It's been over two years since Red Hat acquired StackRox, turned it into Red Hat Advanced Cluster Security for Kubernetes (RHACS), and grew it into the Kubernetes security leader it is today. These two years have brought UI improvements and many new features and enhancements (such as the Log4Shell policies, Cosign signature verification at runtime, and the CLI netpol policy workflow), but we're excited to announce the first major release of the Red Hat ACS era!
What to expect from version 4.0!
Version 4.0 is a major product transformation with many feature additions and updates. The architecture and storage change, however, is what warrants a new major version under the semantic versioning specification. Version 4.0 includes the following:
- A switch to a standard database: PostgreSQL
- An updated and improved network graph (Technology Preview)
- Comprehensive host-level scanning of Red Hat Enterprise Linux CoreOS (RHCOS) nodes.
- Secure cluster support for IBM Power, IBM zSystems and IBM LinuxONE systems
- Improved runtime events and reporting
- Updated search functions
- Improved Syslog Integration Features
- A new Collections feature for reusable deployment groupings
- Updated policy categories for labelling a wider range of violations and vulnerabilities
- An API to report all processes listening on ports in a secured cluster
- FIPS Compliance Validation
We are happy to share all these updates. Let's dive into each feature update below!
PostgreSQL will be the default database for RHACS in version 4.0
When StackRox 3.0 was first released, it laid the groundwork for securing Kubernetes with configuration and vulnerability management capabilities. The latest version, 4.0, uses PostgreSQL, which replaces RocksDB, the database used in previous versions. This change brings many advantages, including performance improvements, and it also enables many of the new platform features covered below.
Benefits of using PostgreSQL as the RHACS backing store include:
- Scale and performance improvements
- Use of standard backup and restore tools
- Reduced use of persistent volumes
For RHACS customers, PostgreSQL will be the default database starting with version 4.0. Upgrading to 4.0 involves a database migration from RocksDB to PostgreSQL that happens as part of the upgrade. Before upgrading, be sure to back up your database following the existing documented procedure so that you can restore the backup if you encounter any issues.
ACS Subject Matter Experts (SMEs) are available through the Red Hat Customer Portal to guide on-premises customers through testing the functionality and completing the necessary steps.
Network Graph 2.0 has arrived!
As mentioned in the version 3.74 announcement, the RHACS network graph has been rebuilt on the PatternFly library, which provides enhanced functionality and crisp graphics. The graph provides detailed information about the deployments in your environment, their network flows, and the policies that apply. There are two views:
- The active flows view (default) displays flows with observed traffic, focused on the selected namespace or a specific deployment.
- The inactive flows view shows the flows that your network policies allow, even if they did not carry traffic in the observed time window. This view helps you identify the changes to your network policies needed for tighter isolation.
Filters and controls can be used to customize the displayed information, and the graph includes a legend that explains the icons. Here's an example showing the deployments and the traffic flows between them, with a red mark indicating missing policies.
This visual update, together with the added roxctl CLI netpol create capability (Technology Preview), enables a more efficient workflow for creating network policies, helping developers, operations, and security teams achieve their zero trust networking goals.
The network graph update and the netpol features can be seen in a short demo.
Full host-level scanning for RHCOS nodes
You read that right! RHACS will now have full host-level scanning for RHCOS nodes.
Prior to this update, the RHACS platform only scanned Red Hat OpenShift cluster nodes for vulnerabilities in core Kubernetes and container runtime components. Now RHACS provides Red Hat customers with vulnerability scanning of the entire host operating system (node) in addition to the Kubernetes components, using vulnerability data provided by Red Hat for scan accuracy. Specifically, RHACS will:
- Identify all installed RPM packages, including Kubernetes components, on ACS-secured OpenShift cluster nodes running RHCOS
- Identify known vulnerabilities affecting these packages and Kubernetes components
- Use vulnerability data provided by Red Hat for RHCOS components to provide accurate scan results
This is the first step towards improving the vulnerability management process in RHACS. Stay tuned for future releases for more updates and tips on how to improve your vulnerability management workflow.
IBM Power, IBM zSystems and IBM LinuxONE support RHACS secure cluster services
RHACS has a very comprehensive support policy covering many Kubernetes platforms and architectures. We've expanded this support matrix to include OpenShift on IBM Power, IBM zSystems and IBM LinuxONE systems. See the RHACS support matrix for more information.
You can install RHACS Secured Cluster Services on Red Hat OpenShift on IBM Power, IBM zSystems and IBM LinuxONE using the RHACS operator. With version 4.0, RHACS supports multi-architecture checks with roxctl and extends RHACS secured cluster support to:
- Red Hat OpenShift 4.12 on IBM Power (ppc64le)
- Red Hat OpenShift 4.10 and 4.12 on IBM zSystems (s390x) and IBM LinuxONE (s390x)
API for reporting all processes listening on ports in a secured cluster
Security-conscious Kubernetes users need a list of all processes listening on ports in a secured cluster. ACS already provides information about which deployments and namespaces have open ports. With version 4.0, we have added information about the processes listening on those ports to help you assess the security posture of the cluster more effectively.
This feature will be visible in the UI in a future release.
Updated Global Search in Dashboard
A proper search bar is an extremely powerful tool. In RHACS 4.0, we've improved the search experience to make finding and using security information much faster and more targeted.
Our updated global search feature has been redesigned and is now presented on a dedicated search page that provides a comprehensive list of search criteria to help you quickly find what you need. With over ten search categories and individual search results presented as line items, you can easily zoom in on areas of interest and explore the results further. And the best part? Search now uses URLs, so you can navigate with your browser, open results in new tabs, and even share search links with your team.
For example, with the RHACS global search, users can search for deployments with the SYS_ADMIN capability and share the link with colleagues, allowing teams to find and share information quickly and efficiently. RHACS is committed to providing the best user experience, and the updated global search feature is just one example of that commitment.
Additional fields for improved syslog integration
When integrating with a syslog receiver, RHACS automatically sends all violations and audit events to the configured syslog receiver. With RHACS 3.74, you can specify custom key-value pairs to send to the remote system. New extra fields let you customize the data you can filter on the syslog receiver.
For more information, see Integration using the syslog protocol.
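The extra fields are only useful if the receiver can pick them out reliably. The following is an added example, not RHACS code, of receiver-side filtering on such key-value pairs. It assumes (the page does not state the wire format) that the extra fields arrive as RFC 5424 STRUCTURED-DATA params under a single SD-ID, and the sample lines and the SD-ID `rhacs@32473` are constructed for the illustration. The parser handles the escapes RFC 5424 permits inside a param value, and malformed lines are counted rather than silently dropped so a parser failure cannot hide an event.

```python
"""Receiver-side filtering on syslog extra fields (added example, not RHACS code).

Assumes the extra key-value pairs are carried as RFC 5424 STRUCTURED-DATA params
under one SD-ID; the sample lines below are constructed, not captured traffic.
"""
import re

# RFC 5424 HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG
_HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)


def parse_structured_data(rest):
    """Parse STRUCTURED-DATA at the start of `rest`; return (sd_dict, msg).

    Handles the three escapes RFC 5424 allows inside a PARAM-VALUE: \\" \\] and \\\\.
    Raises ValueError on malformed input so the caller can count and drop the line.
    """
    if rest == "-":
        return {}, ""
    if rest.startswith("- "):
        return {}, rest[2:]
    sd, i = {}, 0
    try:
        while i < len(rest) and rest[i] == "[":
            k = i + 1
            while rest[k] not in " ]":           # SD-ID runs to the first space or ']'
                k += 1
            sd_id, params, i = rest[i + 1:k], {}, k
            while rest[i] == " ":                # one SD-PARAM per leading space
                eq = rest.index("=", i)
                name = rest[i + 1:eq]
                if rest[eq + 1] != '"':
                    raise ValueError("PARAM-VALUE must be quoted")
                v, buf = eq + 2, []
                while rest[v] != '"':            # copy value, unescaping \" \] \\
                    if rest[v] == "\\" and rest[v + 1] in '"]\\':
                        buf.append(rest[v + 1])
                        v += 2
                    else:
                        buf.append(rest[v])
                        v += 1
                params[name] = "".join(buf)
                i = v + 1
            if rest[i] != "]":
                raise ValueError("unterminated SD-ELEMENT")
            i += 1
            sd[sd_id] = params
    except IndexError as exc:
        raise ValueError("truncated STRUCTURED-DATA") from exc
    if not sd:
        raise ValueError("no SD-ELEMENT and no NILVALUE")
    if i < len(rest) and rest[i] != " ":
        raise ValueError("garbage after STRUCTURED-DATA")
    return sd, rest[i + 1:]


def parse_syslog(line):
    """Split one RFC 5424 line into header fields, structured data and message."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group(1))
    sd, msg = parse_structured_data(m.group(7))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "app": m.group(4), "sd": sd, "msg": msg}


def filter_events(lines, sd_id, **wanted):
    """Keep messages whose extra fields under `sd_id` equal every wanted value.

    Returns {"matched": [msg, ...], "malformed": n}.
    """
    matched, malformed = [], 0
    for line in lines:
        try:
            ev = parse_syslog(line)
        except ValueError:
            malformed += 1
            continue
        extra = ev["sd"].get(sd_id, {})
        if all(extra.get(k) == v for k, v in wanted.items()):
            matched.append(ev["msg"])
    return {"matched": matched, "malformed": malformed}


# Constructed sample traffic: two violations, two audit events (one without extra
# fields), and one deliberately truncated line.
SAMPLE_LINES = [
    '<134>1 2023-04-05T12:00:00Z central rhacs - - [rhacs@32473 env="prod" team="payments"] {"type":"violation","policy":"Privileged Container"}',
    '<134>1 2023-04-05T12:00:01Z central rhacs - - [rhacs@32473 env="staging" team="payments"] {"type":"violation","policy":"Latest tag"}',
    r'<134>1 2023-04-05T12:00:02Z central rhacs - - [rhacs@32473 env="prod" team="shop" note="esc \"quoted\" \] bracket"] {"type":"audit","user":"alice"}',
    '<134>1 2023-04-05T12:00:03Z central rhacs - - - {"type":"audit","user":"bob"}',
    '<134>1 2023-04-05T12:00:04Z central rhacs - - [rhacs@32473 env="prod {"type":"violation"}',
]

if __name__ == "__main__":
    print(filter_events(SAMPLE_LINES, "rhacs@32473", env="prod"))
```

Filtering on `env="prod"` over the sample keeps the first and third messages, skips the staging violation and the audit event that carries no extra fields, and reports the truncated line as malformed.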
Introducing Collections
Alongside PostgreSQL comes a new feature that the RHACS team calls "Collections". Collections let users define a set of deployments using matching rules, name it for repeated use, and avoid repeatedly cloning and editing RHACS properties. A collection is a logical grouping defined by selection rules, which lets you express the following:
- Rules can match on the name or a label of a deployment, namespace, or cluster.
- Rules can use exact matches or regular expressions.
- Collections are resolved at runtime, so rules can refer to objects that do not exist at the time of definition.
- Collections can be constructed using other collections to describe complex hierarchies.
- Identify any group of deployments on your system by group, environment tags, namespaces, cluster names, etc.
In version 4.0, collections are only available in the updated Vulnerability Reporting feature. Over time, the collections will be available in dashboards, network graphs, and anywhere an RHACS search or filter is used, making it easier to focus on areas of interest.
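To make the selection semantics concrete, here is an added example, not RHACS's own code or collection schema, of a small resolver that implements the rules listed above: name or label matching on deployment, namespace or cluster, exact or regular-expression matching, composition from other collections, and resolution against the live inventory at query time. The data model, the AND-within-a-collection / OR-across-embedded-collections semantics, and the sample inventory are all assumptions made for this illustration.

```python
"""Illustrative collection resolver (added example; not RHACS's own code or API).

The data model, rule syntax and AND/OR semantics are assumptions for the
illustration; the inventory in build_example() is constructed sample data.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Deployment:
    name: str
    namespace: str
    cluster: str
    labels: dict = field(default_factory=dict)            # deployment labels
    namespace_labels: dict = field(default_factory=dict)  # labels on the namespace
    cluster_labels: dict = field(default_factory=dict)    # labels on the cluster


@dataclass(frozen=True)
class Rule:
    scope: str           # "deployment", "namespace" or "cluster"
    by: str              # "name" or "label"
    value: str           # name pattern, or "key=value" for label rules
    regex: bool = False  # exact string match unless True

    def matches(self, d):
        names = {"deployment": d.name, "namespace": d.namespace, "cluster": d.cluster}
        labels = {"deployment": d.labels, "namespace": d.namespace_labels,
                  "cluster": d.cluster_labels}
        if self.by == "name":
            actual, pattern = names[self.scope], self.value
        else:
            key, _, pattern = self.value.partition("=")
            actual = labels[self.scope].get(key)
            if actual is None:
                return False
        # fullmatch, not search: an unanchored regex such as "prod" would also
        # select "non-prod" and silently widen the collection
        return bool(re.fullmatch(pattern, actual)) if self.regex else actual == pattern


@dataclass
class Collection:
    name: str
    rules: list = field(default_factory=list)     # every rule must match (AND)
    embedded: list = field(default_factory=list)  # names of other collections (OR)


def resolve(name, registry, inventory, _path=None):
    """Return the set of (cluster, namespace, deployment) the named collection selects.

    Resolution runs against whatever `inventory` holds right now, so a rule may
    name objects that did not exist when the collection was written. `_path` is
    the chain of embedded collections, used to turn a cycle into an error.
    """
    path = _path or []
    if name in path:
        raise ValueError("collection cycle: " + " -> ".join(path + [name]))
    coll = registry[name]
    selected = {(d.cluster, d.namespace, d.name) for d in inventory
                if coll.rules and all(r.matches(d) for r in coll.rules)}
    for child in coll.embedded:
        selected |= resolve(child, registry, inventory, path + [name])
    return selected


def build_example():
    """Constructed sample inventory and collections (not real cluster data)."""
    prod = {"env": "prod"}
    inventory = [
        Deployment("payments-api", "payments", "prod-east", {"tier": "backend"}, prod),
        Deployment("payments-web", "payments", "prod-east", {"tier": "frontend"}, prod),
        Deployment("checkout", "shop", "prod-east", {"tier": "backend"}, prod),
        Deployment("payments-api", "payments", "staging", {"tier": "backend"}, {"env": "staging"}),
    ]
    registry = {
        "payments-prod": Collection("payments-prod", rules=[
            Rule("deployment", "name", r"payments-.*", regex=True),
            Rule("namespace", "label", "env=prod")]),
        "backend-prod": Collection("backend-prod", rules=[
            Rule("deployment", "label", "tier=backend"),
            Rule("namespace", "label", "env=prod")]),
        # composed purely from other collections, no rules of its own
        "prod-critical": Collection("prod-critical", embedded=["payments-prod", "backend-prod"]),
    }
    return registry, inventory


def demo():
    """Resolve the samples, then show runtime resolution and cycle detection."""
    registry, inventory = build_example()
    before = resolve("prod-critical", registry, inventory)
    # a deployment created after the collection was defined is selected next time
    inventory.append(Deployment("payments-ledger", "payments", "prod-west",
                                {"tier": "backend"}, {"env": "prod"}))
    after = resolve("prod-critical", registry, inventory)
    registry["a"] = Collection("a", embedded=["b"])
    registry["b"] = Collection("b", embedded=["a"])
    try:
        resolve("a", registry, inventory)
        cycle_detected = False
    except ValueError:
        cycle_detected = True
    return {"before": before, "after": after, "cycle_detected": cycle_detected}


if __name__ == "__main__":
    print(demo())
```

In the sample, `payments-prod` selects the two prod-east payments deployments but not the same-named staging one, `backend-prod` adds `checkout`, and their union resolves to three deployments; appending a new prod deployment to the inventory changes the next resolution without touching the collection definition.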
Updated policy categories
The RHACS team is updating the Policy Categories feature to help you manage related policies. This feature is accompanied by the new Policy Categories tab, which allows you to view, create, rename, or delete categories. This workflow protects system-defined policies and ensures that you cannot delete them, while providing the granular ability to customize groupings as needed. The same actions for policy categories that are available in the RHACS portal are also available through the API using the PolicyCategoryService service. For more information, see the API documentation by going to Help > API Reference in the RHACS portal.
FIPS compliance validation
RHACS is now validated on OpenShift 4.12 with FIPS (Federal Information Processing Standard) mode enabled. This helps customers meet their compliance requirements.
Try RHACS 4.0 today!
The 4.0 release notes are available for browsing and, as always, RHACS is available for a 60-day free trial (self-managed).
If you are not currently using RHACS, we recommend starting with Red Hat Advanced Cluster Security Cloud Service, a fully managed SaaS version of RHACS, by going to the AWS Marketplace or requesting a demo.