The StackRox Kubernetes Security Platform version 3.0.40 includes new features, bug fixes, and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.
You can now use a YAML configuration file to configure and expose endpoints for StackRox Central. See Configure endpoints for details.
We’ve added two new security policy criteria and two built-in policies for image labels.
Required Image Label: Create violations for any deployments that don’t contain the specified image label.
Disallowed Image Label: Create violations for any deployments that contain the specified image label.
You can modify or clone the new built-in policies to match image labels you expect to see in all deployed images; or image labels that shouldn’t be in any deployed images.
For more details, see the Policy criteria section.
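To make the two new criteria concrete, here is an added example (not StackRox code) of how a required/disallowed image-label check can be evaluated against deployments. It assumes a simplified model in which the label key and value of a policy are regular expressions that must fully match an image label, and it uses constructed policies and deployments rather than data taken from a real cluster.

```python
import re
from dataclasses import dataclass


@dataclass
class LabelPolicy:
    """A minimal stand-in for an image-label policy (assumed model, not the StackRox schema)."""
    name: str
    kind: str           # "required" or "disallowed"
    key: str            # regular expression, fully matched against the label key
    value: str = ".*"   # regular expression, fully matched against the label value


def _label_matches(labels, key_re, value_re):
    """True if any label on the image matches both the key and the value pattern."""
    return any(re.fullmatch(key_re, k) and re.fullmatch(value_re, v)
               for k, v in labels.items())


def evaluate(policy, deployment):
    """Return violation messages for one deployment.

    deployment = {"name": str, "images": {image_ref: {label_key: label_value}}}
    A required-label policy violates when no image label matches; a disallowed-label
    policy violates when any image label matches.
    """
    violations = []
    for image, labels in deployment["images"].items():
        matched = _label_matches(labels, policy.key, policy.value)
        if policy.kind == "required" and not matched:
            violations.append(
                f"{deployment['name']}: image {image} lacks a label matching "
                f"key={policy.key!r} value={policy.value!r} [{policy.name}]")
        elif policy.kind == "disallowed" and matched:
            violations.append(
                f"{deployment['name']}: image {image} carries a disallowed label matching "
                f"key={policy.key!r} value={policy.value!r} [{policy.name}]")
    return violations


def evaluate_all(policies, deployments):
    """Evaluate every policy against every deployment and collect all violations."""
    return [v for p in policies for d in deployments for v in evaluate(p, d)]


# Constructed sample policies: every image must name a maintainer, and no image may be
# labelled as a development-stage build.
POLICIES = [
    LabelPolicy("Required Image Label: maintainer", "required", key="maintainer"),
    LabelPolicy("Disallowed Image Label: dev stage", "disallowed", key="stage", value="dev"),
]

# Constructed sample deployments with the labels found on their images.
DEPLOYMENTS = [
    {"name": "payments",
     "images": {"registry.example/payments:1.2": {"maintainer": "team-pay", "stage": "prod"}}},
    {"name": "scratch-job",
     "images": {"registry.example/job:latest": {"stage": "dev"}}},
    {"name": "legacy",
     "images": {"registry.example/legacy:0.9": {}}},
]

if __name__ == "__main__":
    for line in evaluate_all(POLICIES, DEPLOYMENTS):
        print(line)
```

Running the block prints three violations: `scratch-job` trips both policies and `legacy` trips only the required-label policy, while `payments` is clean. Because the key and value are patterns, a single policy can cover a family of labels (for example `key="org\.example\..*"`) without cloning it per label.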
We’ve added compliance checks for the NIST Special Publication 800-53 (rev. 4) standard. To assess your clusters for this standard, select Scan Environment in the Compliance view after you upgrade.
We’ve added a login form for the Username and Password user authentication method for the StackRox portal. The authentication prompt no longer uses your web browser’s interface to request the password.
- ROX-2423: Previously, the Collector pod could crash if a process exited while Collector was starting up. We’ve resolved this issue.
- ROX-4076: Previously, you couldn’t log in using certain authentication providers if StackRox Central couldn’t connect to the provider at startup. The StackRox Kubernetes Security Platform now retries these connections if they fail.
- ROX-4240: Previously, the roxctl CLI sent an invalid Host header when running in plaintext mode. We’ve fixed this issue.
- ROX-4241 and ROX-4242: Previously, due to an internal logic error, if you created a policy with the Required Label or the Required Annotation policy criteria, you might not receive violations. We’ve fixed this issue.
- ROX-4254: Previously, the Cluster details panel from the Configuration Management view didn’t display policy violations under the Cluster Findings section. The StackRox portal now correctly shows policy violations for all deployments for the cluster.
- Previously, the database backup/restore process could fail if certain invalid data was present. The backup/restore process now handles this type of error.
- We’ve fixed issues that could cause StackRox Central to crash after you upgraded to version 22.214.171.124, depending on the contents of your StackRox Central database.
In version 126.96.36.199, we’ve added a safe mode to StackRox Central. StackRox Support may request that you activate this setting when working with you to resolve an issue.
We’ve reduced the computational load on Central by moving the deployment and image detection capabilities from Central to Sensor. Additionally, Sensor gathers image scan results and additional metadata from Central, generates runtime and deploy-time alerts, and applies enforcement policies.
We’ve removed the StackRox Monitoring components. If you want to monitor the StackRox Kubernetes Security Platform components (Sensor, Central, and Collector), you can use Prometheus or other similar monitoring software.
The -e (--endpoint) option of the roxctl CLI now supports URLs as arguments.
The path component of the URL you specify must either be:
- blank, for example https://central.stackrox
- /, for example https://central.stackrox/
Any other value for the path component is incorrect. For example, the following command is incorrect:
❌ roxctl -e 'https://central.stackrox/api' central debug log
If you use the --plaintext option along with a URL, the URL scheme must be http.
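The rules above are easy to get wrong in wrapper scripts, so here is an added example (not part of roxctl) that validates an --endpoint URL before it is passed to the CLI. It handles only the URL form of the argument; the default ports it substitutes when the URL carries none (443 for https, 80 for http) are an assumption of this example and are not stated in the release notes.

```python
from urllib.parse import urlsplit


class EndpointError(ValueError):
    """Raised when an --endpoint URL breaks one of the documented rules."""


def validate_endpoint(endpoint, plaintext=False):
    """Check a roxctl -e/--endpoint URL and return the host:port it resolves to.

    Rules applied (from the release notes):
      * the path must be blank or exactly "/"
      * with --plaintext the scheme must be http
    """
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https"):
        raise EndpointError(f"unsupported scheme {parts.scheme!r}; use http or https")
    if plaintext and parts.scheme != "http":
        raise EndpointError("--plaintext requires the http scheme")
    if parts.path not in ("", "/"):
        raise EndpointError(
            f"path component {parts.path!r} is not allowed; it must be blank or '/'")
    if not parts.hostname:
        raise EndpointError("URL has no host")
    # Assumed defaults for this example; the notes do not specify them.
    port = parts.port or (80 if parts.scheme == "http" else 443)
    return f"{parts.hostname}:{port}"


def check_endpoints(cases):
    """Validate (endpoint, plaintext) pairs; map each to its host:port or a rejection reason."""
    results = {}
    for endpoint, plaintext in cases:
        try:
            results[(endpoint, plaintext)] = validate_endpoint(endpoint, plaintext)
        except EndpointError as exc:
            results[(endpoint, plaintext)] = f"rejected: {exc}"
    return results


# Constructed sample inputs covering the accepted and rejected forms.
SAMPLE_CASES = [
    ("https://central.stackrox", False),        # blank path: accepted
    ("https://central.stackrox/", False),       # "/" path: accepted
    ("https://central.stackrox/api", False),    # extra path: rejected
    ("http://central.stackrox:8080", True),     # plaintext with http: accepted
    ("https://central.stackrox", True),         # plaintext with https: rejected
]

if __name__ == "__main__":
    for (endpoint, plaintext), outcome in check_endpoints(SAMPLE_CASES).items():
        flag = " --plaintext" if plaintext else ""
        print(f"roxctl -e '{endpoint}'{flag}: {outcome}")
```

A wrapper can call `validate_endpoint` and abort before invoking roxctl, which turns the CLI's runtime failure into an immediate, explicit error message.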
We’ve updated the Collector image to resolve CVEs in the curl library. The older version of curl was vulnerable to heap buffer overflow and double-free vulnerabilities in its FTP and TFTP handlers, which StackRox Collector doesn’t use. We identified these vulnerabilities in the Collector image by using the StackRox Scanner, and we’ve upgraded curl to a newer version that isn’t affected by them.
| Type | Topic | Description |
|---|---|---|
| New topic | Configure endpoints | Learn how to configure endpoints for the StackRox Kubernetes Security Platform by using a YAML configuration file. |
| Update | Create custom policies | Added |
| Update | Benchmark versions | Updated the NIST section to include NIST SP 800-53 Rev. 4. |
| Update | Quick start | Removed information about StackRox Monitoring components. |
| Update | Upgrade from version 2.5.31 through version 3.0.34 and Upgrade from version 3.0.35 or higher | Updated instructions for upgrading to the StackRox Kubernetes Security Platform version 3.0.40. |
| Update | Enable offline mode | Added new sections: Download images for offline use, Enable offline mode during installation, and Upload kernel support packages. |
| Update | Configure custom certificates | Added a new Configure Sensor to trust custom certificates section. |
We're happy to help! Reach out to us to discuss questions, issues, or feature requests.