Added Features
- ROX-30645: Two new API endpoints lock and unlock process baselines for a given cluster ID and an optional set of namespaces.
- ROX-30279: The `admissionControl.enforcement` field has been added to the SecuredCluster CRD as a high-level way to toggle admission controller enforcement.
- ROX-30279: The `admissionControl.enforcement` field defaults to `Enabled` for new installations. [This is currently behind the `ROX_ADMISSION_CONTROLLER_CONFIG` feature flag, but the plan is to enable it for 4.9.]
- ROX-30279: The `admissionControl.failurePolicy` field has been added to the SecuredCluster CRD for controlling the admission controller's failure policy. It defaults to `Ignore`.
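The two new CRD fields in context, as an added example for this changelog rather than a manifest taken from the project. The cluster name, Central endpoint and metadata name are constructed values, and `Disabled` as the counterpart of `Enabled` is an assumption; `Ignore` and `Fail` follow the Kubernetes admission webhook failure policy vocabulary.

```yaml
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services   # constructed name
  namespace: stackrox
spec:
  clusterName: prod-east                        # constructed value
  centralEndpoint: central.stackrox.svc:443     # constructed value
  admissionControl:
    # High-level toggle added by ROX-30279. Enabled is the default for new
    # installations; Disabled (assumed counterpart value) keeps the webhook
    # in audit-only mode, where violations are recorded but nothing is blocked.
    enforcement: Enabled
    # Kubernetes webhook semantics: Ignore (the default) fails open, so a
    # timed-out or erroring webhook lets the admission request through and
    # enforcement silently lapses during an outage. Fail fails closed and
    # blocks the request instead, which couples every matching admission to
    # the webhook's availability. Pick Fail only where that trade-off is
    # acceptable and the webhook's availability is monitored.
    failurePolicy: Ignore
    # Deprecated by ROX-30279 and not needed once the fields above are used:
    # listenOnCreates, listenOnUpdates, listenOnEvents, contactImageScanners,
    # timeoutSeconds.
```

A fail-closed cluster should alert on the webhook's own error and latency metrics, because with `failurePolicy: Fail` a degraded admission controller shows up first as failed rollouts rather than as a security finding.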
ROX-27238: Central API for generating CRSs now supports custom expiration times, specified using the new fields "valid_until" or "valid_for".
roxctl's "central crs generate" now supports specifying custom expiration times using the new parameters "--valid-until" or "--valid-for". -
ROX-30087: Implicit exchange of OIDC tokens, accessing the API, with a role mapping according to the M2M configuration that matches the token issuer.
-
ROX-30100: Incorrect defaults for admission controller related configuration options in "roxctl sensor generate" have been fixed. The admission controller will be deployed and configured
for policy evaluation and enforcement as well as image scanning, out of the box - without requiring a user to specify command line
options to "roxctl sensor generate". -
- ROX-30034, ROX-29995, ROX-29996: Support for two new admission controller configuration options in `roxctl sensor generate`:
  - `--admission-controller-enforcement` defaults to `true`. If set to `false`, the admission controller webhook is configured not to enforce policies on any admission review request.
  - `--admission-controller-fail-on-error` defaults to `false`, which means the admission controller webhook fails open. If set to `true`, the webhook fails closed, i.e. the review request is blocked in case of timeouts or errors.
- ROX-24956: The default value of the `--admission-controller-timeout` flag has been fixed to 0 (note: this flag has been marked for deprecation).
- ROX-30035: On upgrade to 4.9, all secured clusters deployed using manifest install (`roxctl sensor generate` or the Add Cluster legacy install UI workflow) will have the admission controller config's scan-inline setting set to true, and will have both enforce-on-creates and enforce-on-updates set to true if either or both were true before the upgrade. This means the admission controller webhooks are now configured to 1) always scan images inline, and 2) either enforce on all admission review requests or on none.
- ROX-19197: Policies with the "Allow Privilege Escalation" criterion now fire violations for deployments with containers that do not define `allowPrivilegeEscalation` in their security context. Because Kubernetes treats an unset `allowPrivilegeEscalation` as `true`, such containers permit privilege escalation but previously went unreported.
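What the ROX-19197 change looks like against a workload, as an added example that is not part of the release notes or the project's test data. The Deployment, its name and the image reference are constructed; the first container is the case the policy now catches, the second is the compliant form.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-web              # constructed name
spec:
  replicas: 1
  selector:
    matchLabels: {app: example-web}
  template:
    metadata:
      labels: {app: example-web}
    spec:
      containers:
      # Before ROX-19197 this container produced no violation because the
      # field was simply absent. Kubernetes defaults an unset
      # allowPrivilegeEscalation to true, so the process may gain privileges
      # through setuid binaries or file capabilities; the criterion now flags it.
      - name: unset
        image: registry.example.com/app:1.0    # constructed image reference
        securityContext:
          runAsNonRoot: true
      # Compliant form: the field is set explicitly to false, which sets the
      # no_new_privs flag on the container process and stops the policy from
      # firing for this container.
      - name: explicit
        image: registry.example.com/app:1.0    # constructed image reference
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
```

Note that `runAsNonRoot` alone does not satisfy the criterion: a non-root process can still escalate through a setuid binary unless `allowPrivilegeEscalation: false` is set.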
- ROX-29160: New default policy (disabled by default) and associated image signature integration to ensure Red Hat images are signed by Red Hat's Release Key 3 (see https://access.redhat.com/security/team/key). It also serves as an example of using the Image Signature criterion. It applies to images from the following registries and remotes:
  - registry.redhat.io
  - registry.access.redhat.com
  - quay.io/openshift-release-dev/ocp-release
  - quay.io/openshift-release-dev/ocp-v4.0-art-dev
- ROX-28326: Custom Prometheus metrics are exposed on the `/metrics` path of the Central API endpoint. They are configured via the `/v1/config` service and are disabled by default.
- ROX-20262: Internal CA rotation is enabled for Operator-installed Centrals and Secured Clusters. Operator-installed Secured Clusters have full support, while Helm-installed Secured Clusters have partial support (they can connect to Central with the rotated CA, but their own certificates remain signed by the older CA).
Removed Features
- ROX-30278: The `admissionControl.dynamic.timeout` configuration parameter of the secured-cluster-services Helm chart is no longer user-configurable. Its value is fixed at `10`. [This is currently behind the `ROX_ADMISSION_CONTROLLER_CONFIG` feature flag, but the plan is to enable it for 4.9.]
- ROX-30279: The `admissionControl.listenOn*` fields of the SecuredCluster CRD are deprecated.
- ROX-30279: The `admissionControl.contactImageScanners` field of the SecuredCluster CRD is deprecated.
- ROX-30279: The `admissionControl.timeoutSeconds` field of the SecuredCluster CRD is deprecated.
- ROX-30278: The `admissionControl.dynamic.enforceOn*` configuration parameters of the secured-cluster-services Helm chart are deprecated and are now ignored. Use the high-level parameter `admissionControl.enforce` instead. Enforcement is now enabled by default.
- ROX-29994: The following `roxctl sensor generate` options, deprecated since 4.7 and earlier, have been removed:
  - `--create-admission-controller`
  - `--admission-controller-enabled`
  - `--slim-collector`
- ROX-30278: The `admissionControl.listenOn*` configuration parameters of the secured-cluster-services Helm chart are no longer user-configurable. Their values are all fixed at `true` (except on OpenShift 3, where `listenOnEvents` remains disabled). [This is currently behind the `ROX_ADMISSION_CONTROLLER_CONFIG` feature flag, but the plan is to enable it for 4.9.]
- ROX-30278: The `admissionControl.dynamic.scanInline` configuration parameter of the secured-cluster-services Helm chart is no longer user-configurable. Its value is fixed at `true`. [This is currently behind the `ROX_ADMISSION_CONTROLLER_CONFIG` feature flag, but the plan is to enable it for 4.9.]
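How the Helm changes above translate into a values file for the secured-cluster-services chart, as an added example that is not taken from the chart or the release notes. The cluster name and Central endpoint are constructed values; the commented block shows the keys an older values file typically carried and what happens to each of them once `ROX_ADMISSION_CONTROLLER_CONFIG` is enabled.

```yaml
# values.yaml for the secured-cluster-services Helm chart
clusterName: prod-east                        # constructed value
centralEndpoint: central.stackrox.svc:443     # constructed value

admissionControl:
  # High-level switch that replaces dynamic.enforceOnCreates and
  # dynamic.enforceOnUpdates. It defaults to true; set it to false to keep
  # the webhook non-enforcing while still evaluating policies.
  enforce: true

  # Keys from a pre-4.9 values file. With ROX_ADMISSION_CONTROLLER_CONFIG
  # enabled they are either deprecated and ignored or fixed to a value the
  # user can no longer change, so they should be removed rather than carried
  # forward; leaving them in place gives a false picture of what is enforced.
  # listenOnCreates: true       # fixed to true
  # listenOnUpdates: true       # fixed to true
  # listenOnEvents: true        # fixed to true (stays disabled on OpenShift 3)
  # dynamic:
  #   enforceOnCreates: true    # ignored; use admissionControl.enforce
  #   enforceOnUpdates: false   # ignored; use admissionControl.enforce
  #   scanInline: false         # fixed to true
  #   timeout: 3                # fixed to 10
```

The practical consequence of the migration is that a values file which previously enforced only on creates now enforces on updates as well, since `admissionControl.enforce` has no per-operation granularity; review any cluster that relied on `enforceOnUpdates: false` before upgrading.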
Deprecated Features
- ROX-30170: The following `roxctl sensor generate` options have been marked as deprecated; using them has no effect:
  - `--admission-controller-enforce-on-creates`
  - `--admission-controller-enforce-on-updates`
  - `--admission-controller-listen-on-creates`
  - `--admission-controller-listen-on-updates`
  - `--admission-controller-listen-on-events`
  - `--admission-controller-timeout`
- The current hierarchical implementation for defining Collections is deprecated and will be replaced by a more comprehensive search-based definition in the future.
- The manifest install method is now deprecated and will be removed in the future. Manifest install is currently done using the `roxctl {central,sensor,scanner} generate` command line utility, or by choosing "Legacy installation method" in the UI. Users should switch to Operator or Helm installation.
- All GraphQL endpoints are now deprecated and will be removed in the future. The endpoints were created to support the ACS UI; all other uses are unsupported.
Technical Changes
- ROX-29793: Accessing the Compliance menus (OpenShift Coverage and OpenShift Schedules) and API endpoints (`/v2/compliance/*`) now additionally requires read permission for the `Cluster` resource.
- ROX-30136: Autogenerated image integration TLS check results are now cached to speed up Central event processing. The env var `ROX_SENSOR_REGISTRY_TLS_CHECK_CACHE_TTL` has been renamed to `ROX_REGISTRY_TLS_CHECK_CACHE_TTL` and can be set on Central and/or Sensor to change the cache TTL. The 15 minute default is unchanged.
- ROX-30343: The Node.js requirement for the `ui` folder has been raised to 20.0.0.
- ROX-30602: Sensor component message processing has been enhanced with an asynchronous queuing system to improve the reliability and performance of Sensor-Central communication. Each Sensor component now processes messages from Central in a dedicated queue with a configurable buffer size. The new environment variable `ROX_REQUESTS_CHANNEL_BUFFER_SIZE` controls how many messages from Central are buffered before dropping occurs. New metrics have been added for monitoring Sensor components:
  - `rox_sensor_component_process_message_duration_seconds`: processing time for messages from Central in each Sensor component
  - `rox_sensor_component_queue_operations_total`: operations on component buffer queues
  - `rox_sensor_component_process_message_errors_total`: processing errors in each Sensor component
- ROX-30729: A Sensitive File Activity monitoring agent can be started via the `ROX_SENSITIVE_FILE_ACTIVITY` env var. The agent itself is in dev preview and is not meant for production use in this version.