
Introducing Red Hat Advanced Cluster Security for Kubernetes 3.74 to OpenShift on IBM zSystems and IBM® LinuxONE

By Lei Zhang posted Mon March 06, 2023 11:20 AM

  

Red Hat Advanced Cluster Security for Kubernetes 3.74 went live on February 27, 2023. With it, you can secure clusters running Red Hat OpenShift on IBM zSystems and IBM® LinuxONE by using the RHACS Operator. This is a significant step toward giving our customers an integrated ecosystem for OpenShift on LinuxONE and Z that now includes container security.

What is Red Hat Advanced Cluster Security (ACS)?

ACS provides capabilities across the full container lifecycle - building secure images, verifying image signatures, deploying them with hardened configurations, and monitoring the running environment to detect malicious activity at runtime.

See ACS in two minutes for a short overview of what ACS does.

Why ACS?

Containers and Kubernetes are driving rapid innovation in application development and management as teams adopt DevOps principles and practices. Protecting containerized applications becomes critical as organizations deploy more containerized workloads. Cloud security is a shared responsibility: enterprises remain responsible for protecting the application layer and their sensitive data, beyond the security provided by the underlying infrastructure.

ACS, with its Kubernetes-native approach, integrates with DevOps and security tools, enabling teams to operationalize and secure their supply chain, infrastructure, and workloads. It fills the need for a container security platform in which security is a visible part of the overall hybrid-cloud strategy. ACS increases developer productivity by providing security guardrails that support developer velocity while maintaining the desired security and compliance posture.

Benefits of ACS

  • Increase developer velocity by automating DevSecOps

  • Harden Kubernetes for more resilient and compliant clusters

  • Secure workloads at scale with “zero-trust execution”

Value of ACS

  • Lower operational cost: Common language & single, trusted source of truth

  • Decreased operational risk: Align security and infrastructure to reduce downtime using built-in Kubernetes capabilities; mitigate threats with Kubernetes-native controls that enforce security policies, reducing the risk of outages

  • Innovate with confidence: Integrate security guardrails supporting developer velocity while maintaining security posture; standardize on Kubernetes across DevOps

Common use cases

Vulnerability Management

  • Scan images for known vulnerabilities

  • Find vulnerabilities in running deployments and learn how to fix them

  • Enforce policies based on vulnerability information in CI/CD workflows

Compliance

  • Assess compliance against the CIS Benchmarks and against PCI DSS, HIPAA, and NIST SP 800-190 controls

  • Get actionable insights to improve compliance posture

  • Show proof of compliance with instant reports and dashboards

Risk Profiling

  • Rank your deployments according to their security risk for prioritization

  • Go beyond CVE scores, and understand the true risk of vulnerabilities based on information derived from Kubernetes

  • Track improvements in your security posture to validate impact of your actions

Configuration management

  • Identify configuration risks such as network exposures, privileged containers, processes running as root, and noncompliance to align with industry best practices

  • Check for misconfigurations of your application deployments in CI/CD workflows

  • Analyze Kubernetes RBAC settings

Network segmentation

  • Visualize active vs. allowed network traffic to identify risky traffic

  • Enable security teams to audit network policies and recommend better policies

  • Simulate new, secure network policies and their impact

  • Baseline network traffic to alert when it deviates from known-good network activity

Runtime detection & response

  • Identify anomalous runtime activity using process allowlists and baselining

  • Use pre-built policies to detect common threats such as crypto mining, privilege escalation, and various exploits

  • Respond to threats with real-time alerts, or use Kubernetes-native controls to kill and restart suspicious pods

What makes ACS different from its competitors?

Red Hat ACS (image source: https://www.youtube.com/watch?v=lFBFW3HmgsA)

ACS is architected from the ground up to secure Kubernetes environments. It uses the declarative definitions and immutable infrastructure inherent to Kubernetes to enable security as code. For example, whereas competitors rely on proprietary security components to enforce network segmentation, ACS leverages the built-in Network Policy capabilities in Kubernetes to automatically enforce network segmentation at scale. This approach ensures that security works with, not against, how developers and operators build and operate clusters.

Why is ACS 3.74 exciting for IBM zSystems and IBM® LinuxONE customers?

ACS 3.74 adds the capability to secure IBM zSystems and IBM® LinuxONE nodes in Kubernetes and OpenShift clusters. You install ACS as a set of containers in your OpenShift Container Platform or Kubernetes cluster. This includes:

  • Central services, which you install on one cluster.

    • Central must run on x86_64; it is not yet supported on IBM zSystems and IBM® LinuxONE.

    • ACS can scan IBM zSystems and IBM® LinuxONE images, with the following limitations for multi-architecture images:

      • If you scan a multi-architecture image by a tag reference, ACS reports the scan results of the AMD64 layer (the amd64 entry in the image's manifest list), so the s390x build is not what gets scanned.

      • If you scan a multi-architecture image by a SHA reference to a specific architecture layer, ACS reports the scan results for that architecture.

  • Secured cluster services, which you install on each cluster that you want to secure with ACS.

    • IBM zSystems and IBM® LinuxONE nodes can now be secured by installing the secured cluster services on those clusters.

    • ACS 3.74 supports secured clusters running Red Hat OpenShift 4.10 through 4.12 on IBM zSystems and IBM® LinuxONE.
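The multi-architecture scanning limitation above matters in practice: a tag reference gets you the amd64 result, so to have ACS scan the s390x build you must pin the reference to the s390x manifest digest (repo@sha256:...). The following Python is an added example, not code from the original post, from Red Hat ACS or from roxctl. It parses a manifest list / OCI image index of the kind a registry returns for a multi-arch tag, selects the entry for a platform, builds the digest-pinned reference, models which architecture ACS 3.74 reports for a given reference, and verifies a fetched manifest against its digest. The registry, repository, tag and digests are constructed for illustration.

```python
"""Pin a multi-architecture image to its s390x manifest before scanning.

Added example; not code from the original post, from Red Hat ACS or from
roxctl. ACS 3.74 reports the AMD64 result when a multi-arch image is scanned
by tag, so the s390x build is only scanned when the reference is pinned to
the s390x manifest digest (repo@sha256:...). Registry, repository, tag and
digests below are constructed placeholders.
"""
import hashlib
import json
import re
from typing import Optional

INDEX_MEDIA_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed: the shape of what a registry returns for a three-platform tag
# (e.g. via `skopeo inspect --raw`). Digests are placeholders, not real ones.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [
        {"digest": "sha256:" + "a" * 64, "size": 1024,
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"digest": "sha256:" + "b" * 64, "size": 1024,
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "platform": {"architecture": "s390x", "os": "linux"}},
        {"digest": "sha256:" + "c" * 64, "size": 1024,
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
    ],
})


def parse_index(raw: str) -> dict:
    """Parse a manifest list and reject single-arch manifests or bad digests."""
    doc = json.loads(raw)
    if doc.get("schemaVersion") != 2 or doc.get("mediaType") not in INDEX_MEDIA_TYPES:
        raise ValueError("not a manifest list / OCI image index")
    for entry in doc.get("manifests", []):
        if not DIGEST_RE.match(entry.get("digest", "")):
            raise ValueError(f"malformed digest in index: {entry.get('digest')!r}")
    return doc


def digest_for(index: dict, architecture: str, os: str = "linux",
               variant: Optional[str] = None) -> str:
    """Return the manifest digest for one platform, or raise LookupError."""
    for entry in index["manifests"]:
        plat = entry.get("platform", {})
        if (plat.get("architecture") == architecture and plat.get("os") == os
                and plat.get("variant") == variant):
            return entry["digest"]
    raise LookupError(f"no {os}/{architecture} manifest in index")


def pinned_reference(repo: str, digest: str) -> str:
    """Build the digest-pinned reference ACS needs to scan one architecture."""
    if not DIGEST_RE.match(digest):
        raise ValueError("refusing to build a reference from a malformed digest")
    return f"{repo}@{digest}"


def architecture_acs_reports(reference: str, index: dict) -> str:
    """Model the 3.74 behaviour described in the release notes: a tag reference
    yields the AMD64 result; a digest reference yields that manifest's platform."""
    if "@sha256:" not in reference:
        return "amd64"
    digest = reference.split("@", 1)[1]
    for entry in index["manifests"]:
        if entry["digest"] == digest:
            return entry["platform"]["architecture"]
    raise LookupError("digest not present in index")


def manifest_matches_digest(manifest_bytes: bytes, digest: str) -> bool:
    """Verify that a manifest fetched by digest really hashes to that digest."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest() == digest


if __name__ == "__main__":
    repo = "registry.example.com/team/app"  # constructed
    index = parse_index(SAMPLE_INDEX)
    print(architecture_acs_reports(f"{repo}:1.0", index))  # tag -> amd64 result
    ref = pinned_reference(repo, digest_for(index, "s390x"))
    print(ref)                                              # repo@sha256:bbbb...
    print(architecture_acs_reports(ref, index))             # digest -> s390x
```

The pinned reference is what you hand to ACS (for example via the image field of a deployment or a `roxctl image scan` invocation) when the s390x result is the one you need; scanning the bare tag silently gives you the amd64 findings instead. The digest check at the end is the reason digest pinning is a security control and not just a routing trick: content addressed by digest can be verified end to end.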

See the Install Guide for details on how to set up ACS with Central on x86_64 and the secured cluster services on IBM zSystems and IBM® LinuxONE nodes.

Below is an architecture diagram that shows the components of ACS. For details on the different components and what they do, see Red Hat Advanced Cluster Security for Kubernetes architecture.

ACS architecture diagram (source: https://docs.openshift.com/acs/3.74/architecture/acs-architecture.html, fig. 1)

To Probe Further

Release 3.74 includes additional enhancements, bug fixes, and important system changes. For more information, see Red Hat Advanced Cluster Security for Kubernetes 3.74 release notes.

If you want to see ACS in action, check out the Red Hat Advanced Cluster Security - Deep dive demo by Red Hat's Chris Porter. Chris explains how ACS takes a Kubernetes-native approach to security and why this works better than building a firewall, or building something at the pod level or in the Linux kernel, to apply and enforce rules at the network layer.
