The StackRox Kubernetes Security Platform version 3.0.43 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.
Release date: May 15, 2020
The StackRox Kubernetes Security Platform version 3.0.43 includes a graphical event timeline view. You can use it to get information about events for all pods in a deployment. The event timeline shows process activities, policy violations, and container restart and termination events. See the Event timeline section for more details.
You can now use non-public endpoints when you integrate the StackRox Kubernetes Security Platform with Amazon S3 and Amazon Elastic Container Registry (ECR). See the Integrate with Amazon S3 topic to learn more about customizing the request endpoint and specifying isolated AWS regions.
- ROX-4862: Previously, the StackRox portal would show an error message for process tags in the Violations and the Risk > Process Discovery views to users with `read` permission for process indicators. We’ve resolved this issue.
- ROX-4861: Previously, CIS (Center for Internet Security) compliance scan results sometimes included incorrect results because the StackRox Kubernetes Security Platform trimmed long process names. We’ve fixed this issue.
- ROX-4761: Previously, the Cluster details panel from the Vulnerability Management view reported a GraphQL error for policies with cluster, namespace, or label exclusions. The StackRox portal now correctly shows this information for the cluster.
- ROX-4754: Previously, the Sensor bundle didn’t handle additional certificate authorities. We’ve added scripts, including `delete-ca-sensor.sh`, to the Sensor bundle to fix this issue.
- ROX-4752: Previously, the Policy details panel from the Vulnerability Management view didn’t display information for the Privileged criterion under the Policy Criteria section. The StackRox portal now correctly shows this information.
- ROX-4744: Previously, diagnostic bundle downloads and debug dumps could time out in busy clusters. We’ve fixed this issue by changing how Central collects data from secured clusters.
- ROX-4730: Previously, the Scanner deployment didn’t mount the additional CA secret and would fail to scan self-signed registries. We’ve resolved this issue.
- ROX-4729: Previously, when you selected an image from the Search view, the StackRox portal didn’t open the Image details view. We’ve resolved this issue.
- ROX-4705: StackRox Sensor falls back to an authentication token when it can’t use mutual TLS for authentication with Central. Previously, Sensor didn’t use the token when downloading Collector probes from Central or during automatic upgrades. We’ve resolved this issue.
- ROX-4695: Previously, the StackRox Kubernetes Security Platform would still trigger policy violations based on the CVSS scores for snoozed CVEs when you used the `roxctl image check` command. We’ve fixed this issue.
- ROX-4660: Previously, when creating a new cluster, the StackRox portal allowed entering trailing slashes and other invalid characters. We’ve fixed this issue by implementing improved validation.
- ROX-4597: Previously, the StackRox Kubernetes Security Platform didn’t allow you to log in if you configured more than one User Certificates authorization provider with the same certificate authority. We’ve resolved this issue.
- ROX-4569: Previously, the default security policy Images with no scans wouldn’t report any policy violations or enforcement actions. We’ve fixed this issue.
- ROX-4405: Previously, there was an error in CIS Kubernetes Compliance check for directory permissions. We’ve fixed this issue.
- ROX-4146: We’ve removed a mention of the obsolete scanner-v2 service in the policy exclusions.
- ROX-3789: Previously, automatic upgrades for Sensor would incorrectly display the Sensor version as up to date for a disconnected Sensor in the Platform Configuration > Clusters view. We’ve fixed this issue.
- ROX-3268: Previously, in the StackRox portal, the Deployment filter option was missing from the local page filtering options in the Compliance view. We’ve fixed this issue.
Release date: May 20, 2020
- ROX-4946: Previously, if you were using the default Images with no scans security policy with admission controller enforcement, the StackRox Kubernetes Security Platform blocked every deployment. We’ve fixed this issue.
- ROX-4947: Previously, sometimes Scanner failed to analyze images and reported a duplicate key value error message. We’ve resolved this issue.
- ROX-4874: To scan images, Scanner takes the server address from image pull secrets. Previously, sometimes Scanner failed to scan images for autogenerated registries if the image address contained trailing paths. The Scanner now uses the correct server address, without the trailing paths.
We’ve published a technical advisory about how to mitigate Linux kernel issues you may encounter if you use eBPF-based runtime activity collection on certain kernel versions.
- GenerateToken (`/v1/apitokens/generate`): the singular `role` field in the request payload is deprecated; use the array field instead.
- GetAPITokens (`/v1/apitokens`): the singular `role` field in the response payload is deprecated; use the array field instead.
- Audit logs: the singular `user.role` field in the audit message payload is deprecated. Use the singular `user.permissions` field for the effective permissions of the user, and the array field `user.roles` for all the individual roles associated with a user.
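The audit-log deprecation above matters to anything that ingests Central's audit messages (a SIEM forwarder, a reporting script): a consumer that reads only `user.role` keeps working during the transition and then silently loses the role information once the singular field goes away. The following is an added example, not StackRox code, of a consumer that prefers `user.roles`, falls back to the deprecated field, and flags messages that still carry only the old shape. The three audit messages are constructed for the example (not captured from a real Central), and the structure of `user.permissions` shown in the third message is an assumption.

```python
"""Read the acting user's roles from StackRox audit-log messages across the
user.role deprecation.

Added example, not StackRox's code. It assumes audit messages are JSON objects
carrying a "user" object. The sample messages are constructed and show the old
shape (singular user.role only), the transitional shape (both fields) and the
new shape (user.roles plus user.permissions).
"""
import json
from collections import Counter

# Constructed sample audit log: one JSON object per line.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"time": "2020-05-15T10:00:00Z",
                "user": {"role": "Admin"},
                "request": {"endpoint": "/v1/apitokens/generate", "method": "POST"}}),
    json.dumps({"time": "2020-05-15T10:01:00Z",
                "user": {"role": "Admin", "roles": ["Admin", "Analyst"]},
                "request": {"endpoint": "/v1/apitokens", "method": "GET"}}),
    json.dumps({"time": "2020-05-15T10:02:00Z",
                "user": {"roles": ["Continuous Integration"],
                         # The shape of user.permissions is assumed for this example.
                         "permissions": {"Image": "READ_ACCESS"}},
                "request": {"endpoint": "/v1/images", "method": "GET"}}),
])


def parse_audit_log(text):
    """Parse newline-delimited JSON audit messages, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def user_roles(msg):
    """Return every role of the acting user.

    Prefer the array field user.roles and fall back to the deprecated singular
    user.role only when the array is absent, so the consumer behaves the same
    before, during and after the deprecation.
    """
    user = msg.get("user") or {}
    roles = user.get("roles")
    if roles:
        return list(roles)
    legacy = user.get("role")
    return [legacy] if legacy else []


def uses_deprecated_field_only(msg):
    """True when the message carries only the singular field (old payload shape)."""
    user = msg.get("user") or {}
    return "role" in user and not user.get("roles")


def role_usage(messages):
    """Count API requests per role; a user holding several roles counts once per role."""
    counts = Counter()
    for msg in messages:
        for role in user_roles(msg):
            counts[role] += 1
    return dict(counts)


if __name__ == "__main__":
    msgs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for m in msgs:
        tag = " (legacy payload)" if uses_deprecated_field_only(m) else ""
        print(m["request"]["method"], m["request"]["endpoint"], user_roles(m), tag)
    print(role_usage(msgs))
```

Counting how many ingested messages still satisfy `uses_deprecated_field_only` is a quick way to confirm that the producer has moved to the new payload and that the fallback branch is no longer being exercised.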
We’ve updated the StackRox Container Image Scanner Jenkins plugin to version 1.2.2 which includes fixes for the following issues:
- Rendering of the StackRox Image Security Report when the CVE `publishedOn` date isn’t available.
- Incorrectly reported CVE fixable state.
In the Platform Configuration > Clusters view, we’ve updated the status `On the latest version` to `Up to date with Central version`.
The Compliance container within the Collector DaemonSet now has a hostPath of `/`, which is needed to be able to read configuration files anywhere on the host. This change requires the `allowedHostVolumes` within the `stackrox-collector` PSP to allow `/` to be mounted. For added security, the PSP sets `/` as read-only.
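A hostPath of `/` exposes the whole host filesystem to the container, so the read-only constraint is the control worth verifying, and it has to hold in two places: the volumeMount in the pod spec and the PodSecurityPolicy that permits the mount. The following is an added example, not StackRox's manifests or code, that checks both. The DaemonSet pod spec and PSP are constructed, trimmed illustrations of the shape described above; container, volume and policy names are placeholders. The check uses the PodSecurityPolicy field `allowedHostPaths` (entries of `pathPrefix` plus `readOnly`), which is how a policy/v1beta1 PSP restricts hostPath volumes.

```python
"""Verify that a hostPath mount of the host root ("/") is read-only in the pod
spec that mounts it and in the PodSecurityPolicy that permits it.

Added example, not StackRox's manifests or code. All manifests below are
constructed placeholders shaped like the change described in the release note.
"""

# Constructed pod spec (as found at a DaemonSet's .spec.template.spec).
POD_SPEC_OK = {
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [
        {"name": "collector", "volumeMounts": []},
        {"name": "compliance",
         "volumeMounts": [{"name": "host-root", "mountPath": "/host", "readOnly": True}]},
    ],
}

# Same spec, but the mount omits readOnly: a writable view of the host filesystem.
POD_SPEC_RW = {
    "volumes": POD_SPEC_OK["volumes"],
    "containers": [
        {"name": "compliance",
         "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]},
    ],
}

# Constructed PSP. "/" is a prefix of every path, so this single entry governs
# all hostPath volumes and forces them to be mounted read-only.
PSP_OK = {"metadata": {"name": "example-collector"},
          "spec": {"volumes": ["hostPath", "secret"],
                   "allowedHostPaths": [{"pathPrefix": "/", "readOnly": True}]}}

# Constructed PSP with no allowedHostPaths: an empty list places no restriction
# on which host paths may be mounted, or how.
PSP_UNRESTRICTED = {"metadata": {"name": "example-collector"},
                    "spec": {"volumes": ["hostPath", "secret"]}}


def host_root_volume_names(pod_spec):
    """Names of volumes backed by hostPath "/" (subdirectories are out of scope here)."""
    return {v["name"] for v in pod_spec.get("volumes", [])
            if (v.get("hostPath") or {}).get("path") == "/"}


def pod_spec_findings(pod_spec):
    """Report every container mount of the host root that is not read-only."""
    roots = host_root_volume_names(pod_spec)
    findings = []
    for c in pod_spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in roots and not m.get("readOnly", False):
                findings.append(
                    f"container {c['name']!r} mounts host / read-write at {m['mountPath']}")
    return findings


def psp_findings(psp):
    """Report whether the PSP would let a pod mount the host root writable."""
    spec = psp.get("spec", {})
    name = psp.get("metadata", {}).get("name", "<unnamed>")
    allowed_types = spec.get("volumes", [])
    if "hostPath" not in allowed_types and "*" not in allowed_types:
        return []  # hostPath volumes are not permitted at all, nothing to mount
    entries = spec.get("allowedHostPaths") or []
    if not entries:
        return [f"PSP {name} has no allowedHostPaths: any host path may be mounted read-write"]
    return [f"PSP {name} allows pathPrefix {e.get('pathPrefix')!r} read-write"
            for e in entries
            if e.get("pathPrefix") == "/" and not e.get("readOnly", False)]


def check(pod_spec, psp):
    """Combined findings; an empty list means the host root is read-only end to end."""
    return pod_spec_findings(pod_spec) + psp_findings(psp)


if __name__ == "__main__":
    for label, ps, policy in [("hardened", POD_SPEC_OK, PSP_OK),
                              ("writable mount", POD_SPEC_RW, PSP_OK),
                              ("unrestricted PSP", POD_SPEC_OK, PSP_UNRESTRICTED)]:
        print(label, "->", check(ps, policy) or "ok")
```

The two layers are deliberately checked independently: the pod spec shows what the workload actually does, while the PSP shows what any pod admitted under that policy could do, so a finding in the PSP is a gap even when the current DaemonSet mounts the path read-only.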
We’ve removed the following frequently appearing error messages related to:
- CPE matching for Fedora Linux and `operator "AND"` in the Scanner logs.
- Memory allocation in the Collector logs.
We’ve updated the Collector image to resolve the CVE-2020-3810 vulnerability in the `apt` package. Collector doesn’t use `apt` at runtime, and `apt` isn’t included in its final image. We’ve upgraded `apt` to a newer version that isn’t affected by the CVE-2020-3810 vulnerability.
However, the StackRox Kubernetes Security Platform doesn’t support using Google Cloud Storage for automatic backups due to API differences.
| Change | Section | Description |
| --- | --- | --- |
| Update | Backup and restore | Added a note about the required permissions and role to create backups. |
| Update | Quick Start | Added a note that the StackRox Kubernetes Security Platform doesn’t support Amazon Elastic File System (Amazon EFS) and the alternative to use instead. |
| New section | Common tasks | Added a new section that lists some common tasks you can perform from the Vulnerability Management view. |
| New section | Event timeline | Added a new section for the graphical event timeline view. |
| New topic | Collector soft lock-up | Added an advisory about how to mitigate Linux kernel issues you may encounter if you use eBPF-based collection on certain kernel versions. |