Red Hat Advanced Cluster Security for Kubernetes Support Policy
Red Hat Advanced Cluster Security for Kubernetes (Red Hat Advanced Cluster Security or ACS) provides the tools and capabilities to address the security needs of a cloud-native development approach on Kubernetes. The ACS solution offers visibility into the security of your cluster, vulnerability management, and security compliance through auditing, network segmentation awareness and configuration, security risk profiling, security-related configuration management, threat detection, and incident response. In addition, ACS lets you pull the actions from that tooling deep into the application code development process through APIs. These security features represent the primary work any developer or administrator faces as they work across a range of environments, including multiple datacenters, private clouds, or public clouds that run Kubernetes clusters.
Using Red Hat Advanced Cluster Security for Kubernetes (Red Hat Advanced Cluster Security), you can gain comprehensive Kubernetes security that includes the following use cases:
- Visibility: See your entire landscape of images, registries, containers, deployments, and runtime behavior.
- Vulnerability Management: Identify and remediate vulnerabilities in both container images and Kubernetes across the entire software development life cycle.
- Compliance: Audit your systems against CIS Benchmarks, NIST, PCI, and HIPAA, with interactive dashboards and one-click audit reports.
- Network Segmentation: Visualize existing connections and enforce tighter segmentation using Kubernetes-native controls to reduce your blast radius.
- Risk Profiling: See all your deployments ranked by risk level, using context from Kubernetes’ declarative data, to prioritize remediation.
- Configuration Management: Apply best practices for Docker and Kubernetes to harden your environment for a more secure and stable application.
- Threat Detection: Use rules, automated allow lists, and baselining to accurately identify suspicious activity in your running applications.
- Incident Response: Take action, from failing builds and blocking deployments to killing pods and thwarting attacks, using Kubernetes for enforcement.
Supported Platforms for Red Hat Advanced Cluster Security for Kubernetes
Red Hat Advanced Cluster Security has 2 main architectural components with sub components:
- A server component called the “Central” where the scanner, persistent storage, API server, and user interface are running.
- A distributed framework wherein a “Collector” is run on each node inside the clusters, a single “Sensor” is run on each managed cluster, and a single “Admission Controller” is run on each managed cluster. These are the 3 components that are installed on all Kubernetes clusters that will be managed by the “Central”.

| Managed Services Platform | Supported for Central | Supported for Secured Clusters |
|---|---|---|
| Red Hat OpenShift Dedicated (OSD) | Yes | Yes |
| Azure Red Hat OpenShift (ARO) | Yes | Yes |
| Red Hat OpenShift Service on AWS (ROSA) | Yes | Yes |
| Amazon Elastic Kubernetes Service (Amazon EKS) | Limited | Yes |
| Google Kubernetes Engine (Google GKE) | Limited | Yes |
| Microsoft Azure Kubernetes Service (Microsoft AKS) | Limited | Yes |

| Self-Managed Platform | Supported for Central | Supported for Secured Clusters |
|---|---|---|
| Red Hat OpenShift Container Platform (OCP) 4.x* | Yes | Yes |
| Red Hat OpenShift Kubernetes Engine (OKE) 4.x | No | Yes |

| Supported Architectures | Supported for Central | Supported for Secured Clusters |
|---|---|---|
| ppc64le (IBM Power) | No | Yes (OpenShift Container Platform version 4.12 only) |
| s390x (IBM zSystems and IBM® LinuxONE) | No | Yes (OpenShift Container Platform versions 4.10 and 4.12 only) |

Support is provided for Red Hat Advanced Cluster Security for Kubernetes (ACS) software versions up to 6 months after they are released. You may be requested to upgrade to a newer released version of RHACS for full support when you fall outside of that timeline.
The Red Hat Advanced Cluster Security for Kubernetes Life Cycle dates are described here:
Note: For RHACS 3.74, an additional 3 months of maintenance support was added to this release, extending the original support from August 27, 2023 to November 27, 2023 to allow customers more time to migrate to RHACS 4.0. During this time, only qualified Critical and Important Security Advisories (RHSAs) and Urgent and Selected High Priority Bug Fix Advisories (RHBAs) will be released as they become available. Other Bug Fix (RHBA) and Enhancement (RHEA) Advisories may be released at Red Hat's discretion, but should not be expected.
Support Acquisition Information
Red Hat Advanced Cluster Security for Kubernetes (ACS) is an acquired offering. Should you have an existing support relationship with StackRox, that will be honored for its duration. Existing customers of StackRox at the time of the acquisition are grandfathered into their existing supported platforms as explained in the StackRox documentation.
- The availability of support for any platform may be subject to the overarching platform life cycle and end of life dates.
- Advanced Cluster Security for Kubernetes (ACS) Central is tested, qualified and fully supported exclusively on Red Hat OpenShift 4. Deployment and use of Central on non-OpenShift 4 environments is possible; support is limited to the ACS product software and not the underlying infrastructure provider. As part of diagnosing and isolating the issue, customers could be required to reproduce issues on an OpenShift 4 environment. In the event of an issue being specific to a provider and cluster which is not OpenShift 4, Red Hat provides commercially reasonable support to isolate issues. Customers may be expected to open a case with their respective provider. Please see the Red Hat 3rd party support policy.
- Advanced Cluster Security for Kubernetes (ACS) is supported as a self-managed add-on for managed OpenShift services which meet the installation and sizing prerequisites for ACS. The deployment and management of ACS components do not fall within the service description for the managed service, and as such ACS would not be included in the SRE Service.