3 key features in Red Hat Advanced Cluster Security for Kubernetes 4.6


Red Hat Blog

Red Hat Advanced Cluster Security for Kubernetes and Red Hat Advanced Cluster Security for Kubernetes Cloud Service versions 4.6 are now available. This update lays the foundation for a future based on policy as code and improves the UI to make it easier for users to find what they need.

The significant changes in this version can be found here, but the highlights are:

  • Violations Management UX improvements
  • ACS Scanner v4 adopts Red Hat CSAF/VEX
  • NVD CVSS scores for all CVEs (when available)
  • Compliance reporting
  • ACSCS PCI DSS 4.0.0 compliance
  • Red Hat Advanced Cluster Management for Kubernetes GlobalHub Integrations
  • Policy as Code (tech preview)
  • ARM support for Secured cluster (tech preview)
  • External Entity IP (tech preview)

This blog post goes into more detail about 3 of the most significant changes made for our customers and why.

Violations

A significant change for version 4.6 comes within the violations management interface, to help users focus on corrective actions.

First, policy violations are now split into three tabs, that group violations by Active, Resolved, or Attempted.

  • Active violations are current violations
  • Resolved violations are typically Build and Deploy phase violations where the offending deployment is already gone. A less well-known source is Runtime phase violations that have been manually resolved by the user
  • Attempted violations are actions that were attempted but were blocked by Red Hat Advanced Cluster Security (ACS) before being carried out, because the violated policy has an enforcement action configured

Second, a View filter has been added to set aside violations triggered by platform workloads from violations triggered by application (end user) workloads. The default view is Applications view, and users may switch to Platform view or Full view. With these views, users can focus on each of the corrective actions paths in their organization:

  • Application workload violations: Communicate with application owners when an application may need to be modified or rebuilt with an updated image
  • Platform workload violations: Communicate with the team that owns the Red Hat OpenShift instance, where an OpenShift upgrade may be required

Third, the policy violations page now has an easier-to-use (but comprehensive) filter widget. This filter allows you to further focus your attention on areas where corrective actions are needed, by narrowing down the listed violations by policy attributes, violation attributes, cluster/namespace attributes, and deployment attributes.

We are aware of two violations UI limitations in this release:

  1. The selected view is cleared when you switch tabs
  2. The filter is cleared when you switch views

We plan to improve this in the next Advanced Cluster Security major release.

Vulnerabilities

FedRAMP Vulnerability Scanning Requirements documentation states that any organization wanting to meet FedRAMP requirements must use the NVD CVSS v3 base score (unless it’s unavailable, in which case it’s acceptable to use CVSS v2). To help organizations meet FedRAMP requirements, ACS Scanner v4 now provides NVD CVSS scores (v3 when available, and v2 when v3 is not available) for all CVEs and vendor-specific CVSS scores (when available).

ACS policy Image Content fields have also been enhanced to include the NVD CVSS score as one of the fields that ACS policies can be built upon.

ACS Scanner v4 now consumes Red Hat Product Security published Common Security Advisory Framework (CSAF) and Vulnerability Exploitability Exchange (VEX) data instead of OVAL v2 security data for Workload CVEs. The primary advantage of the CSAF and VEX profile is that it provides a standardized, machine-readable format for sharing vulnerability information, enabling efficient automation in vulnerability management processes. It’s now the recommended authoritative security data source for Red Hat.
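To show what "machine-readable" buys you in practice, here is an added example (not ACS code, and not Red Hat's data) that reads a constructed CSAF 2.0 VEX document, looks up the product status a vendor asserts for a given CVE and product, and picks a base score with the preference order the post describes (CVSS v3 when available, v2 otherwise). The field names follow the CSAF 2.0 schema; the product IDs and CVE numbers are placeholders.

```python
import json

# Constructed, minimal CSAF 2.0 VEX document (placeholder CVE IDs and products).
SAMPLE_VEX = json.dumps({
    "document": {"category": "csaf_vex", "title": "constructed example"},
    "product_tree": {"full_product_names": [
        {"product_id": "os-9:pkg-a-1.0", "name": "pkg-a 1.0 on os 9"},
        {"product_id": "os-9:pkg-b-2.3", "name": "pkg-b 2.3 on os 9"},
    ]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",
         "product_status": {"known_affected": ["os-9:pkg-a-1.0"],
                            "known_not_affected": ["os-9:pkg-b-2.3"]},
         "scores": [{"products": ["os-9:pkg-a-1.0"],
                     "cvss_v3": {"version": "3.1", "baseScore": 7.5}}]},
        {"cve": "CVE-0000-0002",
         "product_status": {"under_investigation": ["os-9:pkg-b-2.3"]},
         "scores": [{"products": ["os-9:pkg-b-2.3"],
                     "cvss_v2": {"version": "2.0", "baseScore": 4.3}}]},
    ],
})

# CSAF product_status categories, checked in this order so an explicit
# "affected" or "fixed" statement wins over a weaker one.
STATUS_ORDER = ("known_affected", "fixed", "under_investigation", "known_not_affected")

def load_sample():
    """Parse the constructed VEX document into a dict."""
    return json.loads(SAMPLE_VEX)

def vex_status(doc, cve_id, product_id):
    """Return the product_status category that names product_id for cve_id, or None."""
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve_id:
            continue
        for status in STATUS_ORDER:
            if product_id in vuln.get("product_status", {}).get(status, []):
                return status
    return None

def preferred_score(doc, cve_id, product_id):
    """Prefer the CVSS v3 base score, fall back to v2; None if neither is published."""
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve_id:
            continue
        for score in vuln.get("scores", []):
            if product_id not in score.get("products", []):
                continue
            if "cvss_v3" in score:
                return ("v3", score["cvss_v3"]["baseScore"])
            if "cvss_v2" in score:
                return ("v2", score["cvss_v2"]["baseScore"])
    return None
```

The same v3-then-v2 preference applies to NVD scores, which come from a separate feed rather than from the vendor's VEX file; a "known_not_affected" status is what lets a scanner suppress a CVE that package-version matching alone would report.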

Global Hub

Red Hat Advanced Cluster Management for Kubernetes (part of Red Hat OpenShift Platform Plus) is our overarching tool for managing clusters and clusters of clusters worldwide. As this product has grown in capabilities, it’s also become a place where many of the other tools within the Red Hat OpenShift Platform Plus offering can integrate to enable management at scale. Red Hat Advanced Cluster Management for Kubernetes offers a Global Hub interface to enable these integrations.

Red Hat Advanced Cluster Security for Kubernetes has joined the tooling integrated into Global Hub. This means that, from a single interface, security administrators can push down and manage policies globally. This greatly simplifies the management of security policies across multiple clusters and allows for the management of multiple instances of Red Hat Advanced Cluster Security for Kubernetes across those clusters.

Local administrators can still manage specific clusters, while global administrators can rest easy knowing that they can immediately implement a new policy across the entire cluster estate as needed.

Bonus: technology previews

We’ve also been working hard to redesign Red Hat Advanced Cluster Security for Kubernetes as a platform to enable policy as code. Many of the supports we’ve built to allow for this feature are available in this release as a technology preview.

Over the years, we’ve seen a fundamental split in the security administration community: some people want automation, and some people want to put their hands on the policies. When combined with a GitOps-enabled Kubernetes environment using something like Argo CD, these are conflicting desires. For those who want to automate security policy management and rollouts, our policy as code features will enable them to commit their policies to GitHub and then automatically deploy them to the cluster.

We do, however, understand that sometimes a security administrator just wants to do things by hand and do them right now. We’ve surfaced some warnings in the interface for this type of usage to ensure people doing this understand that their changes get pushed out when Argo CD enforces its Git repository upon the cluster, but we do allow such behavior.

This technology is in a stable and usable form, but it is not yet flagged as generally available for three reasons:

  1. The CRD API is still in Alpha, and thus policy as code might have to change to adapt to an evolving specification
  2. Some gaps remain, most notably around resolving UUIDs in YAML objects to actual names
  3. Generally, we want your feedback before we set this in stone

Policy as code can significantly improve the lives of our users, so we want to get it right and build the platform’s future around these capabilities.

We’ve also got a few other features available as a technology preview with this release. Our network graph was a little myopic about external IP entities, so we’ve improved that in this release, surfacing more information on network entities outside your firewalls but inside your security purview. We’ve also added ARM support.

Try Red Hat Advanced Cluster Security 4.6 today

If you’re interested in learning more about Red Hat Advanced Cluster Security for Kubernetes or Red Hat Advanced Cluster Security for Kubernetes Cloud Service, you can take a free test drive here.
