Red Hat Advanced Cluster Security Accelerates Security Adoption and Scaling Capabilities
The second half of 2022 included three minor Red Hat Advanced Cluster Security releases along with significant advancements to Red Hat Advanced Cluster Security (RHACS). The RHACS team continued to innovate in the 3.71, 3.72, and 3.73 releases. A few significant improvements and new features include:
- Improvements to vulnerability management.
- Automated generation of network policies prior to deployment.
- Support for analyzing images built with Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux (RHEL) 9 RPMs for vulnerabilities.
But the biggest announcement in the second half of 2022 was the service preview announcement for our RHACS Cloud Service.
RHACS Cloud Service as a Service Preview
At KubeCon, Red Hat announced the Service Preview of Advanced Cluster Security Cloud Service. The cloud service delivers all the features of ACS, protecting containerized applications and Kubernetes across the full application life cycle while shifting the operational, management and support responsibility for ACS to Red Hat, allowing customers to focus on increasing delivery speed with a greater focus on innovation and achieving their business goals.
In this solution, Red Hat is marrying Kubernetes-native security capabilities with the convenience and support of a cloud service, which helps organizations take a security-first approach as they build, deploy and maintain cloud-native applications, regardless of the underlying Kubernetes platform. Red Hat Advanced Cluster Security Cloud Service provides
- Faster time to value: Quickly deploy ACS in minutes as needed across clouds and geographies, enabling a focus on securing your applications, not managing infrastructure.
- Reduced complexity: fully managed ACS with 24x7 expert SRE support and a simplified application lifecycle experience.
- Flexible pricing: ACS Cloud Service allows for flexible consumption-based pricing.
With the same platform support as the self-managed Advanced Cluster Security product, ACS Cloud Service expands protections beyond Red Hat OpenShift and includes Kubernetes services from all major cloud providers, including Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE).
Qualified customers are welcome to request early access to Red Hat Advanced Cluster Security Cloud Service.
Vulnerability Management
Known vulnerabilities make it easier for adversaries to exploit applications, and highly privileged containers pose a greater security risk. The 3.72 release introduced an improved policy that alerts when containers running in privileged mode have Important or Critical vulnerabilities that are fixable.
The new policy is called "Privileged Containers with Important and Critical Fixable CVEs" because, for Red Hat users, the Red Hat "Critical" severity rating describes the risk more accurately than a CVSS score does. With release 3.72, the older policy, which was based on CVSS score and called "Fixable CVSS >= 6 and Privileged," is disabled by default.
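To make the difference between the two policies concrete, the following added example (not RHACS code and not its policy format) evaluates both rules over constructed sample deployments; the CVE ids, CVSS scores and Red Hat severities are placeholders:

```python
"""Illustrative evaluator for the two RHACS policies described above.
Constructed sample data; not RHACS code or its policy format."""
from dataclasses import dataclass, field


@dataclass
class CVE:
    cve_id: str
    cvss: float
    rh_severity: str   # Red Hat rating: Low, Moderate, Important, Critical
    fixable: bool


@dataclass
class Deployment:
    name: str
    privileged: bool   # any container runs with privileged: true
    cves: list = field(default_factory=list)


def old_policy(d: Deployment) -> list:
    """'Fixable CVSS >= 6 and Privileged' (disabled by default since 3.72)."""
    if not d.privileged:
        return []
    return [c.cve_id for c in d.cves if c.fixable and c.cvss >= 6.0]


def new_policy(d: Deployment) -> list:
    """'Privileged Containers with Important and Critical Fixable CVEs'."""
    if not d.privileged:
        return []
    return [c.cve_id for c in d.cves
            if c.fixable and c.rh_severity in ("Important", "Critical")]


# Constructed sample: CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Deployment("log-shipper", privileged=True, cves=[
        CVE("CVE-0000-0001", cvss=7.5, rh_severity="Moderate", fixable=True),
        CVE("CVE-0000-0002", cvss=5.3, rh_severity="Important", fixable=True),
        CVE("CVE-0000-0003", cvss=9.8, rh_severity="Critical", fixable=False),
    ]),
    Deployment("web-frontend", privileged=False, cves=[
        CVE("CVE-0000-0004", cvss=9.1, rh_severity="Critical", fixable=True),
    ]),
]


def evaluate(deployments, policy) -> dict:
    """Map each violating deployment name to the CVEs that triggered the policy."""
    return {d.name: policy(d) for d in deployments if policy(d)}


if __name__ == "__main__":
    print("old:", evaluate(SAMPLE, old_policy))  # flags CVE-0000-0001 only
    print("new:", evaluate(SAMPLE, new_policy))  # flags CVE-0000-0002 only
```

Note that the same privileged deployment violates each policy on a different CVE: the CVSS rule fires on a high-scoring CVE that Red Hat rates Moderate, while the severity rule fires on a lower-scoring CVE that Red Hat rates Important; the unfixable Critical CVE and the unprivileged deployment are ignored by both.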
Release 3.72 also added the ability to pinpoint the Dockerfile lines that introduced the offending components associated with each CVE in a vulnerable image. Admins can now point the team responsible for maintaining that layer of the image to the precise Dockerfile lines, which makes it easier to take corrective action.
Improved Vulnerability Management dashboard
In release 3.71, Red Hat launched an improved Vulnerability Management dashboard with a filtering capability to help customers better prioritize. The Vulnerability Management dashboard now groups Common Vulnerabilities and Exposures (CVEs) into Image CVEs, Node CVEs, and Platform CVEs categories.
You can access these categories when you click CVEs on the Vulnerability Management view header. Or, when viewing a list of entities, these categories are listed under All entities. Read more about this feature here.
Improved Efficiency
Decommission clusters automatically
Leftover clusters that are not appropriately decommissioned can leave credentials floating in your environments. To counter this, RHACS can now automatically decommission clusters, which removes the security issue and alleviates any manual processes related to cluster management.
Simplify authentication with robot accounts
The 3.72 release includes support for Quay robot accounts. This addition helps customers that scan multiple Quay repositories with ACS. The enhancement simplifies the authentication process by supporting the Quay robot account mechanism in place of the OAuth token method.
Postgres database
Release 3.73 includes the new PostgreSQL database as a Tech Preview option for select customers. Note that Tech Preview features should not be used in production environments. Advanced Cluster Security will use PostgreSQL as its backend database in the future, replacing the in-memory RocksDB database used today. This transition will be part of a future release upgrade, with a fully automated migration from the current architecture to the PostgreSQL-based architecture.
With PostgreSQL, customers will benefit from improved performance, standard database procedures for scaling the database, backup and restore, and disaster recovery using PostgreSQL database backups. In addition, you will be able to use your existing PostgreSQL infrastructure to provision a PostgreSQL database for Advanced Cluster Security. Read more about the PostgreSQL Tech Preview here. If you are interested in participating in the Tech Preview program, Red Hat will work with you to manually migrate to PostgreSQL so that you can explore these benefits in a test environment before we release this feature. Contact your Red Hat account representative to participate.
Automate creation of Kubernetes Network Policies
Red Hat also delivered a keynote at Cloud Native SecurityCon at KubeCon 2022: "Crossing the Kubernetes Network Policy Chasm" by Michael Foster, Community Lead for StackRox at Red Hat. The talk discussed how isolating pods with Kubernetes network policies is vital to securing a Kubernetes cluster, and explained how open source tooling helps development and security teams automate the creation of application-specific Kubernetes network policies prior to deployment, alongside human-authored system policies that govern them.