Red Hat Advanced Cluster Security for Kubernetes Support Matrix
Foreword
Red Hat Advanced Cluster Security for Kubernetes Support Policy defines general support terms and lifecycle policy for RHACS releases. Since RHACS is a distributed system with various internal and external dependencies, this document further details support requirements and supported combinations of RHACS and other software.
Overview
Red Hat Advanced Cluster Security for Kubernetes (RHACS or ACS) provides the tools and capabilities to address the security needs of a cloud-native development approach on Kubernetes. The RHACS solution offers visibility into the security of your cluster, vulnerability management, and security compliance through auditing, network segmentation awareness and configuration, security risk profiling, security-related configuration management, threat detection, and incident response. In addition, ACS lets you apply security policies in the application code development process through the CLI and APIs. These security features represent the primary work any developer or administrator faces as they work across a range of Kubernetes environments, including multiple datacenters, private clouds, or public clouds.
RHACS Architecture overview
RHACS consists of two logical groups of services: Central Services and Secured Cluster Services. Central provides the policy and violation management interface, data persistence and image scanning. Secured Cluster provides components for monitoring cluster and workload activity and enforcing security policies. Central is typically installed on one cluster with multiple Secured Clusters connected to it. More information is available in the Product Architecture page of RHACS documentation.
RHACS Cloud Service (RHACS CS or Cloud Service) is a Red Hat offering where Central is deployed to Red Hat managed infrastructure, and is upgraded, monitored and managed by Red Hat Software Engineering and Site Reliability Engineering (SRE) teams. More information is available in the RHACS CS Service Description page of RHACS documentation.
RHACS Secured Cluster services work with either self-managed RHACS Central or with an instance of RHACS CS. In both cases Secured Cluster is the same set of components which are deployed, upgraded and managed by the customer.
New versions and patches for RHACS Secured Cluster and self-managed Central are released simultaneously. The list of currently supported RHACS versions is available in the RHACS Support Policy document.
RHACS Central and Secured Cluster compatibility
The Secured Cluster hardware architecture does not need to match Central hardware architecture. A common Central instance can connect with multiple Secured Clusters with the same or different hardware architectures.
Secured Cluster versions with self-managed Central
Use of any Secured Cluster version currently supported by Red Hat connected to a self-managed Central is supported. However, when Secured Cluster and Central versions don't match, newer product features may not function. That is, functioning is guaranteed only for features that were present in the older of the two versions (Central and the connected Secured Cluster). Therefore, Red Hat recommends maintaining Secured Cluster components at the same version as the self-managed Central they are connected to for optimal compatibility.
Red Hat does not recommend upgrading Secured Clusters ahead of Central.
Secured Cluster versions with RHACS CS
Use of any Secured Cluster versions currently supported by Red Hat connected to a RHACS CS instance is supported. However, only the use of the most recent version of the Secured Cluster ensures functioning of all features. Red Hat recommends enabling automatic upgrades for Secured Clusters connected to RHACS CS.
RHACS compatibility with different Kubernetes platforms
Kubernetes Platform[2] | Supported for Self-managed Central | Supported for Secured Clusters |
---|---|---|
Red Hat OpenShift Container Platform (OCP) 4.x | Yes[3] | Yes[3] |
Red Hat OpenShift Kubernetes Engine (OKE) 4.x | No | Yes |
Red Hat OpenShift Dedicated (OSD) | Yes[4] | Yes[4] |
Azure Red Hat OpenShift (ARO) | Yes[4] | Yes[4] |
Red Hat OpenShift Service on AWS (ROSA) | Yes[4, 9] | Yes[4] |
Amazon Elastic Kubernetes Service (Amazon EKS) | Limited[5] | Yes |
Google Kubernetes Engine (Google GKE) | Limited[5] | Yes |
Microsoft Azure Kubernetes Service (Microsoft AKS) | Limited[5] | Yes |
IBM Red Hat OpenShift Kubernetes Service/Red Hat OpenShift on IBM Cloud (ROKS/RHOIC) | Yes[9] | Yes |
Upgradability
RHACS self-managed Central and RHACS Secured Cluster can be upgraded by skipping intermediate versions (e.g. 4.0 -> 4.2) with the following constraints.
- Central upgrades from versions 3.x to 4.x must be done by first upgrading 3.x to 3.74, then from 3.74 to 4.0 and then from 4.0 to the desired version.
- When upgrading manifest-based installations, manual instructions must be followed.
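The hop constraint above and the version-skew rule from the "Secured Cluster versions with self-managed Central" section, as an added Python example (not Red Hat tooling and not part of this document). The function names, cluster names and sample versions are constructed, and rejecting downgrades is an assumption because the document does not cover them.

```python
def parse(version):
    """'v4.2.1' or '4.2' -> (4, 2); the patch level is ignored."""
    major, minor = version.lstrip("v").split(".")[:2]
    return int(major), int(minor)


def fmt(v):
    return f"{v[0]}.{v[1]}"


def central_upgrade_hops(current, target):
    """Ordered versions Central must pass through, ending at target."""
    cur, tgt = parse(current), parse(target)
    if tgt < cur:
        raise ValueError("downgrade requested (assumption: rejected)")
    if tgt == cur:
        return []
    hops = []
    if cur[0] == 3 and tgt[0] >= 4:
        # 3.x -> 4.x: first 3.74, then 4.0, then the desired version.
        hops = [h for h in [(3, 74), (4, 0)] if h > cur]
    if not hops or hops[-1] != tgt:
        hops.append(tgt)  # otherwise intermediate versions may be skipped
    return [fmt(h) for h in hops]


def skew_report(central, secured):
    """Map cluster name -> (status, version whose features are guaranteed)."""
    c = parse(central)
    report = {}
    for name, version in secured.items():
        s = parse(version)
        if s == c:
            status = "match"
        elif s < c:
            status = "behind-central"    # newer features may not function
        else:
            status = "ahead-of-central"  # not recommended by Red Hat
        # Features are guaranteed only up to the older of the two versions.
        report[name] = (status, fmt(min(s, c)))
    return report


if __name__ == "__main__":
    fleet = {"prod-east": "4.4", "staging": "4.3", "lab": "4.5"}  # constructed
    print(central_upgrade_hops("3.72", "4.5"))
    print(skew_report("4.4", fleet))
```

The check compares versions only; whether each version is still supported by Red Hat has to be confirmed against the RHACS Support Policy document.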
Supported browsers
RHACS browser support complies with Red Hat policy, which specifies that we support recent versions of the following browsers:
- Google Chrome
- Mozilla Firefox
- Apple Safari
- Microsoft Edge
Support by architecture
RHACS support for OpenShift Container Platform[1] - x86_64
RHACS version | OpenShift version supported for Central | OpenShift version supported for Secured Clusters |
---|---|---|
ACS v3.74 | 4.9 - 4.13 | 4.9 - 4.13 |
ACS v4.0 | 4.10 - 4.13 | 4.10 - 4.13 |
ACS v4.1 | 4.10 - 4.14 | 4.10 - 4.14 |
ACS v4.2 | 4.11 - 4.14 | 4.11 - 4.14 |
ACS v4.3 | 4.11 - 4.15 | 4.11 - 4.15 |
ACS v4.4 | 4.12 - 4.16 | 4.12 - 4.16[7] |
ACS v4.5 | 4.12 - 4.17 | 4.12 - 4.17 |
RHACS support for OpenShift Container Platform[1,8] - ppc64le (IBM Power)
RHACS version | OpenShift version supported for Central | OpenShift version supported for Secured Clusters |
---|---|---|
ACS v3.74 | No | 4.12 - 4.13 |
ACS v4.0 | No | 4.12 - 4.13 |
ACS v4.1 | No | 4.12 - 4.14 |
ACS v4.2 | No | 4.12 - 4.14 |
ACS v4.3 | 4.12 - 4.15 | 4.12 - 4.15 |
ACS v4.4 | 4.12 - 4.16 | 4.12 - 4.16[7] |
ACS v4.5 | 4.13 - 4.17 | 4.13 - 4.17 |
RHACS support for OpenShift Container Platform[1] - s390x (IBM Z and IBM® LinuxONE)
RHACS version | OpenShift version supported for Central | OpenShift version supported for Secured Clusters |
---|---|---|
ACS v3.74 | No | 4.12 - 4.13 |
ACS v4.0 | No | 4.12 - 4.13 |
ACS v4.1 | No | 4.12 - 4.14 |
ACS v4.2 | No | 4.12 - 4.14 |
ACS v4.3 | 4.12 - 4.15 | 4.12 - 4.15 |
ACS v4.4 | 4.12 - 4.16 | 4.12 - 4.16[7] |
ACS v4.5 | 4.12 - 4.17 | 4.12 - 4.17 |
Database Scope of Coverage
Starting with RHACS 4.4, RHACS can be installed with one of two mutually exclusive database options:
- Database installed by RHACS
- Customer-provided database (new in 4.4)
Database installed by RHACS
This database consists of an instance of Red Hat PostgreSQL installed via RHACS installation methods. This instance runs as a pod on the same cluster as the RHACS Central services and uses the official RHACS PostgreSQL database image. This is the default installation option.
Customer-provided database
This is an external PostgreSQL-compatible database that is provided by the customer. It may be deployed on or off-cluster: on bare metal, virtual machine, or as a cloud hosted service. For the best performance, it is recommended to run the database near the RHACS Central services. When RHACS Central services are installed, the database connection string and credentials need to be provided.
A customer-provided database must be a PostgreSQL-compatible database of the appropriate version for the installed version of RHACS. See the RHACS external DB documentation for requirements. The external database must be deployed before installing RHACS.
The above options carry the following scope of support:
Scope of support | RHACS-Provided[6] | Customer-Provided |
---|---|---|
RHACS configuration and operation connected to the database | Yes | Yes |
Backup and restore | Yes | 3rd Party Support[5] |
Performance diagnosis and potential tuning | Yes | 3rd Party Support[5] |
Software and version upgrades | Yes | 3rd Party Support[5] |
HA/DR operation | No | 3rd Party Support[5] |
Footnotes
1. The currently supported versions of Red Hat Advanced Cluster Security are supported on all currently supported versions of Red Hat OpenShift Container Platform. For example, if Red Hat Advanced Cluster Security 4.2 is deployed on Red Hat OpenShift Container Platform 4.10 and Red Hat OpenShift Container Platform 4.10 is End of Life, but Red Hat Advanced Cluster Security 4.2 is still supported, Red Hat will not test this combination and will not provide fixes related to this combination.
OpenShift Container Platform EUS Term 2 is not covered.
2. The availability of support for any platform may be subject to the overarching platform life cycle and end of life dates.
3. A detailed support matrix for Red Hat OpenShift Container Platform versions and Red Hat Advanced Cluster Security for Kubernetes is given below in the Support by architecture section.
4. Advanced Cluster Security for Kubernetes (ACS) can be purchased as a managed (ACS CS) or self-managed add-on for managed OpenShift services which meet the installation and sizing pre-reqs for ACS. With the self-managed add-on, the deployment and management of ACS Central and Secured services do not fall within the service description for the managed service, and as such ACS would not be included in the SRE Service.
5. Advanced Cluster Security for Kubernetes (ACS) Central is tested, qualified and fully supported exclusively on Red Hat OpenShift 4. Deployment and use of Central on non-OpenShift 4 environments is possible; support is limited to the ACS product software and not the underlying infrastructure provider. As part of diagnosing and isolating the issue, customers could be required to reproduce issues on an OpenShift 4 environment. In the event of an issue being specific to a provider and cluster which is not OpenShift 4, Red Hat provides commercially reasonable support to isolate issues. Customers may be expected to open a case with their respective provider. Please see the Red Hat 3rd party support policy.
6. Upgrading or customizing your database manually outside a full platform upgrade renders the database customer-provided and limits the supportability as such.
7. With the eBPF collection method, ACS 4.4 supports OpenShift version 4.16 starting from 4.4.3. With the CORE_BPF collection method, ACS 4.4 supports OpenShift version 4.16 starting from 4.4.0.
8. OpenShift Container Platform 4.12 is now End of Life on IBM Power. If you are using ACS on OpenShift Container Platform 4.12 on Power, Red Hat recommends that you update to OpenShift Container Platform 4.13 or later.
9. RHACS Central components do not deploy correctly on a default ROSA or ROKS/RHOIC cluster. The workaround is to scale the worker nodes to allow the RHACS components to be scheduled. For more information, see RHACS Central pods do not schedule on a default ROSA cluster.