registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.3.8
Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. Red Hat Advanced Cluster Security for Kubernetes deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.
| RHACS version | Released on |
|---|---|
| | 15 November 2023 |
| | 11 December 2023 |
| | 8 January 2024 |
| | 16 January 2024 |
| | 22 January 2024 |
| | 13 March 2024 |
| | 27 March 2024 |
| | 13 May 2024 |
| | 11 June 2024 |
This release adds improvements related to the following components and concepts.
RHACS support has been increased for the following hardware and software:
Red Hat OpenShift on IBM Cloud: You can now protect Red Hat OpenShift on IBM Cloud by using RHACS. With this release, you can run secured clusters on Red Hat OpenShift on IBM Cloud.
IBM Power and IBM Z: RHACS Central Services are now supported on IBM Power and IBM Z.
Red Hat OpenShift Service on AWS: RHACS is supported on ROSA hosted control plane (HCP) enabled clusters.
Red Hat OpenShift: This release is supported with OpenShift Container Platform 4.14.
For more information, see the Red Hat Advanced Cluster Security for Kubernetes Support Matrix.
With this release, the Vulnerability Reporting option under the Vulnerability Management (2.0) menu is generally available. Several enhancements have been made to vulnerability reporting, including the ability to customize email templates that are used when reports are sent. For more information, see Vulnerability Reporting.
Reports created in the Vulnerability Management 1.0 → Reporting page are automatically migrated. For more information, see Migration of vulnerability reports when upgrading to RHACS version 4.3 and later.
The ability to mark an image as watched has been migrated from the Vulnerability Management (1.0) menu item to Vulnerability Management 2.0. Watched images are still scanned for vulnerabilities even when not in use by an active deployment.
For more information, see Scanning inactive images.
With this release, RHACS introduces an administration events dashboard that lets you efficiently manage and troubleshoot events within your RHACS instance, improving its reliability and security.
For more information, see Using the administration events page.
You can now scan images stored in image registries, including cluster local registries such as the OpenShift Container Platform integrated image registry, by using the roxctl CLI.
For more information, see Image scanning by using the roxctl CLI.
You can now invite users and define their roles to ensure accurate access control and improve the security of your RHACS instance.
For more information, see Inviting users to your RHACS instance.
When audit logging is enabled, audit log messages now include the source IP address of the audit log request. For more information, see Enabling audit logging.
The default policy "Iptables Executed in Privileged Container" has been renamed to "Iptables or nftables Executed in Privileged Container" and now also detects the nft process that is used by nftables.
Risk reprocessing has been changed from potentially being computed every 15 seconds to every 10 minutes. This improves system performance by debouncing expensive risk calculations. To use the earlier value for risk reprocessing, set the environment variable ROX_RISK_REPROCESSING_INTERVAL to 15s.
In the past several RHACS releases, we have optimized and enhanced RHACS features and functionality available in the Vulnerability Management (1.0) menu item and migrated them to the Vulnerability Management (2.0) menu item.
The existing page for Risk Acceptance in the Vulnerability Management (1.0) menu item will be migrated to the Vulnerability Management (2.0) menu item in an upcoming release. It will be renamed Vulnerability Exception Management.
We invite you to review the existing features in the Vulnerability Management (2.0) menu item and give us feedback by clicking the red Feedback button in the RHACS web portal.
Some features available in earlier releases have been deprecated or removed.
Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional information about some removed or deprecated functionality is available after the table.
In the table, features are marked with the following statuses:
GA: General Availability
TP: Technology Preview
DEP: Deprecated
REM: Removed
NA: Not applicable
| Feature | RHACS 4.1 | RHACS 4.2 | RHACS 4.3 |
|---|---|---|---|
| CIS Docker v1.2.0 Compliance Standard | NA | DEP | DEP |
| Custom Security Context Constraints (SCCs): | DEP | DEP | REM |
| Examining images for Application-level dependencies for vulnerability reporting: | DEP | DEP | REM |
| | DEP | DEP | REM |
| | NA | DEP | DEP |
| | NA | DEP | DEP |
| | NA | NA | DEP |
| | NA | NA | DEP |
| | NA | NA | DEP |
| | NA | NA | DEP |
| | NA | NA | DEP |
| | DEP | DEP | REM |
| | DEP | DEP | REM |
| Vulnerability Management (1.0) menu item | GA | GA | DEP |
| Vulnerability Management (1.0): Image CVEs, Image Components, Images, Deployments, and Namespaces | DEP | DEP | REM |
| Vulnerability Management (1.0) → Vulnerability Reporting page | DEP | DEP | REM |
| | DEP | DEP | REM |
| | GA | DEP | DEP |
| | DEP | DEP | REM |
The following section provides additional information about deprecated features listed in the preceding table.
The Vulnerability Management (1.0) menu item in the RHACS web portal has been deprecated and future removal is planned. It is replaced by Vulnerability Management (2.0).
The /v1/cve/requests APIs have been deprecated and will be replaced by /v2/vulnerability-exceptions/ APIs in the future.
Vulnerability deferral management for host (/node) and platform (/cluster) vulnerabilities has been deprecated and will be removed in the future. After deferral management is removed, deferrals cannot be created for host and platform vulnerabilities, and the existing exceptions enforced on host and platform vulnerabilities will be reverted. The affected APIs are /v1/nodecves/suppress, /v1/nodecves/unsuppress, /v1/clustercves/suppress, and /v1/clustercves/unsuppress.
Release date: 15 November 2023
Fixed the diagnostic bundle generation returning an incomplete .zip file when the connection to a secured cluster is lost.
Fixed an issue with the Sensor upgrade tool failing to upgrade from earlier versions on OpenShift Container Platform clusters.
In some cases, Common Vulnerabilities and Exposures (CVEs) that were deferred and approved were not added to the list of snoozed CVEs. This behavior was caused by an issue with the /v1/suppress and /v1/unsuppress APIs and has been fixed.
Fixed file search in the ca-setup.sh file that is used to configure additional Certificate Authorities (CAs). Previously, the script could not find any files in the directory, even with the correct .crt and .pem extensions.
Release date: 11 December 2023
Fixed an issue where a user could not log in if a role mapped to the user did not have at least read access for the Access permission.
Fixed an issue with editing user-defined vulnerability reports in version 4.3 that were created in a previous version and linked to a specific report scope. When editing the report in version 4.3, the report scope reference was missing, and the system returned an error message.
Updated and removed golang dependencies to address reported vulnerabilities, including false positives.
Release date: 8 January 2024
Fixed an issue with manual delegated scanning that caused Central to crash.
Fixed PostgreSQL vulnerabilities in scanner-db containers.
Release date: 16 January 2024
This release contains updates to the versions of golang and go-git used in RHACS.
Release date: 22 January 2024
This release contains the following bug fixes and enhancements.
The following fixes and enhancements for integration with Jira and Jira Cloud are implemented:
The priority is now correctly set on Jira issues created by RHACS.
The RHACS integration with Jira Cloud can successfully be created.
The default priority mappings in the integration creation page in the RHACS portal have been updated to match the default Jira priorities.
Checks were added for integration creation to minimize the risk that issue creation will fail after the integration is saved.
A checkbox was added to give you the option to disable setting the priority.
A TLS certificate rotation fix is included. In the past, the Operator attempted to rotate TLS certificates for Central components only after they expired. Additionally, a bug prevented update of the expired certificate in the central-tls secret. With this fix, the Operator will rotate all Central components' service TLS certificates 6 months before they expire. The following conditions apply:
The rotation of certificates in the secrets does not trigger the components to automatically reload them. However, reloads typically occur when the pod is replaced as part of an RHACS upgrade or as a result of node reboots. If neither of those events happens at least every 6 months, you must restart the pods before the old (in-memory) service certificates expire. For example, you can delete the pods with an app label that contains one of the values central, central-db, scanner, or scanner-db.
CA certificates are not updated. They are valid for 5 years.
The service certificates in the init bundles used by secured cluster components are not updated. You must rotate the init bundles at regular intervals.
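As an added example (not from the release notes or the RHACS project), the following script identifies which Central-side pods still hold a pre-rotation service certificate in memory by comparing each pod's start time with the notBefore date of the certificate currently in the secret. It assumes the certificate is stored under the cert.pem key of the central-tls secret in the stackrox namespace (the oc and openssl commands that would feed it are in comments), and the 180-day estimate is derived from the 6-month rotation lead described above; all input below is constructed.

```python
import json
from datetime import datetime, timezone

# Pods that load their service certificate from central-tls at start-up (per the note).
CENTRAL_APPS = {"central", "central-db", "scanner", "scanner-db"}
# Rotation happens 6 months before expiry, so the old in-memory cert lives ~180 more days (assumed).
ROTATION_LEAD_DAYS = 180

def parse_openssl_startdate(line):
    """Parse openssl output 'notBefore=Jan 22 10:00:00 2024 GMT' into an aware datetime."""
    value = line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def iso_to_dt(value):
    """Parse Kubernetes RFC 3339 timestamps such as 2024-01-10T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_pods(pods_json, cert_not_before):
    """Return (name, app) of Central-side pods started before the secret's cert was issued."""
    stale = []
    for pod in json.loads(pods_json)["items"]:
        app = pod["metadata"].get("labels", {}).get("app")
        start = pod.get("status", {}).get("startTime")
        # A pod started before the new cert was issued still serves the previous one.
        if app in CENTRAL_APPS and start and iso_to_dt(start) < cert_not_before:
            stale.append((pod["metadata"]["name"], app))
    return stale

def days_until_old_cert_expires(cert_not_before, now):
    """Estimated days left before the pre-rotation certificate expires."""
    return ROTATION_LEAD_DAYS - (now - cert_not_before).days

# Constructed sample input standing in for (secret key name is an assumption):
#   oc -n stackrox get secret central-tls -o jsonpath='{.data.cert\.pem}' | base64 -d \
#     | openssl x509 -noout -startdate
#   oc -n stackrox get pods -o json
SAMPLE_STARTDATE = "notBefore=Jan 22 10:00:00 2024 GMT"
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "central-7d9c", "labels": {"app": "central"}},
     "status": {"startTime": "2024-01-10T08:00:00Z"}},
    {"metadata": {"name": "central-db-51f0", "labels": {"app": "central-db"}},
     "status": {"startTime": "2024-02-01T12:30:00Z"}},
    {"metadata": {"name": "scanner-a1b2", "labels": {"app": "scanner"}},
     "status": {"startTime": "2024-01-01T00:00:00Z"}},
    {"metadata": {"name": "sensor-c3d4", "labels": {"app": "sensor"}},
     "status": {"startTime": "2023-12-01T00:00:00Z"}},
]})

if __name__ == "__main__":
    issued = parse_openssl_startdate(SAMPLE_STARTDATE)
    for name, app in stale_pods(SAMPLE_PODS, issued):
        print(f"{name} (app={app}) started before {issued:%Y-%m-%d}: restart it")
```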
Release date: 13 March 2024
This release provides the following bug fix:
Fixed an issue where an upgrade to version 4.3 from an earlier version caused the Central component to enter a crash loop.
It provides the following security fixes:
pgx: SQL Injection via Protocol Message Size Overflow (CVE-2024-27304)
pgx: SQL Injection via Line Comment Creation (CVE-2024-27289)
Release date: 27 March 2024
This release provides the following bug fix:
Fixed an issue where an incorrectly configured Jira notifier caused the Central component of RHACS to enter a crash loop.
It provides the following security fix where an image is flagged due to an indirect dependency of RHACS:
go-git: Maliciously crafted Git server replies can lead to path traversal and remote code execution (RCE) on go-git clients (CVE-2023-49569)
It also provides the following security fixes:
Helm: Missing YAML content leads to panic (CVE-2024-26147)
Helm: Shows secrets with --dry-run option in clear text (CVE-2019-25210)
Release date: 13 May 2024
This release provides the following bug fixes:
This release fixes an issue where the Central pod failed with a SQLSTATE 23503 error after updating RHACS to release 4.3.6. This resulted in the collector pods showing the CrashLoopBackoff state because the collector probe was unavailable.
This release updates the Scanner baseline vulnerability data to address changes made to the Red Hat security data feeds that were not compatible with earlier data from Scanner’s scheduled feed processing. This fixes various issues where vulnerabilities were detected for images containing packages that were incorrectly indicated as affected by a vulnerability.
This release fixes a crash and rendering error in the network graph that occurs when Central is running an RHACS release of 4.3.6 or earlier and Sensor is running an RHACS release of 4.4.0 or later.
This release provides the following change:
The default telemetry endpoint is now set to a Red Hat proxy.
This release updates the following items to patch vulnerabilities:
Go has been updated to release 1.20.12.
The golang.org/x/net module has been updated from release v0.22.0 to v0.23.0.
Release date: 11 June 2024
This release contains updates to patch vulnerabilities, including the following update:
webpack-dev-middleware has been updated from version 5.3.3 to version 5.3.4.
The following Scanner packages have been updated:
github.com/containers/image/v5 from v5.28.0 to v5.29.3
github.com/docker/docker from v24.0.7 to v24.0.9
RHACS version 4.2 introduced additional logic that considers the socket connection state to decide whether Collector reports a connection or not. The expected behavior is that the connection is not reported until it is successfully established. A known issue on the ppc64le architecture can cause a blocked or failing connection to be reported instead of being silenced. No workaround exists for this issue.
RHACS Central components do not deploy correctly on a default ROSA cluster. The workaround is to scale the worker nodes to allow the RHACS components to be scheduled. See RHACS Central pods do not schedule on a default ROSA cluster for more information.
| Image | Description | Current version |
|---|---|---|
| Main | Includes Central, Sensor, Admission controller, and Compliance. Also includes | |
| Scanner | Scans images and nodes. | |
| Scanner DB | Stores image scan results and vulnerability definitions. | |
| Collector | Collects runtime activity in Kubernetes or OpenShift Container Platform clusters. | |
| Central DB | PostgreSQL instance that provides the database storage for Central. | |