Security continues to be a top priority for organizations managing Kubernetes clusters. Red Hat has made significant strides for improved security for containers with its latest release of Red Hat Advanced Cluster Security 4.8. This release focuses on simplifying management, enhancing workflows and offering visibility into the security of containerized environments.

External IP visibility for improved security

Red Hat Advanced Cluster Security 4.8 introduces the general availability of a powerful new feature: the ability to visualize external IPs directly within the network graph dashboard. This feature addresses a long-standing blind spot for customers seeking a comprehensive understanding of their outbound connections. By providing a clear picture of potential threats from external sources, alongside Red Hat Advanced Cluster Security's renowned detailed Layer 4 network security features, this update significantly strengthens security posture.

By default, this feature is disabled. Once it's enabled, you can see external IPs in the Network Graph, and Unauthorized Network Flow violations include detailed external IP information to streamline your investigation process.

Red Hat OpenShift Infrastructure Compliance

One of the standout features in Red Hat Advanced Cluster Security 4.8 is the general availability of OpenShift Infrastructure Compliance. Red Hat Advanced Cluster Security and the OpenShift Infrastructure Compliance operator assess compliance standards across your OpenShift fleet to help ensure that your OpenShift infrastructure adheres to organizational security policies.

The new capabilities also include enhanced compliance reporting. This ensures that you receive complete compliance reports, even when some clusters fail during a scheduled scan. This provides continuous visibility into the compliance status of successfully scanned clusters, enabling organizations to maintain security oversight even in the face of occasional scan failures.

Scanner V4 for vulnerability scanning

In RHACS 4.8, Scanner V4 is now the default scanner for reporting vulnerabilities in user workloads, platform components, and nodes. This marks a significant improvement in vulnerability scanning, because Scanner V4 brings advanced capabilities such as SBOM generation, CSAF VEX vulnerability feeds, and enhanced reporting for security vulnerabilities.

For new installations, Scanner V4 is used automatically, while existing installations continue to use the previously configured scanner unless you manually update it. This ensures there's no disruption to existing user workflows.

Enhanced vulnerability advisories

Starting with Red Hat Advanced Cluster Security 4.8, you can get separate reporting for the Common Vulnerabilities and Exposures (CVE) database and Red Hat Security Advisories (RHSA) in the vulnerability management dashboard. Previously, RHACS replaced CVE IDs with RHSA IDs once a fix was available. With this new enhancement, both CVE and RHSA issues are reported separately, providing detailed and transparent information about vulnerabilities and the fixes that have been issued.

This ensures that users have a clearer understanding of both the specific vulnerabilities and the advisories associated with them.

Support for keyless signing verification

We've significantly advanced our Keyless Sigstore integration by supporting validation of images signed with short-lived credentials. This crucial capability is made possible through seamless integration with Rekor and transparency logs, ensuring more robust security measures for your software supply chain and building on the Sigstore integration supported since Red Hat Advanced Cluster Security 4.4.

This advancement also facilitates a keyless signing workflow. Fulcio can now integrate with OIDC identity providers, allowing users to exchange an identity token for a short-lived credential used for image signing. This simplifies the signing process while supporting a robust security posture.

Build time network tools with B/ANP support for connectivity analysis

The Red Hat Advanced Cluster Security build time network tools help your Kubernetes network security shift left as you proactively develop network policies before deployment. This release introduces two key enhancements for connectivity mapping:

  • Connectivity mapping now understands admin network policies (ANP) and baseline admin network policies (B/ANP). It considers B/ANP resources when present, and correctly computes effective connectivity rules.
  • Explainability is a feature that identifies the resources and rules allowing or denying workload connectivity. It clarifies network policy interactions, aiding administrators in understanding and troubleshooting network security.

For more information on build time network tools, read the product documentation.

Platform components customization

Red Hat Advanced Cluster Security helps you focus on actionable data by classifying vulnerability and policy violation issues as either User Workload or Platform. With Red Hat Advanced Cluster Security 4.8, you can view and customize this definition. If you install Red Hat products, including Red Hat Advanced Cluster Security itself, into a non-default namespace, you must update the layered products definition. You can also classify other namespaces as Platform, which is useful for excluding third-party applications from the focused User Workloads views.

Policy as Code

Formerly available as a technology preview, policy as code in Red Hat Advanced Cluster Security 4.8 is generally available. This feature enables organizations to manage Red Hat Advanced Cluster Security policies as Kubernetes custom resources, integrating them into your GitOps workflow. With this release, a policy can be managed using Red Hat GitOps (Argo CD) and similar tools.
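As an added example that is not part of the original post, this is the kind of SecurityPolicy custom resource the feature lets you keep in a Git repository and roll out with Argo CD. The API group, field names and enum values are assumed to match the RHACS policy CRD schema, and the policy content (name, namespace, thresholds, exclusion) is constructed here for illustration:

```yaml
# Added example (constructed, not from the original post). The apiVersion, kind
# and spec field names are assumed to follow the RHACS SecurityPolicy CRD; confirm
# them on your cluster with `oc explain securitypolicy.spec` before committing.
apiVersion: config.stackrox.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: fixable-high-cvss-block
  namespace: stackrox   # example: the namespace where Central runs
spec:
  policyName: Block fixable vulnerabilities with CVSS >= 7
  description: >-
    Fails builds and blocks deployments whose images carry a vulnerability
    that already has a fix available and a CVSS score of 7 or higher.
  rationale: A fix exists, so the image should be rebuilt before it ships.
  remediation: Rebuild the image on an updated base image and re-scan it.
  categories:
    - Vulnerability Management
  severity: HIGH_SEVERITY
  # Evaluate in CI (BUILD) and at admission (DEPLOY), not at runtime.
  lifecycleStages:
    - BUILD
    - DEPLOY
  # Enforcement actions: fail the CI check and block the deployment.
  # Omit this list to run the policy in alert-only mode first.
  enforcementActions:
    - FAIL_BUILD_ENFORCEMENT
    - SCALE_TO_ZERO_ENFORCEMENT
    - UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT
  policySections:
    - sectionName: Fixable high-CVSS CVE
      # Every policy group in a section must match (logical AND).
      policyGroups:
        - fieldName: Fixable
          booleanOperator: OR
          negate: false
          values:
            - value: "true"
        - fieldName: CVSS
          booleanOperator: OR
          negate: false
          values:
            - value: ">= 7"
  # Example exclusion: keep OpenShift platform namespaces out of scope so the
  # policy reports only on user workloads.
  exclusions:
    - name: Exclude OpenShift platform namespaces
      deployment:
        scope:
          namespace: openshift-.*
```

Committing this file to the repository that Argo CD syncs makes the policy reviewable in a pull request and reverts it cleanly if the change is rolled back.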

Try it today

You can read the full Red Hat Advanced Cluster Security 4.8 release notes for details, and try Red Hat Advanced Cluster Security 4.8 for 60 days to experience it for yourself.
