Endpoints:
-
RenamePolicyCategory
-
DeletePolicyCategory
Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across build, deploy, and runtime stages of the application lifecycle. It deploys in your infrastructure and integrates with your DevOps tooling and workflows to deliver better security and compliance and to enable DevOps and InfoSec teams to operationalize security.
RHACS version | Released on |
---|---|
|
26 September 2022 |
|
20 October 2022 |
|
1 December 2022 |
|
12 January 2023 |
|
6 March 2023 |
RHACS 3.72 includes:
Automatic removal of nonactive clusters from RHACS
Support for non-authenticated email integration
Support for Quay robot accounts
Ability to view Dockerfile lines in images that introduced components with Common Vulnerabilities and Exposures (CVEs)
Network graph improvements
Scanning support for Red Hat Enterprise Linux 9
Policy for CVEs with fixable CVSS of 6 or greater disabled by default
Additional feature enhancements and bug fixes
RHACS provides the ability to configure your system to automatically remove nonactive clusters from RHACS so that you can monitor active clusters only. Note that only clusters that were installed and performed a handshake with Central at least one time are monitored initially. If this feature is enabled, when Central has been unable to reach Sensor in a cluster for the period of time configured in the Decommissioned cluster age field, the cluster is considered nonactive in RHACS. Central will then no longer monitor nonactive clusters. You can configure the Decommissioned cluster age field in the Platform Configuration → System Configuration page. When configuring this feature, you can add a label for the cluster so that RHACS continues to monitor the cluster even if it becomes nonactive. For more information, see Configuring automatic removal of nonactive clusters from RHACS.
RHACS now supports unauthenticated SMTP for email integrations. This is insecure and not recommended. However, you might need to use unauthenticated SMTP for some integrations; for example, if you use an internal server for notifications that does not require authentication. For more information, see Configuring the email plug-in.
RHACS now supports use of robot accounts in quay.io integrations. You can create robot accounts in Quay that allow you to share credentials for use in multiple repositories. Robot accounts authenticate with the Quay Container Registry and replace OAuth tokens, which are deprecated by Quay. For more information, see Manually configuring Quay Container Registry.
In the Images view, under Image Findings, you can view individual lines in the Dockerfile that introduced the components that have been identified as containing CVEs. To view this information, locate the CVE from the list of CVEs provided in the Image Findings page. In the Affected Components column, click on the <number> components link. You can expand the display to show the line where the component was introduced that contains the CVE. For more information, see Identifying Dockerfile lines in images that introduced components with CVEs.
RHACS 3.72 includes the following improvements to the Network Graph:
The updated legend in the Network Graph shows the symbols and explanatory text together. Before this improvement, the legend required hovering over the symbols representing namespaces, deployments, and connections.
Sometimes, the graph view edges did not connect the edges of nodes and overlapped on namespaces. This issue is fixed.
With this update, RHACS shows the same formatting and interface when you view YAML files. Before this improvement, there were differences in the YAML file viewer instances.
The RHACS documentation has been updated to include a list of default security policies.
RHEL 9 is now generally available (GA). RHACS 3.72 introduces support for analyzing images built with Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux (RHEL) 9 RPMs for vulnerabilities.
Beginning with this release, the Fixable CVSS >= 6 and Privileged
policy is no longer enabled by default for new RHACS installations. The configuration of this policy is not changed when upgrading an existing system. A new policy Privileged Containers with Important and Critical Fixable CVEs
, which gives an alert for containers running in privileged mode that have important or critical fixable vulnerabilities, has been added. The new policy is also in the Deploy
lifecycle. Known vulnerabilities make it easier for adversaries to exploit your application, and highly-privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected components or running your container with lower privileges.
Some features available in previous releases have been deprecated or removed.
Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, refer to the table below. Additional information about some removed or deprecated functionality is available after the table.
In the table, features are marked with the following statuses:
GA: General Availability
TP: Technology Preview
DEP: Deprecated
REM: Removed
Category | Feature | RHACS 3.70 | RHACS 3.71 | RHACS 3.72 |
---|---|---|---|---|
API |
Endpoints:
|
DEP |
DEP |
DEP |
API |
|
GA |
DEP |
DEP |
API |
For more information, see 1 under "Deprecated features." |
GA |
DEP |
DEP |
API |
|
GA |
DEP |
DEP |
API |
|
GA |
DEP |
DEP |
API |
Property retrieval fields for groups. For more information, see 2 under "Deprecated features." |
GA |
DEP |
DEP |
Permissions |
For more information, see 3 under "Deprecated features." |
GA |
GA |
DEP |
Permissions |
Permissions for permission sets. For more information, see 4 under "Deprecated features." |
GA |
DEP |
DEP |
Tags |
Support for violation tags and process tags |
DEP |
DEP |
REM |
Scanning |
Support for Ubuntu 21.10 |
GA |
GA |
DEP |
Search Options |
For more information, see 5 under "Deprecated features." |
GA |
GA |
DEP |
This section provides additional information about some of the deprecated features listed in the previous table.
/v1/cves/suppress
and /v1/cves/unsuppress
have been deprecated and will be removed in a future release. After these are removed:
Use /v1/imagecves/suppress
and /v1/imagecves/unsuppress
to snooze and unsnooze image vulnerabilities.
Use /v1/nodecves/suppress
and /v1/nodecves/unsuppress
to snooze and unsnooze node and host vulnerabilities.
Use /v1/clustercves/suppress
and /v1/clustercves/unsuppress
to snooze and unsnooze platform (Kubernetes, Istio, and OpenShift Container Platform) vulnerabilities.
Previously, groups were retrieved by using the field props
: props.authProviderId
, props.key
, and props.value
. This field will be replaced by the new props.id
field. Use the props.id
field to retrieve groups in the RHACS API. Note the following:
Retrieval by using the props
fields will be removed in a future release.
Until removal, retrieval by using the props
field will work if the result is unambiguous (no more than one group is found with the props
field).
Permission ClusterCVE
is deprecated and will be superseded by the existing permission Cluster
.
Permissions for permission sets will be grouped for simplification. The following list describes the new permissions and indicates the deprecated permissions that will be removed in a future release:
The Access
permission will replace the following permissions: AuthProvider
, Group
, Licenses
, Role
, and User
.
The DeploymentExtension
permission will replace the following permissions: Indicator
, NetworkBaseline
, ProcessWhitelist
, and Risk
.
The Integration
permission will deprecate the following permissions: APIToken
, BackupPlugins
, ImageIntegration
, Notifier
, and SignatureIntegration
.
The Image
permission will replace the permission ImageComponent
.
Label
and Annotation
search options in RHACS are deprecated and will be removed in the RHACS 3.73 release. They will be replaced by the search options listed in the following table.
Resource | Deprecated search option | New search option |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The following changes were made in RHACS to support the removal of PSP objects in Kubernetes 1.25:
PSP objects are created by default in installations for backward compatibility with Kubernetes versions prior to 1.25. However, you can manually disable PSP creation by setting system.enablePodSecurityPolicies: false
in the helm chart.
Beginning with RHACS version 3.71, auto-sensing has been added to RHACS helm charts. If you install RHACS using the Operator or helm charts, and RHACS detects a Kubernetes version of 1.25 or later, it will not install PSPs. If you are using the roxctl
CLI to install RHACS, you need to disable PSP usage by setting the --enable-pod-security-policies
flag to false
for the roxctl central generate
and roxctl sensor generate
commands.
Kubernetes users must disable the admission controller plugin for PSPs before upgrading to Kubernetes version 1.25.
CSV export: Beginning in the RHACS 3.73 release, the CSV export API /api/vm/export/csv
will require the CVE Type
filter as part of the input query parameter. Requests that do not have the filter will return an error. Supported values for CVE Type
are IMAGE_CVE
, K8S_CVE
, ISTIO_CVE
, NODE_CVE
, and OPENSHIFT_CVE
.
Suppress and unsuppress payloads:
The field ids
in the /v1/cves/suppress
and /v1/cves/unsuppress
API payloads will be renamed to cves
in the RHACS 3.73 release.
The cves.ids
field of the storage.VulnerabilityRequest
object in the response of VulnerabilityRequestService
endpoints will be renamed to cves.cves
in the RHACS 3.73 release.
RHACS shows the wrong severity when two severities exist for a single vulnerability in a single distribution. This issue occurs because RHACS scopes severities by namespace rather than component. There is no workaround. It is anticipated that an upcoming release will include a fix for this issue. (ROX-12527)
Release date: 26 September 2022
Before this update, the steps to configure OpenShift Container Platform OAuth for more than one URI were missing. The documentation has been revised to include instructions for configuring OAuth in OpenShift Container Platform to use more than one URI. For more information, see Creating additional routes for the OpenShift Container Platform OAuth server. (ROX-11296)
Before this update, the autogenerated image integration, such as a Docker registry integration, for a cluster is not deleted when the cluster is removed from Central. This issue is fixed. (ROX-9398)
Before this update, the Image OS
policy criteria did not support regular expressions, or regex
. However, the documentation indicated that regular expressions were supported. This issue is fixed by adding support for regular expressions for the Image OS
policy criteria. (ROX-12301)
Before this update, the syslog integration did not respect a configured TCP proxy. This is now fixed.
Before this update, the scanner-db
pod failed to start when a resource quota was set for the stackrox
namespace, because the init-db
container in the pod did not have any resources assigned to it. The init-db
container for ScannerDB
now specifies resource requests and limits that match the db
container. (ROX-12291)
Release date: 20 October 2022
Because of a bug in RHACS 3.72.0, the Collector pods previously stopped responding and reach a segmentation fault after allocating a memory block for the protocol buffer heap under certain load conditions. The patch release 3.72.1 fixes this issue.
In RHACS 3.72.0, scheduled vulnerability reports consistently reported zero vulnerabilities, even if there were images with CVEs within the clusters. The patch release 3.72.1 fixes this error and the reports show the correct CVEs.
In RHACS 3.72.0, when you created a deployment bundle by using the roxctl
CLI that explicitly disabled Pod Security Policies (PSP), the generated bundle still created manifests for the PSP.
As a result, installing the deployment bundle failed when deploying on Kubernetes versions 1.25 or later.
The patch release 3.72.1 correctly disables PSP when you specify --enable-pod-security-policies=false
with the roxctl
CLI.
Release date: 1 December 2022
Before this update, if Central downloaded a corrupted CVE data file, it failed and entered a CrashLoopBackOff
state. The patch release 3.72.2 fixes this issue.
Release date: 12 January 2023
The release of RHACS 3.72.3 addresses the following security vulnerabilities identified in the previous release:
Release date: 6 March 2023
This release of RHACS fixes CVE-2022-47629 in the Docker base image.
Before this update, RHACS did not show runtime data when the secured cluster was running OpenShift Container Platform 4.12. For more information, refer to the Red Hat Knowledgebase article RHACS is not showing runtime data. This issue is now fixed.
Previously, due to an issue with the alert reconciliation workflow, Central could crash when reconciling stored and new runtime policy violations. RHACS now logs an error when an unexpected runtime process alert occurs. (ROX-15198)
Image | Description | Current version |
---|---|---|
Main |
Includes Central, Sensor, Admission Controller, and Compliance. Also includes |
|
Scanner |
Scans images and nodes. |
|
Scanner DB |
Stores image scan results and vulnerability definitions. |
|
Collector |
Collects runtime activity in Kubernetes or OpenShift Container Platform clusters. |
|