
Release notes

Get information on the features and improvements in each release.


StackRox releases new features, enhancements, and fixes frequently so you can keep up with the fast-paced container and Kubernetes ecosystem.

Learn more about each version of the StackRox Kubernetes Security Platform here and upgrade when you’re ready to get the newest features.

The StackRox Kubernetes Security Platform version 3.65.0 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases.

To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: September 1, 2021

New Features

MITRE ATT&CK Framework

You can now use the MITRE ATT&CK Framework to categorize policies in the StackRox Kubernetes Security Platform.

Install on Red Hat OpenShift Service on AWS and Azure Red Hat OpenShift

You can now install the StackRox Kubernetes Security Platform on Red Hat OpenShift Service on AWS and Azure Red Hat OpenShift.

Admission control settings

You can now configure the dynamic admission control settings in the Red Hat Advanced Cluster Security for Kubernetes Operator. It now includes the following admission control settings:

  • admissionControl.bypass: Bypass admission control, in a monitored manner, in the event of an emergency.
  • admissionControl.contactImageScanners: Define how the StackRox Kubernetes Security Platform handles inline image scanning for images that haven’t already been scanned at the time of a deployment’s admission review.
  • admissionControl.timeoutSeconds: Specify the maximum time allowed for the admission review; when this timeout is reached, the admission review fails open.
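As an added example (not code from StackRox or the release notes), the following Python builds the admissionControl section of a SecuredCluster resource and sanity-checks it before you apply it. The three field names come from the list above; the resource kind and apiVersion (SecuredCluster, platform.stackrox.io/v1alpha1), the permitted enum values for bypass and contactImageScanners, and the 20-second inline-scan threshold are assumptions of this example, not something the release notes state. The 1..30 second range is the Kubernetes API server’s limit on admission webhook timeouts. The manifest is emitted as JSON, which kubectl and oc accept, and it is a fragment to merge into your existing custom resource rather than a complete one.

```python
"""Added example: build and sanity-check the admissionControl section of a
SecuredCluster custom resource before applying it to the cluster."""
import json

# Assumptions (taken from the RHACS operator CRD, not from the release notes):
# resource kind/apiVersion and the permitted enum values for each field.
API_VERSION = "platform.stackrox.io/v1alpha1"
KIND = "SecuredCluster"
BYPASS_VALUES = {"BreakGlassAnnotation", "Disabled"}
CONTACT_SCANNER_VALUES = {"DoNotScanInline", "ScanIfMissing"}
# The Kubernetes API server limits admission webhook timeouts to 1..30 seconds.
MAX_WEBHOOK_TIMEOUT = 30
# Illustrative threshold (assumption): below this an inline image scan is
# unlikely to finish before the review times out and fails open.
INLINE_SCAN_MIN_TIMEOUT = 20


def validate_admission_control(settings):
    """Return a list of hard errors; an empty list means the settings are usable."""
    problems = []
    bypass = settings.get("bypass")
    if bypass is not None and bypass not in BYPASS_VALUES:
        problems.append(f"bypass must be one of {sorted(BYPASS_VALUES)}, got {bypass!r}")
    contact = settings.get("contactImageScanners")
    if contact is not None and contact not in CONTACT_SCANNER_VALUES:
        problems.append(
            f"contactImageScanners must be one of {sorted(CONTACT_SCANNER_VALUES)}, got {contact!r}"
        )
    timeout = settings.get("timeoutSeconds")
    if timeout is not None:
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(timeout, bool) or not isinstance(timeout, int) \
                or not 1 <= timeout <= MAX_WEBHOOK_TIMEOUT:
            problems.append(
                f"timeoutSeconds must be an integer in 1..{MAX_WEBHOOK_TIMEOUT}, got {timeout!r}"
            )
    return problems


def warnings_for(settings):
    """Soft warnings: fail-open behaviour and bypass monitoring."""
    warnings = []
    if settings.get("bypass") == "BreakGlassAnnotation":
        warnings.append("bypass is enabled: make sure bypass events are monitored and alerted on")
    timeout = settings.get("timeoutSeconds")
    if settings.get("contactImageScanners") == "ScanIfMissing" and (
            timeout is None or timeout < INLINE_SCAN_MIN_TIMEOUT):
        warnings.append("ScanIfMissing with a short timeout: a review that times out fails open, "
                        "so an unscanned image may be admitted")
    return warnings


def build_secured_cluster(name, namespace, admission_control):
    """Assemble a minimal SecuredCluster fragment; raises ValueError on bad settings."""
    problems = validate_admission_control(admission_control)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": API_VERSION,
        "kind": KIND,
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"admissionControl": dict(admission_control)},
    }


def render(manifest):
    """JSON is accepted by kubectl/oc apply -f, so no YAML library is needed."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Constructed sample: emergency bypass off, scan unscanned images inline,
    # and give the scan enough time to finish before the review fails open.
    sample = {"bypass": "Disabled", "contactImageScanners": "ScanIfMissing", "timeoutSeconds": 20}
    for w in warnings_for(sample):
        print("warning:", w)
    print(render(build_secured_cluster("stackrox-secured-cluster-services", "stackrox", sample)))
```

Run the script to print warnings and the JSON fragment; pipe the output to kubectl apply -f - once you have merged it with the rest of your resource. The validation is deliberately strict about timeoutSeconds because the admission review fails open on timeout, which is the behaviour a policy enforcement point should never drift into unnoticed.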

Important bug fixes

  • ROX-6988: Previously, CVEs in Red Hat packages that transitioned from unfixable to the fixable state weren’t deleted and replaced by the fixable advisory. We’ve fixed this issue.
  • ROX-7170: Previously, the error logs in the diagnostic bundle were only collected if you had installed the StackRox Kubernetes Security Platform services in the stackrox namespace. We’ve resolved this issue.
  • ROX-7861: Previously, the StackRox Kubernetes Security Platform compliance control NIST 800-190 Control 4.1.4 didn’t correctly detect policies used for secrets protection. We’ve fixed this issue.

Important system changes

  • We’ve updated the host-pid policy to include an exception for the openshift-sdn namespace, because the sdn deployment in that namespace legitimately shares the host process namespace and was generating an inaccurate violation.
  • The alert notification titles for PagerDuty, Slack, Microsoft Teams, JIRA, and email notifiers now include the cluster and the policy names in addition to the deployment or image name if it exists.
  • The alert notification for PagerDuty now includes the full alert in the JSON format as a custom detail.
  • All default system policies’ criteria fields are now read-only. However, you can still edit the policy criteria fields for the custom policies or policies you create by cloning a system policy.

Upcoming changes

In the StackRox Kubernetes Security Platform version 3.66, we’ll deprecate the following default system policies:

  • DockerHub NGINX 1.10
  • Shellshock: Multiple CVEs
  • Heartbleed: CVE-2014-0160

In the StackRox Kubernetes Security Platform version 3.66, we’ll disable the following default system policies:

  • DOCKER CIS 4.4: Ensure images are scanned and rebuilt to include security patches

You can create custom policies to monitor for these violations.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.65.0
Scanner | Scans images and nodes. | stackrox.io/scanner:2.19.0
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.19.0
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.3.0-latest

The StackRox Kubernetes Security Platform version 3.64.0 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases.

To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: August 11, 2021

New Features

  • ROX-7230: You can now use deployment and namespace annotations to define where the StackRox Kubernetes Security Platform sends the violation notifications when configuring your notifiers such as Slack, Microsoft Teams, Email, and others.
  • ROX-7534: The Red Hat Advanced Cluster Security Operator now lets you set the enforcement behavior of the admission controller as part of your custom resource.
  • ROX-7561: The StackRox Kubernetes Security Platform now supports kernel modules for Ubuntu 16.04 LTS with extended security maintenance (ESM).

Important bug fixes

  • ROX-6326: Previously, users would get sporadic server errors in environments with a very large number of namespaces. We’ve addressed this issue.

Resolved in version 3.64.1

Release date: August 26, 2021

  • ROX-7850: Because of the way the StackRox Kubernetes Security Platform previously addressed its internal service endpoints, OpenShift clusters with a proxy enabled were incorrectly sending internal traffic through the proxy as if it were external. This caused internal service failures that prevented the StackRox Kubernetes Security Platform components from communicating. To address this, we’ve added the .svc suffix to the default addresses of the internal service endpoints so that the default OpenShift proxy noProxy setting correctly treats traffic between StackRox Kubernetes Security Platform components as internal. All customers using OpenShift with a proxy are advised to upgrade to 3.64.1 or later.
  • ROX-7872: The updated Operator image sets the memory limit to 1 GiB and the memory request to 200 MiB to address out-of-memory issues when using the RHACS Operator at scale.

Important system changes

  • ROX-6258: The StackRox Kubernetes Security Platform now prefixes the optional security context constraint name with stackrox to avoid global naming conflicts.
  • ROX-7318: Previously, violations for port forwards and execs events didn’t contain information about the user who performed the action that generated the events. The violations now include the user context.
  • ROX-7449: Cluster init bundles contain the secrets that internal StackRox Kubernetes Security Platform services need to communicate with each other. You can delete these bundles to rotate secrets, but doing so has sometimes caused outages. We’ve updated the deletion workflow so that it now warns about the possible impact of deletion on the environment.
  • ROX-7684: The OpenShift compliance operator uses rpm only for querying, and it doesn’t install any packages. We’ve put in a policy exception for this pod by default to reduce the violations count.

Updated in version 3.64.1

Release date: August 26, 2021

  • ROX-7850: We’ve updated our internal services to the following addresses:
    • sensor.stackrox changed to sensor.stackrox.svc
    • central.stackrox changed to central.stackrox.svc
    • scanner.stackrox changed to scanner.stackrox.svc
    • scanner-db.stackrox changed to scanner-db.stackrox.svc
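The ROX-7850 change above turns on a detail of proxy configuration that is easy to get wrong: a noProxy entry such as .svc matches a host only as a domain suffix, so sensor.stackrox is sent to the proxy while sensor.stackrox.svc is treated as internal. The following Python, added here as an illustration and not code from StackRox or OpenShift, implements that suffix matching, classifies the old and new endpoint names against a constructed noProxy list, and cross-checks its verdicts against CPython’s own urllib logic. The sample noProxy list is constructed for the example (assumption: it resembles, but is not, your cluster’s list), and the matching rules are the common client behaviour (exact host or domain suffix, leading dot optional); CIDR entries are not expanded.

```python
"""Added example: check which StackRox internal service endpoints a cluster
proxy's noProxy list treats as internal versus routes through the proxy."""
import urllib.request

# Constructed sample noProxy list, modelled on the shape of a cluster-wide
# proxy configuration (assumption: your cluster's list will differ).
SAMPLE_NO_PROXY = ".cluster.local,.svc,localhost,127.0.0.1,169.254.169.254,10.128.0.0/14"

# Endpoint names before and after the ROX-7850 change (from the release notes).
OLD_ENDPOINTS = ["sensor.stackrox", "central.stackrox", "scanner.stackrox", "scanner-db.stackrox"]
NEW_ENDPOINTS = [host + ".svc" for host in OLD_ENDPOINTS]


def _host_only(target):
    """Lower-case the target and drop a trailing :port (IPv4/hostnames only)."""
    host = target.lower()
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host


def bypasses_proxy(target, no_proxy):
    """True if target matches an entry of no_proxy.

    Matching rules (assumption: common Go/curl-style client behaviour):
      - '*' matches everything
      - an entry matches the host exactly
      - an entry, with any leading dot removed, matches as a domain suffix
    CIDR entries are left as-is and therefore only ever match literally.
    """
    host = _host_only(target)
    for raw in no_proxy.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry == "*":
            return True
        entry = entry.lstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def classify(endpoints, no_proxy):
    """Map each endpoint to 'internal' (noProxy match) or 'via-proxy'."""
    return {h: ("internal" if bypasses_proxy(h, no_proxy) else "via-proxy") for h in endpoints}


def agrees_with_urllib(target, no_proxy):
    """Cross-check our verdict against CPython's noProxy handling in urllib."""
    reference = urllib.request.proxy_bypass_environment(target, {"no": no_proxy})
    return bypasses_proxy(target, no_proxy) == reference


if __name__ == "__main__":
    for label, endpoints in (("before", OLD_ENDPOINTS), ("after", NEW_ENDPOINTS)):
        print(label)
        for host, verdict in classify(endpoints, SAMPLE_NO_PROXY).items():
            print(f"  {host:<28} {verdict}")
```

With the sample list, every pre-3.64.1 name is reported as via-proxy and every .svc name as internal, which is exactly the failure mode and the fix described for ROX-7850. Point SAMPLE_NO_PROXY at the noProxy value from your own proxy configuration to confirm the same holds in your cluster.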

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.64.1
Scanner | Scans images and nodes. | stackrox.io/scanner:2.18.3
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.18.3
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.2.2-latest

The StackRox Kubernetes Security Platform version 3.63.0 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases.

To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: July 21, 2021

Announcement

Release tag version change: beginning with this release, the release tag format has changed from 3.0.63.0 to 3.63.0.

New Features

  • ROX-6839: StackRox Kubernetes Security Platform now comes with an OpenShift Operator and is listed on OperatorHub as Advanced Cluster Security for Kubernetes.
  • ROX-6331: StackRox Kubernetes Security Platform now supports scoped access control. This allows administrators to limit user access to security insights to specific clusters and namespaces. For more details, see Manage role-based access control in Red Hat Advanced Cluster Security for Kubernetes version 3.63.0.
  • ROX-6605: StackRox Kubernetes Security Platform now supports creating network policies based on a network traffic baseline.
  • ROX-7137: StackRox Kubernetes Security Platform now supports alerting on detections of OpenShift API server access to secrets and configmaps.

Important system changes

  • ROX-7137: Default policies that monitor access to the kubeadmin secret and the Central Admin secret, and impersonated access to secrets, have been added to StackRox Kubernetes Security Platform.
  • ROX-7398: The default policy alerting on images with vulnerabilities with a CVSS score of 7 or higher has been replaced with a policy that looks for important or critical severity issues. This policy is enabled by default. This change only affects new installations of StackRox Kubernetes Security Platform.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.63.0
Scanner | Scans images and nodes. | stackrox.io/scanner:2.17.4
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.17.4
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.30-latest

The StackRox Kubernetes Security Platform version 3.0.62.0 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases.

To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: June 30, 2021

New Features

  • ROX-7182: StackRox Kubernetes Security Platform now supports OpenShift configuration compliance standards through an integration with the OpenShift Compliance Operator. This allows users to measure and report on configuration security best practices for OpenShift.
  • ROX-7159: StackRox Kubernetes Security Platform now supports vulnerability feeds for the alpine edge and 3.14 development branches.

Important bug fixes

  • ROX-7420: Previously, notifications weren’t triggered when the admission controller blocked a deployment from being created because of a policy violation. We’ve addressed this issue.

Resolved in version 3.0.62.1

Release date: August 11, 2021

  • ROX-7802: We’ve addressed RHSA-2021:2717, a fixable issue of important severity, in the RHEL-based images.

Important system changes

  • ROX-7349: The StackRox Kubernetes Security Platform cryptominer policy now supports the miner ‘xmrig’ by default. This is to address active cryptomining campaigns in the wild.
  • ROX-7159: StackRox Kubernetes Security Platform no longer marks alpine 3.2-3.7 as stale because these versions are still receiving updates.
  • ROX-7268: We’ve improved logging for errors where no registry integration exists.
  • ROX-7462 and ROX-7380: We’ve improved network graph lookup performance and Collector performance, and we continue to work on performance at scale.

Announcement

Release tag version change: starting with the next release, our release tagging convention changes. Tags will follow the structure ‘major-release’.‘minor-release’.‘patch-release’. Because of this change, 3.0.63.0 becomes 3.63.0.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.62.1
Scanner | Scans images and nodes. | stackrox.io/scanner:2.17.5
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.17.5
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.32-latest

The StackRox Kubernetes Security Platform version 3.0.61.0 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases.

To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: June 10, 2021

New Features

  • ROX-6639: We’ve added new policy criteria for the vulnerability severity score of an image’s contents. It provides a more accurate reflection of risk than a CVSS score.

Important bug fixes

  • ROX-6991 and ROX-7058: Previously, CSV exports of security risks were inconsistent with the RHACS user interface. We’ve fixed this issue.
  • ROX-7004: Previously, CVE-2016-4074 was reported as a false positive when images contained the component jq 1.6-r0 or jq 1.6-r1. We’ve fixed this issue.
  • ROX-7270: Previously, under certain conditions, searched images would not correctly index and display. We’ve fixed this issue.
  • ROX-7276: Previously, improper handling of very short-lived tokens caused the GitLab OIDC authentication provider to prematurely log users out. We’ve addressed this issue.

Resolved in version 3.0.61.1

Release date: June 21, 2021

  • ROX-7387: Previously, in deployments using non-standard namespaces, the admission controller failed to enforce or monitor deploy-time policies because it failed open on a certificate error. We’ve fixed this issue.

Important system changes

  • ROX-6639: We’ve added a new default policy to flag fixable high or important severity vulnerabilities in images.
  • ROX-7133: The StackRox Kubernetes Security Platform now calculates image risk using a score assigned to the severity rating of a vulnerability rather than the CVSS score. This provides a more accurate reflection of an image’s risk.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.61.1
Scanner | Scans images and nodes. | stackrox.io/scanner:2.15.2
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.15.2
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.25-latest

The StackRox Kubernetes Security Platform version 3.0.60 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: May 19, 2021

New Features

  • ROX-7189: StackRox Kubernetes Security Platform has achieved the Red Hat Certified Vulnerability Scanner designation. To become certified, we’ve updated Red Hat severity classifications and improved our base image scanning on RHEL images.
  • ROX-7189: StackRox Kubernetes Security Platform Scanner now officially supports Ubuntu 21.04 images.

Important bug fixes

  • ROX-6979: Previously, the automatically generated image registry integration for registry.redhat.io resulted in integration errors. We’ve fixed this issue.
  • ROX-7004: Previously, environments with more than 50 clusters didn’t show the entire cluster list. We’ve fixed this issue.
  • ROX-7155: Previously, under certain conditions inactive images would continue to be reported on after their deletion schedule. We’ve fixed this issue.

Resolved in version 3.0.60.1

Release date: May 26, 2021

  • ROX-7253: Previously, in version 3.0.60.0, Scanner would fail to update vulnerability definitions while still incorrectly reporting as healthy. We’ve addressed this issue.

Important system changes

  • ROX-7059: We’ve updated our user interface to show resource summary counts again; they had been removed in 3.0.58.0.
  • ROX-6632: We’ve updated scanner to report vulnerabilities in alignment with the RHEL scanning certification in preparation for formal certification.
  • ROX-7069: We’ve updated our network policy simulator to not generate policies for orchestrator components when they’re hidden.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.60.1
Scanner | Scans images and nodes. | stackrox.io/scanner:2.14.1
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.14.1
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.22-latest

The StackRox Kubernetes Security Platform version 3.0.59 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: April 28, 2021

Important bug fixes

  • ROX-6696: We’ve updated our AWS Security Hub integration to respect Amazon’s rate limits on payload size to prevent errors.
  • ROX-5299, ROX-6496, ROX-6856, ROX-6718, and ROX-6472: We’ve updated the Sensor to fix multiple data race conditions that resulted in errors.

Resolved in version 3.0.59.1

Release date: May 4, 2021

  • ROX-7053: Previously, re-using a cluster name might cause autogenerated registry integrations to get duplicated. We’ve fixed this issue.

Resolved in version 3.0.59.2

Release date: May 13, 2021

  • ROX-7154: Previously, when using standalone pods with attached services, customers would sometimes experience unstable deployments and crash loops. We’ve fixed this issue.

Important system changes

  • ROX-7016: We’ve rebranded our service as Red Hat Advanced Cluster Security.
  • ROX-6909: We’ve disabled the Curl in image and Wget in image policies to reduce default violations.

API

You can now use the GetUpgradeStatus endpoint, /v1/centralhealth/upgradestatus, which provides rollback-related information for Central.

roxctl CLI

We’ve changed the default value for the --json-fail-on-policy-violations option for the roxctl image check command to true.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.59.0
Scanner | Scans images. | stackrox.io/scanner:2.13.0
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.13.0
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.22-latest

The StackRox Kubernetes Security Platform version 3.0.58 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: April 08, 2021

Important bug fixes

  • ROX-5397, ROX-6458, and ROX-6619: We’ve fixed a minor issue in the Iptables Executed in Privileged Container security policy, updated the remediation instructions in the Curl in Image security policy, and updated the Kubernetes Dashboard Deployed policy criteria.

  • ROX-6497: Previously, you couldn’t use an OIDC identity provider with the Authorization Code Grant authentication flow and a client secret. The connection would fail with the error message implicit grant not allowed for this client. We’ve fixed this issue.

  • ROX-6626: Previously, if you were using the StackRox Kubernetes Security Platform on OpenShift, the Network Graph view would show too many connections and didn’t show Network baselines. We’ve fixed this issue.

  • ROX-6792: We’ve fixed an issue with the inactive deployment filter in the Violations view.

  • ROX-6820: Previously, the StackRox Kubernetes Security Platform wouldn’t report CVEs in Distroless images under certain conditions. We’ve fixed this issue.

  • ROX-6887: Previously, the admission controller enforcement wouldn’t work for deploy-time policies if you were using enforceOnUpdates. We’ve fixed this issue.

Resolved in version 3.0.58.1

Release date: Apr 20, 2021

  • ROX-6959: Previously, the OpenShift Cluster Version Operator wasn’t correctly identified as an orchestrator component. We’ve fixed this issue.

Security updates

We’ve updated the Collector image to resolve the following fixable CVEs:

We’ve updated all RHEL-based images to resolve the following fixable RHSAs:

Important system changes

  • License file functionality has been removed from the StackRox Kubernetes Security Platform. Customers are licensed according to the current agreement in effect for the products purchased including, but not limited to, quantities and license term. Entitlements continue to be enforced by image pull secret. Refer to the licensing restrictions page for more information.
  • You can now enforce scheduling for the scanner and scanner-db deployments on specific nodes.
  • We’ve added a Fixed by column to the Vulnerability Management > All Entities > Components view. It lists the component version that fixes all vulnerabilities for a component. The Fixed by column only works if you’re using StackRox Scanner.
  • You can now roll back to a previous version of Central if an upgrade fails to install.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.58.1
Scanner | Scans images. | stackrox.io/scanner:2.12.2
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.12.2
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.20-latest

The StackRox Kubernetes Security Platform version 3.0.57 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: March 18, 2021

New features

Scan inactive images

The StackRox Kubernetes Security Platform scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions. You can now add inactive (undeployed) images for automatic scanning. For more details, see Scan inactive images.

Important bug fixes

  • ROX-6085: Previously, setting the Central log level by using the roxctl CLI’s debug log command sometimes didn’t work. You could also set unacceptable values for the log level (for example, Trace), which had no effect on the log level. We’ve fixed these issues.
  • ROX-6302: We’ve fixed an issue with the Violations view where loading too many violations would sometimes crash the StackRox portal page.
  • ROX-6627: Previously, on OpenShift, when creating new builds, the OpenShift web console would show the error message admission webhook “policyeval.stackrox.io” does not support dry run. We’ve fixed this issue by adding dry run support to the admission controller webhook.
  • ROX-6640: We’ve fixed an issue where the StackRox portal wouldn’t display the full description for RHSA CVEs in the CVE details view.
  • ROX-6723: Previously, if you were using the default CA certificate for Central, and you’ve configured an additional CA certificate for a Sensor, the StackRox Kubernetes Security Platform would overwrite Sensor’s additional certificate. We’ve fixed this issue.
  • ROX-6736: Previously, sometimes the StackRox portal didn’t show allowed connections between Sensor and non-isolated deployments in the Network Graph view. We’ve fixed this issue.

Resolved in version 3.0.57.1

Release date: Mar 24, 2021

  • ROX-6832: Previously, if you were using the RHEL base image, upgrading the StackRox Kubernetes Security Platform to version 3.0.57.0 would fail. We’ve fixed this issue.

Resolved in version 3.0.57.2

Release date: Mar 25, 2021

  • ROX-6834: Previously, in the StackRox Kubernetes Security Platform version 3.0.57.0, you couldn’t install a Sensor using the StackRox portal because downloading the Sensor bundle would fail. We’ve fixed this issue.
  • ROX-6805: Previously, if you were using the StackRox Kubernetes Security Platform on OpenShift, the security context constraint conflicted with the Authentication Operator. We’ve updated the StackRox Kubernetes Security Platform’s security context constraint to fix this issue. To upgrade to the StackRox Kubernetes Security Platform version 3.0.57.2, you must also update the security context constraint. See Update OpenShift Security Context Constraints for details.

Important system changes

  • You can now declare custom SourceTypes for alert and audit events if you are integrating with Splunk.
  • The published time for CVEs in RHEL and CentOS images is now correctly shown.
  • You can now use cluster init bundles for clusters you’ve deployed with helmManaged set to false. Previously, helmManaged=false only worked with certificates that were specific to an existing cluster.

roxctl CLI

The roxctl central generate openshift and roxctl sensor generate openshift commands now accept an --openshift-version option. You can set it to:

  • 3 if you are deploying on OpenShift Container Platform version 3.x, or
  • 4 if you are deploying on OpenShift Container Platform version 4.x.

When you don’t specify this option, the StackRox Kubernetes Security Platform generates deployment bundles in a compatibility mode that works on OpenShift Container Platform version 3.11 and version 4.x. However, if you are using OpenShift Container Platform version 4.x, we recommend that you set this option to 4 to take advantage of additional features that aren’t available for earlier OpenShift versions.

Security updates

We’ve updated the Collector image to resolve the following fixable CVEs:

The Collector image version 3.1.16-latest includes this update.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.57.1
Scanner | Scans images. | stackrox.io/scanner:2.11.2
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.11.2
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.16-latest

The StackRox Kubernetes Security Platform version 3.0.56 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: February 24, 2021

New features

Host scanning

You can now identify vulnerabilities in core Kubernetes components and the container runtimes (Docker, CRI-O, runC, and containerd) you are using on your nodes. See Identify vulnerabilities in nodes for more information.

Network baseline updates

The StackRox Kubernetes Security Platform discovers your deployments’ network flows and creates a baseline based on the regular network activity in your clusters. You can now configure alerts and block network activity for connections that don’t exist in the baseline. For more information, see Use Network baselining.

Important bug fixes

  • ROX-3893: Previously, if you used the --json option with the roxctl image check command, it would always exit with code 0. We’ve fixed this issue.
  • ROX-6085: We’ve fixed some issues with the roxctl CLI’s logging and debugging commands.
  • ROX-6282: We’ve fixed the incorrect API description for CountDeployments and added missing descriptions for the GetSecret, CountSecrets, and ListSecrets endpoints.
  • ROX-6303: Previously, the Deployment With Most Severe Violations widget in the Vulnerability Management view didn’t change based on the selected namespace. We’ve fixed this issue.
  • ROX-6388: Previously, the sensor.sh script would fail with errors when installing Sensor on OpenShift version 4.6 by using that script. We’ve fixed this issue.
  • ROX-6504: Previously, the StackRox portal would forcefully log out users when they selected Platform Configuration > Access Control, and they didn’t have appropriate permissions. We’ve fixed this issue.
  • ROX-6522: We’ve fixed an issue in the StackRox portal, where the component’s location wouldn’t display if you were viewing details for a specific image.
  • ROX-6540: Previously, when configuring a SAML identity provider, the IdP Metadata URL option didn’t work for Keycloak. We’ve fixed this issue.
  • ROX-6608: We’ve fixed incorrect authorization permissions for the GetNetworkGraphConfig and PutNetworkGraphConfig APIs.

Resolved in version 3.0.56.1

Release date: Mar 8, 2021

  • ROX-6629: We’ve fixed an issue in the StackRox portal, where the Compliance view would sometimes display an error message.
  • ROX-6708: Previously, the Scanner would fail to scan images with OCI (Open Container Initiative) manifests. We’ve fixed this issue.
  • ROX-6699: Previously, modifying the Docker CIS 5.15: Ensure that the host’s process namespace is not shared policy would result in an error. We’ve fixed this issue.
  • ROX-6716: Previously, if you had used Helm to install a Sensor, you couldn’t enable automatic upgrades for that secured cluster. You can now use the SENSOR_HELM_NOT_HELM_MANAGED=true environment variable to enable automatic upgrades for Helm-managed secured clusters.

Known Issues

  • CVE-2020-28928 discovered in alpine:3.13 is a false positive. This is actively being addressed.

Important system changes

  • Splunk alert events sent to HEC no longer include policy description, remediation, and rationale to allow for more violations within the HEC limit.
  • We’ve added Namespace and Node to the minimal access specification for creating a new Role.
  • We’ve added Admission Control health status to the health dashboard. Navigate to Platform Configuration > System Health to view.

Violation policies

  • We’ve updated the Improper Usage of Orchestrator Secrets Volume policy to match the Dockerfile line syntax accurately.
  • We’ve updated the Network Management Execution policy to match network management utilities correctly.
  • We’ve added new default policies for the following CIS Docker controls:
    • 4.1
    • 4.4
    • 4.7
    • 5.1
    • 5.7
    • 5.9
    • 5.15
    • 5.16
    • 5.19
    • 5.20
    • 5.21

StackRox portal

The page title you see in your browser (and in your browser history) now displays the title of the page you are viewing.

SAML authentication

  • If you are using the Dynamic configuration option, you can now specify the https+insecure:// scheme for IdP Metadata URL. When you use this option, the StackRox Kubernetes Security Platform skips TLS validation when fetching the metadata. This configuration is insecure, and we don’t recommend it.
  • If you are using the Static configuration option, you can now specify multiple PEM-encoded certificates for the IdP Certificate(s) (PEM) option.

roxctl CLI

  • You can now use the new --categories option with the roxctl image check command and specify a comma-separated list of categories to only run policies that match the specified categories.
  • You can now use the new --json-fail-on-policy-violations option with the roxctl image check command. When you set this option to true, and there are policy violations, the command exits with a non-zero exit code. The default value for this option is false.
  • We plan to deprecate the --json option for the roxctl image check command in the StackRox Kubernetes Security Platform version 3.0.59; use the --json-fail-on-policy-violations option instead.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.56.0
Scanner | Scans images. | stackrox.io/scanner:2.11.1
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.11.1
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.14-latest

Documentation changes

Change | Page | Description
New topic | Use network baselining | Identify and address abnormal network activity.
New section | View network policies | Added a new Network baseline section.
New section | Manage vulnerabilities | Added a new Identify vulnerabilities in nodes section.
New section | Deploy-time policies | Added a new section Block deployment for images that aren’t scanned.
New topic | Integrate with email | Integrate StackRox with your email provider.
Update | Backup and restore | Added instructions to take backups by using the administrator password.
Update | Helm chart configuration | Added Secured Cluster Services Helm chart configuration options.
Update | Quick Start (Helm) | Updated the Install a Sensor section to include instructions for installing Sensor using a cluster init bundle.

The StackRox Kubernetes Security Platform version 3.0.55 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: February 3, 2021

New features

Kubernetes API Server abuse protection

You can now configure policies in the StackRox Kubernetes Security Platform to detect Kubernetes events that may indicate unauthorized access to a pod through the API server. Specifically, you can configure policies to audit or block portforward and exec events into pods within your environment.

Kernel modules for SUSE Linux

You can now collect runtime activity on SUSE Linux Enterprise Server by using a kernel module. Currently, we support:

  • SUSE Linux Enterprise Server 15 (LTSS)
    • 15 SP1
    • 15 SP2
  • SUSE Linux Enterprise Server 12 (LTSS)
    • 12 SP3 (LTSS)
    • 12 SP4 (LTSS)
    • 12 SP5

Helm charts installation experience

We’ve added a new, more configurable Secured Cluster Services Helm chart that you can use to install and upgrade Sensor, Collector, and Admission controller. For more information, see the Quick Start (Helm) and Helm charts configuration topics.

Important bug fixes

  • ROX-6142: Previously, the health dashboard wouldn’t display the Collector health status if you’ve deployed the Collector in a namespace other than the stackrox namespace. We’ve fixed this issue.
  • ROX-6200: We’ve fixed an issue where sometimes a JSON parsing error crashed a few Collector pods.
  • ROX-6217: Previously, if you deleted a Collector DaemonSet, the health dashboard would still report the Collector as healthy. We’ve fixed this issue.
  • ROX-6249: We’ve fixed an issue where the container name was missing from the container resource violation messages.
  • ROX-6301: We’ve fixed an issue where filtering violations on the Violations view would sometimes incorrectly show the message No results found. Please refine your search.
  • ROX-6351: Previously, the StackRox Kubernetes Security Platform would not include process violation messages in the notification triggered by process-related policy violations. We’ve fixed this issue.
  • ROX-6392: Previously, in the Vulnerability Management > Images view in the StackRox portal, if you used local page filtering for namespaces, you couldn’t sort the results based on the Risk Priority. We’ve fixed this issue.

Important system changes

Admission controller

  • From version 3.0.55, the StackRox Kubernetes Security Platform deploys the Admission controller service by default in new Kubernetes clusters to support runtime policies that audit or block exec and portforward events. Currently, it only works on Kubernetes clusters.

API

  • The /v1/metadata endpoint no longer shows version information in the response message for unauthenticated requests.
  • We’ve deprecated the /db/backup endpoint; use the /api/extensions/backup endpoint instead.
  • We’ve deprecated the includeCertificates request parameter from the /v1/externalbackups/* endpoint. The backups now include certificates by default.
  • We’ve deprecated the Policy.whitelists request body parameter from the /v1/policies/* endpoint; use the Policy.exclusions parameter instead.

roxctl CLI

  • You can use the new --send-notifications option with the roxctl image check command, which sends notifications (to all configured notifiers) for build time policy violations. This is useful when teams want to be notified on issues individually and aren’t breaking builds.

  • We’ve deprecated the roxctl central db backup command. Use the roxctl central backup command instead.

  • We’ve deprecated the following options from the sensor generate command:

    • --create-admission-controller, use --admission-controller-listen-on-creates instead.
    • --admission-controller-enabled, use --admission-controller-enforce-on-creates instead.
  • We’ve added --retries and --retry-delay options for the following commands:

    • roxctl image scan
    • roxctl image check
    • roxctl deployment check

    Use the --retries option to specify the number of times you want to retry running the command. For example, --retries 3.

    Use the --retry-delay option to specify the time (in seconds) to wait before re-running the command. For example, --retry-delay 2.

  • We’ve added a new --admission-controller-listen-on-events option (true by default) to the roxctl sensor generate k8s command. It controls the deployment of the admission controller webhook, which listens for Kubernetes exec and portforward events.

Policy criteria

We’ve added new policy criteria called Kubernetes Action.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.55.0
Scanner | Scans images. | stackrox.io/scanner:2.10.0
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.10.0
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.12-latest

The StackRox Kubernetes Security Platform version 3.0.54 includes bug fixes and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: January 13, 2021

Important bug fixes

  • ROX-6248: We’ve fixed an issue where automatic upgrades would sometimes fail for Sensor with a failure message immutable ClusterIP.

Important system changes

Network baseline

The StackRox Kubernetes Security Platform now discovers the network flows and creates a baseline based on the regular network activity in your clusters. It also automatically updates the baseline as your infrastructure changes. In future releases, we’ll add the ability to configure alerts and block network activity for connections that don’t exist in the baseline. For more information, see Network baseline.

Backup

Beginning from the StackRox Kubernetes Security Platform version 3.0.54, the automatic and on-demand backups include Central certificates.

API

  • ProcessWhitelistService (/v1/processwhitelists/*): We’ve deprecated all processwhitelists/* endpoints; use /v1/processbaselines/* instead.
  • ResolveAlert (/v1/alerts/{id}/resolve): We’ve deprecated the whitelist request body parameter; use the add_to_baseline request body parameter instead.
  • ListDeploymentsWithProcessInfo (/v1/deploymentswithprocessinfo): We’ve deprecated the deployments.whitelist_statuses response body parameter; the API now returns deployments.baseline_statuses instead.

Environment variable

We’ve deprecated the ROX_WHITELIST_GENERATION_DURATION environment variable; use ROX_BASELINE_GENERATION_DURATION instead.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.54.0
Scanner | Scans images. | stackrox.io/scanner:2.9.0
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.9.0
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.10-latest

The StackRox Kubernetes Security Platform version 3.0.53 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: December 16, 2020

New features

Health dashboard

We’ve added a new Health dashboard that provides status information on the services that are part of the StackRox Kubernetes Security Platform. To learn how to access and view the StackRox Kubernetes Security Platform health dashboard, see the Use the health dashboard topic.

Configure diagnostic data

When generating a diagnostic bundle, you can now configure the clusters for which you want to generate the diagnostic data and specify the time and date to include the data.

Important bug fixes

  • ROX-5405: We fixed a memory leak in Collector that sometimes caused high memory consumption and the Collector pod to restart.
  • ROX-5506: Previously, if you were using Azure Active Directory as an authentication provider, the logged-in user’s email address wasn’t visible in the StackRox portal. We’ve fixed this issue.
  • ROX-5952: We’ve fixed an issue with Helm installation for the StackRox Kubernetes Security Platform on Helm version 3.1.2.
  • ROX-5961: We’ve fixed an issue where the roxctl central generate command would result in an incorrect image name when you specified the image name along with a port number.
  • ROX-5990: Previously, when scanning images, if the StackRox Kubernetes Security Platform found a language vulnerability in an image layer, which was fixed in another image layer, the StackRox Kubernetes Security Platform would still report that as a vulnerability. We’ve fixed this issue.
  • ROX-6094: Previously, if you were using the StackRox Kubernetes Security Platform version 3.0.52.1 and an OIDC authentication provider that used the fragment response type, the StackRox Kubernetes Security Platform would force log out the users after 5 minutes. We’ve fixed this issue.
  • ROX-6113: We’ve fixed an issue where adding a SAML authentication provider from the Platform Configuration > Access Control view would sometimes crash the StackRox portal page.
  • ROX-6117: Previously, sometimes the StackRox portal didn’t show network policies that apply to the selected deployment in the Network Graph view. We’ve fixed this issue.
  • ROX-6141: Previously, if you were using the StackRox Kubernetes Security Platform version 3.0.52 without NetworkPolicy enforcement, Scanner didn’t validate Central client certificates when running new scans or getting previous scan results. We’ve fixed this issue.

Important system changes

Helm charts

  • We’ve updated the Helm charts templates for the StackRox Kubernetes Security Platform to include support for additional ports (443, 80).
  • We’ve updated the minimum required version of Helm for installing the StackRox Kubernetes Security Platform to 3.2.
  • We’ve updated the Central chart name to stackrox-central-services and the short name to central-services in the charts.stackrox.io repository.

StackRox portal

We’ve added a Discovered in Image column in the Fixable CVE section, which shows up when you view an image’s details. This column lists the time and date the CVE was first discovered in the image.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.53.0
Scanner | Scans images. | stackrox.io/scanner:2.8.1
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.8.1
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.9-latest

Documentation changes

Change | Page | Description
New topic | Use the health dashboard | Learn how to access and view the StackRox Kubernetes Security Platform health dashboard.
Update | Generate a diagnostic bundle | Added instructions for generating a diagnostic bundle for the StackRox Kubernetes Security Platform version 3.0.53 and newer.

The StackRox Kubernetes Security Platform version 3.0.52 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: November 18, 2020

New features

Integrate by using the syslog protocol

You can now send alert notifications and audit events from the StackRox Kubernetes Security Platform to a SIEM or a syslog collector. To get started, see Integrate using Syslog protocol.

Support for Kubernetes 1.19

The StackRox Kubernetes Security Platform version 3.0.52 supports the latest Kubernetes version 1.19. See the supported platforms topic to learn more about the operating systems, container platforms, and managed Kubernetes services that we support.

Added in version 3.0.52.1

Release date: Dec 7, 2020

External endpoint support for network graph

The StackRox Kubernetes Security Platform version 3.0.52.1 adds support for external network endpoints in the network graph. See the network graph topic to learn more about viewing and configuring external endpoints in the network graph.

Important bug fixes

  • ROX-5597: Previously, if you were monitoring Google’s Container-Optimized OS with Collector by using eBPF probes, sometimes the OS reported high CPU usage. We’ve optimized the Collector image to reduce CPU usage.
  • ROX-5758: Previously, Scanner didn’t mark some ASP.Net Core CVEs as fixable (only for patch releases) because the corresponding NVD database didn’t report fixes for those CVEs. We’ve updated Scanner, and it now reports fixable ASP.Net Core CVEs.

Resolved in version 3.0.52.1

Release date: Dec 7, 2020

  • ROX-5984: We’ve fixed an issue where unconfigurable options were visible when configuring the syslog integration.
  • ROX-5988: We’ve fixed an issue where viewing image components caused UI errors under certain conditions.
  • ROX-6070: Previously, when integrating with some OpenID Connect (OIDC) Identity Providers, the Test Login option would report connection errors. We’ve fixed this issue.

Important system changes

StackRox portal

We’ve removed the redundant option to filter risks by priority from the Risk view.

Scanner

Scanner now identifies vulnerabilities in the latest Ubuntu version 20.10 images, and distroless Docker images.

Policy criteria

We’ve added a new policy criterion called Container Name that evaluates a policy against the provided container name.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.52.1
Scanner | Scans images. | stackrox.io/scanner:2.7.1
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.7.1
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.8-latest

Documentation changes

Change | Page | Description
New topic | StackRox architecture | Discover the StackRox Kubernetes Security Platform architecture and concepts.
New section | Examine images | Added a new Supported operating systems section.
New section | Supported platforms | Added a new StackRox Kubernetes Security Platform support section and clarified the Kubernetes versions we support.

The StackRox Kubernetes Security Platform version 3.0.51 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: October 28, 2020

New features

Google Artifact Registry integration

The StackRox Kubernetes Security Platform integrates with virtually any image registry. In this version, we’ve added native integrations for improved compatibility with Google Artifact Registry.

StackRox add-on for Splunk

We’ve released a new technology add-on for Splunk that normalizes and pulls vulnerability and compliance-related data into Splunk. You can use it along with your existing Splunk integration. For more details, see Integrate with Splunk.

Important bug fixes

  • ROX-4405: Previously, there was an error in the CIS Kubernetes Compliance check for directory permissions. We’ve fixed this issue.
  • ROX-5369: Previously, if you exported the ROX_API_TOKEN system variable from a secret in Kubernetes that contained a trailing newline character, the roxctl CLI commands that require the token would fail. We’ve fixed this issue.
  • ROX-5377: We’ve fixed an incorrect description for the roxctl deployment check command when you run the roxctl help command.
  • ROX-5599 and ROX-5600: Previously, if you’ve installed the StackRox Kubernetes Security Platform on Google Kubernetes Engine (GKE), the admission controller would sometimes fail if there were connectivity issues with Sensor. This issue happened if you’ve installed the Sensor on preemptible VMs. To fix this issue, we’ve changed Central and Sensor’s Node Affinities to discourage installation on preemptible VMs and made updates to the admission controller. If the Sensor is unavailable, instead of failing, the admission controller communicates with Central.
  • ROX-5628: Previously, the automatic upgrades would sometimes fail for Collector for tainted nodes. We’ve fixed this issue by enabling taint tolerations.
  • ROX-5680: Previously, if you were using custom certificates and used the sensor.sh script to deploy a new Sensor, the script wouldn’t apply custom certificates from the sensor/additional-cas/ folder. We’ve resolved this issue.
  • ROX-5736: Previously, there was an error in the CIS Kubernetes Compliance check for PKI key file permissions. We’ve fixed this issue.
  • ROX-5751: Previously, in the Vulnerability Management > Images view, the StackRox portal didn’t reset the displayed page count next to the page filtering bar. We’ve fixed this issue.
  • ROX-5771: Previously, image summary data didn’t correctly load when using Safari. We’ve fixed this issue.
  • ROX-5769: Previously, when creating custom policies, the StackRox portal would incorrectly parse values containing the equal sign (=) as a key-value pair and truncate everything before the equal sign. We’ve fixed this issue.
  • ROX-5785: Previously, Sensor marked completed Kubernetes Jobs as deployments, which resulted in too many deployment objects, thereby affecting performance. We’ve fixed this issue by updating Sensor so that now it marks the completed Jobs as removed.

Resolved in version 3.0.51.1

Release date: Nov 4, 2020

  • ROX-5864: We’ve fixed an issue where viewing deployment details from the Risk view would sometimes crash the StackRox portal page.

Important system changes

Central

You can now use the new ROX_NETWORK_ACCESS_LOG environment variable to log all network requests to Central. When you set its value to true, Central logs include all network requests to Central from both the API and the StackRox portal. The default value for this variable is false. We recommend that you only set the ROX_NETWORK_ACCESS_LOG environment variable to true for debugging network connectivity issues and set it back to false after your investigation.

Policy criteria

We’ve added a new policy criterion called Namespace that evaluates a policy against the provided namespace.

roxctl CLI

You can now use the --force-http1 option with most roxctl commands. When you use this option, roxctl avoids using the HTTP/2 network protocol. Only use this option if you have connectivity issues that you suspect are because of ingress or proxy.

Process timeline

We’ve reordered the columns in the process timeline CSV. They’re now sorted by timestamp. If you are using the process timeline CSV for automation, modify your automated processes accordingly.

API

We’ve added the following new endpoints:

Verb | Endpoint | Description
GET | /api/splunk/ta/vulnmgmt | Returns Vulnerability Management data as a JSON array.
GET | /api/splunk/ta/compliance | Returns Compliance data as a JSON array.

Security updates in version 3.0.51.1

Release date: Nov 4, 2020

We’ve updated the Collector image to resolve the following fixable CVEs:

The Collector image version 3.1.4-latest includes this update.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.51.1
Scanner | Scans images. | stackrox.io/scanner:2.6.0
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.6.0
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.4-latest

Documentation changes

Change | Page | Description
New section | Integrate with Splunk | Added instructions to integrate with the StackRox add-on for Splunk.
Update | Integrate with image registries | Added instructions for integrating with Google Artifact Registry.
Update | Integrate with CI systems | Added instructions for integrating with CircleCI.
Update | Integrate with Amazon S3 | Included a note about adding the AWS root CA for air-gapped environments.
Update | Supported platforms | Added a note about unsupported Collector on GKE if you’ve enabled secure boot.

The StackRox Kubernetes Security Platform version 3.0.50 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: October 7, 2020

New features

Helm charts installation experience

We’ve added a new, more configurable Helm chart that you can use to install and upgrade the StackRox Kubernetes Security Platform. For more information, see Quick Start (Helm) and Helm charts configuration.

.NET Core vulnerability scanning

The StackRox Kubernetes Security Platform now identifies vulnerabilities in images with .NET Core and ASP.NET Core developer platform. If you have existing images that are using the .NET Core runtime, you’ll now get alerts for vulnerabilities when you upgrade to the StackRox Kubernetes Security Platform version 3.0.50.

Important bug fixes

  • ROX-3467: Previously, when viewing clusters in the Network Graph view, active network connections didn’t display when you switched clusters until you refreshed the page. We’ve fixed this issue.
  • ROX-5551 and ROX-5593: Previously, the Navigate to deployment option in the Network Graph view and the View deployment in Network Graph option in the Risk view didn’t work. We’ve fixed this issue.
  • ROX-5579: We’ve fixed an issue where the Sensor Upgrade column in the Platform Configuration > Clusters view incorrectly displayed Incomplete status even when the Sensor version was up-to-date.

Resolved in version 3.0.50.1

Release date: Oct 21, 2020

  • ROX-5785: We’ve fixed an issue in Sensor where it was treating completed jobs as deployment objects in a monitored cluster.
  • ROX-5777: We’ve fixed an issue where the embedded documentation for the StackRox Kubernetes Security Platform didn’t completely render when accessing it in version 3.50.0.

Important system changes

Central

We’ve increased the default resource limit to 4 CPU cores for new Central deployments. Also see Sizing guidelines for recommended compute resources and storage values.

Policy criteria

We’ve added a new policy criterion called Service Account that evaluates a policy against a deployment’s service account name.

Scanner

  • The ROX_CONTINUE_UNKNOWN_OS feature flag is now enabled by default in Scanner. It means that the scans won’t fail if Scanner can’t determine the image OS and the image has other feature components. For example, scans won’t fail for the fedora:32 image.
  • Scanner now uses Red Hat CVSS scores (instead of NVD) for rhel and centos based images.
  • Scanner now identifies .NET Core runtime CVEs (based on data from NVD). If you have existing images that are using the .NET Core runtime, you’ll now get alerts.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.50.1
Scanner | Scans images. | stackrox.io/scanner:2.5.0
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.5.0
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.3-latest

Documentation changes

Change | Page | Description
Update | View network policies | Added details about viewing information in the Network Graph view.
Update | Resource requirements | Added resource sizing guidelines for Central.
Update | Examine images | Clarified information about the ROX_LANGUAGE_VULNS environment variable.
Update | Quick Start (Helm) | Added instructions for installing the StackRox Kubernetes Security Platform version 3.0.50.
New topic | Helm chart configuration | Learn about the Helm chart configuration parameters you can use when you install or upgrade the StackRox Kubernetes Security Platform by using Helm.

The StackRox Kubernetes Security Platform version 3.0.49 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: September 16, 2020

New features

Integrate with AWS Security Hub

You can now send alert notifications from the StackRox Kubernetes Security Platform to AWS Security Hub. To get started, see Integrate with AWS Security Hub.

Admission controller support for OpenShift

The StackRox Kubernetes Security Platform now supports OpenShift Admission plug-ins. The StackRox admission controller prevents users from creating workloads that violate policies you configure in the StackRox Kubernetes Security Platform. See Enable admission controller enforcement for details.

Cluster details panel improvements

We’ve streamlined the Cluster details panel in the Platform Configuration > Clusters view. It now includes a new Cluster Summary section for all existing clusters and provides constant visibility into the state of your Cluster, Sensor, and Collector.

Important bug fixes

  • ROX-2780: Previously, when viewing namespaces in the Network Graph view, some deployments only showed up when you hovered your mouse over other deployments. We’ve fixed this issue.
  • ROX-5470: Previously, the Network Graph view showed the message No ports & protocols available for ingress and egress non-isolated deployment nodes. Since these nodes allow any protocol on any port, we’ve updated the message in the StackRox portal to show Any protocol and Any port for such nodes.
  • ROX-5471: Previously, in the Network Graph view, the StackRox portal sometimes didn’t display active connections when viewing all connections. We’ve resolved this issue.
  • ROX-5520: We’ve fixed an issue where the StackRox Kubernetes Security Platform would send duplicate violation notifications to all configured notifiers (if you’ve integrated the StackRox Kubernetes Security Platform with other tools).

Resolved in version 3.0.49.1

Release date: Sep 18, 2020

  • ROX-5634: We’ve fixed an issue where the automatic upgrades to Sensor fail under certain conditions. We’ve fixed this in version 3.0.49.1.

Resolved in version 3.0.49.2

Release date: Sep 25, 2020

  • ROX-5662: We’ve fixed an issue in the Network Graph where the cluster selector displays the incorrect cluster under certain conditions. We’ve fixed this in version 3.0.49.2.

Important system changes

  • You can now enforce policies on the DeploymentConfig resources in OpenShift.
  • When integrating with an OpenID Connect (OIDC) authentication provider, you can now configure the StackRox Kubernetes Security Platform to:

StackRox portal

  • Now when you hover over a node in the Network Graph, you’ll see the ports on which that node is listening.
  • In the Vulnerability Management > Images view, when you select an image, the Scanner details are visible under the Details & Metadata section on the image details panel.

API

  • For the /v1/images/{id} (GetImage) endpoint, we’ve changed the following fields in the response:
    • replaced the scan.components.vulns.discoveredAt field with scan.components.vulns.firstSystemOccurrence. It returns the timestamp for the first time the StackRox Kubernetes Security Platform discovered the CVE in your clusters.
    • added a new field scan.components.vulns.firstImageOccurrence. It returns the timestamp for the first time the StackRox Kubernetes Security Platform discovered the CVE in the corresponding image.
  • We’ve fixed a scrolling issue on the API documentation page where you couldn’t scroll the left-hand side panel (list of endpoints) independently of the main content (endpoints descriptions).
  • We’ve deprecated status.lastContact from the response of the v1/clusters endpoint. Use healthStatus.lastContact instead.

roxctl CLI

  • You can now generate YAML files that support Istio enabled clusters for Central, Scanner, and Sensor by using the --istio-support=<istio version> option. We support Istio version 1.0 to version 1.7. The interactive installation command roxctl central generate interactive also displays prompts to configure Istio enabled clusters.
  • We’ve changed the default value for the --create-upgrader-sa option to true for both the roxctl sensor generate and the roxctl sensor get-bundle commands.
  • We’ve removed the following deprecated options for the roxctl sensor generate command:
    • --admission-controller (use --create-admission-controller instead)
    • --image (use --main-image-repository instead)
    • --collector-image (use --collector-image-repository instead)
    • --runtime (use --collection-method instead)
    • --monitoring-endpoint

Security updates

We’ve updated dependencies in the Scanner image to resolve the following fixable CVEs:

The Scanner image version 2.4.1 includes this update.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.49.2
Scanner | Scans images. | stackrox.io/scanner:2.4.1
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.4.1
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.1-latest

Documentation changes

Change | Pages | Description
Update | Enable admission controller enforcement | Updated the content to include information about admission controller enforcement on OpenShift.
New topic | Integrate with AWS Security Hub | Integrate StackRox with AWS Security Hub.
Update | Configure an OIDC Identity Provider in StackRox | Updated the Configure StackRox section to include information about the support for skip TLS verification and query strings for the Issuer field.

The StackRox Kubernetes Security Platform version 3.0.48 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: August 26, 2020

New features

Sensor and Collector health

The Platform Configuration > Clusters view now shows more system health information for Sensor and Collector, including:

  • the status of each Sensor’s connection to Central, and
  • the number of actively running Collector pods compared with the number of desired pods and the number of nodes registered with Kubernetes.

We’ve also added a Cloud Provider column to the view, which lets you see where your clusters are deployed.

Slimmer Collector image

We’ve added a new slim version of the Collector image to save disk space and bandwidth. This version doesn’t include any built-in kernel probes, so it’s much smaller than the standard image. To use the slim image, you must either:

The StackRox Kubernetes Security Platform uses the slim image by default for new clusters if these conditions are met. To use slim images in an existing cluster, navigate to the Platform Configuration > Clusters view and turn on the Enable Slim Collector Mode toggle.

Network graph improvements

The Network Graph view now shows more information about active and allowed ports and traffic directions between deployments. To see the new data, hover over a node or edge, or select a node to open the side panel. When you generate new network policies, you can now toggle the Exclude ports & protocols option to choose whether to generate policies that only allow traffic on specific ports.

Important bug fixes

  • ROX-4314: Previously, the remediation text for the built-in Ubuntu Package Manager Execution and Ubuntu Package Manager in Image policies included a command that didn’t remove dpkg. We’ve fixed this issue by updating the command to remove both dpkg and apt.
  • ROX-4828: Previously, compliance checks reported that Kubernetes Role-Based Access Control (RBAC) was disabled if the StackRox Kubernetes Security Platform couldn’t find the Kubernetes API server process command line. We’ve fixed this issue to better support managed services and situations where Collector isn’t deployed in the control plane.
  • ROX-4979: Previously, the StackRox Kubernetes Security Platform would sometimes trigger incorrect alerts for the Process with UID 0 policy if processes changed their identity by using specific system calls. We’ve fixed this issue.
  • ROX-5394: We’ve fixed an issue where Scanner could fail to scan an image and log a database error message resource cannot be found with the description searchFeatureVersion. This error was only triggered when two Scanner replicas tried to add a feature version at the same time.
  • ROX-5402: Previously, in the Violations view, the Deployment tab didn’t show any information for Resources, Volumes, and Secrets under the Container configuration section. The portal now shows this information while the deployment is still active, and shows an informational message after the deployment is deleted.

Resolved in version 3.0.48.1

Release date: Sep 4, 2020

  • ROX-5522: In the StackRox Kubernetes Security Platform version 3.0.48.0, we changed the LANGUAGE_VULNS environment variable name to ROX_LANGUAGE_VULNS for consistency. This environment variable allows you to disable language vulnerability scanning. For backwards compatibility, we’ve added the LANGUAGE_VULNS environment variable again. You can now use either one of these variables to disable language-specific vulnerability scanning.

Important system changes

API

In the /v1/clusters API response, we’ve added a healthStatus.lastContact field showing the last time the cluster’s Sensor contacted Central.

Image scanning

When attempting to scan an image, the StackRox Kubernetes Security Platform now shows more specific error messages under any of the following conditions:

  • no registries integrated
  • no matching registry integrations found
  • no scanners integrated

Feature names

In this release, we’ve renamed features in the portal to use more inclusive terms. Specifically:

  • Process whitelists are now called Process baselines.
  • The Whitelist by Scope option for policies is now called Exclude by Scope.
  • The Image Whitelist option in policies is now called Excluded Images.

Existing API methods aren’t affected by this change.

Upcoming changes

roxctl CLI

In the StackRox Kubernetes Security Platform version 3.0.49 or later, we’ll:

  1. Change the default value for the create-upgrader-sa option to true.
  2. Remove the deprecated runtime option.
  3. Remove the deprecated monitoring-endpoint option.
  4. Remove the deprecated admission-controller option, which is replaced by create-admission-controller.
  5. Remove the deprecated image option, which is replaced by main-image-repository.
  6. Remove the deprecated collector-image option, which is replaced by collector-image-repository.

API

  • In the StackRox Kubernetes Security Platform version 49.0 we’ll remove the status.lastContact field from the response of the /v1/clusters endpoint. Use the new healthStatus.lastContact field instead.
  • In the /v1/images/{id} response, the vulns field for each component in the scan object currently includes a discoveredAt field. We’ll change this field’s name to firstSystemOccurrence starting in the StackRox Kubernetes Security Platform version 49.0. This field represents the first time the CVE was ever discovered in any image.
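The field move described above is easy to handle from monitoring code. As an added example (not StackRox code), this Python check reads a /v1/clusters response, prefers the new healthStatus.lastContact field, falls back to the deprecated status.lastContact, and flags Sensors that have gone quiet. The response layout ({"clusters": [...]} with a name per cluster and RFC 3339 timestamps), the cluster names and the 15-minute threshold are assumptions constructed for the example.

```python
"""Flag secured clusters whose Sensor has stopped contacting Central.

Added example, not StackRox code. Prefers the new healthStatus.lastContact field
and falls back to the deprecated status.lastContact so the same check works on
Centrals from before and after the field move. The response layout, cluster
names and threshold below are assumptions constructed for this example.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Sample threshold: a Sensor silent for longer than this is worth an alert.
STALE_AFTER = timedelta(minutes=15)

# Constructed /v1/clusters response (assumed layout, not captured from a real Central).
SAMPLE_RESPONSE = json.dumps({
    "clusters": [
        # New field present: healthy, contacted two minutes ago.
        {"name": "prod-east",
         "healthStatus": {"lastContact": "2020-09-04T11:58:00Z"}},
        # Older Central: only the deprecated field, and it is 40 minutes old.
        {"name": "prod-west",
         "status": {"lastContact": "2020-09-04T11:20:00Z"}},
        # Sensor never checked in at all: neither field is set.
        {"name": "staging", "healthStatus": {}},
    ]
})
SAMPLE_NOW = datetime(2020, 9, 4, 12, 0, tzinfo=timezone.utc)


def last_contact(cluster: dict) -> datetime | None:
    """Return the last-contact time, preferring healthStatus over the deprecated status."""
    for container in ("healthStatus", "status"):
        stamp = (cluster.get(container) or {}).get("lastContact")
        if stamp:
            # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
            return datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return None


def stale_sensors(response_json: str, now: datetime,
                  threshold: timedelta = STALE_AFTER) -> list[str]:
    """Names of clusters whose Sensor has never reported or is older than threshold."""
    stale = []
    for cluster in json.loads(response_json).get("clusters", []):
        seen = last_contact(cluster)
        if seen is None or now - seen > threshold:
            stale.append(cluster.get("name", "<unnamed>"))
    return stale


if __name__ == "__main__":
    for name in stale_sensors(SAMPLE_RESPONSE, SAMPLE_NOW):
        print(f"ALERT: Sensor for cluster {name} is stale or has never connected")
```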

Security policies

We’ll deprecate the Required Label: Email and Required Annotation: Email security policies in the StackRox Kubernetes Security Platform version 3.0.49. If you’re using Required Label: Email and Required Annotation: Email security policies, we recommend using the Required Label: Owner/Team and Required Annotation: Owner/Team policies instead.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.48.1
Scanner | Scans images. | stackrox.io/scanner:2.3.3
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.3.3
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.0-latest

Documentation changes

Change | Pages | Description
New section | Integrate with image registries | Added instructions for integrating with Amazon Elastic Container Registry (ECR) from a separate Amazon account.
Update | Examine images | Added information about the LANGUAGE_VULNS environment variable.
Update | Use process baselining and other pages | Renamed Process whitelists to Process baselines.
Update | Manage security policies | Renamed the policy Whitelist by Scope option to Exclude by Scope and Image Whitelist to Excluded Images.
Update | Supported platforms | Clarified supported version numbers for Debian, CentOS, and Red Hat Enterprise Linux (RHEL).
Update | Use the roxctl CLI | Clarified the permissions required for the token used to check image scan results.

The StackRox Kubernetes Security Platform version 3.0.47 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: August 5, 2020

New features

Image operating system information

Image details now include information about the base operating system on which the image is built. We’ve also added an Image OS policy criterion that you can use to create policies that restrict the use of specific base operating systems for images. For more information, see Identify operating system of the base image.

Re-issue internal certificates

Each component (Central, Scanner, Sensor, Collector, and Admission Controller) of the StackRox Kubernetes Security Platform uses an X.509 certificate to authenticate itself to other components. The StackRox Kubernetes Security Platform now shows a message with options to generate replacement certificates before they expire. See the Re-issue internal certificates topic for more information.

Network graph improvements

The Network Graph view now uses arrows to show the direction of the network traffic between the deployments. When you move your mouse over a deployment, the tooltip shows information about ingress and egress connections, protocols, and port numbers in use for that deployment.

Important bug fixes

  • ROX-3281 and ROX-4751: Previously, the StackRox Kubernetes Security Platform showed incorrect execution file paths for some processes, reporting the container image’s mount path instead of the relative path of the binary. This issue affected hosts running container runtimes built on containerd. We’ve fixed this issue.

  • ROX-5181: Previously, if you were using Scoped Access Control to limit which users could read or write compliance results for clusters, the Compliance view displayed an error after selecting Scan Environment. We’ve resolved this issue by only starting a compliance scan for the clusters you can access.

  • ROX-5233: Previously, when you scanned images by using the roxctl CLI, the scan results also included any snoozed CVEs. We’ve updated the roxctl CLI to fix this issue.

  • ROX-5179: Previously, when you generated compliance reports for a single standard, the generated file (CSV format) included reports for all compliance standards. We’ve resolved this issue.

  • ROX-5208: When you create a policy that includes an Environment variable attribute, you can choose which types of environment variables the policy should match. For example, the environment variable types can be:

    • raw values provided in the deployment YAML references, or
    • values from ConfigMaps, Secrets, fields, resource requests, or limits.

    For environment variables other than the raw value type, the StackRox Kubernetes Security Platform ignores the corresponding Value attribute of the policy rule, so the policy only detects the existence of an environment variable. This behavior wasn’t evident in the previous version. To fix this issue, the StackRox Kubernetes Security Platform now rejects policies with non-empty Value attributes for types other than raw values.

  • ROX-5261: Previously, Collector failed to insert its kernel module on Red Hat Enterprise Linux kernel versions 3.10.0-1127.13.1.el7 and 3.10.0-957.56.1.el7. We’ve updated the build configuration for Collector’s kernel module to resolve this issue.

  • ROX-5341: Previously, if a vulnerability in the National Vulnerability Database (NVD) was updated to remove an affected product, StackRox Scanner didn’t reflect the removal. StackRox Scanner now removes the entry to match the NVD changes.

Resolved in version 3.0.47.1

Release date: Aug 7, 2020

  • ROX-5381: Previously, automatic upgrades failed on clusters running Kubernetes 1.18 because the upgrader didn’t handle the newly introduced metadata.managedFields Kubernetes field. We’ve fixed this issue. After you upgrade Central to version 3.0.47.1 or higher, automatic upgrades complete successfully.

Resolved in version 3.0.47.2

Release date: Aug 12, 2020

  • ROX-5385: We’ve fixed an issue where PKI authentication would fail if the authentication provider had multiple trusted root certificates (CAs) and one of the trusted root CAs was signed by another trusted root CA’s certificate.

Important system changes

  • Previously, the StackRox Kubernetes Security Platform automatically edited Kubernetes namespace objects to add a namespace.metadata.stackrox.io/id label to support network policy generation. To avoid conflicts with Terraform, StackRox Sensor no longer adds this label, which didn’t have a predictable value. Now, Sensor only adds the namespace.metadata.stackrox.io/name label.
  • Previously, if you made custom changes to the resource requests or limits on the Sensor and Collector deployments, your changes would be overwritten during automatic upgrades. You can now add the annotation auto-upgrade.stackrox.io/preserve-resources=true to the Deployment or DaemonSet to preserve your custom requests and limits.

Jenkins plugin

We’ve updated the StackRox Container Image Scanner Jenkins plugin to version 1.2.3 which includes a fix for the following issue:

  • Unbounded memory allocation vulnerability in a dependency (Guava version 19.0).

StackRox portal

We’ve improved the performance of the Configuration Management view in larger environments. All views accessible from the Application and Infrastructure and the RBAC Visibility and Configuration menus in the view header now sort and display data more efficiently.

roxctl CLI

  • You can now save the API token in a file and use the new --token-file option for authentication. For more information, see the Authentication section in Use the CLI topic.

  • You’ll now see a warning if roxctl uses the default value for the --create-upgrader-sa option. The default value will change in a future release.

  • We’ve added a new default value for the --collection-method option.

  • The --help (or -h) option now includes additional reference information about available resources, commands, and their flags.

  • We’ve updated the available options for the roxctl sensor generate k8s command:

    1. Renamed the admission-controller option to create-admission-controller.
    2. Renamed the image option to main-image-repository.
    3. Renamed the collector-image option to collector-image-repository.
    4. Deprecated the runtime option.

    You can still use the renamed options but we’ll remove them in version 3.0.48 or later.

  • Now the roxctl image scan command doesn’t return image scan results for snoozed CVEs by default. Use the --include-snoozed option to get that information.

API

  • To fix the issue related to the policies with environment variables (see ROX-5208), we’ve updated the API endpoints to match the StackRox portal’s behavior. It’s a breaking change for the /v1.PolicyService/PostPolicy gRPC method; however, it doesn’t affect any REST API methods.
  • Now the /v1/image/<image-id> endpoint doesn’t return image scan results for snoozed CVEs by default. Use the includeSnoozed query parameter to get that information.

Upcoming changes

roxctl CLI

In the StackRox Kubernetes Security Platform version 3.0.48 or later, we’ll:

  1. Change the default value for the create-upgrader-sa option to true.
  2. Remove the deprecated runtime option.
  3. Remove the deprecated monitoring-endpoint option.
  4. Remove the deprecated admission-controller option, which is replaced by create-admission-controller.
  5. Remove the deprecated image option, which is replaced by main-image-repository.
  6. Remove the deprecated collector-image option, which is replaced by collector-image-repository.

Security updates

We’ve updated dependencies in the Collector image to resolve fixable CVEs including CVE-2020-16135 and CVE-2020-15358. The Collector image version 3.0.18-latest includes this update.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.47.2
Scanner | Scans images. | stackrox.io/scanner:2.3.1
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.3.1
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.0.18-latest

Documentation changes

Change | Pages | Description
New topic | Re-issue internal certificates | Learn how to issue new certificates to the components of the StackRox Kubernetes Security Platform.
New section | Manage vulnerabilities | Added Identify operating system of the base image section.
Update | Create custom policies | Updated the Policy criteria section to include Image OS.
Update | Use the roxctl CLI | Updated the Authentication section to include instructions about the new --token-file option.

The StackRox Kubernetes Security Platform version 3.0.46 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: July 15, 2020

New features

Improved event timeline

It’s now easier to view overlapping events in the Event Timeline modal box. The StackRox Kubernetes Security Platform now groups the overlapping events and shows an event count badge. You can click on the group to view details about all events in that group.

Support for Flatcar Container Linux and Garden Linux

The StackRox Kubernetes Security Platform now supports Flatcar Container Linux and Garden Linux.

Important bug fixes

  • ROX-3023: Previously, in the StackRox portal, you couldn’t disable alert data retention. You could only set retention periods to 1 day or higher. You can now use 0 to store violations and unused images forever.

  • ROX-4002: Previously, StackRox Collector wouldn’t show network connection details and process paths if you were using the StackRox Kubernetes Security Platform on Ubuntu 19.10. We’ve updated the Collector image to fix this issue.

  • ROX-4541: Previously, if you were using the docker-auth.sh (Docker authentication helper) or add-cluster.sh (Helm add cluster) scripts, they would run without checking for the required jq binary. We’ve updated these scripts to verify that the jq binary exists and to run only if it’s present.

  • ROX-4872: Previously, the default Cryptocurrency Mining Process Execution security policy wouldn’t report errors for the xmr-stak-cpu cryptocurrency mining Docker image. We’ve fixed this issue.

  • ROX-4931: Previously, when you scanned container images based on CentOS 7 or Red Hat Enterprise Linux (RHEL) 7, StackRox Scanner only showed vulnerabilities that had fixes available. We’ve fixed this issue.

    When you scan an image based on CentOS 7 or RHEL 7 in the StackRox Kubernetes Security Platform version 3.0.46.0 or higher, StackRox Scanner returns more vulnerability results than before. To avoid disrupting build or deployment pipelines, make sure your enforced policies use the Fixed By policy attribute so they only match fixable vulnerabilities.

  • ROX-5183: Previously, API requests to generate new tokens would sometimes fail with a timeout error. We’ve increased the timeout to 60 seconds to fix this issue.

  • ROX-5193: Previously, StackRox Collector would report errors for missing net/tcp6 files. We’ve updated the internal logic not to report this error if it isn’t applicable.

  • ROX-5276: In the StackRox Kubernetes Security Platform version 3.0.45, you couldn’t use the Add Selected CVEs to Policy button in the CVEs view to add CVEs to an existing policy. We’ve fixed this issue.

Important system changes

Security policies

  • We’ve renamed the Required Label: Owner and the Required Annotation: Owner security policies to Required Label: Owner/Team and Required Annotation: Owner/Team.
  • The StackRox Central database uses a new format that’s more scalable and performs better. The upgrade includes an automatic migration to the new format. After you upgrade the StackRox Central image to version 3.0.46 or higher, Central may take longer to start up while it finishes the automatic migration.
  • We’ve renamed the port for the scanner-db service from db to tcp-db to better support protocol selection in Istio.

StackRox Portal

  • If you are on a view that lists items in a table, for example, the Risk view, and you are on a page number higher than 1, clicking a column heading now sorts the table and takes you back to page number 1. Previously, the view stayed on the later page even after you re-sorted the table.
  • The cluster details in the Platform Configuration > Clusters view now shows a message if the secured cluster’s credentials are about to expire.
  • In the Vulnerability Management > Policies view, we’ve updated the Deployment column values to only show the number of deployments for which a policy is failing.

API

We’ve added the following new endpoints:

Verb | Endpoint | Description
PATCH | /v1/notifiers/{id} | Modify a specific notifier.
POST | /v1/notifiers/test/updated | Check if a notifier is correctly configured.
PATCH | /v1/scopedaccessctrl/config/{id} | Modify a specific scoped access control plugin.
POST | /v1/scopedaccessctrl/test/updated | Check if a specific scoped access control plugin is correctly configured.
PATCH | /v1/externalbackups/{id} | Modify a specific external backup.
POST | /v1/externalbackups/test/updated | Check if a specific external backup is correctly configured.

For more information, see the Use the API topic.

Upcoming changes

Security policies

  • We’ll deprecate the Required Label: Email and Required Annotation: Email security policies in the StackRox Kubernetes Security Platform version 3.0.48. If you are using Required Label: Email and Required Annotation: Email security policies, we recommend using the Required Label: Owner/Team and Required Annotation: Owner/Team policies instead.
  • In the StackRox Kubernetes Security Platform version 3.0.45.1, we restored previous behavior of .* values for the Fixed By policy attribute. The further fix for this issue, previously scheduled for version 3.0.46.0, is now delayed to a later release.

roxctl CLI

We’ll update the available options for the roxctl sensor generate k8s command in the StackRox Kubernetes Security Platform version 3.0.47. We’ll:

  1. Rename the admission-controller option to create-admission-controller.
  2. Change the default value for the create-upgrader-sa option to true.
  3. Deprecate (and later remove) the runtime option.
  4. Rename the image option to main-image-repository.
  5. Rename the collector-image option to collector-image-repository.
  6. Remove the deprecated monitoring-endpoint option.

The previously announced change to the default behavior of the collection-method parameter is no longer planned.

Security updates

We’ve updated dependencies in the Red Hat Universal Base Image-based Collector image to resolve a fixable CVE from RHSA-2020:2755. The Collector image version 3.0.17-latest includes this update.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.46.0
Scanner | Scans images. | stackrox.io/scanner:2.2.12
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.2.12
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.0.17-latest

Documentation changes

Change | Pages | Description
Update | Create custom policies | Added instructions to toggle between logical operators inside a policy section in the Add logical conditions section.
New section | Resource requirements | Added Admission controller requirements.
Update | Manage role-based access control | Updated the Resource definitions section to include missing RBAC resources.
New topic | Quick Start (Helm) | Learn how to install the StackRox Kubernetes Security Platform by using Helm charts.
New section | Use the roxctl CLI | Added a new Install and set up roxctl CLI section which includes instructions for downloading and setting up the roxctl CLI on Linux and macOS.
New topic | Add trusted certificate authorities | Learn how to add custom trusted certificate authorities to the StackRox Kubernetes Security Platform.

The StackRox Kubernetes Security Platform version 3.0.45 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: June 24, 2020

New features

Support for logical operators in security policies

You can now use the AND, OR, and NOT Boolean operators to combine the policy criteria to create highly specific security policies. It allows you to narrow down your matches to discover the precise image contents, deployment configurations, or runtime activities about which you are concerned. See Create custom policies for more information.

Create policy from Risk view

While evaluating risks in your deployments in the Risk view, you can now create new security policies based on the local page filtering criteria you are using. See the Create policy from Risk view section for more information.

Enable data backups on Google Cloud Storage

We’ve added support for taking environment-wide backups of the StackRox Kubernetes Security Platform on Google Cloud Storage (GCS). You can schedule daily or weekly backups and do manual on-demand backups. See Integrate with Google Cloud Storage for more details.

Important bug fixes

Resolved in version 3.0.45.0

  • ROX-5152: Previously, if you were using the admission controller, the StackRox Kubernetes Security Platform would still block policy violations for snoozed CVEs. We’ve fixed this issue.
  • ROX-5100: Previously, if you were using offline mode, the StackRox Kubernetes Security Platform would still attempt to find cluster metadata using DNS lookup. We’ve fixed this issue.
  • ROX-5085: Previously, the StackRox Kubernetes Security Platform wouldn’t trigger process violations for security policies that use the Process Ancestor policy criteria. We’ve fixed this issue.
  • ROX-5082: Previously, backups failed if you stored StackRox Kubernetes Security Platform backups in Google Cloud Storage (GCS) through the Amazon S3 integration. We’ve fixed this issue by adding a new native integration with GCS.
  • ROX-5000: Previously, the StackRox portal would take a long time to display CVEs in the Vulnerability Management view. We’ve fixed this issue.
  • ROX-4987: We’ve fixed an issue with the Scanner where it would fail to scan images and would log the error message “Could not complete operation in a failed transaction”.
  • ROX-4982: Previously, when you exported security policies the generated JSON file would include some fields that the StackRox Kubernetes Security Platform uses internally. We’ve fixed this issue and the exported policies don’t include internal field values anymore.
  • ROX-4978: Previously, while editing an already integrated authentication provider, if you encountered a validation error, the StackRox Kubernetes Security Platform would delete the authentication provider. This issue is now fixed.
  • ROX-4926: Previously, when editing an existing integration with an image registry, the StackRox portal would show a success message when you selected Test, but fail to save changes when you selected Create. We’ve fixed this issue.
  • ROX-4856: Previously, the Secrets Most Used Across Deployments widget on the Configuration Management view would incorrectly report that certain secrets were being used in every deployment. This issue is now fixed.
  • ROX-4020: Previously, in the Configuration Management view, the StackRox Kubernetes Security Platform only accounted for secrets that were mounted by using volume mounts. The StackRox Kubernetes Security Platform now also reports secrets mounted by using environment variables.
  • ROX-3981: Previously, the Drop Capabilities policy criterion matched the deployments that dropped the specified capability. We’ve fixed it to match the deployments that didn’t drop the required capability.

Resolved in version 3.0.45.1

Release date: July 1, 2020

  • ROX-5196: Before version 3.0.45.0, if you set .* as the value for the Fixed By policy attribute, the policy only matched fixable CVEs. In version 3.0.45.0, the same policy matches all CVEs. We’ve restored the previous behavior in version 3.0.45.1, and we’ll release a further fix in version 3.0.46.0.
  • ROX-5198: Previously, Scanner couldn’t connect to its database in clusters running IPv6, causing scans to fail. We’ve fixed Scanner’s configuration to handle IPv6 clusters. This fix is included in version 2.2.12 and later of the Scanner and Scanner DB images.

Important system changes

  • The default policies which we’ve excluded for the kube-system namespace are now also excluded for the istio-system namespace.
  • We’ve added a CVE type field, which allows you to differentiate clearly between Image CVEs, Kubernetes CVEs, and Istio CVEs.
  • We’ve added support for connecting Sensor to Central by using non-gRPC capable Load Balancers. See the Install a Sensor and generate a sensor deployment YAML file sections for details.

StackRox Portal

  • In the Vulnerability Management view, we’ve moved the Images option from Application & Infrastructure > Images to the Vulnerability Management view header. Now to view images in your environment, you can directly select Images on the Vulnerability Management view header.
  • We’ve added the TLS Certificate Validation (Insecure) toggle for Anchore Scanner, CoreOS Clair (scanner), JFrog Artifactory (registry), and Quay.io (registry and scanner). To view the changes, navigate to the Platform Configuration > Integrations > New Integration view.

Helm charts

  • We’ve added the ability to make secret creation for the sensor, collector, and admission controller optional when deploying using Helm charts.
  • We’ve added support for offline mode for Helm charts.

Integrate with public Microsoft Container Registry

  • We’ve added a default integration for the public Microsoft Container Registry (mcr.microsoft.com).

API

We’ve updated the policy API object to add support for logical operators in security policies. The StackRox Kubernetes Security Platform still accepts the old policy object format in the API and automatically converts it to the new format.

If you have policies that you’ve saved outside of the StackRox Kubernetes Security Platform, you can convert them to the new format by importing them into the StackRox Kubernetes Security Platform then exporting them back. For more details, see Share security policies.

To verify if your policies are in the new format, check the existence of "policyVersion": "1" in your policy object. If it’s present, it means that the policies are in the new format.
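The policyVersion check above, together with the ROX-5208 rule from the 3.0.47 notes (a non-RAW environment variable criterion with a non-empty Value is now rejected), can be run over an export before you import it. The following Python is an added example, not StackRox code; it assumes the export is {"policies": [...]}, that criteria live under policySections -> policyGroups -> fieldName/values, and that environment variable criteria are encoded as "SOURCE=KEY=VALUE" strings, none of which the notes state. The sample export and its source names are constructed.

```python
"""Pre-flight checks for exported StackRox policy JSON.

Added example, not StackRox code. Two checks from the release notes:
  * ROX-5208: an Environment Variable criterion whose source type is anything
    other than RAW must have an empty Value, or Central rejects the policy.
  * policyVersion: policies converted to the new format carry "policyVersion": "1".

Assumed (not stated on the page): the export is {"policies": [...]}, criteria
live under policySections -> policyGroups -> fieldName/values, and environment
variable criteria are encoded as "SOURCE=KEY=VALUE" strings.
"""
from __future__ import annotations

import json

ENV_VAR_FIELD = "Environment Variable"
RAW_SOURCE = "RAW"

# Constructed export: one clean policy, one ROX-5208 offender, one old-format policy.
SAMPLE_EXPORT = json.dumps({
    "policies": [
        {"name": "Debug flag in prod", "policyVersion": "1",
         "policySections": [{"policyGroups": [
             {"fieldName": ENV_VAR_FIELD, "values": [{"value": "RAW=DEBUG=true"}]}]}]},
        {"name": "Secret-backed password", "policyVersion": "1",
         "policySections": [{"policyGroups": [
             # Value is ignored for non-RAW sources; Central now rejects this.
             {"fieldName": ENV_VAR_FIELD,
              "values": [{"value": "SECRET_KEY=DB_PASSWORD=hunter2"}]}]}]},
        {"name": "Legacy export", "fields": {"imageName": {"tag": "latest"}}},
    ]
})


def check_env_var_criteria(policy: dict) -> list[str]:
    """One message per Environment Variable value that ROX-5208 would reject."""
    problems = []
    for section in policy.get("policySections", []):
        for group in section.get("policyGroups", []):
            if group.get("fieldName") != ENV_VAR_FIELD:
                continue
            for entry in group.get("values", []):
                raw = entry.get("value", "")
                # Split at most twice so a VALUE containing '=' survives intact.
                parts = raw.split("=", 2)
                if len(parts) < 2:
                    problems.append(f"malformed environment variable criterion {raw!r}")
                    continue
                source, key = parts[0], parts[1]
                value = parts[2] if len(parts) == 3 else ""
                if source != RAW_SOURCE and value:
                    problems.append(
                        f"{key}: source {source} ignores Value, remove {value!r} (ROX-5208)")
    return problems


def is_new_format(policy: dict) -> bool:
    """True when the policy carries the post-3.0.45 policyVersion marker."""
    return policy.get("policyVersion") == "1"


def audit(export_json: str) -> dict[str, list[str]]:
    """Map each policy name to its findings; an empty list means it is safe to import."""
    findings = {}
    for policy in json.loads(export_json).get("policies", []):
        messages = check_env_var_criteria(policy)
        if not is_new_format(policy):
            messages.append("no policyVersion \"1\": import and re-export to convert")
        findings[policy.get("name", "<unnamed>")] = messages
    return findings


if __name__ == "__main__":
    for name, messages in audit(SAMPLE_EXPORT).items():
        print(name, "OK" if not messages else "; ".join(messages))
```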

roxctl CLI

In this release, we’ve clarified usage text for commands throughout the roxctl CLI.

Upcoming changes to roxctl CLI

We’ll update the available options for the roxctl sensor generate k8s command in the StackRox Kubernetes Security Platform version 3.0.47. We’ll:

  1. Rename the admission-controller option to create-admission-controller.
  2. Change the default value for the create-upgrader-sa option to true.
  3. Change the default collection-method to KERNEL_MODULE.
  4. Deprecate (and later remove) the runtime option.
  5. Rename the image option to main-image-repository.
  6. Rename the collector-image option to collector-image-repository.
  7. Remove the deprecated monitoring-endpoint option.

Security updates

We’ve updated dependencies in the Red Hat Universal Base Image-based Collector and Scanner images to resolve fixable CVEs from RHSA-2020:2637. These updates are included in version 3.0.16-latest and later of the Collector image, and version 2.2.11 and later of the Scanner image.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.45.1
Scanner | Scans images. | stackrox.io/scanner:2.2.12
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.2.12
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.0.16-latest

Documentation changes

Change | Pages | Description
Update | Integrate with Google Cloud Storage | Learn how to integrate with Google Cloud Storage and create environment-wide backups.
Update | Create custom policies | Updated the Policy criteria section to include details about using the logical operators in security policies.
New section | Add logical conditions | Added a new section to describe how to use the new drag-and-drop panel to add logical conditions for the policy criteria. (Updated in version 3.0.45.1.)
Update | Resource requirements | Updated resource requirements for Sensor for the StackRox Kubernetes Security Platform 3.0.44 and newer.
Update | Resource requirements | Updated resource requirements for Admission Controller for the StackRox Kubernetes Security Platform 3.0.41 and newer.
Update | Supported platforms | Added a note that we don’t support older CPUs that don’t have the Streaming SIMD Extensions (SSE) 4.2 instruction set.
New section | Create policy from Risk view | Added a new section about creating new security policies based on the local page filtering criteria from the Risk view.

The StackRox Kubernetes Security Platform version 3.0.44 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: June 3, 2020

New features

Share security policies

You can now share security policies between different Central instances by exporting and importing them, so that you can enforce the same standards across all your clusters. To share policies, export them as JSON files and then import them into another Central instance. See Share security policies for more details.

Use Google Cloud Identity-Aware Proxy (IAP) as an Identity Provider

You can now use Google Cloud Identity-Aware Proxy as a Single sign-on (SSO) provider for the StackRox Kubernetes Security Platform. See Configure Google Cloud Identity-Aware Proxy (IAP) as an Identity Provider for details.

Test integration with Identity Providers

While configuring Identity Providers, you no longer have to log out and log back in to check whether the integration is working. There’s a new Test Login option you can use to test your identity provider without logging out of the StackRox Kubernetes Security Platform. For details, see the Verify configuration section in the Configure a SAML 2.0 Identity Provider in StackRox and Configure an OIDC Identity Provider in StackRox topics.

Active user details

The StackRox Kubernetes Security Platform now shows information about the current logged-in user. The logged-in user initials are visible in the Infobar on top. You can select the initials to view your details, including your name, username, and role. Select your name to open the User Permissions view, which lists the StackRox Kubernetes Security Platform RBAC resources, permissions you have for each of those resources, and the role or roles that grant you each permission.

Important bug fixes

  • ROX-4995: We’ve fixed an issue where the audit logs would show the username and password of the built-in administrator user. This issue didn’t affect single sign-on (SSO) users.
  • ROX-4989: Previously, the StackRox portal would fail to show data in the Vulnerability Management view if background requests for data took too long. We’ve increased the timeout to fix this issue.
  • ROX-4965: Previously, when a policy violation occurred in a pod, the Event Timeline view showed the policy violation for all pods in the deployment. We’ve fixed this issue.
  • ROX-4914: Previously, if you scanned an image, rebuilt it with the same tag (such as latest), and scanned it again, the StackRox Kubernetes Security Platform would return old scan results for the rebuilt image. We’ve fixed this issue.
  • ROX-4709: Previously, the roxctl image check CLI command would try to run even with an incorrect option. We’ve updated the roxctl CLI, and it now reports errors for unexpected options in commands.
  • ROX-4610: We’ve fixed an issue where the Network Graph view could appear to shake if you used a custom browser zoom level.

Resolved in version 3.0.44.1

Release date: June 11, 2020

  • ROX-5077: Previously, when you integrated with more than one Google Container Registry (GCR), the StackRox Kubernetes Security Platform could intermittently fail to retrieve image metadata and scan results. We’ve fixed this issue by improving the way the StackRox Kubernetes Security Platform chooses which integration to use for each image.
  • ROX-5065: To improve performance, we’ve implemented log throttling, which controls the number of log messages the StackRox Kubernetes Security Platform generates.
    • By default, the StackRox Central, Sensor, Scanner, Admission Controller, and Compliance containers each emit at most 100 log lines in any 10-second interval.
    • You can adjust this threshold for each service by setting the environment variable MAX_LOG_LINE_QUOTA on each container in the Kubernetes PodSpec. The value must match the format <#log lines>/<interval in seconds>, for example, 100/100 for 100 logs in 100 seconds (1 log-per-second sustained throughput, enforced over 100-second intervals).
  • ROX-5062: We’ve fixed an issue with the crontab Execution security policy where it wouldn’t trigger violations for crontab but would trigger violations for other matching processes like cron. This issue also affected custom policies where a single regular expression criterion had OR branches, and one was a prefix of the other, for example (a|ab).
  • ROX-5058: Previously, if you deployed Sensor and Collector by using Helm charts, automatic upgrades would later fail due to incorrect image names for both images. We’ve fixed this issue.
  • ROX-5042: We’ve fixed an issue where the StackRox portal wouldn’t show a success or failure message when you selected the Test option while configuring an integration.
  • ROX-5027: Previously, if you were using admission controller enforcement and the communication between the Sensor and the Admission Controller was interrupted for more than 15 minutes, the Admission Controller would retry the connection frequently, resulting in high volumes of logs and increased resource usage. We’ve fixed this issue.
  • ROX-5025: Previously, the StackRox portal would show an error message and not show any results when you used certain global search options. We’ve fixed this issue.
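The ROX-5062 item above describes a general class of policy bypass, not something specific to crontab: a regular-expression criterion with alternation branches where one branch is a prefix of the other, such as (a|ab) or cron|crontab. The following is an added example, not StackRox's code, that reproduces that failure mode in Python and shows two ways to avoid it. The process names are constructed sample data.

```python
"""Why a regex alternation whose branches share a prefix can miss the longer branch.

Added example, not StackRox's code. If a process-name criterion is evaluated
with a start-anchored match and the result is then compared with the whole
name, the first alternative that matches a prefix wins and the longer
alternative is never tried, so "crontab" never produces a violation.
"""
import re
from typing import Callable, List

Matcher = Callable[[str, str], bool]


def matches_prefix_then_compare(pattern: str, name: str) -> bool:
    """Buggy evaluation. re.match stops at the first alternative that matches a
    prefix, so (cron|crontab) against "crontab" yields "cron", and the
    whole-string comparison then fails."""
    m = re.match(pattern, name)
    return m is not None and m.group(0) == name


def matches_fullmatch(pattern: str, name: str) -> bool:
    """Fixed evaluation. Anchoring both ends inside the regex engine makes it
    backtrack into later alternatives when an earlier one cannot reach the end."""
    return re.fullmatch(pattern, name) is not None


def longest_first(pattern: str) -> str:
    """Alternative fix when the evaluator cannot be changed: reorder a flat
    alternation (no nested groups) so longer branches are tried before their
    prefixes. "cron|crontab" becomes "crontab|cron"."""
    branches = pattern.strip("()").split("|")
    return "|".join(sorted(branches, key=len, reverse=True))


def violating_processes(pattern: str, names: List[str], matcher: Matcher) -> List[str]:
    """Return the process names that the criterion flags, in sorted order."""
    return sorted(n for n in names if matcher(pattern, n))


SAMPLE_PROCESSES = ["cron", "crontab", "crond", "bash"]  # constructed sample data
```

With the buggy evaluator, "cron|crontab" flags only cron; with fullmatch, or with the branches reordered longest-first, it flags both cron and crontab while still leaving crond and bash alone. When writing custom policies on a version before this fix, put the longer branch first or anchor the expression explicitly.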

Important system changes

StackRox portal

  • We’ve replaced some inconsistent term usage for Amazon S3 and Amazon ECR with their official product names in the Platform Configuration > Integrations view.
  • We’ve fixed tables in different views so that long descriptions (or names) don’t overlap with other columns.
  • We’ve updated the registry integration view so that you don’t have to re-enter credentials every time you make changes to existing integrations.
  • We’ve improved input validation in the Portal when you are creating a new role.

API

We’ve added the following new endpoints for sharing security policies.

  • /v1/policies/export, which accepts a list of policy IDs and returns a list of JSON policies.
  • /v1/policies/import, which accepts a JSON list of policies, imports them into the StackRox Kubernetes Security Platform, and returns success or failure details for every policy.
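The two endpoints above are all that is needed to script policy sharing between Central instances. The following is an added example, not StackRox's own code or CLI: the endpoint paths and the "list of policy IDs in, list of JSON policies out" shape come from the release notes, while the JSON field names policyIds and policies, the presence of an id field on each exported policy, and the use of a StackRox API token as a Bearer token are assumptions about the payloads.

```python
"""Copy security policies from one Central instance to another through the
/v1/policies/export and /v1/policies/import endpoints.

Added example, not StackRox's code. Field names "policyIds" and "policies",
the per-policy "id" field, and Bearer-token auth are assumptions.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport takes (method, url, headers, body) and returns (status, body bytes).
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Real HTTPS transport. Certificate verification stays on: make Central's CA
    available to the process (for example via SSL_CERT_FILE) rather than disabling it."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class RecordingTransport:
    """Offline test double: records decoded request bodies and replays canned replies."""

    def __init__(self, replies: Dict[str, dict]):
        self.replies = replies                      # URL suffix -> JSON reply
        self.calls: List[Tuple[str, str, dict]] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
        self.calls.append((method, url, json.loads(body)))
        for suffix, reply in self.replies.items():
            if url.endswith(suffix):
                return 200, json.dumps(reply).encode()
        return 404, b"not found"


class CentralClient:
    def __init__(self, base_url: str, api_token: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {
            "Authorization": f"Bearer {api_token}",   # assumption: API token sent as Bearer
            "Content-Type": "application/json",
        }
        self.transport = transport

    def _post(self, path: str, payload: dict) -> dict:
        status, body = self.transport("POST", self.base_url + path, self.headers,
                                      json.dumps(payload).encode())
        if status != 200:
            raise RuntimeError(f"{path} returned HTTP {status}: {body[:200]!r}")
        return json.loads(body)

    def export_policies(self, policy_ids: List[str]) -> List[dict]:
        # Assumed payload: {"policyIds": [...]} -> {"policies": [...]}
        return self._post("/v1/policies/export", {"policyIds": policy_ids})["policies"]

    def import_policies(self, policies: List[dict]) -> dict:
        # Assumed payload: {"policies": [...]}; the reply carries per-policy results.
        return self._post("/v1/policies/import", {"policies": policies})


def save_policies(policies: List[dict], path: str) -> None:
    """Write exported policies to a JSON file, the interchange format the notes describe."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"policies": policies}, fh, indent=2, sort_keys=True)


def load_policies(path: str) -> List[dict]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["policies"]


def copy_policies(src: CentralClient, dst: CentralClient, policy_ids: List[str]) -> dict:
    """Export from src, refuse to continue if any requested policy is missing,
    then import into dst and return dst's import response for the caller to inspect."""
    policies = src.export_policies(policy_ids)
    missing = set(policy_ids) - {p.get("id") for p in policies}
    if missing:
        raise RuntimeError(f"source did not return policies for: {sorted(missing)}")
    return dst.import_policies(policies)
```

Give the source token a role with only the permission needed to read policies and the destination token one that can write them; keep the exported JSON file under version control if you want a reviewable record of the policy set each cluster enforces.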

Sensor

  • We’ve increased resource requests and limits in new Sensor deployments:
    • Sensor now requests 1 CPU core and 1GiB of RAM.
    • Sensor is now limited to 2 CPU cores and 4GiB of RAM.

Security updates

Updated in version 3.0.44.0

We’ve updated the base image for Collector and made some other changes to reduce the number of CVEs affecting the Collector image. It still has a few CVEs left which aren’t fixable because there is no new version available. We’ve determined that the unfixable CVEs don’t affect Collector in its deployed configuration. The Collector image version with this change is 3.0.14-latest.

Updated in version 3.0.44.1

Release date: June 10, 2020

We’ve updated dependencies in the Collector image to resolve new fixable CVEs. The Collector image version with this change is 3.0.15-latest.

Documentation changes

  • Share security policies (new topic): Learn how to share your security policies between Central instances.
  • Configure Google Cloud Identity-Aware Proxy (IAP) as an Identity Provider (new topic): Use Google Cloud IAP for identity management with StackRox.
  • Uninstall the StackRox Kubernetes Security Platform (new topic): Added instructions for completely uninstalling each component of the StackRox Kubernetes Security Platform.
  • Upload support packages to Central (updated): Added information about the order in which Collector checks for new probes and about mutable image tags.

The StackRox Kubernetes Security Platform version 3.0.43 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: May 15, 2020

New features

Event timeline

The StackRox Kubernetes Security Platform version 3.0.43 includes a graphical event timeline view. You can use it to get information about events for all pods in a deployment. The event timeline shows process activities, policy violations, and container restart and termination events. See the Event timeline section for more details.

Specify custom endpoints and non-public regions

You can now use non-public endpoints when you integrate the StackRox Kubernetes Security Platform with Amazon S3 and Amazon Elastic Container Registry (ECR). See the Integrate with Amazon S3 topic to know more about customizing the request endpoint and specifying isolated AWS regions.

Important bug fixes

  • ROX-4862: Previously, the StackRox portal would show an error message for process tags in the Violations and the Risk > Process Discovery view, to users with read permission for process indicators. We’ve resolved this issue.
  • ROX-4861: Previously, CIS (Center for Internet Security) compliance scan results sometimes included incorrect results because the StackRox Kubernetes Security Platform trimmed long process names. We’ve fixed this issue.
  • ROX-4761: Previously, the Cluster details panel from the Vulnerability Management view reported a GraphQL error for policies with cluster, namespace, or label exclusions. The StackRox portal now correctly shows this information for the cluster.
  • ROX-4754: Previously, the Sensor bundle didn’t handle additional certificate authorities. We’ve added the ca-setup-sensor.sh and delete-ca-sensor.sh scripts to the Sensor bundle to fix this issue.
  • ROX-4752: Previously, the Policy details panel from the Vulnerability Management view didn’t display information for the Privileged criterion under the Policy Criteria section. The StackRox portal now correctly shows this information.
  • ROX-4744: Previously, diagnostic bundle downloads and debug dumps could time out in busy clusters. We’ve fixed this issue by changing how Central collects data from secured clusters.
  • ROX-4730: Previously, the Scanner deployment didn’t mount the additional CA secret and would fail to scan self-signed registries. We’ve resolved this issue.
  • ROX-4729: Previously, when you selected an image from the Search view, the StackRox portal didn’t open the Image details view. We’ve resolved this issue.
  • ROX-4705: StackRox Sensor falls back to an authentication token when it can’t use mutual TLS for authentication with Central. Previously, Sensor didn’t use the token when downloading Collector probes from Central or during automatic upgrades. We’ve resolved this issue.
  • ROX-4695: Previously, the StackRox Kubernetes Security Platform would still trigger policy violations based on the CVSS scores for snoozed CVEs when you used the roxctl image check command. We’ve fixed this issue.
  • ROX-4660: Previously, when creating a new cluster, the StackRox portal allowed entering trailing slashes and other invalid characters. We’ve fixed this issue by implementing improved validation.
  • ROX-4597: Previously, the StackRox Kubernetes Security Platform didn’t allow you to log in if you configured more than one User Certificates authorization provider with the same certificate authority. We’ve resolved this issue.
  • ROX-4569: Previously, the default security policy Images with no scans wouldn’t report any policy violations or enforcement actions. We’ve fixed this issue.
  • ROX-4405: Previously, there was an error in CIS Kubernetes Compliance check for directory permissions. We’ve fixed this issue.
  • ROX-4146: We’ve removed a mention of the obsolete scanner-v2 service in the policy exclusions.
  • ROX-3789: Previously, automatic upgrades for Sensor would incorrectly display the Sensor version as up to date for a disconnected Sensor in the Platform Configuration > Clusters view. We’ve fixed this issue.
  • ROX-3268: Previously, in the StackRox portal, the Deployment filter option was missing from the local page filtering options in the Compliance view. We’ve fixed this issue.

Resolved in version 3.0.43.1

Release date: May 20, 2020

  • ROX-4946: Previously, if you were using the default Images with no scans security policy with admission controller enforcement, the StackRox Kubernetes Security Platform blocked every deployment. We’ve fixed this issue.
  • ROX-4947: Previously, sometimes Scanner failed to analyze images and reported a duplicate key value error message. We’ve resolved this issue.
  • ROX-4874: To scan images, Scanner takes the server address from image pull secrets. Previously, sometimes Scanner failed to scan images for autogenerated registries if the image address contained trailing paths. The Scanner now uses the correct server address, without the trailing paths.

Important system changes

Collector

We’ve published a technical advisory about how to mitigate Linux kernel issues you may encounter if you use eBPF-based runtime activity collection on certain kernel versions.

API

  • GenerateToken (/v1/apitokens/generate): the singular role field in the request payload is deprecated; use the array field roles.
  • GetAPIToken(/v1/apitokens/{id}) and GetAPITokens(/v1/apitokens): the singular role field in the response payload is deprecated, use the array field roles.
  • Audit logs: the singular user.role field in the audit message payload is deprecated, use the singular user.permissions field for the effective permissions of the user, and the array field user.roles for all the individual roles associated with a user.

Jenkins plugin

We’ve updated the StackRox Container Image Scanner Jenkins plugin to version 1.2.2 which includes fixes for the following issues:

  • Rendering of the StackRox Image Security Report when CVE publishedOn date isn’t available.
  • Incorrectly reported CVE fixable state.

StackRox portal

In the Platform Configuration > Clusters view, we’ve updated the status text On the latest version to Up to date with Central version.

Compliance

The Compliance container within the Collector DaemonSet now mounts the host path /, which it needs in order to read configuration files anywhere on the host. This change requires the allowedHostPaths setting of the stackrox-collector PodSecurityPolicy (PSP) to permit mounting /. For added security, the PSP only permits / to be mounted read-only.

Logs

We’ve removed the following frequently appearing error messages related to:

  • CPE matching for Fedora Linux and the "AND" operator, in the Scanner logs.
  • memory allocation in the Collector logs.

Security updates

We’ve updated the Collector image to resolve the CVE-2020-3810 vulnerability in the apt package. Collector doesn’t use apt at runtime, and apt isn’t included in its final image. We’ve upgraded apt to a newer version that isn’t affected by the CVE-2020-3810 vulnerability.

Other notes

Amazon S3 compatibility

In this release, we’ve added the ability to specify custom endpoints for the Amazon S3 integration.

However, the StackRox Kubernetes Security Platform doesn’t support using Google Cloud Storage for automatic backups due to API differences.

Documentation changes

  • Backup and restore (updated): Added a note about the required permissions and role to create backups.
  • Quick Start (updated): Added a note that the StackRox Kubernetes Security Platform doesn’t support Amazon Elastic File System (Amazon EFS) and the alternative to use instead.
  • Common tasks (new section): Added a new section that lists some common tasks you can perform from the Vulnerability Management view.
  • Event timeline (new section): Added a new section for the graphical event timeline view.
  • Collector soft lock-up (new topic): Added an advisory about how to mitigate Linux kernel issues you may encounter if you use eBPF-based collection on certain kernel versions.

The StackRox Kubernetes Security Platform version 3.0.42 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Comments and tags

You can now use comments and tags to record what’s happening with violations and processes and keep your team up to date. Comments and tags are available in several views. You can add them for:

Violations in the following views:

Processes in the following views:

Important bug fixes

  • ROX-4671: We addressed an issue that caused high CPU usage in Sensor.
  • ROX-4607: Previously, the admission controller didn’t enforce policies with single cluster scope. We’ve fixed this issue.
  • ROX-4580: Previously, in the Configuration Management view, the StackRox portal didn’t highlight the selected deployment in the list in the Service Account details panel. The StackRox portal now shows it correctly.
  • ROX-4543 and ROX-4272: Previously, in the Configuration Management view, the StackRox portal didn’t show the deployment details panel when you selected a deployment from Image > Deployment. The StackRox portal now correctly shows the details.
  • ROX-4429: Previously, the automatic upgrades wouldn’t work if the cluster reported some resources as unavailable. We’ve updated the StackRox Kubernetes Security Platform to ensure that automatic upgrades work as usual as long as the required resources are available on the cluster.

Important system changes

Snooze CVEs for a specific time

You can now snooze CVEs for a specified time such as a day, a week, two weeks, a month, or indefinitely (until you unsnooze).

API

  • You can now request pretty-printed JSON responses for all v1 API endpoints by adding the ?pretty path parameter in your requests. For more information, see the Use the API topic.
  • You can use:
    • the SuppressCVEs endpoint /v1/cves/suppress to snooze CVEs for specific duration, and
    • the UnsuppressCVEs endpoint /v1/cves/unsuppress to unsnooze CVEs.

StackRox portal

  • We’ve added a new Deployment Name field in the Deployment Details panel for the Violations and Risk views.
  • In the Risk view, the browser address bar now shows the complete address (including the applied filtering) when you use local page filtering. You can copy and share the address for the filtered view with others.

Central, Sensor, and Collector on OpenShift

We’ve updated the Security Context Constraint (SCC) priority to 0 so that they don’t supersede default SCCs.

Documentation changes

  • Enable PKI authentication (updated): Added information about configuring custom endpoints by using a YAML configuration file.
  • Resource requirements (updated): Added information about recommended machine type and cores for deploying Central and updated the architecture diagram.
  • Integrate with image registries (updated): Included the registry integration explanation.
  • Examine images (updated): Added information about differences between the Red Hat Security Advisory (RHSA) CVSS score and the CVSS score visible in the StackRox portal.
  • Get started (updated): Updated the StackRox Kubernetes Security Platform architecture diagram.
  • Integrate with CI systems (updated): Added instructions for running the roxctl client in a container image.
  • Evaluate the StackRox Kubernetes Security Platform (added): Added instructions for evaluating Deploy-time policies, Run-time policies, and Risks report.

The StackRox Kubernetes Security Platform version 3.0.41 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Vulnerability Management

The StackRox Kubernetes Security Platform now features a Vulnerability Management view in the StackRox portal to help you identify, prioritize, and manage vulnerabilities across your applications and infrastructure. The Vulnerability Management view displays information you can act on and gives you a complete view of the vulnerabilities and how they relate to other entities, for example, deployments, images, and components.

Helm chart support for secured clusters

You can now use Helm charts to install Sensor, Collector, and Admission Controller. To get started, navigate to the stackrox/helm-charts repository on GitHub.

The GitHub repository includes charts for each version of the StackRox Kubernetes Security Platform, starting from version 3.0.41.0. In version 3.0.41.1, we added a new image.repository.collector parameter and adjusted the default values of other parameters.

Important bug fixes

Resolved in version 3.0.41.0

  • ROX-3800: Previously, in the Violations view, the StackRox portal didn’t show enforcement actions that the StackRox Kubernetes Security Platform had taken in response to violations. The StackRox portal now correctly shows these actions.
  • ROX-4359: Previously, while adding a new authentication provider, selecting Cancel would crash the StackRox portal page if you didn’t have any other authentication providers. We’ve fixed this issue.
  • ROX-4521: Previously, in the Violations view when you selected a violation, the Policy tab of the violation details panel didn’t show the policy details. The StackRox portal now correctly shows policy details for the selected violation.

Resolved in version 3.0.41.1

  • ROX-4570: In version 3.0.41.0, the StackRox portal didn’t display CVE descriptions in the Vulnerability Management and Images views. These views now correctly show a summary of each vulnerability.
  • ROX-4575: In version 3.0.41.0, local page filtering suggestions in the StackRox portal overlapped with other parts of some views. We’ve fixed this issue.
  • ROX-4577: From versions 3.0.40.0 to 3.0.41.0, when you bypassed admission controller enforcement in an emergency, the StackRox Kubernetes Security Platform would still apply scale-to-zero enforcement. We’ve fixed this issue.

Resolved in version 3.0.41.2

  • ROX-4578: We’ve fixed an issue where the StackRox Kubernetes Security Platform didn’t include new results from re-scanning images when checking compliance with your policies.

Resolved in version 3.0.41.3

  • ROX-4590: Previously, if you first installed the StackRox Kubernetes Security Platform version 2.4.21 or earlier, then eventually upgraded to version 3.0.41, StackRox Sensor would crash in each cluster until you adjusted that cluster’s dynamic configuration options in the Platform Configuration > Clusters view. We’ve resolved this issue.

Resolved in version 3.0.41.4

  • ROX-4598: Previously, StackRox Sensor crashed sometimes when processing large amounts of data, due to an internal error. We’ve resolved this issue.

Important system changes

Admission controller enforcement

The StackRox admission controller prevents users from creating workloads that violate policies you configure in the StackRox Kubernetes Security Platform. Beginning from the StackRox Kubernetes Security Platform version 3.0.41, you can also configure the admission controller to prevent updates to workloads that violate policies. For more details, see Enable admission controller enforcement.

UBI images

We’ve updated the StackRox Kubernetes Security Platform images based on the Red Hat Enterprise Linux (RHEL) images, from Red Hat Universal Base Image (UBI) version 7.7 to UBI version 8.1. See Use StackRox images built with UBI for more information.

Documentation changes

  • Manage vulnerabilities (new topic): Learn how to identify and prioritize vulnerabilities for remediation.
  • Enable admission controller enforcement (updated): Added an Additional information section, and added user interface options only available for the StackRox Kubernetes Security Platform version 3.0.41 and newer.
  • Supported platforms (updated): Clarified supported version numbers for Kubernetes and OpenShift.

The StackRox Kubernetes Security Platform version 3.0.40 includes new features, bug fixes, and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

  • You can now use a YAML configuration file to configure and expose endpoints for StackRox Central. See Configure endpoints for details.

  • We’ve added two new security policy criteria and two built-in policies for image labels.

    1. Required Image Label: Create violations for any deployments that don’t contain the specified image label.
    2. Disallowed Image Label: Create violations for any deployments that contain the specified image label.

    You can modify or clone the new built-in policies to match image labels you expect to see in all deployed images; or image labels that shouldn’t be in any deployed images.

    For more details, see the Policy criteria section.

  • We’ve added compliance checks for the NIST Special Publication 800-53 (rev. 4) standard. To assess your clusters for this standard, select Scan Environment in the Compliance view after you upgrade.

  • We’ve added a login form for the Username and Password user authentication method for the StackRox portal. The authentication prompt no longer uses your web browser’s interface to request the password.

Important bug fixes

Resolved in version 3.0.40.0

  • ROX-2423: Previously, the Collector pod could crash if a process exited while Collector was starting up. We’ve resolved this issue.
  • ROX-4076: Previously, you couldn’t log in using certain authentication providers if StackRox Central couldn’t connect to the provider at startup. The StackRox Kubernetes Security Platform now retries these connections if they fail.
  • ROX-4240: Previously, the roxctl CLI sent an invalid Host header, when running in plaintext mode. We’ve fixed this issue.
  • ROX-4241 and ROX-4242: Previously, due to an internal logic error, if you created a policy with the Required Label or the Required Annotation policy criteria, you might not receive violations. We’ve fixed this issue.
  • ROX-4254: Previously, the Cluster details panel from the Configuration Management view didn’t display policy violations under the Cluster Findings section. The StackRox portal now correctly shows policy violations for all deployments for the cluster.

Resolved in version 3.0.40.1

  • Previously, the database backup/restore process could fail if certain invalid data was present. The backup/restore process now handles this type of error.
  • We’ve fixed issues that could cause StackRox Central to crash after you upgraded to version 3.0.40.0, depending on the contents of your StackRox Central database.

Important system changes

StackRox Central

In version 3.0.40.1, we’ve added a safe mode to StackRox Central. StackRox Support may request that you activate this setting when working with you to resolve an issue.

StackRox Sensor

We’ve reduced the computational load on Central by moving the deployment and image detection capabilities from Central to Sensor. Additionally, Sensor gathers image scan results and additional metadata from Central, generates runtime and deploy-time alerts, and applies enforcement policies.

Monitoring

We’ve removed the StackRox Monitoring components. To monitor the StackRox Kubernetes Security Platform components (Sensor, Central, and Collector), use Prometheus or similar software to scrape the <component-address>:9090/metrics path of each component.

CLI

The -e (or --endpoint) option of the roxctl CLI now supports URLs as arguments.

  1. The path component of the URL you specify must either be:

    • blank, for example https://central.stackrox, or
    • /, for example https://central.stackrox/.

    Any other value for the path component is incorrect. For example, the following example is incorrect:

    ❌ roxctl -e 'https://central.stackrox/api' central debug log
  2. If you use the --plaintext option along with a URL, the URL scheme must be http and not https.
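The two rules above are easy to get wrong in wrapper scripts that assemble the endpoint from environment variables. The following is an added example, not roxctl's own code, that checks an endpoint value against exactly those rules before handing it to roxctl. It passes a bare host:port value through unchanged, since the rules apply only to URLs; rejecting schemes other than http and https is an assumption of this example rather than something the notes state.

```python
"""Validate a roxctl -e / --endpoint argument against the documented URL rules.

Added example, not roxctl's code. Documented rules: the URL path must be empty
or "/", and with --plaintext the scheme must be http. Rejecting schemes other
than http/https is this example's assumption.
"""
from urllib.parse import urlsplit


def validate_endpoint(endpoint: str, plaintext: bool = False) -> str:
    """Return the host[:port] part roxctl will connect to, or raise ValueError."""
    if "://" not in endpoint:
        return endpoint            # host:port form, not a URL: the URL rules do not apply
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use http or https")
    if not parts.netloc:
        raise ValueError("URL has no host")
    if parts.path not in ("", "/"):
        # e.g. https://central.stackrox/api is rejected
        raise ValueError(f"path component must be empty or '/', got {parts.path!r}")
    if plaintext and parts.scheme != "http":
        raise ValueError("--plaintext requires an http:// URL, not https://")
    return parts.netloc


def is_valid_endpoint(endpoint: str, plaintext: bool = False) -> bool:
    """Boolean form of validate_endpoint, convenient for shell wrappers."""
    try:
        validate_endpoint(endpoint, plaintext)
        return True
    except ValueError:
        return False
```

Call validate_endpoint before invoking roxctl so that a mis-set value such as an API path fails fast with a clear message instead of an opaque connection error.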

Security updates

We’ve updated the Collector image to resolve the following CVEs:

These vulnerabilities were in the curl library. The older version of the curl library was vulnerable to heap buffer overflow and double-free vulnerabilities in the FTP and TFTP handlers, which StackRox Collector doesn’t use. We identified these vulnerabilities in the Collector image by using the StackRox Scanner. We’ve upgraded curl to a newer version that isn’t affected by these vulnerabilities.

Documentation changes

  • Configure endpoints (new topic): Learn how to configure endpoints for the StackRox Kubernetes Security Platform by using a YAML configuration file.
  • Create custom policies (updated): Added Required Image Label and Disallowed Image Label in the policy criteria section.
  • Benchmark versions (updated): Updated the NIST section to include NIST SP 800-53 Rev. 4.
  • Quick start (updated): Removed information about StackRox Monitoring components.
  • Upgrade from version 2.5.31 through version 3.0.34 and Upgrade from version 3.0.35 or higher (updated): Updated instructions for upgrading to the StackRox Kubernetes Security Platform version 3.0.40.
  • Enable offline mode (updated): Added new sections: Download images for offline use, Enable offline mode during installation, and Upload kernel support packages.
  • Configure custom certificates (updated): Added a new Configure Sensor to trust custom certificates section.

The StackRox Kubernetes Security Platform version 3.0.39 includes new features, bug fixes, and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Online telemetry

The StackRox Kubernetes Security Platform version 3.0.39 includes the option to enable online telemetry. If enabled, we use it to gather environment data, which helps us to troubleshoot support issues and improve the quality of the future StackRox Kubernetes Security Platform versions based on real-world usage. See Online telemetry for more information.

Diagnostic data

You can now generate a diagnostic bundle and send it to the StackRox support team to aid in investigating your support issues with the StackRox Kubernetes Security Platform.

Support for refresh tokens

The StackRox Kubernetes Security Platform now supports the OAuth 2.0 Authorization Code Grant authentication flow when you specify a client secret during configuration of an OpenID Connect (OIDC) integration. This authentication flow allows you to use refresh tokens to stay logged in beyond the token expiration time configured in your OIDC identity provider. See Configure an OIDC Identity Provider for more information.

Native Jenkins plugin

You can now use the new StackRox Container Image Scanner Jenkins plugin to scan container images for published software vulnerabilities. You can add it as a build step in your freestyle projects or pipeline to ensure that your infrastructure is in adherence with the StackRox Kubernetes Security Platform build-time policies.

Important bug fixes

Resolved in version 3.0.39.0

  • ROX-3769: Previously, when integrating the StackRox Kubernetes Security Platform with Splunk, the test would pass on invalid URLs. We’ve updated the logic to better integrate with Splunk (version 6.6.0 and newer). Now, when you integrate with Splunk there is no need to specify the complete URL. You can specify the HTTP Event Collector URL as https://<splunk-server-path>:8088, <splunk-server-path>:8088, or http://<splunk-server-path>:8088. See Integrate with Splunk for more information.
  • ROX-3953: We’ve added the install commands for Helm 3. With Helm 3, you install the charts without the --name flag, for example helm install central ./central.
  • ROX-3971: Previously, the /v1/policies API endpoint always returned the lastUpdated property as Null. We’ve fixed this issue. The API now returns the correct time for edited policies and Null for unedited policies.
  • ROX-3985: Previously, Scanner would report errors for removed Debian packages. We’ve fixed this issue.

Resolved in version 3.0.39.1

  • Bug ROX-4209: We’ve fixed an issue where the compliance scan would not correctly consider UID 0 as root for CIS Docker benchmark control 4.1.

Resolved in version 3.0.39.2

  • Bug ROX-4088: We’ve fixed an issue where the automatic upgrades didn’t work if an admission controller was running on the secured cluster.
  • We’ve fixed an issue where the Central deployment triggered panic events after an upgrade while trying to prune undeployed images.

Resolved in version 3.0.39.3

  • Bug ROX-4317: We’ve fixed an issue where the Central deployment triggered panic events on start-up if risk assessments were still present for deleted deployments.

Important system changes

  • We’ve deprecated the UseStartTLS field in the email notifier configuration and replaced it with an enum that supports more authentication methods.
  • We’ve added a new ScannerBundle resource type for use with the StackRox Kubernetes Security Platform role-based access control. See the Resource definitions section for details. Users now need READ permission for the ScannerBundle resource to run the roxctl scanner generate command. Previously, any authenticated user could run this command.

Scanner

  • We’ve removed the Scanner v2 (preview). If you are using the preview version, follow the upgrade instructions to switch to the generally available version of StackRox Scanner.
  • Scanner now fetches its vulnerability definitions from https://definitions.stackrox.io instead of https://storage.googleapis.com/definitions.stackrox.io/.
  • We’ve split Scanner deployment into two separate deployments scanner and scanner-db to support Scanner autoscaling.

CLI

  • We’ve added the roxctl central cert command, which you can use to download Central’s TLS certificate. You can then pass the downloaded certificate to other roxctl commands with the --ca <downloaded-certificate> option so that roxctl trusts a Central that uses a custom CA.

Security updates

We’ve updated the Collector image to resolve CVE-2017-14062 in the libidn library, which Collector uses to parse internationalized domain names. The older version of libidn was vulnerable to an integer overflow in its Punycode decoder. We identified this vulnerability in the Collector images by using the StackRox Scanner, and we’ve upgraded libidn to a version that isn’t affected by CVE-2017-14062.

The StackRox Kubernetes Security Platform version 3.0.38 includes bug fixes and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Important bug fixes

Resolved in version 3.0.38.0

  • Bug ROX-3772: Previously, if you selected Retry Upgrade or Upgrade Available for automatic upgrades in a multi-cluster environment, the upgrade would trigger on different clusters rather than the selected one. We’ve fixed this issue.
  • Bug ROX-3922: We’ve improved the email integration for compatibility with Office365 and other systems that use the STARTTLS LOGIN authentication method.
  • Bug ROX-3932: We’ve fixed an issue in the StackRox portal, where sorting the clusters based on the sensor version didn’t work as expected.

Resolved in version 3.0.38.1

  • Bug ROX-4009: In version 3.0.38.0 only, sending a violation to Jira can cause Central to crash. We’ve resolved this issue in version 3.0.38.1.

Resolved in version 3.0.38.2

  • Bug ROX-4078: We’ve fixed an issue where a large number of unnecessary duplicate processes remained.

    Along with resolving this, we’ve also:

    • reduced memory consumption in Sensor related to network flows, and
    • improved the performance of risk calculation for deployments.

Resolved in version 3.0.38.3

  • Bug ROX-4209: We’ve fixed an issue where the compliance scan would not correctly consider UID 0 as root for CIS Docker benchmark control 4.1.

Important system changes

API

We’ve added the /v1/group endpoint. You can use it to retrieve a single group by exact property match.

The StackRox Kubernetes Security Platform version 3.0.37 includes bug fixes and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Important bug fixes

  • Bug ROX-3811: Previously, some Replication Controllers weren’t visible in Central. We’ve fixed this issue.
  • Bug ROX-3804 and Bug ROX-3784: We’ve fixed issues and streamlined the following scripts:
    • the image bundle import.sh script to push the StackRox Kubernetes Security Platform images into a private registry.
    • the delete-sensor.sh script to delete the StackRox Kubernetes Security Platform from a secured cluster.
  • Bug ROX-3803: In the Network Graph view, Simulate Network Policy function didn’t work if you selected namespaces in the menu on the top bar. We’ve fixed this issue.
  • Bug ROX-3689: Previously, sometimes the old active images were deleted when you pushed newer images to the registry. We’ve fixed this issue by updating the pruning check to ensure that no deployment is using an image before it’s deleted.
  • Bug ROX-3788: Previously, when you deleted a deployment, its associated process baselines didn’t get deleted. We’ve fixed this issue.
  • Bug ROX-3337: Previously, there were errors in running the CIS benchmark compliance checks on OpenShift control plane and infrastructure nodes. We’ve fixed this issue.
  • Bug ROX-3809: Previously, when integrating the StackRox Kubernetes Security Platform with JIRA, the integration sometimes failed if the priorities in JIRA didn’t match the Pn format. We’ve added an option to manually map JIRA priorities to fix this issue.
  • Bug ROX-3855: We’ve fixed an issue where the Amazon S3 integration failed because it used the default container credentials instead of the IAM role assigned to the container.

Important system changes

General

  • We’ve renamed the NIST 800-190 standard to NIST SP 800-190, for correctness. The ID is still the same; therefore, you don’t need to update existing API calls. Existing data is preserved and available on upgrade.
  • We’ve updated the policy descriptions, rationale, and remediation for the following built-in policies:
    • Fixable CVSS >=6 and Privileged
    • Fixable CVSS >=7
    • Compiler Tool Execution
    • 30-Day Scan Age
    • Alpine Linux Package Manager Execution
    • Red Hat Package Manager Execution
    • Ubuntu Package Manager Execution

roxctl CLI

We’ve added a roxctl sensor get-bundle <cluster-name-or-id> command. You can use it to download sensor bundles for existing clusters by specifying a cluster name or ID.

The StackRox Kubernetes Security Platform version 3.0.36 includes new features, bug fixes, and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Upload license from StackRox portal

In addition to uploading your StackRox Kubernetes Security Platform license by using the roxctl command-line interface, you can now upload your license by using the StackRox Portal as well. You can use it to upload your license when you are installing the StackRox Kubernetes Security Platform or updating your license after its expiry. See the License activation section for more details.

Important bug fixes

Resolved in version 3.0.36.0

  • Bug ROX-3777: We’ve fixed an issue with the Sensor upgrader not working with custom CA certificates. The sensor upgrader now mounts custom certificates during the upgrade.
  • Bug ROX-3767: Previously, exporting compliance scan results in CSV format by using the API, sometimes returned older unsupported CIS Docker 1.1.0 and CIS Kubernetes 1.4.1 results. We’ve resolved this issue.
  • Bug ROX-3561: Removed experimental compliance management schedule APIs that were unintentionally exposed.

Resolved in version 3.0.36.1

  • Bug ROX-3802: We’ve fixed an issue that prevented opening the Compliance and the Configuration Management views in Firefox and Safari browsers.

Important system changes

General

We’ve updated various YAML files (deployments, daemonsets, and pod security policies) to remove references to the deprecated extensions/v1beta1 Kubernetes APIs. This makes the StackRox Kubernetes Security Platform compatible with Kubernetes 1.16; existing StackRox Kubernetes Security Platform deployments aren’t affected. For more information, see the Kubernetes blog post Deprecated APIs Removed In 1.16: Here’s What You Need To Know.

API

We removed the following experimental APIs:

  1. /v1/complianceManagement/schedules GET
  2. /v1/complianceManagement/schedules POST
  3. /v1/complianceManagement/schedules/{schedule_id} POST
  4. /v1/complianceManagement/schedules/{schedule_id} DELETE

The StackRox Kubernetes Security Platform version 3.0.35 includes new features, bug fixes, and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Language-specific vulnerability scanning

The StackRox Kubernetes Security Platform now identifies vulnerabilities in language-specific components such as Java JAR files, Ruby gems, and Python and JavaScript libraries.

The StackRox Kubernetes Security Platform includes these new vulnerability results when checking images and deployments against your security policies. If you have enabled enforcement on image vulnerability-based policies by integrating with a continuous integration (CI) system, enabling admission control, or using scale-to-zero enforcement, we recommend disabling enforcement before you upgrade so that you can view policy violations before re-enabling enforcement. New image scan results and policy violations appear in the StackRox portal over a four-hour interval as images are rescanned with the updated version of StackRox Scanner.

To find out if your policies are enforced, navigate to Platform Configuration > System Policies and filter the view by Enforcement: Fail build and Enforcement: Scale to zero.

Native support for network proxies

The StackRox Kubernetes Security Platform now natively supports the use of a network proxy. You can now configure StackRox Central and Scanner to send external traffic through an HTTP, HTTPS, or SOCKS5 proxy by configuring a Kubernetes Secret. See Configure a proxy for external network access for more information.

Important bug fixes

  • ROX-3118: Previously, once a deployment details tab was open in the Network graph view, you couldn’t view generated network policies. We’ve resolved this issue.
  • ROX-3653: We fixed an issue where pages in the Compliance view did not respond correctly when you filtered by Compliance State.
  • ROX-3657: We clarified the header in the Compliance view to reflect that the number of clusters, namespaces, nodes, and deployments only includes those checked for compliance.

Important system changes

General

You can now deploy the StackRox Kubernetes Security Platform using images built with the Red Hat Universal Base Image (UBI). See Use StackRox images built with UBI for more information. (This change was first released in version 3.0.34.2).

StackRox Scanner

Because language-specific vulnerability scanning is now generally available, we’ve deprecated the preview version of StackRox Scanner.

If you are using the preview version, follow the upgrade instructions to switch to the generally available version of StackRox Scanner.

API

In the /v1/images/{id} API, the image object now includes a source field for each component in scan.components[]. This field indicates how the component was identified:

  • Components installed using operating system package managers like apk, apt, or rpm list OS as the source.
  • Components identified using language analysis list the programming language as the source, for example PYTHON or JAVA.
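As an added example (not code from StackRox or its documentation), the following Go program reads a /v1/images/{id} response, tallies components by their source field, and lists the fixable vulnerabilities at or above a CVSS threshold, which is the condition a policy such as Fixable CVSS >=7 evaluates. The JSON is constructed for the example and uses placeholder CVE identifiers; the structs cover only the fields the example reads, and the vulns, cvss, and fixedBy field names are assumed rather than taken from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Only the fields this example reads; the real /v1/images/{id} response
// carries many more. The "vulns", "cvss" and "fixedBy" names are assumptions.
type Vuln struct {
	CVE     string  `json:"cve"`
	CVSS    float64 `json:"cvss"`
	FixedBy string  `json:"fixedBy"` // empty when no fixed version is known
}

type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Source  string `json:"source"` // "OS", "PYTHON", "JAVA", ...
	Vulns   []Vuln `json:"vulns"`
}

type Image struct {
	Scan struct {
		Components []Component `json:"components"`
	} `json:"scan"`
}

// Finding is one fixable vulnerability attributed to a component and its source.
type Finding struct {
	Source, Component, Version, CVE, FixedBy string
	CVSS                                     float64
}

// ParseImage decodes a /v1/images/{id} response body.
func ParseImage(body []byte) (Image, error) {
	var img Image
	err := json.Unmarshal(body, &img)
	return img, err
}

// CountBySource tallies components per detection source.
func CountBySource(img Image) map[string]int {
	counts := map[string]int{}
	for _, c := range img.Scan.Components {
		counts[c.Source]++
	}
	return counts
}

// FixableFindings returns every vulnerability with a known fix and CVSS >= minCVSS,
// sorted by source then component. Once language analysis is enabled, PYTHON and
// JAVA components appear here next to OS packages, so a build-time policy that
// used to fire only on OS packages now fires on these too.
func FixableFindings(img Image, minCVSS float64) []Finding {
	var out []Finding
	for _, c := range img.Scan.Components {
		for _, v := range c.Vulns {
			if v.FixedBy != "" && v.CVSS >= minCVSS {
				out = append(out, Finding{c.Source, c.Name, c.Version, v.CVE, v.FixedBy, v.CVSS})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Source != out[j].Source {
			return out[i].Source < out[j].Source
		}
		return out[i].Component < out[j].Component
	})
	return out
}

// sampleResponse is constructed for this example; the CVE IDs are placeholders.
const sampleResponse = `{
  "scan": {"components": [
    {"name": "libexample", "version": "1.0.0-r3", "source": "OS",
     "vulns": [{"cve": "CVE-EXAMPLE-0001", "cvss": 7.5, "fixedBy": "1.0.1-r0"}]},
    {"name": "example-py", "version": "2.19.0", "source": "PYTHON",
     "vulns": [{"cve": "CVE-EXAMPLE-0002", "cvss": 6.1, "fixedBy": "2.20.0"}]},
    {"name": "example-core.jar", "version": "2.14.1", "source": "JAVA",
     "vulns": [{"cve": "CVE-EXAMPLE-0003", "cvss": 9.8, "fixedBy": ""}]},
    {"name": "example-shell", "version": "1.31.1-r9", "source": "OS", "vulns": []}
  ]}
}`

func main() {
	img, err := ParseImage([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	fmt.Println("components by source:", CountBySource(img))
	for _, f := range FixableFindings(img, 7.0) {
		fmt.Printf("%-6s %s %s %s (CVSS %.1f) fixed in %s\n",
			f.Source, f.Component, f.Version, f.CVE, f.CVSS, f.FixedBy)
	}
}
```

Running the threshold query over your own images before you re-enable enforcement shows which language components a policy like Fixable CVSS >=7 will start blocking; the JAVA entry above is deliberately unfixable and is excluded, which is the same distinction the Fixable policies make.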

The StackRox Kubernetes Security Platform version 3.0.34 includes new features, bug fixes, and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

CIS Kubernetes version 1.5

The StackRox Kubernetes Security Platform now assesses compliance with the recently released version 1.5 of the Center for Internet Security (CIS) benchmark for Kubernetes. The current versions are v1.2.0 for Docker and v1.5.0 for Kubernetes. See benchmark versions for more details.

More options to update StackRox Collector for new kernel versions

The StackRox Collector image contains built-in support for runtime activity collection on currently available Linux kernel versions. To get support for new kernel versions, StackRox Collector automatically uses updated images and various secure download methods.

Starting from version 3.0.34.0, you can also upload new support packages by using the roxctl collector support-packages upload command. The StackRox Kubernetes Security Platform uses these support packages before falling back to download options. See Upload support packages to Central for more details.

Important bug fixes

Resolved in version 3.0.34.0

  • ROX-3581: We fixed an issue where some pages in the Configuration Management view showed a “not found” error under certain conditions.
  • We fixed various issues with graphs and filters in the Compliance view.
  • ROX-1849: The Access Control view now shows rules that match on the presence of a user metadata key, regardless of its value. Previously, these rules were accepted and enforced but weren’t shown in the portal.

Resolved in version 3.0.34.1

  • We fixed a memory leak in Collector that caused high memory consumption in busy environments.

Resolved in version 3.0.34.2

  • We fixed another memory leak in Collector that caused high memory consumption in busy environments.
  • You can now deploy the StackRox Kubernetes Security Platform using images built with the Red Hat Universal Base Image (UBI). See Use StackRox images built with UBI for more information.

Important system changes

Portal

You can add exclusions to StackRox policies based on cluster, namespace, deployment, and deployment labels. The StackRox portal now shows all the details of these excluded entries. Previously, only the deployment name was shown.

roxctl CLI

The roxctl image scan command now has a --force flag. This flag causes the StackRox Kubernetes Security Platform to re-pull image metadata and image scan results from the associated registry and scanner.

Policies

In new installations of the StackRox Kubernetes Security Platform, the built-in Iptables Executed in Privileged Container policy is now part of the “Network Tools” category. If you’ve already installed, we recommend changing the category yourself.

The StackRox Kubernetes Security Platform version 3.0.33 includes a bug fix and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Important bug fix

  • Previously, when you deleted a Kubernetes or OpenShift deployment, the StackRox Kubernetes Security Platform sometimes still returned deploy-phase policy violations, process execution records, and network flows for the deployment, if Central encountered an error while deleting objects in the database. StackRox Central now removes this data for deleted deployments when Central starts and when the regular garbage collection cycle runs. (This change was first released in version 2.5.32.1.)

Important system changes

Deployment

  • To make it easier to use certain types of persistent storage, the StackRox Central deployment now specifies a runAsUser and fsGroup value of 4000.
  • The StackRox Collector image contains built-in support for runtime activity collection on currently available Linux kernel versions. StackRox publishes updated images with support for additional versions. If your system can’t pull a new image, StackRox Collector attempts to securely download a support package for the new version. Starting from version 3.0.33.0, the StackRox Kubernetes Security Platform first attempts to access the new package by using StackRox Central’s network connection, to minimize external network usage in each StackRox Collector pod.

Configuration

  • ROX-3237: When you’re configuring an integration with a single-sign-on authentication provider, you can now edit the configuration until a user has successfully logged in. The configuration view also now more clearly shows whether edits are allowed. Previously the StackRox Kubernetes Security Platform didn’t allow you to edit settings after you created the integration.
  • When you’re viewing image vulnerability scan results, CVEs with a 0 score are now shown as Pending. These vulnerabilities haven’t been analyzed in the National Vulnerability Database, or are under dispute.
  • When you are configuring policy scope restrictions or exclusions, you can now write a regular expression for the namespace and label fields. You can use any syntax that RE2 supports.
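As an added illustration (not StackRox code), the following Go program shows what an RE2 namespace or label pattern matches, using Go’s regexp package, which implements RE2 syntax. The ScopeRule and Deployment types are this example’s own stand-ins for a scope entry and the deployment fields it is matched against. The release note does not say whether the product anchors patterns, so the example anchors them explicitly (an assumption) and also shows what an unanchored pattern would match.

```go
package main

import (
	"fmt"
	"regexp"
)

// ScopeRule stands in for one policy scope or exclusion entry: a namespace
// pattern plus an optional label key and label-value pattern. The type and
// field names are this example's own, not the StackRox API.
type ScopeRule struct {
	Namespace  string // RE2 pattern; empty matches any namespace
	LabelKey   string // exact label key; empty means no label condition
	LabelValue string // RE2 pattern for the label value; empty matches any value
}

// Deployment holds just the fields a scope rule looks at.
type Deployment struct {
	Namespace string
	Labels    map[string]string
}

// CompiledRule holds the compiled patterns. Go's regexp package implements
// RE2 syntax, so a pattern that compiles here is valid RE2.
type CompiledRule struct {
	ns       *regexp.Regexp
	labelKey string
	labelVal *regexp.Regexp
}

// anchor wraps a pattern so it must match the whole string: without this,
// "prod" would also match "non-prod". An empty pattern becomes match-all.
func anchor(pattern string) (*regexp.Regexp, error) {
	if pattern == "" {
		pattern = ".*"
	}
	return regexp.Compile("^(?:" + pattern + ")$")
}

// Compile validates and anchors the rule's patterns. Whether the product
// anchors patterns itself is not stated in the release note; this example
// assumes whole-string matching is what you want.
func Compile(r ScopeRule) (*CompiledRule, error) {
	ns, err := anchor(r.Namespace)
	if err != nil {
		return nil, fmt.Errorf("namespace pattern %q: %w", r.Namespace, err)
	}
	c := &CompiledRule{ns: ns, labelKey: r.LabelKey}
	if r.LabelKey != "" {
		if c.labelVal, err = anchor(r.LabelValue); err != nil {
			return nil, fmt.Errorf("label pattern %q: %w", r.LabelValue, err)
		}
	}
	return c, nil
}

// Matches reports whether the deployment is inside the rule's scope.
func (c *CompiledRule) Matches(d Deployment) bool {
	if !c.ns.MatchString(d.Namespace) {
		return false
	}
	if c.labelKey == "" {
		return true
	}
	v, ok := d.Labels[c.labelKey]
	return ok && c.labelVal.MatchString(v)
}

// UnanchoredMatch shows the behaviour the anchoring avoids.
func UnanchoredMatch(pattern, s string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(s), nil
}

func main() {
	rule, err := Compile(ScopeRule{Namespace: "prod(-.*)?", LabelKey: "app", LabelValue: "web|api"})
	if err != nil {
		panic(err)
	}
	for _, d := range []Deployment{
		{"prod-payments", map[string]string{"app": "api"}},
		{"non-prod", map[string]string{"app": "api"}},
		{"prod", map[string]string{"app": "apiserver"}},
	} {
		fmt.Printf("%-14s %v -> in scope: %v\n", d.Namespace, d.Labels, rule.Matches(d))
	}
	loose, _ := UnanchoredMatch("prod", "non-prod")
	fmt.Println("unanchored \"prod\" matches \"non-prod\":", loose)
}
```

The practical point: an exclusion written as prod silently excludes non-prod as well unless the pattern is anchored, so test each pattern against the namespace names you actually have before relying on it to narrow a policy.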

StackRox Scanner

  • Previously, Red Hat Security Advisories (RHSAs) were shown with a vulnerability score of 0. RHSAs now are assigned a score based on the highest-severity CVSS of the CVEs that are part of the RHSA. Each CVE also is now reported separately, so you can write policies or search queries based on the CVEs that are included in RHSAs.

API

  • ROX-3483: StackRox Central now serves a less-detailed API to anonymous users that only includes enough information to log in. To access any other details of authentication provider configuration, a user or API client must have Read access to the AuthProvider resource.
  • The validated field in the AuthProviderService APIs is deprecated and will be removed in version 3.0.35.0 or higher. Use the active field instead; this field indicates whether a user has successfully used the authentication provider to log in to the StackRox Kubernetes Security Platform.
  • The GetRisk API (/v1/risks/{subjectType}/{subjectID}) is removed. To get a deployment’s risk details, use GetDeploymentWithRisk (/v1/deploymentswithrisk/{id}) instead.

The StackRox Kubernetes Security Platform version 2.5.32 includes new features, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Microsoft Teams integration

You can now send alert notifications to Microsoft Teams. To get started, see Integrate with Microsoft Teams.

Common Vulnerability Scoring System (CVSS) v3

StackRox Scanner now shows CVSS v3 scores for image vulnerabilities. To learn more about CVSS v3 support, see View images in your environment.

Simplified updates for Collector

StackRox Collector monitors runtime activity on each node in your secured clusters. We’ve changed the default image tag for Collector so you get support for newer Linux kernel versions more easily. By default, StackRox Collector now uses a mutable image tag (<version>-latest) that StackRox updates every time a new kernel version is released. We don’t change code, or preexisting kernel modules or eBPF programs, in these versions.

If you mirror the Collector image into your own private registry, you must regularly re-pull the <version>-latest tag and push the updated image to your registry to take advantage of this feature.

See the Per-Node Services (Collector) section, to learn more about this change.

Important bug fixes

Resolved in version 2.5.32.0

  • ROX-3289: When you export a Compliance Evidence Report in CSV format, the StackRox Kubernetes Security Platform now includes a single row for each compliance control. Previously, each piece of evidence was included in a row of its own.
  • ROX-3462: Previously, Compliance Evidence Report CSV files listed informational results with the status Unknown. These entries now correctly list the status as Info.

Resolved in version 2.5.32.1

  • Previously, when you deleted a Kubernetes or OpenShift deployment, the StackRox Kubernetes Security Platform sometimes still returned deploy-phase policy violations, process execution records, and network flows for the deployment, if Central encountered an error while deleting objects in the database. StackRox Central now removes this data for deleted deployments when Central starts and when the regular garbage collection cycle runs.

Important system changes

StackRox Central and Sensor

  • ROX-3209: You can now customize the port used for Prometheus metrics in StackRox Central and Sensor by setting a value for the ROX_METRICS_PORT environment variable. Supported options include:

    • disabled,
    • :port-num (which binds to the wildcard address), and
    • host_or_addr:port. You can also provide an IPv6 address within brackets, for example, [2001:db8::1234]:9090.

    The default setting is still :9090.

  • When you redeploy a secured cluster using a new configuration bundle after disabling admission control, the admission controller configuration now gets deleted. Previously, the ValidatingWebhookConfiguration would remain in the cluster.

  • We’ve optimized the API for resolving multiple policy violations. Resolving multiple violations at a time is now faster.
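As an added example, not code from Central or Sensor, the following Go program parses the ROX_METRICS_PORT forms listed above with net.SplitHostPort, which already handles the bracketed IPv6 case, and returns an address ready for net.Listen. The MetricsEndpoint type and the extra validation (port range, rejecting an unbracketed IPv6 literal) are the example’s own choices.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// MetricsEndpoint is the parsed form of a ROX_METRICS_PORT value.
type MetricsEndpoint struct {
	Disabled bool
	Host     string // empty means the wildcard address
	Port     int
}

// Addr returns the address in the form net.Listen expects; an IPv6 host is
// bracketed again by net.JoinHostPort. Empty when metrics are disabled.
func (e MetricsEndpoint) Addr() string {
	if e.Disabled {
		return ""
	}
	return net.JoinHostPort(e.Host, strconv.Itoa(e.Port))
}

// ParseMetricsPort accepts the forms listed in the release note:
//   "disabled"               metrics server off
//   ":9090"                  wildcard address, port 9090
//   "10.0.0.5:9090"          specific host or address
//   "[2001:db8::1234]:9090"  IPv6 address in brackets
// An empty value yields the documented default, ":9090". The validation beyond
// that (port range, hostname characters) is this example's own.
func ParseMetricsPort(value string) (MetricsEndpoint, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		value = ":9090"
	}
	if strings.EqualFold(value, "disabled") {
		return MetricsEndpoint{Disabled: true}, nil
	}
	// SplitHostPort understands "[v6]:port" and rejects an unbracketed IPv6
	// literal such as "2001:db8::1234:9090", which has no unambiguous port.
	host, portStr, err := net.SplitHostPort(value)
	if err != nil {
		return MetricsEndpoint{}, fmt.Errorf("ROX_METRICS_PORT %q: %w", value, err)
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return MetricsEndpoint{}, fmt.Errorf("ROX_METRICS_PORT %q: port must be 1-65535", value)
	}
	if host != "" && net.ParseIP(host) == nil && strings.ContainsAny(host, " /\\@") {
		return MetricsEndpoint{}, fmt.Errorf("ROX_METRICS_PORT %q: invalid host", value)
	}
	return MetricsEndpoint{Host: host, Port: port}, nil
}

func main() {
	for _, v := range []string{"", "disabled", ":9090", "10.0.0.5:9091",
		"[2001:db8::1234]:9090", "2001:db8::1234:9090", "metrics:0"} {
		ep, err := ParseMetricsPort(v)
		if err != nil {
			fmt.Printf("%-24q -> rejected: %v\n", v, err)
			continue
		}
		fmt.Printf("%-24q -> disabled=%v addr=%q\n", v, ep.Disabled, ep.Addr())
	}
}
```

Binding to a specific address rather than the wildcard (for example 127.0.0.1:9090 when metrics are scraped by a sidecar) is the one setting here with a security effect: the wildcard form exposes the metrics endpoint on every interface the pod has.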

roxctl CLI

The roxctl CLI now supports more options so you can get the precise behavior you need.

  • You can now use the --insecure-skip-tls-verify option with most roxctl commands.
    • If you use --insecure-skip-tls-verify=false, the connection to StackRox Central fails if roxctl receives an invalid certificate.
    • If you use --insecure-skip-tls-verify=true, the connection to StackRox Central always succeeds, even if roxctl receives an invalid certificate.
    • If you don’t use this option, roxctl shows a warning message when it receives an invalid certificate, but the connection proceeds. In a future release, we intend to change roxctl to fail in this case.
  • If you use a custom Certificate Authority (CA) that’s not globally trusted, you can provide it using the --ca <filename> option.
  • You can now provide a --output-dir <dir> option to the following commands:
    • roxctl sensor generate
    • roxctl scanner generate
    • roxctl central debug dump
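The difference between --ca and --insecure-skip-tls-verify is easy to get wrong, so here is an added Go example (not roxctl’s code) that builds the client tls.Config each flag implies and checks a server certificate against it. To run offline it generates its own throwaway CA and leaf certificate; the CA stands in for the certificate you would download with roxctl central cert (described in the 3.0.39 notes above), and the names central.stackrox.svc and example-ca are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ClientTLSConfig builds the verification policy the two roxctl flags imply:
// caPEM is the contents of the file given to --ca (nil: system roots only) and
// insecure corresponds to --insecure-skip-tls-verify=true. This mapping is the
// example's reading of the release note, not roxctl's own code.
func ClientTLSConfig(caPEM []byte, insecure bool) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("--ca file contains no PEM certificate")
		}
		cfg.RootCAs = pool
	}
	return cfg, nil
}

// VerifyServerCert applies cfg the way the handshake would: with
// InsecureSkipVerify set, any certificate for any name is accepted.
func VerifyServerCert(cfg *tls.Config, cert *x509.Certificate, serverName string) error {
	if cfg.InsecureSkipVerify {
		return nil
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: serverName})
	return err
}

// NewCA creates a throwaway self-signed CA standing in for the certificate
// that roxctl central cert would download. Returns cert, key and PEM.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// IssueServerCert signs a leaf certificate for dnsName with the given CA.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, caKey, caPEM, err := NewCA()
	if err != nil {
		panic(err)
	}
	leaf, err := IssueServerCert(ca, caKey, "central.stackrox.svc")
	if err != nil {
		panic(err)
	}
	cases := []struct {
		flag     string
		caPEM    []byte
		insecure bool
	}{{"--ca <central-cert>", caPEM, false}, {"no --ca", nil, false}, {"--insecure-skip-tls-verify=true", nil, true}}
	for _, c := range cases {
		cfg, _ := ClientTLSConfig(c.caPEM, c.insecure)
		fmt.Printf("%-32s verify central.stackrox.svc: %v\n", c.flag, VerifyServerCert(cfg, leaf, "central.stackrox.svc"))
	}
}
```

With --insecure-skip-tls-verify=true the check is skipped entirely, so anyone who can intercept the connection can present any certificate and read the API token roxctl sends; prefer --ca with the real Central certificate and leave verification on.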

The StackRox Kubernetes Security Platform version 2.5.31 includes new features, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

CRI-O support

The StackRox Kubernetes Security Platform now supports monitoring runtime activity and assessing host compliance on nodes running CRI-O. This feature doesn’t require any additional setup or configuration.

Kubernetes on DC/OS support

The StackRox Kubernetes Security Platform now supports securing clusters created using Kubernetes on DC/OS. This feature doesn’t require any additional setup or configuration.

IBM and Red Hat registry integrations

The StackRox Kubernetes Security Platform integrates with virtually any image registry. In this version, we’ve added native integrations for improved compatibility with IBM Cloud Container Registry (ICR) and the official Red Hat container registries.

Important bug fixes

  • ROX-2567: The setup.sh script, which configures image pull secrets, now handles passwords with spaces or other special characters.
  • ROX-3351: We’ve improved the reliability of the Red Hat vulnerability definition update process in StackRox Scanner. Previously, Red Hat Security Advisories weren’t included in offline definition updates or in the built-in copy of vulnerability definitions that’s included in the StackRox Scanner image.
  • ROX-3430: The Jira integration now supports additional options for Priority. Previously, using such values would cause an error message to appear in the StackRox portal.
  • ROX-3454: In some clusters, localhost could resolve to an address outside of the local container. StackRox services now directly use 127.0.0.1.

Important system changes

StackRox Central

When you configure a custom server certificate, or make changes to the central-htpasswd secret, the StackRox Kubernetes Security Platform applies all changes without the need to restart Central.

  • To update the server certificate, edit the central-default-tls-cert secret.

  • To reset your administrator password, create a new htpasswd file and then update the central-htpasswd secret.

    Kubernetes may take up to a minute to propagate any updates you make.

StackRox Collector

  • The StackRox Collector DaemonSet now deploys to all nodes in a cluster by default, regardless of node taints. This behavior applies to new installations and to installation files regenerated for existing clusters. To disable this behavior, pass the --disable-tolerations flag to the roxctl sensor generate command or turn off the Enable Taint Tolerations toggle in the Platform Configuration > Clusters view.
  • In previous versions, when you ran compliance scans, the compliance data collection process ran in its own dynamic DaemonSet. Now the StackRox Kubernetes Security Platform uses the existing Collector DaemonSet for compliance data collection.

StackRox Scanner

We’ve updated the Scanner v2 (preview) to a new version. This version includes a variety of improvements, such as more accurate reporting of vulnerability CVSS scores.

Starting from version 3.0.35, language-specific vulnerability scanning is available by default and we’ve deprecated Scanner v2 (preview). If you are using the preview version, follow the upgrade instructions to switch to the generally available version of StackRox Scanner.

roxctl CLI

The roxctl CLI now handles more networking configurations:

  • roxctl can now connect with Central servers exposed behind a non-gRPC-capable proxy like AWS ELB/ALB. To support this, requests go through an ephemeral client-side reverse proxy. If you observe any issues with roxctl that you suspect might be because of this change, pass the --direct-grpc flag to return to the old connection behavior.
  • roxctl can now connect to Central servers exposed over plaintext (either directly or by a plaintext proxy talking to a plaintext or TLS-enabled server). While this configuration is usually insecure and not recommended, you can use this mode by passing the --plaintext and --insecure flags when you run a command.

The StackRox Kubernetes Security Platform version 2.5.30 includes new features, bug fixes, scale improvements, and other changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Configuration management

The StackRox Kubernetes Security Platform now features a Configuration Management view in the StackRox portal for managing configuration across your applications and infrastructure. This view shows policy violations and configuration assessments, and introduces new ways to explore all the related deployments, policies, service accounts, and other objects in your clusters.

Kubernetes RBAC visibility

Kubernetes role-based access control (RBAC) configurations have a significant impact on your security posture. The Configuration Management view allows you to see all your service accounts, users, groups, roles, and permissions so that you can find unnecessary exposures or risks.

Important bug fixes

  • ROX-1478: The replica count for DaemonSet applications now shows the correct number of replicas.
  • ROX-3216: Previously, entering an unreachable SAML metadata URL while integrating a SAML Identity Provider caused the StackRox portal to stop responding. The portal now handles this error.
  • ROX-3236: Previously, when you saved role-based access control mappings that included a colon, the server appeared unresponsive. These mappings are now applied correctly.

Important system changes

  • The StackRox Central database uses a new format that performs better and frees disk space more proactively. The upgrade includes an automatic migration to the new format. The migration first compacts the existing database, then converts existing data to the new format. The upgrade requires available disk space; please carefully review the upgrade instructions.

  • We’ve updated StackRox Scanner to use the National Vulnerability Database’s JSON API due to the upcoming shutdown of their XML API. We’ve also made the update process more reliable for vulnerabilities in images based on Red Hat Enterprise Linux, CentOS, or similar operating systems.

  • If a policy assesses Kubernetes RBAC configurations, the policy violation message previously included capitalized phrases like CLUSTER_ADMIN. We’ve improved the violation message text, and now it uses more natural English.

  • When building a baseline of each deployment’s activity, the StackRox Kubernetes Security Platform now automatically includes any behavior observed in the first minute of a container’s creation.

  • The StackRox Kubernetes Security Platform now assesses compliance with the recently released versions of the Center for Internet Security (CIS) benchmarks. The current versions are v1.2.0 for Docker and v1.4.1 for Kubernetes. See benchmark versions for more details.

  • ROX-3239: If you are using Docker pull-through cache, a Sonatype Nexus proxy repository, or a similar proxy as the default image registry instead of docker.io (Docker Hub), you can now specify a custom default image registry for each cluster in the Platform Configuration > Clusters view.

    To apply this setting in an existing cluster:

    1. Navigate to Platform Configuration > Clusters. Select the cluster.

    2. Under Dynamic Configuration (syncs to Sensor), specify the new registry.

    3. Add a registry integration if one isn’t configured yet.

    4. Delete existing images from Docker Hub. The -k flag disables verification of Central’s TLS certificate; if you have Central’s CA certificate, use --cacert <ca-file> instead.

      1. Preview the images you will delete:
        curl -sk -X DELETE -H "Authorization: Bearer <admin api token>" "https://<endpoint>/v1/images?query.query=Image%20Registry:docker.io"
      2. If the number of images is what you expect, delete the images:
        curl -sk -X DELETE -H "Authorization: Bearer <admin api token>" "https://<endpoint>/v1/images?query.query=Image%20Registry:docker.io&confirm=true"
    5. In the secured cluster, delete the sensor pod:

      1. Find the name of the sensor pod:
        kubectl get pod -n stackrox
        or, on OpenShift:
        oc get pod -n stackrox
      2. Delete the pod:
        kubectl delete pod -n stackrox <pod name>
        or, on OpenShift:
        oc delete pod -n stackrox <pod name>
  • The roxctl image check command now returns an error if an image can’t be pulled and scanned.

  • All built-in policies for image components and vulnerabilities now enable the “Build” lifecycle stage by default.

API changes

  • In the GetAlert API, we’ve removed the link field from all objects in the violations field. This field previously held links to each identified vulnerability if the policy referred to vulnerabilities.
  • In the /v1/processes APIs, we’ve removed the emitTimestamp field. API responses have never set a value for this field.
  • The TriggerRun (/v1/complianceManagement/runs) endpoint is removed. To trigger a compliance assessment, use TriggerRuns (/v1/compliancemanagement/runs) instead.

The StackRox Kubernetes Security Platform version 2.5.29 includes new features, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Version 2.5.28 wasn’t released.

New feature

Automatic upgrades

Automatic upgrades make it easier to stay up-to-date by automating the manual task of upgrading each secured cluster. After you upgrade to version 2.5.29, you can use automatic upgrades for future releases of the StackRox Kubernetes Security Platform.

Automatic upgrades are enabled by default in version 2.5.29. If you prefer to complete future upgrades manually, you can disable automatic upgrades.

Important bug fixes

  • ROX-2536: If you mount Kubernetes secrets as environment variables using a secretKeyRef, your deployments will no longer violate the built-in policy Environment Variable Contains Secret.
  • ROX-2982: We fixed the issue of missing data in PDF exports for namespaces in the Compliance view.
  • ROX-3034: We’ve restored the CSV download option on some parts of the Compliance view.
  • ROX-3044: In the Compliance view, the loading animation for Scan Environment remains visible until all results are retrieved.

Also, see additional bugs resolved in versions 2.5.27.1 and 2.5.27.2.

Important system changes

Changed in version 2.5.29.0

  • As part of the automatic upgrades feature, we’ve moved the Clusters integrations from Platform Configuration > Integrations to a new page. To open it, select Platform Configuration > Clusters from the left-hand navigation menu.
  • In the Risk view, the Process Discovery tab now always shows, even if there are no observed processes.
  • ROX-3000: When you integrate with a SAML 2.0 identity provider (IdP) and use IdP-initiated sign-in, you no longer need to set a default RelayState. The StackRox Kubernetes Security Platform automatically associates SAML responses with the correct IdP. If the automatic association fails, you can now see the correct RelayState value under Platform Configuration > Access Control.
  • The StackRox Collector image tag matches the major version of the StackRox Kubernetes Security Platform (currently 2.5). Previously, the Collector image tag was a Git reference beginning with 1.6.0. See the upgrade instructions to find the right tag for your release.
  • The updatedAt field in the GetDeployment API is renamed to created because it reports the deployment creation time.
  • We changed the Prometheus scrape endpoint in StackRox services from localhost:9090 to :9090 so you can more easily scrape metrics using your own Prometheus server.

Changed in version 2.5.29.1

  • Collector now supports runtime activity monitoring on the latest Red Hat Enterprise Linux kernel releases (versions beginning with 3.10.0-1062).
    • eBPF-based runtime activity collection isn’t yet supported on these kernel versions.
    • Collector will automatically fall back to kernel module-based collection if you request eBPF-based collection on a node running an affected kernel version.
    • In new deployments, the default Collector image tag is now 2.5.3. To apply this update in an existing secured cluster, follow the upgrade instructions.

Also, see additional system changes in versions 2.5.27.1 and 2.5.27.2.

Version 2.5.28 of the StackRox Kubernetes Security Platform wasn’t released. The next release is version 2.5.29.

The StackRox Kubernetes Security Platform version 2.5.27 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Precise data retention

You can now configure data retention settings for violations and images in the StackRox portal. These settings also enable better control, since you can now set different retention periods for different kinds of violations.

Resumable restore operations

During a database restore operation by using the roxctl command-line tool, if your connection is interrupted or you need to go offline, you can now resume the restore later. See Backup and restore for more information.

Important enhancements

  • ROX-2519: The StackRox Kubernetes Security Platform now includes PodSecurityPolicy configurations for each StackRox Kubernetes deployment so you can deploy the StackRox Kubernetes Security Platform seamlessly in clusters that enforce pod security policies.
  • ROX-2311: The StackRox portal now handles temporary connection problems better. If the server becomes reachable again after temporarily being unreachable, you’ll now see a message asking you to refresh the page.

Important bug fixes

Resolved in version 2.5.27.0

  • ROX-2424: In the Compliance view, some buttons and screens would crash if the Sensor in a secured cluster hadn’t checked in yet. The StackRox portal now correctly handles this case.
  • ROX-2781: The browser appeared frozen when accessing the Process Discovery tab in the Risk view and selecting an image in the Images view. We’ve optimized the page rendering to fix this issue.
  • ROX-2886: In the “Passing Standards by Cluster” widget on the Dashboard view, you couldn’t use the arrow buttons to cycle through more than three clusters. The buttons now work correctly.
  • ROX-2927: The Images view would change back to the first page of results after you selected an image to view. The table now stays on the page you’ve opened.
  • ROX-2929: The roxctl central generate command now runs successfully on Windows.

Resolved in version 2.5.27.1

  • ROX-2568: We’ve updated the StackRox Kubernetes Security Platform integration with Jira to handle recent changes to Jira Cloud’s authentication process.
  • ROX-2985: The StackRox Kubernetes Security Platform Jira integration now automatically discovers available options for the priority field when creating issues, in case your project uses custom values like P3-Minor.
  • ROX-2998: We’ve fixed an issue where the Process Discovery view could show processes without names.
  • ROX-3133: If you deploy CronJob resources in Kubernetes, you could previously see warning logs in the StackRox Sensor. Because these logs didn’t reflect any incorrect system behavior, we’ve lowered their level so that they only appear in debug-level logs.

Resolved in version 2.5.27.2

Important system changes

Changed in version 2.5.27.0

  • When you’re backing up the database by using the roxctl central db backup command, you can now provide a file output location using the new --output option.
  • The StackRox Kubernetes Security Platform periodically refreshes data from external systems like image scanners. The StackRox Kubernetes Security Platform now spreads these refresh requests over a four-hour interval to reduce load instead of refreshing every hour.
  • If you configure data retention settings, the StackRox Kubernetes Security Platform now checks for expired data every hour instead of every 24 hours.

Changed in version 2.5.27.1

  • We’ve clarified the text shown in the StackRox portal when you are configuring role-based access control. We’ve changed the “Default role” field name to “Minimum access role” to explain its purpose better. System behavior and APIs remain the same:

    • you can select a minimum access role to grant to all users who sign in with the configured authentication provider, and
    • you can grant additional roles to specific users and groups using rules.
  • StackRox Central now compacts its database files by default. Compaction saves disk space by freeing the space used for already-deleted objects. The compaction process begins if the free space is above a configured threshold when Central restarts.

Security updates

  • We’ve updated our images to resolve the CVE-2019-14697 vulnerability in the Alpine Linux musl library. We identified this vulnerability in StackRox images by using the StackRox Scanner. However, this vulnerability doesn’t apply to the StackRox Kubernetes Security Platform because:

    • The vulnerability only affects musl when running on a host with the 32-bit x86 architecture, whereas the StackRox Kubernetes Security Platform only runs on the amd64 (x86_64) architecture, which isn’t affected.
    • The binaries in the StackRox Kubernetes Security Platform are linked statically, so they don’t use the affected musl library. The StackRox Kubernetes Security Platform doesn’t pass any user input to the affected binaries in Alpine Linux.
  • Netflix recently published a security advisory identifying several problems that can cause HTTP/2 servers to exhaust resources serving specially crafted requests. The Go programming language was affected by two of these vulnerabilities (CVE-2019-9512 and CVE-2019-9514). We’ve updated the StackRox Kubernetes Security Platform to use a new version of Go that resolves these vulnerabilities.

The StackRox Kubernetes Security Platform version 2.5.26 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Important enhancements

  • ROX-2639: The StackRox Kubernetes Security Platform now automatically removes labels and annotations from alert notifications if needed to avoid exceeding the Splunk HTTP Event Collector size limit.
  • ROX-2838: Previously, you could only select from a fixed set of user attributes when configuring Role-based access control (RBAC) in the StackRox portal. You can now see all the attributes that the identity provider has provided for users who’ve logged in.
  • ROX-2811: We’ve improved the performance of compliance check result processing, so you see results earlier in large clusters.

Important bug fixes

Resolved in version 2.5.26.0

  • ROX-1931: Compliance assessments for the Payment Card Industry Data Security Standard (PCI DSS) now correctly refer to PCI DSS version 3.2.1 instead of version 3.2.
  • ROX-2802: The network graph now loads more predictably in large environments.

Resolved in version 2.5.26.1

  • ROX-2950: In version 2.5.26.0, you couldn’t add a new authentication provider in the UI. This issue is resolved in version 2.5.26.1.

Important system changes

  • Writable file system paths in StackRox Central are now specified explicitly in the Kubernetes Deployment specification. This change improves compatibility with different container engine configurations.

The StackRox Kubernetes Security Platform version 2.5.25 includes several new features and enhancements. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Key features and improvements

Optional unencrypted HTTP endpoint

You can now enable a plaintext HTTP server on the StackRox Kubernetes Security Platform for compatibility with ingress controllers, Layer 7 load balancers, or other solutions that require plain HTTP (not HTTPS) back ends. You can expose the StackRox portal over HTTP during installation or on an existing deployment.

OpenShift sensor bundle generation

You can now use the roxctl sensor generate openshift command to generate sensor deployment bundles for OpenShift clusters. Previously, it was only available for Kubernetes clusters.

Improved registry compatibility

Some image registries don’t support checking access before downloading public images. When you are integrating with a new registry, you can now skip this test for the affected registries, including docker.bintray.io, k8s.gcr.io, and registry.gitlab.com.

Important bug fixes

Resolved in version 2.5.25.0

  • ROX-2655: Previously, after a Kubernetes rolling upgrade, the Images view could show multiple entries for a single image tag. This issue is resolved.
  • ROX-2762: The View Active YAMLS button in the Network Graph view was inadvertently removed in version 2.4.24.0. The button is restored to its previous location.
  • ROX-2794: In large clusters, loading specific compliance views could previously use large amounts of memory and could exceed memory limits. These operations are optimized to reduce memory usage significantly.
  • ROX-2797: Previously, custom alert data retention settings were discarded due to an internal logic error. This issue is resolved.
  • ROX-2806: Backing up large databases to Amazon S3 could fail with an error related to multipart file uploads. This issue is resolved.

Resolved in version 2.5.25.1

  • ROX-2812: Starting in version 2.4.24, PDF exports from the Compliance view contained incorrect data in certain columns. This issue is resolved in version 2.5.25.1.
  • ROX-2853: In version 2.5.25.0, risk calculations would vary over time in deployments with multiple containers per pod. This issue is resolved in version 2.5.25.1.

Important system changes

  • ROX-2649: OpenShift requires that Security Context Constraints (SCCs) exist before deployments can reference them. We’ve renamed the SCC file so that oc create -R creates it before creating any deployments.

  • Due to the addition of the roxctl sensor generate openshift command, you must specify the --admission-controller flags (which are exclusive to Kubernetes clusters and aren’t available in OpenShift) after the k8s command. For example, the command:

    roxctl sensor generate --admission-controller=true k8s

    is no longer valid.

    Instead, use the following command:

    roxctl sensor generate k8s --admission-controller=true

The StackRox Kubernetes Security Platform version 2.4.24 includes several new features and enhancements. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Key features and improvements

Client certificate authentication (PKI)

You can now set up client certificate authentication so users can provide their client certificates to log in. If your organization issues client certificates, configure an authentication provider to get started.

Scoped access control

Different teams are often responsible for working with separate clusters or namespaces. You can now set up an authorization plugin to grant users granular, scoped access to individual clusters or namespaces. To get started, see configure an authorization plugin.

Scoped access control is an advanced feature, and it requires additional manual configuration. We recommend that you only use scoped access control if you’re unable to configure the required access levels by using role-based access control.

Performance improvements

Version 2.4.24 includes significant optimizations to reduce resource usage and improve response times.

Database backup operations now complete faster and show progress bars while they’re ongoing. To make it easier to back up a large database, the timeout you set in roxctl is now used as an initial deadline for the file to begin downloading. After that, the backup continues as long as data is successfully flowing from the server to the client.

Important bug fixes

  • ROX-2660: The roxctl command-line client now uses less memory to complete database restore tasks.
  • ROX-2668: Previously, StackRox Scanner would fail to start in clusters with oci-systemd-hook enabled. This issue is resolved.
  • ROX-1883: In large clusters, loading the compliance view could previously use large amounts of memory and could exceed memory limits. This operation is optimized to reduce memory usage significantly.

Important system changes

  • ROX-2543: You can now specify the NameID format for SAML single-sign-on integrations. Some SAML Identity Providers require this format.
  • ROX-2158: When you filter a view based on time, the filtering behavior is now more intuitive. Searching for violations with time >1d, for instance, now returns violations that occurred more than one day ago, not after one day ago.
  • The /v1/deployments/metadata/multipliers API is removed. User-defined risk multipliers (previously accessible only through this API) are no longer taken into account.

The StackRox Kubernetes Security Platform version 2.4.23 includes several new features and enhancements. To upgrade to this release from a previous version, see the Upgrade StackRox section.

The StackRox Kubernetes Security Platform enforces licensing restrictions in version 2.4.20 and higher.

Contact your sales representative or StackRox support if you don’t have a license.

Key features and improvements

Offline mode

You can now enable Offline Mode to run the StackRox Kubernetes Security Platform in clusters without internet connectivity. See the Offline mode instructions for more details.

Kubernetes RBAC assessment

It’s important to know what access users and service accounts have to the Kubernetes API. Risk assessments, policies, and compliance checks now account for Kubernetes Role-Based Access Control (RBAC) privileges. Navigate to the Risk or Compliance views in the left-hand navigation menu to see RBAC data, or configure policies under Platform Configuration > System Policies.

Performance improvements

Version 2.4.23 includes new optimizations to reduce disk space requirements and make Central start up faster.

Important bug fixes

  • ROX-2488: Previously, API responses were sometimes truncated incorrectly, delivering fewer objects than requested. The API server now delivers up to 1000 matching objects, depending on the pagination parameters you use. See the API guide for more information.
  • ROX-2429: Packages in the Scanner and Monitoring images have been updated to address CVEs.
  • ROX-2487: Previously, backup requests for large databases could time out or require additional RAM to complete. The backup process is optimized, and the default timeout is increased to 60 minutes in version 2.4.23.1.
  • ROX-2464: Previously, loading active flows in the network graph could fail or time out for clusters with a large number of deployments and network connections. This issue is resolved in version 2.4.23.1.
  • ROX-2645: Previously, some OpenShift pods weren’t handled as part of the deployments that created them, especially ReplicationControllers. This issue is resolved in version 2.4.23.2.

Important system changes

  • You can now configure the size of the persistent volume for Central during installation.
  • The resource requests and limits for Central and Sensor have been increased to provide a more predictable user experience.
  • StackRox Scanner now communicates with Central using mutual TLS.
  • Previously, the Prometheus endpoint for Central was available over HTTPS on port 8443. For better compatibility with monitoring systems, the endpoint now is available over plain HTTP on port 9090.
  • You can now configure a retention period for alerts using the API. Once configured, Central deletes the alerts after the retention period expires. See Enable alert data retention to get started.

The StackRox Kubernetes Security Platform version 2.4.22 includes several new features and enhancements. To upgrade to this release from a previous version, see the Upgrade StackRox section.

The StackRox Kubernetes Security Platform enforces licensing restrictions in version 2.4.20 and higher.

Contact your sales representative or StackRox support if you don’t have a license.

Key features and improvements

Sumo Logic integration

You can now forward alerts to Sumo Logic. See the Integrate with Sumo Logic page for more details.

Security notices

You can now display custom notices in the header or footer of every page, or on the login screen. These notices can help you meet information security requirements or remind users of corporate policies. See the Add security notices page for more details.

Dynamic Sensor reconfiguration

You can now adjust Admission Control configurations, including timeouts and other options, without redeploying Sensor. To get started, navigate to Platform Configuration > Integrations and select Kubernetes or OpenShift. Choose a cluster and edit the dynamic configuration options shown.

License information display

You can now use the roxctl command-line program to show important details of your StackRox license key, so you can tell which key is the right one to apply. Run the following command to view your license details:

roxctl central license info --license <license-file-name>

Important bug fixes

  • ROX-2347: Previously, certain resources were left out of the list when configuring custom access roles. You can now select all the resources when you configure role-based access control (RBAC).
  • ROX-2341: Previously, some alerts sent to Splunk were larger than the maximum allowed size of 10 KB and the Splunk HTTP Event Collector dropped these events. Alerts sent to Splunk are now streamlined to be within the size limit.

Important system changes

  • ROX-2342: The default size of the Persistent Volume Claim for Central is increased to 100 GiB.
  • ROX-1865: The StackRox portal no longer downloads resources from the internet, giving you a better experience if your network access is restricted.

The StackRox Kubernetes Security Platform version 2.4.21 includes several new features and enhancements. To upgrade to this release from a previous version, see the Upgrade StackRox section.

The StackRox Kubernetes Security Platform enforces licensing restrictions in version 2.4.20 and higher.

Contact your sales representative or StackRox support if you don’t have a license.

Key features and improvements

Analyze process activity

Gain more visibility and control over the processes running in your deployments. From the Risk view, you can now see and address abnormal process executions. You can also define a set of processes that are allowed to run and trigger violations for all other processes. See the use process baselining page for more details.

Custom TLS server certificate

You can now set a custom certificate on the Central server, so users and API clients don’t have to bypass certificate security warnings.

Dark mode

You can now change the StackRox portal to use a darker color scheme. To toggle between the dark mode and the light mode (default), select the Sun or the Moon icon in the upper right corner.

eBPF on Red Hat Enterprise Linux

You can now choose to collect runtime activity on Red Hat Enterprise Linux using an Extended Berkeley Packet Filter (eBPF) program instead of a kernel module. To use eBPF in a cluster, select the eBPF option when you configure a Kubernetes or OpenShift cluster in the Platform Configuration > Integrations view.

Policies on volumes

You can now add policies that check whether host-mount or other volumes are writable so that you can prioritize writable volumes over read-only volumes. To get started, navigate to Platform Configuration > System Policies.

Important bug fixes

  • ROX-2157: Previously, the API reference showed field names with the wrong capitalization. The API reference documentation now uses the correct capitalization (camelCase).
  • ROX-1840: In the Role-Based Access Control (RBAC) configuration view, there was a mismatch between the listed permissions and the initially defined permissions. The view now shows the correct set of permissions defined for a role.
  • ROX-2389: Previously, StackRox Central could crash while sending a violation to Splunk if an invalid image name was used in the affected deployment. Version 2.4.21.2 resolves this issue.

The StackRox Kubernetes Security Platform version 2.4.20 includes several new features and enhancements. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Key features and improvements

License enforcement

The StackRox Kubernetes Security Platform enforces licensing restrictions in version 2.4.20 and higher.

Contact your sales representative or StackRox support if you don’t have a license.

New network graph

An enhanced network graph providing easier scaling and better interactivity is now available. You can now move namespaces and see more details to understand how your applications communicate.

Backup and restore to Amazon S3

You can now back up your database to an Amazon S3 bucket and restore from a saved copy. To get started, open Platform Configuration > Integrations and set up an S3 backup schedule.

Improved compliance layout

When you’re evaluating your infrastructure for compliance, now it’s easier to see the details of related entities for every cluster, node, namespace, deployment, or control. With the updated layout, you now can stay on one page and use multiple tabs to navigate and view all related entity information.

New policy field for port exposure

You can now write policies to find services that are exposed using Kubernetes LoadBalancer or NodePort services, or with hostPort pod configurations.

Important bug fixes

  • ROX-1892: In the previous version, removing nodes from a cluster didn’t delete related objects from memory, resulting in the Sensor consuming large amounts of memory. The Sensor service now correctly frees memory when you remove nodes from a secured cluster.
  • ROX-1955: Previously, there was a mismatch between the actual default timeout and the default timeout displayed in the roxctl command-line interface (CLI) --help command. The roxctl CLI now correctly sets default timeouts for different commands, especially for database backups. You can still specify timeouts explicitly.
  • ROX-2011: In versions 2.4.20.0 through 2.4.20.4, some users couldn’t get past an “Authenticating” message when accessing the StackRox portal. Version 2.4.20.5 resolves this issue.

Known issues

  • ROX-1959: If you have created custom Role-Based Access Control (RBAC) roles, you must grant users Read access to the Licenses resource before they can access the StackRox portal.

The StackRox Kubernetes Security Platform version 2.4.19 includes several new features and enhancements. To upgrade to this release from a previous version, see the Upgrade StackRox section.

eBPF Data collection (Preview)

When securing a cluster, you can now choose to collect the runtime activity by using an Extended Berkeley Packet Filter (eBPF) program instead of a Linux kernel module.

This feature adds support for runtime visibility and detection in clusters running Container-Optimized OS from Google.

  • To use eBPF data collection, your cluster nodes must run a supported operating system and kernel version, such as Ubuntu, Debian, or Container-Optimized OS from Google.

  • eBPF collection is available as a Preview feature. It’s recommended to test this feature in a development or testing environment before deploying it in a production environment.

Policy scopes

You can now apply policies to specific clusters or namespaces, or only to services matching specific labels.

Audit logging and export

Important system changes are now saved and exported to Splunk. To get started, configure a Splunk integration.

Improved compliance UI

When you’re assessing compliance, it’s now easier to see the details of related controls, namespaces, and nodes for each cluster. Look for the new tabs on the compliance page for your cluster.

In-product documentation

A copy of the StackRox Kubernetes Security Platform documentation is now included in the StackRox Portal. To access it, log in and enter the URL <stackrox-portal-address>/docs/product/.

The StackRox Kubernetes Security Platform version 2.4.18 includes several new features and enhancements. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Network policy generation

With the new network policy generation feature, you can generate network policies based on the network traffic flows in your environment. After a network policy is generated, you can preview the effects of these policies, share them with your team, download them for testing, or directly apply them in your cluster. See Generate network policies for details.

Network graph performance improvements

With the latest performance improvements, you can view hundreds more deployments in the network graph to understand their actual traffic flows and allowed network communication paths. See View network policies for details.

Azure Container Registry integration

You can now connect to Microsoft Azure Container Registry, so you have the context you need to understand your deployments.

Generic webhook alert notifications

Notify other services using webhooks when specific alerts occur in the StackRox Kubernetes Security Platform. Use these webhooks to send relevant information in JSON format to an HTTP endpoint, so you can integrate StackRox alerts into any business system or process.

Policies for fixable CVEs

Minimize alert fatigue by writing policies that only alert on vulnerabilities with available patches.

The StackRox Kubernetes Security Platform version 2.4.17 includes several new features and enhancements. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Network policy generator

Generate network policies based on actual network traffic flows in your environment. Preview the effects of these policies and send them to your team so they can be applied.

Network flow visualization improvements

You can now select the time when viewing the network graph so that you can tell which traffic is recent and which is no longer active. See View network policies for details.

Anchore image scanner integration

Integrate with the Anchore open-source image scanner, in addition to existing options such as Clair, Docker Trusted Registry, Google Container Analysis, Quay, and StackRox Scanner.

View user IDs in Process Discovery

See the user ID for each process running in your environment so you can find processes running under privileged accounts.

The StackRox Kubernetes Security Platform version 2.4.16 includes several new features and enhancements. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Compliance management

Continuously assess your compliance with industry best practices and regulatory requirements, including:

  • Center for Internet Security (CIS) Benchmark for Kubernetes and Docker,
  • National Institute of Standards and Technology (NIST) Special Publication (SP) 800-190,
  • Payment Card Industry Data Security Standard (PCI DSS) 3.2, and
  • Health Insurance Portability and Accountability Act (HIPAA).

See Manage compliance for details.

Kubernetes-native controls and workflows

Admission control enforcement

Verify critical security policies using an Admission Controller before applications are allowed to deploy.

Helm charts for deployment

Use our Helm chart to deploy StackRox services the same way you roll out your own applications.

Network flow and policy visualization

Visualize the effects of existing network policies, see actual network activity, and simulate new policies before applying them. See Manage network policies for details.

Splunk integration

Send StackRox Kubernetes Security Platform alerts to Splunk for consolidated monitoring and management.

Improved threat detection

Process visualization

Understand what’s running in your deployments with improved process activity visualization features.

Process ancestor analysis

Detect security issues and understand alerts faster with information about each process’s parent processes.

Improved single sign-on (SSO)

Expanded authentication provider support

Connect to your SAML or OpenID Connect Identity Provider for seamless single sign-on (SSO). See Integrate with identity management systems for details.

Role-based access control (RBAC)

Control access to StackRox features using user metadata from your identity provider.

Platform updates

Command-line interface (roxctl)

Automate common interactions with the StackRox Kubernetes Security Platform using the command line, including:

  • Database backup and restore,
  • Deployment of central services,
  • Deployment of monitoring services into each secured cluster, and
  • Evaluation of policies against images or Kubernetes or OpenShift deployments.

Rolling upgrades

Enjoy simpler, faster upgrades that only require a few kubectl or oc commands.

Zero-touch image registry integration

Seamlessly connect to your image registries so you have the context you need to understand your deployments.

Sonatype Nexus

The StackRox Kubernetes Security Platform now integrates with the Sonatype Nexus image registry, in addition to all previously supported registries.

© 2021 StackRox Inc. All rights reserved.