Release notes: 2.5.30

Find out what's new in version 2.5.30.


The StackRox Kubernetes Security Platform version 2.5.30 includes new features, bug fixes, scale improvements, and other changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Configuration management

The StackRox Kubernetes Security Platform now features a Configuration Management view in the StackRox portal for managing configuration across your applications and infrastructure. This view shows policy violations and configuration assessments, and introduces new ways to explore all the related deployments, policies, service accounts, and other objects in your clusters.

Kubernetes RBAC visibility

Kubernetes role-based access control (RBAC) configurations have a significant impact on your security posture. The Configuration Management view allows you to see all your service accounts, users, groups, roles, and permissions so that you can find unnecessary exposures or risks.

Important bug fixes

  • ROX-1478: The replica count for DaemonSet applications now shows the correct number of replicas.
  • ROX-3216: Previously, entering an unreachable SAML metadata URL while integrating a SAML Identity Provider caused the StackRox portal to stop responding. The portal now handles this error.
  • ROX-3236: Previously, when you saved role-based access control mappings that included a colon, the server appeared unresponsive. These mappings are now applied correctly.

Important system changes

  • The StackRox Central database uses a new format that performs better and frees disk space more proactively. The upgrade includes an automatic migration to the new format. The migration first compacts the existing database, then converts existing data to the new format. The upgrade requires available disk space; please carefully review the upgrade instructions.

  • We’ve updated StackRox Scanner to use the National Vulnerability Database’s JSON API due to the upcoming shutdown of their XML API. We’ve also made the update process more reliable for vulnerabilities in images based on Red Hat Enterprise Linux, CentOS, or similar operating systems.

  • If a policy assesses Kubernetes RBAC configurations, the policy violation message previously included capitalized phrases like CLUSTER_ADMIN. We’ve improved the violation message text, and now it uses more natural English.

  • When building a baseline of each deployment’s activity, the StackRox Kubernetes Security Platform now automatically includes in that baseline any behavior observed during the first minute after a container starts.

  • The StackRox Kubernetes Security Platform now assesses compliance with the recently released versions of the Center for Internet Security (CIS) benchmarks. The current versions are v1.2.0 for Docker and v1.4.1 for Kubernetes. See benchmark versions for more details.

  • ROX-3239: If you use a Docker pull-through cache, a Sonatype Nexus proxy repository, or a similar proxy as the default image registry instead of docker.io (Docker Hub), you can now specify a custom default image registry for each cluster in the Platform Configuration > Clusters view.

    To apply this setting to an existing cluster:

    1. Navigate to Platform Configuration > Clusters and select the cluster.

    2. Under Dynamic Configuration (syncs to Sensor), specify the new registry.

    3. Add a registry integration for the proxy if one isn’t configured yet.

    4. Delete the image records that Central currently associates with the docker.io registry. Both requests below use the DELETE method; without confirm=true the request is a dry run that only reports how many images match. The space in the search term must be percent-encoded (Image%20Registry) so that curl sends a valid request line. The -k flag disables TLS certificate verification; drop it, or pass --cacert with Central’s CA certificate, wherever Central serves a certificate you can verify.

      1. Preview the images that would be deleted:

        curl -sk -X DELETE -H "Authorization: Bearer <admin api token>" "https://<endpoint>/v1/images?query.query=Image%20Registry:docker.io"

      2. If the number of matching images is what you expect, delete them:

        curl -sk -X DELETE -H "Authorization: Bearer <admin api token>" "https://<endpoint>/v1/images?query.query=Image%20Registry:docker.io&confirm=true"

    5. In the secured cluster, delete the Sensor pod so that it restarts and picks up the new dynamic configuration (use kubectl on Kubernetes, oc on OpenShift):

      1. Find the name of the Sensor pod:

        kubectl get pod -n stackrox
        oc get pod -n stackrox

      2. Delete the pod:

        kubectl delete pod -n stackrox <pod name>
        oc delete pod -n stackrox <pod name>
  • The roxctl image check command now returns an error if an image can’t be pulled and scanned.

  • All built-in policies for image components and vulnerabilities now enable the “Build” lifecycle stage by default.
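The following shell script is an added example for the ROX-3239 procedure above; it is not part of this release or of StackRox’s own tooling. It automates the image-record cleanup and the Sensor restart with a guard the page’s manual steps only imply: the deletion runs only when the dry-run count equals the number you expect. It assumes (none of this is stated on the page) that ROX_ENDPOINT holds Central’s host:port, ROX_API_TOKEN holds an admin API token, an optional ROX_CA_CERT points at a PEM file with Central’s CA certificate, the DELETE /v1/images response carries numDeleted and dryRun fields, and the Sensor pod carries the label app=sensor.

```shell
#!/bin/sh
# Added example for the ROX-3239 procedure; not StackRox's own tooling.
# Assumed, not from the page: ROX_ENDPOINT (Central host:port), ROX_API_TOKEN
# (admin API token), optional ROX_CA_CERT (PEM with Central's CA), the
# "numDeleted"/"dryRun" fields in the DELETE /v1/images response, and the
# app=sensor label on the Sensor pod.
set -eu

# Build the /v1/images URL. The space in "Image Registry" is percent-encoded so
# curl sends a well-formed request line; confirm=true is appended only when the
# caller explicitly asks for a real deletion rather than a dry run.
rox_images_url() {
  endpoint=$1; registry=$2; confirm=$3
  url="https://${endpoint}/v1/images?query.query=Image%20Registry:${registry}"
  if [ "$confirm" = "yes" ]; then
    url="${url}&confirm=true"
  fi
  printf '%s' "$url"
}

# Pull numDeleted out of the response body without depending on jq. A missing
# field is treated as 0, since proto3 JSON may omit zero-valued fields.
num_deleted() {
  n=$(printf '%s' "$1" | sed -n 's/.*"numDeleted" *: *\([0-9][0-9]*\).*/\1/p')
  printf '%s' "${n:-0}"
}

# Issue the DELETE. The token is read from the environment instead of being
# typed inline, so it does not land in shell history as a literal. TLS
# verification stays on; set ROX_CA_CERT instead of reaching for -k.
# ${VAR:+--cacert "$VAR"} expands to two words only when VAR is non-empty.
rox_delete_images() {
  curl -sS --fail -X DELETE ${ROX_CA_CERT:+--cacert "$ROX_CA_CERT"} \
    -H "Authorization: Bearer ${ROX_API_TOKEN}" \
    "$(rox_images_url "$ROX_ENDPOINT" docker.io "$1")"
}

# Steps 4 and 5 of the procedure: dry run, compare against the expected count,
# delete for real, then restart Sensor so it syncs the new default registry
# from dynamic configuration (use oc instead of kubectl on OpenShift).
sync_default_registry() {
  expected=$1
  count=$(num_deleted "$(rox_delete_images no)")
  if [ "$count" != "$expected" ]; then
    echo "dry run matched $count image records, expected $expected; aborting" >&2
    return 1
  fi
  rox_delete_images yes >/dev/null
  echo "deleted $count image records referencing docker.io"
  kubectl delete pod -n stackrox -l app=sensor
}

# Only contact a live Central when an endpoint is configured, e.g.:
#   ROX_ENDPOINT=central.example.com:443 ROX_API_TOKEN=... sh sync.sh 17
if [ -n "${ROX_ENDPOINT:-}" ]; then
  sync_default_registry "${1:?usage: $0 <expected-count>}"
fi
```

The expected-count argument is the number of docker.io image records you saw in the portal or in a previous dry run; if the query matches a different number (for example because the search term was mistyped and matched everything), the script refuses to run the confirmed deletion. Deleting the Sensor pod by label relies on the assumed app=sensor label; if your deployment labels it differently, substitute the pod name from kubectl get pod -n stackrox as in the procedure above.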

API changes

  • In the GetAlert API, we’ve removed the link field from all objects in the violations field. This field previously held links to each identified vulnerability if the policy referred to vulnerabilities.
  • In the /v1/processes APIs, we’ve removed the emitTimestamp field. API responses have never set a value for this field.
  • The TriggerRun (/v1/complianceManagement/runs) endpoint is removed. To trigger a compliance assessment, use TriggerRuns (/v1/compliancemanagement/runs) instead.

Questions?

We're happy to help! Reach out to us to discuss questions, issues, or feature requests.

© 2021 StackRox Inc. All rights reserved.