Red Hat Advanced Cluster Security for Kubernetes (RHACS) 3.69 includes feature enhancements, bug fixes, scale improvements, and other changes.
3.69.0 Release date: March 21, 2022
3.69.1 Release date: April 6, 2022
3.69.2 Release date: June 22, 2022
Because of an unexpected schema change in an upstream vulnerability feed on 20 October 2022, Red Hat published a corrupted CVE data file to https://definitions.stackrox.io, and many Central instances downloaded the corrupted file. As a result, when Central processes the corrupted feed data, it fails and enters a |
Release date: April 6, 2022
Red Hat Advanced Cluster Security for Kubernetes 3.69.1 includes a lightweight version of Scanner delivered as part of the secured cluster services on OpenShift Container Platform to more effectively scan the OpenShift Container Registry. For OpenShift Container Platform users who do not use the Red Hat Advanced Cluster Security for Kubernetes Operator, Red Hat advises you to update your helm charts to take advantage of these new capabilities.
RHACS 3.69.1 includes enhancements in Scanner to identify vulnerabilities in packages that follow the Spring naming conventions. Scanner now detects Spring packages impacted by the newly discovered critical vulnerabilities CVE-2022-22963 and CVE-2022-22965 (Spring4Shell).
Release date: March 21, 2022
With Red Hat Advanced Cluster Security for Kubernetes 3.69, you can now set policies to define the operational readiness of a deployment. New policies include checks for liveness and readiness probes and predefined replica counts.
You can now quickly identify if a software package inside a container image is inactive. You can use this information to consider removing the inactive software package as a hardening step or for vulnerability remediation.
Scanner includes the following new capabilities:
Support for Alpine 3.15
Scanner now identifies busybox as a base operating system.
Ubuntu vulnerability reference links now point to the updated address https://ubuntu.com/security/.
Release date: June 22, 2022
ROX-11489: CVE-2022-1902: Previously, improper sanitization allowed authenticated users to retrieve Notifier secrets from the GraphQL API. This flaw has been fixed.
Release date: March 21, 2022
ROX-9587: Previously, emailed vulnerability reports were incompatible with some e-mail clients. This issue has been fixed.
ROX-9166: Previously, snoozed CVEs that were unsnoozed were not reported in CI when scanning images. This issue has been fixed.
ROX-9400: Previously, RHACS did not remove the related service accounts when you deleted a cluster. This issue has been fixed.
ROX-9483: Previously, certain search conditions using a process name could sometimes cause Central to stop responding. This issue has been fixed.
Red Hat has changed the default grpcPort
in Scanner’s configuration map to 8443
.
Red Hat is deprecating the following API endpoints:
/v1/clusters-env/kernel-support-available
: Use /v1/cluster-defaults
instead.
/v1/helm/cluster/add
: Use the helm charts directly.
Empty values for role.access_scope_id
is deprecated in the RoleService_CreateRole
and RoleService_UpdateRole
methods for the /v1/roles/
endpoint. It is now set to the unrestricted access scope ID io.stackrox.authz.accessscope.unrestricted
.
Red Hat Advanced Cluster Security for Kubernetes 3.69 includes more intuitive and easier-to-use policy creation and editing workflows.
Red Hat Advanced Cluster Security for Kubernetes 3.69 includes new fields for vulnerabilities contained within an image that you use to sort and filter the vulnerabilities list.
Collector is incompatible with UEFI secure boot when collecting runtime data using kernel modules. In Red Hat Advanced Cluster Security for Kubernetes 3.69, when Collector detects that the host is using UEFI secure boot, it automatically fails over to use EBPF probes to prevent service disruption.
ROX-9750: The FROM
instruction in the DISALLOWED DOCKERFILE LINE
policy field is not recognized by RHACS. For example, creating a policy that disallows FROM:unwanted.example.com
in the Dockerfile does not generate a policy violation.
Red Hat is deprecating some of the features in Red Hat Advanced Cluster Security for Kubernetes 3.69. Red Hat will remove these deprecated features in the following release:
Red Hat Advanced Cluster Security for Kubernetes 3.71.0:
External authorization plug-in for scoped access control. Use the existing in-product scoped access control.
Anchore, Tenable, and Docker Trusted Registry integrations. The RHACS scanner supersedes these integrations.
Alerts and Process Comments.
Red Hat Advanced Cluster Security for Kubernetes 3.70.0:
Red Hat Advanced Cluster Security for Kubernetes will not allow deleting default policies. So rather than deleting, you can disable default policies that you do not need.
The /v1/policies
API endpoint response will not return the field response body parameter.
In RHACS 3.70, Red Hat will remove the support for security policies that do not have a policyVersion
. Therefore, if you have externally stored older policies (without policyVersion
or version prior to 1.1), you must convert them to use policyVersion
1.1. To do this, import the old policies into RHACS and then export them again. You can check the policyVersion
field for your stored policies to identify if they need conversion.
For any questions, please contact the Red Hat support team at support@redhat.com.
Image | Description | Current version |
---|---|---|
Main |
Includes Central, Sensor, Admission Controller, and Compliance.
Also includes |
|
Scanner |
Scans images and nodes. |
|
Scanner DB |
Stores image scan results and vulnerability definitions. |
|
Collector |
Collects runtime activity in Kubernetes or OpenShift Container Platform clusters. |
|