×

Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. Red Hat Advanced Cluster Security for Kubernetes deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.

Table 1. Release dates
RHACS version Released on

4.5.0

24 July 2024

4.5.1

14 August 2024

4.5.2

16 September 2024

4.5.3

1 October 2024

4.5.4

16 October 2024

4.5.5

22 November 2024

New features

This release adds improvements related to the following components and concepts:

Scanner V4 is generally available

Scanner V4 is now generally available. It integrates the features of the StackRox Scanner and the upstream Clair V4 Scanner and provides the following improvements:

  • Consistent and accurate scanning: Scanner V4 provides reliable vulnerability scan results across the entire Red Hat product ecosystem.

  • Expanded language and operating system support:

    • RHACS now supports Golang for language vulnerability scanning.

    • RHACS now supports Oracle Linux, SUSE Linux Enterprise, and Photon OS for operating system scanning.

  • Comprehensive vulnerability database source: Scanner V4 uses OSV.dev as the vulnerability database source for all supported programming language packages.

For more details, see About RHACS Scanner V4.

Vulnerability Management 2.0 is generally available

With this release, Vulnerability Management 2.0 is generally available. Red Hat has consolidated all updates into a single, unified Vulnerability Management dashboard, providing an enhanced user experience with intuitive navigation.

  • It includes persona-specific vulnerability management views. For example, the Node CVEs view shows only information about CVEs impacting the underlying CoreOS hosts. The team responsible for host updates can use that information to take targeted action.

  • It provides actionable data to triage and remediate vulnerabilities efficiently.

  • It includes enhanced Exception management workflows with audit capabilities.

  • The default filter view now persists across user sessions.

  • You can download comprehensive vulnerability on-demand reports scoped with collections.

As part of this update, the Risk Acceptance workflow is replaced with Exception Management. When you upgrade to RHACS 4.5, the following changes occur:

  • Existing deferrals and false positive requests are migrated to Exception Management.

  • Globally snoozed Image CVEs are migrated to create approved deferrals under Exception Management.

Compliance updates

This release includes the following updates to the Compliance view:

  • You can integrate with an email server to send scheduled reports.

  • You can now generate an on-demand report for any scan configuration. RHACS can send it by email.

  • You can filter scan results by profile so that you can focus on specific compliance standards.

  • Profiles now include benchmark names, providing more context and clarity.

  • Scan results now include control data associated with the benchmark, giving you a comprehensive view of your compliance posture.

Built-in email notifier in RHACS Cloud Service

If you are using Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service), you can use the new built-in email notifier to send email notifications without configuring a third-party email provider.

roxctl installation GitHub action

The roxctl-installer-action GitHub action is now available. You can use it to install roxctl in your GitHub workflows and run roxctl image check and roxctl image scan commands in your CI pipelines.

Bring your own PKI for signature verification

Before this release, you could verify image signatures against pre-configured keys only. With RHACS 4.5, Red Hat has extended the image signature verification to include verifying certificates. This method is available in addition to verifying public keys, so that you can bring your own public key infrastructure (PKI) to verify signatures.

Build-time network policy tools updates

This release introduces an update to the roxctl netpol generate command.

  • By default, the command uses port 53 for DNS connections.

  • You can use the --dnsport option to override the default DNS port. If you are using OpenShift Container Platform, you must always change the port when generating network policies with roxctl because OpenShift Container Platform uses port 5353 by default. For example, roxctl netpol generate --dnsport 5353 <other-options>.

To simplify usage for OpenShift Container Platform and other systems that use named ports, Red Hat plans to enhance the --dnsport option in a future release to accept strings and numbers. With that change, the generated network policy can use a named port, such as dns, instead of a specific port number, which is a more portable approach.

Enhanced RHACS Cloud Service experience

The RHACS Cloud Service experience on console.redhat.com is improved, making signing up for a trial and getting support easier.

Notable technical changes

  • For RHACS Operator, Red Hat has added a label selector for caching configuration of secrets and config maps, resulting in a significant reduction in memory consumption, especially on large clusters. In testing, a 28% decrease was noted in memory usage on a new OpenShift Container Platform cluster.

  • The RHACS Operator now adds a app.stackrox.io/managed-by: operator label to all Helm chart resources and secrets created by the operator, providing better organization and visibility.

  • The RHACS Operator increases the number of requests sent to the API server to retrieve the following types of secrets:

    • Secrets that the Operator does not manage

    • Secrets that do not match the cache label selector

  • Scanner DB now runs on PostgreSQL 15, replacing the earlier version, PostgreSQL 12. Because the database is not persisted, no migration is required, and you can continue using the scanner without any additional steps.

  • The Nexus and Red Hat registry integrations now attempt to pull manifest digests by using a HEAD request to /v2/<name>/manifests/<reference>. This change resolves an issue that previously resulted in an unsupported digest algorithm error when using Scanner V4. You can turn off this new behavior by setting the environment variable ROX_ATTEMPT_MANIFEST_DIGEST to false.

  • RHACS includes new policy categories, and some default policies are tagged with these new policy categories.

    Table 2. New policy categories
    Policy category Policy

    Zero Trust

    Deployments should have at least one ingress Network Policy

    Unauthorized Network Flow

    Supply Chain Security

    Images with no scans

    30-day Scan Age

    90-day Image Age

    Required Annotation: Email

    Required Annotation: Owner/Team

    Required Label: Owner/Team

    Latest tag

  • When roxctl CLI generates manifests for OpenShift Container Platform, it now defaults to OpenShift Container Platform 4.x instead of OpenShift Container Platform 3.x.

  • You can now delegate the Image scans triggered by image watch reprocessing based on the delegated scanning configuration. To turn off this feature, set the Central environment variable ROX_DELEGATE_WATCHED_IMAGE_REPROCESSING to false.

  • The Scanner V4 Matcher now completes concurrent vulnerability updates using iterators, reducing memory consumption from 4GB to 500MB.

  • RHACS 4.5 slowly populates the initial registry integration repository list /v2/_catalog to improve Central startup performance. This change reduces startup time in environments with many autogenerated integrations.

  • RHACS 4.5 includes a new configuration option, ROX_SCANNER_V4_ALLOW_ANONYMOUS_AUTH, to enable anonymous access to Scanner V4 for debugging purposes. This feature is on by default for development builds and off for release builds.

  • Deployment bundles created with the roxctl CLI no longer contain PodSecurityPolicies (PSPs) by default. You must specify the --enable-pod-security-policies option when you generate deployment bundles to deploy to Kubernetes 1.25 or earlier.

  • RHACS 4.5 includes improved event handling for Sensor image scan when ROX_UNQUALIFIED_SEARCH_REGISTRIES is set to true. This enhancement ensures that only one simultaneous scan request is allowed per unique image, reducing redundant scans. Additionally, it increases the chances of scan cache hits when multiple names for the same image are observed. This feature is on by default when ROX_UNQUALIFIED_SEARCH_REGISTRIES is true. To turn it off, set ROX_SENSOR_SINGLE_SCAN to false on Sensor.

  • Red Hat has reduced the default timeout setting for RHACS admission controller webhooks from 20 seconds to 10 seconds, resulting in an effective timeout of 12 seconds within the ValidatingWebhookConfiguration. This change aligns with the unconditional cap of 13 seconds in OpenShift Container Platform. If you rely on longer timeouts, such as those with inline image scanning, you must specify a longer timeout explicitly in the SecuredCluster custom resource admissionControl.timeoutSeconds, in Helm admissionControl.dynamic.timeout, or within a sensor deployment bundle ValidatingWebhookConfiguration manifest within the admission-controller.yaml file.

  • With RHACS 4.5, the ability to snooze Node and Platform CVEs is disabled by default. You must set ROX_VULN_MGMT_LEGACY_SNOOZE to true on Central to return to the earlier behavior.

Documentation updates

  • The documentation now clarifies that when you update Scanner definitions in offline mode, Scanner retrieves data from Central every 5 minutes, with Central updating the online data every 5 - 20 minutes and the offline data every 3 hours. For more information, see Updating Scanner definitions in offline mode.

  • The documentation to view and configure default policies, manage policy categories, and create your own categories was updated. For more information, see Managing security policies.

  • The documentation was updated to include the --dnsport option and the example links in the Generating build-time network policies section.

  • The list of supported operating systems and versions was updated in the Supported operating systems section.

  • The documentation was updated to include new information about using the built-in email notifier in RHACS Cloud Service. For more information, see Integrating with email on RHACS Cloud Service.

  • The managing compliance guide where you can find detailed instructions on how to use the compliance feature in RHACS was updated. For more information, see Compliance feature overview.

Deprecated and removed features

Some features available in earlier releases have been deprecated or removed.

Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional information about some removed or deprecated functionality is available after the table.

In the table, features are marked with the following statuses:

  • GA: General Availability

  • TP: Technology Preview

  • DEP: Deprecated

  • REM: Removed

  • NA: Not applicable

Table 3. Deprecated and removed features tracker
Feature RHACS 4.3 RHACS 4.4 RHACS 4.5

definitions.stackrox.io

GA

DEP

DEP

roxctl connectivity-map

DEP

DEP

DEP

roxctl generate netpol

DEP

DEP

DEP

/v1/clustercves/suppress APIs

DEP

DEP

DEP

/v1/clustercves/unsuppress APIs

DEP

DEP

DEP

/v1/cve/requests APIs

DEP

DEP

DEP

/v1/nodecves/suppress APIs

DEP

DEP

DEP

/v1/nodecves/unsuppress APIs

DEP

DEP

DEP

Vulnerability Management (1.0) menu item

DEP

DEP

DEP

Vulnerability Report Creator permission

DEP

DEP

DEP

/v1/availableAuthProviders endpoint

GA

DEP

DEP

/v1/tls-challenge endpoint

GA

DEP

DEP

/v1/summary/counts endpoint

NA

NA

DEP

Reporting of Istio vulnerabilities

GA

DEP

DEP

Custom Security Context Constraints (SCCs):

  • stackrox-collector

  • stackrox-admission-control

  • stackrox-sensor

DEP

REM

NA

CIS Docker v1.2.0 Compliance standard

DEP

REM

NA

PCI DSS 3.2.1 Compliance standard

DEP

REM

NA

NIST SP 800-53 Compliance standard

DEP

REM

NA

NIST SP 800-190 Compliance standard

DEP

REM

NA

HIPAA 164 Compliance standard

DEP

REM

NA

CIS Kubernetes v1.5 Compliance standard

DEP

REM

NA

Reference image pull secret names for the Central components:

  • stackrox

  • stackrox-scanner

GA

REM

NA

Reference image pull secret names for the secured cluster components:

  • stackrox

  • stackrox-scanner

  • secured-cluster-services-main

  • secured-cluster-services-collector

  • collector-stackrox

GA

REM

NA

rhacs-collector-slim* images

NA

NA

DEP

Kernel support packages and driver download functionality

NA

NA

DEP

Deprecated features

The following section provides information about deprecated features listed in the preceding table and other changes:

  • To unify the response data for stream and unary API requests:

    • The error field returned for failed unary API requests is deprecated. Instead of the error field, use the message field to retrieve error information. The message field has the same information as the error field.

    • In the next RHACS release, Red Hat will remove the grpcCode, httpCode, and httpStatus fields in returned error response for gRPC stream APIs. Instead, the response will include a new field, code which includes the grpcCode data.

  • The /v1/summary/counts API has been deprecated.

  • The /v1/cve/requests API for managing vulnerability exceptions is deprecated. Use the new /v2/vulnerability-exceptions/ API.

  • The rhacs-collector-slim* images have been deprecated. rhacs-collector images used to contain kernel modules and eBPF probes, but those items are no longer needed by RHACS. The rhacs-collector* image and the rhacs-collector-slim* images are now functionally the same. The rhacs-collector-slim* image is planned for removal in a future release.

  • Kernel support packages and driver download functionality are deprecated.

  • The Dashboard view under Vulnerability Management is deprecated. Use the Workload CVEs, Exception Management, Platform CVEs, and Node CVEs views as alternatives.

  • The Amazon S3 external backup integration interoperability with Google Cloud Storage is deprecated. You must use the Google Cloud Storage integration for backups.

Removed features

The following section provides information about removed features listed in the preceding table and other changes:

  • Red Hat has dropped the support for Helm versions older than 3.9.0. RHACS now requires Helm version 3.9.0 or later to render the stackrox-central-services and the stackrox-secured-cluster-services Helm charts.

  • The ROX_SCANNER_V4_NODE_JS_SUPPORT environment variable has been replaced with the ROX_SCANNER_V4_PARTIAL_NODE_JS_SUPPORT environment variable.

  • EBPF collection has been removed. Configurations are automatically converted to CORE_BPF when you upgrade, and the forceCollection option is no longer applicable.

  • Direct upgrades from RHACS version 3.74 or earlier to version 4.5 are no longer supported. To upgrade to version 4.5 or later, you must first upgrade to version 4.4.

Bug fixes in version 4.5.0

Release date: 24 July 2024

  • Previously, a bug prevented users without administrator privileges from accessing the listening endpoint data for clusters and namespaces for which they had read permission. With this update, users with read permission can now receive data from the listening endpoints service.

About release 4.5.1

This release includes notable technical changes and bug fixes.

Changes in version 4.5.1

  • The network graph and the network policy generator in the RHACS portal were updated to clarify that AdminNetworkPolicy and BaselineAdminNetworkPolicy resources are not taken into consideration in the network graph or during network policy generation.

  • RHACS components were updated to versions that include a fix for CVE-2024-41110: Vulnerability in authorization plugins in Docker Engine (AuthZ).

Bug fixes in version 4.5.1

Release date: 14 August 2024

  • When upgrading to RHACS 4.5.0, in some situations, the upgrade failed with a central-db error for the uni_compliance_integrations_clusterid constraint. This problem has been fixed.

  • After upgrading to RHACS 4.5.0, for nodes with more than 64 cores, Collector displayed an error about the ring buffer size not being allowed. This problem has been fixed.

  • The network graph was broken for users with clusters running Google Kubernetes Engine (GKE) version 1.29 and later due to a change from Google to use the managed public IP address range 34.118.224.0/20 for default networking services. The network graph marked this IP address range as external. This problem has been fixed.

About release 4.5.2

Release date: 16 September 2024

This release of RHACS introduces the following change:

  • The handling of orphaned node CVEs has been updated to prevent immediate removal and maintain accurate discovery times. To enable the updated feature, you must set the ROX_ORPHANED_CVES_KEEP_ALIVE variable in the Central deployment to true.

This release of RHACS fixes the following bugs:

  • Fixed an issue where Sensor was unable to identify OpenShift Container Platform internal registry secrets due to a change in the pull secret annotation.

  • Fixed an issue where policies incorrectly displayed an enforced value of Yes in the Configuration ManagementApplication & InfrastructureDeployments page due to inconsistent status handling, while showing No in the Violations page.

  • Fixed an issue where vulnerability data differed between the Vulnerability Management Workload CVE pages and the deprecated Vulnerability Management dashboard due to inconsistencies in vulnerability reporting.

This release of RHACS fixes the following security vulnerability:

  • CVE-2024-3727: Fixed a vulnerability related to Scanner where the containers/image digest type did not guarantee a valid type.

About release 4.5.3

Release date: 1 October 2024

This release of RHACS includes the following changes:

  • Fixed a broken pipe error that caused the RHACS web console to display incomplete data.

  • Added the --with-database-only option to the roxctl central debug download-diagnostics command. You can use this option to generate diagnostic bundles for troubleshooting connection issues related to policy violations and deployments.

This release of RHACS fixes the following security vulnerability:

  • CVE-2024-39249: Fixed a Regular expression denial of service (ReDoS) vulnerability in the RHACS main container.

About release 4.5.4

Release date: 16 October 2024

This release of RHACS includes the following bug fixes:

  • Fixed incorrect timestamp data for the First discovered column on the Workload CVE single page when viewing affected images.

  • Fixed incorrect CVE counts when viewing an image in the Vulnerability Management window that contains CVEs with an unknown severity.

  • In runtime monitoring, process names and arguments could cause serialization problems when containing invalid UTF-8 characters. This resulted in error messages in the collector logs. Those characters are now filtered and replaced with a ? when necessary.

  • Fixed a panic issue where the Central pod restarted on systems that were using Scanner V4. When this issue occurred, the logs displayed an "invalid memory address or nil pointer dereference" runtime error.

About release 4.5.5

Release date: 21 November 2024

This release of RHACS includes the following bug fix:

  • Fixed an issue where you could not view detailed scan results for certain images in RHACS because the page redirected to an error after a brief display. (ROX-24326)

Additionally, this release addresses the following security vulnerabilities:

  • CVE-2024-34156 (Stack exhaustion issue in the encoding/gob package).

  • CVE-2024-45590 (Denial of service vulnerability in the body-parser package).

  • CVE-2024-48910 (Tampering vulnerability in DOMPurify due to prototype pollution).

  • CVE-2024-24789 (Improper handling of certain ZIP files in the archive/zip package).

  • CVE-2024-24790 (Unexpected behavior in the net/netip package’s Is methods for IPv4-mapped IPv6 addresses).

Image versions

You can manually pull, retag, and push Red Hat Advanced Cluster Security for Kubernetes images to your registry. The current version includes the following images:

Table 4. Red Hat Advanced Cluster Security for Kubernetes images
Image Description Current version

Main

Includes Central, Sensor, Admission controller, and Compliance components. Also includes roxctl for use in continuous integration (CI) systems.

registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.5.5

Central DB

PostgreSQL instance that provides the database storage for Central.

registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8:4.5.5

Scanner

Scans images and nodes.

  1. registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.5.5

  2. registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.5

Scanner DB

Stores image scan results and vulnerability definitions.

registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.5

Scanner V4

Scans images.

registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.5

Scanner V4 DB

Stores image scan results and vulnerability definitions for Scanner V4.

registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.5

Collector

Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.

  1. registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.5.5

  2. registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:4.5.5