-
DEP in RHACS 3.73
-
REM in ACSCS
Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across build, deploy, and runtime stages of the application lifecycle. It deploys in your infrastructure and integrates with your DevOps tools and workflows to deliver better security and compliance and to enable DevOps and InfoSec teams to operationalize security.
RHACS version | Released on |
---|---|
|
6 December 2022 |
|
19 December 2022 |
|
6 February 2023 |
|
6 March 2023 |
|
11 April 2023 |
|
31 May 2023 |
RHACS 3.73 includes:
Red Hat Advanced Cluster Security Cloud service (Field Trial)
Improved Vulnerability management dashboard for ACSCS users
PostgreSQL database option (Technology Preview)
Build-time Kubernetes network policy generator (Technology Preview)
Feature enhancements and bug fixes
Red Hat Advanced Cluster Security Cloud service (ACSCS) is a Red Hat managed service that simplifies and accelerates RHACS deployments.
ACSCS is available as a Field Trial release. A Field Trial provides approved customers access to Red Hat Advanced Cluster Security Cloud service for trial purposes. For more information, contact Red Hat Sales. |
With ACSCS, Red Hat hosts and maintains your RHACS Central instance. Red Hat assures high availability of your instance with an industry-standard service level agreement (SLA). After launching an ACSCS instance, you can connect your secured clusters and image repositories, and configure integrations to secure your hybrid Kubernetes infrastructure across Red Hat OpenShift Container Platform, Amazon Elastic Kubernetes service (EKS), Microsoft Azure Kubernetes service (AKS), and Google Kubernetes Engine (GKE).
For more information and to try ACSCS, see Request early access to Red Hat Advanced Cluster Security Cloud service.
The following new documentation topics are available for ACSCS installation:
The following documentation topics do not apply to ACSCS: |
ACSCS includes a few updates in the vulnerability management dashboard in the RHACS portal. On-premise RHACS installations will eventually include these updates in future versions. ACSCS includes the following changes:
The vulnerability management dashboard now groups Common Vulnerabilities and Exposures (CVEs) into Image CVEs, Node CVEs, and Platform CVEs categories. You can access these categories when you click CVEs on the Vulnerability Management view header. Or, when viewing a list of entities, these categories are listed under All entities.
In the Node CVEs and Image CVEs list views:
A new Operating System column shows the base operating system of the image that contains the CVE.
A new Severity column shows the severity of the package’s vulnerability in the operating system context. One CVE may have different severity levels depending on the operating system.
Some CVEs may occur in more than one category. When you select the Defer and Approve option for a CVE from a specific category, that CVE gets deferred only for the selected category. For example, if a CVE applies to both Node CVEs and Image CVEs, when you defer that CVE from the Node CVEs category, it still appears in the Image CVEs category.
PostgreSQL support is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
RHACS will use PostgreSQL as its backend database in the future, replacing the in-memory RocksDB database used today. This transition will be a part of a future release upgrade, with a fully-automated migration from the current architecture to PostgreSQL-based architecture.
With PostgreSQL, customers benefit from improved performance, standard database procedures for scaling the database, backup and restore, and recovery from a disaster using PostgreSQL database backups. In addition, you can use your existing PostgreSQL infrastructure to provision a PostgreSQL database for RHACS.
With RHACS version 3.73, the PostgreSQL option is available as a Technology Preview feature. If you are interested in participating in the Tech Preview program, Red Hat will work with you to manually migrate to PostgreSQL so that you can explore these benefits in a test environment before we release this feature. Contact your Red Hat account representative to participate.
When Red Hat releases this feature, PostgreSQL will become a requirement for RHACS, and you will not be able to upgrade RHACS without using PostgreSQL. |
Build-time Kubernetes network policy generator is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
RHACS 3.73 introduces a new build-time capability in the roxctl
command-line interface (CLI), to generate Kubernetes network policies based on Application YAML manifests.
You can use it to develop network policies as part of the CI/CD pipeline before deploying applications on your cluster.
Red Hat developed this feature in partnership with the developers of the NP-Guard project.
The build-time network policy generator analyzes Kubernetes manifests in a local folder, including service manifests, configuration maps and workload manifests such as Pod, Deployment, ReplicaSet, Job, DaemonSet, and StatefulSet.
It discovers the required connectivity and creates the Kubernetes network policies to achieve pod isolation.
These policies allow no more and no less than the needed ingress and egress traffic.
For the build-time network policy generation feature, roxctl
CLI does not need to communicate with RHACS Central. Therefore you can use it in any development environment.
For more details, see Using build-time network policy generator.
RHACS uses GraphQL internally to show data in the RHACS portal. However, Red Hat does not support querying RHACS using GraphQL. Instead, use the REST API queries to access data. The RHACS 3.73 release introduces some breaking changes in the existing GraphQL queries. If you are using GraphQL, see https://access.redhat.com/articles/6986289 and contact Red Hat Consulting.
Sensor no longer uses anyuid
Security Context Constraint (SCC). Instead, the default SCC for Sensor is now restricted[-v2]
or stackrox-sensor
, depending on the settings. In addition, the runAsUser
and fsGroup
for the Admission control and Sensor deployments are no longer hard-coded to 4000
on OpenShift clusters to allow using the restricted
and restricted-v2
SCCs. (ROX-9342)
The service account central
, which the Central deployment uses, now includes get
and list
access to the following resources in the namespace where you deploy Central:
pods
events
Namespaces
The CSV export API /api/vm/export/csv
now requires the CVE Type
filter as part of the input query parameter. Requests that do not have the filter returns an error. Supported values for CVE Type
are IMAGE_CVE
, K8S_CVE
, ISTIO_CVE
, NODE_CVE
, and OPENSHIFT_CVE
.
Some features available in previous releases have been deprecated or removed.
Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, refer to the table below. Additional information about some removed or deprecated functionality is available after the table.
In the table, features are marked with the following statuses:
GA: General Availability
TP: Technology Preview
DEP: Deprecated
REM: Removed
NA: Not applicable
Feature | RHACS 3.71 | RHACS 3.72 | RHACS 3.73 |
---|---|---|---|
RenamePolicyCategory and DeletePolicyCategory Application Programming Interface (API) endpoints |
DEP |
DEP |
REM |
Support for violation tags and process tags |
DEP |
REM |
NA |
Permissions: |
DEP |
DEP |
REM |
Retrieving groups by property |
DEP |
DEP |
REM |
|
DEP |
DEP |
REM |
|
DEP |
DEP |
|
|
DEP |
DEP |
|
|
DEP |
DEP |
REM |
Scanning support for Ubuntu 21.10 |
GA |
REM |
NA |
Permission |
GA |
DEP |
DEP |
|
GA |
DEP |
DEP |
Environment variable |
NA |
NA |
REM |
This section provides additional information about some of the removed features listed in the previous table.
The ROX_WHITELIST_GENERATION_DURATION
environment variable is removed in the RHACS 3.73 release.
You can use ROX_BASELINE_GENERATION_DURATION
instead.
Red Hat has removed whitelist_statuses
from the response of the /v1/deploymentswithprocessinfo
endpoint.
The ids
field in the /v1/cves/suppress
and /v1/cves/unsuppress
API payload is renamed to cves
in the RHACS 3.73 release.
The cves.ids
field of the storage.VulnerabilityRequest
object in the response of VulnerabilityRequestservice
endpoints is renamed to cves.cves
in the RHACS 3.73 release.
For the /v1/groups
endpoint, you can no longer use the Get, Update, Mutate, and Remove functions without specifying a value for props.id
field when using the props
field. (ROX-11592)
Red Hat has removed the ComplianceRunSchedule
resource, which RHACS did not use.
Red Hat has simplified the RHACS access permissions. The following list describes the new permissions and indicates the removed permissions in the RHACS 3.73.0 release:
The Access
permission replaces the AuthPlugin
, AuthProvider
, Group
, Licenses
, Role
, and User
permissions.
The DeploymentExtension
permission replaces the Indicator
, NetworkBaseline
, ProcessWhitelist
, and Risk
permissions.
The Integration
permission deprecates the APIToken
, BackupPlugins
, ImageIntegration
, Notifier
, and SignatureIntegration
permissions.
The Image
permission replaces the ImageComponent
permission.
Central reaches out to Scanner on the scanner.<namespace>.svc
endpoint instead of scanner.<namespace>
to respect OpenShift Container Platform’s NO_PROXY
configuration.
If you are using NO_PROXY
and you experience connectivity issues for image scanning, add *.svc
or scanner.<namespace>.svc
to your NO_PROXY
configuration. (ROX-13034)
Label
and Annotation
search options are removed in the RHACS 3.73 release.
They are replaced by the search options listed in the following table:
Resource | Deprecated search option | New search option |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The following list describes the new permissions and indicates the deprecated permissions that will be removed in a future release:
New permission Administration
will deprecate the permissions AllComments
, Config
, DebugLogs
, NetworkGraphConfig
, ProbeUpload
, ScannerBundle
, ScannerDefinitions
, SensorUpgradeConfig
, and serviceIdentity
.
The permission Compliance
will deprecate the permission ComplianceRuns
.
Beginning in the RHACS 3.74 release, Red Hat will remove the in-product docs accessible from the help menu. If you are using the in-product docs, you can instead download the required documentation in PDF format from Red Hat Customer Portal. (link:ROX-12839)
Previously, if you were using StackRox Kubernetes Security Platform - Splunk Technology Add-on, results for the ocp4-cis-node
compliance standard was missing from Splunk. The Splunk integration now includes the ocp4-cis-node
compliance standard results. (ROX-11937)
Previously, Central failed on the v1 CronJob
deployment YAML check. This issue is fixed. (ROX-13500)
Previously, when you rebooted the OpenShift Container Platform cluster scanner-db
pod would get stuck in the init
state. This issue is fixed. (ROX-12556)
Previously, after upgrading to RHACS 3.73.0, the Central pod entered a CrashLoopBackOff
state because of a failing readiness probe.
The patch release 3.73.1 fixes this issue.
The patch release 3.73.1 fixes an issue where the Compliance dashboard in the RHACS portal failed to load compliance results.
The patch release 3.73.2 fixes an issue where Central crashed during the migration from rocksDB to PostgreSQL. (ROX-14469)
Because of an issue in RHACS Operator versions 3.73.0 and 3.73.1, when you tried to update, the Operator incorrectly removed the metadata.ownerReferences
field on the central PersistentVolumeClaim (PVC), and you could not update Central and Scanner. The patch release 3.73.2 fixes this issue. (ROX-14335)
Release date: 6 March 2023
This release of RHACS fixes CVE-2022-47629 in the Docker base image.
Before this update, RHACS did not show runtime data when the secured cluster was running OpenShift Container Platform 4.12. For more information, refer to the Red Hat Knowledgebase article RHACS is not showing runtime data. This issue is now fixed.
Previously, due to an issue with the alert reconciliation workflow, Central could crash when reconciling stored and new runtime policy violations. RHACS now logs an error when an unexpected runtime process alert occurs. (ROX-15198)
Release date: 11 April 2023
This release of RHACS includes a fix for RHSA-2023:1405 OpenSSL security update for Red Hat Enterprise Linux (RHEL) 8.
Release date: 31 May 2023
This release of RHACS includes a fix for CVE-2023-24540 by building RHACS with updated Golang.
Image | Description | Current version |
---|---|---|
Main |
Includes Central, Sensor, Admission controller, and Compliance. Also includes |
|
Scanner |
Scans images and nodes. |
|
Scanner DB |
Stores image scan results and vulnerability definitions. |
|
Collector |
Collects runtime activity in Kubernetes or OpenShift Container Platform clusters. |
|