after the table.

In the table, features are marked with the following statuses:

  • GA: General Availability

  • TP: Technology Preview

  • DEP: Deprecated

  • REM: Removed

  • NA: Not applicable

Table 2. Deprecated and removed features tracker
Feature RHACS 4.1 RHACS 4.2 RHACS 4.3

CIS Docker v1.2.0 Compliance Standard

NA

DEP

DEP

Custom Security Context Constraints (SCCs): stackrox-collector,stackrox-admission-control, and stackrox-sensor

DEP

DEP

REM

Examining images for Application-level dependencies for vulnerability reporting: dotnet/shared/Microsoft.AspNetCore.App/ and dotnet/shared/Microsoft.NETCore.App/

DEP

DEP

REM

Expiration field in Exclusion proto

DEP

DEP

REM

roxctl connectivity-map

NA

DEP

DEP

roxctl generate netpol

NA

DEP

DEP

/v1/clustercves/suppress APIs

NA

NA

DEP

/v1/clustercves/unsuppress APIs

NA

NA

DEP

/v1/cve/requests APIs

NA

NA

DEP

/v1/nodecves/suppress APIs

NA

NA

DEP

/v1/nodecves/unsuppress APIs

NA

NA

DEP

/v1/report endpoint

DEP

DEP

REM

/v1/serviceaccounts endpoint

DEP

DEP

REM

Vulnerability Management (1.0) menu item

GA

GA

DEP

Vulnerability Management (1.0): Image CVEs, Image Components, Images, Deployments, and Namespaces

DEP

DEP

REM

Vulnerability Management (1.0)Vulnerability Reporting page

DEP

DEP

REM

Vulnerability Management Approver permission

DEP

DEP

REM

Vulnerability Report Creator permission

GA

DEP

DEP

Vulnerability Management Requester permission

DEP

DEP

REM

Deprecated features

The following section provides additional information about deprecated features listed in the preceding table.

  • The Vulnerability Management (1.0) menu item in the RHACS web portal has been deprecated and future removal is planned. It is replaced by Vulnerability Management (2.0).

  • The /v1/cve/requests APIs have been deprecated and will be replaced by /v2/vulnerability-exceptions/ APIs in the future. Vulnerability deferral management for host (/node) and platform (/cluster) vulnerabilities has been deprecated and will be removed in the future. After deferral management is removed, deferrals cannot be created for host and platform vulnerabilities and the existing exceptions enforced on host and platform vulnerabilities will be reverted. The affected APIs are /v1/nodecves/suppress, /v1/nodecves/unsuppress, /v1/clustercves/suppress, and /v1/clustercves/unsuppress.

Removed features

  • The Vulnerability Reporting page in the Vulnerability Management (1.0) menu item has been removed. Vulnerability reporting is available under the Vulnerability Management (2.0) menu item.

  • The /v1/report APIs have been removed. Use the /v2/reports/ APIs.

Bug fixes

Resolved in version 4.3.0

Release date: 15 November 2023

  • Fixed the diagnostic bundle generation returning an incomplete .zip file when the connection to a secured cluster is lost.

  • Fixed an issue with the Sensor upgrade tool failing to upgrade from earlier versions on OpenShift Container Platform clusters.

  • In some cases, Common Vulnerabilities and Exposures (CVEs) that were deferred and approved were not added to the list of snoozed CVEs. This behavior was caused by an issue with the /v1/suppress and /v1/unsuppress APIs and has been fixed.

  • Fixed file search in the ca-setup.sh file that is used to configure additional Certificate Authorities (CAs). Previously, the script could not find any files in the directory, even with the correct .crt and .pem extensions.

Resolved in version 4.3.1

Release date 11 December 2023

  • Fixed an issue where a user could not log in if a role mapped to the user did not have at least read access for the Access permission.

  • Fixed an issue with editing user-defined vulnerability reports in version 4.3 that were created in a previous version and linked to a specific report scope. When editing the report in version 4.3, the report scope reference was missing, and the system returned an error message.

  • Updated and removed golang dependencies to address reported vulnerabilities, including false positives.

Resolved in version 4.3.2

Release date: 8 January 2024

  • Fixed an issue with manual delegated scanning that caused Central to crash.

  • Fixed PostgreSQL vulnerabilities in scanner-db containers.

Resolved in version 4.3.3

Release date: 16 January 2024

  • This release contains updates to the versions of golang and go-git used in RHACS.

Resolved in version 4.3.4

Release date: 22 January 2024

This release contains the following bug fixes and enhancements.

The following fixes and enhancements for integration with Jira and Jira Cloud are implemented:

  • The priority is now correctly set on Jira issues created by RHACS.

  • The RHACS integration with Jira Cloud can successfully be created.

  • The default priority mappings in the integration creation page in the RHACS portal have been updated to match the default Jira priorities.

  • Checks were added for integration creation to minimize the risk that issue creation will fail after the integration is saved.

  • A checkbox was added to give you the option to disable setting the priority.

A TLS certificate rotation fix is included. In the past, the Operator attempted to rotate TLS certificates for Central components only after they expired. Additionally, a bug prevented update of the expired certificate in the central-tls secret. With this fix, the Operator will rotate all Central components' service TLS certificates 6 months before they expire. The following conditions apply:

  • The rotation of certificates in the secrets does not trigger the components to automatically reload them. However, reloads typically occur when the pod is replaced as part of an RHACS upgrade or as a result of node reboots. If neither of those events happens at least every 6 months, you must restart the pods before the old (in-memory) service certificates expire. For example, you can delete the pods with an app label that contains one of the values of central, central-db, scanner, or scanner-db.

  • CA certificates are not updated. They are valid for 5 years.

  • The service certificates in the init bundles used by secured cluster components are not updated. You must rotate the init bundles at regular intervals.

Resolved in version 4.3.5

Release date: 13 March 2024

This release provides the following bug fix:

  • Fixed an issue where an upgrade to version 4.3 from an earlier version caused the Central component to enter a crash loop.

It provides the following security fixes:

Resolved in version 4.3.6

Release date: 27 March 2024

This release provides the following bug fix:

  • Fixed an issue where an incorrectly configured Jira notifier causes the Central component of RHACS to enter a crash loop

It provides the following security fix where an image is flagged due to an indirect dependency of RHACS:

  • go-git: Maliciously crafted Git server replies can lead to path traversal and remote code execution (RCE) on go-git clients (CVE-2023-49569)

It also provides the following security fixes:

Known issues

  • RHACS version 4.2 introduced additional logic that considers the socket connection state to decide whether Collector reports a connection or not. The expected behavior is that the connection is not reported until it is successfully established. A known issue on the ppc64le architecture can cause a blocked or failing connection to be reported instead of being silenced. No workaround exists for this issue.

  • RHACS Central components do not deploy correctly on a default ROSA cluster. The workaround is to scale the worker nodes to allow the RHACS components to be scheduled. See RHACS Central pods do not schedule on a default ROSA cluster for more information.

Image versions

Image Description Current version

Main

Includes Central, Sensor, Admission controller, and Compliance. Also includes roxctl for use in continuous integration (CI) systems.

registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.3.6

Scanner

Scans images and nodes.

registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.3.6

Scanner DB

Stores image scan results and vulnerability definitions.

registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.3.6

Collector

Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.

  • registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.3.6

  • registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:4.3.6

Central DB

PostgreSQL instance that provides the database storage for Central.

registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8:4.3.6