The StackRox Kubernetes Security Platform version 2.5.30 includes new features, bug fixes, scale improvements, and other changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.
The StackRox Kubernetes Security Platform now features a Configuration Management view in the StackRox portal for managing configuration across your applications and infrastructure. This view shows policy violations and configuration assessments, and introduces new ways to explore all the related deployments, policies, service accounts, and other objects in your clusters.
Kubernetes role-based access control (RBAC) configurations have a significant impact on your security posture. The Configuration Management view allows you to see all your service accounts, users, groups, roles, and permissions so that you can find unnecessary exposures or risks.
- ROX-1478: The replica count for DaemonSet applications now shows the correct number of replicas.
- ROX-3216: Previously, entering an unreachable SAML metadata URL while integrating a SAML Identity Provider caused the StackRox portal to stop responding. The portal now handles this error.
- ROX-3236: Previously, when you saved role-based access control mappings that included a colon, the server appeared unresponsive. These mappings are now applied correctly.
The StackRox Central database uses a new format that performs better and frees disk space more proactively. The upgrade includes an automatic migration to the new format. The migration first compacts the existing database, then converts existing data to the new format. The upgrade requires available disk space; please carefully review the upgrade instructions.
We’ve updated StackRox Scanner to use the National Vulnerability Database’s JSON API due to the upcoming shutdown of their XML API. We’ve also made the update process more reliable for vulnerabilities in images based on Red Hat Enterprise Linux, CentOS, or similar operating systems.
If a policy assesses Kubernetes RBAC configurations, the policy violation message previously included capitalized phrases like CLUSTER_ADMIN. We’ve improved the violation message text, and it now uses more natural English.
When building a baseline of each deployment’s activity, the StackRox Kubernetes Security Platform now automatically includes any behavior observed in the first minute of a container’s creation.
The StackRox Kubernetes Security Platform now assesses compliance with the recently released versions of the Center for Internet Security (CIS) benchmarks. The current versions are v1.2.0 for Docker and v1.4.1 for Kubernetes. See benchmark versions for more details.
ROX-3239: If you are using a Docker pull-through cache, a Sonatype Nexus proxy repository, or a similar proxy as the default image registry instead of docker.io (Docker Hub), you can now specify a custom default image registry for each cluster in the Platform Configuration > Clusters view.
To apply this setting in an existing cluster:
- Navigate to Platform Configuration > Clusters and select the cluster.
- Under Dynamic Configuration (syncs to Sensor), specify the new registry.
- Add a registry integration if one isn’t configured yet.
- Delete existing images from Docker Hub:
  - Preview the images you will delete (without confirm=true the request is a dry run and deletes nothing):
    curl -sk -X DELETE -H "Authorization: Bearer <admin api token>" "https://<endpoint>/v1/images?query.query=Image%20Registry:docker.io"
  - If the number of images is what you expect, delete the images:
    curl -sk -X DELETE -H "Authorization: Bearer <admin api token>" "https://<endpoint>/v1/images?query.query=Image%20Registry:docker.io&confirm=true"
- In the secured cluster, delete the sensor pod so that Sensor picks up the new configuration:
  - Find the name of the sensor pod:
    kubectl get pod -n stackrox
    oc get pod -n stackrox
  - Delete the pod:
    kubectl delete pod -n stackrox <pod name>
    oc delete pod -n stackrox <pod name>
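The preview-then-confirm steps above, wrapped in a small script so that the confirmed deletion only runs when the dry-run count is within a ceiling the operator supplies. This is an added example, not StackRox's own tooling. It assumes the JSON body returned by DELETE /v1/images carries a numDeleted field (an assumption about the response shape; this page does not describe it), and it reads the Central endpoint and admin API token from the environment variables ROX_ENDPOINT and ROX_API_TOKEN, names chosen here for illustration. The space in the query value is percent-encoded so the request line stays valid regardless of curl version.

```shell
#!/bin/sh
# Added example (not StackRox's own tooling): two-phase deletion of Docker Hub
# images from Central, mirroring the preview/confirm steps in the release notes.
set -eu

# Build the DELETE /v1/images URL for one registry. The query value contains a
# space, so it is sent as %20. Pass "true" as the third argument to confirm.
images_url() {
  endpoint="$1"; registry="$2"; confirm="${3:-false}"
  url="https://${endpoint}/v1/images?query.query=Image%20Registry:${registry}"
  if [ "$confirm" = "true" ]; then
    url="${url}&confirm=true"
  fi
  printf '%s' "$url"
}

# Pull numDeleted out of a response body. The field name is an assumption about
# the API's JSON shape; no jq dependency so the script runs on a bare host.
num_deleted() {
  printf '%s' "$1" | sed -n 's/.*"numDeleted"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# The dry-run count must be a plain number and must not exceed the ceiling;
# anything else (empty body, error JSON, too many images) blocks the deletion.
within_limit() {
  count="$1"; limit="$2"
  case "$count" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$count" -le "$limit" ]
}

# Driver: preview first, then delete only when the preview count is acceptable.
# Usage: ROX_ENDPOINT=central.example.com:443 ROX_API_TOKEN=... ./cleanup.sh 500
main() {
  limit="${1:?usage: $0 <max-images-to-delete>}"
  endpoint="${ROX_ENDPOINT:?set ROX_ENDPOINT}"
  token="${ROX_API_TOKEN:?set ROX_API_TOKEN}"
  preview=$(curl -sSk -X DELETE -H "Authorization: Bearer ${token}" "$(images_url "$endpoint" docker.io)")
  count=$(num_deleted "$preview")
  if within_limit "$count" "$limit"; then
    echo "preview reports ${count} docker.io images; deleting"
    curl -sSk -X DELETE -H "Authorization: Bearer ${token}" "$(images_url "$endpoint" docker.io true)"
  else
    echo "preview reports '${count}' images, above limit ${limit} or unparseable; not deleting" >&2
    return 1
  fi
}

# Run the driver only when a ceiling argument is given, so the functions can
# also be sourced or tested without touching the network.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The ceiling is the safeguard the page's manual steps leave to the operator's eye: if the dry run reports more images than expected, nothing is deleted and the script exits non-zero, so it can also be run from a job without silently wiping more than intended.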
The roxctl image check command now returns an error if an image can’t be pulled and scanned.
All built-in policies for image components and vulnerabilities now enable the “Build” lifecycle stage by default.
- In the GetAlert API, we’ve removed the link field from all objects in the violations field. This field previously held links to each identified vulnerability if the policy referred to vulnerabilities.
- In the /v1/processes APIs, we’ve removed the emitTimestamp field. API responses have never set a value for this field.
- The /v1/complianceManagement/runs endpoint is removed. To trigger a compliance assessment, use
We're happy to help! Reach out to us to discuss questions, issues, or feature requests.