Release notes: 3.0.33

Find out what's new in version 3.0.33.

The StackRox Kubernetes Security Platform version 3.0.33 includes a bug fix and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Important bug fix

  • Previously, when you deleted a Kubernetes or OpenShift deployment, the StackRox Kubernetes Security Platform sometimes still returned deploy-phase policy violations, process execution records, and network flows for the deployment, if Central encountered an error while deleting objects in the database. StackRox Central now removes this data for deleted deployments when Central starts and when the regular garbage collection cycle runs. (This change was first released in version 2.5.32.1.)

Important system changes

Deployment

  • To make it easier to use certain types of persistent storage, the StackRox Central deployment now specifies a runAsUser and fsGroup value of 4000.
  • The StackRox Collector image contains built-in support for runtime activity collection on currently available Linux kernel versions. StackRox publishes updated images with support for additional versions. If your system can’t pull a new image, StackRox Collector attempts to securely download a support package for the new version. Starting from version 3.0.33.0, the StackRox Kubernetes Security Platform first attempts to access the new package by using StackRox Central’s network connection, to minimize external network usage in each StackRox Collector pod.

Configuration

  • ROX-3237: When you’re configuring an integration with a single-sign-on authentication provider, you can now edit the configuration until a user has successfully logged in. The configuration view also now shows more clearly whether edits are allowed. Previously, the StackRox Kubernetes Security Platform didn’t allow you to edit settings after you created the integration.
  • When you’re viewing image vulnerability scan results, CVEs with a 0 score are now shown as Pending. These vulnerabilities haven’t been analyzed in the National Vulnerability Database, or are under dispute.
  • When you are configuring policy scope restrictions or exclusions, you can now write a regular expression for the namespace and label fields. You can use any syntax available in re2.
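Added example (not StackRox code): a Go check you can run on a candidate namespace pattern before putting it in a policy scope or exclusion. Go's regexp package implements RE2 syntax, so it rejects the same constructs (lookaheads, backreferences). The page doesn't say whether a pattern must match the whole field, so the hypothetical `CheckScope` helper reports both substring and whole-name matches. The namespace list is constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
)

// ScopeCheck reports how one candidate scope pattern behaves.
type ScopeCheck struct {
	Pattern   string
	Valid     bool     // accepted by an RE2-syntax compiler
	Substring []string // namespaces selected if the pattern may match anywhere in the name
	FullMatch []string // namespaces selected if the whole name must match
}

// CheckScope compiles pattern as RE2 and lists the namespaces it selects
// under both matching semantics (which one the product uses is an assumption).
func CheckScope(pattern string, namespaces []string) ScopeCheck {
	res := ScopeCheck{Pattern: pattern}
	sub, err := regexp.Compile(pattern)
	if err != nil {
		return res // e.g. a lookahead or backreference: not RE2 syntax
	}
	// The non-capturing group keeps alternations such as a|b anchored as a unit.
	full, err := regexp.Compile(`^(?:` + pattern + `)$`)
	if err != nil {
		return res
	}
	res.Valid = true
	for _, ns := range namespaces {
		if sub.MatchString(ns) {
			res.Substring = append(res.Substring, ns)
		}
		if full.MatchString(ns) {
			res.FullMatch = append(res.FullMatch, ns)
		}
	}
	return res
}

// Constructed sample namespaces, not taken from any real cluster.
var sampleNamespaces = []string{"prod", "nonprod", "prod-payments", "kube-system", "dev"}

func main() {
	for _, p := range []string{`prod`, `^prod(-.*)?$`, `^(?!kube-).*$`} {
		fmt.Printf("%+v\n", CheckScope(p, sampleNamespaces))
	}
}
```

A pattern whose Substring and FullMatch lists differ, such as the bare `prod` here, selects different namespaces depending on anchoring; writing explicit `^` and `$` removes that ambiguity, which matters most for exclusions.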

StackRox Scanner

  • Previously, Red Hat Security Advisories (RHSAs) were shown with a vulnerability score of 0. RHSAs are now assigned a score based on the highest-severity CVSS of the CVEs that are part of the RHSA. Each CVE is also now reported separately, so you can write policies or search queries based on the CVEs that are included in RHSAs.

API

  • ROX-3483: StackRox Central now serves a less-detailed API to anonymous users that only includes enough information to log in. To access any other details of authentication provider configuration, a user or API client must have Read access to the AuthProvider resource.
  • The validated field in the AuthProviderService APIs is deprecated and will be removed in version 3.0.35.0 or higher. Use the active field instead; this field indicates whether a user has successfully used the authentication provider to log in to the StackRox Kubernetes Security Platform.
  • The GetRisk API (/v1/risks/{subjectType}/{subjectID}) is removed. To get a deployment’s risk details, use GetDeploymentWithRisk (/v1/deploymentswithrisk/{id}).

© 2021 StackRox Inc. All rights reserved.