The StackRox Kubernetes Security Platform version 2.5.27 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.
You can now configure data retention settings for violations and images in the StackRox portal. These settings also enable better control, since you can now set different retention periods for different kinds of violations.
During a database restore operation by using the `roxctl` command-line tool, if your connection is interrupted or you need to go offline, you can now resume the restore later. See Backup and restore for more information.
- ROX-2519: The StackRox Kubernetes Security Platform now includes `PodSecurityPolicy` configurations for each StackRox Kubernetes deployment so you can deploy the StackRox Kubernetes Security Platform seamlessly in clusters that enforce pod security policies.
- ROX-2311: The StackRox portal now handles temporary connection problems better. If the server becomes reachable again after temporarily being unreachable, you’ll now see a message asking you to refresh the page.
- ROX-2424: In the Compliance view, some buttons and screens would crash if the Sensor in a secured cluster hadn’t checked in yet. The StackRox portal now correctly handles this case.
- ROX-2781: The browser appeared frozen when accessing the Process Discovery tab in the Risk view and selecting an image in the Images view. We’ve optimized the page rendering to fix this issue.
- ROX-2886: In the “Passing Standards by Cluster” widget on the Dashboard view, you couldn’t use the arrow buttons to cycle through more than three clusters. The buttons now work correctly.
- ROX-2927: The Images view would change back to the first page of results after you selected an image to view. The table now stays on the page you’ve opened.
- ROX-2929: The `roxctl central generate` command now runs successfully on Windows.
- ROX-2568: We’ve updated the StackRox Kubernetes Security Platform integration with Jira to handle recent changes to Jira Cloud’s authentication process.
- ROX-2985: The StackRox Kubernetes Security Platform Jira integration now automatically discovers available options for the priority field when creating issues, in case your project uses custom values like
- ROX-2998: We’ve fixed an issue where the Process Discovery view could show processes without names.
- ROX-3133: If you deploy `CronJob` resources in Kubernetes, you could previously see warning logs in the StackRox Sensor. Because these logs didn’t reflect any incorrect system behavior, we’ve changed the settings so that they only appear in debug-level logs.
- ROX-3222: We’ve fixed an issue where StackRox Central could fail to start correctly after being integrated with Google Cloud Security Command Center.
- When you’re backing up the database by using the `roxctl central db backup` command, you can now provide a file output location using the new
- The StackRox Kubernetes Security Platform periodically refreshes data from external systems like image scanners. The StackRox Kubernetes Security Platform now spreads these refresh requests over a four-hour interval to reduce load instead of refreshing every hour.
- If you configure data retention settings, the StackRox Kubernetes Security Platform now checks for expired data every hour instead of every 24 hours.
We’ve clarified the text shown in the StackRox portal when you are configuring role-based access control. We’ve changed the “Default role” field name to “Minimum access role” to explain its purpose better. System behavior and APIs remain the same:
- you can select a minimum access role to grant to all users who sign in with the configured authentication provider, and
- you can grant additional roles to specific users and groups using rules.
StackRox Central now compacts its database files by default. Compaction saves disk space by freeing the space used for already-deleted objects. The compaction process begins if the free space is above a configured threshold when Central restarts.
We’ve updated our images to resolve the CVE-2019-14697 vulnerability in the Alpine Linux `musl` library. We identified this vulnerability in StackRox images by using the StackRox Scanner. However, this vulnerability doesn’t apply to the StackRox Kubernetes Security Platform because:
- The vulnerability only affects `musl` when running on a host with the x86 architecture. However, the StackRox Kubernetes Security Platform only runs on the amd64 (x86_64) architecture, which isn’t affected.
- The binaries in the StackRox Kubernetes Security Platform are linked statically, so they don’t use the `musl` library. The StackRox Kubernetes Security Platform doesn’t pass any user input to the affected binaries in Alpine Linux.
- The vulnerability only affects
Netflix recently published a security advisory identifying several problems that can cause HTTP/2 servers to exhaust resources serving specially crafted requests. The Go programming language was affected by two of these vulnerabilities (CVE-2019-9512 and CVE-2019-9514). We’ve updated the StackRox Kubernetes Security Platform to use a new version of Go that resolves these vulnerabilities.
We're happy to help! Reach out to us to discuss questions, issues, or feature requests.