The StackRox Kubernetes Security Platform version 2.5.31 includes new features, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.
The StackRox Kubernetes Security Platform now supports monitoring runtime activity and assessing host compliance on nodes running CRI-O. This feature doesn’t require any additional setup or configuration.
The StackRox Kubernetes Security Platform now supports securing clusters created using Kubernetes on DC/OS. This feature doesn’t require any additional setup or configuration.
The StackRox Kubernetes Security Platform integrates with virtually any image registry. In this version, we’ve added native integrations for improved compatibility with IBM Cloud Container Registry (ICR) and the official Red Hat container registries.
- ROX-2567: The setup.sh script, which configures image pull secrets, now handles passwords with spaces or other special characters.
- ROX-3351: We’ve improved the reliability of the Red Hat vulnerability definition update process in StackRox Scanner. Previously, Red Hat Security Advisories weren’t included in offline definition updates or in the built-in copy of vulnerability definitions that’s included in the StackRox Scanner image.
- ROX-3430: The Jira integration now supports additional options for Priority. Previously, using such values would cause an error message to appear in the StackRox portal.
- ROX-3454: In some clusters, localhost could resolve to an address outside of the local container. StackRox services now directly use
When you configure a custom server certificate, or make changes to the central-htpasswd secret, the StackRox Kubernetes Security Platform applies all changes without the need to restart Central.
To update the server certificate, edit the
To reset your administrator password, create a new htpasswd file and then update the
Kubernetes may take up to a minute to propagate any updates you make.
- The StackRox Collector DaemonSet now deploys to all nodes in a cluster by default, regardless of node taints. This behavior applies to new installations and to installation files regenerated for existing clusters. To disable this behavior, pass the --disable-tolerations flag to the roxctl sensor generate command or turn off the Enable Taint Tolerations toggle in the Platform Configuration > Clusters view.
- In previous versions, when you ran compliance scans, the compliance data collection process ran in its own dynamic DaemonSet. Now the StackRox Kubernetes Security Platform uses the existing Collector DaemonSet for compliance data collection.
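
An added example, not StackRox code: a Python check that applies the Kubernetes taint and toleration matching rules to list the nodes where a DaemonSet such as Collector would not be scheduled, and so would have no runtime or compliance data collection. The node names, taints and toleration sets are constructed assumptions.

```python
# Added example: which nodes would a DaemonSet pod be kept off by taints?
# Node names, taints and tolerations below are constructed sample data.
# Automatic DaemonSet tolerations for node-condition taints are not modelled.

BLOCKING_EFFECTS = {"NoSchedule", "NoExecute"}  # PreferNoSchedule is only a soft preference


def tolerates(toleration, taint):
    """Kubernetes toleration matching for one toleration/taint pair."""
    # An empty effect on the toleration matches every taint effect.
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    operator = toleration.get("operator", "Equal")
    key = toleration.get("key", "")
    if operator == "Exists":
        # Exists with no key tolerates every taint; with a key, value is ignored.
        return key == "" or key == taint["key"]
    return key == taint["key"] and toleration.get("value", "") == taint.get("value", "")


def unmonitored_nodes(nodes, tolerations):
    """Return names of nodes carrying a blocking taint that no toleration covers."""
    gaps = []
    for name, taints in nodes.items():
        blocking = [t for t in taints if t["effect"] in BLOCKING_EFFECTS]
        if any(not any(tolerates(tol, t) for tol in tolerations) for t in blocking):
            gaps.append(name)
    return sorted(gaps)


NODES = {
    "worker-1": [],
    "master-1": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}],
    "gpu-1": [{"key": "dedicated", "value": "gpu", "effect": "NoExecute"}],
    "spot-1": [{"key": "spot", "value": "true", "effect": "PreferNoSchedule"}],
}

# Assumed shape of a tolerate-everything toleration; the page does not show
# the exact tolerations StackRox generates.
TOLERATE_ALL = [{"operator": "Exists"}]
NO_TOLERATIONS = []  # as when taint tolerations are turned off
MASTER_ONLY = [{"key": "node-role.kubernetes.io/master", "operator": "Exists", "effect": "NoSchedule"}]

if __name__ == "__main__":
    for label, tols in [("tolerate all", TOLERATE_ALL), ("none", NO_TOLERATIONS), ("master only", MASTER_ONLY)]:
        print(f"{label}: nodes without Collector -> {unmonitored_nodes(NODES, tols)}")
```
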
We’ve updated the Scanner v2 (preview) to a new version. This version includes a variety of improvements, such as more accurate reporting of vulnerability CVSS scores.
roxctl CLI now handles more networking
roxctl can now connect with Central servers exposed behind a non-gRPC-capable proxy like AWS ELB/ALB. To support this, requests go through an ephemeral client-side reverse proxy. If you observe any issues with roxctl that you suspect might be because of this change, pass the --direct-grpc flag to return to the old connection behavior.
roxctl can now connect to Central servers exposed over plaintext (either directly or by a plaintext proxy talking to a plaintext or TLS-enabled server). While this configuration is usually insecure and not recommended, you can use this mode by passing the --insecure flags when you run a command.