Red Hat Advanced Cluster Security for Kubernetes (RHACS) 3.65 includes feature enhancements, bug fixes, scale improvements, and other changes.

Release date: September 6, 2021

New features

MITRE ATT&CK Containers Matrix

You can now use the MITRE ATT&CK Containers Matrix to categorize policies in the Red Hat Advanced Cluster Security for Kubernetes. When you create custom security policies, you can now add MITRE ATT&CK Matrix adversary tactics and techniques related information.

Install on more platforms

You can now install Red Hat Advanced Cluster Security for Kubernetes on:

Admission control configuration

You can now configure the dynamic admission control settings in the Red Hat Advanced Cluster Security for Kubernetes Operator. It now includes the following new admission control settings:

  • admissionControl.bypass: Use this parameter to bypass the admission controller.

  • admissionControl.contactImageScanners: Specify true to enable inline scanning of images that are not already scanned during a deployment’s admission review.

  • admissionControl.timeoutSeconds: Use this parameter to specify the maximum number of seconds Red Hat Advanced Cluster Security for Kubernetes should wait for an admission review before marking it as fail open.

See admission controller settings to view all available configuration options.

Important bug fixes

  • ROX-6988: Previously, Red Hat Advanced Cluster Security for Kubernetes did not delete the CVEs and did not update the advisory when some Red Hat packages that transitioned from unfixable to a fixable state.

  • ROX-7170: Previously, Red Hat Advanced Cluster Security for Kubernetes only collected the error logs in the diagnostic bundle if you have installed Red Hat Advanced Cluster Security for Kubernetes services in the stackrox namespace.

  • ROX-7861: Previously, Red Hat Advanced Cluster Security for Kubernetes compliance control NIST 800-190 Control 4.1.4 did not correctly detect policies used for secrets protection.

Resolved in version 3.65.1

Release date: September 22, 2021

  • ROX-8008: Previously, you could not use URN-based IdP Issuers while configuring SAML identity providers. This has been fixed.

  • ROX-8033: Due to how Red Hat Advanced Cluster Security for Kubernetes previously addressed its internal service endpoints, OpenShift clusters with enabled proxy failed to download the correct kernel probes.

  • ROX-8034: Previously, if you were using backported 5.11 kernels for Ubuntu 20.04, the Collector sometimes failed on upgrade due to a change in the Ubuntu kernel build.

Important system changes

  • Red Hat Advanced Cluster Security for Kubernetes 3.65 includes the updated host-pid policy, which adds an exception for the openshift-sdn namespace because the sdn deployment in the openshift-sdn namespace shares the host process namespace, and it resulted in an inaccurate violation.

  • The alert notification titles for PagerDuty, Slack, Microsoft Teams, JIRA, and email notifiers now include the cluster and the policy names in addition to the deployment or image name if it exists.

  • The alert notification for PagerDuty now includes the full alert in the JSON format as a custom detail.

  • All default policy criteria for security policies are now read-only. However, you can still edit the policy criteria fields for the custom policies or policies you create by cloning a system policy.

Upcoming changes

  • In Red Hat Advanced Cluster Security for Kubernetes 3.66, Red Hat will deprecate the following default security policies:

    • DockerHub NGINX 1.10

    • Shellshock: Multiple CVEs

    • Heartbleed: CVE-2014-0160

  • In Red Hat Advanced Cluster Security for Kubernetes 3.66, Red Hat will disable the following default security policy:

    • DOCKER CIS 4.4: Ensure images are scanned and rebuilt to include security patches

You can create custom policies to monitor for these violations.

Image versions

Image Description Current version

Main

Includes Central, Sensor, Admission Controller, and Compliance. Also includes roxctl for use in continuous integration (CI) systems.

registry.redhat.io/rh-acs/main:3.65.1

Scanner

Scans images and nodes.

registry.redhat.io/rh-acs/scanner:2.19.1

Scanner DB

Stores image scan results and vulnerability definitions.

registry.redhat.io/rh-acs/scanner-db:2.19.1

Collector

Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.

registry.redhat.io/rh-acs/collector:3.3.1-latest