What’s in Red Hat Advanced Cluster Security 4.4
The engineering team of Red Hat Advanced Cluster Security (RHACS) is thrilled to announce the upcoming release of the latest RHACS version, which is packed with new features and upgrades. With a feature-rich release scheduled to launch in 2024, the team continues to build on the RHACS Cloud Service announcements made last year and the 4.0 major release. The RHACS 4.4 release will prioritize improved security posture management, more automated security features to reduce tedious security tasks, and more consistency in scan results.
Notable updates include:
- A new vulnerability scanner, “Scanner V4” (tech preview), built on upstream ClairCore, enables more frequent and thorough vulnerability updates.
- New compliance features are available as a tech preview, with more to come in later releases.
- RHACS starts using CO-RE BPF as its default collection method.
- Cluster discovery using cloud source integrations
- Bring your own database for the Central database
- Tools for network policy at build time
- Full and Maintenance Support Phases are now included in release life cycles. The previous six-month life cycle of each ACS release has been extended to ten months due to this modification.
- The RHACS support matrix provides information on supportability and compatibility of RHACS with various OpenShift releases.
Be sure to also take a look at the numerous RHACS platform updates, such as:
- Enhancements to the Init-bundle graphical user interface
- Support for RHACS on the control plane hosted by ROSA
- Short-lived Central API tokens
- Using short-lived tokens for authentication in AWS and GCP integrations (Tech Preview)
- Updates on the operator life cycle
- Better administration of policies
- Command for roxctl deployment check
As usual, the RHACS documentation and release notes contain additional information about the release. Additionally, you can test-drive the most recent RHACS version by signing up for a free 60-day trial of the RHACS Cloud Service.
The unified “Vulnerability Scanner V4” is now available (tech preview)
We are excited to present RHACS “Scanner V4,” a brand-new vulnerability management workflow update, currently available as a tech preview. By integrating the best features of both the upstream Clair V4 Scanner from Red Hat Quay and the current StackRox Scanner, this release represents a major milestone. Here is what to expect from the new Scanner V4:
- Accurate and reliable scanning: Dependable vulnerability scan results for Red Hat Quay and RHACS, as well as the whole Red Hat product ecosystem.
- Extended compatibility with more languages and operating systems: Based on your feedback, we’ve added Golang to our list of supported languages for language vulnerability scanning. We’re also pleased to offer operating system scanning for Oracle Linux, SUSE Linux Enterprise, and Photon OS.
- An extensive vulnerability database source: We have made OSV.dev our main resource for all supported programming language packages in order to provide you with the most recent vulnerability data.
It is important to note that the StackRox Scanner will be used by default for all RHACS upgrades and new installations. However, the default StackRox Scanner can now be replaced with the new Vulnerability Scanner V4, which has a wider scope and more compatibility advantages.
For additional details on how to enable the RHACS Scanner V4, see:
- “Scanner settings” in Red Hat OpenShift’s RHACS installation.
- “Scanner V4” in RHACS Installation on Different Platforms.
New compliance features for RHACS (Technology preview)
The RHACS team is thrilled to announce that the Compliance (2.0) feature will be available as a Technology Preview in RHACS 4.4! As part of a broader compliance workflow initiative, RHACS users will receive access to the most recent updates and be able to provide feedback on features they would like to see in the product.
Here is what users can expect from Compliance (2.0) in RHACS 4.4:
- Tighter integration of RHACS and the Compliance Operator for a cohesive experience. Infrastructure scans can be configured, scheduled, and carried out right from the RHACS interface.
- Results of OpenShift Compliance Operator scans are conveniently accessible within RHACS for quick review and analysis.
Future releases are expected to include even more potent features, such as:
- Fixing errors and exporting scan data straight from the RHACS dashboard.
- Creation of unique profiles based on particular regulations.
- Support for workload compliance, resulting in increased coverage throughout your environment.
Please refer to the Technology Preview Features Support Scope documentation for additional information regarding the support scope of Red Hat Technology Preview features.
RHACS starts using CO-RE BPF as its default collection method
Beginning with RHACS 4.4, eBPF CO-RE (Compile Once, Run Everywhere) powers the default runtime collection method, enabling smoother upgrades and compatibility across various kernel versions. This collection method was added in RHACS 4.0; when you upgrade your cluster, it will operate without any issues unless you have specifically configured a different collection method.
See the RHACS documentation to learn more about the specifications for the CO-RE BPF collector.
Find unprotected clusters by integrating Paladin Cloud
A notable feature of RHACS 4.4 is its simple integration with Paladin Cloud and Red Hat OpenShift Cluster Manager, which makes it possible to find new clusters in your environment that aren’t protected. As a result of this integration, RHACS can now provide an extensive list of clusters from major cloud platforms such as Google Kubernetes Engine (Google GKE), Microsoft Azure Kubernetes Service (Microsoft AKS), and Amazon Elastic Kubernetes Service (Amazon EKS) within your OpenShift environment. Read this joint blog post to find out more about the seamless integration of Paladin Cloud and RHACS Cloud Service.
Bring your own PostgreSQL database
We are happy to inform you that this release allows users to use their own PostgreSQL-compatible database as the RHACS Central database. With this option, PostgreSQL can be installed either inside or outside of the cluster. Users can tailor their deployment to meet their unique needs, regardless of whether it is installed on virtual machines, bare metal, or as a cloud-hosted service.
For more information about supported platforms, please consult the RHACS Support Matrix.
Tools for network policy at build time
It can be laborious and time-consuming to create network policies, and our customers want a simpler method to ensure zero-trust networking throughout their clusters. The goal of build-time network policy tools is to automate the process of creating network policies as close to the developer as possible, thus saving time for all parties in the DevSecOps pipeline.
With build-time network policy tools, users can create network policies locally or as part of a build-deploy pipeline. We are happy to announce the general availability of this automation, which enables zero-trust networking by explicitly defining the network traffic in your Kubernetes clusters!