- DEP in RHACS 3.73
- REM in RHACS Cloud Service (Field Trial)
Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across build, deploy, and runtime stages of the application lifecycle. It deploys in your infrastructure and integrates with your DevOps tools and workflows to deliver better security and compliance and to enable DevOps and InfoSec teams to operationalize security.
RHACS version | Released on
---|---
 | 3 May 2023
 | 18 May 2023
 | 31 May 2023
 | 13 July 2023
 | 9 August 2023
 | 24 October 2023
RHACS 4.0 includes the following new features, improvements, and updates:
For offline configured installations that have set the |
With this release, RHACS includes a major architecture change, moving the Central database to PostgreSQL. This change provides important performance and scale benefits.
By default, RHACS installation includes the PostgreSQL database. Future plans include the ability to use your own PostgreSQL-compliant software. RHACS 4.0 includes this feature as a Technology Preview with certain limitations. For more information, see "Installing Central with an external PostgreSQL database (Technology Preview)".
RHACS includes features that depend on the new architecture. Specifically, policy criteria and vulnerability reporting with collections were introduced in 3.74 as a Technology Preview, and are now generally available.
For instructions for a new installation of RHACS 4.0, see Supported platforms and installation methods.
To prevent automatic upgrades when using the Operator, RHACS 4.0 uses a new subscription channel. This update allows the RHACS Operator to comply with Red Hat standards and provides consistency with other Red Hat Operators. As documented in the upgrade instructions, you must explicitly change your subscription channel when upgrading. Customers who remain on the current RHACS Operator `latest` channel will continue to receive 3.74 updates until 3.74 is no longer supported. The life cycle of RHACS 3.74 has been extended by 3 months to allow you more time to migrate to RHACS 4.0. The upgrade process automatically migrates the database and requires no intervention.
After Central is upgraded, upgrade the subscription channel on all Secured Clusters.
You are encouraged to evaluate the upgrade in a staging environment before pushing it to production to ensure that your unique environment does not present unforeseen issues.
The documentation provides detailed instructions for rolling back to the previous version if necessary. Before the upgrade, back up the existing Central database following the documented backup procedure so that you can roll back to the previous version if necessary. You are encouraged to practice rolling back to the previous version in the staging environment to ensure that your backup was successful and that rolling back to the previous version brings the system back to the expected operational state.
To upgrade RHACS to 4.0, perform the following steps:
1. Upgrade to RHACS version 3.74 if you have an earlier version installed.
2. Back up the database for Central.
3. Upgrade Central to version 4.0.
4. Upgrade secured clusters to version 4.0.
For additional instructions on upgrading, see the documentation in the "Upgrade documentation" section. Procedures for upgrading by using Helm and `roxctl` now include a step to back up the Central database before upgrading Central.
To upgrade RHACS, you must switch the Operator channel to `stable` for your secured clusters.
Manifest-based upgrades using |
For more information about upgrading to release 4.0, see the following documentation:
With this release, you can test the use of your existing PostgreSQL infrastructure to provision a database for RHACS.
External PostgreSQL database is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
RHACS 4.0 includes this feature as a Technology Preview and it is not supported for production systems. It currently has several limitations, including the need for privileged superuser access. Red Hat is seeking customer feedback and testing.
For more information, see Installing Central with an external database using the Operator method.
Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service) provides a fully hosted and managed Central instance that allows you to secure your on-premise and cloud-based Kubernetes clusters.
RHACS Cloud Service is available for approved customers. Customers can get RHACS Cloud Service by using the Amazon Web Services (AWS) Marketplace or from their regular Red Hat channels. For more information, contact Red Hat Sales.
During the Limited Availability phase, Red Hat will provide full support with committed service level agreements (SLAs) and response times. Red Hat will also continue to provide an email list for feedback and general questions. The following items apply to RHACS Cloud Service limited availability:
RHACS Cloud Service provides the capability to access repositories local to the secured clusters. This functionality is supported only for OpenShift secured clusters and Red Hat Quay that will have local scanning capabilities for internal and extended registries in the customer environments.
The Ireland (`eu-west-1`) region is now available when creating an RHACS Cloud Service instance. Red Hat will ensure all data residency requirements for data are met per the EU standards.
RHACS Cloud Service is fully integrated into the AWS Marketplace.
With this release, Telemetry, where RHACS Cloud Service collects anonymized aggregated information about product usage and product configuration, is enabled by default. To learn more about telemetry or see instructions for opting out, see About Telemetry.
RHACS provides RHCOS node host scanning for security vulnerabilities. The scope of this feature is limited to scanning RHCOS RPMs installed on the node host as part of the RHCOS installation for any known vulnerabilities. This feature provides the following functionality:
- Analysis and detection of RHCOS components
- Matching of vulnerabilities on the components by using RHEL and Red Hat OpenShift 4.X OVALv2 security data streams
To view a list of RHEL versions for OpenShift Container Platform and RHCOS, see RHEL Versions Utilized by RHEL CoreOS and OCP.
OpenShift Container Platform/RHCOS 4.10 or later is supported.
For more information about vulnerability scanning, see Scanning RHCOS node hosts.
RHACS now provides a list of all processes that are listening on ports in secured clusters. This information can help you associate which deployments and associated processes have open ports and better assess cluster security.
This functionality is available for deployments by using the `v1/listening_endpoints` API. Changes to the RHACS web portal for this feature are planned for a future release. In this release, the following known limitations exist:
- It is possible that the process ID (PID) information attached to an endpoint reflects a process of the same name and parameters, but earlier execution time. Additionally, only the pod ID, process name, process arguments, port, and protocol are guaranteed to be populated for a given deployment.
- Under rare circumstances, network endpoints reported by the API might have process information reflecting the characteristics of the parent process instead of the process that created the listening endpoint.
- Only TCP endpoints are currently reported.
For more information, navigate to Help → API reference in the RHACS portal.
Network graph 2.0 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
The Network Graph (2.0 preview) has been updated to address user feedback and add improvements. The following changes have been made:
- Differentiated Filtered namespaces from Derived namespaces
- Changed behavior of the display to dim additional items in the background when an item is selected
- Separated Anomalous flows and Baseline flows in the Details tab for deployments
- Added container configurations
- Renamed Extraneous flows to Inactive flows
For more information, see Network graph (2.0 preview).
RHACS functionality has been validated on OpenShift Container Platform 4.12 clusters running in Federal Information Processing Standards (FIPS) mode.
API tokens are used in RHACS for some system integrations, authentication processes, and system functions. API tokens expire in 1 year. This release adds an automatic notification process to create warning messages for tokens that will expire in less than 1 week. These messages appear in the Central logs. You can configure your system to alert you when you receive these messages so that you know when you need to generate new tokens. For more information, see About API token expiration.
Sensor resync is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
RHACS has reduced the amount of CPU usage needed for Sensor to resync with Central. The improvement can be enabled by setting the environment variable `ROX_RESYNC_DISABLED="true"` on all Sensors running RHACS version 4.0. By default, this variable is set to `false`, so the improvement is disabled.
Without this improvement, Sensor reprocesses Kubernetes and Red Hat OpenShift-specific events every minute, which increases the CPU consumption considerably, especially for large clusters with many pods or deployments. With this improvement, reprocessing is no longer required, considerably reducing the load on the CPU.
Instructions for adding integrations with Microsoft Azure have been added. See Connecting Azure AD to RHACS using SSO configuration.
(Version 4.0.1) Service description documentation that provides an overview of Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service), including its features, capabilities, and architecture, has been added. See RHACS Cloud Service service description.
(Version 4.0.1) Revised and improved the documentation for Getting started with RHACS Cloud Service, including setting up Red Hat OpenShift and Kubernetes secured clusters.
Active vulnerability management is now controlled by a `ROX_ACTIVE_VULN_MGMT` variable with a default value of `false` to improve performance. If you need active vulnerability management, set this variable to `true` to reactivate it. However, if you reactivate this variable, increase the memory limit of Central.
Previously, the `Analyst` permission set had `read` access on all permissions except the now-deprecated `DebugLogs` permission. This permission set now has `read` access to all permissions except `Administration`.
The default resources for Sensor have increased to a request of 2 cores and 4 GB of RAM and a limit of 4 cores and 8 GB of RAM to support a larger number of clusters without modification.
The RHACS Operator default channel has changed from `latest` to `stable`. If you are running a version earlier than 4.0, you must follow the upgrade procedure to preserve RHACS data in case of issues with the upgrade. For more information, see Upgrading by using the Operator.
The versioning scheme for the RHACS Helm charts has changed. Previously, the product version `(Major).(Minor).(Patch)` was rendered to the Helm chart version `(Minor).(Patch).0`; for example, `3.74.2` → `74.2.0`. The new versioning scheme maps product version `(Major).(Minor).(Patch)` to the Helm chart version as `(Major*100).(Minor).(Patch)`; for example, `4.0.2` → `400.0.2`.
Some features available in previous releases have been deprecated or removed.
Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional information about some removed or deprecated functionality is available after the table.
In the table, features are marked with the following statuses:
- GA: General Availability
- TP: Technology Preview
- DEP: Deprecated
- REM: Removed
- NA: Not applicable
Feature | RHACS 3.73 | RHACS 3.74 | RHACS 4.0
---|---|---|---
 | DEP | DEP | REM
 | GA | DEP | REM
Clair scanner version 2 | GA | DEP | REM
 | DEP | DEP | REM
 | DEP | DEP | REM
Examining images for Application-level dependencies for vulnerability reporting: | GA | GA | DEP
 | GA | GA | DEP
 |  | DEP | REM
Kernel module collection method | GA | DEP | DEP
Network Graph version 1.0 | GA | GA | DEP
 | DEP | DEP | REM
 | GA | DEP | REM
 | DEP | DEP | REM
 | GA | DEP | REM
 | GA | GA | DEP
 | DEP | DEP | REM
 | DEP | DEP | REM
 | GA | DEP | REM
 | DEP | DEP | REM
 | DEP | DEP | REM
Support for OpenShift Container Platform versions earlier than 4.10 | GA | DEP | REM
 |  | DEP | REM
 | GA | GA | DEP
 | GA | GA | DEP
 | GA | DEP | REM
 |  | DEP | REM
The following section provides additional information about deprecated features listed in the preceding table.
The `--offline-mode` flag for the `roxctl scanner generate` command is deprecated, as Scanner's default behavior is to fetch vulnerability updates from Central. The flag is planned for removal in the RHACS 4.2.0 release.
The Network Graph version 1.0 is deprecated. Use the Network Graph version 2.0 for improved functionality and a better user experience.
The PDF export feature in the Vulnerability Management section of the RHACS web portal is deprecated and is planned for removal in the RHACS 4.2.0 release. Use the vulnerability reporting feature instead for more comprehensive CSV data.
Vulnerability scanning support for non-RPM (ASP).NET Core Runtime is deprecated and is planned for removal in the RHACS 4.2.0 release.
All `/v1/report` APIs for creating and managing vulnerability reports are deprecated and will be replaced with new `/v2/report` APIs in a future release.
Currently, secured clusters can use one of three collection methods for runtime events: eBPF (selected by default), kernel module, or no collection. The kernel module collection method was deprecated in the RHACS version 3.74 release and is planned for removal in the RHACS version 4.1 release.
Verify the collection method of your secured clusters. This value is set in the `collector.collectionMethod` parameter and is one of the following methods:
- `EBPF`
- `KERNEL_MODULE`
- `NO_COLLECTION`
If any of your secured clusters uses `KERNEL_MODULE` as a collection method, change it to `EBPF`.
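As an added example (not RHACS code), the check below audits the `collector.collectionMethod` value of each Helm-installed secured cluster from the JSON that `helm get values <release> -n <namespace> -o json` prints, and produces the values override that moves a `KERNEL_MODULE` cluster to `EBPF`; the release names and values are constructed samples.

```python
"""Audit Helm-installed secured clusters for the deprecated KERNEL_MODULE collection method.

Added example, not RHACS code. It consumes the JSON that
`helm get values <release> -n <namespace> -o json` prints for each
secured-cluster release; the releases below are constructed samples.
"""
import json
from typing import Dict, List, Optional, Tuple

# The three documented values of collector.collectionMethod.
VALID_METHODS = {"EBPF", "KERNEL_MODULE", "NO_COLLECTION"}

# Constructed sample: release name -> JSON as printed by `helm get values ... -o json`.
SAMPLE_RELEASES = {
    "stackrox-secured-cluster-prod": '{"clusterName": "prod", "collector": {"collectionMethod": "KERNEL_MODULE"}}',
    "stackrox-secured-cluster-dev": '{"clusterName": "dev", "collector": {"collectionMethod": "EBPF"}}',
    "stackrox-secured-cluster-lab": '{"clusterName": "lab", "collector": {"collectionMethod": "KERNEL_MOD"}}',
    "stackrox-secured-cluster-ci": '{"clusterName": "ci"}',
}


def collection_method(values: dict) -> Optional[str]:
    """Read collector.collectionMethod; None when the values do not set it."""
    return (values.get("collector") or {}).get("collectionMethod")


def audit(releases: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (release, method) for releases that must be changed before 4.1.

    Flags KERNEL_MODULE and any value outside the documented set, so a typo
    is surfaced as well. Releases that leave the key unset fall back to the
    chart default, which the release notes state is eBPF.
    """
    findings = []
    for name, raw in releases.items():
        method = collection_method(json.loads(raw))
        if method is None:
            continue
        if method == "KERNEL_MODULE" or method not in VALID_METHODS:
            findings.append((name, method))
    return findings


def migrated_values(raw: str) -> dict:
    """Return the values with KERNEL_MODULE switched to EBPF, for `helm upgrade -f`."""
    values = json.loads(raw)
    if collection_method(values) == "KERNEL_MODULE":
        values["collector"]["collectionMethod"] = "EBPF"
    return values


if __name__ == "__main__":
    for release, method in audit(SAMPLE_RELEASES):
        print(f"{release}: collector.collectionMethod={method} -> set to EBPF")
```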
The following section provides additional information about removed features listed in the preceding table.
As announced in the Release Notes for RHACS 3.73.0, some permissions are now grouped for simplification. The deprecation process in 4.0 will remove and replace the deprecated permissions with the replacing permission. The access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions.
The following list provides more information about permission and permission set changes:
Permission `Administration` replaces the following deprecated permissions:
- `AllComments`
- `Config`
- `DebugLogs`
- `NetworkGraphConfig`
- `ProbeUpload`
- `ScannerBundle`
- `ScannerDefinitions`
- `SensorUpgradeConfig`
- `ServiceIdentity`
Permission `Compliance` replaces the deprecated permission `ComplianceRuns`.
The `Analyst` permission set will change behavior. Instead of allowing `read` access to all resources except `DebugLogs`, it will allow `read` access to all resources except `Administration`. This change affects you if you were using the `Analyst` role or permission set for actions requiring `read` access on the following resources:
- `AllComments`
- `Config`
- `NetworkGraphConfig`
- `ProbeUpload`
- `ScannerBundle`
- `ScannerDefinitions`
- `SensorUpgradeConfig`
- `ServiceIdentity`
To address this change, preemptively create a new permission set with `read` access on the `Administration` and other required resources, and reference it instead of `Analyst` in the created roles.
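To see why `Analyst` loses read access on those eight resources, the added example below (not RHACS code) applies the consolidation rule stated above, "the replacing permission gets the lowest access level among the replaced permissions", to a constructed 3.74-style permission set and lists the resources whose effective access drops. It assumes the access levels rank `NO_ACCESS` < `READ_ACCESS` < `READ_WRITE_ACCESS`, that a permission absent from a set counts as `NO_ACCESS`, and that an already existing replacing permission (`Compliance`) takes part in the merge.

```python
"""Simulate the RHACS 4.0 permission consolidation described above.

Added example, not RHACS code. Assumptions not stated on the page: access
levels rank NO_ACCESS < READ_ACCESS < READ_WRITE_ACCESS, a permission absent
from a set counts as NO_ACCESS, and a replacing permission that already
exists (Compliance) takes part in the "lowest level" merge.
"""
from typing import Dict, List

ACCESS_RANK = {"NO_ACCESS": 0, "READ_ACCESS": 1, "READ_WRITE_ACCESS": 2}
RANK_ACCESS = {rank: name for name, rank in ACCESS_RANK.items()}

# Replacing permission -> deprecated permissions it absorbs (from the release notes above).
REPLACEMENTS = {
    "Administration": [
        "AllComments", "Config", "DebugLogs", "NetworkGraphConfig", "ProbeUpload",
        "ScannerBundle", "ScannerDefinitions", "SensorUpgradeConfig", "ServiceIdentity",
    ],
    "Compliance": ["ComplianceRuns"],
}

# Constructed sample modelled on the 3.74 Analyst set: read on everything
# listed here, with the deprecated DebugLogs permission explicitly denied.
ANALYST_3_74 = {
    "Alert": "READ_ACCESS", "Image": "READ_ACCESS", "Compliance": "READ_ACCESS",
    "ComplianceRuns": "READ_ACCESS", "AllComments": "READ_ACCESS", "Config": "READ_ACCESS",
    "DebugLogs": "NO_ACCESS", "NetworkGraphConfig": "READ_ACCESS", "ProbeUpload": "READ_ACCESS",
    "ScannerBundle": "READ_ACCESS", "ScannerDefinitions": "READ_ACCESS",
    "SensorUpgradeConfig": "READ_ACCESS", "ServiceIdentity": "READ_ACCESS",
}


def migrate_permission_set(perms: Dict[str, str]) -> Dict[str, str]:
    """Return the 4.0 view of a 3.74 permission set.

    Each deprecated permission is dropped and the replacing permission gets
    the LOWEST access level found among the permissions it replaces, which
    is the rule the release notes state.
    """
    migrated = dict(perms)
    for replacing, replaced in REPLACEMENTS.items():
        levels = [ACCESS_RANK[perms.get(name, "NO_ACCESS")] for name in replaced]
        if replacing in perms:  # assumption: an existing Compliance level joins the merge
            levels.append(ACCESS_RANK[perms[replacing]])
        migrated[replacing] = RANK_ACCESS[min(levels)]
        for name in replaced:
            migrated.pop(name, None)
    return migrated


def effective_access(migrated: Dict[str, str], resource: str) -> str:
    """Access a 4.0 set grants for a resource named in 3.74 terms."""
    for replacing, replaced in REPLACEMENTS.items():
        if resource in replaced:
            return migrated.get(replacing, "NO_ACCESS")
    return migrated.get(resource, "NO_ACCESS")


def lost_access(perms: Dict[str, str]) -> List[str]:
    """Resources whose access level is lower after migration than before."""
    migrated = migrate_permission_set(perms)
    return sorted(r for r, level in perms.items()
                  if ACCESS_RANK[effective_access(migrated, r)] < ACCESS_RANK[level])


if __name__ == "__main__":
    print("Administration ->", migrate_permission_set(ANALYST_3_74)["Administration"])
    print("Lost read access on:", ", ".join(lost_access(ANALYST_3_74)))
```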
Release date: 3 May 2023
Previously, in the RHACS portal, the Platform Configuration → Clusters page did not display information in the Cloud Provider field for Azure Red Hat OpenShift and Red Hat OpenShift Service on AWS (ROSA) clusters. This has been fixed. (ROX-14399)
If the most recent critical alert in an environment was from a custom policy that triggers off of Kubernetes audit logs, it could cause the widgets on the main dashboard to fail. This has been fixed. (ROX-15103)
Previously, the image `scan_time` value was not updated for some images in the Image entity list. This issue occurred because the workflow for updating watched images and the workflow for manually scanning images did not actually re-scan the images when the image SHA remained the same. This has been fixed. (ROX-15808)
Fixed an inconsistency between `roxctl` output and API output for image vulnerability data. Previously, `roxctl` showed the total number of CVEs. Now the number of unique CVEs is shown instead. (ROX-15277)
Fixed an issue with the `roxctl generate netpol` command. Previously, the command generated network policies with the `status{}` field, which prevented applying policies to a cluster. The command no longer generates network policies with this field. (ROX-14775)
Fixed an issue where the Create Policy buttons were not visible when the certificate expiration banner was displayed. (ROX-12433)
Error messages generated during runtime policy validation have been improved. (ROX-15809)
Previously, RHACS failed to suspend a cron job when enforcing a deploy time policy. This issue has been fixed. (ROX-15113)
Release date: 18 May 2023
Fixed an issue with manifest-based secured cluster installations for Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service).
Fixed an issue with unwanted logging for RHACS Cloud Service.
Release date: 31 May 2023
This release of RHACS fixes the following security vulnerabilities:
CVE-2023-24540: Fixed by building RHACS with updated Golang.
CVE-2023-29400: Fixed a vulnerability in Golang that affects templates with actions in unquoted HTML attributes.
CVE-2023-24539: Fixed a vulnerability in Golang related to the handling of angle brackets (<>) in cascading style sheets (CSS) contexts.
Fixed an issue that caused frequent Central pod restarts with the `context deadline exceeded` error.
Release date: 13 July 2023
Fixed an issue where RHACS sometimes incorrectly attempted to install PodSecurityPolicies (PSPs), causing the installation to fail because PSPs are not supported in Kubernetes version 1.25 and later. (ROX-17796, ROX-16652)
Fixed an issue with upgrades failing because RHACS applied PSPs, even when not enabled. (ROX-17771, ROX-17734)
Fixed an issue with failed database migration due to a duplicate key value. (ROX-18059)
Fixed a memory leak in Collector. (ROX-17553, ROX-17096)
Provides a Python 3 security update (RHSA-2023:3591).
Release date: 9 August 2023
Removed the Pod Security Policies (PSPs) from the Helm release manifest when upgrading from an outdated version. (ROX-17687)
Release date: 24 October 2023
This release of RHACS fixes the following security vulnerabilities:
CVE-2023-44487 and CVE-2023-39325: Flaw in handling multiplexed streams in the HTTP/2 protocol
Various CVEs in containers, including CVE-2023-4527, CVE-2023-4806, CVE-2023-4813, and CVE-2023-4911: glibc security issues
A new default policy has been added, "Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol". This policy alerts on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers, as described in CVE-2023-44487 and CVE-2023-39325. This policy applies to the build or deploy life cycle stage.
Currently, RHACS does not support alerts for security policy violations for containers running with the default seccomp profile (`Unconfined`). Alert violations for `Unconfined` seccomp profiles are generated only if the `seccomp` profile is explicitly set to "Unconfined" in the container specification. No workaround exists. (ROX-13490)
Image | Description | Current version
---|---|---
Main | Includes Central, Sensor, Admission controller, and Compliance. Also includes | 
Scanner | Scans images and nodes. | 
Scanner DB | Stores image scan results and vulnerability definitions. | 
Collector | Collects runtime activity in Kubernetes or OpenShift Container Platform clusters. | 