
Announcing RHACS 4.3 and its Central Services to Red Hat OpenShift on IBM Z and IBM® LinuxONE

By Lei Zhang posted 17 days ago


Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4.3 became generally available on November 15, 2023, and is available from the same date for customers running Red Hat OpenShift on IBM Z and IBM® LinuxONE. This release focuses on supporting more Kubernetes platforms, delivers better vulnerability reports, and makes onboarding users faster. The Red Hat Advanced Cluster Security 4.3 release notes list the updates, deprecations, and feature removals in this version.

Since its first release on Red Hat OpenShift on IBM Z and IBM® LinuxONE in February 2023, only RHACS Secured Cluster Services had been supported on IBM Z. With this release, RHACS Central Services are also available to customers on IBM Z. Full support for RHACS on IBM Z is a pivotal advancement as we aim to help customers lower their security program expenses, address skill gaps in Kubernetes security, and overcome organizational silos.

What is Red Hat Advanced Cluster Security (RHACS)?

RHACS provides capabilities across the full container lifecycle - building secure images, verifying image signatures, deploying them with hardened configurations, and monitoring the running environment to detect malicious activity at runtime.

See RHACS in two minutes to understand more about ACS.

Why RHACS?

Containers and Kubernetes are driving rapid innovation in application development and management as teams adopt DevOps principles and practices. Protecting containerized applications becomes critical as organizations deploy more containerized workloads. Cloud security is a shared responsibility: enterprises are responsible for protecting the application layer and their sensitive data, beyond the security provided by the on-premises infrastructure.

RHACS, with its Kubernetes-native approach, integrates with DevOps and security tools, enabling teams to operationalize and secure their supply chain, infrastructure, and workloads. It fills the need for a container security platform in which security is a visible piece of the overall hybrid-cloud strategy. RHACS gives customers increased developer productivity and innovation by providing security guardrails that support developer velocity while maintaining the desired security and compliance posture.

Benefits of RHACS

  • Increase developer velocity by automating DevSecOps

  • Harden Kubernetes for more resilient and compliant clusters

  • Secure workloads at scale with “zero-trust execution”

Value of RHACS

  • Lower operational cost: Common language & single, trusted source of truth

  • Decreased operational risk: Align security & infrastructure to reduce downtime using built-in Kubernetes capabilities; mitigate threats using Kubernetes-native controls to enforce security policies, reducing risk of outage

  • Innovate with confidence: Integrate security guardrails supporting developer velocity while maintaining security posture; standardize on Kubernetes across DevOps

Common use cases

Vulnerability Management

  • Scan images for known vulnerabilities

  • Find vulnerabilities in running deployments and learn how to fix them

  • Enforce policies based on vulnerability information in CI/CD workflows

Compliance

  • Assess compliance with CIS Benchmarks, PCI DSS, HIPAA, and the NIST SP 800-190 reference architecture

  • Get actionable insights to improve compliance posture

  • Show proof of compliance with instant reports and dashboards

Risk Profiling

  • Rank your deployments according to their security risk for prioritization

  • Go beyond CVE scores, and understand the true risk of vulnerabilities based on information derived from Kubernetes

  • Track improvements in your security posture to validate impact of your actions

Configuration management

  • Identify configuration risks such as network exposures, privileged containers, processes running as root, and noncompliance with industry best practices

  • Check for misconfigurations of your application deployments in CI/CD workflows

  • Analyze Kubernetes RBAC settings

Network segmentation

  • Visualize active vs allowed network traffic to identify risky traffic

  • Enable security teams to audit network policies and recommend better policies

  • Simulate new, secure network policies and their impact

  • Baseline network traffic to alert when it deviates from known-good network activity

Runtime detection & response

  • Identify anomalous runtime activity using process allowlists and baselining

  • Use pre-built policies to detect common threats such as crypto mining, privilege escalation, and various exploits

  • Respond to threats with real time alerts or use Kubernetes-native controls to kill and restart suspicious pods

What makes RHACS different from its competitors?

Red Hat ACS (image)

Source: https://www.youtube.com/watch?v=lFBFW3HmgsA

RHACS is architected from the ground up to secure Kubernetes environments. It uses the declarative definitions and immutable infrastructure inherent to Kubernetes to enable security as code. For example, whereas competitors rely on proprietary security components to enforce network segmentation, RHACS leverages the built-in Network Policy capabilities in Kubernetes to automatically enforce network segmentation at scale. This approach ensures that security works with, not against, how developers and operators build and operate clusters.

What is new for RHACS 4.3 and why is it exciting for IBM Z and IBM® LinuxONE customers?

The new features in RHACS 4.3 are listed in Red Hat Advanced Cluster Security for Kubernetes 4.3 New features. The most exciting part for IBM Z and IBM® LinuxONE customers is that RHACS Central Services are now supported on IBM Z and IBM® LinuxONE, in addition to RHACS Secured Cluster Services.
RHACS Central Services comprise three main components, Central, Central DB, and Scanner, installed on a single cluster: Central provides the RHACS application interface and API, Central DB handles data persistence using PostgreSQL 13, and Scanner is a certified vulnerability scanner for container images and system components.
Together with RHACS Secured Cluster Services, the full RHACS stack is now supported on Red Hat OpenShift on IBM Z and IBM® LinuxONE. Below is an architecture diagram that shows the components of RHACS. For details on the different components and what they do, see Red Hat Advanced Cluster Security for Kubernetes architecture.
ACS architecture diagram (image)

Source: https://docs.openshift.com/acs/4.3/architecture/acs-architecture.html#acs-architecture_acs-architecture (fig 1)

To Probe Further

Release 4.3 includes additional enhancements, bug fixes, and important system changes. For more information, see Red Hat Advanced Cluster Security for Kubernetes 4.3 release notes.

If you want to see RHACS in action, check out the Red Hat Advanced Cluster Security - Deep dive demo by Red Hat's Chris Porter. Chris explains how RHACS takes a Kubernetes-native approach to security and why this is a better approach than building a firewall, or building something at the pod level or at the Linux kernel level, to apply and enforce rules at the network layer.
