Red Hat Advanced Cluster Security 4.9: Security built with your workflows in mind

Red Hat Blog

We’ve been dedicated to advancing Red Hat Advanced Cluster Security for Kubernetes in line with the rapid evolution of Kubernetes security. With version 4.9, we’re introducing key integrations and updates designed to help streamline your workflows. To that end, we’ve improved our ability to integrate with other tools and services, enhanced visibility into operations, and begun the work of bringing virtual machines (VMs) into our scope of reporting and scanning.

Red Hat Advanced Cluster Security Integration with ServiceNow

A significant highlight of Red Hat Advanced Cluster Security 4.9 is its integration with ServiceNow, allowing users to effortlessly import detailed container image vulnerability data into their ServiceNow dashboard using ServiceNow’s Container Vulnerability Response Application.

This aligns the rich data from Red Hat Advanced Cluster Security into the flexible ticket-based workflow that organizations use to resolve their security issues.

To add the integration to your ServiceNow instance, visit ServiceNow Marketplace.

View-based vulnerability reporting

Red Hat Advanced Cluster Security 4.9 simplifies the process of generating and sharing vulnerability reports with the direct CSV export of filtered vulnerability data. This feature provides security teams with increased flexibility to search and find the vulnerabilities they care about and share actionable insights with ease.

These customizable exports streamline workflows by enabling teams to see vulnerabilities and container information swiftly, to help security teams respond quickly and efficiently.

Vulnerability reporting for VMs [Dev Preview]

An exciting first step in the process to help enhance VM security with Red Hat Advanced Cluster Security includes vulnerability scanning for VMs that are managed with Red Hat OpenShift Virtualization. The solution requires lightweight agents installed in your Red Hat Enterprise Linux (RHEL) host to uncover hidden risks in your VM’s guest operating system (OS).

Capped at 50 VMs for now, it smoothly integrates into the existing vulnerability management dashboard.

Machine-to-machine (M2M) OIDC authentication

The latest release introduces declarative, automation-friendly M2M OpenID Connect (OIDC) authentication to streamline secure access to the product’s APIs. Simply add your OIDC issuer details as ConfigMaps or Secrets mounted into the Central pod, and your teams can use short-lived OIDC tokens from identity providers for automated, security-focused API interactions. This simplifies authentication workflows, enables machine access without long-lived credentials, and allows for simplified third-party authentication.

Metrics exporting with Prometheus

Red Hat Advanced Cluster Security 4.9 ships with a dedicated /metrics API endpoint in Central Services that exposes custom product metrics for enhanced visibility. These custom product metrics are stored in the Prometheus time series database. Prometheus data can be used to visualize security metrics with tools like Grafana or Perses to craft tailored dashboards, and with Alertmanager, alerts can be sent to various receivers like email, Slack, or PagerDuty.

Gain actionable insights into key security areas—policy violations, image vulnerabilities, and node vulnerabilities—while monitoring system health through fixed metrics like Cluster Health and TLS Certificate Expiry. Version 4.9 embodies the SecOps approach, providing the security and operational data needed to track risks and system status proactively.

Explore set-up details in the Red Hat Advanced Cluster Security 4.9 release notes here.
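To make the pipeline described above concrete, here is an added example (not Red Hat’s configuration and not taken from the release notes) of the three pieces a practitioner wires together: a Prometheus scrape job for Central’s /metrics endpoint, an alerting rule group, and an Alertmanager route to Slack. The host names, job name, CA path, Slack webhook and the TLS-expiry metric name are placeholders; the real metric names must be read from the product’s own /metrics output. Only the `up` series is generic Prometheus behaviour and needs no substitution.

```yaml
# Added example, not Red Hat's configuration. Three files shown as one
# YAML stream; split them at the '---' markers when deploying.

# --- prometheus.yml: scrape Central's /metrics and load the rule file ---
global:
  scrape_interval: 60s
  evaluation_interval: 60s
rule_files:
  - /etc/prometheus/rules/acs.yml
alerting:
  alertmanagers:
    - static_configs:
        - targets: ["alertmanager.example.internal:9093"]   # placeholder
scrape_configs:
  - job_name: acs-central                   # placeholder job name
    scheme: https
    metrics_path: /metrics
    tls_config:
      ca_file: /etc/prometheus/acs-ca.pem   # placeholder: pin Central's CA, do not skip verification
    static_configs:
      - targets: ["central.example.internal:443"]   # placeholder host:port
---
# --- /etc/prometheus/rules/acs.yml: turn metrics into alerts ---
groups:
  - name: acs-security
    rules:
      - alert: CentralTLSCertExpiringSoon
        # placeholder metric name: substitute the TLS-expiry series Central exposes
        expr: example_acs_tls_cert_expiry_seconds - time() < 14 * 24 * 3600
        for: 1h
        labels:
          severity: warning
        annotations:
          summary: "ACS TLS certificate expires in under 14 days"
      - alert: ACSCentralScrapeDown
        # 'up' is produced by Prometheus itself for every scrape target
        expr: up{job="acs-central"} == 0
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "Prometheus cannot scrape Central /metrics"
---
# --- alertmanager.yml: route alerts to a SecOps Slack channel ---
route:
  receiver: secops-slack
  group_by: ["alertname"]
receivers:
  - name: secops-slack
    slack_configs:
      - api_url: https://hooks.slack.com/services/PLACEHOLDER   # placeholder webhook URL
        channel: "#secops"
        send_resolved: true
```

The `ACSCentralScrapeDown` rule is worth keeping even if you adopt no product-specific rules: a silent scrape failure otherwise turns every other alert into a false negative. Validate the rule file with `promtool check rules /etc/prometheus/rules/acs.yml` before loading it.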

Autolock process baselines

Process baselining has been part of Red Hat Advanced Cluster Security for many versions. In version 4.9, this functionality is upgraded by automating the process of locking baselines. Previously a time-consuming, manual task for each deployment, this update frees up security teams to focus on more critical work.

Furthermore, this change allows for a more proactive security approach. Instead of waiting for a deployment to exist before setting up an alert, you can now define a policy for a specific scope, like a namespace. Any new deployment in that scope will automatically raise alerts, enabling consistent security from Day 1.

Policy editor changes and enhancements

Based on your feedback, we have refined the policy editor. Red Hat Advanced Cluster Security 4.9 focuses policy creation around a single policy lifecycle choice, cutting through the clutter of previous multi-option setups. The criteria fields are organized into sections with new sub-sections for faster, more intuitive selection, based on your lifecycle.

Criteria fields are grouped into sections that dynamically show only the options relevant to the lifecycle you selected. Moreover, documentation now includes a comprehensive guide in addition to the traditional “how-to” instructions. This update makes it even easier for teams to apply security policies throughout the build, deploy, and runtime stages.

See the Red Hat Advanced Cluster Security 4.9 release notes here.

Admission Controller enforcement and lifecycle updates

First, Admission Controller settings are now more user-friendly. Red Hat Advanced Cluster Security 4.9 eliminates lower-level knobs to provide a single ON/OFF choice for disabling admission controller enforcement. The settings are controlled by the installation method (Operator or Helm chart) per secured cluster and can be viewed in the Cluster Configuration page of the user interface (UI).

Second, we made the Admission Controller’s “failure policy” configurable. When Kubernetes processes an API request, the Admission Controller has a short time to respond. If it times out, Kubernetes can either:

  • Fail Open: Let the request go through and ignore the Admission Controller (prioritizes availability).
  • Fail Close: Block the request (prioritizes consistent security enforcement).

Previously, Red Hat Advanced Cluster Security supported the Fail Close mode only with the Helm installation method. Now, this option is available in the Operator installation method as well and is reflected in the UI.
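The two modes above map onto a single field in stock Kubernetes: `failurePolicy` on a webhook registration, where `Ignore` is fail open and `Fail` is fail close. The product sets this for you through the Operator or Helm chart, so the following is an added illustration of the underlying Kubernetes mechanism, not Red Hat’s own manifest; every name, namespace and service reference is a placeholder. It shows the same webhook registered both ways, with the fail-close variant carving out namespaces whose outage would otherwise wedge the cluster.

```yaml
# Added example, not from the RHACS project. failurePolicy decides what the
# API server does when the webhook does not answer within timeoutSeconds
# (or is unreachable). All names below are placeholders.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-policy-webhook                 # placeholder
webhooks:
  - name: example.policy.webhook.example.com   # placeholder, must be a DNS-style name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    timeoutSeconds: 10
    # Fail open: a timeout or outage lets the request through unchecked.
    failurePolicy: Ignore
    clientConfig:
      service:
        namespace: example-ns                  # placeholder
        name: example-webhook-svc              # placeholder
        path: /validate
    rules:
      - apiGroups: ["apps", ""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments", "pods"]
---
# Same registration with fail close: a timeout or outage blocks the request.
# Exclude the namespaces the control plane and the webhook itself live in,
# otherwise a webhook outage can prevent its own repair.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-policy-webhook-strict          # placeholder
webhooks:
  - name: example.policy.webhook.example.com
    admissionReviewVersions: ["v1"]
    sideEffects: None
    timeoutSeconds: 10
    failurePolicy: Fail
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system", "example-ns"]   # placeholder exclusions
    clientConfig:
      service:
        namespace: example-ns
        name: example-webhook-svc
        path: /validate
    rules:
      - apiGroups: ["apps", ""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments", "pods"]
```

To check which mode a cluster is actually running, inspect the live object rather than the install values: `kubectl get validatingwebhookconfigurations -o yaml | grep -n failurePolicy`. Before switching to `Fail`, confirm the webhook backend has more than one replica and that its own namespace is excluded, since in fail-close mode a backend outage blocks every matching create or update until it recovers.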

Try it today

To learn more about the Red Hat Advanced Cluster Security 4.9 release, check out the release notes.
