Red Hat · Software · YoctoIT tech page

ACS

Shift-left container security: vulnerabilities, configurations and runtime protected along the whole chain, from build to cluster.

FOCUS · SECURITY IN THE PIPELINEFrom Dockerfile to runtime: security moved to where it's cheapest to fix
YoctoIT material for clients and partners · Red Hat, RHEL, OpenShift, Ansible and the other products mentioned are trademarks of Red Hat, Inc. o di sue affiliate.
01 · What it is

Advanced Cluster Security, made clear.

ACS (StackRox) assesses risk along the entire container lifecycle: image scanning at build, configuration checks at deploy (privileges, network policies, secrets), runtime detection of anomalous behavior. Policies block risk in the pipeline, before it reaches production.

Shift-left
the vulnerability blocked in CI costs 1, in production it costs 100
Runtime
anomalous processes and connections detected on running workloads
Network policy
pod segmentation suggested by the real observed traffic
Advanced Cluster Security
OFFICIAL RED HAT BRANDING · ACS
CONSOLE REALE · ACS NETWORK GRAPH · FONTE: RED HAT DOCS
REAL CONSOLE · ACS NETWORK GRAPH · SOURCE: RED HAT DOCS
02 · How to use it well

The things that make the difference.

The protected chain

Build & registryimage scans, signing, SBOMs
Deploy checks
Runtime detection
Network graph
policies · anomalies · segmentation
ACS centralpolicies and prioritized risk
The OpenShift clustersprod, test, everywhere
Every phase controlled, one dashboard

Policies as guardrails

Images with critical CVEs or excessive privileges don't pass: the gate in the pipeline, not the hunt afterwards.

Risk prioritization

Not 10,000 CVEs but the 20 deployments truly exposed: you work where it counts.

Feasible segmentation

The network graph shows who talks to whom: network policies are born from facts.

Container compliance

CIS Kubernetes, NIST, PCI: controls mapped and measured on the clusters.

03 · In depth

Policy engine and supply chain

ACS assesses risk across build, deploy and runtime: policies (ready-made or custom) block in the admission controller the images with critical CVEs, excessive privileges or secrets in manifests; the runtime observes pod processes and network with behavioral baselines; the network graph proposes NetworkPolicies from real traffic. Scanner V4 analyzes images and nodes; the CI integration (roxctl) brings the verdict into the pipeline.

  • Admission control — the non-compliant deploy doesn't get in: policy as code on the cluster
  • roxctl in CI — the image rejected in the pipeline: the fast fail that educates
  • Runtime baseline — unexpected processes in containers flagged: the crypto-miner can't hide
  • Network graph — NetworkPolicies suggested from observed flows: feasible micro-seg
  • Compliance — CIS/NIST/PCI measured per cluster with reports
  • Vulnerability mgmt — CVEs per deployment with fixable versions: the queue that gets cleared
04 · Numbers and lifecycle

The numbers that matter.

3
the phases covered: build, deploy, runtime
60+
the ready-to-use default policies
0
privileged agents unnecessary: eBPF for the runtime
4/anno
the ACS releases aligned with OpenShift
Container security belongs in the flow: policies in admission, gates in CI and the runtime observed — configured by us, always on.
05 · Use cases

Where it really pays off.

DevSecOps

Security inside the pipeline, not after.

Ambienti regolamentati

Control evidence for NIS2/DORA on containers too.

Multi-cluster

A single point of risk visibility across all your OpenShift clusters.

Containers change every day, security must live in the flow: ACS within our managed perimeter.