Chapter 1. Red Hat Advanced Cluster Security for Kubernetes 4.10


Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle.

RHACS deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.

1.1. Release dates

Review the official release dates and update schedule for RHACS 4.10.

Table 1.1. Release dates

RHACS version   Released on
4.10.0          3 March 2026
4.10.1          8 April 2026

1.2. About release 4.10

RHACS 4.10 includes new features, improvements, and updates.

1.3. New features

To strengthen your security posture, implement the new configuration and monitoring standards in RHACS 4.10. You can configure global node taints, define standardized base images, and monitor file activity to support strict workload isolation and compliance. When you register new secured clusters, select the cluster registration secret (CRS) method instead of an init bundle to securely isolate your bootstrapping credentials.

This release adds improvements related to the following components and concepts:

In RHACS 4.10, Central automatically redirects HTTP requests for the Central URL to HTTPS. Before this update, Central did not redirect HTTP requests, so a user who typed a plain http:// URL received no response or an unencrypted one. This enhancement improves security and user experience and aligns Central with Red Hat OpenShift platform conventions.

For example, if you enter http://central-stackrox.apps.ocp.example.com, Central automatically redirects the connection to https://central-stackrox.apps.ocp.example.com.
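The following script checks that a captured HTTP response from Central is a clean scheme-only redirect: a redirect status, a Location header that switches to https:// and stays on the same host and path. It is an added example, not RHACS code; the Central hostname and the two sample responses are constructed for illustration, not captured from a real deployment.

```python
"""Verify that an HTTP request to Central is answered with a redirect to
HTTPS on the same host and path (added example, not RHACS code)."""
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 307, 308}


def parse_response_head(raw: str):
    """Parse the status code and headers of a raw HTTP response
    (the format 'curl -sI' prints); accepts CRLF or LF line endings."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_https_redirect(requested_url: str, raw_response: str) -> list:
    """Return a list of problems; an empty list means a correct redirect.
    Anything other than https:// on the same host and path is reported,
    which also catches a redirect that leaves the Central host."""
    status, headers = parse_response_head(raw_response)
    if status not in REDIRECT_STATUSES:
        return [f"expected a redirect status, got {status}"]
    location = headers.get("location")
    if not location:
        return ["redirect without a Location header"]
    want, got = urlsplit(requested_url), urlsplit(location)
    problems = []
    if got.scheme != "https":
        problems.append(f"Location scheme is {got.scheme!r}, not https")
    if got.hostname != want.hostname:
        problems.append(f"Location host {got.hostname!r} differs from {want.hostname!r}")
    if (got.path or "/") != (want.path or "/"):
        problems.append("Location path differs from the requested path")
    return problems


# Constructed sample responses (not captured from a real Central).
CENTRAL_URL = "http://central-stackrox.apps.ocp.example.com/"
SAMPLE_OK = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://central-stackrox.apps.ocp.example.com/\r\n"
             "Content-Length: 0\r\n\r\n")
SAMPLE_BAD = ("HTTP/1.1 302 Found\r\n"
              "Location: http://other.example.net/\r\n\r\n")
SAMPLE_NONE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        # python3 check_redirect.py <url> < headers.txt
        print(check_https_redirect(sys.argv[1], sys.stdin.read()))
    else:
        print(check_https_redirect(CENTRAL_URL, SAMPLE_OK))
        print(check_https_redirect(CENTRAL_URL, SAMPLE_BAD))
        print(check_https_redirect(CENTRAL_URL, SAMPLE_NONE))
```

Against a live Central, pipe the headers in: `curl -sI http://central-stackrox.apps.ocp.example.com/ | python3 check_redirect.py http://central-stackrox.apps.ocp.example.com/`. An empty list confirms the redirect; a host mismatch is worth treating as a finding, not a cosmetic difference.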

In RHACS 4.10, you can configure global node taints and tolerations within both the Central and Secured Cluster custom resources (CRs). When you define these once at the CR level, the system automatically applies your settings to all RHACS components that run as Kubernetes deployments.

Before this update, you had to duplicate configurations for environments by using tainted or dedicated node pools. With this update, you ensure consistent scheduling behavior across your Central services and secured cluster components, which provides greater flexibility when you deploy RHACS into clusters with strict workload isolation policies.

For more information, see Central configuration options in the RHACS installation documentation.

In RHACS 4.10, you can define standardized base images that your organization has approved for application development. When you use these images, RHACS detects and distinguishes the layers originating from the base image from those added by the application owner.

This new capability establishes a clear separation of duties between base image owners and application owners. This structure ensures clear accountability and faster remediation, and it enables more precise patch responsiveness metrics for each team.

For more information about base image definition, see "Defining base images used in application development".

For more information about viewing vulnerabilities from base images, see "Viewing vulnerabilities from base images".

In RHACS 4.10, RHACS supports vulnerability management of virtual machine (VM) workloads at runtime on Red Hat OpenShift Virtualization (RHOCPV). This feature requires you to run a VM agent, which performs continuous package scanning from inside the VM. As a result, you gain visibility into vulnerabilities within your virtualized workloads. This capability is a Technology Preview feature.

For more information, see "Scanning virtual machines".

In RHACS 4.10, you gain access to a new dynamic plugin for the OpenShift console on your secured clusters. This plugin adds a Security tab that displays real-time vulnerability information about your cluster. You can now analyze vulnerability data directly within your OpenShift console interface without switching applications. This capability is a Technology Preview feature.

For more information, see "Accessing vulnerability information in the OpenShift Container Platform web console".

1.3.6. Policy criteria for CVE fix availability

In RHACS 4.10, teams can allow violation grace periods based on the date a fix became available for a published vulnerability.
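The following evaluation shows how a fix-availability grace period sorts the CVEs in a scan result. It is an added example, not RHACS policy engine code: the CVE records, dates and severity filter are constructed, and the rule that a CVE with no published fix cannot violate this criterion is this example's assumption.

```python
"""Grace-period evaluation keyed on the date a fix became available
(added example, not RHACS code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Cve:
    id: str
    severity: str
    fix_available_on: Optional[date]   # None: no fix has been published


def grace_expired(cve: Cve, today: date, grace_days: int) -> bool:
    """True once more than grace_days have passed since the fix shipped.
    A CVE without a fix date never expires under this criterion (assumption)."""
    if cve.fix_available_on is None:
        return False
    return today - cve.fix_available_on > timedelta(days=grace_days)


def evaluate_image(cves, today: date, grace_days: int,
                   severities=frozenset({"Critical", "Important"})) -> dict:
    """Bucket each CVE: violation (fix older than the grace period),
    in_grace (fix exists but is recent), no_fix, or out_of_scope
    (below the severity threshold, a constructed second criterion)."""
    buckets = {"violation": [], "in_grace": [], "no_fix": [], "out_of_scope": []}
    for c in cves:
        if c.severity not in severities:
            buckets["out_of_scope"].append(c.id)
        elif c.fix_available_on is None:
            buckets["no_fix"].append(c.id)
        elif grace_expired(c, today, grace_days):
            buckets["violation"].append(c.id)
        else:
            buckets["in_grace"].append(c.id)
    return buckets


# Constructed sample scan result; the identifiers are placeholders, not real CVEs.
SCAN_DATE = date(2026, 4, 8)
SAMPLE_CVES = [
    Cve("EXAMPLE-CVE-1", "Critical", date(2026, 1, 15)),   # fix 83 days old
    Cve("EXAMPLE-CVE-2", "Important", date(2026, 3, 20)),  # fix 19 days old
    Cve("EXAMPLE-CVE-3", "Critical", None),                # no fix yet
    Cve("EXAMPLE-CVE-4", "Moderate", date(2025, 6, 1)),    # below severity cut
]

if __name__ == "__main__":
    for bucket, ids in evaluate_image(SAMPLE_CVES, SCAN_DATE, 30).items():
        print(f"{bucket:13s} {ids}")
```

The boundary is deliberate: a fix exactly grace_days old is still within grace, and the violation starts the day after. Keep the "no fix" bucket visible in reports even though it does not violate, because it is the set nobody can remediate by rebuilding.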

1.3.7. Administrative events for scan failures

In RHACS 4.10, the roxctl CLI and API requests that trigger image scans now generate administrative events when scanning fails. As a result, administrators gain better visibility into scanning reliability and failures.

In RHACS 4.10, the cluster registration secret (CRS), introduced in RHACS 4.9 as a Technology Preview, is fully supported with this release. Additionally, you can now use this method when installing by using the Operator. CRS provides a means to securely bootstrap secured cluster registration with RHACS Central. This method replaces the init bundle for registration.

CRS provides clear separation of credentials used for bootstrapping registration of secured cluster components from the workflow of internal communication between these components. Existing clusters that used the init bundle for registration are not impacted. However, you should use CRS for new cluster registrations.

For more information, see the RHACS installation documentation.

In RHACS 4.10, file activity monitoring provides real-time visibility into file execution and modifications. Different security standards such as PCI-DSS specify requirements for ensuring file integrity that traditional solutions such as the File Integrity Operator could not fully meet. As a result, this feature bridges visibility gaps by capturing the timestamp, process name, execution path, and UID for every change. It distinguishes between host and container initiated changes and automatically maps activity to specific Kubernetes deployments and namespaces.

You can scope deployment policies to filter out expected activity and tune policies for relevant file operations. Enable this feature per cluster by using the Operator options or the Helm installation. In this release, you can monitor the four most critical paths of a node. This capability is a Technology Preview feature.

For more information, see "Configuring file activity monitoring".
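The following detection logic evaluates file-activity events against a scoped policy in the way the feature above describes: events carry a timestamp, process name, path, UID and a host or container origin, container events are mapped to a namespace and deployment, and expected activity is tuned out by process and path rather than by UID. It is an added example, not RHACS policy engine code; the paths, processes, namespaces and events are constructed samples.

```python
"""Evaluate file-activity events against a scoped file policy
(added example, not RHACS code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    timestamp: str
    process: str
    path: str
    uid: int
    operation: str               # "modify", "exec", "delete", ...
    origin: str                  # "host" or "container"
    namespace: Optional[str] = None   # set for container-originated events
    deployment: Optional[str] = None


@dataclass(frozen=True)
class FilePolicy:
    name: str
    monitored_prefixes: tuple    # path prefixes that count as monitored
    operations: frozenset        # which file operations are relevant
    scope_namespaces: Optional[frozenset] = None   # None: all namespaces
    exclusions: tuple = ()       # (process name, path prefix) pairs of expected activity


def matches_exclusion(ev: FileEvent, pol: FilePolicy) -> bool:
    return any(ev.process == proc and ev.path.startswith(prefix)
               for proc, prefix in pol.exclusions)


def evaluate(events, pol: FilePolicy) -> list:
    """Return the events that violate the policy. The UID is never used as
    a filter: a change made as root through sudo on a monitored path is
    reported like any other, matching the 4.10.1 fix for sudo access."""
    hits = []
    for ev in events:
        if ev.operation not in pol.operations:
            continue
        if not any(ev.path.startswith(p) for p in pol.monitored_prefixes):
            continue
        if (ev.origin == "container" and pol.scope_namespaces is not None
                and ev.namespace not in pol.scope_namespaces):
            continue
        if matches_exclusion(ev, pol):
            continue
        hits.append(ev)
    return hits


def describe(ev: FileEvent) -> str:
    where = f"{ev.namespace}/{ev.deployment}" if ev.origin == "container" else "host"
    return f"{ev.timestamp} {ev.operation} {ev.path} by {ev.process} (uid {ev.uid}) from {where}"


# Constructed sample events.
EVENTS = [
    FileEvent("2026-04-08T10:00:01Z", "dnf", "/usr/bin/curl", 0, "modify", "host"),
    FileEvent("2026-04-08T10:00:05Z", "bash", "/etc/shadow", 0, "modify", "host"),   # root via sudo
    FileEvent("2026-04-08T10:00:09Z", "sh", "/etc/passwd", 0, "modify", "container", "prod", "web"),
    FileEvent("2026-04-08T10:00:12Z", "sh", "/etc/passwd", 1001, "modify", "container", "dev", "web"),
    FileEvent("2026-04-08T10:00:15Z", "app", "/tmp/cache", 1001, "modify", "container", "prod", "web"),
]

# Monitored paths scoped to the prod namespace; package-manager writes are expected.
POLICY = FilePolicy(
    name="Critical path modification",
    monitored_prefixes=("/etc/", "/usr/bin/"),
    operations=frozenset({"modify", "delete"}),
    scope_namespaces=frozenset({"prod"}),
    exclusions=(("dnf", "/usr/bin/"),),
)

if __name__ == "__main__":
    for ev in evaluate(EVENTS, POLICY):
        print(describe(ev))
```

Two events survive the filters: the root write to /etc/shadow on the host and the write to /etc/passwd from the prod/web deployment. The dev namespace event is dropped by scope, the package-manager write by the exclusion, and /tmp is not monitored. Tune exclusions on process and path; an exclusion on uid 0 would silently drop exactly the sudo case the 4.10.1 fix restores.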

In RHACS 4.10, when you install RHACS by using the Operator, the output for the oc get central and oc get securedcluster commands provides key information fields, including the software version and immediate visibility into resource health and operational detail. As a result, administrators can more quickly assess and confirm if the resource is currently processing or is fully operational.

1.4. Notable technical changes

This release includes notable technical changes.

This release has the following changes:

Node.js version update for user interface
The UI folder requires Node.js version 22.13.0.
Lower limit reduction for parallel image scan variable
The lower limit for the ROX_MAX_PARALLEL_IMAGE_SCAN_INTERNAL environment variable on Sensor decreases to 1 from 10. You can now configure a single parallel image scan if necessary.
Operator adoption of secrets without owner references
The Operator adopts secrets that include the app.stackrox.io/managed-by: operator label but lack ownerReferences. This behavior resolves reconciliation failures that occurred when backup and restore operations stripped ownerReferences from secrets.
Removal of certificate initialization container
The init-tls-certs init container is removed from all secured cluster services and is no longer supported. Sensor performs the certificate initialization logic at startup.
Removal of Sensor certificate distribution API
The Sensor certdistribution API is removed and is no longer supported. The admission controller earlier used this API to retrieve its Transport Layer Security (TLS) certificate from Sensor, but this mechanism is no longer necessary.
Upgrade path requirements for versions earlier than 4.6
Direct upgrades from versions earlier than RHACS 4.6 are not supported. To upgrade to version 4.10 from a version earlier than 4.6, you must first upgrade to 4.6, 4.7, 4.8, or 4.9. Rollbacks to versions earlier than 4.6 from version 4.10 or later are not supported.
Risk page redesign in PatternFly
You can access the redesigned Risk page in the RHACS portal. The interface is updated across all views, pages, and menus, but the functionality remains the same.
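The following audit script covers two items from this page: the global tolerations feature in section 1.3, which should leave every RHACS Deployment carrying the toleration for your dedicated node pool, and the secret-adoption change above, which concerns secrets labelled app.stackrox.io/managed-by: operator that lost their ownerReferences. It reads the JSON that `oc get deploy -o json` and `oc get secret -o json` produce. It is an added example, not Operator code; the taint key, namespace and sample objects are constructed for illustration.

```python
"""Audit RHACS deployments for a required toleration and find
Operator-labelled secrets without ownerReferences (added example)."""
import json
import sys

MANAGED_BY_LABEL = "app.stackrox.io/managed-by"   # label named in the notes


def toleration_matches(have: dict, want: dict) -> bool:
    """True if an existing toleration covers the required one, following
    Kubernetes semantics: an empty key with Exists tolerates everything,
    an empty effect tolerates all effects, Exists ignores the value."""
    op = have.get("operator", "Equal")
    if op == "Exists" and not have.get("key"):
        return True
    if have.get("key") != want.get("key"):
        return False
    if have.get("effect") and have.get("effect") != want.get("effect"):
        return False
    if op == "Exists":
        return True
    return have.get("value") == want.get("value")


def deployments_missing_toleration(deploy_list: dict, want: dict) -> list:
    """Names of Deployments whose pod template lacks a covering toleration."""
    missing = []
    for d in deploy_list.get("items", []):
        pod_spec = d.get("spec", {}).get("template", {}).get("spec", {})
        tolerations = pod_spec.get("tolerations") or []
        if not any(toleration_matches(t, want) for t in tolerations):
            missing.append(d["metadata"]["name"])
    return missing


def orphaned_operator_secrets(secret_list: dict) -> list:
    """Secrets labelled as Operator-managed but carrying no ownerReferences,
    the shape a backup and restore produces and that the Operator now adopts."""
    orphaned = []
    for s in secret_list.get("items", []):
        meta = s.get("metadata", {})
        managed = meta.get("labels", {}).get(MANAGED_BY_LABEL) == "operator"
        if managed and not meta.get("ownerReferences"):
            orphaned.append(meta["name"])
    return orphaned


# Constructed samples in the shape of 'oc get ... -o json' output.
# The taint key "rhacs-only" is an assumed name for a dedicated node pool.
WANT = {"key": "rhacs-only", "operator": "Equal", "value": "true", "effect": "NoSchedule"}

SAMPLE_DEPLOYS = {"items": [
    {"metadata": {"name": "sensor"},
     "spec": {"template": {"spec": {"tolerations": [
         {"key": "rhacs-only", "operator": "Exists", "effect": "NoSchedule"}]}}}},
    {"metadata": {"name": "admission-control"},
     "spec": {"template": {"spec": {}}}},
]}
SAMPLE_SECRETS = {"items": [
    {"metadata": {"name": "sensor-tls", "labels": {MANAGED_BY_LABEL: "operator"}}},
    {"metadata": {"name": "collector-tls", "labels": {MANAGED_BY_LABEL: "operator"},
                  "ownerReferences": [{"kind": "SecuredCluster", "name": "stackrox-secured-cluster-services"}]}},
]}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            deploys = json.load(f)
        with open(argv[2]) as f:
            secrets = json.load(f)
    else:
        deploys, secrets = SAMPLE_DEPLOYS, SAMPLE_SECRETS
    print("deployments without the toleration:", deployments_missing_toleration(deploys, WANT))
    print("operator-labelled secrets without ownerReferences:", orphaned_operator_secrets(secrets))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a cluster with `oc -n stackrox get deploy -o json > deploys.json; oc -n stackrox get secret -o json > secrets.json; python3 rhacs_audit.py deploys.json secrets.json`, after setting WANT to the taint you actually configured. The toleration check covers Deployments only, which is the set the global setting applies to according to the text above; secrets that the second check lists should disappear from it once the Operator has reconciled them.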

1.5. Deprecated and removed features

Identify the deprecated and removed features in RHACS 4.10 to ensure your deployment remains secure and fully functional.

Some features available in earlier releases have been deprecated or removed.

Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments.

For the most recent list of major functionality deprecated and removed, see the following table. Information about additional removed or deprecated functionality is available after the table.

In the table, features are marked with the following statuses:

  • GA: General Availability
  • TP: Technology Preview
  • DEP: Deprecated
  • REM: Removed
  • NA: Not applicable
Table 1.2. Deprecated and removed features tracker

Feature                                                        | RHACS 4.8 | RHACS 4.9 | RHACS 4.10
---------------------------------------------------------------|-----------|-----------|-----------
Admission controller configuration parameters (listed below)   | GA        | GA        | DEP
API token authentication for Red Hat OpenShift Cluster Manager | DEP       | DEP       | DEP
Collections hierarchical implementation                        | GA        | GA        | DEP
Compliance dashboard                                           | NA        | DEP       | DEP
definitions.stackrox.io                                        | DEP       | DEP       | DEP
Google Container Registry integration                          | DEP       | DEP       | DEP
GraphQL endpoints                                              | GA        | GA        | DEP
Kernel support packages and driver download functionality      | DEP       | DEP       | DEP
Reporting of Istio vulnerabilities                             | DEP       | DEP       | DEP
roxctl admission controller parameters (listed below)          | GA        | GA        | DEP
Scanner V2                                                     | DEP       | DEP       | DEP
/v1/clustercves/suppress APIs                                  | DEP       | DEP       | DEP
/v1/clustercves/unsuppress APIs                                | DEP       | DEP       | DEP
/v1/nodecves/suppress APIs                                     | DEP       | DEP       | DEP
/v1/nodecves/unsuppress APIs                                   | DEP       | DEP       | DEP
Vulnerability Management (1.0) menu item                       | DEP       | DEP       | DEP
Vulnerability Report Creator permission                        | DEP       | DEP       | DEP
Init Bundle                                                    | GA        | GA        | DEP
/v1/cluster-init/init-bundles/revoke API                       | GA        | GA        | DEP
/v1/cluster-init/init-bundles API                              | GA        | GA        | DEP
Configuration Management Dashboard and sub-menus               | GA        | GA        | DEP
OpenShift auth identity provider                               | GA        | GA        | DEP
Compliance V1                                                  | GA        | GA        | DEP
/v1/cve/requests APIs                                          | DEP       | DEP       | REM
Active vulnerability management feature                        | DEP       | DEP       | REM
/v1/imagecves/suppress APIs                                    | DEP       | DEP       | REM
/v1/imagecves/unsuppress APIs                                  | DEP       | DEP       | REM
Graph view in the Process discovery tab                        | GA        | GA        | DEP
Vulnerability reports using attached collections               | GA        | GA        | DEP
Vulnerability Management Dashboard (1.0) and sub-menus         | GA        | GA        | DEP
Install-time Istio integration                                 | GA        | GA        | DEP
Kubernetes components view                                     | GA        | GA        | DEP
Manifest install method and the related /v1/clusters API       | GA        | DEP       | DEP

The admission controller configuration parameters row covers the following parameters:

  • admissionControl.contactImageScanners
  • admissionControl.dynamic.enforceOnCreates
  • admissionControl.dynamic.enforceOnUpdates
  • user configuration ability of admissionControl.dynamic.scanInline
  • user configuration ability of admissionControl.dynamic.timeout
  • admissionControl.listenOnCreates
  • admissionControl.listenOnEvents
  • admissionControl.listenOnUpdates
  • admissionControl.timeoutSeconds

The roxctl admission controller parameters row covers the following parameters:

  • --admission-controller-enforce-on-creates
  • --admission-controller-enforce-on-updates
  • --admission-controller-listen-on-creates
  • --admission-controller-listen-on-updates
  • --admission-controller-listen-on-events
  • --admission-controller-timeout

Deprecated features
Manifest install method and related API
The manifest install method and the related /v1/clusters API, which deployed and managed clusters, is deprecated and is anticipated to be removed in a future release.
Init Bundle
The Init Bundle feature, which registers secured clusters with RHACS Central, is deprecated and is anticipated to be removed in a future release. The associated APIs /v1/cluster-init/init-bundles/revoke and /v1/cluster-init/init-bundles are also deprecated. You can register new clusters by using the cluster registration secret (CRS) instead.
Configuration Management Dashboard and sub-menus
The Configuration Management Dashboard and all of its sub-menus, which provided security configuration data, are deprecated and are anticipated to be removed in a future release. API access for Secrets or role-based access control (RBAC) information remains available. Security configuration data integrates directly into risk and policy management workflows to enhance visibility without relying on a standalone dashboard.
OpenShift auth identity provider
The OpenShift auth identity provider, which served as an identity provider (IdP) for RHACS, is deprecated and is anticipated to be removed in a future release. You can authenticate users by using OpenID Connect (OIDC) IdP integrations instead.
Compliance V1

The Compliance V1 functionality, including the Compliance Dashboard, compliance APIs, and compliance configuration management board, which provided the earlier compliance implementation, is deprecated and is anticipated to be removed in a future release.

This includes NIST SP 800-190 and HIPAA benchmarks, as they are currently not supported by the Compliance Operator and are anticipated to be removed in a future release at the same time as the Compliance V1 implementation. Additionally, Compliance support for non-OpenShift Kubernetes distributions is deprecated and is anticipated to be removed in a future release. If you rely on this functionality, you should prepare for a loss of functionality.

For clusters running OpenShift, you can access improved compliance features by using the new compliance version instead.

Graph view in the Process discovery tab
The Graph view, within the Risk section of the Event Timeline in the Process discovery tab, is deprecated and is anticipated to be removed in a future release.
Scanner V2
Starting with RHACS 4.6, Scanner V2, also known as the StackRox Scanner, is deprecated and is anticipated to be removed in a future release. To maintain supported vulnerability scanning capabilities and access the latest security features, you should migrate to Scanner V4.
Vulnerability reports by using attached collections
The vulnerability reports by using attached collections, which provided report scoping through hierarchical relationships, are deprecated and are anticipated to be removed in a future release. You can prepare for future updates to the scoping mechanism by avoiding attached collections.
Vulnerability Management Dashboard (1.0) and sub-menus
Starting with RHACS 4.3, the Vulnerability Management Dashboard (1.0) and all of its sub-menus, which provided traditional vulnerability management views, are deprecated and are anticipated to be removed in a future release. You can access vulnerability information by using the current Vulnerability Management Dashboard instead.
Install-time Istio integration
The creation of networking.istio.io/v1alpha3/DestinationRule resources by RHACS installation, which automatically generated networking configurations during setup, is deprecated and is anticipated to be removed in a future release. You can manage Istio configurations by creating DestinationRule resources out-of-band instead.
Kubernetes components view
The Kubernetes components view available in the RHACS portal at Vulnerability Management → Results → More Views is deprecated and is anticipated to be removed in a future release.
Removed features
/v1/cve/requests APIs
The /v1/cve/requests APIs, which managed vulnerability exceptions, are removed and are no longer supported. You can manage vulnerability exceptions by using the /v2/vulnerability-exceptions/ APIs instead.
Active vulnerability management
The active vulnerability management feature, which provided traditional vulnerability handling, is removed and is no longer supported. You can manage vulnerabilities by using the standard vulnerability management workflow instead.
/v1/imagecves/suppress and /v1/imagecves/unsuppress APIs
The /v1/imagecves/suppress and /v1/imagecves/unsuppress APIs, which suppressed and unsuppressed image CVEs, are removed and are no longer supported. You can manage vulnerability exceptions by using the /v2/vulnerability-exceptions/ APIs instead.

1.6. Bug fixes in version 4.10.0

This release has bug fixes and enhancements.

  • Before this update, a stale endpoint in your declarative M2M configuration could cause Central to hoard database connections. This often caused performance issues when endpoints became unreachable. With this release, the system now automatically rolls back database connections after creating a token exchanger or if the creation process fails. As a result, you no longer experience DB connection hoarding caused by stale M2M endpoints.
  • Before this update, you might have noticed slower response times because the image data store shifted from partial to full query fetching. This release optimizes the query method by transitioning from Search to Walk. This change improves your image search speed and overall response time while maintaining high security standards.
  • Before this update, conflicting casing requirements between the controller and the user interface (UI) caused you to see duplicate policy categories in the dashboard. We have synchronized the casing validation across both interfaces. You can now see a clean, unified list of policy categories without duplicates.
  • Before this update, you could only view port numbers in the Network Policy dashboard, as port names were not supported in the UI. We have updated the visualization to fully support and display port names. You can now easily identify and manage NetworkPolicies by their assigned names, providing better visibility into your network configurations.

1.7. Bug fixes in version 4.10.1

This release provides the following bug fixes:

  • Before this update, admission controller webhooks made unnecessary requests to fetch image scan data even when no enforced policies required image enrichment data evaluation, which reduced throughput. With this release, Red Hat has optimized the admission controller to skip image fetch requests when either there are no enforced policies that require image enrichment data or when an enforced policy that does not require image enrichment data blocks the review request. As a result, admission controller webhook throughput has improved.
  • Before this update, images with empty names were improperly uploaded, causing global search to return blank image results. With this release, empty-named images no longer appear in search results.
  • Before this update, missing executable permissions prevented a script from running on Linux, which caused user interface elements to display incorrectly. With this release, the inaccurate data processing in the report generator is corrected. As a result, the system transfers data without hanging.
  • Before this update, some execution paths in Sensor did not check whether history was enabled for the cluster entities store. As a result, Sensor allocated memory for history entries that were never used. With this release, Red Hat has added a check for cluster entities history so that Sensor stores history items only when the feature is enabled. As a result, Sensor no longer wastes memory on unused history entries in the cluster entities store.
  • Before this update, the endpointsStore.addToHistory function performed unnecessary operations, which increased sensor CPU load and elevated event-processing latency in larger clusters. With this release, Red Hat has improved CPU efficiency in endpointsStore mutations to reduce latency. As a result, the system processes events faster and maintains lower CPU usage in large clusters with many endpoints.
  • Before this update, File Activity Monitoring did not generate node violations when you accessed monitored files by using sudo privileges. With this release, Red Hat has corrected the issue to properly detect and report file access violations regardless of privilege escalation. As a result, node violations are now generated for all file access to monitored paths.
  • Before this update, Helm charts did not configure image pull secrets for the Scanner service account when you disabled Scanner V4 and used only Scanner V2. This caused Scanner images to fail to pull. With this release, Red Hat has corrected the Helm chart configuration to properly inject image pull secrets into the Scanner service account. As a result, Scanner images pull successfully in all configurations.

1.8. Known issues in version 4.10.1

This release has the following known issues:

  • OpenShift Container Platform 4.22 dropped PatternFly 5 support, which causes runtime issues for the RHACS dynamic console plugin on OpenShift Container Platform 4.21 and later versions. As a consequence, the plugin is disabled on those versions and you encounter runtime issues.

    To work around this problem, Red Hat has updated the Red Hat OpenShift version list for the dynamic plugin in versions 4.19, 4.20, and 4.21, disabling PatternFly 5 in OpenShift Container Platform 4.21 and later versions. As a result, the runtime issues are avoided.

  • The Helm chart linter incorrectly rejects valid reencrypt route configurations that specify both the central.spec.central.exposure.route.reencrypt.tls.certificate and central.spec.central.exposure.route.reencrypt.tls.key parameters. As a consequence, you encounter Operator validation errors even when both parameters are correctly provided, and the Operator crash loops.

    No known workaround exists.

1.9. Image versions

You can manually pull, retag, and push Red Hat Advanced Cluster Security for Kubernetes (RHACS) images to your registry. The current version includes the following images:

Table 1.3. Red Hat Advanced Cluster Security for Kubernetes images

Main
  Includes Central, Sensor, Admission controller, and Compliance components. Also includes roxctl for use in continuous integration (CI) systems.
  registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.10.1

Central DB
  PostgreSQL instance that provides the database storage for Central.
  registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8:4.10.1

Scanner
  Scans images and nodes.
  registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.10.1
  registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.10.1

Scanner DB
  Stores image scan results and vulnerability definitions.
  registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.10.1

Scanner V4
  Scans images.
  registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-rhel8:4.10.1

Scanner V4 DB
  Stores image scan results and vulnerability definitions for Scanner V4.
  registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.10.1

Collector
  Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.
  registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.10.1
