Red Hat Advanced Cluster Security for Kubernetes (RHACS) 3.66 includes feature enhancements, bug fixes, scale improvements, and other changes.
Release date: October 19, 2021
You can now identify misconfigurations in your OpenShift Container Platform deployment configuration files by running the `roxctl deployment check` command in your CI pipeline.
Red Hat Advanced Cluster Security for Kubernetes now identifies if a component is in use by a process at runtime and then asserts that component as an active component.
You can now configure tolerations for Central, Scanner, ScannerDB, Sensor, and Admission Controller in Red Hat Advanced Cluster Security for Kubernetes by using Helm charts and the RHACS Operator.
You can now disable the automatic administrator password generation for Central by specifying `adminPasswordGenerationDisabled` as `true` in the RHACS Operator configuration.
ROX-7912: Previously, Red Hat Advanced Cluster Security for Kubernetes reported CVE-2019-9893 as both fixable and not fixable. This has been fixed.
ROX-7414 and ROX-5180: Previously, Central and Sensor sometimes consumed all available memory, and their pods stopped with `OOMKilled` status. The high memory consumption was caused by resource-intensive evaluation of roles, bindings, and service accounts. This issue has been fixed.
ROX-7978: Previously, Central sometimes crashed if you sent build-time notifications by using the Syslog protocol. This has been fixed.
ROX-8055: Previously, the downloading of runtime probes failed in IPv6-only environments. This has been fixed.
ROX-8093: Previously, the Red Hat Advanced Cluster Security for Kubernetes portal would sometimes show an error message under the MITRE ATT&CK section. This has been fixed.
In Red Hat Advanced Cluster Security for Kubernetes 3.66, Red Hat has deprecated the following default security policies:
DockerHub NGINX 1.10
Shellshock: Multiple CVEs
Heartbleed: CVE-2014-0160
Red Hat has deprecated the Alpine-based images of Red Hat Advanced Cluster Security for Kubernetes. All images are now based on Red Hat Universal Base Image (UBI).
The admission controller settings for the RHACS Operator now listen to both `update` and `create` events by default.
You can no longer delete the default security policies on fresh installations of Red Hat Advanced Cluster Security for Kubernetes 3.65 or newer. However, if you upgrade from an older version to 3.65 or newer, you can still delete the default security policies.
In Red Hat Advanced Cluster Security for Kubernetes 3.66:
the Analyst permission set and role do not contain the `DebugLogs` permission.
the Mount Docker Socket policy is renamed to Mount Container Runtime Socket. This policy also detects if a deployment mounts the CRI-O socket for both Kubernetes and OpenShift Container Platform.
the Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches policy is disabled by default.
The `roxctl` CLI now supports command-line completion for `bash`, `zsh`, `fish`, and PowerShell.
Image | Description | Current version |
---|---|---|
Main | Includes Central, Sensor, Admission Controller, and Compliance. Also includes | registry.redhat.io/rh-acs/main:3.66.1 |
Scanner | Scans images and nodes. | registry.redhat.io/rh-acs/scanner:2.20.0 |
Scanner DB | Stores image scan results and vulnerability definitions. | registry.redhat.io/rh-acs/scanner-db:2.20.0 |
Collector | Collects runtime activity in Kubernetes or OpenShift Container Platform clusters. | registry.redhat.io/rh-acs/collector:3.4.1-latest |