Red Hat Advanced Cluster Security for Kubernetes and Red Hat Advanced Cluster Security for Kubernetes Cloud Service version 4.6 are now available. This update lays the foundation for a future based on policy as code and improves the UI to make it easier for users to find what they need.
The significant changes in this version can be found here, but the highlights are:
- Violations Management UX improvements
- ACS Scanner v4 adopts Red Hat CSAF/VEX
- NVD CVSS scores for all CVEs (when available)
- Compliance reporting
- ACSCS PCI DSS 4.0.0 compliance
- Red Hat Advanced Cluster Management for Kubernetes GlobalHub Integrations
- Policy as Code (tech preview)
- ARM support for Secured cluster (tech preview)
- External Entity IP (tech preview)
This blog post goes into more detail about three of the most significant changes made for our customers and why we made them.
Violations
A significant change for version 4.6 comes within the violations management interface, to help users focus on corrective actions.
First, policy violations are now split into three tabs that group violations as Active, Resolved, or Attempted.
- Active violations are current violations
- Resolved violations are typically Build and Deploy phase violations where the offending deployment is already gone. A less well-known source is Runtime phase violations that a user has manually marked as resolved
- Attempted violations are actions that Red Hat Advanced Cluster Security (ACS) blocked before they were carried out, because the violated policy had an enforcement action configured
Second, a View filter has been added to separate violations triggered by platform workloads from violations triggered by application (end user) workloads. The default is the Applications view, and users may switch to the Platform view or the Full view. With these views, users can focus on each of the corrective action paths in their organization:
- Application workload violations: Communicate with application owners when an application may need to be modified or rebuilt with an updated image
- Platform workload violations: Communicate with the team that owns the Red Hat OpenShift instance, where an OpenShift upgrade may be required
Third, the policy violations page now has an easier-to-use yet comprehensive filter widget. This filter allows you to further focus your attention on areas where corrective actions are needed by narrowing down the listed violations by policy attributes, violation attributes, cluster/namespace attributes, and deployment attributes.
We are aware of two violations UI limitations in this release:
- The selected view is cleared when you switch tabs
- The filter is cleared when you switch views
We plan to improve this in the next Advanced Cluster Security major release.
Vulnerabilities
FedRAMP Vulnerability Scanning Requirements documentation states that any organization wanting to meet FedRAMP requirements must use the NVD CVSS v3 base score (unless it's unavailable, in which case it's acceptable to use CVSS v2). To help organizations meet FedRAMP requirements, ACS Scanner v4 now provides NVD CVSS scores (v3 when available, and v2 when v3 is not available) for all CVEs and vendor-specific CVSS scores (when available).
The Image Content fields of ACS policies have also been enhanced to include the NVD CVSS score, so policies can be built on it like any other field.
ACS Scanner v4 now consumes Common Security Advisory Framework (CSAF) and Vulnerability Exploitability Exchange (VEX) data published by Red Hat Product Security, instead of OVAL v2 security data, for Workload CVEs. The primary advantage of the CSAF and VEX profile is that it provides a standardized, machine-readable format for sharing vulnerability information, enabling efficient automation in vulnerability management processes. CSAF/VEX is now Red Hat's recommended authoritative security data source.
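As an added illustration (not ACS code, and not a description of how Scanner v4 implements this), the script below shows what the two data changes above mean for a finding: it reads a constructed CSAF/VEX document for a product's status and vendor CVSS score, and applies the FedRAMP rule of the NVD v3 base score with v2 fallback. The CVE id, product ids, scores and the "report only known_affected/under_investigation" rule are all assumptions made up for the example.

```python
import json

# Constructed, minimal CSAF 2.0 VEX document: the product_status buckets and the
# scores layout follow the CSAF 2.0 schema; ids and numbers are placeholders.
VEX = json.loads("""{
  "document": {"category": "csaf_vex", "title": "Constructed VEX example"},
  "vulnerabilities": [{
    "cve": "CVE-0000-0000",
    "product_status": {"known_affected": ["pkg-a:1.0"],
                       "known_not_affected": ["pkg-b:2.0"], "fixed": ["pkg-a:1.1"]},
    "scores": [{"products": ["pkg-a:1.0"],
                "cvss_v3": {"version": "3.1", "baseScore": 7.5}}]
  }]
}""")

# Constructed NVD base scores per CVE (None = NVD has not published that version).
NVD_SCORES = {"CVE-0000-0000": {"v3": None, "v2": 5.0}}

def vex_lookup(doc, cve, product_id):
    """(product_status bucket, vendor CVSS v3 base score) for product_id under cve."""
    status, score = None, None
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for bucket, products in vuln.get("product_status", {}).items():
            if product_id in products:
                status = bucket
        for entry in vuln.get("scores", []):
            if product_id in entry.get("products", []) and "cvss_v3" in entry:
                score = entry["cvss_v3"].get("baseScore")
    return status, score

def fedramp_score(cve, nvd):
    """FedRAMP rule quoted in the post: NVD CVSS v3 base score, else NVD v2."""
    entry = nvd.get(cve, {})
    for version in ("v3", "v2"):
        if entry.get(version) is not None:
            return f"nvd-{version}", entry[version]
    return None, None

def triage(doc, nvd, cve, product_id):
    """Report decision plus the scores a FedRAMP reviewer would ask for. Reporting
    only known_affected/under_investigation is this example's rule, not ACS's."""
    status, vendor = vex_lookup(doc, cve, product_id)
    source, score = fedramp_score(cve, nvd)
    return {"status": status,
            "report": status in ("known_affected", "under_investigation"),
            "fedramp_source": source, "fedramp_score": score,
            "vendor_cvss": vendor}
```

Note that the vendor score (7.5) and the FedRAMP-selected NVD score (5.0) differ for the same CVE, which is exactly why both are now surfaced side by side.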
Global Hub
Red Hat Advanced Cluster Management for Kubernetes (part of Red Hat OpenShift Platform Plus) is our overarching tool for managing clusters and clusters of clusters worldwide. As this product has grown in capabilities, it’s also become a place where many of the other tools within the Red Hat OpenShift Platform Plus offering can integrate to enable management at scale. Red Hat Advanced Cluster Management for Kubernetes offers a Global Hub interface to enable these integrations.
Red Hat Advanced Cluster Security for Kubernetes has joined the tooling integrated into Global Hub. This means that, from a single interface, security administrators can push down and manage policies globally. This greatly simplifies the management of security policies across multiple clusters and allows for the management of multiple instances of Red Hat Advanced Cluster Security for Kubernetes across those clusters.
Local administrators can still manage specific clusters, while global administrators can rest easy knowing that they can immediately implement a new policy across the entire cluster estate as needed.
Bonus: technology previews
We've also been working hard to redesign Red Hat Advanced Cluster Security for Kubernetes as a platform that enables policy as code. Much of the supporting work we've done for this feature is available in this release as a technology preview.
Over the years, we've seen a fundamental split in the security administration community: some people want automation, and some people want to put their hands on the policies. When combined with a GitOps-enabled Kubernetes environment using something like Argo CD, these are conflicting desires. For those who want to automate security policy management and rollouts, our policy as code features let those users commit their policies to GitHub and have them deployed to the cluster automatically.
We do, however, understand that sometimes a security administrator just wants to do things by hand and do them right now. We've surfaced warnings in the interface for this type of usage, so that people doing this understand that their manual changes will be overwritten when Argo CD next reconciles the cluster with its Git repository, but we do allow such behavior.
This technology is in a stable and usable form, but it is not yet flagged as generally available for three reasons:
- The CRD API is still in Alpha, and thus policy as code might have to change to adapt to an evolving specification
- Some gaps remain, most notably around resolving UUIDs in YAML objects to actual names
- Generally, we want your feedback before we set this in stone
Policy as code can significantly improve the lives of our users, so we want to get it right and build the platform's future around these capabilities.
We've also got a few other features available as a technology preview with this release. Our network graph was a little myopic about external IP entities, so we've improved that in this release, surfacing more information on network entities outside your firewalls but inside your security purview. We've also added ARM support for secured clusters.
Try Red Hat Advanced Cluster Security 4.6 today
If you’re interested in learning more about Red Hat Advanced Cluster Security for Kubernetes or Red Hat Advanced Cluster Security for Kubernetes Cloud Service, you can take a free test drive here.
About the author
Red Hatter since 2018, technology historian and founder of The Museum of Art and Digital Entertainment. Two decades of journalism mixed with technology expertise, storytelling and oodles of computing experience from inception to e-waste recycling. I have taught or had my work used in classes at USF, SFSU, AAU, UC Law Hastings and Harvard Law.
I have worked with the EFF, Stanford, MIT, and Archive.org to brief the US Copyright Office and change US copyright law. We won multiple exemptions to the DMCA, accepted and implemented by the Librarian of Congress. My writings have appeared in Wired, Bloomberg, Make Magazine, SD Times, The Austin American Statesman, The Atlanta Journal Constitution and many other outlets.
I have been written about by the Wall Street Journal, The Washington Post, Wired and The Atlantic. I have been called "The Gertrude Stein of Video Games," an honor I accept, as I live less than a mile from her childhood home in Oakland, CA. I was project lead on the first successful institutional preservation and rebooting of the first massively multiplayer game, Habitat, for the C64, from 1986: https://neohabitat.org . I've consulted and collaborated with the NY MOMA, the Oakland Museum of California, Cisco, Semtech, Twilio, Game Developers Conference, NGNX, the Anti-Defamation League, the Library of Congress and the Oakland Public Library System on projects, contracts, and exhibitions.