Red Hat Advanced Cluster Security 4.4: What’s included

The Red Hat Advanced Cluster Security (RHACS) engineering team is excited to announce the pending release of the latest RHACS version, packed with brand-new features and updates. The team continues to build on the 4.0 major release and RHACS Cloud Service announcements last year with a feature-packed release to kick off 2024. The RHACS 4.4 release will focus on increased consistency of scan results, strengthened security posture management, and more automated security features to alleviate monotonous security tasks.

Significant updates include:

• A new vulnerability scanner termed “Scanner V4” (tech preview) utilizing upstream ClairCore, enabling consistent and more comprehensive vulnerability updates
• Compliance capabilities released in tech preview, with more to come in future releases
• CO-RE BPF becomes the default collection method for RHACS
• Cluster discovery by using cloud source integrations
• Bring your own database for Central database
• Build-time network policy tools
• Release life cycles have been extended to include a Full and Maintenance Support Phases. This change now extends the lifecycle of each ACS release to 10 months from previous six months life cycle
• RHACS support matrix outlines details on RHACS compatibility with OpenShift releases and supportability 

However, make sure to check out the many RHACS platform updates, such as:

• Init-bundle graphical user interface improvements  
• Support for RHACS on ROSA-hosted control plane
• Short-lived API tokens for Central
• Authenticating AWS and GCP integrations by using short-lived tokens (Tech Preview)
• Operator life cycle updates
• Enhanced policy management roxctl deployment check command

As always, you can find more information about the release in the RHACS documentation and release notes, and you can explore the newest version of RHACS through the 60-day, no-cost trial of RHACS Cloud Service.

Introducing the unified ‘Vulnerability Scanner V4’ (tech preview)

We're thrilled to unveil the latest RHACS vulnerability management workflow update with the all-new RHACS ‘Scanner V4,’ available in tech preview. This release marks a significant milestone as we integrate the finest features from the existing StackRox Scanner and the upstream Clair V4 Scanner from Red Hat Quay. Here's what you can expect from the new Scanner V4:

Consistent and accurate scanning: Reliable vulnerability scan results across the entire Red Hat product ecosystem, including RHACS and Red Hat Quay.

Expanded language and operating system support: We've listened to your feedback and expanded our support to include Golang in language vulnerability scanning. Additionally, we're proud to include Oracle Linux, SUSE Linux Enterprise, and Photon OS in our operating system scanning capabilities.

Comprehensive vulnerability database source: We've adopted OSV.dev as the primary source for all supported programming language packages to help deliver the most up-to-date vulnerability information.

It is important to note that all RHACS upgrades and new installations will use the StackRox Scanner by default. Still, you will now have the option to choose the new Vulnerability Scanner V4 instead of the default StackRox Scanner, which offers additional compatibility benefits and an extended scope.

For more information about enabling the RHACS Scanner V4, see:

• “Scanner settings” in Installing RHACS on Red Hat OpenShift.
• “Scanner V4” in Installing RHACS on other platforms.

RHACS new compliance capabilities (Technology preview)

The RHACS team is excited to announce the Compliance (2.0) launch as a Technology Preview feature in RHACS 4.4! As part of a larger compliance workflow initiative, RHACS users will have access to the latest updates and be able to give feedback about features they wish to see in the product.

With Compliance (2.0) in RHACS 4.4, users can expect the following:

• A more seamless integration of Compliance Operator and RHACS for a unified experience. Configuration, scheduling, and execution of infrastructure scans directly from the RHACS interface.
• Convenient access to OpenShift compliance operator scan results within RHACS for easy review and analysis.

We anticipate future releases to bring even more powerful capabilities, including:

• Remediation of deficiencies and exporting scan results directly from the RHACS dashboard.
• Creation of custom profiles tailored to specific compliance requirements.
• Support for workload compliance, driving more comprehensive coverage across your environment.

For further details on the support scope of Red Hat Technology Preview features, please refer to the Technology Preview Features Support Scope documentation.

CO-RE BPF becomes the default collection method for RHACS

Starting with RHACS 4.4, the default runtime collection method is powered by eBPF CO-RE (Compile Once, Run Everywhere), offering compatibility across different kernel versions and providing smoother upgrades. This collection method was introduced in the RHACS 4.0 release, and unless explicitly configured otherwise, your cluster will seamlessly transition upon upgrading.

Discover more about the requirements for the CO-RE BPF collector in the RHACS documentation.

Discover unprotected clusters with Paladin Cloud integration

A standout feature of RHACS 4.4 is ease of integration with Red Hat OpenShift Cluster Manager and Paladin Cloud, enabling you to uncover new clusters that lack protection within your environment. With this integration, RHACS now offers a comprehensive list of clusters across your OpenShift environment and major cloud platforms, including Amazon Elastic Kubernetes Service (Amazon EKS), Google Kubernetes Engine (Google GKE), and Microsoft Azure Kubernetes Service (Microsoft AKS). Learn more about the tight integration of RHACS Cloud Service and Paladin Cloud in this joint blog post.

Bring your own PostgreSQL database

We are pleased to announce that users can utilize their own PostgreSQL-compatible database for the RHACS Central database in this release. This option offers the flexibility to deploy PostgreSQL within or outside the cluster. Whether deployed on bare metal, virtual machines, or as a cloud-hosted service, users can customize their deployment to suit their specific requirements.

Please refer to the RHACS Support Matrix for further details regarding supported platforms.

Build-time network policy tools 

Creating Network Policies can be time complicated and time-consuming, and our customers want an easier way to enforce zero-trust networking across their clusters. Build-time network policy tools aim to create an automated approach to network policy creation that is as close to the developer as possible, saving time for everyone involved in the DevSecOps pipeline.

Build-time network policy tools enable users to generate network policies locally or as a part of a build-deploy pipeline. This automation enables zero-trust networking by explicitly defining the network traffic in your Kubernetes clusters, and we are excited to announce its general availability!

Try out RHACS today!

Interested in checking out these features and more? Try out the latest release of RHACS in our 60-day, no-cost trial of RHACS Cloud Service today!