Red Hat Advanced Cluster Security for Kubernetes 4.5

Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. Red Hat Advanced Cluster Security for Kubernetes deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.

Table 1. Release dates
RHACS version	Released on
`4.5.0`	24 July 2024
`4.5.1`	14 August 2024
`4.5.2`	16 September 2024
`4.5.3`	1 October 2024
`4.5.4`	16 October 2024

About release 4.5.0

RHACS 4.5 includes the following new features, improvements, and updates:

Compliance

Compliance updates

Network

Build-time network policy tools updates

Platform

Vulnerability Management

New features

This release adds improvements related to the following components and concepts:

Scanner V4 is generally available

Scanner V4 is now generally available. It integrates the features of the StackRox Scanner and the upstream Clair V4 Scanner and provides the following improvements:

Consistent and accurate scanning: Scanner V4 provides reliable vulnerability scan results across the entire Red Hat product ecosystem.
Expanded language and operating system support:
- RHACS now supports Golang for language vulnerability scanning.
- RHACS now supports Oracle Linux, SUSE Linux Enterprise, and Photon OS for operating system scanning.
Comprehensive vulnerability database source: Scanner V4 uses OSV.dev as the vulnerability database source for all supported programming language packages.

For more details, see About RHACS Scanner V4.

Vulnerability Management 2.0 is generally available

With this release, Vulnerability Management 2.0 is generally available. Red Hat has consolidated all updates into a single, unified Vulnerability Management dashboard, providing an enhanced user experience with intuitive navigation.

It includes persona-specific vulnerability management views. For example, the Node CVEs view shows only information about CVEs impacting the underlying CoreOS hosts. The team responsible for host updates can use that information to take targeted action.
It provides actionable data to triage and remediate vulnerabilities efficiently.
It includes enhanced Exception management workflows with audit capabilities.
The default filter view now persists across user sessions.
You can download comprehensive vulnerability on-demand reports scoped with collections.

As part of this update, the Risk Acceptance workflow is replaced with Exception Management. When you upgrade to RHACS 4.5, the following changes occur:

Existing deferrals and false positive requests are migrated to Exception Management.
Globally snoozed Image CVEs are migrated to create approved deferrals under Exception Management.

Compliance updates

This release includes the following updates to the Compliance view:

You can integrate with an email server to send scheduled reports.
You can now generate an on-demand report for any scan configuration. RHACS can send it by email.
You can filter scan results by profile so that you can focus on specific compliance standards.
Profiles now include benchmark names, providing more context and clarity.
Scan results now include control data associated with the benchmark, giving you a comprehensive view of your compliance posture.

Built-in email notifier in RHACS Cloud Service

If you are using Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service), you can use the new built-in email notifier to send email notifications without configuring a third-party email provider.

`roxctl` installation GitHub action

The roxctl-installer-action GitHub action is now available. You can use it to install roxctl in your GitHub workflows and run roxctl image check and roxctl image scan commands in your CI pipelines.

Bring your own PKI for signature verification

Before this release, you could verify image signatures against pre-configured keys only. With RHACS 4.5, Red Hat has extended the image signature verification to include verifying certificates. This method is available in addition to verifying public keys, so that you can bring your own public key infrastructure (PKI) to verify signatures.

Build-time network policy tools updates

This release introduces an update to the roxctl netpol generate command.

By default, the command uses port 53 for DNS connections.
You can use the --dnsport option to override the default DNS port. If you are using OpenShift Container Platform, you must always change the port when generating network policies with roxctl because OpenShift Container Platform uses port 5353 by default. For example, roxctl netpol generate --dnsport 5353 <other-options>.

To simplify usage for OpenShift Container Platform and other systems that use named ports, Red Hat plans to enhance the --dnsport option in a future release to accept strings and numbers. With that change, the generated network policy can use a named port, such as dns, instead of a specific port number, which is a more portable approach.

For more details, see Generating build-time network policies.

Enhanced RHACS Cloud Service experience

The RHACS Cloud Service experience on console.redhat.com is improved, making signing up for a trial and getting support easier.

Notable technical changes

For RHACS Operator, Red Hat has added a label selector for caching configuration of secrets and config maps, resulting in a significant reduction in memory consumption, especially on large clusters. In testing, a 28% decrease was noted in memory usage on a new OpenShift Container Platform cluster.
The RHACS Operator now adds a app.stackrox.io/managed-by: operator label to all Helm chart resources and secrets created by the operator, providing better organization and visibility.
The RHACS Operator increases the number of requests sent to the API server to retrieve the following types of secrets:
- Secrets that the Operator does not manage
- Secrets that do not match the cache label selector
Scanner DB now runs on PostgreSQL 15, replacing the earlier version, PostgreSQL 12. Because the database is not persisted, no migration is required, and you can continue using the scanner without any additional steps.
The Nexus and Red Hat registry integrations now attempt to pull manifest digests by using a HEAD request to /v2/<name>/manifests/<reference>. This change resolves an issue that previously resulted in an unsupported digest algorithm error when using Scanner V4. You can turn off this new behavior by setting the environment variable ROX_ATTEMPT_MANIFEST_DIGEST to false.

RHACS includes new policy categories, and some default policies are tagged with these new policy categories.

Table 2. New policy categories
Policy category	Policy
Zero Trust	Deployments should have at least one ingress Network Policy
Zero Trust	Unauthorized Network Flow
Supply Chain Security	Images with no scans
	30-day Scan Age
	90-day Image Age
	Required Annotation: Email
	Required Annotation: Owner/Team
	Required Label: Owner/Team
	Latest tag

When roxctl CLI generates manifests for OpenShift Container Platform, it now defaults to OpenShift Container Platform 4.x instead of OpenShift Container Platform 3.x.
You can now delegate the Image scans triggered by image watch reprocessing based on the delegated scanning configuration. To turn off this feature, set the Central environment variable ROX_DELEGATE_WATCHED_IMAGE_REPROCESSING to false.
The Scanner V4 Matcher now completes concurrent vulnerability updates using iterators, reducing memory consumption from 4GB to 500MB.
RHACS 4.5 slowly populates the initial registry integration repository list /v2/_catalog to improve Central startup performance. This change reduces startup time in environments with many autogenerated integrations.
RHACS 4.5 includes a new configuration option, ROX_SCANNER_V4_ALLOW_ANONYMOUS_AUTH, to enable anonymous access to Scanner V4 for debugging purposes. This feature is on by default for development builds and off for release builds.
Deployment bundles created with the roxctl CLI no longer contain PodSecurityPolicies (PSPs) by default. You must specify the --enable-pod-security-policies option when you generate deployment bundles to deploy to Kubernetes 1.25 or earlier.
RHACS 4.5 includes improved event handling for Sensor image scan when ROX_UNQUALIFIED_SEARCH_REGISTRIES is set to true. This enhancement ensures that only one simultaneous scan request is allowed per unique image, reducing redundant scans. Additionally, it increases the chances of scan cache hits when multiple names for the same image are observed. This feature is on by default when ROX_UNQUALIFIED_SEARCH_REGISTRIES is true. To turn it off, set ROX_SENSOR_SINGLE_SCAN to false on Sensor.
Red Hat has reduced the default timeout setting for RHACS admission controller webhooks from 20 seconds to 10 seconds, resulting in an effective timeout of 12 seconds within the ValidatingWebhookConfiguration. This change aligns with the unconditional cap of 13 seconds in OpenShift Container Platform. If you rely on longer timeouts, such as those with inline image scanning, you must specify a longer timeout explicitly in the SecuredCluster custom resource admissionControl.timeoutSeconds, in Helm admissionControl.dynamic.timeout, or within a sensor deployment bundle ValidatingWebhookConfiguration manifest within the admission-controller.yaml file.
With RHACS 4.5, the ability to snooze Node and Platform CVEs is disabled by default. You must set ROX_VULN_MGMT_LEGACY_SNOOZE to true on Central to return to the earlier behavior.

Documentation updates

The documentation now clarifies that when you update Scanner definitions in offline mode, Scanner retrieves data from Central every 5 minutes, with Central updating the online data every 5 - 20 minutes and the offline data every 3 hours. For more information, see Updating Scanner definitions in offline mode.
The documentation to view and configure default policies, manage policy categories, and create your own categories was updated. For more information, see Managing security policies.
The documentation was updated to include the --dnsport option and the example links in the Generating build-time network policies section.
The list of supported operating systems and versions was updated in the Supported operating systems section.
The documentation was updated to include new information about using the built-in email notifier in RHACS Cloud Service. For more information, see Integrating with email on RHACS Cloud Service.
The managing compliance guide where you can find detailed instructions on how to use the compliance feature in RHACS was updated. For more information, see Compliance feature overview.

Deprecated and removed features

Some features available in earlier releases have been deprecated or removed.

Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional information about some removed or deprecated functionality is available after the table.

In the table, features are marked with the following statuses:

GA: General Availability
TP: Technology Preview
DEP: Deprecated
REM: Removed
NA: Not applicable

Table 3. Deprecated and removed features tracker
Feature	RHACS 4.3	RHACS 4.4	RHACS 4.5
`definitions.stackrox.io`	GA	DEP	DEP
`roxctl connectivity-map`	DEP	DEP	DEP
`roxctl generate netpol`	DEP	DEP	DEP
`/v1/clustercves/suppress` APIs	DEP	DEP	DEP
`/v1/clustercves/unsuppress` APIs	DEP	DEP	DEP
`/v1/cve/requests` APIs	DEP	DEP	DEP
`/v1/nodecves/suppress` APIs	DEP	DEP	DEP
`/v1/nodecves/unsuppress` APIs	DEP	DEP	DEP
Vulnerability Management (1.0) menu item	DEP	DEP	DEP
Vulnerability Report Creator permission	DEP	DEP	DEP
`/v1/availableAuthProviders` endpoint	GA	DEP	DEP
`/v1/tls-challenge` endpoint	GA	DEP	DEP
`/v1/summary/counts` endpoint	NA	NA	DEP
Reporting of Istio vulnerabilities	GA	DEP	DEP
Custom Security Context Constraints (SCCs): `stackrox-collector` `stackrox-admission-control` `stackrox-sensor`	DEP	REM	NA
CIS Docker v1.2.0 Compliance standard	DEP	REM	NA
PCI DSS 3.2.1 Compliance standard	DEP	REM	NA
NIST SP 800-53 Compliance standard	DEP	REM	NA
NIST SP 800-190 Compliance standard	DEP	REM	NA
HIPAA 164 Compliance standard	DEP	REM	NA
CIS Kubernetes v1.5 Compliance standard	DEP	REM	NA
Reference image pull secret names for the Central components: `stackrox` `stackrox-scanner`	GA	REM	NA
Reference image pull secret names for the secured cluster components: `stackrox` `stackrox-scanner` `secured-cluster-services-main` `secured-cluster-services-collector` `collector-stackrox`	GA	REM	NA
`rhacs-collector-slim*` images	NA	NA	DEP
Kernel support packages and driver download functionality	NA	NA	DEP

Deprecated features

The following section provides information about deprecated features listed in the preceding table and other changes:

To unify the response data for stream and unary API requests:
- The error field returned for failed unary API requests is deprecated. Instead of the error field, use the message field to retrieve error information. The message field has the same information as the error field.
- In the next RHACS release, Red Hat will remove the grpcCode, httpCode, and httpStatus fields in returned error response for gRPC stream APIs. Instead, the response will include a new field, code which includes the grpcCode data.
The /v1/summary/counts API has been deprecated.
The /v1/cve/requests API for managing vulnerability exceptions is deprecated. Use the new /v2/vulnerability-exceptions/ API.
The rhacs-collector-slim* images have been deprecated. rhacs-collector images used to contain kernel modules and eBPF probes, but those items are no longer needed by RHACS. The rhacs-collector* image and the rhacs-collector-slim* images are now functionally the same. The rhacs-collector-slim* image is planned for removal in a future release.
Kernel support packages and driver download functionality are deprecated.
The Dashboard view under Vulnerability Management is deprecated. Use the Workload CVEs, Exception Management, Platform CVEs, and Node CVEs views as alternatives.
The Amazon S3 external backup integration interoperability with Google Cloud Storage is deprecated. You must use the Google Cloud Storage integration for backups.

Removed features

The following section provides information about removed features listed in the preceding table and other changes:

Red Hat has dropped the support for Helm versions older than 3.9.0. RHACS now requires Helm version 3.9.0 or later to render the stackrox-central-services and the stackrox-secured-cluster-services Helm charts.
The ROX_SCANNER_V4_NODE_JS_SUPPORT environment variable has been replaced with the ROX_SCANNER_V4_PARTIAL_NODE_JS_SUPPORT environment variable.
EBPF collection has been removed. Configurations are automatically converted to CORE_BPF when you upgrade, and the forceCollection option is no longer applicable.
Direct upgrades from RHACS version 3.74 or earlier to version 4.5 are no longer supported. To upgrade to version 4.5 or later, you must first upgrade to version 4.4.

Bug fixes in version 4.5.0

Release date: 24 July 2024

Previously, a bug prevented users without administrator privileges from accessing the listening endpoint data for clusters and namespaces for which they had read permission. With this update, users with read permission can now receive data from the listening endpoints service.

About release 4.5.1

This release includes notable technical changes and bug fixes.

Changes in version 4.5.1

The network graph and the network policy generator in the RHACS portal were updated to clarify that AdminNetworkPolicy and BaselineAdminNetworkPolicy resources are not taken into consideration in the network graph or during network policy generation.
RHACS components were updated to versions that include a fix for CVE-2024-41110: Vulnerability in authorization plugins in Docker Engine (AuthZ).

Bug fixes in version 4.5.1

Release date: 14 August 2024

When upgrading to RHACS 4.5.0, in some situations, the upgrade failed with a central-db error for the uni_compliance_integrations_clusterid constraint. This problem has been fixed.
After upgrading to RHACS 4.5.0, for nodes with more than 64 cores, Collector displayed an error about the ring buffer size not being allowed. This problem has been fixed.
The network graph was broken for users with clusters running Google Kubernetes Engine (GKE) version 1.29 and later due to a change from Google to use the managed public IP address range 34.118.224.0/20 for default networking services. The network graph marked this IP address range as external. This problem has been fixed.

About release 4.5.2

Release date: 16 September 2024

This release of RHACS introduces the following change:

The handling of orphaned node CVEs has been updated to prevent immediate removal and maintain accurate discovery times. To enable the updated feature, you must set the ROX_ORPHANED_CVES_KEEP_ALIVE variable in the Central deployment to true.

This release of RHACS fixes the following bugs:

Fixed an issue where Sensor was unable to identify OpenShift Container Platform internal registry secrets due to a change in the pull secret annotation.
Fixed an issue where policies incorrectly displayed an enforced value of Yes in the Configuration Management → Application & Infrastructure → Deployments page due to inconsistent status handling, while showing No in the Violations page.
Fixed an issue where vulnerability data differed between the Vulnerability Management Workload CVE pages and the deprecated Vulnerability Management dashboard due to inconsistencies in vulnerability reporting.

This release of RHACS fixes the following security vulnerability:

CVE-2024-3727: Fixed a vulnerability related to Scanner where the containers/image digest type did not guarantee a valid type.

About release 4.5.3

Release date: 1 October 2024

This release of RHACS includes the following changes:

Fixed a broken pipe error that caused the RHACS web console to display incomplete data.
Added the --with-database-only option to the roxctl central debug download-diagnostics command. You can use this option to generate diagnostic bundles for troubleshooting connection issues related to policy violations and deployments.