In the second quarter of 2022, Red Hat Advanced Cluster Security continued to create and enhance capabilities designed to improve security programs, including supply chain security and zero-trust networking for Kubernetes. Our latest updates, released in 3.69 and 3.70, include improvements to vulnerability management, security policies, scale and additional guardrails to help protect against misconfigurations that can create security risks. The key new and enhanced capabilities outlined in these releases are:
- Scanning of the embedded OpenShift Container Registry.
- Improved detection of Spring vulnerabilities.
- New policies to manage the operational readiness of a deployment.
- Inactive software component identification.
- Verifying image signatures against Cosign public keys.
- Identifying missing Kubernetes network policies to enable zero-trust networking within a cluster.
But how do these enhancements enable you to achieve your business goals around supply chain security, zero-trust networking, DevSecOps initiatives, and vulnerability management?
Supply Chain Security
Just like the software they build, open source communities depend on each other. A single vulnerability or misconfiguration in the supply chain can result in costly fixes later in the software lifecycle. Several notable breaches over the last few years have highlighted the importance of supply chain security. In 2021, there was a 650% year-over-year increase in software supply chain attacks aimed at exploiting weaknesses in upstream, open source ecosystems, according to this year’s "State of the Software Supply Chain" report.
Effective supply chain security includes managing the security of the open source solutions that drive innovation in combination with the custom code that provides unique business value. In response to the rising concern around securing the supply chain, Red Hat started leveraging sigstore, an open source project originally conceived of and prototyped at Red Hat. Sigstore is now under the auspices of the Linux Foundation with backing from Red Hat, Google and other IT leaders. Supply chain security is critical to innovative, savvy cloud adopters, and because the open source community shares code, we are exemplifying the idea of “trust and verify” by leveraging sigstore to sign artifacts and verify signatures.
Sigstore improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparent log technologies. Sigstore empowers software developers to securely sign software artifacts such as release files, container images and binaries. Signing materials are then stored in a tamper-proof public log which enhances security and trust.
This quarter, we have included a new feature that will verify image signatures against Cosign public keys to verify the integrity of the container images in your clusters. You can also create policies to block images that are unsigned or signed with unverified signatures, and enforce the policy by using an admission controller to stop unauthorized deployment creation.
For greater security and compliance, customers require the ability to run their private registry in a disconnected or detached environment. These organizations desire the ability to identify critical vulnerabilities without being exposed to the internet. With Red Hat Advanced Cluster Security Release 3.69, we’ve taken this a step further and now support the scanning of an embedded OpenShift Container Registry that is only available to users logged into the OpenShift cluster. Customers can scan for known container image vulnerabilities while strictly limiting access to the OpenShift embedded registry. With the new release of ACS, customers can scan an embedded OpenShift Container Registry with a lightweight version of the Scanner delivered as part of the secured cluster services.
This release also includes improved detection of Spring vulnerabilities with enhancements in the Scanner to identify vulnerabilities in packages that follow the Spring naming conventions. The Scanner now detects Spring packages impacted by the newly discovered critical vulnerabilities CVE-2022-22963 and CVE-2022-22965 (Spring4Shell).
Scanner also includes the following new capabilities:
- Support for Alpine 3.15
- Scanner now identifies busybox as a base operating system.
- Ubuntu vulnerability reference links now point to the updated address https://ubuntu.com/security/.
Zero Trust Networking and Security Policy Enhancements
The risk of security breaches is driving DevSecOps and cloud teams to adopt a zero-trust networking approach to security. Though being able to lock down your environment is crucial, teams also don’t want to break existing applications and workflows. It is imperative organizations have the right guardrails in place to keep security and compliance continuous without sacrificing productivity.
Kubernetes network policies are vital in helping to enable zero-trust networking within a cluster. They reduce the impact of network attacks by limiting the opportunity for lateral movement. By default, all communication between pods is allowed in a Kubernetes cluster, and organizations sometimes struggle to define and deploy Kubernetes network policies to restrict pod-to-pod traffic.
Networking teams that traditionally own network security are typically not engaged in the Kubernetes security process and are not familiar with its controls. Kubernetes security teams are typically the ones charged with Kubernetes networking security and sometimes struggle to coordinate with the networking team. When it comes to Kubernetes network policies, the security team may not have complete knowledge of the application's communication needs.
ACS helps address these challenges by recommending Kubernetes network policies that teams can adopt. Recommendations are based on observed healthy traffic to help establish a baseline that represents allowed traffic. Teams can gain networking insights by visually inspecting network connections using the interactive Network Graph, and by simulating the impact of applying the recommended network policies. Once reviewed, these recommended network policies can be exported from ACS, to be applied as live network policies through automation.
The new ACS default policy allows you to easily identify deployments that are not restricted by any ingress network policy and to trigger violation alerts accordingly. Enabling this ACS policy can help customers understand which deployments are exposed. It is a great first step in overcoming the above challenges and building a healthy organizational process to take advantage of Kubernetes network policies.
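The check behind that default policy comes down to Kubernetes label-selector matching: a deployment is exposed when no NetworkPolicy in its namespace that restricts ingress selects its pods. The following is an added example that reimplements that logic over constructed, trimmed-down manifests; it is not ACS code, and the object shapes are simplified dicts rather than full API objects.

```python
# Added example, not ACS code: list deployments whose pods are selected by no
# ingress NetworkPolicy in their namespace. Manifests are constructed, trimmed dicts.
def selector_matches(selector, labels):
    """Kubernetes label-selector semantics; an empty selector ({}) matches every pod."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    for e in selector.get("matchExpressions", []):
        key, op, vals = e["key"], e["operator"], e.get("values", [])
        has = key in labels
        ok = {"In": has and labels[key] in vals, "NotIn": not (has and labels[key] in vals),
              "Exists": has, "DoesNotExist": not has}[op]
        if not ok:
            return False
    return True

def restricts_ingress(policy):
    """policyTypes omitted defaults to Ingress; only an explicit list can leave it out."""
    types = policy["spec"].get("policyTypes")
    return types is None or "Ingress" in types

def unprotected_deployments(deployments, policies):
    """Return ns/name of deployments no ingress policy selects: any pod can reach them."""
    exposed = []
    for d in deployments:
        ns = d["metadata"]["namespace"]
        labels = d["spec"]["template"]["metadata"].get("labels", {})
        covered = any(p["metadata"]["namespace"] == ns and restricts_ingress(p)
                      and selector_matches(p["spec"]["podSelector"], labels)
                      for p in policies)
        if not covered:
            exposed.append(f"{ns}/{d['metadata']['name']}")
    return exposed

# Constructed sample: "web" is guarded, the egress-only policy restricts nothing on
# ingress, and the "jobs" namespace has no policy at all.
DEPLOYMENTS = [
    {"metadata": {"name": "web", "namespace": "shop"},
     "spec": {"template": {"metadata": {"labels": {"app": "web"}}}}},
    {"metadata": {"name": "db", "namespace": "shop"},
     "spec": {"template": {"metadata": {"labels": {"app": "db"}}}}},
    {"metadata": {"name": "batch", "namespace": "jobs"},
     "spec": {"template": {"metadata": {"labels": {"app": "batch"}}}}},
]
POLICIES = [
    {"metadata": {"name": "web-ingress", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "egress-only", "namespace": "shop"},
     "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
]
```

Note that an egress-only policy with an empty podSelector selects every pod in the namespace yet leaves ingress wide open, which is exactly the case such a check must not mistake for coverage.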
This release also includes improved validation of pod security context. A new policy criterion has been added to validate the value of allowPrivilegeEscalation within the pod security context. You can use this policy criterion to provide alerts when a deployment is configured to allow a container process to gain more privileges than its parent process.
The new operational readiness policies let users define what a production-ready deployment looks like. These policies include checks for liveness and readiness probes and for predefined replica counts. Inactive software component identification allows users to quickly identify whether a software package inside a container image is inactive. You can use this information to consider removing the inactive software package as a hardening step or for vulnerability remediation.
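To make the two preceding paragraphs concrete, here is an added example (not the ACS policy engine) that evaluates a Deployment manifest against the criteria they name: allowPrivilegeEscalation in the container security context, the presence of liveness and readiness probes, and a minimum replica count. The replica threshold and the sample manifests are constructed for the example.

```python
# Added example, not ACS code: evaluate a Deployment against the criteria the text
# names (allowPrivilegeEscalation, liveness/readiness probes, minimum replicas).
MIN_REPLICAS = 2  # assumed threshold for this example; set it to match your own policy

def check_deployment(dep, min_replicas=MIN_REPLICAS):
    """Return a list of violation strings; an empty list means the deployment passes."""
    name = dep["metadata"]["name"]
    spec = dep["spec"]
    violations = []
    # Kubernetes defaults replicas to 1 when the field is omitted.
    replicas = spec.get("replicas", 1)
    if replicas < min_replicas:
        violations.append(f"{name}: replicas {replicas} < {min_replicas}")
    for c in spec["template"]["spec"]["containers"]:
        cname = f"{name}/{c['name']}"
        sc = c.get("securityContext", {})
        # The Kubernetes default for allowPrivilegeEscalation is true, so only an
        # explicit false is safe; a privileged container always allows escalation.
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{cname}: allowPrivilegeEscalation not disabled")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                violations.append(f"{cname}: missing {probe}")
    return violations

# Constructed sample manifests: one that passes and one that trips every check
# except the liveness probe.
GOOD = {"metadata": {"name": "api"}, "spec": {"replicas": 3, "template": {"spec": {"containers": [
    {"name": "app", "securityContext": {"allowPrivilegeEscalation": False},
     "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
     "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}]}}}}
BAD = {"metadata": {"name": "legacy"}, "spec": {"template": {"spec": {"containers": [
    {"name": "worker", "securityContext": {"runAsNonRoot": True},
     "livenessProbe": {"exec": {"command": ["true"]}}}]}}}}

if __name__ == "__main__":
    for dep in (GOOD, BAD):
        print(dep["metadata"]["name"], check_deployment(dep))
```

Setting runAsNonRoot alone, as the "legacy" sample does, does not satisfy the escalation check: the field being validated is allowPrivilegeEscalation, which must be explicitly false.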
When it comes to security, solutions that can work together can help create a more resilient security posture. Integrations and APIs are key to success and to helping teams reach ultimate efficiency.
In our Q2 releases, we have added automatic Amazon ECR registry integration. The registry integrations for Amazon Elastic Container Registry (ECR) are now automatically generated for Amazon Web Services (AWS) clusters. This feature requires that the nodes' Instance Identity and Access Management (IAM) Role has been granted access to ECR. You can turn off this feature by disabling the EC2 instance metadata service in your nodes. See Amazon ECR integrations for more information.
About Red Hat® Advanced Cluster Security (ACS) for Kubernetes
Red Hat® Advanced Cluster Security (ACS) for Kubernetes hardens the security of clusters and applications with built-in security policies. ACS lowers operational costs by reducing the learning curve for implementing Kubernetes security, provides built-in controls for enforcement to reduce operational risk, and uses a Kubernetes-native approach that supports built-in security across the entire software development life cycle, facilitating greater developer productivity.
The platform integrates with DevOps and security tools, allowing teams to operationalize and implement security for their supply chain, infrastructure, and workloads.
Red Hat Advanced Cluster Security for Kubernetes uses Kubernetes-native principles, declarative definition, and immutable infrastructure to automate DevSecOps best practices. Together, ACS and OpenShift help enable continuous compliance, monitor usage, and maintain consistency for a more resilient security posture.
To learn more about Red Hat Advanced Cluster Security, visit our product page and documentation.
To get a more personalized look at Red Hat Advanced Cluster Security for Kubernetes, you can request a demo.