Release notes
Abstract
Highlights what is new and what has changed with Red Hat Advanced Cluster Security for Kubernetes releases
Chapter 1. Red Hat Advanced Cluster Security for Kubernetes 3.72
Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across build, deploy, and runtime stages of the application lifecycle. It deploys in your infrastructure and integrates with your DevOps tooling and workflows to deliver better security and compliance and to enable DevOps and InfoSec teams to operationalize security.
Table 1.1. Release dates
RHACS version | Released on |
---|---|
3.72.0 | 26 September 2022 |
3.72.1 | 20 October 2022 |
3.72.2 | 1 December 2022 |
3.72.3 | 12 January 2023 |
3.72.4 | 6 March 2023 |
1.1. About this release
RHACS 3.72 includes:
- Automatic removal of nonactive clusters from RHACS
- Support for non-authenticated email integration
- Support for Quay robot accounts
- Ability to view Dockerfile lines in images that introduced components with Common Vulnerabilities and Exposures (CVEs)
- Network graph improvements
- Scanning support for Red Hat Enterprise Linux 9
- Policy for CVEs with fixable CVSS of 6 or greater disabled by default
- Additional feature enhancements and bug fixes
1.2. New features
1.2.1. Automatic removal of nonactive clusters from RHACS
RHACS provides the ability to configure your system to automatically remove nonactive clusters from RHACS so that you can monitor active clusters only. Note that only clusters that were installed and performed a handshake with Central at least one time are monitored initially. If this feature is enabled, when Central has been unable to reach Sensor in a cluster for the period of time configured in the Decommissioned cluster age field, the cluster is considered nonactive in RHACS. Central will then no longer monitor nonactive clusters. You can configure the Decommissioned cluster age field in the Platform Configuration → System Configuration page. When configuring this feature, you can add a label for the cluster so that RHACS continues to monitor the cluster even if it becomes nonactive. For more information, see Configuring automatic removal of nonactive clusters from RHACS.
1.2.2. Support for unauthenticated email integration
RHACS now supports unauthenticated SMTP for email integrations. This is insecure and not recommended. However, you might need to use unauthenticated SMTP for some integrations; for example, if you use an internal server for notifications that does not require authentication. For more information, see Configuring the email plug-in.
1.2.3. Support for Quay robot accounts
RHACS now supports use of robot accounts in quay.io integrations. You can create robot accounts in Quay that allow you to share credentials for use in multiple repositories. Robot accounts authenticate with the Quay Container Registry and replace OAuth tokens, which are deprecated by Quay. For more information, see Manually configuring Quay Container Registry.
1.2.4. Ability to view Dockerfile lines in images that introduced components with Common Vulnerabilities and Exposures (CVEs)
In the Images view, under Image Findings, you can view individual lines in the Dockerfile that introduced the components that have been identified as containing CVEs. To view this information, locate the CVE from the list of CVEs provided in the Image Findings page. In the Affected Components column, click on the <number> components link. You can expand the display to show the line where the component was introduced that contains the CVE. For more information, see Identifying Dockerfile lines in images that introduced components with CVEs.
1.2.5. Network graph improvements
RHACS 3.72 includes the following improvements to the Network Graph:
- The updated legend in the Network Graph shows the symbols and explanatory text together. Before this improvement, the legend required hovering over the symbols representing namespaces, deployments, and connections.
- Sometimes, edges in the graph view did not connect to the nodes they joined and overlapped namespaces. This issue is fixed.
- With this update, RHACS shows the same formatting and interface when you view YAML files. Before this improvement, there were differences in the YAML file viewer instances.
1.2.6. Documentation updates
The RHACS documentation has been updated to include a list of default security policies.
1.3. Notable technical changes
1.3.1. Scanning support for Red Hat Enterprise Linux 9
RHEL 9 is now generally available (GA). RHACS 3.72 introduces support for analyzing images built with Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux (RHEL) 9 RPMs for vulnerabilities.
1.3.2. Policy for CVEs with fixable CVSS of 6 or greater disabled by default
Beginning with this release, the Fixable CVSS >= 6 and Privileged policy is no longer enabled by default for new RHACS installations. The configuration of this policy is not changed when upgrading an existing system. A new policy, Privileged Containers with Important and Critical Fixable CVEs, which gives an alert for containers running in privileged mode that have important or critical fixable vulnerabilities, has been added. The new policy is also in the Deploy lifecycle. Known vulnerabilities make it easier for adversaries to exploit your application, and highly privileged containers pose greater risk. You can fix these high-severity vulnerabilities by updating to a newer version of the affected components or running your container with lower privileges.
1.4. Deprecated and removed features
Some features available in previous releases have been deprecated or removed.
Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, refer to the table below. Additional information about some removed or deprecated functionality is available after the table.
In the table, features are marked with the following statuses:
- GA: General Availability
- TP: Technology Preview
- DEP: Deprecated
- REM: Removed
Table 1.2. Deprecated and removed features tracker
Category | Feature | RHACS 3.70 | RHACS 3.71 | RHACS 3.72 |
---|---|---|---|---|
API | Endpoints: | DEP | DEP | DEP |
API | | GA | DEP | DEP |
API | For more information, see 1 under "Deprecated features." | GA | DEP | DEP |
API | | GA | DEP | DEP |
API | | GA | DEP | DEP |
API | Property retrieval fields for groups. For more information, see 2 under "Deprecated features." | GA | DEP | DEP |
Permissions | For more information, see 3 under "Deprecated features." | GA | GA | DEP |
Permissions | Permissions for permission sets. For more information, see 4 under "Deprecated features." | GA | DEP | DEP |
Tags | Support for violation tags and process tags | DEP | DEP | REM |
Scanning | Support for Ubuntu 21.10 | GA | GA | DEP |
Search Options | For more information, see 5 under "Deprecated features." | GA | GA | DEP |
1.4.1. Deprecated features
This section provides additional information about some of the deprecated features listed in the previous table.
1. /v1/cves/suppress and /v1/cves/unsuppress have been deprecated and will be removed in a future release. After these are removed:
   - Use /v1/imagecves/suppress and /v1/imagecves/unsuppress to snooze and unsnooze image vulnerabilities.
   - Use /v1/nodecves/suppress and /v1/nodecves/unsuppress to snooze and unsnooze node and host vulnerabilities.
   - Use /v1/clustercves/suppress and /v1/clustercves/unsuppress to snooze and unsnooze platform (Kubernetes, Istio, and OpenShift Container Platform) vulnerabilities.
2. Previously, groups were retrieved by using the field props: props.authProviderId, props.key, and props.value. This field will be replaced by the new props.id field. Use the props.id field to retrieve groups in the RHACS API. Note the following:
   - Retrieval by using the props fields will be removed in a future release.
   - Until removal, retrieval by using the props field will work if the result is unambiguous (no more than one group is found with the props field).
3. Permission ClusterCVE is deprecated and will be superseded by the existing permission Cluster.
4. Permissions for permission sets will be grouped for simplification. The following list describes the new permissions and indicates the deprecated permissions that will be removed in a future release:
   - The Access permission will replace the following permissions: AuthProvider, Group, Licenses, Role, and User.
   - The DeploymentExtension permission will replace the following permissions: Indicator, NetworkBaseline, ProcessWhitelist, and Risk.
   - The Integration permission will deprecate the following permissions: APIToken, BackupPlugins, ImageIntegration, Notifier, and SignatureIntegration.
   - The Image permission will replace the permission ImageComponent.
5. The Label and Annotation search options in RHACS are deprecated and will be removed in the RHACS 3.73 release. They will be replaced by the search options listed in the following table.
Table 1.3. Search options
Resource | Deprecated search option | New search option |
---|---|---|
Node | Label | Node Label |
Node | Annotation | Node Annotation |
Namespace | Label | Namespace Label |
Deployment | Label | Deployment Label |
ServiceAccount | Label | Service Account Label |
ServiceAccount | Annotation | Service Account Annotation |
K8sRole | Label | Role Binding Label |
K8sRoleAnnotation | Annotation | Role Binding Annotation |
1.4.2. PodSecurityPolicy (PSP) objects and Kubernetes 1.25
The following changes were made in RHACS to support the removal of PSP objects in Kubernetes 1.25:
- PSP objects are created by default in installations for backward compatibility with Kubernetes versions prior to 1.25. However, you can manually disable PSP creation by setting system.enablePodSecurityPolicies: false in the Helm chart.
- Beginning with RHACS version 3.71, auto-sensing has been added to RHACS Helm charts. If you install RHACS using the Operator or Helm charts, and RHACS detects a Kubernetes version of 1.25 or later, it will not install PSPs. If you are using the roxctl CLI to install RHACS, you need to disable PSP usage by setting the --enable-pod-security-policies flag to false for the roxctl central generate and roxctl sensor generate commands.
Kubernetes users must disable the admission controller plugin for PSPs before upgrading to Kubernetes version 1.25.
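As an added example (not from the RHACS documentation or the roxctl project), the following POSIX shell function applies the auto-sensing rule described above to a roxctl-based install: it takes a Kubernetes server version and picks the value for --enable-pod-security-policies, so that a bundle carrying PSP manifests is never generated for a 1.25 or later cluster. The roxctl subcommand layout in the printed lines (central generate k8s, sensor generate k8s), the kubectl JSON field name, and the trailing ... standing for the other install flags are assumptions.

```sh
#!/bin/sh
# Added example, not from the RHACS docs: mirror the PSP auto-sensing rule for
# roxctl. Kubernetes 1.25 removed the PodSecurityPolicy admission controller,
# so a bundle that still carries PSP manifests fails to apply there; on older
# clusters PSPs remain valid and the flag may stay true.
# psp_flag VERSION -> prints the flag to pass to "roxctl central generate" and
# "roxctl sensor generate". Accepts "1.25", "v1.24.3", "1.26+", "v1.25.4-gke.1".
psp_flag() {
  ver="${1#v}"                       # drop a leading "v"
  major="${ver%%.*}"                 # text before the first dot
  rest="${ver#*.}"                   # text after the first dot
  [ "$rest" != "$ver" ] || rest=""   # no dot at all: no minor version
  minor="${rest%%.*}"                # text before the next dot
  minor="${minor%%[!0-9]*}"          # strip "+" / "-gke" style suffixes
  case "$major.$minor" in
    *[!0-9.]*|.*|*.)                 # non-numeric or missing component
      echo "psp_flag: unrecognized Kubernetes version '$1'" >&2
      return 2 ;;
  esac
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 25 ]; }; then
    echo "--enable-pod-security-policies=false"
  else
    echo "--enable-pod-security-policies=true"
  fi
}

# When kubectl can reach a cluster, detect its version and print the two
# generate commands with the right flag; otherwise only the function is defined.
# (Assumption: "kubectl version -o json" lists the server's gitVersion last.)
if command -v kubectl >/dev/null 2>&1 && server=$(kubectl version -o json 2>/dev/null); then
  gitver=$(printf '%s\n' "$server" | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p' | tail -n 1)
  if flag=$(psp_flag "$gitver"); then
    printf 'roxctl central generate k8s %s ...\nroxctl sensor generate k8s %s ...\n' "$flag" "$flag"
  fi
fi
```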
1.4.3. Notice of upcoming RHACS API changes
- CSV export: Beginning in the RHACS 3.73 release, the CSV export API /api/vm/export/csv will require the CVE Type filter as part of the input query parameter. Requests that do not have the filter will return an error. Supported values for CVE Type are IMAGE_CVE, K8S_CVE, ISTIO_CVE, NODE_CVE, and OPENSHIFT_CVE.
- Suppress and unsuppress payloads:
  - The field ids in the /v1/cves/suppress and /v1/cves/unsuppress API payloads will be renamed to cves in the RHACS 3.73 release.
  - The cves.ids field of the storage.VulnerabilityRequest object in the response of VulnerabilityRequestService endpoints will be renamed to cves.cves in the RHACS 3.73 release.
1.5. Known issues
RHACS shows the wrong severity when two severities exist for a single vulnerability in a single distribution. This issue occurs because RHACS scopes severities by namespace rather than component. There is no workaround. It is anticipated that an upcoming release will include a fix for this issue. (ROX-12527)
1.6. Bug fixes
1.6.1. Resolved in version 3.72.0
Release date: 26 September 2022
- Before this update, the steps to configure OpenShift Container Platform OAuth for more than one URI were missing. The documentation has been revised to include instructions for configuring OAuth in OpenShift Container Platform to use more than one URI. For more information, see Creating additional routes for the OpenShift Container Platform OAuth server. (ROX-11296)
- Before this update, the autogenerated image integration for a cluster, such as a Docker registry integration, was not deleted when the cluster was removed from Central. This issue is fixed. (ROX-9398)
- Before this update, the Image OS policy criteria did not support regular expressions (regex). However, the documentation indicated that regular expressions were supported. This issue is fixed by adding support for regular expressions for the Image OS policy criteria. (ROX-12301)
- Before this update, the syslog integration did not respect a configured TCP proxy. This is now fixed.
- Before this update, the scanner-db pod failed to start when a resource quota was set for the stackrox namespace, because the init-db container in the pod did not have any resources assigned to it. The init-db container for ScannerDB now specifies resource requests and limits that match the db container. (ROX-12291)
1.6.2. Resolved in version 3.72.1
Release date: 20 October 2022
- Because of a bug in RHACS 3.72.0, the Collector pods could stop responding and reach a segmentation fault after allocating a memory block for the protocol buffer heap under certain load conditions. The patch release 3.72.1 fixes this issue.
- In RHACS 3.72.0, scheduled vulnerability reports consistently reported zero vulnerabilities, even if there were images with CVEs within the clusters. The patch release 3.72.1 fixes this error and the reports show the correct CVEs.
- In RHACS 3.72.0, when you created a deployment bundle by using the roxctl CLI that explicitly disabled Pod Security Policies (PSP), the generated bundle still created manifests for the PSP. As a result, installing the deployment bundle failed when deploying on Kubernetes versions 1.25 or later. The patch release 3.72.1 correctly disables PSP when you specify --enable-pod-security-policies=false with the roxctl CLI.
1.6.3. Resolved in version 3.72.2
Release date: 1 December 2022
- Before this update, if Central downloaded a corrupted CVE data file, it failed and entered a CrashLoopBackOff state. The patch release 3.72.2 fixes this issue.
1.6.4. Resolved in version 3.72.3
Release date: 12 January 2023
The release of RHACS 3.72.3 addresses the following security vulnerabilities identified in the previous release:
1.6.5. Resolved in version 3.72.4
Release date: 6 March 2023
- This release of RHACS fixes CVE-2022-47629 in the Docker base image.
- Before this update, RHACS did not show runtime data when the secured cluster was running OpenShift Container Platform 4.12. For more information, refer to the Red Hat Knowledgebase article RHACS is not showing runtime data. This issue is now fixed.
- Previously, due to an issue with the alert reconciliation workflow, Central could crash when reconciling stored and new runtime policy violations. RHACS now logs an error when an unexpected runtime process alert occurs. (ROX-15198)
1.7. Image versions
Image | Description | Current version |
---|---|---|
Main | Includes Central, Sensor, Admission Controller, and Compliance. Also includes | |
Scanner | Scans images and nodes. | |
Scanner DB | Stores image scan results and vulnerability definitions. | |
Collector | Collects runtime activity in Kubernetes or OpenShift Container Platform clusters. | |