Red Hat Advanced Cluster Security 4.7 simplifies management, enhances workflows, and generates SBOMs

Today, ensuring the security and integrity of your software supply chain is more critical than ever. Red Hat Advanced Cluster Security for Kubernetes is focused on providing users the tools to tackle the greatest security challenges.

One essential tool in this effort is the software bill of materials (SBOM), which provides a comprehensive list of all components and libraries used within a software product. With the growing importance of SBOMs for supply chain security—especially in light of the NIST Executive Order—Red Hat Advanced Cluster Security 4.7 introduces new features for generating and analyzing SBOMs, providing users with deeper visibility and control. Red Hat Advanced Cluster Security 4.7 brings several other key updates, including EPSS scores for vulnerability prioritization, streamlined certificate management, and enhanced machine authentication integrations.

The product documentation contains the full list of updates and you can always try the newest product version by starting your free trial of Red Hat Advanced Cluster Security for Kubernetes today.

SBOM generation, Analyzed Type (Tech Preview)

A SBOM provides detailed lists of all components and libraries in a software product, allowing organizations and government agencies to know exactly what software they’re using. An SBOM is essential in customer supply chain security, especially with the announcement of the NIST Executive Order from 2021. As a technology preview in Red Hat Advanced Cluster Security 4.7, you can generate SBOMs from the command line or through the user interface (UI). 

For SBOM users, it is essential to understand the benefits and limitations of different types of SBOMs. An SBOM is a great tool to add to your overall software supply chain security efforts, but it doesn't solve all hardening and security considerations. 

User workload focus

Since the general availability of the Vulnerability Management Dashboard in Red Hat Advanced Cluster Security 4.5, we’ve prioritized simplifying and enhancing our user's workflows. In Red Hat Advanced Cluster Security 4.7, targeted views in the Vulnerability Management window promotes consistency across the product, and is critical in bridging the gap between user-facing software and platform management, as depicted in the User Workload vs Platform Views walkthrough below.

The Vulnerability Management Dashboard has a view of results containing:

• User Workloads
• Platform
• Nodes
• More Views
  • All vulnerable images
  • Inactive images
  • Images without CVEs
  • Kubernetes Components

This change provides information on issues you're trying to solve.

EPSS score

Red Hat Advanced Cluster Security 4.7 release brings exploit prediction scoring system (EPSS) scores to the Vulnerability Management dashboard. By enriching the ACS vulnerability management data, ACS provides a probability score in percentage (between 0 and 100%) produced by the EPSS framework, which highlights how probable it is for a particular vulnerability to be exploited. The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS scores enable security teams to prioritize vulnerabilities based on their likelihood of exploitation. EPSS scores are based on various factors, including the availability of exploit code, exploit trends and the prevalence of vulnerabilities in the wild. This extra information gives organizations another piece of information to manage the vulnerabilities in their clusters effectively.

Secure credential management 

In Red Hat Advanced Cluster Security 4.7, the certificate renewal process for secured clusters has been streamlined with the automatic renewal of mTLS certificates for communication within secured clusters. This greatly simplifies management of your certificates.

This feature also creates separate credentials, called a Cluster Registration Secret (CRS), for the initial bootstrap scenario of a secured cluster. The previous initBundle installation process is being deprecated in favor of Cluster Registration Secret, which provides a clear separation of bootstrap credentials and certificates used for internal component communication. CRS can be easily revoked when not necessary without impacting functionality on the secured cluster.

Machine identity auth integrations

Red Hat Advanced Cluster Security 4.7 enables access and integration with Azure registry and Microsoft Sentinel using short-lived OpenID Connect (OIDC) credentials provided by Microsoft's Identity provider. These credentials are used for authenticating Red Hat Advanced Cluster Security services to Azure APIs. The Red Hat Advanced Cluster Security 4.4 release brought the framework to integrate with other cloud providers, such as AWS and GCP, via short-lived OIDC federated credentials, providing more secure communications. 

EntraID for machine<>machine authentication

Red Hat Advanced Cluster Security now provides a way to allow machine<>machine authentication using Azure AD Service Principals that represent application identity.

In the Red Hat Advanced Cluster Security 4.3 release, API access was enabled for machine<>machine Auth with short-lived OIDC tokens. With this release, we document how OIDC Identity tokens from Microsoft EntraID can be exchanged for RHACS access tokens to authenticate to RHACS APIs and run automated tasks such as image scans and image checks. 

Red Hat Developer Hub Plugin (Tech Preview)

Red Hat Developer Hub is a Red Hat build of the open source Backstage project designed to create customizable internal developer portals, improving developers' productivity. Red Hat Developer Hub provides enterprise-grade support with role-based access control plugins that simplify user management and supported Red Hat plugins.

Regarding plugins, the Red Hat Advanced Cluster Security plugin will be available in the Backstage community and can be installed on any developer platform based on Backstage. Providing consistent and targeted vulnerability information in your developers' dashboard will enable them to catch issues early in the development lifecycle and simplify communication between developers and your security teams.

GitHub Container Registry integration

The Red Hat Advanced Cluster Security for Kubernetes vulnerability scanner requires access to the registry where container images are hosted to produce vulnerability scan results.

To facilitate organizations that host their container images in ghcr.io, Red Hat Advanced Cluster Security now offers an out-of-the-box integration option for GitHub Container Registry (GHCR). This integration allows for integration with public or private instances of GHCR.

Try Red Hat Advanced Cluster Security 4.7 today

If you’re interested in learning more about Red Hat Advanced Cluster Security for Kubernetes or Red Hat Advanced Cluster Security for Kubernetes Cloud Service, you can take a free test drive.