
Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. Red Hat Advanced Cluster Security for Kubernetes deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.

Table 1. Release dates
RHACS version    Released on
4.6.0            3 December 2024
4.6.1            18 December 2024

New features

This release adds improvements related to the following components and concepts:

Support for ARM architecture in secured clusters (Technology Preview)

Support for ARM architecture in secured clusters is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

RHACS now supports the ARM architecture for secured cluster components only. Red Hat lists the following benefits of running secured clusters on ARM:

  • Efficient power consumption

  • Better handling of resource-intensive tasks

  • Cost-effective scaling

For more information, see Installation methods for different architectures. The RHACS Central component is not supported on ARM.

Scanner V4 use of CSAF-VEX for vulnerability data

Red Hat is switching to the Common Security Advisory Framework (CSAF) with the Vulnerability Exploitability eXchange (VEX) profile as its standardized security advisory format for communicating vulnerabilities that affect Red Hat products. A VEX document states, for a vulnerability identified by its Common Vulnerabilities and Exposures (CVE) ID, which Red Hat products and components are affected and which are known not to be affected, and it carries more detail than the previous data format. RHACS now uses the Red Hat CSAF-VEX vulnerability data source when Scanner V4 is configured for vulnerability scanning.

For more information about Red Hat security data and VEX, and about how Scanner V4 uses CSAF-VEX data, see the Red Hat security data documentation and the Scanner V4 documentation.
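As an added illustration of what a CSAF-VEX statement carries, the following Python is example code written for these notes, not Scanner V4 code and not a real Red Hat advisory: the vendor, product IDs and CVE numbers in the embedded document are constructed placeholders that only show the document structure. It parses a minimal VEX document and resolves the status a product has for a CVE. The caveat it encodes is the one that matters when you consume this data: a product the document does not mention is unknown, not "not affected".

```python
import json

# Constructed minimal CSAF 2.0 document using the VEX profile, written for this
# example. Not a real Red Hat advisory: vendor, products and CVEs are placeholders.
SAMPLE_VEX_JSON = json.dumps({
    "document": {"category": "csaf_vex", "csaf_version": "2.0",
                 "title": "Constructed VEX example",
                 "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final"}},
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
            {"category": "product_name", "name": "Example OS 9",
             "product": {"name": "Example OS 9", "product_id": "os9"}},
            {"category": "product_version", "name": "libfoo-1.2.3",
             "product": {"name": "libfoo-1.2.3", "product_id": "libfoo-1.2.3"}},
            {"category": "product_version", "name": "libfoo-1.2.4",
             "product": {"name": "libfoo-1.2.4", "product_id": "libfoo-1.2.4"}},
        ]}],
        # VEX statements target a component *as shipped in* a product; CSAF
        # expresses that as a relationship that carries its own product_id.
        "relationships": [
            {"category": "default_component_of", "product_reference": "libfoo-1.2.3",
             "relates_to_product_reference": "os9",
             "full_product_name": {"name": "libfoo-1.2.3 as a component of Example OS 9",
                                   "product_id": "os9:libfoo-1.2.3"}},
            {"category": "default_component_of", "product_reference": "libfoo-1.2.4",
             "relates_to_product_reference": "os9",
             "full_product_name": {"name": "libfoo-1.2.4 as a component of Example OS 9",
                                   "product_id": "os9:libfoo-1.2.4"}},
        ],
    },
    "vulnerabilities": [
        {"cve": "CVE-2000-0001",
         "product_status": {"known_affected": ["os9:libfoo-1.2.3"],
                            "fixed": ["os9:libfoo-1.2.4"]}},
        {"cve": "CVE-2000-0002",
         "product_status": {"known_not_affected": ["os9:libfoo-1.2.3", "os9:libfoo-1.2.4"]},
         "flags": [{"label": "vulnerable_code_not_present",
                    "product_ids": ["os9:libfoo-1.2.3", "os9:libfoo-1.2.4"]}]},
    ],
})

STATUS_CATEGORIES = ("known_affected", "known_not_affected", "fixed", "under_investigation")


def load_vex(text):
    """Parse a CSAF document and reject anything that is not the VEX profile."""
    doc = json.loads(text)
    if doc.get("document", {}).get("category") != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    return doc


def product_names(doc):
    """Map every product_id in the product_tree (branches and relationships) to its name."""
    names = {}

    def walk(branch):
        if "product" in branch:
            names[branch["product"]["product_id"]] = branch["product"]["name"]
        for child in branch.get("branches", []):
            walk(child)

    tree = doc.get("product_tree", {})
    for branch in tree.get("branches", []):
        walk(branch)
    for rel in tree.get("relationships", []):
        names[rel["full_product_name"]["product_id"]] = rel["full_product_name"]["name"]
    return names


def vex_status(doc, cve, product_id):
    """Return the product_status category asserted for (cve, product_id), or None.

    None means the document says nothing about that pair, which is *not* the
    same as known_not_affected. A product listed under two categories for one
    CVE is a malformed statement and is rejected rather than guessed at.
    """
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        status = vuln.get("product_status", {})
        hits = [cat for cat in STATUS_CATEGORIES if product_id in status.get(cat, [])]
        if len(hits) > 1:
            raise ValueError(f"{cve}: {product_id} has conflicting statuses {hits}")
        return hits[0] if hits else None
    return None


def not_affected_justification(doc, cve, product_id):
    """Return the VEX justification flag label (e.g. vulnerable_code_not_present), or None."""
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") == cve:
            for flag in vuln.get("flags", []):
                if product_id in flag.get("product_ids", []):
                    return flag.get("label")
    return None


if __name__ == "__main__":
    doc, names = load_vex(SAMPLE_VEX_JSON), product_names(load_vex(SAMPLE_VEX_JSON))
    for cve in ("CVE-2000-0001", "CVE-2000-0002", "CVE-2000-0003"):
        for pid in ("os9:libfoo-1.2.3", "os9:libfoo-1.2.4"):
            print(cve, names[pid], "->", vex_status(doc, cve, pid))
```

Note that statuses are attached to the relationship product ID ("os9:libfoo-1.2.3"), not to the bare component ID ("libfoo-1.2.3"); a lookup by the bare ID returns None, which is the correct answer rather than a silent miss.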

Scanner V4 support for RHCOS (Technology Preview)

Scanner V4 support for RHCOS is a Technology Preview feature only. See the Technology Preview support-scope note under "Support for ARM architecture in secured clusters" above.

RHACS now supports scanning of Red Hat Enterprise Linux CoreOS (RHCOS) nodes with Scanner V4. For more information, see Enabling RHCOS node scanning with Scanner V4.

Support for policy as code (Technology Preview)

Policy as code is a Technology Preview feature only. See the Technology Preview support-scope note under "Support for ARM architecture in secured clusters" above.

With this release, RHACS adds the ability to manage RHACS policies as Kubernetes custom resources, enabling GitOps workflows such as Argo CD. For more information, see Managing policies as code.

Compliance reporting (Technology Preview)

Compliance reporting is a Technology Preview feature only. See the Technology Preview support-scope note under "Support for ARM architecture in secured clusters" above.

Compliance reporting is available as a Technology Preview for all OpenShift clusters running Compliance Operator version 1.6 or later. With this feature, you can more easily access the compliance results of a given scan schedule in a CSV file.

Compliance reporting provides the following options:

  • Generating the report on-demand directly by using the RHACS portal or the API

  • Sending the report periodically by email every time a scan is scheduled

  • Adding email notifiers to a scan configuration, when you create it, as destinations for on-demand reports

  • Generating an on-demand report for a given scan configuration, which RHACS sends to any notifiers configured on that scan configuration

Visualizing external entities in the network graph (Technology Preview)

Visualizing external entities is a Technology Preview feature only. See the Technology Preview support-scope note under "Support for ARM architecture in secured clusters" above.

The network graph now provides additional insights into connections to external entities. With this update, you can view specific IP addresses associated with these external connections, offering a more comprehensive overview of network activity.

To configure RHACS to collect this information for a cluster, you modify the secured cluster’s runtime configuration by using a ConfigMap. For more information, see Visualizing external entities.

Microsoft Sentinel notifier added

RHACS has added a Microsoft Sentinel notifier to send alerts and audit logs to Azure Log Analytics Workspace. For more information, see Integrating with Microsoft Sentinel notifier.

Support for backups using non-AWS S3 compatible providers

RHACS has added a new external backup integration for non-AWS S3 compatible providers. For more information, see Integrating with S3 API compatible services.

Vulnerability Management page updates

The Vulnerability Management page has updates and improvements, including the following changes:

CVE published date

RHACS now reports the CVE published date in vulnerability management data shown in the portal and obtained from the API. This field uses the first published date for the CVE that is obtained from vendor-specific security data feeds, when those are available. If data from the vendor is missing, data from the National Vulnerability Database (NVD) is used to populate the CVE published date field.

Hiding unwanted display columns

RHACS now provides the ability to hide unwanted columns in tables by using column management. Starting with the Workload CVEs section of RHACS, a button is displayed above the table containing the text "Columns" and provides a count of the number of columns that are enabled. You can click this button to open a menu to hide unwanted columns. These settings are saved per table in your browser and remain in place across separate sessions.

Certifications

Red Hat Advanced Cluster Security Cloud Service is certified according to the following global standards for security, compliance, and data protection:

  • ISO/IEC 27001:2022

  • ISO/IEC 27017:2015

  • ISO/IEC 27018:2019

  • PCI DSS 4.0

  • SOC 2 Type 2

  • SOC 3

Notable technical changes

This release contains the following changes:

Secured cluster upgrade behavior enhancements

The following changes were made to the upgrade functionality on secured clusters:

  • RHACS Cloud Service: Secured clusters that were deployed by using the roxctl CLI, also called the manifest method, can now be automatically upgraded by using the cluster upgrader.

  • RHACS Central:

    • Messages and errors for the secured cluster upgrader are now simpler and clearer.

    • Typical failure scenarios for cluster upgrader are now documented. For more information, see Troubleshooting the cluster upgrader.

Flag for diagnostic bundles to include only database information

The roxctl central debug download-diagnostics command, which creates diagnostic bundles for troubleshooting, has a new --with-database-only flag. With this flag, the bundle contains only database metrics, which keeps it small when database information is all you need to diagnose performance problems in large clusters.

Additional changes
  • The automatic detection of OpenShift clusters in the Helm charts has changed. Detection now depends on the presence of the project.openshift.io/v1 API version, so a cluster that does not serve that API is no longer treated as OpenShift.

  • Sensor now stores pull secrets by secret name and registry host instead of by registry host only. Previously, when several secrets in a namespace targeted the same registry, only one credential was retained for that host, which caused delegated scanning authentication failures. Keying by name and host retains every secret and more closely aligns with how Kubernetes handles imagePullSecrets. To restore the old behavior and store secrets by registry host only, set ROX_SENSOR_PULL_SECRETS_BY_NAME to false.

  • The HTTP method for the /v2/compliance/scan/configurations/reports/run endpoint has changed from PUT to POST. Clients that still send PUT must be updated.
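To make the pull-secret keying change concrete, the following Python models the two behaviors side by side. It is illustrative code written for these notes, not Sensor's implementation; the two secrets, the namespace, the registry and the robot account names are constructed placeholders, and the secrets are built in the same shape that `kubectl get secret -o json` prints for a kubernetes.io/dockerconfigjson secret.

```python
import base64
import json


def pull_secret(name, namespace, registry, username, password):
    """Constructed kubernetes.io/dockerconfigjson Secret, shaped like kubectl's JSON output."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry: {"username": username, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()},
    }


def registry_host(key):
    """Normalize a docker config "auths" key to a bare host: scheme and path are dropped."""
    return key.split("://", 1)[-1].split("/", 1)[0]


def parse_pull_secret(secret):
    """Yield (host, username, password) for each auths entry of a dockerconfigjson secret."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    for key, entry in config.get("auths", {}).items():
        if entry.get("auth"):   # "auth" is base64("user:password"); it wins over the split fields
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, password = entry.get("username", ""), entry.get("password", "")
        yield registry_host(key), user, password


def index_by_host(secrets):
    """Pre-4.6 keying: one credential per host, so a later secret silently replaces an earlier one."""
    index = {}
    for secret in secrets:
        for host, user, password in parse_pull_secret(secret):
            index[host] = (user, password)
    return index


def index_by_name_and_host(secrets):
    """4.6 keying: (secret name, host), so every secret's credential is retained."""
    index = {}
    for secret in secrets:
        for host, user, password in parse_pull_secret(secret):
            index[(secret["metadata"]["name"], host)] = (user, password)
    return index


def credentials_for(index, image_pull_secrets, host):
    """Pick the credential for `host` in the order of the pod's imagePullSecrets list."""
    for name in image_pull_secrets:
        if (name, host) in index:
            return index[(name, host)]
    return None


# Constructed scenario: two teams in one namespace, each with its own robot
# account on the same registry. Under host-only keying one of them is lost.
SECRETS = [
    pull_secret("team-a-pull", "payments", "https://registry.example.com/team-a", "robot-a", "secret-a"),
    pull_secret("team-b-pull", "payments", "registry.example.com", "robot-b", "secret-b"),
]

if __name__ == "__main__":
    print("by host:         ", index_by_host(SECRETS))            # only robot-b survives
    print("by name and host:", index_by_name_and_host(SECRETS))   # both retained
```

The failure mode is visible in `index_by_host`: whichever secret Sensor saw last wins for registry.example.com, so a pod that lists team-a-pull in imagePullSecrets is authenticated with team-b's credentials and the delegated scan fails.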

Documentation updates

Documentation updates include the following:

Feature flag documentation

Documentation has been added to show you how to manage features that are enabled as Technology Preview features. For more information, see Managing feature flags.

API documentation available publicly

Previously, the API documentation was available only from within the product, by clicking the help (?) icon and selecting API Reference. The API documentation is now publicly available; see the API Reference.

Deprecated and removed features

Some features available in earlier releases have been deprecated or removed.

Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional removed or deprecated functionality is available after the table.

In the table, features are marked with the following statuses:

  • GA: General Availability

  • TP: Technology Preview

  • DEP: Deprecated

  • REM: Removed

  • NA: Not applicable

Table 2. Deprecated and removed features tracker
Feature                                                              RHACS 4.4   RHACS 4.5   RHACS 4.6
API token authentication for Red Hat OpenShift Cluster Manager[1]    GA          GA          DEP
definitions.stackrox.io                                              DEP         DEP         DEP
Google Container Registry integration[2]                             GA          GA          DEP
Kernel support packages and driver download functionality[3]         NA          DEP         DEP
Reporting of Istio vulnerabilities                                   DEP         DEP         DEP
rhacs-collector-slim* images[4]                                      NA          DEP         DEP
stackrox-db Central PVC[5]                                           GA          GA          REM
StackRox Scanner                                                     GA          GA          DEP
/v1/availableAuthProviders endpoint                                  GA          DEP         DEP
/v1/clustercves/suppress APIs[6,7]                                   DEP         DEP         DEP
/v1/clustercves/unsuppress APIs[6,7]                                 DEP         DEP         DEP
/v1/cve/requests APIs[8]                                             DEP         DEP         REM
/v1/nodecves/suppress APIs[6,7]                                      DEP         DEP         DEP
/v1/nodecves/unsuppress APIs[6,7]                                    DEP         DEP         DEP
/v1/summary/counts endpoint                                          NA          DEP         DEP
/v1/tls-challenge endpoint                                           DEP         DEP         DEP
Vulnerability Management (1.0) menu item[9]                          DEP         DEP         DEP
Vulnerability Report Creator permission                              DEP         DEP         DEP

  1. API token authentication has been deprecated by Red Hat OpenShift Cluster Manager. The corresponding cloud source integration now uses service accounts for authentication.

  2. The Google Container Registry integration is now deprecated in response to the deprecation of Container Registry by Google. Users should use Artifact Registry as a registry replacement and Scanner V4 as a scanner replacement.

  3. Kernel support packages and driver download functionality are deprecated.

  4. The rhacs-collector-slim* images have been deprecated. The rhacs-collector* images used to contain kernel modules and eBPF probes, but RHACS no longer needs those items, so the rhacs-collector* and rhacs-collector-slim* images are now functionally the same. The rhacs-collector-slim* images are planned for removal in a future release.

  5. The Central PVC stackrox-db is removed and existing volumes are released. The following flags for configuring Central attached persistent storage have been removed from roxctl:

    • roxctl central generate k8s pvc and roxctl central generate openshift pvc no longer have the flags --name, --size, and --storage-class.

    • roxctl central generate k8s hostpath and roxctl central generate openshift hostpath no longer have the flags --hostpath, --node-selector-key, and --node-selector-value.

  6. This API is controlled by a feature flag and can be enabled or disabled by using the ROX_VULN_MGMT_LEGACY_SNOOZE environment variable.

  7. The format for specifying a duration in JSON requests to /v1/nodecves/suppress, /v1/clustercves/suppress, and /v1/imagecves/suppress has changed to the ProtoJSON format. Only a numeric value in seconds, with an optional fractional part for nanosecond precision and followed by the s suffix, is supported. For example, 0.300s, -5400s, or 9900s. The previously accepted units ns, us, µs, ms, m, and h are no longer supported; a request that still uses them is rejected.

  8. The /v1/cve/requests API for managing vulnerability exceptions is removed. Use the new /v2/vulnerability-exceptions/ API.

  9. The Dashboard view under Vulnerability Management is deprecated. Use the Workload CVEs, Exception Management, Platform CVEs, and Node CVEs views as alternatives.
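As an added example for the duration format change in note 7 (this is helper code written for these notes, not part of RHACS or roxctl), the following Python converts the previously accepted Go-style durations to the ProtoJSON form the suppress APIs now require, and validates a string before it is sent. The request body built by `suppress_request` assumes the field names `cves` and `duration`; confirm them against the API reference for your version before relying on them.

```python
import re
from decimal import Decimal

# Seconds per legacy Go-style unit. These were accepted by the suppress APIs
# before 4.6 and are rejected now; only the "<seconds>s" form remains.
_UNIT_SECONDS = {
    "ns": Decimal("1e-9"), "us": Decimal("1e-6"), "µs": Decimal("1e-6"),
    "ms": Decimal("1e-3"), "s": Decimal(1), "m": Decimal(60), "h": Decimal(3600),
}
# Alternation order matters: "ms" and "ns" must be tried before "m" and "s".
_GO_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
# ProtoJSON google.protobuf.Duration: optional sign, integer seconds, optional
# fraction of at most nine digits (nanoseconds), mandatory "s" suffix.
_PROTOJSON = re.compile(r"-?\d+(?:\.\d{1,9})?s")


def is_protojson_duration(text):
    """True if text is already in the ProtoJSON form that RHACS 4.6 accepts."""
    return _PROTOJSON.fullmatch(text) is not None


def to_protojson_duration(text):
    """Convert a Go-style duration ("1h30m", "300ms", "-5400s") to ProtoJSON "<seconds>s".

    Values already in ProtoJSON form pass through, normalized. Anything the
    legacy parser would also have rejected raises ValueError, so a bad value
    fails locally instead of as an opaque API error.
    """
    sign, body = "", text.strip()
    if body and body[0] in "+-":
        sign, body = ("-" if body[0] == "-" else ""), body[1:]
    total, pos = Decimal(0), 0
    for match in _GO_COMPONENT.finditer(body):
        if match.start() != pos:        # something unparseable between components
            break
        total += Decimal(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(body):
        raise ValueError(f"not a duration: {text!r}")
    total = total.quantize(Decimal("1e-9"))   # nanosecond precision, like Duration
    if total == 0:
        sign = ""                             # never emit "-0s"
    return f"{sign}{format(total.normalize(), 'f')}s"


def suppress_request(cves, duration):
    """Body for a suppress call such as /v1/nodecves/suppress.

    The field names "cves" and "duration" are an assumption made for this
    example; check them against the API reference for your RHACS version.
    """
    return {"cves": list(cves), "duration": to_protojson_duration(duration)}


if __name__ == "__main__":
    for legacy in ("1h30m", "-1h30m", "300ms", "2h45m", "7ns", "9900s"):
        print(f"{legacy:>8} -> {to_protojson_duration(legacy)}")
```

Decimal rather than float arithmetic is deliberate: `300ms` must come out as exactly `0.3s`, and a float conversion can produce a long fractional tail that exceeds the nine digits ProtoJSON allows.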

Deprecated features

The following section provides information about additional deprecated features:

  • To unify the response data for stream and unary API requests, the following changes were made:

    • The error field returned for failed unary API requests is deprecated. Use the message field to retrieve error information instead of the error field. The message field has the same information as the error field.

    • In this release, Red Hat removed the following fields from the error response returned by gRPC stream APIs:

      • grpcCode

      • httpCode

      • httpStatus

      The response now includes a new code field that carries the value previously returned in grpcCode.
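As an added example, not RHACS client code, the following Python normalizes an error body in any of the shapes described above so a script can be migrated without a flag day. The sample bodies are constructed; the `{"error": {...}}` wrapper on stream responses and the `details` list are assumptions about the exact shape, made for this example. The gRPC-to-HTTP table is grpc-gateway's standard mapping, included because httpCode and httpStatus are no longer returned.

```python
import json

# Constructed sample error bodies. Field names follow the release note: unary
# errors carry "error" (deprecated) and "message"; stream errors carried
# grpcCode/httpCode/httpStatus and now carry "code". The {"error": {...}}
# wrapper and "details" are assumptions about the exact shape.
UNARY_LEGACY = '{"error": "invalid cluster id", "code": 3, "message": "invalid cluster id", "details": []}'
STREAM_LEGACY = ('{"error": {"grpcCode": 16, "httpCode": 401, "message": "credentials not found", '
                 '"httpStatus": "Unauthorized", "details": []}}')
STREAM_NEW = '{"error": {"code": 16, "message": "credentials not found", "details": []}}'

# gRPC status code -> HTTP status, as grpc-gateway maps them. This is the
# standard grpc-gateway table, not something the release notes define.
GRPC_TO_HTTP = {
    0: 200, 1: 499, 2: 500, 3: 400, 4: 504, 5: 404, 6: 409, 7: 403, 8: 429,
    9: 400, 10: 409, 11: 400, 12: 501, 13: 500, 14: 503, 15: 500, 16: 401,
}
# Transient statuses worth retrying with backoff; everything else is a caller
# or server bug and retrying only hides it.
RETRYABLE = {4, 8, 14}  # DEADLINE_EXCEEDED, RESOURCE_EXHAUSTED, UNAVAILABLE


def normalize_error(payload):
    """Return (grpc_code, http_status, message) from any of the shapes above.

    "message" is preferred over the deprecated "error" string, "code" over the
    removed "grpcCode", and the HTTP status is derived from the gRPC code when
    the body no longer carries it. Missing values come back as None, never a guess.
    """
    if isinstance(payload, (str, bytes)):
        payload = json.loads(payload)
    if isinstance(payload.get("error"), dict):      # stream error wrapper
        payload = payload["error"]
    message = payload.get("message") or payload.get("error")
    code = payload.get("code", payload.get("grpcCode"))
    if isinstance(code, str) and code.isdigit():    # tolerate stringified codes
        code = int(code)
    http = payload.get("httpCode") or GRPC_TO_HTTP.get(code)
    return code, http, message


def should_retry(payload):
    """True if the normalized error is a transient gRPC status."""
    code, _, _ = normalize_error(payload)
    return code in RETRYABLE


if __name__ == "__main__":
    for body in (UNARY_LEGACY, STREAM_LEGACY, STREAM_NEW):
        print(normalize_error(body), "retry:", should_retry(body))
```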

Bug fixes in version 4.6.0

Release date: 3 December 2024

  • Before this release, the timestamp data displayed incorrectly when viewing affected images in the First discovered column of the Workload CVE single page view. This update resolves the issue.

  • Before this release, the Vulnerability Management window that contains CVEs with an unknown severity displayed incorrect CVE counts when viewing an image. This update resolves the issue.

  • Previously, process names and arguments that contained invalid UTF-8 byte sequences caused serialization errors in runtime monitoring, which appeared as error messages in the Collector logs. Such bytes are now filtered and replaced with a ? where necessary.

  • Previously, when delegated scanning scanned an image that a deployment referenced by tag, and the registry contents for that tag had changed since the deployment was created, RHACS pulled the newer image's metadata and layers instead of those of the image actually running. Now, when the container runtime reports the image digest, the metadata and layers are pulled by that digest rather than by the tag alone.
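The digest-pinning rule behind that last fix, as an added example that is not RHACS code: parse the image reference from the pod spec and the runtime-reported imageID from the container status, and fetch by digest whenever the runtime supplies one. The hostnames, tags and digests used below are constructed; the `docker-pullable://` prefix is one that some kubelets put on imageID.

```python
import re

_SHA256 = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Split [registry/]repository[:tag][@digest] into its parts, Docker-style.

    Strips the docker-pullable:// prefix some kubelets put on imageID, infers
    docker.io and the library/ namespace for bare names, and treats the first
    path component as a registry only when it looks like a host.
    """
    ref = ref.removeprefix("docker-pullable://").removeprefix("docker://")
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _SHA256.match(digest):
            raise ValueError(f"unsupported digest: {digest}")
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:       # a colon in the last segment is a tag, not a port
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def pinned_reference(spec_image, runtime_image_id):
    """Return the reference to fetch for scanning, pinned to the digest the runtime reports.

    spec_image is the (possibly mutable) reference from the pod spec and
    runtime_image_id is imageID from the container status. When the runtime
    reports a registry digest, pull by it so that a tag re-pushed after
    deployment does not cause a different image to be scanned. A bare
    "sha256:..." imageID is a local image ID, not a registry digest, and a
    runtime reference without "@" carries no digest; both fall back to the
    spec reference unchanged rather than inventing one.
    """
    spec = parse_reference(spec_image)
    if spec["digest"]:                        # already pinned by the author
        return spec_image
    if runtime_image_id.startswith("sha256:") or "@" not in runtime_image_id:
        return spec_image
    running = parse_reference(runtime_image_id)
    return f"{running['registry']}/{running['repository']}@{running['digest']}"


if __name__ == "__main__":
    digest = "sha256:" + "ab" * 32          # constructed placeholder digest
    print(pinned_reference("registry.example.com/team/app:1.0",
                           "docker-pullable://registry.example.com/team/app@" + digest))
    print(pinned_reference("registry.example.com/team/app:1.0", digest))
```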

About release 4.6.1

Release date: 18 December 2024

This release of RHACS fixes the following bugs:

  • Fixed an issue where Sensor reported itself online as soon as Central was reachable over HTTP, before the gRPC connection to Central was actually established.

  • Fixed an issue where HTML markup in column values was rendered, rather than escaped, in generated PDFs because of insufficient sanitization.

Image versions

You can manually pull, retag, and push Red Hat Advanced Cluster Security for Kubernetes images to your registry. The current version includes the following images:

Table 3. Red Hat Advanced Cluster Security for Kubernetes images

Main
  Description: Includes Central, Sensor, Admission controller, and Compliance components. Also includes roxctl for use in continuous integration (CI) systems.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.6.1

Central DB
  Description: PostgreSQL instance that provides the database storage for Central.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8:4.6.1

Scanner
  Description: Scans images and nodes.
  Current versions:
    registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.6.1
    registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.1

Scanner DB
  Description: Stores image scan results and vulnerability definitions.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.1

Scanner V4
  Description: Scans images.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.1

Scanner V4 DB
  Description: Stores image scan results and vulnerability definitions for Scanner V4.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.1

Collector
  Description: Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.
  Current versions:
    registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.6.1
    registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.1