Release notes: 3.0.43

Find out what's new in version 3.0.43.


The StackRox Kubernetes Security Platform version 3.0.43 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: May 15, 2020

New features

Event timeline

The StackRox Kubernetes Security Platform version 3.0.43 includes a graphical event timeline view. You can use it to get information about events for all pods in a deployment. The event timeline shows process activities, policy violations, and container restart and termination events. See the Event timeline section for more details.

Specify custom endpoints and non-public regions

You can now use non-public endpoints when you integrate the StackRox Kubernetes Security Platform with Amazon S3 and Amazon Elastic Container Registry (ECR). See the Integrate with Amazon S3 topic to learn more about customizing the request endpoint and specifying isolated AWS regions.

Important bug fixes

  • ROX-4862: Previously, the StackRox portal showed an error message for process tags in the Violations view and the Risk > Process Discovery view to users with read permission for process indicators. We’ve resolved this issue.
  • ROX-4861: Previously, CIS (Center for Internet Security) compliance scan results sometimes included incorrect results because the StackRox Kubernetes Security Platform trimmed long process names. We’ve fixed this issue.
  • ROX-4761: Previously, the Cluster details panel from the Vulnerability Management view reported a GraphQL error for policies with cluster, namespace, or label exclusions. The StackRox portal now correctly shows this information for the cluster.
  • ROX-4754: Previously, the Sensor bundle didn’t handle additional certificate authorities. We’ve added the ca-setup-sensor.sh and delete-ca-sensor.sh scripts to the Sensor bundle to fix this issue.
  • ROX-4752: Previously, the Policy details panel in the Vulnerability Management view didn’t display information for the Privileged criterion under the Policy Criteria section. The StackRox portal now correctly shows this information.
  • ROX-4744: Previously, diagnostic bundle downloads and debug dumps could time out in busy clusters. We’ve fixed this issue by changing how Central collects data from secured clusters.
  • ROX-4730: Previously, the Scanner deployment didn’t mount the additional CA secret and would fail to scan self-signed registries. We’ve resolved this issue.
  • ROX-4729: Previously, when you selected an image from the Search view, the StackRox portal didn’t open the Image details view. We’ve resolved this issue.
  • ROX-4705: StackRox Sensor falls back to an authentication token when it can’t use mutual TLS for authentication with Central. Previously, Sensor didn’t use the token when downloading Collector probes from Central or during automatic upgrades. We’ve resolved this issue.
  • ROX-4695: Previously, the StackRox Kubernetes Security Platform would still trigger policy violations based on the CVSS scores for snoozed CVEs when you used the roxctl image check command. We’ve fixed this issue.
  • ROX-4660: Previously, when creating a new cluster, the StackRox portal allowed entering trailing slashes and other invalid characters. We’ve fixed this issue by implementing improved validation.
  • ROX-4597: Previously, the StackRox Kubernetes Security Platform didn’t allow you to log in if you configured more than one User Certificates authorization provider with the same certificate authority. We’ve resolved this issue.
  • ROX-4569: Previously, the default security policy Images with no scans wouldn’t report any policy violations or enforcement actions. We’ve fixed this issue.
  • ROX-4405: Previously, the CIS Kubernetes compliance check for directory permissions reported an error. We’ve fixed this issue.
  • ROX-4146: We’ve removed a mention of the obsolete scanner-v2 service in the policy exclusions.
  • ROX-3789: Previously, automatic upgrades for Sensor would incorrectly display the Sensor version as up to date for a disconnected Sensor in the Platform Configuration > Clusters view. We’ve fixed this issue.
  • ROX-3268: Previously, in the StackRox portal, the Deployment filter option was missing from the local page filtering options in the Compliance view. We’ve fixed this issue.

Resolved in version 3.0.43.1

Release date: May 20, 2020

  • ROX-4946: Previously, if you were using the default Images with no scans security policy with admission controller enforcement, the StackRox Kubernetes Security Platform blocked every deployment. We’ve fixed this issue.
  • ROX-4947: Previously, sometimes Scanner failed to analyze images and reported a duplicate key value error message. We’ve resolved this issue.
  • ROX-4874: To scan images, Scanner takes the server address from image pull secrets. Previously, sometimes Scanner failed to scan images for autogenerated registries if the image address contained trailing paths. The Scanner now uses the correct server address, without the trailing paths.

Important system changes

Collector

We’ve published a technical advisory about how to mitigate Linux kernel issues you may encounter if you use eBPF-based runtime activity collection on certain kernel versions.

API

  • GenerateToken (/v1/apitokens/generate): the singular role field in the request payload is deprecated; use the array field roles instead.
  • GetAPIToken (/v1/apitokens/{id}) and GetAPITokens (/v1/apitokens): the singular role field in the response payload is deprecated; use the array field roles instead.
  • Audit logs: the singular user.role field in the audit message payload is deprecated. Use the singular user.permissions field for the effective permissions of the user, and the array field user.roles for all the individual roles associated with the user.

Jenkins plugin

We’ve updated the StackRox Container Image Scanner Jenkins plugin to version 1.2.2, which includes fixes for the following issues:

  • Rendering of the StackRox Image Security Report when the CVE publishedOn date isn’t available.
  • Incorrectly reported CVE fixable state.

StackRox portal

In the Platform Configuration > Clusters view, we’ve updated the status text On the latest version to Up to date with Central version.

Compliance

The Compliance container within the Collector DaemonSet now has a hostPath of /, which it needs in order to read configuration files anywhere on the host. This change requires the allowedHostVolumes within the stackrox-collector PSP to allow / to be mounted. For added security, the PSP allows / to be mounted with read-only permission only.
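The PSP and DaemonSet relationship described above, as an added illustration rather than the project's own manifests (the Kubernetes PodSecurityPolicy field is named allowedHostPaths; the container image, the host-root volume name and the /host mount path are assumptions). With readOnly: true on the path prefix, the admission controller rejects a pod that mounts that prefix read-write, so the container's volumeMount must be read-only as well:

```yaml
# Added illustration (not StackRox's own manifests): a PodSecurityPolicy that
# permits the Collector DaemonSet to mount the host root, but only read-only,
# beside the Compliance container's matching volumeMount.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: stackrox-collector
spec:
  volumes:
    - hostPath
  allowedHostPaths:
    # Any hostPath under "/" may be used, but a pod that mounts it without
    # readOnly: true on the volumeMount is rejected at admission.
    - pathPrefix: "/"
      readOnly: true
  # Remaining required rules reduced to permissive placeholders for brevity.
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: collector
spec:
  selector:
    matchLabels:
      app: collector
  template:
    metadata:
      labels:
        app: collector
    spec:
      containers:
        - name: compliance
          image: compliance:PLACEHOLDER   # placeholder image reference
          volumeMounts:
            - name: host-root            # assumed volume name
              mountPath: /host           # assumed in-container path
              readOnly: true             # required by the PSP above
      volumes:
        - name: host-root
          hostPath:
            path: /                      # the hostPath of / from the note
```

Only the host-path rules matter here; dropping readOnly: true from the volumeMount while keeping it in the PSP makes the DaemonSet's pods fail admission rather than silently gain write access to the host.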

Logs

We’ve removed the following frequently appearing error messages related to:

  • CPE matching for Fedora Linux and the "AND" operator in the Scanner logs.
  • memory allocation in the Collector logs.

Security updates

We’ve updated the Collector image to resolve the CVE-2020-3810 vulnerability in the apt package. Collector doesn’t use apt at runtime, and apt isn’t included in its final image. We’ve upgraded apt to a newer version that isn’t affected by the CVE-2020-3810 vulnerability.

Other notes

Amazon S3 compatibility

In this release, we’ve added the ability to specify custom endpoints for the Amazon S3 integration.

However, the StackRox Kubernetes Security Platform doesn’t support using Google Cloud Storage for automatic backups due to API differences.

Documentation changes

Change      | Pages                  | Description
------------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Update      | Backup and restore     | Added a note about the required permissions and role to create backups.
Update      | Quick Start            | Added a note that the StackRox Kubernetes Security Platform doesn’t support Amazon Elastic File System (Amazon EFS) and the alternative to use instead.
New section | Common tasks           | Added a new section that lists some common tasks you can perform from the Vulnerability Management view.
New section | Event timeline         | Added a new section for the graphical event timeline view.
New topic   | Collector soft lock-up | Added an advisory about how to mitigate Linux kernel issues you may encounter if you use eBPF-based collection on certain kernel versions.

© 2021 StackRox Inc. All rights reserved.