diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 19f90ddc5061..8064354f437c 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -33,8 +33,8 @@ Name: Release notes Dir: release_notes Distros: openshift-acs Topics: -- Name: Red Hat Advanced Cluster Security for Kubernetes 4.8 - File: 48-release-notes +- Name: Red Hat Advanced Cluster Security for Kubernetes 4.9 + File: 49-release-notes --- Name: RHACS Cloud Service Dir: cloud_service diff --git a/modules/common-attributes.adoc b/modules/common-attributes.adoc index 46ab432893ab..5f5433de47c4 100644 --- a/modules/common-attributes.adoc +++ b/modules/common-attributes.adoc @@ -61,9 +61,12 @@ endif::[] :olm-first: Operator Lifecycle Manager (OLM) :olm: OLM :rhacs-version: 4.9.0 +:ga-date-490: 30 October 2025 :ocp-supported-version: 4.12 :ocp-latest-version: 4.17 :pipelines-shortname: OpenShift Pipelines +:ocp-virt-first: Red{nbsp}Hat OpenShift Virtualization (RHOCPV) +:ocp-virt: RHOCPV :plugin-acs-latest-version: 0.0.4 :product-registry: OpenShift image registry :product-rosa: Red{nbsp}Hat OpenShift Service on AWS diff --git a/modules/image-versions.adoc b/modules/image-versions.adoc index e34fbf233114..1fce1593ab77 100644 --- a/modules/image-versions.adoc +++ b/modules/image-versions.adoc @@ -41,6 +41,6 @@ a|`registry.redhat.io/advanced-cluster-security/rhacs-scanner-v4-db-rhel8:{rhacs |Collector |Collects runtime activity in Kubernetes or {ocp} clusters. -a|. `registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:{rhacs-version}` +a| `registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8:{rhacs-version}` |=== \ No newline at end of file diff --git a/release_notes/48-release-notes.adoc b/release_notes/48-release-notes.adoc deleted file mode 100644 index 32c740f46828..000000000000 --- a/release_notes/48-release-notes.adoc +++ /dev/null 
@@ -1,378 +0,0 @@ -:_mod-docs-content-type: ASSEMBLY -[id="release-notes-48"] -= Red{nbsp}Hat Advanced Cluster Security for Kubernetes 4.8 -include::modules/common-attributes.adoc[] -:context: release-notes-48 - -toc::[] - -{rh-rhacs-first} is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. -{product-title} deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security. - -.Release dates -[options="header"] -|==== - -|{product-title-short} version |Released on - -|`4.8.0` | 9 July 2025 - -|==== - -[id="about-this-release-480_{context}"] -== About release 4.8.0 - -{product-title-short} 4.8 includes the following new features, improvements, and updates: - -Platform:: -* xref:../release_notes/48-release-notes.adoc#central-db-postgresql_15_release-notes-48[Central DB uses PostgreSQL 15] -* xref:../release_notes/48-release-notes.adoc#quay-registry-keyless-authentication_release-notes-48[Quay registry keyless authentication] -* xref:../release_notes/48-release-notes.adoc#arm-architecture-support-ga_release-notes-48[ARM architecture support is now generally available] -* xref:../release_notes/48-release-notes.adoc#view-and-customize-platform-components_release-notes-48[View and customize platform components] -* xref:../release_notes/48-release-notes.adoc#support-for-keyless-signing-verification_release-notes-48[Support for keyless signing verification] - -Compliance:: -* xref:../release_notes/48-release-notes.adoc#openshift-infrastructure-compliance-ga_release-notes-48[OpenShift Infrastructure Compliance is now generally available] - -Policy:: -* xref:../release_notes/48-release-notes.adoc#policy-as-code-ga_release-notes-48[Policy as code is now generally available] - -Vulnerability Management:: -* 
xref:../release_notes/48-release-notes.adoc#cve-and-rhsa-separation_release-notes-48[{product-title-short} now reports CVEs and RHSAs as separate entities] - -External integrations:: -* xref:../release_notes/48-release-notes.adoc#define-project-scope-for-google-registries_release-notes-48[Optionally define project scope when integrating with Google Registries] - -Network:: -* xref:../release_notes/48-release-notes.adoc#external-ip-visibility-ga_release-notes-48[External IP visibility is now generally available] -* xref:../release_notes/48-release-notes.adoc#build-time-network-policy-tools-enhancements_release-notes-48[Build-time network policy tool enhancements] - -[id="new-features_{context}"] -== New features - -This release adds improvements related to the following components and concepts: - -//ROX-20769 -[id="central-db-postgresql_15_{context}"] -=== Central DB uses PostgreSQL 15 - -The Central DB component now uses PostgreSQL 15, and {product-title-short} 4.8 supports this version for external databases. -A new installation with an internal database now uses this version by default. When upgrading an existing cluster to {product-title-short} 4.8, Central DB performs an upgrade of the data it has collected. - -[IMPORTANT] -==== -When preparing the upgrade to {product-title-short} 4.8, follow these -suggestions: - -* Back up the database before upgrading to {product-title-short} 4.8. -* If you are not upgrading by using the Operator, check the disk space available for the database by viewing the `rox_central_postgres_available_size_bytes` metric. -For the purposes of the upgrade, the value should be double the amount of the already-consumed disk space, as shown in the `rox_central_postgres_total_size_bytes` metric. -If the value is not correct, extend the database PVC. -* Do not interrupt the upgrade procedure. If you interrupt the upgrade, you might need to intervene manually to continue. 
-Depending on the amount of data, the upgrade can take extra time to finish. -==== - -For more information, see link:https://access.redhat.com/articles/7045053[{product-title-short} Support Matrix]. - -//ROX-29279 -[id="quay-registry-keyless-authentication_{context}"] -=== Quay registry keyless authentication - -You can now use keyless authentication to access the Quay registry when {product-title-short} has delegated scanning enabled for the Secured cluster. -For keyless authentication, {product-title-short} uses a Quay access token that is stored in a secret managed by the External Secrets Operator (ESO). -The ESO on the Secured cluster manages the rotation of the credential in secret, and {product-title-short} APIs can use this credential to authenticate to the Quay Image registry during image scans and check-ins in a particular namespace. - -For more information, see xref:../integration/integrate-with-image-registries.adoc#quay-keyless-eso_integrate-with-image-registries[Enabling Quay registry keyless authentication by using an external secret]. - -//ROX-28348 -[id="openshift-infrastructure-compliance-ga_{context}"] -=== {ocp} Infrastructure Compliance is now generally available - -With this release, {ocp} Infrastructure Compliance is now generally available. Use it to: - -* Easily assess compliance across your entire {ocp} Cluster Fleet. -* Ensure your {ocp} infrastructure consistently adheres to your organizational security policies. - -Additionally, this release also includes enhancement in Compliance Reporting. {product-title-short} now generates compliance reports even when some clusters encounter failures during a scheduled scan. It prevents data gaps and provides continuous visibility, ensuring that you always receive a report reflecting the compliance status of all successfully scanned clusters. 
- -//ROX-27659 -[id="arm-architecture-support-ga_{context}"] -=== ARM architecture support is now generally available -With this release, {product-title-short} now supports ARM architecture in Secured clusters. This update enables you to use ARM's efficient power consumption and high performance-per-watt benefits, making it ideal for resource-intensive tasks and cost-effective scaling while enhancing flexibility and performance. - -For more details, see link:https://access.redhat.com/articles/7045053[{product-title-short} Support Matrix] - -//ROX-27876 -[id="build-time-network-policy-tools-enhancements_{context}"] -=== Build-time network policy tool enhancements - -This release introduces two key enhancements to the Build-time network policy tools `roxctl netpol`: - -* **Expanded network policy visualization** - The `roxctl netpol connectivity map` command now supports visualizing Admin Network Policies (ANP) and Baseline Admin Network Policies (BANP). It gives you a more comprehensive view of your network's security posture. -* **Enhanced connectivity explainability** - A new `roxctl` explainability feature helps you pinpoint the exact resources, including network policies, ANP, and BANP, that allow or deny connectivity between any two workloads. You can use the report to verify expected connectivity outcomes and guide you in modifying resources to achieve your desired network configuration. - -For more information, see xref:../operating/build-time-network-policy-tools.adoc#build-time-network-policy-tools[Build-time network policy tools]. - -//ROX-26858 -[id="view-and-customize-platform-components_{context}"] -=== View and customize platform components - -{product-title-short} now allows you to view and modify the definition of platform components using the system menu in the user interface or through the API. 
Red Hat recommends updating the platform components definition if you install {ocp} Operators into non-default namespaces or if you want {product-title-short} to consider any third-party software as a "Platform component". You can focus on actionable data in the **User Workloads** tabs by customizing this definition. - -For more information, see xref:../configuration/customizing-platform-components.adoc#customizing-platform-components[Viewing and customizing platform components]. - -//ROX-27858 -[id="policy-as-code-ga_{context}"] -=== Policy as code is now generally available - -Policy as code, which enables you to manage {product-title-short} policies as Kubernetes custom resources, is now generally available. This feature supports GitOps workflows with tools like {ocp} GitOps (Argo CD). - -Key enhancements include: - -* Clusters and notifiers are addressed by name instead of by UUID. -* The system provides additional error handling. - -For more information, see xref:../operating/manage_security_policies/custom-security-policies.adoc#policy-as-code-about_custom-security-policies[Managing policies as code]. - -//ROX-23580 -[id="support-for-keyless-signing-verification_{context}"] -=== Support for keyless signing verification - -{product-title-short} 4.8 includes enhanced Sigstore integration with support for validating images signed using short-lived credentials. This enhancement uses an integration with Rekor transparency log, which records the public key or certificate used to sign the image. {product-title-short} retrieves this record to validate the signature. - -Additionally, Fulcio integrates with OIDC Identity Providers to exchange a user's identity token for a short-lived credential to sign images, which facilitates a keyless signing workflow. 
- -//ROX-29006 -[id="define-project-scope-for-google-registries_{context}"] -=== Optionally define project scope when integrating with Google Registries - -{product-title-short} now allows you to include multiple {ocp} projects or Kubernetes namespaces in a single Google Artifact Registry integration. For more details, see xref:../integration/integrate-with-image-registries.adoc#integrate-with-image-registries[Integrating with image registries]. - -//ROX-27696 -[id="external-ip-visibility-ga_{context}"] -=== External IP visibility is now generally available - -The external IP visibility feature is now generally available. This enhancement provides crucial insight into your cluster's external communications. You can now visualize the exact external IP addresses your deployments communicate with. This improves your ability to understand external connections, identify potential threats, and validate network policies. - -By default, this feature is disabled. However, when enabled, you see external IPs in the Network Graph. Additionally, Unauthorized Network Flow violations automatically include detailed external IP information, which streamlines your investigation process. - -For more information, see xref:../operating/visualizing-external-entities.adoc#visualizing-external-entities[Visualizing external entities]. - -//ROX-26476 -[id="cve-and-rhsa-separation_{context}"] -=== {product-title-short} now reports CVEs and RHSAs as separate entities - -Starting with {product-title-short} 4.8, the system now reports both the CVE ID (Common Vulnerabilities and Exposures) and the RHSA (Red Hat Security Advisory) when available. RHSAs might include one or more security fixes, and might also contain bug or enhancement updates. In previous versions up to {product-title-short} 4.7, {product-title-short} replaced the CVE ID with the corresponding RHSA ID once Red Hat released a fix for the associated vulnerability. 
- - -[id="notable-technical-changes_{context}"] -== Notable technical changes - -This release contains the following changes: - -//ROX-26577 -* Starting with {product-title-short} 4.8, Scanner V4 is the default scanner for reporting vulnerabilities in User Workloads, Platforms, and Nodes for all new installations of {product-title-short} Central and Secured Clusters. - -* {product-title-short} 4.8 preserves the current scanner configuration for existing deployments that you upgrade. If you are using the StackRox Scanner, it remains in use after the upgrade. For switching to Scanner V4, see xref:../operating/examine-images-for-vulnerabilities.adoc#enabling_scanner_v4_examine-images-for-vulnerabilities[Enabling Scanner V4]. - -* Scanner V4 runs in Central and you do not have to deploy it to secured clusters unless you have specific requirements, for example: -** Accessing image registries that are not reachable from Central. -** Using the {ocp} image registry. -** Running on {product-title-short} Cloud Service with firewall restrictions that limit registry access to internal traffic. -** Using registry mirroring. -+ -For more details, see xref:../operating/examine-images-for-vulnerabilities.adoc#accessing-delegated-image-scanning_examine-images-for-vulnerabilities[Accessing delegated image scanning]. - -* In `roxctl` CLI, certificate validation failures are now marked as errors. - -* {product-title-short} 4.8 includes the updated `roxctl` help command output making it more readable. The output is now more consistent with other command-line tools. - -* Red Hat has moved the `SecurityPolicy`` Custom Resource Definition (CRD) to the template directory within the Helm chart. This change simplifies CRD maintenance if you are using Helm, as it now automatically upgrades. 
-+ -[IMPORTANT] -==== -If you are using Helm to manage your {product-title-short} installation, you must apply the following changes to the `SecurityPolicy` CRD before upgrading to avoid upgrade failures: -[source,terminal] ----- -$ kubectl annotate crd/securitypolicies.config.stackrox.io meta.helm.sh/release-name=stackrox-central-services <1> -$ kubectl annotate crd/securitypolicies.config.stackrox.io meta.helm.sh/release-namespace=stackrox <2> -$ kubectl label crd/securitypolicies.config.stackrox.io app.kubernetes.io/managed-by=Helm ----- -<1> If you used a different name during your initial installation, update the `release-name` annotation to match that name. The default value is `stackrox-central-services`. -<2> If you used a different namespace during your initial installation, update the `release-namespace` annotation to match that namespace. The default value is `stackrox`. -==== - -* Sensor now ignores entries that contain invalid UTF-8 characters when reading Docker configuration pull secrets from Kubernetes. - -* The S3 integration type no longer supports Google Cloud Storage (GCS) buckets. Red Hat announced this change in RHACS 4.5.0. If you use GCS buckets for backups, you must now use the dedicated GCS integration. - -* Scoping Google image integrations by project is now optional. - -* The default output of the `roxctl image scan` command now includes three new fields when you use the `--output` option: **CVSS**, **Advisory**, and **Advisory Link**. The exact names of these fields depend on the specific output format you select. -** **CVSS** represents the CVSS score of the vulnerability. -** **Advisory** and **Advisory Link** represent the advisory related to the vulnerability, if {product-title-short} tracks it. For example, a CVE's associated Red Hat Security Advisory (RHSA), if the CVE relates to a Red Hat product. 
- -[id="deprecated-and-removed-features_{context}"] -== Deprecated and removed features - -Some features available in earlier releases have been deprecated or removed. - -Deprecated functionality is still included in {product-title-short} and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. -For the most recent list of major functionality deprecated and removed, see the following table. -Additional removed or deprecated functionality is available after the table. - -In the table, features are marked with the following statuses: - -* GA: General Availability -* TP: Technology Preview -* DEP: Deprecated -* REM: Removed -* NA: Not applicable - -.Deprecated and removed features tracker -[cols="4,1,1,1",options="header"] -|=== -|Feature |{product-title-short} 4.6 |{product-title-short} 4.7 |{product-title-short} 4.8 - -|API token authentication for {cloud-redhat-com}^[1]^ -|DEP -|DEP -|DEP - -|Compliance dashboard -|NA -|NA -|DEP - -|`definitions.stackrox.io` -|DEP -|DEP -|DEP - -|Google Container Registry integration^[2]^ -|DEP -|DEP -|DEP - -|Kernel support packages and driver download functionality ^[3]^ -|DEP -|DEP -|DEP - -|Reporting of Istio vulnerabilities -|DEP -|DEP -|DEP - -|StackRox Scanner -|DEP -|DEP -|DEP - -|S3 backup on GCS buckets -|DEP -|DEP -|REM - -|`/v1/clustercves/suppress` APIs^[5,6]^ -|DEP -|DEP -|DEP - -|`/v1/clustercves/unsuppress` APIs^[5,6]^ -|DEP -|DEP -|DEP - -|`/v1/nodecves/suppress` APIs^[5,6]^ -|DEP -|DEP -|DEP - -|`/v1/nodecves/unsuppress` APIs^[5,6]^ -|DEP -|DEP -|DEP - -|`/v1/summary/counts` endpoint -|DEP -|DEP -|DEP - -|Vulnerability Management (1.0) menu item^[7]^ -|DEP -|DEP -|DEP - -|Vulnerability Report Creator permission -|DEP -|DEP -|DEP - -|=== - -[.small] --- -1. API token authentication is deprecated. The corresponding cloud source integration now uses service accounts for authentication. - -2. 
The Google Container Registry integration is deprecated in response to the deprecation of Container Registry. You can use the Artifact Registry as a registry replacement and Scanner V4 as a scanner replacement. -+ -For more information, see link:https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr[Transition from Container Registry] (Google Cloud documentation). - -3. Kernel support packages and driver download functionality are deprecated. - -4. The `{product-title-short}-collector-slim*` image is deprecated and has been removed in {product-title-short} 4.7.0. `{product-title-short}-collector*` image used to contain kernel modules and eBPF probes, but {product-title-short} no longer needs those items. -The `{product-title-short}-collector*` and the `{product-title-short}-collector-slim*` images are now functionally the same. - -5. A feature flag controls this API object, and you can enable or disable this API object by using the `ROX_VULN_MGMT_LEGACY_SNOOZE` environment variable. - -6. The format for specifying duration in JSON requests to `v1/nodecves/suppress`, `v1/clustercves/suppress`, and `v1/imagecves/suppress` has been changed to the ProtoJSON format. -Only a numeric value representing seconds with optional fractional seconds for nanosecond precision and followed by the `s` suffix is supported. -+ -For example, `0.300s`, `-5400s`, or `9900s`. The previously valid time units of `ns`, `us`, `µs`, `ms`, `m`, and `h` are no longer supported. - -7. The *Vulnerability Management* -> *Dashboard* view is deprecated and is planned to be removed in a future release. You can use the *User workload vulnerabilities*, *Exception management*, *Platform vulnerabilities*, and *Node CVEs* views as alternatives. - --- - -[id="bug-fixes_{context}"] -== Bug fixes in version 4.8.0 - -*Release date*: 9 July 2025 - -* Previously, if messages contained non-UTF-8 characters, the Secured Cluster sensor would remain uninitialized and offline. 
-It prevented proper monitoring of affected clusters. With this release, the Sensor now handles non-UTF-8 characters in user-provided data. -As a result, the Secured Cluster sensor no longer fails to initialize due to these characters and correctly monitors all clusters. - -* Previously, warning messages in sensor pod logs incorrectly indicated that images were *Not Pullable* because the system attempted to determine pullability even when the image ID was empty. -As a consequence, images were skipped from workload CVE scans. -RHACS 4.8 correctly scans the images for vulnerabilities. - -* Fixed an issue where signing images multiple times with different keys led to failed image signature verification. - -* Previously, sometimes RHACS did not correctly initialize the Scanner V4 integration with default indexer and matcher endpoints, which caused scanner pods to fail and prevented images from being scanned. -With this update, RHACS correctly initializes the Scanner V4 integration, scans the images, and creates vulnerability reports as expected. - -* Previously, creating a security policy with a cluster scope using the cluster's name would cause the UI to crash upon viewing the policy. -It was due to the system's inability to resolve the cluster name to its corresponding ID correctly. -This update enables proper resolution of cluster names to IDs in security policies. -As a result, you can now view policies with cluster scope in the UI without encountering errors. - -* Previously, the Scanner V4 failed to identify some critical CVEs in Java workloads because an `unidentified jar` error caused the scanner to skip valid JAR files during the scanning process. -As a consequence, RHACS did not detect these vulnerabilities in the scan results. -This update eliminates the `unidentified jar" error, enabling the scanner to process JAR files properly. 
-As a result, the Scanner V4 now accurately identifies critical CVEs in Java workloads, providing comprehensive vulnerability scanning. - -* Previously, the **Cancel** button on the delegated scanning page provided no visual feedback if you made no changes, leading to confusion about its functionality. -This lack of feedback occurred because the button only reset the form for unpersisted changes. -This update introduces an **Edit** button to initiate editing, making the **Save** and **Cancel** buttons visible and enabled only when you make changes. - -[id="upcoming-changes_49"] -== Upcoming admission controller enforcement changes in version 4.9.0 - -{product-title-short} 4.9 streamlines the admission controller configuration by consolidating the existing `listen` and `enforce` settings into a single **Enforcement** option. You can select the following settings for the **Enforcement** option for create, update, and scale events: - -* `Yes` to enable enforcement for events. -* `No` to disable enforcement for events. - -include::modules/image-versions.adoc[leveloffset=+1] diff --git a/release_notes/49-release-notes.adoc b/release_notes/49-release-notes.adoc new file mode 100644 index 000000000000..b19f6972dfab --- /dev/null +++ b/release_notes/49-release-notes.adoc 
@@ -0,0 +1,503 @@ +:_mod-docs-content-type: ASSEMBLY +[id="release-notes-49"] += Red{nbsp}Hat Advanced Cluster Security for Kubernetes 4.9 +include::modules/common-attributes.adoc[] +:context: release-notes-49 + +toc::[] + +{rh-rhacs-first} is an enterprise-ready, Kubernetes-native container security solution that protects your vital applications across the build, deploy, and runtime stages of the application lifecycle. +{product-title} deploys into your infrastructure and integrates with your DevOps tools and workflows. This integration provides better security and compliance, enabling DevOps and InfoSec teams to operationalize security. + +.Release dates +[options="header"] +|==== + +|{product-title-short} version |Released on + +|`4.9.0` | {ga-date-490} + +|==== + +[id="about-this-release-490_{context}"] +== About release 4.9.0 + +{product-title-short} 4.9 includes the following new features, improvements, and updates: + +Platform:: +* xref:../release_notes/49-release-notes.adoc#scan-vms-support_release-notes-49[Support for scanning virtual machines on Red Hat OpenShift Virtualization (Developer Preview)] + +Compliance:: +* xref:../release_notes/49-release-notes.adoc#compliance-access-rights_release-notes-49[Permission updates for Compliance menus and API endpoints] + +Policy:: +* xref:../release_notes/49-release-notes.adoc#admission-controller-changes_release-notes-49[Admission controller configuration enhancements] +* xref:../release_notes/49-release-notes.adoc#redhat-images-signed-release-key_release-notes-49[New default system policy for Red Hat image signing] +* xref:../release_notes/49-release-notes.adoc#automatic-baseline-locking_release-notes-49[Ability to automatically lock baselines to improve process execution policy] +* xref:../release_notes/49-release-notes.adoc#policy-editor-enhancements-updates_release-notes-49[Enhancements and updates to policy editor fields] + +Vulnerability Management:: +* 
xref:../release_notes/49-release-notes.adoc#vuln-reporting-enhancements_release-notes-49[Vulnerability reporting enhancements] +* xref:../release_notes/49-release-notes.adoc#scannerv4-sbom-delegated-scans_release-notes-49[SBOM creation is generally available and supports delegated scanning] + +External integrations:: +* xref:../release_notes/49-release-notes.adoc#servicenow-vm-integration_release-notes-49[Integration with the ServiceNow Container Vulnerability Response Application is generally available] +* xref:../release_notes/49-release-notes.adoc#m2m-token-exchange-jwt[Support for machine-to-machine token exchange for external JSON web token issuers] +* xref:../release_notes/49-release-notes.adoc#declarative-config-m2m_release-notes-49[Declarative configuration for machine-to-machine access configuration] + +Security:: + +* xref:../release_notes/49-release-notes.adoc#certificate-rotation-operator-managed-clusters_release-notes-49[Automatic certificate authority rotation for Operator-managed clusters] +* xref:../release_notes/49-release-notes.adoc#crs-expiration-time_release-notes-49[Configurable expiration time for cluster registration secrets] +* xref:../release_notes/49-release-notes.adoc#smtp-ehlo-helo-hostname_release-notes-49[SMTP EHLO/HELO hostname field supported in the {product-title-short} email notifier] + +Monitoring:: + +* xref:../release_notes/49-release-notes.adoc#prometheus-custom-metrics_release-notes-49[{product-title-short} supports detailed security metrics] + +Performance:: + +* xref:../release_notes/49-release-notes.adoc#vuln-defs-offline-improvement_release-notes-49[Improved resource handling for offline vulnerability bundles] +* xref:../release_notes/49-release-notes.adoc#sensor-memory-usage-improvements_release-notes-49[Optimized Sensor memory usage to improve performance] + +Documentation:: + +* xref:../release_notes/49-release-notes.adoc#policy-documentation-updates_release-notes-49[Policy documentation enhancements and updates] + 
+[id="new-features_{context}"] +== New features + +This release adds improvements related to the following components and concepts: + +//Platform +//ROX-27051 +[id="scan-vms-support_{context}"] +=== Support for scanning virtual machines on Red Hat OpenShift Virtualization (Developer Preview) + +This release adds support to {product-title-short} for vulnerability management of virtual machine (VM) workloads at runtime on {ocp-virt-first}. The feature requires you to run a virtual machine agent to perform continuous package scanning from inside of the virtual machine. + +[IMPORTANT] +==== +This is a Developer Preview feature introduced in {product-title-short} 4.9 that is currently under active development. It is released with the intent of testing, feedback, and early evaluation only and is not supported for production environments. +==== + +For more information, see link:https://access.redhat.com/solutions/7133102[Vulnerability management for virtual machines with {product-title}]. + +//Policy + +//ROX-27883 +[id="admission-controller-changes_{context}"] +=== Admission controller configuration enhancements + +{product-title-short} 4.9 provides new and simplified configuration options available during secured cluster installation for all installation methods. You can use these options to perform the following actions: + +* Configure the failure policy on its validating webhooks +* Configure enforcement of the security policies that have enforcement enabled + +In addition, several older configuration options have been deprecated for simplicity and correctness. For more information about deprecated items, see xref:../release_notes/49-release-notes.adoc#deprecated-and-removed-features_release-notes-49[Deprecated and removed features]. + +You can view the new settings in the {product-title-short} portal in the *Platform Configuration* -> *Clusters* page for each cluster. 
You can configure these settings by using the following methods: + +* For clusters installed by using the Operator, configure these settings in the `SecuredCluster` CR: +** `spec.admissionControl.failurePolicy`: Determines the action that the cluster should take when an error or timeout happens with the admission controller. If the timeout seconds have been reached and the failure policy is `Ignore`, the API server "fails open" or accepts the create or update request. If the timeout seconds have been reached and the failure policy is set to `Fail`, the API server rejects the create or update request. +** `spec.admissionControl.enforcement`: Determines if the admission controller has been configured to enforce policies that have enforcement enabled. This field defaults to `Enabled` for new installations. +* For clusters installed by using Helm, configure these settings in the Helm `values.yaml` file: +** `admissionControl.failurePolicy`: Determines the action that the cluster should take when an error or timeout happens with the admission controller. If the timeout seconds have been reached and the failure policy is `Ignore`, the API server "fails open" or accepts the create or update request. If the timeout seconds have been reached and the failure policy is `Fail`, the API server rejects the create or update request. +** `admissionControl.enforce`: Determines if the admission controller has been configured to enforce policies that have enforcement enabled. This field defaults to `true` for new installations. 
+ +For more information, see the following documentation: + +* xref:../operating/manage_security_policies/use-admission-controller-enforcement.adoc#use-admission-controller-enforcement[Using admission controller enforcement] +* xref:../installing/installing_ocp/install-secured-cluster-config-options-ocp.adoc#admission-controller-settings_install-secured-cluster-config-options-ocp[Admission controller settings] (Operator) +* xref:../installing/installing_ocp/install-secured-cluster-ocp.adoc#secured-cluster-services-config_install-secured-cluster-ocp[Configuration parameters] (Helm) +* xref:..//cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#secured-cluster-services-config_install-secured-cluster-cloud-ocp[Configuration parameters] (Helm for {product-title-managed-short}) +* xref:../cli/command-reference/roxctl-sensor.adoc#roxctl-sensor[roxctl sensor command] + +//ROX-29160 +[id="redhat-images-signed-release-key_{context}"] +=== New default system policy for Red Hat image signing + +A new default policy, "Red Hat images must be signed by a Red Hat release key", is available with this release. This policy ensures that Red Hat images are signed by the Red Hat link:https://access.redhat.com/security/team/key[Release Key 3 product signing key]. In addition to ensuring supply chain provenance, this default policy serves as an example of using the "Image Signature" field and combining it with other criteria. + +For more information, see xref:../operating/manage_security_policies/security-policy-reference.adoc#high-sev-security-policies_security-policy-reference[High severity security policies]. + +//ROX-26282 +[id="automatic-baseline-locking_{context}"] +=== Ability to automatically lock baselines to improve process execution policy + +This process execution policy improvement automates the process of locking baselines, removing the need to complete this process manually for each deployment. 
The change is designed to significantly reduce the time and effort to complete this process and to enable security teams to focus on more critical work items. + +Furthermore, this change allows for a more proactive security approach. Instead of waiting for a deployment to exist before setting up an alert, you can define a policy for a specific scope, such as a namespace. Any new deployment in that scope will automatically raise alerts, ensuring consistent security across all deployments. + +For more information, see xref:../operating/evaluate-security-risks.adoc#auto-lock-process-baselines_evaluate-security-risks[Configuring auto-lock for process baselines]. + +//ROX-26289 +[id="vuln-reporting-enhancements_{context}"] +=== Vulnerability reporting enhancements + +With this release, you can directly export CSV files from the vulnerability management pages, potentially enhancing your vulnerability management workflows. This feature also empowers you to use granular filters and create on-demand, view-based reports and provides flexibility in analyzing data and addressing specific security concerns. + +Additionally, you can generate view-based reports directly from both individual image and deployment detail pages. + +For more information about creating and downloading vulnerability reports, see xref:../operating/manage-vulnerabilities/vulnerability-reporting.adoc#vulnerability-reporting[Vulnerability reporting]. + +//ROX-28029 +[id="scannerv4-sbom-delegated-scans_{context}"] +=== SBOM creation is generally available and supports delegated scanning + +With this release, using {product-title-short} to generate a software bill of materials (SBOM) from scanned container images is generally available (GA). SBOM generation includes images scanned with the {product-title-short} delegated scanning feature. These SBOMs provide a detailed overview of all software components, dependencies, and libraries within an application. 
The SBOMs created by {product-title-short} are of the link:https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf["Analyzed"] type and conform to the SPDX 2.3 specification. + +For more information, see xref:../operating/manage-vulnerabilities/scanner-generate-sbom.adoc#scanner-generate-sbom[Generating SBOMs from scanned images]. + +//External integrations + +//ROX-22434 +[id="servicenow-vm-integration_{context}"] +=== Integration with the ServiceNow Container Vulnerability Response Application is generally available + +{product-title-short} integration with the ServiceNow Container Vulnerability Response Application is now GA in the link:https://store.servicenow.com/store/app/edea7344476072502ec7c1c4f16d4343#summary[ServiceNow Marketplace]. {product-title-short} integration with ServiceNow populates rich container image vulnerability data from {product-title-short} in the ServiceNow Container Vulnerability Response Module. It enables {product-title-short} users to create custom vulnerability management workflows for efficient tracking and remediation of vulnerabilities. + +//ROX-30087 +[id="m2m-token-exchange-jwt"] +=== Support for machine-to-machine token exchange for external JSON web token issuers + +With this update, {product-title-short} supports transparent machine-to-machine (M2M) token exchange with external JSON web token (JWT) token issuers. {product-title-short} performs a token exchange between third-party identity tokens and {product-title-short}. It uses role mapping to allow access to the {product-title-short} API. This improvement enables third-party clients that do not support the full M2M token exchange flow to access the {product-title-short} API endpoint. For example, a Prometheus server does not support M2 token exchange, but can use Kubernetes service account tokens to access the API endpoint. + +For more information, see xref:../configuration/configure-api-token.adoc#configure-api-token[Configuring API tokens]. 
+ +//ROX-29959, ROX-29070 +[id="declarative-config-m2m_{context}"] +=== Declarative configuration for machine-to-machine access configuration + +With this release, you can declaratively configure M2M OIDC authentication. To configure M2M authentication resources, you first create YAML files that contain configuration information. These files are used to create a config map or secret. During installation of the {product-title-short} Central resource, the config map or secret is added to Central by using a mount point. + +For an example of setting up declarative configuration for short-lived OIDC token usage, see xref:../configuration/declarative-configuration-using.adoc#declarative-config-example-short-lived-token[Declarative configuration short-lived token example]. + +//Security + +//ROX-20262 +[id="certificate-rotation-operator-managed-clusters_{context}"] +=== Automatic certificate authority rotation for Operator-managed clusters + +Previously, in release 4.7, {product-title-short} automatically rotated only the 1-year service certificates. This change enables automatic rotation for the 5-year CA certificates also. The change is designed to simplify the management of large cluster installations, where the manual upgrading of certificates can require significant effort. + +[NOTE] +==== +Automatic certificate rotation remains partially supported for Helm-installed secured clusters. These clusters can connect to Central with the rotated CA but their certificates remain signed by the older CA. +==== + +For more information, see xref:../configuration/reissue-internal-certificates.adoc#reissue-internal-certificates[Reissuing internal certificates]. + +//ROX-27238 +[id="crs-expiration-time_{context}"] +=== Configurable expiration time for cluster registration secrets + +With this release, the expiration time for cluster registration secrets (CRSes) is changed from a default value of 1 year to a default value of 1 hour. 
Additionally, you can configure the time period by using the `--valid-until` or `--valid-for` flags with the `roxctl central crs` command. + +For more information, see xref:../cli/command-reference/roxctl-central.adoc#roxctl-central-crs_roxctl-central[roxctl central crs command]. + + +//ROX-30654 +[id="smtp-ehlo-helo-hostname_{context}"] +=== SMTP EHLO/HELO hostname field supported in the {product-title-short} email notifier + +With the 4.9 release, {product-title-short} SMTP notifiers support configuring the EHLO/HELO hostname. This capability allows for better compatibility with strict mail relay servers in secured environments. + +For more information, see xref:../integration/integrate-with-email.adoc#integrate-with-email[Integrating with email]. + +//Monitoring + +//ROX-28326 +[id="prometheus-custom-metrics_{context}"] +=== {product-title-short} supports detailed security metrics + +With the 4.9 release, {product-title-short} Central exposes detailed security metrics on its `/metrics` API endpoint, allowing users to scrape this data by using an existing Prometheus infrastructure. +With this feature, you can leverage deep, customizable security observability for proactive alerting and trend analysis. + +For more information, see xref:../configuration/monitor-acs.adoc#custom-prometheus-metrics_monitor-acs[Using custom Prometheus metrics]. + +//Performance + +//ROX-28634 +[id="vuln-defs-offline-improvement_{context}"] +=== Improved resource handling for offline vulnerability bundles + +{product-title-short} has improved Central's handling of offline vulnerability bundles, resulting in less pressure on Central DB and Central disk, especially in larger environments. + +//ROX-29060 +[id="sensor-memory-usage-improvements_{context}"] +=== Optimized Sensor memory usage to improve performance + +With this release, Sensor uses significantly less memory than earlier releases in clusters with large numbers of processes that listen for connections. 
In extreme-scale environments, for example, clusters with greater than 10 million open ports, Sensor's memory footprint related to open connections, endpoints, and process tracking is reduced by roughly 50%. This improvement helps prevent out-of-memory (OOM) kills. For moderate workloads, such as a few thousand open ports, memory savings typically range between 10 to 15%, depending on workload characteristics. + +This optimization was achieved by changing how the Sensor tracks and reports updates to Central. Previously, Sensor retained full details of all open connections, endpoints, and processes while they remained active. Sensor also consumed memory required to store all of these details. With this change, Sensor stores only a fingerprint, or hash, of each object, greatly reducing memory usage. + +[id="notable-technical-changes_{context}"] +== Notable technical changes + +This release contains the following changes: + +//ROX-24620 +[id="image-technology-change"] +=== Product image build and release technology change + +If you are updating from an {product-title-short} release earlier than 4.6.10, 4.7.7, or 4.8.3, you might notice changes to container image metadata, such as container labels or SBOM contents and location. This change is because product images are now built and released by using different technologies. These changes do not affect product functionality, but they might impact your third-party integrations. + +//ROX-29723 +[id="policy-editor-enhancements-updates_{context}"] +=== Enhancements and updates to policy editor fields + +The policy editor in the {product-title-short} portal was enhanced and includes rearranged and renamed policy criteria to better reflect their intended use in policy lifecycle stages. The policy lifecycle selection process was simplified and the introductory text was updated to assist you in authoring policies. 
The following changes were included: + +* Policy criteria categories were grouped under top-level headings that reflect how the criteria trigger policy violations. +* Criteria related to image scan results were moved out of the *Image contents* category into a new category, *Image scanning*. +* A new category, *Baseline deviation*, was created and the *Unexpected network flow* and *Unexpected process execution* criteria were moved into it. +* Runtime audit log policy criteria were split into *Resource operations* and *Resource attributes*. + +For more information, see xref:../operating/manage_security_policies/custom-security-policies.adoc#custom-security-policies[Creating and modifying security policies]. + +//Compliance + +//ROX-29793 +[id="compliance-access-rights_{context}"] +=== Permission updates for Compliance menus and API endpoints + +With this release, accessing the following items requires `read` permissions for the cluster resource: + +* Compliance menus: +** *OpenShift Coverage* +** *OpenShift Schedules* +* API endpoints: +** `/v2/compliance/*` + +For more information, see xref:../operating/manage-compliance/compliance-feature-overview.adoc#openshift-infrastructure-compliance_compliance-feature-overview[OpenShift infrastructure compliance]. + +//ROX-28412 & ROX-25970 +[id="policy-documentation-updates_{context}"] +=== Policy documentation enhancements and updates + +Policy documentation was restructured, simplified, and enhanced. Comprehensive information was added to provide an overview of policy evaluation, structure, and enforcement. Reference information was split out into a separate section. Additionally, documentation errors were corrected. 
+ +For more information, see the following documentation: + +* xref:../operating/manage_security_policies/about-security-policies.adoc#about-security-policies[About policies in {product-title-short}] +* xref:../operating/manage_security_policies/security-policy-reference.adoc#security-policy-reference[Security policy reference] + + +[id="deprecated-and-removed-features_{context}"] +== Deprecated and removed features + +Some features available in earlier releases have been deprecated or removed. + +Deprecated functionality is still included in {product-title-short} and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. +For the most recent list of major functionality deprecated and removed, see the following table. +Additional removed or deprecated functionality is available after the table. + +In the table, features are marked with the following statuses: + +* GA: General Availability +* TP: Technology Preview +* DEP: Deprecated +* REM: Removed +* NA: Not applicable + +.Deprecated and removed features tracker +[cols="4,1,1,1",options="header"] +|=== +|Feature |{product-title-short} 4.7 |{product-title-short} 4.8 |{product-title-short} 4.9 + +a|Admission controller configuration parameters: + +* `admissionControl.contactImageScanners` +* `admissionControl.dynamic.enforceOnCreates` +* `admissionControl.dynamic.enforceOnUpdates` +* user configuration ability of `admissionControl.dynamic.scanInline` +* user configuration ability of `admissionControl.dynamic.timeout` +* `admissionControl.listenOnCreates` +* `admissionControl.listenOnEvents` +* `admissionControl.listenOnUpdates` +* `admissionControl.timeoutSeconds` + +|GA +|GA +|DEP + +|API token authentication for {cloud-redhat-com}^[1]^ +|DEP +|DEP +|DEP + +|Collections hierarchical implementation^[2]^ +|GA +|GA +|DEP + +|Compliance dashboard +|NA +|DEP +|DEP + +|`definitions.stackrox.io` +|DEP +|DEP +|DEP + +|*Export Download Evidence 
as CSV* button^[3]^ +|GA +|GA +|REM + +|Google Container Registry integration^[4]^ +|DEP +|DEP +|DEP + +|GraphQL endpoints^[5]^ +|GA +|GA +|DEP + +|GraphQL image -> scan -> components and image -> scan -> components -> vulns queries^[6]^ +|GA +|GA +|REM + +|Kernel support packages and driver download functionality^[7]^ +|DEP +|DEP +|DEP + +|Manifest installation method, also called the `roxctl` CLI installation method^[8]^ +|GA +|GA +|DEP + +|Reporting of Istio vulnerabilities +|DEP +|DEP +|DEP + +a|`roxctl` admission controller parameters: + +* `--admission-controller-enforce-on-creates` +* `--admission-controller-enforce-on-updates` +* `--admission-controller-listen-on-creates` +* `--admission-controller-listen-on-updates` +* `--admission-controller-listen-on-events` +* `--admission-controller-timeout` +|GA +|GA +|DEP + +|StackRox Scanner +|DEP +|DEP +|DEP + +|`/v1/clustercves/suppress` APIs^[9,10]^ +|DEP +|DEP +|DEP + +|`/v1/clustercves/unsuppress` APIs^[9,10]^ +|DEP +|DEP +|DEP + +|`/v1/nodecves/suppress` APIs^[9,10]^ +|DEP +|DEP +|DEP + +|`/v1/nodecves/unsuppress` APIs^[9,10]^ +|DEP +|DEP +|DEP + +|`/v1/summary/counts` endpoint +|DEP +|DEP +|REM + +|Vulnerability Management (1.0) menu item^[11]^ +|DEP +|DEP +|DEP + +|Vulnerability Report Creator permission +|DEP +|DEP +|DEP + +|=== + +[.small] +-- +. API token authentication is deprecated. The corresponding cloud source integration uses service accounts for authentication. + +. The *Export Download Evidence as CSV* functionality was removed from the image, node, and platform CVE pages due to technical issues. This functionality is provided by new reporting features. For more information about creating and downloading vulnerability reports, see xref:../operating/manage-vulnerabilities/vulnerability-reporting.adoc#vulnerability-reporting[Vulnerability reporting]. + +. 
The current hierarchical implementation for defining Collections is deprecated and is anticipated to be replaced by a more comprehensive search-based definition in a future release. + +. The Google Container Registry integration is deprecated in response to the deprecation of Container Registry. You can use the Artifact Registry as a registry replacement and Scanner V4 as a scanner replacement. ++ +For more information, see link:https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr[Transition from Container Registry] (Google Cloud documentation). + +. Kernel support packages and driver download functionality are deprecated. + +. All GraphQL endpoints are deprecated and are expected to be removed in a future release. The endpoints were created to support the {product-title-short} portal. All other uses are unsupported. + +. The deprecated and unsupported GraphQL query of image -> scan -> components and image -> scan -> components -> vulns has been eliminated in favor of image -> scan -> imageComponents and image -> scan -> imageComponents -> imageVulnerabilities. + +. The manifest installation method is deprecated and is expected to be removed in the future. Manifest installation is currently done by using the `roxctl {central,sensor,scanner} generate` command in the CLI, or by choosing the legacy installation method in the {product-title-short} portal. Use the Operator or Helm installation methods. + +. A feature flag controls this API object, and you can enable or disable this API object by using the `ROX_VULN_MGMT_LEGACY_SNOOZE` environment variable. + +. The format for specifying duration in JSON requests to `v1/nodecves/suppress`, `v1/clustercves/suppress`, and `v1/imagecves/suppress` has been changed to the ProtoJSON format. +Only a numeric value representing seconds with optional fractional seconds for nanosecond precision and followed by the `s` suffix is supported. ++ +For example, `0.300s`, `-5400s`, or `9900s`. 
The previously valid time units of `ns`, `us`, `µs`, `ms`, `m`, and `h` are no longer supported. + +. The *Vulnerability Management* -> *Dashboard* view is deprecated and is planned to be removed in a future release. You can use the *User workload vulnerabilities*, *Exception management*, *Platform vulnerabilities*, and *Node CVEs* views as alternatives. + +-- + +[id="bug-fixes_{context}"] +== Bug fixes in version 4.9.0 + +*Release date*: {ga-date-490} + +//ROX-13221 +* Fixed a bug in the policy editor in the {product-title-short} portal that causes environment variables criteria or Dockerfile criteria with a keyword of `ENV` to be malformed when the criteria value includes the `=` character. +* With this release, when `allowPrivilegeEscalation` is not defined in a containers security context, {product-title-short} assumes the value is `true`. As part of good security practices, this value would usually be explicitly set to `false` to provide better security and ensure that the container cannot access a parent process with higher privileges. Policies with that criteria also create violations on deployments with containers that do not have the `allowPrivilegeEscalation` field defined in their security context. +//ROX-29776 +* Before this update, the response times were slow because the `serviceaccounts` endpoint improperly handled pagination parameters and returned all service accounts. With this release, you can use the `serviceaccounts` endpoint, which considers pagination limits and therefore returns only the specified number of service accounts. +//ROX-30498 +* Before this update, you might have experienced a consistently growing Central database that caused constant resizing of the persistent volume claim (PVC) or service interruptions from a no space left on device error. With this release, if the hashes table is the source of the growth, you can turn off the feature by setting ROX_HASH_FLUSH_INTERVAL=0. 
+//ROX-29755 +* Before this update, Sensor's failure to call `stream.Recv()` caused gRPC flow control to block image reprocessing every 4 hours. This update resolves the issue by including a timeout for sending messages to Sensors in the reprocessing loop, allowing image reprocessing to resume as expected. +//ROX-23996 +* With this update, we have streamlined our Central startup process, making the API endpoint available sooner. +//ROX-31049 +* The {product-title-short} 4.7.7, 4.8.3, and 4.8.4 releases set `mediaType` on container images to `oci` which is not compatible with some older registries and could break image mirroring. In this release, the `mediaType` is reverted to `docker` so that {product-title-short} product images can be mirrored in older image registries not supporting the `oci` mediaType. +//ROX-31158 +* With this release, the gRPC framework better propagates server name information to the processing of requests. This ensures benefits that include the generation of a correct redirect URI for the {ocp} authentication backend, and as a consequence, a working {ocp} authentication flow. +//ROX-21764 +* The matching logic for the process arguments criterion in security policies is fixed to do a "contains" match for the supplied values, instead of a whole string match. +//ROX-30949 +* Before this update, diagnostic bundles included telemetry gathering information from all clusters without respecting the cluster filter. As a consequence, users experienced slow diagnostic bundle creation for large fleet clusters. With this release, diagnostic bundle generation respects cluster filters and diagnostic bundle generation for large fleets is faster. +//ROX-19315 +* Fixed a bug that caused secured clusters to get stuck in a pending, or locked, state when an API referenced by Helm was removed from the cluster. +//ROX-31192 +* Fixed a bug where searching on an unknown label caused Central to crash. 
+//ROX-31365 +* Fixed an issue that could cause database connection exhaustion when many sensors try to reconnect at the same time. +//ROX-29795, ROX-28952, //ROX-29772 +* Various bugs for Compliance Operator were fixed and improvements were made, including the following items: +** Profiles are better mapped to specific *Coverage* tabs, for example, *OCP4-CIS* is displayed under the *CIS* tab. +//ROX-30821 +** BSI profiles now display in their own tab, instead of in the *Other* tab in the *Coverage* page. +** Scans can be scheduled for node profiles of different products. +** Sensor retries and waits longer for Compliance Operator and related Kubernetes resource creation. + +include::modules/image-versions.adoc[leveloffset=+1]
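Review bot: the footnote numbering under the deprecated-features table does not match the superscripts on the rows. `Collections hierarchical implementation^[2]^` points at list item 2, which is the *Export Download Evidence as CSV* text, while `^[3]^` on the Export row points at the Collections text; likewise `GraphQL endpoints^[5]^`, the GraphQL query row `^[6]^` and `Kernel support packages and driver download functionality^[7]^` point at items 5 (kernel), 6 (GraphQL endpoints) and 7 (GraphQL query). Either reorder the numbered list to follow the table's row order (API token, Collections, Export, Google, GraphQL endpoints, GraphQL query, Kernel, Manifest, feature flag, ProtoJSON, Vulnerability Management dashboard) or renumber the superscripts, and recheck `^[9,10]^` and `^[11]^` after the reorder. Smaller points in the same file: `[id="m2m-token-exchange-jwt"]` and `[id="image-technology-change"]` lack the `_{context}` suffix that every other section id in this file carries, so they will collide if the module is included twice; "a Prometheus server does not support M2 token exchange" should read M2M; `xref:..//cloud_service/installing_cloud_ocp/...` has a doubled slash; `ROX_HASH_FLUSH_INTERVAL=0` should be in backticks like the other environment variables and flags; "a containers security context" should be "a container's security context"; the comment `//ROX-29795, ROX-28952, //ROX-29772` has a stray `//` mid-line; "With this update, we have streamlined our Central startup process" uses first person, unlike the rest of the bug-fix list, and could read "Central startup is streamlined so that the API endpoint becomes available sooner." Finally, the admission controller section states the default for `spec.admissionControl.enforcement` / `admissionControl.enforce` but not for `spec.admissionControl.failurePolicy` / `admissionControl.failurePolicy`; since `Ignore` is fail-open and `Fail` is fail-closed, readers deciding whether to change it need the default stated there too.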