Release notes: 2.5.32

Find out what's new in version 2.5.32.

The StackRox Kubernetes Security Platform version 2.5.32 includes new features, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Microsoft Teams integration

You can now send alert notifications to Microsoft Teams. To get started, see Integrate with Microsoft Teams.

Common Vulnerability Scoring System (CVSS) v3

StackRox Scanner now shows CVSS v3 scores for image vulnerabilities. To learn more about CVSS v3 support, see View images in your environment.

Simplified updates for Collector

StackRox Collector monitors runtime activity on each node in your secured clusters. We’ve changed the default image tag for Collector so you get support for newer Linux kernel versions more easily. By default, StackRox Collector now uses a mutable image tag (<version>-latest) that StackRox updates every time a new kernel version is released. We don’t change code, or preexisting kernel modules or eBPF programs, in these versions.

If you push the Collector image into your own private registry, you must regularly download the Collector image to take advantage of this feature.

See the Per-Node Services (Collector) section to learn more about this change.

Important bug fixes

Resolved in version 2.5.32.0

  • ROX-3289: When you export a Compliance Evidence Report in CSV format, the StackRox Kubernetes Security Platform now includes a single row for each compliance control. Previously, each piece of evidence was included in a row of its own.
  • ROX-3462: Previously, Compliance Evidence Report CSV files listed informational results with the status Unknown. These entries now correctly list the status as Info.

Resolved in version 2.5.32.1

  • Previously, when you deleted a Kubernetes or OpenShift deployment, the StackRox Kubernetes Security Platform sometimes still returned deploy-phase policy violations, process execution records, and network flows for the deployment, if Central encountered an error while deleting objects in the database. StackRox Central now removes this data for deleted deployments when Central starts and when the regular garbage collection cycle runs.

Important system changes

StackRox Central and Sensor

  • ROX-3209: You can now customize the port used for Prometheus metrics in StackRox Central and Sensor by setting a value for the ROX_METRICS_PORT environment variable. Supported options include:

    • disabled,
    • :port-num (which binds to the wildcard address), and
    • host_or_addr:port. You can also provide an IPv6 address within brackets, for example, [2001:db8::1234]:9090.

    The default setting is still :9090.

  • When you redeploy a secured cluster using a new configuration bundle after disabling admission control, the admission controller configuration now gets deleted. Previously, the ValidatingWebhookConfiguration would remain in the cluster.

  • We’ve optimized the API for resolving multiple policy violations. Resolving multiple violations at a time is now faster.
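
The ROX_METRICS_PORT formats listed under ROX-3209 above decide whether the Prometheus metrics endpoint is off, bound to every interface, or bound to one address. The Go program below is an added example, not StackRox code: the hypothetical function classifyMetricsAddr parses a candidate value with the standard library so a review script can flag wildcard binds. The sample values and the port range check are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// classifyMetricsAddr (hypothetical helper, not part of StackRox) reports how a
// ROX_METRICS_PORT value binds: "disabled", "wildcard", "loopback" or "specific".
func classifyMetricsAddr(v string) (string, error) {
	if v == "disabled" {
		return "disabled", nil
	}
	// SplitHostPort accepts ":port", "host:port" and "[ipv6]:port", and rejects
	// a bare port or an unbracketed IPv6 address.
	host, port, err := net.SplitHostPort(v)
	if err != nil {
		return "", fmt.Errorf("want disabled, :port or host:port: %w", err)
	}
	// Assumption of this example: only numeric ports 1-65535 are accepted.
	n, err := strconv.Atoi(port)
	if err != nil || n < 1 || n > 65535 {
		return "", fmt.Errorf("invalid port %q", port)
	}
	if host == "" {
		return "wildcard", nil // the ":port-num" form, including the default :9090
	}
	if ip := net.ParseIP(host); ip != nil {
		if ip.IsUnspecified() { // 0.0.0.0 and [::] also listen on every interface
			return "wildcard", nil
		}
		if ip.IsLoopback() {
			return "loopback", nil
		}
		return "specific", nil
	}
	if host == "localhost" {
		return "loopback", nil
	}
	return "specific", nil
}

func main() {
	// Constructed sample values: the formats from the release note plus two mistakes.
	for _, v := range []string{"disabled", ":9090", "127.0.0.1:9090",
		"[2001:db8::1234]:9090", "9090", "2001:db8::1234:9090"} {
		kind, err := classifyMetricsAddr(v)
		fmt.Printf("%-26q kind=%q err=%v\n", v, kind, err)
	}
}
```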

roxctl CLI

The roxctl CLI now supports more options so you can get the precise behavior you need.

  • You can now use the --insecure-skip-tls-verify option with most roxctl commands.
    • If you use --insecure-skip-tls-verify=false, the connection to StackRox Central fails if roxctl receives an invalid certificate.
    • If you use --insecure-skip-tls-verify=true, the connection to StackRox Central always succeeds, even if roxctl receives an invalid certificate.
    • If you don’t use this option, roxctl shows a warning message when it receives an invalid certificate, but the connection proceeds. In a future release, we intend to change roxctl to fail in this case.
  • If you use a custom Certificate Authority (CA) that’s not globally trusted, you can provide it using the --ca <filename> option.
  • You can now provide a --output-dir <dir> option to the following commands:
    • roxctl sensor generate
    • roxctl scanner generate
    • roxctl central debug dump

© 2021 StackRox Inc. All rights reserved.