
Red Hat Advanced Cluster Security for Kubernetes and Red Hat Advanced Cluster Security for Kubernetes Cloud Service version 4.6 are now available. This update lays the foundation for a future based on policy as code and improves the UI to make it easier for users to find what they need.

The significant changes in this version can be found here, but the highlights are:

  • Violations Management UX improvements
  • ACS Scanner v4 adopts Red Hat CSAF/VEX
  • NVD CVSS scores for all CVEs (when available)
  • Compliance reporting
  • ACSCS PCI DSS 4.0.0 compliance
  • Red Hat Advanced Cluster Management for Kubernetes GlobalHub Integrations
  • Policy as Code (tech preview)
  • ARM support for Secured cluster (tech preview)
  • External Entity IP (tech preview)

This blog post goes into more detail about three of the most significant changes made for our customers and why.

Violations

A significant change for version 4.6 comes within the violations management interface, to help users focus on corrective actions.

First, policy violations are now split into three tabs that group violations as Active, Resolved, or Attempted.

  • Active violations are current violations
  • Resolved violations are typically Build and Deploy phase violations where the offending deployment is already gone. A less well-known source is Runtime phase violations that a user has manually marked as resolved
  • Attempted violations are actions that Red Hat Advanced Cluster Security (ACS) blocked before they could be carried out, because the violated policy has an enforcement action configured

Second, a View filter has been added to set aside violations triggered by platform workloads from violations triggered by application (end user) workloads. The default view is Applications view, and users may switch to Platform view or Full view. With these views, users can focus on each of the corrective actions paths in their organization:

  • Application workload violations: Communicate with application owners when an application may need to be modified or rebuilt with an updated image
  • Platform workload violations: Communicate with the team that owns the Red Hat OpenShift instance, where an OpenShift upgrade may be required

Third, the policy violations page now has an easier to use (but comprehensive) filter widget. This filter lets you further focus your attention on areas where corrective actions are needed, by narrowing the listed violations by policy attributes, violation attributes, cluster/namespace attributes, and deployment attributes.

We are aware of two violations UI limitations in this release:

  1. The selected view is cleared when you switch tabs
  2. The filter is cleared when you switch views

We plan to improve this in the next Advanced Cluster Security major release.

Vulnerabilities

FedRAMP Vulnerability Scanning Requirements documentation states that any organization wanting to meet FedRAMP requirements must use the NVD CVSS v3 base score (unless it's unavailable, in which case it's acceptable to use CVSS v2). To help organizations meet FedRAMP requirements, ACS Scanner v4 now provides NVD CVSS scores (v3 when available, and v2 when v3 is not available) for all CVEs and vendor-specific CVSS scores (when available).

ACS policy Image Content fields have also been enhanced to include the NVD CVSS score as one of the fields that ACS policies can be built upon.

ACS Scanner v4 now consumes Red Hat Product Security published Common Security Advisory Framework (CSAF) and Vulnerability Exploitability Exchange (VEX) data instead of OVAL v2 security data for Workload CVEs. The primary advantage of the CSAF and VEX profile is that it provides a standardized, machine-readable format for sharing vulnerability information, enabling efficient automation in vulnerability management processes. It's now the recommended authoritative security data source for Red Hat.
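As an added example (not ACS or Red Hat code), the following Python combines the two data sources described in this section: a constructed, minimal CSAF VEX document supplies the vendor's product status and CVSS score, and a constructed NVD record supplies the score a FedRAMP-style policy must prefer (NVD CVSS v3, falling back to v2 only when v3 is absent). The CVE id, product ids, scores and the `nvd_feed` shape are placeholders.

```python
# Constructed, minimal CSAF 2.0 VEX document (product_tree omitted for brevity);
# the CVE id, product ids and scores are placeholders, not real advisory data.
VEX_DOC = {
    "document": {"category": "csaf_vex", "title": "constructed sample"},
    "vulnerabilities": [{
        "cve": "CVE-0000-00001",  # placeholder, not a real CVE id
        "product_status": {"known_affected": ["pkg-a"], "fixed": ["pkg-b"]},
        "scores": [{"products": ["pkg-a"],
                    "cvss_v3": {"version": "3.1", "baseScore": 7.5}}],
    }],
}
STATUSES = ("known_affected", "fixed", "known_not_affected", "under_investigation")

def vex_status(doc, cve, product_id):
    """Return the CSAF product_status category for cve/product, else 'unknown'."""
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for status in STATUSES:
            if product_id in vuln.get("product_status", {}).get(status, []):
                return status
    return "unknown"

def vendor_score(doc, cve, product_id):
    """Vendor CVSS v3 base score from the VEX 'scores' array, or None."""
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for entry in vuln.get("scores", []):
            if product_id in entry.get("products", []) and "cvss_v3" in entry:
                return float(entry["cvss_v3"]["baseScore"])
    return None
def fedramp_score(nvd_record):
    """FedRAMP rule: NVD CVSS v3 base score; use v2 only when v3 is absent."""
    for ver in ("v3", "v2"):
        if nvd_record.get(ver) is not None:
            return (float(nvd_record[ver]), "nvd_cvss_" + ver)
    return None

def violates(doc, nvd_feed, product_id, threshold=7.0):
    """CVEs where the product is known_affected and the NVD score >= threshold."""
    hits = []
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve")
        if vex_status(doc, cve, product_id) != "known_affected":
            continue  # fixed or not affected per VEX: no violation
        chosen = fedramp_score(nvd_feed.get(cve, {}))
        if chosen and chosen[0] >= threshold:
            hits.append((cve, chosen[1], chosen[0]))
    return hits
```

A product listed under `fixed` in the VEX document produces no violation even when the NVD score exceeds the threshold, which is the exploitability signal that VEX adds over a bare CVE match.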

Global Hub

Red Hat Advanced Cluster Management for Kubernetes (part of Red Hat OpenShift Platform Plus) is our overarching tool for managing clusters and clusters of clusters worldwide. As this product has grown in capabilities, it’s also become a place where many of the other tools within the Red Hat OpenShift Platform Plus offering can integrate to enable management at scale. Red Hat Advanced Cluster Management for Kubernetes offers a Global Hub interface to enable these integrations.

Red Hat Advanced Cluster Security for Kubernetes has joined the tooling integrated into Global Hub. This means that, from a single interface, security administrators can push down and manage policies globally. This greatly simplifies the management of security policies across multiple clusters and allows for the management of multiple instances of Red Hat Advanced Cluster Security for Kubernetes across those clusters.

Local administrators can still manage specific clusters, while global administrators can rest easy knowing that they can immediately implement a new policy across the entire cluster estate as needed.

Bonus: technology previews

We’ve also been working hard to redesign Red Hat Advanced Cluster Security for Kubernetes as a platform to enable policy as code. Many of the supports we’ve built to allow for this feature are available in this release as a technology preview.

Over the years, we've seen a fundamental split in the security administration community: some people want automation, and some people want to put their hands on the policies. When combined with a GitOps enabled Kubernetes environment utilizing something like Argo CD, these are conflicting desires. For those who want to automate security policy management and rollouts, our policy as code features will enable those users to roll their code into GitHub and then automatically deploy it to the cluster.

We do, however, understand that sometimes a security administrator just wants to do things by hand and do them right now. We allow such behavior, but we've surfaced warnings in the interface for this type of usage so that people doing this understand that their manual changes will be displaced when Argo CD next enforces its Git repository upon the cluster.

This technology is in a stable and usable form, but it is not yet flagged as generally available for three reasons:

  1. The CRD API is still in Alpha, and thus policy as code might have to change to adapt to an evolving specification
  2. Some gaps remain, most notably around resolving UUIDs in YAML objects to actual names
  3. Generally, we want your feedback before we set this in stone

Policy as code can significantly improve the lives of our users, so we want to get it right and build the platform's future around these capabilities.

We’ve also got a few other features available as a technology preview with this release. Our network graph was a little myopic about external IP entities, so we’ve improved that in this release, surfacing more information on network entities outside your firewalls but inside your security purview. We’ve also added ARM support.

Try Red Hat Advanced Cluster Security 4.6 today

If you’re interested in learning more about Red Hat Advanced Cluster Security for Kubernetes or Red Hat Advanced Cluster Security for Kubernetes Cloud Service, you can take a free test drive here.


About the author

Red Hatter since 2018, technology historian and founder of The Museum of Art and Digital Entertainment. Two decades of journalism mixed with technology expertise, storytelling and oodles of computing experience from inception to ewaste recycling. I have taught or had my work used in classes at USF, SFSU, AAU, UC Law Hastings and Harvard Law. 

I have worked with the EFF, Stanford, MIT, and Archive.org to brief the US Copyright Office and change US copyright law. We won multiple exemptions to the DMCA, accepted and implemented by the Librarian of Congress. My writings have appeared in Wired, Bloomberg, Make Magazine, SD Times, The Austin American Statesman, The Atlanta Journal Constitution and many other outlets.

I have been written about by the Wall Street Journal, The Washington Post, Wired and The Atlantic. I have been called "The Gertrude Stein of Video Games," an honor I accept, as I live less than a mile from her childhood home in Oakland, CA. I was project lead on the first successful institutional preservation and rebooting of the first massively multiplayer game, Habitat, for the C64, from 1986: https://neohabitat.org . I've consulted and collaborated with the NY MOMA, the Oakland Museum of California, Cisco, Semtech, Twilio, Game Developers Conference, NGNX, the Anti-Defamation League, the Library of Congress and the Oakland Public Library System on projects, contracts, and exhibitions.
