Release notes: 3.0.40

Find out what's new in version 3.0.40.

The StackRox Kubernetes Security Platform version 3.0.40 includes new features, bug fixes, and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

  • You can now use a YAML configuration file to configure and expose endpoints for StackRox Central. See Configure endpoints for details.

  • We’ve added two new security policy criteria and two built-in policies for image labels.

    1. Required Image Label: Create violations for any deployments that don’t contain the specified image label.
    2. Disallowed Image Label: Create violations for any deployments that contain the specified image label.

    You can modify or clone the new built-in policies to match image labels you expect to see in all deployed images, or image labels that shouldn’t be in any deployed images.

    For more details, see the Policy criteria section.

  • We’ve added compliance checks for the NIST Special Publication 800-53 (rev. 4) standard. To assess your clusters for this standard, select Scan Environment in the Compliance view after you upgrade.

  • We’ve added a login form for the Username and Password user authentication method for the StackRox portal. The authentication prompt no longer uses your web browser’s interface to request the password.

Important bug fixes

Resolved in version

  • ROX-2423: Previously, the Collector pod could crash if a process exited while Collector was starting up. We’ve resolved this issue.
  • ROX-4076: Previously, you couldn’t log in using certain authentication providers if StackRox Central couldn’t connect to the provider at startup. The StackRox Kubernetes Security Platform now retries these connections if they fail.
  • ROX-4240: Previously, the roxctl CLI sent an invalid Host header when running in plaintext mode. We’ve fixed this issue.
  • ROX-4241 and ROX-4242: Previously, due to an internal logic error, if you created a policy with the Required Label or the Required Annotation policy criteria, you might not receive violations. We’ve fixed this issue.
  • ROX-4254: Previously, the Cluster details panel from the Configuration Management view didn’t display policy violations under the Cluster Findings section. The StackRox portal now correctly shows policy violations for all deployments for the cluster.

Resolved in version

  • Previously, the database backup/restore process could fail if certain invalid data was present. The backup/restore process now handles this type of error.
  • We’ve fixed issues that could cause StackRox Central to crash after you upgraded to version, depending on the contents of your StackRox Central database.

Important system changes

StackRox Central

In version, we’ve added a safe mode to StackRox Central. StackRox Support may request that you activate this setting when working with you to resolve an issue.

StackRox Sensor

We’ve reduced the computational load on Central by moving the deployment and image detection capabilities from Central to Sensor. Additionally, Sensor gathers image scan results and additional metadata from Central, generates runtime and deploy-time alerts, and applies enforcement policies.


We’ve removed the StackRox Monitoring components. To monitor the StackRox Kubernetes Security Platform components (Sensor, Central, and Collector), use Prometheus or similar software to collect metrics from the <component-address>:9090/metrics path.


The -e (or --endpoint) option of the roxctl CLI now supports URLs as arguments.

  1. The path component of the URL you specify must either be:

    • blank, for example https://central.stackrox, or
    • /, for example https://central.stackrox/.

    Any other value for the path component is incorrect. For example, the following command is incorrect:

    ❌ roxctl -e 'https://central.stackrox/api' central debug log
  2. If you use the --plaintext option along with a URL, the URL scheme must be http and not https.
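
The two rules above can be checked before roxctl is invoked, for example in a CI wrapper script. This is an added example, not part of the original release notes or of roxctl itself; check_endpoint is a hypothetical helper, and treating a value without a scheme (bare host:port) as outside these rules is an assumption.

```shell
#!/bin/sh
# Pre-flight check for the value passed to `roxctl -e`, enforcing only the two
# URL rules stated in these release notes. check_endpoint is a hypothetical
# helper name, not a roxctl feature.
# usage: check_endpoint ENDPOINT [plaintext]
# Prints "ok" or the reason for rejection; returns 0 if acceptable, 1 if not.
check_endpoint() {
    endpoint=$1
    mode=${2:-tls}

    case $endpoint in
        *://*) ;;   # URL form: validated below
        *)  # Assumption: a value without a scheme (host:port) is not a URL,
            # so the URL rules in the release notes do not apply to it.
            echo "ok"; return 0 ;;
    esac

    # URL schemes are case-insensitive, so normalise before comparing.
    scheme=$(printf '%s' "${endpoint%%://*}" | tr 'A-Z' 'a-z')
    rest=${endpoint#*://}

    # Everything from the first "/" after the authority is the path.
    case $rest in
        */*) path=/${rest#*/} ;;
        *)   path= ;;
    esac

    # Rule 1: the path component must be blank or exactly "/".
    if [ -n "$path" ] && [ "$path" != "/" ]; then
        echo "path must be blank or /, got: $path"; return 1
    fi

    # Rule 2: with --plaintext, the URL scheme must be http and not https.
    if [ "$mode" = plaintext ] && [ "$scheme" != http ]; then
        echo "--plaintext requires the http scheme, got: $scheme"; return 1
    fi

    echo "ok"
}

# When run as a script with arguments, check them directly.
if [ "$#" -gt 0 ]; then check_endpoint "$@"; fi
```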

Security updates

We’ve updated the Collector image to resolve the following CVEs:

These vulnerabilities were in the curl library. The older version of the curl library was vulnerable to heap buffer overflow and double-free vulnerabilities in the FTP and TFTP handlers, which StackRox Collector doesn’t use. We identified these vulnerabilities in the Collector image by using the StackRox Scanner. We’ve upgraded curl to a newer version that isn’t affected by these vulnerabilities.

Documentation changes

  • New topic: Configure endpoints. Learn how to configure endpoints for the StackRox Kubernetes Security Platform by using a YAML configuration file.
  • Update: Create custom policies. Added Required Image Label and Disallowed Image Label in the policy criteria section.
  • Update: Benchmark versions. Updated the NIST section to include NIST SP 800-53 Rev. 4.
  • Update: Quick start. Removed information about StackRox Monitoring components.
  • Update: Upgrade from version 2.5.31 through version 3.0.34 and Upgrade from version 3.0.35 or higher. Updated instructions for upgrading to the StackRox Kubernetes Security Platform version 3.0.40.
  • Update: Enable offline mode. Added new sections: Download images for offline use, Enable offline mode during installation, and Upload kernel support packages.
  • Update: Configure custom certificates. Added a new Configure Sensor to trust custom certificates section.


© 2021 StackRox Inc. All rights reserved.