Release notes


Red Hat Advanced Cluster Security for Kubernetes 4.6

Highlights what is new and what has changed with Red Hat Advanced Cluster Security for Kubernetes releases

Red Hat OpenShift Documentation Team

Abstract

The release notes for Red Hat Advanced Cluster Security for Kubernetes summarize all new features and enhancements, notable technical changes, deprecated and removed features, bug fixes, and any known bugs upon general availability.

Chapter 1. Red Hat Advanced Cluster Security for Kubernetes 4.6

Red Hat Advanced Cluster Security for Kubernetes (RHACS) is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. Red Hat Advanced Cluster Security for Kubernetes deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security.

Table 1.1. Release dates

RHACS version    Released on
4.6.0            3 December 2024
4.6.1            18 December 2024
4.6.2            4 February 2025
4.6.3            10 March 2025
4.6.4            31 March 2025
4.6.5            15 April 2025
4.6.6            27 May 2025
4.6.7            11 June 2025

1.1. About release 4.6.0

RHACS 4.6 includes the following new features, improvements, and updates:

1.2. New features

This release adds improvements related to the following components and concepts:

1.2.1. Support for ARM architecture in secured clusters (Technology Preview)

Important

Support for ARM architecture in secured clusters is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

RHACS now supports the ARM architecture for secured clusters. Running secured clusters on ARM provides the following benefits:

  • Efficient power consumption
  • Better handling of resource-intensive tasks
  • Cost-effective scaling

For more information, see Installation methods for different architectures. The RHACS Central component is not supported on ARM.

1.2.2. Scanner V4 use of CSAF-VEX for vulnerability data

Red Hat is switching to Common Security Advisory Framework (CSAF) Vulnerability Exploitability eXchange (VEX) data as its standardized security advisory format for communicating vulnerabilities that affect Red Hat products. The VEX profile states which Red Hat products and components are affected, or known not to be affected, by a given Common Vulnerabilities and Exposures (CVE) ID, and it carries more detail than the previous data source. RHACS now consumes the Red Hat CSAF-VEX vulnerability data if you have Scanner V4 configured for vulnerability scanning.

For more information about Red Hat security data and VEX, and about how Scanner V4 uses CSAF-VEX, see the Red Hat security data documentation and the Scanner V4 documentation.
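The following is an added example, not RHACS or Red Hat code, that shows what a VEX document says about a product: it walks a constructed, minimal CSAF 2.0 document in the VEX profile layout (product_tree branches carrying product IDs, and vulnerabilities[].product_status listing those IDs per status category) and answers "what is the status of product X for CVE Y". The vendor, product IDs and CVE ID in SAMPLE_VEX are invented placeholders, not Red Hat data.

```python
"""Answer "is product X affected by CVE Y?" from a CSAF 2.0 VEX document.

Added example; this is not RHACS or Red Hat code. SAMPLE_VEX is a constructed
minimal document that follows the CSAF 2.0 VEX profile layout; the vendor,
product ids and CVE id are invented placeholders.
"""
import json

SAMPLE_VEX = json.loads("""
{
  "document": {"category": "csaf_vex", "csaf_version": "2.0",
               "title": "Constructed sample, not a Red Hat advisory",
               "tracking": {"id": "EXAMPLE-0001", "status": "final"}},
  "product_tree": {"branches": [{"category": "vendor", "name": "ExampleVendor", "branches": [
      {"category": "product_name", "name": "Example Linux 9",
       "product": {"name": "Example Linux 9", "product_id": "EL9"}},
      {"category": "product_version", "name": "openssl-1:3.0.7-1.el9",
       "product": {"name": "openssl-1:3.0.7-1.el9", "product_id": "EL9:openssl"}},
      {"category": "product_version", "name": "curl-7.76.1-1.el9",
       "product": {"name": "curl-7.76.1-1.el9", "product_id": "EL9:curl"}}]}]},
  "vulnerabilities": [{
      "cve": "CVE-1900-0001",
      "product_status": {"fixed": ["EL9:openssl"],
                         "known_not_affected": ["EL9:curl"],
                         "under_investigation": ["EL9"]}}]
}
""")

# product_status categories defined by CSAF 2.0, checked in this order.
STATUS_KEYS = ("known_affected", "under_investigation", "fixed", "first_fixed",
               "known_not_affected", "first_affected", "last_affected", "recommended")


def product_ids(doc):
    """Walk product_tree.branches recursively; map product_id -> product name."""
    found = {}

    def walk(branches):
        for branch in branches:
            product = branch.get("product")
            if product:
                found[product["product_id"]] = product["name"]
            walk(branch.get("branches", []))

    walk(doc.get("product_tree", {}).get("branches", []))
    return found


def vex_status(doc, cve, product_id):
    """Return the product_status category for (cve, product_id).

    None means the document says nothing about that product or CVE; a VEX file
    is only authoritative for the products it lists, so "absent" must not be
    read as "not affected". "not_listed" means the CVE is present but gives
    no status for this product.
    """
    if product_id not in product_ids(doc):
        return None
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        status = vuln.get("product_status", {})
        for key in STATUS_KEYS:
            if product_id in status.get(key, []):
                return key
        return "not_listed"
    return None


def still_flagged(doc, cve):
    """Products a scanner should keep reporting: affected, or not yet triaged."""
    flagged = set()
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") == cve:
            status = vuln.get("product_status", {})
            flagged.update(status.get("known_affected", []))
            flagged.update(status.get("under_investigation", []))
    return sorted(flagged)


if __name__ == "__main__":
    for pid in ("EL9:openssl", "EL9:curl", "EL9", "EL9:bogus"):
        print(pid, vex_status(SAMPLE_VEX, "CVE-1900-0001", pid))
    print(still_flagged(SAMPLE_VEX, "CVE-1900-0001"))
```

The point worth noticing is the difference between "known_not_affected" and "absent": a scanner that treats a product missing from the VEX document as clean would silently drop findings for anything the vendor has not yet triaged, which is why vex_status returns None for unknown products and still_flagged keeps under_investigation entries.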

1.2.3. Scanner V4 support for RHCOS (Technology Preview)

Important

Scanner V4 support for RHCOS is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

RHACS now supports scanning of Red Hat Enterprise Linux CoreOS (RHCOS) nodes with Scanner V4. For more information, see Enabling RHCOS node scanning with Scanner V4.

1.2.4. Platform components

When addressing security issues, your approach might vary depending on whether the issues originate from the underlying platform, such as OpenShift Container Platform, or from user workloads. RHACS 4.6 includes a built-in definition of which workloads belong to the underlying platform. RHACS views use this definition so that you can focus on platform workloads, user workloads, or both.

  • The policy violations view and API support this differentiation.
  • The platform definition is built-in and is not yet customizable. You can see the impact of the definition in your environment by using the global search. To do this:

    1. Click Search.
    2. Select Show Orchestrator Components.
    3. Apply the filter Platform Component: true.

1.2.5. Support for policy as code (Technology Preview)

Important

Policy as code is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

With this release, RHACS adds the ability to manage RHACS policies as Kubernetes custom resources, enabling GitOps workflows such as Argo CD. For more information, see Managing policies as code.

1.2.6. Policy violation views

RHACS 4.6 introduces the following new features:

  • A new drop-down selector in the policy violations view. You can use it to focus on violations related to user application workloads, platform workloads, or both.
  • The policy violations view now lists violations across three panels to easily distinguish between active, resolved, and attempted violations.

1.2.7. Upgraded view filters

The violations view now includes comprehensive filtering capabilities similar to Vulnerability Management:

  • Filter by cluster, namespace, and deployment.
  • Filter by Violation date, time, and entity type.
  • Filter by Policy name, category, severity, and other options.

1.2.8. Policy editor updates

RHACS includes the following enhancements to the policy editor:

  • The policy editor now includes reordered sections to reflect the logical policy structure better, splitting the policy definition part (rules and metadata) from the behavior part (scope and actions).
  • The editor recognizes Policy as Code capabilities and shows a warning when editing an Externally Managed policy.

1.2.9. Exposure analysis in network policy generator

When you create a connectivity map by using the build-time network policy generator, you can now choose to show open connections: connections that a network policy admits from any source rather than from specific consumers. For example, a network policy might allow ingress to a pod from any namespace instead of from individually named consumers. Such connections increase exposure and are good candidates for tightening.

For more information, see the netpol connectivity map command reference.
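The following is an added example, not roxctl code and not the generator's own exposure analysis: a simplified check in the same spirit, run over two constructed NetworkPolicy manifests (as Python dicts) that express the "ingress from any namespace" case above beside a tightened version. It follows the Kubernetes NetworkPolicy semantics: an ingress rule without `from` admits every source, a peer with `namespaceSelector: {}` and no podSelector matches every pod in every namespace, and an `ipBlock` of 0.0.0.0/0 or ::/0 matches every IP.

```python
"""Flag NetworkPolicy ingress rules that admit traffic from any source.

Added example, not roxctl or RHACS code. OPEN_POLICY and TIGHT_POLICY are
constructed samples; names, namespaces and labels are invented.
"""

# Constructed sample: ingress to the backend is open to every namespace.
OPEN_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "backend-allow", "namespace": "shop"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"namespaceSelector": {}}],   # any namespace in the cluster
             "ports": [{"protocol": "TCP", "port": 8080}]},
        ],
    },
}

# Same intent, but only the frontend pods in the shop namespace are admitted.
TIGHT_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "backend-allow", "namespace": "shop"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "shop"}},
                       "podSelector": {"matchLabels": {"app": "frontend"}}}],
             "ports": [{"protocol": "TCP", "port": 8080}]},
        ],
    },
}

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def peer_is_open(peer):
    """True when one `from` peer admits any pod in the cluster or any IP."""
    if "ipBlock" in peer:
        return peer["ipBlock"].get("cidr") in OPEN_CIDRS
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    # namespaceSelector {} = all namespaces; with no (or an empty) podSelector
    # that is every pod in the cluster. A bare podSelector {} is limited to the
    # policy's own namespace, so it is not flagged here.
    return ns_sel is not None and not ns_sel and not pod_sel


def open_ingress_rules(policy):
    """Return (rule_index, reason) for each ingress rule open to any source."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes") or ["Ingress"]  # Ingress is implied when unset
    if "Ingress" not in types:
        return []
    rules = spec.get("ingress")
    if not rules:
        return []  # policyTypes includes Ingress but no rules: deny all ingress
    findings = []
    for idx, rule in enumerate(rules):
        peers = rule.get("from")
        if not peers:
            findings.append((idx, "no 'from' entries: admits all sources"))
            continue
        for peer in peers:
            if peer_is_open(peer):
                findings.append((idx, f"peer {peer} admits any source"))
    return findings


if __name__ == "__main__":
    for pol in (OPEN_POLICY, TIGHT_POLICY):
        print(pol["metadata"]["name"], open_ingress_rules(pol) or "no open ingress")
```

Running the check against OPEN_POLICY reports rule 0 because `namespaceSelector: {}` admits every pod in the cluster; TIGHT_POLICY is clean because both selectors name specific consumers. An empty rule (`ingress: [{}]`) is reported for the same reason, while a policy that lists Ingress in policyTypes but has no rules is a deny-all and is not reported.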

1.2.10. Compliance reporting (Technology Preview)

Important

Compliance reporting is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Compliance reporting is available as a Technology Preview for all OpenShift clusters running Compliance Operator version 1.6 or later. With this feature, you can more easily access the compliance results of a given scan schedule in a CSV file.

Compliance reporting provides the following options:

  • Generating the report on-demand directly by using the RHACS portal or the API
  • Sending the report periodically by email every time a scan is scheduled
  • Creating email notifiers when creating a scan configuration as a destination to send on-demand reports
  • Generating an on-demand report for a given scan configuration, which RHACS sends to any notifiers configured on that scan configuration

For more information, see Scheduling compliance scans and assessing profile compliance.

1.2.11. Visualizing external entities in the network graph (Technology Preview)

Important

Visualizing external entities is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

The network graph now provides additional insights into connections to external entities. With this update, you can view specific IP addresses associated with these external connections, offering a more comprehensive overview of network activity.

To configure RHACS to collect this information for a cluster, you modify the secured cluster’s runtime configuration by using a ConfigMap. For more information, see Visualizing external entities.

1.2.12. Microsoft Sentinel notifier added

RHACS has added a Microsoft Sentinel notifier to send alerts and audit logs to Azure Log Analytics Workspace. For more information, see Integrating with Microsoft Sentinel notifier.

1.2.13. Support for backups using non-AWS S3 compatible providers

RHACS has added a new external backup integration for non-AWS S3 compatible providers. For more information, see Integrating with S3 API compatible services.

1.2.14. Vulnerability Management page updates

The Vulnerability Management page has updates and improvements, including the following changes:

CVE published date
RHACS now reports the CVE published date in vulnerability management data shown in the portal and obtained from the API. This field uses the first published date for the CVE that is obtained from vendor-specific security data feeds, when those are available. If data from the vendor is missing, data from the National Vulnerability Database (NVD) is used to populate the CVE published date field.
Hiding unwanted display columns
RHACS now provides the ability to hide unwanted columns in tables by using column management. Starting with the Workload CVEs section of RHACS, a Columns button above the table shows how many columns are currently enabled. Click it to open a menu in which you can hide unwanted columns. These settings are saved per table in your browser and persist across sessions.

1.3. Certifications

Red Hat Advanced Cluster Security Cloud Service is certified according to the following global standards for security, compliance, and data protection:

  • ISO/IEC 27001:2022
  • ISO/IEC 27017:2015
  • ISO/IEC 27018:2019
  • PCI DSS 4.0
  • SOC 2 Type 2
  • SOC 3

1.4. Notable technical changes

This release contains the following changes:

Secured cluster upgrade behavior enhancements

The following changes were made to the upgrade functionality on secured clusters:

  • RHACS Cloud Service: Secured clusters that were deployed by using the roxctl CLI, also called the manifest method, can now be automatically upgraded by using the cluster upgrader.
  • RHACS Central:

    • Messages and errors for the secured cluster upgrader are now simpler and clearer.
    • Typical failure scenarios for cluster upgrader are now documented. For more information, see Troubleshooting the cluster upgrader.
Flag for diagnostic bundles to include only database information
The roxctl central debug download-diagnostics command that is used to create diagnostic bundles for troubleshooting has a new flag, --with-database-only. The flag generates only database metrics in the diagnostic bundle. This flag is helpful when you only need database information to diagnose performance issues in large clusters.
Additional changes
  • Automatic detection of OpenShift clusters in the Helm charts has changed. The charts now detect OpenShift by the presence of the project.openshift.io/v1 API.
  • Sensor now stores pull secrets by secret name and registry host instead of only by registry host. This change reduces delegated scanning authentication failures when multiple secrets exist for the same registry within a namespace and more closely aligns with Kubernetes secrets handling. To disable this feature and cause secrets to be stored by only registry host, set ROX_SENSOR_PULL_SECRETS_BY_NAME to false.
  • The endpoint /v2/compliance/scan/configurations/reports/run method has changed from PUT to POST.

1.5. Documentation updates

Documentation updates include the following:

1.5.1. Feature flag documentation

Documentation has been added to show you how to manage features that are enabled as Technology Preview features. For more information, see Managing feature flags.

1.5.2. API documentation available publicly

Previously, API documentation was only available by clicking ? and selecting API Reference to view the API documentation in the product. The API documentation is now publicly available; see the API Reference.

1.6. Deprecated and removed features

Some features available in earlier releases have been deprecated or removed.

Deprecated functionality is still included in RHACS and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed, see the following table. Additional removed or deprecated functionality is available after the table.

In the table, features are marked with the following statuses:

  • GA: General Availability
  • TP: Technology Preview
  • DEP: Deprecated
  • REM: Removed
  • NA: Not applicable
Table 1.2. Deprecated and removed features tracker

Feature                                                              RHACS 4.4   RHACS 4.5   RHACS 4.6
API token authentication for Red Hat OpenShift Cluster Manager[1]    GA          GA          DEP
definitions.stackrox.io                                              DEP         DEP         DEP
Google Container Registry integration[2]                             GA          GA          DEP
Kernel support packages and driver download functionality[3]         NA          DEP         DEP
Reporting of Istio vulnerabilities                                   DEP         DEP         DEP
rhacs-collector-slim* images[4]                                      NA          DEP         DEP
stackrox-db Central PVC[5]                                           GA          GA          REM
StackRox Scanner                                                     GA          GA          DEP
/v1/availableAuthProviders endpoint                                  GA          DEP         DEP
/v1/clustercves/suppress APIs[6,7]                                   DEP         DEP         DEP
/v1/clustercves/unsuppress APIs[6,7]                                 DEP         DEP         DEP
/v1/cve/requests APIs[8]                                             DEP         DEP         REM
/v1/nodecves/suppress APIs[6,7]                                      DEP         DEP         DEP
/v1/nodecves/unsuppress APIs[6,7]                                    DEP         DEP         DEP
/v1/summary/counts endpoint                                          NA          DEP         DEP
/v1/tls-challenge endpoint                                           DEP         DEP         DEP
Vulnerability Management (1.0) menu item[9]                          DEP         DEP         DEP
Vulnerability Report Creator permission                              DEP         DEP         DEP

  1. API token authentication has been deprecated by Red Hat OpenShift Cluster Manager. The corresponding cloud source integration now uses service accounts for authentication.
  2. The Google Container Registry integration is now deprecated in response to the deprecation of Container Registry by Google. Users should use Artifact Registry as a registry replacement and Scanner V4 as a scanner replacement.
  3. Kernel support packages and driver download functionality are deprecated.
  4. The rhacs-collector-slim* images have been deprecated. The rhacs-collector* images used to contain kernel modules and eBPF probes, but RHACS no longer needs those items, so the rhacs-collector* and rhacs-collector-slim* images are now functionally the same. The rhacs-collector-slim* images are planned for removal in a future release.
  5. The Central PVC stackrox-db is removed and existing volumes are released. The following flags for configuring Central attached persistent storage have been removed from roxctl:

    • roxctl central generate k8s pvc and roxctl central generate openshift pvc no longer have the flags --name, --size, and --storage-class.
    • roxctl central generate k8s hostpath and roxctl central generate openshift hostpath no longer have the flags --hostpath, --node-selector-key, and --node-selector-value.
  6. This object is controlled by a feature flag and can be enabled or disabled by using the ROX_VULN_MGMT_LEGACY_SNOOZE environment variable.
  7. The format for specifying a duration in JSON requests to /v1/nodecves/suppress, /v1/clustercves/suppress, and /v1/imagecves/suppress has changed to the ProtoJSON format. Only a numeric value representing seconds, with optional fractional seconds for up to nanosecond precision, followed by the s suffix is supported. For example, 0.300s, -5400s, or 9900s. The previously valid time units ns, us, µs, ms, m, and h are no longer supported.
  8. The /v1/cve/requests API for managing vulnerability exceptions is removed. Use the new /v2/vulnerability-exceptions/ API.
  9. The Dashboard view under Vulnerability Management is deprecated. Use the Workload CVEs, Exception Management, Platform CVEs, and Node CVEs views as alternatives.
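Footnote 7 above breaks any automation that still sends the older unit-based durations to the suppress APIs. The following is an added example, not RHACS code, that converts such values to the ProtoJSON form: parse_go_duration_ns() accepts the unit grammar of Go's time.ParseDuration (ns, us, µs, ms, s, m, h, combinable as in "2h45m"), and to_protojson_duration() emits decimal seconds with 0, 3, 6 or 9 fractional digits followed by s, as the ProtoJSON Duration mapping does. The function names and the choice of the Go duration grammar as the "old" input format are this example's assumptions.

```python
"""Convert Go-style durations to the ProtoJSON form the snooze APIs require.

Added example, not RHACS code. Values such as "1h30m" or "300ms" are turned
into ProtoJSON Duration strings ("5400s", "0.300s"); values already in that
form pass through unchanged.
"""
import re
from decimal import Decimal, ROUND_HALF_EVEN

NS_PER_SECOND = Decimal(1_000_000_000)
# Nanoseconds per unit, as in Go's time.ParseDuration (both the micro sign
# U+00B5 and Greek mu U+03BC are accepted for microseconds).
UNIT_NS = {"ns": Decimal(1), "us": Decimal(1_000), "µs": Decimal(1_000), "μs": Decimal(1_000),
           "ms": Decimal(1_000_000), "s": NS_PER_SECOND,
           "m": 60 * NS_PER_SECOND, "h": 3600 * NS_PER_SECOND}
TOKEN = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|μs|ms|s|m|h)")
# What the suppress APIs accept after this release: "-5400s", "0.300s", "9900s".
PROTOJSON_DURATION = re.compile(r"^-?\d+(?:\.\d{1,9})?s$")


def is_protojson_duration(text):
    """True if text is already a ProtoJSON Duration string."""
    return PROTOJSON_DURATION.match(text) is not None


def parse_go_duration_ns(text):
    """Total nanoseconds (Decimal, may be negative) for a Go duration string."""
    s = text.strip()
    if not s:
        raise ValueError("empty duration")
    sign = 1
    if s[0] in "+-":
        sign = -1 if s[0] == "-" else 1
        s = s[1:]
    if s == "0":  # Go accepts a bare "0"; every other value needs units
        return Decimal(0)
    total, pos = Decimal(0), 0
    while pos < len(s):
        m = TOKEN.match(s, pos)
        if not m:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        total += Decimal(m.group(1)) * UNIT_NS[m.group(2)]
        pos = m.end()
    return sign * total


def to_protojson_duration(text):
    """Render a Go duration as a ProtoJSON Duration string ("<seconds>s")."""
    seconds = (parse_go_duration_ns(text) / NS_PER_SECOND).quantize(
        Decimal("1.000000000"), rounding=ROUND_HALF_EVEN)
    sign = "-" if seconds < 0 else ""
    whole, frac = divmod(abs(seconds), 1)
    digits = f"{frac:.9f}"[2:]  # nine fractional digits
    # ProtoJSON uses 0, 3, 6 or 9 fractional digits: keep the shortest exact width.
    for width in (0, 3, 6, 9):
        if not digits[width:].strip("0"):
            digits = digits[:width]
            break
    return f"{sign}{int(whole)}" + (f".{digits}" if digits else "") + "s"


def normalize_snooze_duration(text):
    """Pass through values that are already valid; convert everything else."""
    return text if is_protojson_duration(text) else to_protojson_duration(text)


if __name__ == "__main__":
    for value in ("1h30m", "300ms", "-1.5h", "2h45m", "1500us", "250ns", "9900s", "0.300s"):
        print(f"{value:>8} -> {normalize_snooze_duration(value)}")
```

Decimal arithmetic is used rather than float so that sub-millisecond inputs such as "250ns" round-trip exactly; a float path would print "0.000000249999..." for some values and the API would reject or mis-round them.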

1.6.1. Deprecated features

The following section provides information about additional deprecated features:

  • To unify the response data for stream and unary API requests, the following changes were made:

    • The error field returned for failed unary API requests is deprecated. Use the message field instead; it carries the same information as the error field.
    • Red Hat removed the following fields from the error response returned by gRPC stream APIs:

      • grpcCode
      • httpCode
      • httpStatus

      The response now includes a new code field that carries the grpcCode value.

1.7. Bug fixes in version 4.6.0

Release date: 3 December 2024

  • Before this release, the timestamp data displayed incorrectly when viewing affected images in the First discovered column of the Workload CVE single page view. This update resolves the issue.
  • Before this release, the Vulnerability Management window that contains CVEs with an unknown severity displayed incorrect CVE counts when viewing an image. This update resolves the issue.
  • In runtime monitoring, process names and arguments could cause serialization problems when containing invalid UTF-8 characters. This resulted in error messages in the collector logs. Those characters are now filtered and replaced with a ? when necessary.
  • Previously, when using delegated scanning, newer image metadata and layers were pulled incorrectly for an older image referenced by tag when the image registry contents had changed since deployment. Now, the metadata and layers pulled are based on the digest of the image provided by the container runtime when available, instead of just the tag.

1.8. About release 4.6.1

Release date: 18 December 2024

This release of RHACS fixes the following bugs:

  • Fixed an issue where Sensor went online prematurely due to HTTP reachability, assuming the gRPC connection was active.
  • Fixed an issue where the HTML code in column values was rendered in PDFs due to insufficient sanitization.

1.9. About release 4.6.2

Release date: 4 February 2025

This release of RHACS fixes the following bugs:

  • Fixed an issue in StackRox Scanner V2 where scan results for Red Hat Enterprise Linux (RHEL)-based images displayed inaccurate package and vulnerability data due to incorrect layer hierarchy assumptions.
  • Fixed an issue where the output format of the roxctl CLI command for timestamps changed in RHACS 4.6, interrupting customer automation workflows.

1.10. About release 4.6.3

Release date: 10 March 2025

This release of RHACS fixes the following bugs:

  • Fixed an issue where the Operator was not displayed as Federal Information Processing Standards (FIPS) compliant in the Operator catalog search.
  • Fixed an issue where vulnerability report jobs in RHACS could become deadlocked if a report took too long to complete, preventing new jobs from starting.

This release of RHACS fixes the following security vulnerabilities:

  • CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation.
  • GHSA-6wxm-mpqj-6jpf: Insecure temporary file usage in github.com/golang/glog.
  • CVE-2025-22868: Flaw in Golang in the token parsing component.

1.11. About release 4.6.4

Release date: 31 March 2025

This release of RHACS fixes the following bugs:

  • Fixed an issue where Scanner V4 performed TLS validation even for integrations where TLS validation was disabled.
  • Fixed an issue that prevented the "Container CPU Limit" field from being added to security policy rules.
  • Fixed an issue where the Network Policies tab in the network graph detail view would hang in the PatternFly Code editor due to a potential issue with the Monaco-based text editor.

This release of RHACS fixes the following security vulnerabilities:

  • CVE-2025-27144: Flaw in Go JOSE versions prior to 4.0.5.
  • CVE-2025-22868: Flaw in Golang in the token parsing component.
  • CVE-2025-22869: Flaw in golang.org/x/crypto Secure Shell (SSH) file transfer implementation.

1.12. About release 4.6.5

Release date: 15 April 2025

This release of RHACS fixes the following bugs:

  • Fixed an issue where Central could perform image scans even when delegated scanning was enabled, due to a race condition during Sensor reconnection.
  • Fixed an issue where mismatched aggregation fields in Compliance tables and widgets caused inconsistent percentage displays.
  • Fixed an issue where you ran into Google Kubernetes Engine (GKE) compatibility test failures because the tests still used a deprecated service in RHACS 4.6.
  • Fixed an issue where you could see the Configuration Management page despite only having Alert permissions, resulting in role-based access control (RBAC) errors.
  • Fixed an issue where verifying multi-signed images failed due to incorrect error handling.

This release of RHACS fixes the following security vulnerabilities:

  • CVE-2024-21536: Flaw in http-proxy-middleware allowed denial of service through unhandled promise rejections in micromatch.
  • CVE-2025-30204: Flaw in jwt-go allowed excessive memory allocation during header parsing, which could lead to a possible denial of service.
  • CVE-2024-57083: Flaw in redoc allowed prototypes in mergeObjects to be tainted, which allowed a denial of service through crafted payloads.

1.13. About release 4.6.6

Release date: 27 May 2025

This release of RHACS fixes the following bugs:

  • Fixed an issue where the number of failed policies reported in Configuration Management for a deployment was calculated incorrectly.
  • Before this update, long-running GraphQL-based requests would time out. With this update, the default client timeout for GraphQL-based queries has been increased from 60 seconds to 180 seconds to avoid timeouts for long-running requests.

1.14. About release 4.6.7

Release date: 11 June 2025

This release of RHACS 4.6 provides the following bug fixes:

  • Fixed an issue where images were mistakenly pruned when the inactive images retention value was set to 0. This caused the firstDiscovered and firstImageOccurrence values for CVEs to be reset.
  • Fixed an issue with the web portal where you could not scroll when assigning roles to an auth provider.

This release provides fixes for these security issues:

1.15. Image versions

You can manually pull, retag, and push Red Hat Advanced Cluster Security for Kubernetes images to your registry. The current version includes the following images:

Table 1.3. Red Hat Advanced Cluster Security for Kubernetes images

Main
  Description: Includes Central, Sensor, Admission controller, and Compliance components. Also includes roxctl for use in continuous integration (CI) systems.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8:4.6.7

Central DB
  Description: PostgreSQL instance that provides the database storage for Central.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-central-db-rhel8:4.6.7

Scanner
  Description: Scans images and nodes.
  Current version:
    1. registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:4.6.7
    2. registry.redhat.io/advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.7

Scanner DB
  Description: Stores image scan results and vulnerability definitions.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.7

Scanner V4
  Description: Scans images.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.7

Scanner V4 DB
  Description: Stores image scan results and vulnerability definitions for Scanner V4.
  Current version: registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.7

Collector
  Description: Collects runtime activity in Kubernetes or OpenShift Container Platform clusters.
  Current version:
    1. registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:4.6.7
    2. registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.7

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.