New Features in Red Hat Advanced Cluster Security
Security Adoption and Scaling Capabilities are Accelerated by Red Hat Advanced Cluster Security
Three minor Red Hat Advanced Cluster Security updates and major improvements to Red Hat Advanced Cluster Security(RHACS) were released in the second half of 2022. Throughout the 3.71, 3.72, and 3.73 releases, the RHACS team kept pushing the envelope. Several notable upgrades and additions include:
- The management of vulnerabilities has improved.
- Creation of network policy automatically before implementation.
- Support for the vulnerability scanning of images created using Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux (RHEL) 9 RPMs.
The service preview announcement for our RHACS Cloud Service, however, was the biggest news in the second half of 2022.
RHACS Cloud Service as a Service Preview
Red Hat revealed the Advanced Cluster Security Cloud Service in the Service Preview at KubeCon. With Red Hat taking on the operational, management, and support duties for ACS, the cloud service offers all the features of ACS while protecting Kubernetes and containerized applications throughout the entire application life cycle. This frees up customers to concentrate on accelerating delivery times with a stronger emphasis on innovation and achieving their business objectives.
Red Hat’s solution combines Kubernetes-native security capabilities with the practicality and support of a cloud service, enabling businesses to design, deploy, and maintain cloud-native apps while putting security first, regardless of the Kubernetes platform used. Cloud Service for Red Hat Advanced Cluster Security offers
Faster time to value: ACS can be swiftly deployed in a matter of minutes across clouds and locations, allowing you to concentrate on protecting your applications rather than maintaining infrastructure.
Reduce complexity: A simplified application lifecycle experience and fully-managed ACS with expert SRE support reduce complexity.
Flexible pricing: It is possible with the ACS Cloud Service’s consumption-based pricing system and the ACSCS Early Access Program.
ACS Cloud Service offers protections for Kubernetes services from all major cloud providers, including Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine(GKE), and does so with the same platform support as the self-managed Advanced Cluster Security product.
Requests for early access to the Red Hat Advanced Cluster Security Cloud Service are accepted by qualified customers.
Applications with known vulnerabilities are simpler for attackers to exploit, and highly privileged containers present a bigger security risk. With the 3.72 updates, a better policy was added that warns when privileged mode-running containers have critical or critical-yet-fixable vulnerabilities.
Because “Critical” severity better captures the risk for Red Hat users than CVSS, the new policy is known as “Privileged Containers with Important and Critical Fixable CVEs.” The previous policy, known as “Fixable CVSS >= 6 and Privileged,” which was based on the CVSS score, is now removed by default with release 3.72.
With the addition of release 3.72, it is now possible to identify the Dockerfile lines in a vulnerable image that introduced the offending components linked to each CVE. With the help of this improvement, administrators will be able to share with the group in charge of maintaining that layer of the image the exact lines in the Dockerfile that introduced the problematic components, making it simpler to take the necessary remedial action.
Improved VulnerabilityY Management Dashboard
Red Hat introduced an enhanced Vulnerability Management dashboard with filtering functionality in release 3.71 to assist clients in setting priorities. Common Vulnerabilities and Exposures (CVEs) are now divided into three categories: Image CVEs, Node CVEs, and Platform CVEs in the vulnerability management dashboard.
When you click CVEs on the Vulnerability Management view header, you can see these categories. Alternatively, these categories are presented under All entities when viewing a list of entities. Read more about this feature here.
Decommission clusters automatically
Unproperly retired leftover clusters may leave credentials floating around in your environments. To address this, RHACS can now automatically decommission clusters, eliminating the security concern and removing the need for any manual cluster management activities.
Simplify Authentication with robot accounts
Quay robot accounts are supported in version 3.72. Customers who have numerous Quay repositories can now scan with ACS thanks to this addition. By replacing the OAuth token approach with the Quay robot account mechanism, the upgrade streamlines the authentication procedure.
The new Postgres database is available as a Tech Preview option for a limited number of clients in Release 3.73. Keep in mind that Tech Preview features shouldn’t be used in settings where products are being produced. In the future, PostgreSQL will take the place of the current in-memory RocksDB database as the backend database for Advanced Cluster Security. The switch from the existing design to a PostgreSQL-based architecture will be entirely automated as part of an upcoming version upgrade.
Customers will experience better performance, standardized database practices for database scaling, backup and restore, and disaster recovery using PostgreSQL database backups with PostgreSQL. Additionally, you will be able to provision a PostgreSQL database for Advanced Cluster Security using your current PostgreSQL infrastructure. Learn more about the ProgreSQL Tech Preview here. Red Hat will work with you to manually migrate to PostgreSQL if you’re interested in taking part in the Tech Preview program so you may test these advantages in a testing environment before we release this feature. To participate, get in touch with your Red Hat account representative.
Automate the creation of Kubernetes network policies
Crossing the Kubernetes Network Policy Chasm – Michael Foster, Red Hat, Community Lead – StackRox was the title of a keynote speech given by Red Hat at the Cloud Native Security Con during KubeCon in 2022. The session covered how protecting the Kubernetes cluster depends on isolating pods with Kubernetes network policies. In the keynote, it was explained how development and security teams may automate the establishment of application-specific Kubernetes network policies before deployment, together with the human-authored system policies that will control them.