The StackRox Kubernetes Security Platform version 3.0.39 includes new features, bug fixes, and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.
The StackRox Kubernetes Security Platform version 3.0.39 includes the option to enable online telemetry. If enabled, we use it to gather environment data, which helps us troubleshoot support issues and improve the quality of future StackRox Kubernetes Security Platform versions based on real-world usage. See Online telemetry for more information.
You can now generate a diagnostic bundle and send it to the StackRox support team to aid in investigating your support issues with the StackRox Kubernetes Security Platform.
The StackRox Kubernetes Security Platform now supports the OAuth 2.0 Authorization Code Grant authentication flow when you specify a client secret during configuration of an OpenID Connect (OIDC) integration. This authentication flow allows you to use refresh tokens to stay logged in beyond the token expiration time configured in your OIDC identity provider. See Configure an OIDC Identity Provider for more information.
You can now use the new StackRox Container Image Scanner Jenkins plugin to scan container images for published software vulnerabilities. You can add it as a build step in your freestyle projects or pipelines to ensure that your infrastructure adheres to the StackRox Kubernetes Security Platform build-time policies.
- ROX-3769: Previously, when integrating the StackRox Kubernetes Security Platform with Splunk, the test would pass on invalid URLs. We’ve updated the logic to better integrate with Splunk (version 6.6.0 and newer). Now, when you integrate with Splunk there is no need to specify the complete URL. You can specify the HTTP Event Collector URL as http://<splunk-server-path>:8088. See Integrate with Splunk for more information.
- ROX-3953: We’ve added the install commands for Helm 3. You can run the helm charts for Helm 3 without the helm install central ./central.
- ROX-3971: Previously, the /v1/policies API endpoint always returned the Null. We’ve fixed this issue. The API now returns the correct time for edited policies and Null for unedited policies.
- ROX-3985: Previously, Scanner would report errors for removed Debian packages. We’ve fixed this issue.
- Bug ROX-4209: We’ve fixed an issue where the compliance scan would not correctly consider UID 0 as root for the CIS Docker 4.1 benchmark.
- Bug ROX-4088: We’ve fixed an issue where the automatic upgrades didn’t work if an admission controller was running on the secured cluster.
- We’ve fixed an issue where the Central deployment triggered panic events after an upgrade while trying to prune undeployed images.
- Bug ROX-4317: We’ve fixed an issue where the Central deployment triggered panic events on start-up if risk assessments were still present for deleted deployments.
- We’ve deprecated the UseStartTLS field in email notifier configuration, and we now use enum which supports more authentication methods.
- We’ve added a new ScannerBundle resource type for use with the StackRox Kubernetes Security Platform role-based access control. See the Resource definitions section for details. Users now need READ permission for the ScannerBundle resource to run the roxctl scanner generate command. Previously, any authenticated user could run this command.
- We’ve removed the Scanner v2 (preview). If you are using the preview version, follow the upgrade instructions to switch to the generally available version of StackRox Scanner.
- Scanner now fetches its vulnerability definitions from
- We’ve split Scanner deployment into two separate deployments scanner-db to support Scanner autoscaling.
- We’ve added the roxctl central cert command, which you can use to download Central’s TLS certificate. You can then use the --ca <downloaded-certificate> option to specify a custom CA.
We’ve updated the Collector image to resolve the vulnerability in the libidn library. The older version of the library (for parsing of internationalized domain names) was vulnerable to a possible buffer overflow. We identified this vulnerability in the Collector images by using the StackRox Scanner. We’ve upgraded libidn to a newer version that isn’t affected by the CVE-2017-14062 vulnerability.