Release notes: 2.5.31

Find out what's new in version 2.5.31.

The StackRox Kubernetes Security Platform version 2.5.31 includes new features, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

CRI-O support

The StackRox Kubernetes Security Platform now supports monitoring runtime activity and assessing host compliance on nodes running CRI-O. This feature doesn’t require any additional setup or configuration.

Kubernetes on DC/OS support

The StackRox Kubernetes Security Platform now supports securing clusters created using Kubernetes on DC/OS. This feature doesn’t require any additional setup or configuration.

IBM and Red Hat registry integrations

The StackRox Kubernetes Security Platform integrates with virtually any image registry. In this version, we’ve added native integrations for improved compatibility with IBM Cloud Container Registry (ICR) and the official Red Hat container registries.

Important bug fixes

  • ROX-2567: The setup.sh script, which configures image pull secrets, now handles passwords with spaces or other special characters.
  • ROX-3351: We’ve improved the reliability of the Red Hat vulnerability definition update process in StackRox Scanner. Previously, Red Hat Security Advisories weren’t included in offline definition updates or in the built-in copy of vulnerability definitions that’s included in the StackRox Scanner image.
  • ROX-3430: The Jira integration now supports additional options for Priority. Previously, using such values would cause an error message to appear in the StackRox portal.
  • ROX-3454: In some clusters, localhost could resolve to an address outside of the local container. StackRox services now directly use 127.0.0.1.

Important system changes

StackRox Central

When you configure a custom server certificate, or make changes to the central-htpasswd secret, the StackRox Kubernetes Security Platform applies all changes without the need to restart Central.

  • To update the server certificate, edit the central-default-tls-cert secret.

  • To reset your administrator password, create a new htpasswd file and then update the central-htpasswd secret.

    Kubernetes may take up to a minute to propagate any updates you make.

StackRox Collector

  • The StackRox Collector DaemonSet now deploys to all nodes in a cluster by default, regardless of node taints. This behavior applies to new installations and to installation files regenerated for existing clusters. To disable this behavior, pass the --disable-tolerations flag to the roxctl sensor generate command or turn off the Enable Taint Tolerations toggle in the Platform Configuration > Clusters view.
  • In previous versions, when you ran compliance scans, the compliance data collection process ran in its own dynamic DaemonSet. Now the StackRox Kubernetes Security Platform uses the existing Collector DaemonSet for compliance data collection.

StackRox Scanner

We’ve updated the Scanner v2 (preview) to a new version. This version includes a variety of improvements, such as more accurate reporting of vulnerability CVSS scores.

Starting from version 3.0.35, language-specific vulnerability scanning is available by default and we’ve deprecated Scanner v2 (preview). If you are using the preview version, follow the upgrade instructions to switch to the generally available version of StackRox Scanner.

roxctl CLI

The roxctl CLI now handles more networking configurations:

  • roxctl can now connect with Central servers exposed behind a non-gRPC-capable proxy like AWS ELB/ALB. To support this, requests go through an ephemeral client-side reverse proxy. If you observe any issues with roxctl that you suspect might be because of this change, pass the --direct-grpc flag to return to the old connection behavior.
  • roxctl can now connect to Central servers exposed over plaintext (either directly or by a plaintext proxy talking to a plaintext or TLS-enabled server). While this configuration is usually insecure and not recommended, you can use this mode by passing the --plaintext and --insecure flags when you run a command.

© 2021 StackRox Inc. All rights reserved.