Custom Security Context Constraints (SCCs):
-
stackrox-collector
-
stackrox-admission-control
-
stackrox-sensor
roxctl
installation GitHub actionRed Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. Red Hat Advanced Cluster Security for Kubernetes deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.
RHACS version | Released on |
---|---|
|
24 July 2024 |
|
14 August 2024 |
|
16 September 2024 |
|
1 October 2024 |
|
16 October 2024 |
|
22 November 2024 |
RHACS 4.5 includes the following new features, improvements, and updates:
This release adds improvements related to the following components and concepts:
Scanner V4 is now generally available. It integrates the features of the StackRox Scanner and the upstream Clair V4 Scanner and provides the following improvements:
Consistent and accurate scanning: Scanner V4 provides reliable vulnerability scan results across the entire Red Hat product ecosystem.
Expanded language and operating system support:
RHACS now supports Golang for language vulnerability scanning.
RHACS now supports Oracle Linux, SUSE Linux Enterprise, and Photon OS for operating system scanning.
Comprehensive vulnerability database source: Scanner V4 uses OSV.dev as the vulnerability database source for all supported programming language packages.
For more details, see About RHACS Scanner V4.
With this release, Vulnerability Management 2.0 is generally available. Red Hat has consolidated all updates into a single, unified Vulnerability Management dashboard, providing an enhanced user experience with intuitive navigation.
It includes persona-specific vulnerability management views. For example, the Node CVEs view shows only information about CVEs impacting the underlying CoreOS hosts. The team responsible for host updates can use that information to take targeted action.
It provides actionable data to triage and remediate vulnerabilities efficiently.
It includes enhanced Exception management workflows with audit capabilities.
The default filter view now persists across user sessions.
You can download comprehensive vulnerability on-demand reports scoped with collections.
As part of this update, the Risk Acceptance workflow is replaced with Exception Management. When you upgrade to RHACS 4.5, the following changes occur:
|
This release includes the following updates to the Compliance view:
You can integrate with an email server to send scheduled reports.
You can now generate an on-demand report for any scan configuration. RHACS can send it by email.
You can filter scan results by profile so that you can focus on specific compliance standards.
Profiles now include benchmark names, providing more context and clarity.
Scan results now include control data associated with the benchmark, giving you a comprehensive view of your compliance posture.
If you are using Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service), you can use the new built-in email notifier to send email notifications without configuring a third-party email provider.
roxctl
installation GitHub actionThe roxctl-installer-action GitHub action is now available. You can use it to install roxctl
in your GitHub workflows and run roxctl image check
and roxctl image scan
commands in your CI pipelines.
Before this release, you could verify image signatures against pre-configured keys only. With RHACS 4.5, Red Hat has extended the image signature verification to include verifying certificates. This method is available in addition to verifying public keys, so that you can bring your own public key infrastructure (PKI) to verify signatures.
This release introduces an update to the roxctl netpol generate
command.
By default, the command uses port 53
for DNS connections.
You can use the --dnsport
option to override the default DNS port. If you are using OpenShift Container Platform, you must always change the port when generating network policies with roxctl
because OpenShift Container Platform uses port 5353
by default. For example, roxctl netpol generate --dnsport 5353 <other-options>
.
To simplify usage for OpenShift Container Platform and other systems that use named ports, Red Hat plans to enhance the --dnsport
option in a future release to accept strings and numbers. With that change, the generated network policy can use a named port, such as dns
, instead of a specific port number, which is a more portable approach.
For more details, see Generating build-time network policies.
For RHACS Operator, Red Hat has added a label selector for caching configuration of secrets and config maps, resulting in a significant reduction in memory consumption, especially on large clusters. In testing, a 28% decrease was noted in memory usage on a new OpenShift Container Platform cluster.
The RHACS Operator now adds a app.stackrox.io/managed-by: operator
label to all Helm chart resources and secrets created by the operator, providing better organization and visibility.
The RHACS Operator increases the number of requests sent to the API server to retrieve the following types of secrets:
Secrets that the Operator does not manage
Secrets that do not match the cache label selector
Scanner DB now runs on PostgreSQL 15, replacing the earlier version, PostgreSQL 12. Because the database is not persisted, no migration is required, and you can continue using the scanner without any additional steps.
The Nexus and Red Hat registry integrations now attempt to pull manifest digests by using a HEAD request to /v2/<name>/manifests/<reference>
. This change resolves an issue that previously resulted in an unsupported digest algorithm error
when using Scanner V4. You can turn off this new behavior by setting the environment variable ROX_ATTEMPT_MANIFEST_DIGEST
to false
.
RHACS includes new policy categories, and some default policies are tagged with these new policy categories.
Policy category | Policy |
---|---|
Zero Trust |
Deployments should have at least one ingress Network Policy |
Unauthorized Network Flow |
|
Supply Chain Security |
Images with no scans |
30-day Scan Age |
|
90-day Image Age |
|
Required Annotation: Email |
|
Required Annotation: Owner/Team |
|
Required Label: Owner/Team |
|
Latest tag |
When roxctl
CLI generates manifests for OpenShift Container Platform, it now defaults to OpenShift Container Platform 4.x instead of OpenShift Container Platform 3.x.
You can now delegate the Image scans triggered by image watch reprocessing based on the delegated scanning configuration. To turn off this feature, set the Central environment variable ROX_DELEGATE_WATCHED_IMAGE_REPROCESSING
to false
.
The Scanner V4 Matcher now completes concurrent vulnerability updates using iterators, reducing memory consumption from 4GB to 500MB.
RHACS 4.5 slowly populates the initial registry integration repository list /v2/_catalog
to improve Central startup performance. This change reduces startup time in environments with many autogenerated integrations.
RHACS 4.5 includes a new configuration option, ROX_SCANNER_V4_ALLOW_ANONYMOUS_AUTH
, to enable anonymous access to Scanner V4 for debugging purposes. This feature is on by default for development builds and off for release builds.
Deployment bundles created with the roxctl
CLI no longer contain PodSecurityPolicies (PSPs) by default. You must specify the --enable-pod-security-policies
option when you generate deployment bundles to deploy to Kubernetes 1.25 or earlier.
RHACS 4.5 includes improved event handling for Sensor image scan when ROX_UNQUALIFIED_SEARCH_REGISTRIES
is set to true
. This enhancement ensures that only one simultaneous scan request is allowed per unique image, reducing redundant scans. Additionally, it increases the chances of scan cache hits when multiple names for the same image are observed. This feature is on by default when ROX_UNQUALIFIED_SEARCH_REGISTRIES
is true
. To turn it off, set ROX_SENSOR_SINGLE_SCAN
to false
on Sensor.
Red Hat has reduced the default timeout setting for RHACS admission controller webhooks from 20 seconds to 10 seconds, resulting in an effective timeout of 12 seconds within the ValidatingWebhookConfiguration. This change aligns with the unconditional cap of 13 seconds in OpenShift Container Platform. If you rely on longer timeouts, such as those with inline image scanning, you must specify a longer timeout explicitly in the SecuredCluster
custom resource admissionControl.timeoutSeconds
, in Helm admissionControl.dynamic.timeout
, or within a sensor deployment bundle ValidatingWebhookConfiguration
manifest within the admission-controller.yaml
file.
With RHACS 4.5, the ability to snooze Node and Platform CVEs is disabled by default. You must set ROX_VULN_MGMT_LEGACY_SNOOZE
to true
on Central to return to the earlier behavior.
The documentation now clarifies that when you update Scanner definitions in offline mode, Scanner retrieves data from Central every 5 minutes, with Central updating the online data every 5 - 20 minutes and the offline data every 3 hours. For more information, see Updating Scanner definitions in offline mode.
The documentation to view and configure default policies, manage policy categories, and create your own categories was updated. For more information, see Managing security policies.
The documentation was updated to include the --dnsport
option and the example links in the Generating build-time network policies section.
The list of supported operating systems and versions was updated in the Supported operating systems section.
The documentation was updated to include new information about using the built-in email notifier in RHACS Cloud Service. For more information, see Integrating with email on RHACS Cloud Service.
The managing compliance guide where you can find detailed instructions on how to use the compliance feature in RHACS was updated. For more information, see Compliance feature overview.
Some features available in earlier releases have been deprecated or removed.
Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional information about some removed or deprecated functionality is available after the table.
In the table, features are marked with the following statuses:
GA: General Availability
TP: Technology Preview
DEP: Deprecated
REM: Removed
NA: Not applicable
Feature | RHACS 4.3 | RHACS 4.4 | RHACS 4.5 |
---|---|---|---|
|
GA |
DEP |
DEP |
|
DEP |
DEP |
DEP |
|
DEP |
DEP |
DEP |
|
DEP |
DEP |
DEP |
|
DEP |
DEP |
DEP |
|
DEP |
DEP |
DEP |
|
DEP |
DEP |
DEP |
|
DEP |
DEP |
DEP |
Vulnerability Management (1.0) menu item |
DEP |
DEP |
DEP |
Vulnerability Report Creator permission |
DEP |
DEP |
DEP |
|
GA |
DEP |
DEP |
|
GA |
DEP |
DEP |
|
NA |
NA |
DEP |
Reporting of Istio vulnerabilities |
GA |
DEP |
DEP |
Custom Security Context Constraints (SCCs):
|
DEP |
REM |
NA |
CIS Docker v1.2.0 Compliance standard |
DEP |
REM |
NA |
PCI DSS 3.2.1 Compliance standard |
DEP |
REM |
NA |
NIST SP 800-53 Compliance standard |
DEP |
REM |
NA |
NIST SP 800-190 Compliance standard |
DEP |
REM |
NA |
HIPAA 164 Compliance standard |
DEP |
REM |
NA |
CIS Kubernetes v1.5 Compliance standard |
DEP |
REM |
NA |
Reference image pull secret names for the Central components:
|
GA |
REM |
NA |
Reference image pull secret names for the secured cluster components:
|
GA |
REM |
NA |
|
NA |
NA |
DEP |
Kernel support packages and driver download functionality |
NA |
NA |
DEP |
The following section provides information about deprecated features listed in the preceding table and other changes:
To unify the response data for stream and unary API requests:
The error
field returned for failed unary API requests is deprecated. Instead of the error
field, use the message
field to retrieve error information. The message
field has the same information as the error
field.
In the next RHACS release, Red Hat will remove the grpcCode
, httpCode
, and httpStatus
fields in returned error response for gRPC stream APIs. Instead, the response will include a new field, code
which includes the grpcCode
data.
The /v1/summary/counts
API has been deprecated.
The /v1/cve/requests
API for managing vulnerability exceptions is deprecated. Use the new /v2/vulnerability-exceptions/
API.
The rhacs-collector-slim*
images have been deprecated. rhacs-collector
images used to contain kernel modules and eBPF probes, but those items are no longer needed by RHACS. The rhacs-collector*
image and the rhacs-collector-slim*
images are now functionally the same. The rhacs-collector-slim*
image is planned for removal in a future release.
Kernel support packages and driver download functionality are deprecated.
The Dashboard view under Vulnerability Management is deprecated. Use the Workload CVEs, Exception Management, Platform CVEs, and Node CVEs views as alternatives.
The Amazon S3 external backup integration interoperability with Google Cloud Storage is deprecated. You must use the Google Cloud Storage integration for backups.
The following section provides information about removed features listed in the preceding table and other changes:
Red Hat has dropped the support for Helm versions older than 3.9.0. RHACS now requires Helm version 3.9.0 or later to render the stackrox-central-services
and the stackrox-secured-cluster-services
Helm charts.
The ROX_SCANNER_V4_NODE_JS_SUPPORT
environment variable has been replaced with the ROX_SCANNER_V4_PARTIAL_NODE_JS_SUPPORT
environment variable.
EBPF
collection has been removed. Configurations are automatically converted to CORE_BPF
when you upgrade, and the forceCollection
option is no longer applicable.
Direct upgrades from RHACS version 3.74 or earlier to version 4.5 are no longer supported. To upgrade to version 4.5 or later, you must first upgrade to version 4.4.
Release date: 24 July 2024
Previously, a bug prevented users without administrator privileges from accessing the listening endpoint data for clusters and namespaces for which they had read
permission. With this update, users with read
permission can now receive data from the listening endpoints service.
This release includes notable technical changes and bug fixes.
The network graph and the network policy generator in the RHACS portal were updated to clarify that AdminNetworkPolicy
and BaselineAdminNetworkPolicy
resources are not taken into consideration in the network graph or during network policy generation.
RHACS components were updated to versions that include a fix for CVE-2024-41110: Vulnerability in authorization plugins in Docker Engine (AuthZ).
Release date: 14 August 2024
When upgrading to RHACS 4.5.0, in some situations, the upgrade failed with a central-db
error for the uni_compliance_integrations_clusterid
constraint. This problem has been fixed.
After upgrading to RHACS 4.5.0, for nodes with more than 64 cores, Collector displayed an error about the ring buffer size not being allowed. This problem has been fixed.
The network graph was broken for users with clusters running Google Kubernetes Engine (GKE) version 1.29 and later due to a change from Google to use the managed public IP address range 34.118.224.0/20
for default networking services. The network graph marked this IP address range as external. This problem has been fixed.
Release date: 16 September 2024
This release of RHACS introduces the following change:
The handling of orphaned node CVEs has been updated to prevent immediate removal and maintain accurate discovery times. To enable the updated feature, you must set the ROX_ORPHANED_CVES_KEEP_ALIVE
variable in the Central deployment to true
.
This release of RHACS fixes the following bugs:
Fixed an issue where Sensor was unable to identify OpenShift Container Platform internal registry secrets due to a change in the pull secret annotation.
Fixed an issue where policies incorrectly displayed an enforced value of Yes
in the Configuration Management → Application & Infrastructure → Deployments page due to inconsistent status handling, while showing No
in the Violations page.
Fixed an issue where vulnerability data differed between the Vulnerability Management Workload CVE pages and the deprecated Vulnerability Management dashboard due to inconsistencies in vulnerability reporting.
This release of RHACS fixes the following security vulnerability:
CVE-2024-3727: Fixed a vulnerability related to Scanner where the containers/image
digest type did not guarantee a valid type.
Release date: 1 October 2024
This release of RHACS includes the following changes:
Fixed a broken pipe error that caused the RHACS web console to display incomplete data.
Added the --with-database-only
option to the roxctl central debug download-diagnostics
command. You can use this option to generate diagnostic bundles for troubleshooting connection issues related to policy violations and deployments.
This release of RHACS fixes the following security vulnerability:
CVE-2024-39249: Fixed a Regular expression denial of service (ReDoS) vulnerability in the RHACS main container.
Release date: 16 October 2024
This release of RHACS includes the following bug fixes:
Fixed incorrect timestamp data for the First discovered column on the Workload CVE single page when viewing affected images.
Fixed incorrect CVE counts when viewing an image in the Vulnerability Management window that contains CVEs with an unknown severity.
In runtime monitoring, process names and arguments could cause serialization problems when containing invalid UTF-8 characters. This resulted in error messages in the collector logs. Those characters are now filtered and replaced with a ?
when necessary.
Fixed a panic issue where the Central pod restarted on systems that were using Scanner V4. When this issue occurred, the logs displayed an "invalid memory address or nil pointer dereference" runtime error.
Release date: 21 November 2024
This release of RHACS includes the following bug fix:
Fixed an issue where you could not view detailed scan results for certain images in RHACS because the page redirected to an error after a brief display. (ROX-24326)
Additionally, this release addresses the following security vulnerabilities:
CVE-2024-34156 (Stack exhaustion issue in the encoding/gob
package).
CVE-2024-45590 (Denial of service vulnerability in the body-parser
package).
CVE-2024-48910 (Tampering vulnerability in DOMPurify
due to prototype pollution).
CVE-2024-24789 (Improper handling of certain ZIP files in the archive/zip
package).
CVE-2024-24790 (Unexpected behavior in the net/netip
package’s Is methods for IPv4-mapped IPv6 addresses).
You can manually pull, retag, and push Red Hat Advanced Cluster Security for Kubernetes images to your registry. The current version includes the following images:
Image | Description | Current version |
---|---|---|
Main |
Includes Central, Sensor, Admission controller, and Compliance components. Also includes |
|
Central DB |
PostgreSQL instance that provides the database storage for Central. |
|
Scanner |
Scans images and nodes. |
|
Scanner DB |
Stores image scan results and vulnerability definitions. |
|
Scanner V4 |
Scans images. |
|
Scanner V4 DB |
Stores image scan results and vulnerability definitions for Scanner V4. |
|
Collector |
Collects runtime activity in Kubernetes or OpenShift Container Platform clusters. |
|