Security is an important aspect of any digital undertaking, and Kubernetes is no different. We’ve built Red Hat Advanced Cluster Security for Kubernetes to form a foundational layer of security across fleets, estates, and platforms, be it public, private, or hybrid clouds. Today we release Red Hat Advanced Cluster Security for Kubernetes version 4.10 as part of our ongoing effort to make life easier for Red Hat OpenShift users when it comes to building and enforcing security policies for their clusters.
Chief among these updates are the new integration of vulnerability management into the OpenShift Console and the separation of duties between base image layers and application layers. Both make it easier for administrators and operators to act on security findings and remediation without switching between dashboards and contexts.
And as always, we’re laying even more groundwork for future support with this release: We’re releasing a tech preview of vulnerability management for virtual machines (VMs) running on Red Hat OpenShift Virtualization, and we’ve changed the way base images are handled. More on that further down.
New in Red Hat Advanced Cluster Security for Kubernetes
If you're eager to just get started, sign up for a free trial of Red Hat Advanced Cluster Security for Kubernetes. If you want more detail, here are some of the new features in the latest release:
- Vulnerability Management innovations
- Base images: Separation of duties
- OpenShift Console plug-in (Technology Preview)
- Vulnerability management for virtual machines (Technology Preview)
- StackRox MCP server (upstream)
- File activity monitoring (Technology Preview)
- Cluster registration secrets
- Policy criteria for CVE fix date
Base images: Separation of duties
Organizations typically use a standardized base image (also known as a golden image) to maintain a secure foundation. These often include third-party provider versions, such as Red Hat Enterprise Linux (RHEL), as well as custom images built by DevOps teams to meet specific security standards.
With Red Hat Advanced Cluster Security for Kubernetes 4.10, you can designate these standardized images as base images. Red Hat Advanced Cluster Security for Kubernetes then identifies the base image within an application image and distinguishes its layers from those added by the application owner. A new attribute in vulnerability reporting, "layer type," states exactly which kind of layer a component was found in. Note that the same vulnerable component can exist in both the base image and the application layers at the same time; it then appears under both layer types, and fixing the base image alone does not remove the copy the application build added.
As a result, you gain clear accountability and faster remediation, allowing for better metrics across base image hygiene, application dependency hygiene, and patch responsiveness per team.
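The layer attribution described above, as an added example that is not RHACS code and does not claim to be how the product implements it. It relies on the OCI layout fact that an image built FROM a base image begins with exactly that base image's layers in order, so a designated base is recognised by matching a prefix of layer digests; the image names, digests and components are constructed sample data, and it also shows the case the text calls out, where the same package exists under both layer types.

```python
"""Attribute an application image's layers, and the components found in them,
to the designated base image or to the application layers built on top of it.

Added example, not RHACS code. Digests, image names and components are
constructed sample data; the base is recognised by layer-digest prefix matching."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    version: str
    layer: str  # digest of the layer that introduced the component


@dataclass
class Image:
    name: str
    layers: list[str]  # ordered layer digests, lowest (base) layer first
    components: list[Component] = field(default_factory=list)


def base_layer_count(app: Image, bases: list[Image]) -> int:
    """Number of leading layers that belong to a designated base image.
    The longest matching base wins, so a hardened golden image that itself
    builds on a vendor image is preferred over the vendor image alone."""
    best = 0
    for base in bases:
        n = len(base.layers)
        if n > best and app.layers[:n] == base.layers:
            best = n
    return best


def layer_types(app: Image, bases: list[Image]) -> dict[str, str]:
    """Map each layer digest to the 'layer type' it would carry in a report."""
    n = base_layer_count(app, bases)
    return {d: ("base" if i < n else "application") for i, d in enumerate(app.layers)}


def locate(app: Image, bases: list[Image], component: str) -> dict[str, list[str]]:
    """Versions of a component grouped by layer type. The same vulnerable
    package can appear under both keys when the application layers carry
    their own copy (a vendored library, a second install) on top of the base's."""
    types = layer_types(app, bases)
    found: dict[str, list[str]] = {"base": [], "application": []}
    for c in app.components:
        if c.name == component:
            found[types[c.layer]].append(c.version)
    return found


# Constructed sample: a vendor base, a golden image built on it, an app built on the golden image.
VENDOR = Image("vendor/base", ["sha256:1111", "sha256:2222"])
GOLDEN = Image("corp/golden", VENDOR.layers + ["sha256:3333"])
APP = Image(
    "team/app",
    GOLDEN.layers + ["sha256:4444", "sha256:5555"],
    components=[
        Component("openssl", "3.0.7", "sha256:2222"),   # shipped by the vendor base
        Component("openssl", "1.1.1w", "sha256:4444"),  # vendored again by the app build
        Component("curl", "8.4.0", "sha256:5555"),
    ],
)
UNRELATED = Image("team/other", ["sha256:9999", "sha256:4444"])  # not built on any designated base

if __name__ == "__main__":
    print(layer_types(APP, [VENDOR, GOLDEN]))
    print(locate(APP, [VENDOR, GOLDEN], "openssl"))
```

Designating only the vendor image attributes the golden image's hardening layer to the application team; designating both puts the accountability boundary where the organisation actually draws it, which is the reason the longest matching base wins.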
OpenShift Console plug-in (Technology Preview)
In Red Hat Advanced Cluster Security for Kubernetes 4.10, you can enable a new dynamic plug-in for the OpenShift console on secured clusters. This plug-in adds a Security tab that displays real-time vulnerability information directly within the OpenShift console interface, eliminating the need to switch applications. Key benefits include:
- Zero context switching: Security data is available directly in the primary workspace, removing the need to jump between the OpenShift console and the Red Hat Advanced Cluster Security for Kubernetes portal.
- Faster remediation: Teams can identify and fix security flaws earlier in the lifecycle by viewing vulnerabilities alongside deployment configurations.
- Instant visibility: Real-time vulnerability data relevant to the specific cluster is immediately accessible.
This capability is a Technology Preview feature.
Vulnerability management for virtual machines (Technology Preview)
As organizations modernize legacy workloads using Red Hat OpenShift Virtualization, maintaining a unified security posture across containers and VMs is critical. Red Hat Advanced Cluster Security for Kubernetes 4.10 introduces support for protecting these environments by providing visibility into VM vulnerabilities. Key benefits include:
- Unified vulnerability management: Identify and manage vulnerabilities for VMs directly within the Red Hat Advanced Cluster Security for Kubernetes console, alongside containerized workloads.
- Streamlined visibility: View all OpenShift assets, including those running as VMs, through a single interface to reduce management complexity.
This capability is a Technology Preview feature. Read the Scanning virtual machines documentation for details.
StackRox MCP server (upstream)
The StackRox MCP server lets you identify CVE exposure in seconds using natural language queries, with no prior expertise in Red Hat Advanced Cluster Security for Kubernetes required. This is particularly valuable when a zero-day is disclosed: you can assess risk immediately without navigating the Red Hat Advanced Cluster Security for Kubernetes UI or stitching together multiple API calls. The MCP server can be connected to the client of your choice, including OpenShift Lightspeed. Its access scope is exactly that of the API token used during setup, so issue that token with the least privilege the client needs rather than an administrator role.
At this time, the MCP software is available upstream only.
File activity monitoring (Technology Preview)
Red Hat Advanced Cluster Security for Kubernetes 4.10 introduces a new file activity monitoring capability to detect unauthorized or suspicious interactions with sensitive files on the underlying host. This capability helps organizations meet regulatory and compliance requirements (such as PCI DSS, HIPAA, and NIST) that mandate monitoring and auditing of file system integrity. This feature enables:
- Host and container distinction: Red Hat Advanced Cluster Security for Kubernetes distinguishes between host-initiated and container-initiated changes, automatically mapping activity to specific Kubernetes deployments and namespaces.
- Forensic visibility: The feature bridges visibility gaps by capturing the timestamp, process name, execution path, and UID for every change.
- Critical path monitoring: Users can monitor four critical node paths: /etc/passwd, /etc/shadow, /etc/sudoers, and /etc/ssh/sshd_config.
This capability is a Technology Preview feature.
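Triage over the kind of events this feature captures, as an added example that is not RHACS code and does not reflect its internal event format. The JSON event shape, the container-to-workload index and the allowlist of expected writers are all assumptions; the sample events are constructed. What it shows is how the captured fields (timestamp, process name, executable path, UID, host or container origin) become an actionable alert, and why a container-initiated change to the node's own authentication files is the case to escalate regardless of the process name.

```python
"""Triage of host file-activity events for the four monitored node paths.

Added example, not RHACS code. Event format, container index and allowlist
are assumed; sample events are constructed."""
from __future__ import annotations
import json
from dataclasses import dataclass

MONITORED_PATHS = {"/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/ssh/sshd_config"}
CHANGE_OPS = {"write", "truncate", "rename", "unlink", "chmod", "chown"}  # reads are not changes

# Assumed per-site allowlist: host processes that legitimately rewrite each file.
EXPECTED_WRITERS = {
    "/etc/passwd": {"useradd", "usermod", "userdel", "passwd"},
    "/etc/shadow": {"passwd", "chage", "useradd", "usermod"},
    "/etc/sudoers": {"visudo"},
    "/etc/ssh/sshd_config": set(),  # only change management should touch it
}

# Constructed index from container ID to (namespace, deployment); the platform supplies this in practice.
CONTAINER_INDEX = {"c0ffee11": ("payments", "api-gateway")}

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts": "2026-03-01T10:00:01Z", "path": "/etc/passwd", "op": "write", "process": "useradd", "exe": "/usr/sbin/useradd", "uid": 0}
{"ts": "2026-03-01T10:00:07Z", "path": "/etc/shadow", "op": "write", "process": "python3", "exe": "/usr/bin/python3", "uid": 0, "container_id": "c0ffee11"}
{"ts": "2026-03-01T10:00:09Z", "path": "/etc/ssh/sshd_config", "op": "write", "process": "sh", "exe": "/usr/bin/sh", "uid": 0}
{"ts": "2026-03-01T10:00:11Z", "path": "/etc/shadow", "op": "read", "process": "sshd", "exe": "/usr/sbin/sshd", "uid": 0}
{"ts": "2026-03-01T10:00:12Z", "path": "/var/log/messages", "op": "write", "process": "rsyslogd", "exe": "/usr/sbin/rsyslogd", "uid": 0}
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    path: str
    origin: str            # "host" or "container"
    namespace: str | None  # populated only for container-initiated changes
    deployment: str | None
    process: str
    exe: str
    uid: int
    severity: str          # "info" for an expected writer, "high"/"critical" otherwise


def triage(event_lines: str, container_index: dict | None = None) -> list[Alert]:
    """Turn raw events into alerts for changes to the monitored paths."""
    index = CONTAINER_INDEX if container_index is None else container_index
    alerts: list[Alert] = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["path"] not in MONITORED_PATHS or ev["op"] not in CHANGE_OPS:
            continue
        cid = ev.get("container_id")
        if cid:
            # A container changing the node's own auth files implies a hostPath
            # mount or an escape; no process name makes that expected.
            namespace, deployment = index.get(cid, (None, None))
            origin, severity = "container", "critical"
        else:
            namespace = deployment = None
            origin = "host"
            severity = "info" if ev["process"] in EXPECTED_WRITERS[ev["path"]] else "high"
        alerts.append(Alert(ev["ts"], ev["path"], origin, namespace, deployment,
                            ev["process"], ev["exe"], ev["uid"], severity))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a.severity.upper(), a.ts, a.path, a.origin, a.deployment, a.process, a.uid)
```

The allowlist only downgrades host-initiated changes; the executable path and UID are kept on every alert so an analyst can spot a binary named like `useradd` running from `/tmp`, which a process-name allowlist alone would miss.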
Cluster registration secrets
The cluster registration secret (CRS), introduced in Red Hat Advanced Cluster Security for Kubernetes 4.9 as a technology preview, is now fully supported with RHACS 4.10. Additionally, this method is now available when installing with the operator.
CRS provides clear separation of credentials used for bootstrapping registration of secured cluster components from the workflow of internal communication between these components.
This method replaces the deprecated init bundle for registration. Existing clusters that were registered with an init bundle are not affected, but CRS is recommended for new cluster registrations because the init bundle is expected to be removed in a future release.
Policy criteria for CVE fix date
RHACS 4.10 adds a new policy criterion based on the CVE fix date. This allows organizations to define policies that trigger based on when a fix for a vulnerability was first made available by the vendor.
Using this criterion, security teams can automate enforcement of remediation SLAs, ensuring that critical vulnerabilities are addressed within a set number of days after a patch is released. This is a more precise measure of patch responsiveness than the CVE discovery date alone: a clock started at disclosure penalizes a team for a vulnerability the vendor fixed only yesterday, or has not fixed at all, while a clock started at the fix date measures how long an available patch has gone unapplied.
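The fix-date SLA logic the policy criterion enables, as an added example that is not RHACS code and is not the product's policy engine. The SLA windows, the clock names and the findings are assumptions and constructed data (placeholder IDs, not real CVEs); the example compares the same findings under a disclosure-date clock and a fix-date clock to show why the two give different answers.

```python
"""Remediation-SLA check driven by the CVE fix date rather than the disclosure date.

Added example, not RHACS code. SLA windows and findings are assumed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed organisational policy: days allowed after a fix ships, per severity.
SLA_DAYS = {"CRITICAL": 7, "IMPORTANT": 30, "MODERATE": 90}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    published: date             # disclosure date of the CVE
    fix_available: date | None  # first vendor fix date; None means no fix yet
    deployment: str


def days_past_sla(f: Finding, today: date, clock: str = "fix") -> int | None:
    """Days beyond the SLA deadline (negative while still inside the window).
    With clock="fix", a finding with no available fix returns None: there is
    nothing to patch, so it is tracked but not counted as an SLA breach."""
    if clock == "fix":
        if f.fix_available is None:
            return None
        start = f.fix_available
    elif clock == "published":
        start = f.published
    else:
        raise ValueError(f"unknown clock {clock!r}")
    deadline = start + timedelta(days=SLA_DAYS[f.severity])
    return (today - deadline).days


def sla_violations(findings: list[Finding], today: date, clock: str = "fix") -> list[str]:
    """CVE IDs whose remediation deadline has passed under the chosen clock."""
    out = []
    for f in findings:
        overdue = days_past_sla(f, today, clock)
        if overdue is not None and overdue > 0:
            out.append(f.cve)
    return out


# Constructed findings (placeholder IDs, not real CVEs) as seen on 2026-03-01.
TODAY = date(2026, 3, 1)
FINDINGS = [
    # disclosed three months ago, but the vendor fix shipped only four days ago
    Finding("CVE-EXAMPLE-0001", "CRITICAL", date(2025, 12, 1), date(2026, 2, 25), "payments/api"),
    # fix has been available for weeks: overdue under either clock
    Finding("CVE-EXAMPLE-0002", "CRITICAL", date(2026, 1, 10), date(2026, 1, 20), "payments/api"),
    # no fix exists yet
    Finding("CVE-EXAMPLE-0003", "CRITICAL", date(2025, 6, 1), None, "web/frontend"),
]

if __name__ == "__main__":
    print("by disclosure date:", sla_violations(FINDINGS, TODAY, "published"))
    print("by fix date:       ", sla_violations(FINDINGS, TODAY, "fix"))
```

Under the disclosure clock all three findings breach; under the fix clock only the second does, which is the one a team can actually be held to. Unfixed findings still deserve a separate policy (mitigation, exposure reduction) rather than a patch SLA they cannot meet.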
Find out more about Red Hat Advanced Cluster Security for Kubernetes 4.10 by reading the release notes.
About the author
Michael Foster is a CNCF Ambassador, the Community Lead for the open source StackRox project, and Principal Product Marketing Manager for Red Hat based in Toronto. In addition to his open source project responsibilities, he utilizes his applied Kubernetes and container experience with Red Hat Advanced Cluster Security to help organizations secure their Kubernetes environments. With StackRox, Michael hopes organizations can leverage the open source project in their Kubernetes environments and join the open source community through stackrox.io. Outside of work, Michael enjoys staying active, skiing, and tinkering with his various mechanical projects at home. He holds a B.S. in Chemical Engineering from Northeastern University and CKAD, CKA, and CKS certifications.