The StackRox Kubernetes Security Platform version 3.0.44 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.
Release date: June 3, 2020
You can now share security policies between different Central instances by exporting and importing them, so you can enforce the same standards across all your clusters. To share policies, export them as JSON files and then import them into another Central instance. See Share security policies for more details.
You can now use Google Cloud Identity-Aware Proxy as a Single sign-on (SSO) provider for the StackRox Kubernetes Security Platform. See Configure Google Cloud Identity-Aware Proxy (IAP) as an Identity Provider for details.
While configuring identity providers, you no longer have to log out and log back in to check whether the integration is working. There’s a new Test Login option you can use to test your identity provider without logging out of the StackRox Kubernetes Security Platform. For details, see the Verify configuration section in the Configure a SAML 2.0 Identity Provider in StackRox and Configure an OIDC Identity Provider in StackRox topics.
The StackRox Kubernetes Security Platform now shows information about the current logged-in user. The logged-in user initials are visible in the Infobar on top. You can select the initials to view your details, including your name, username, and role. Select your name to open the User Permissions view, which lists the StackRox Kubernetes Security Platform RBAC resources, permissions you have for each of those resources, and the role or roles that grant you each permission.
- ROX-4995: We’ve fixed an issue where the audit logs would show the username and password of the built-in administrator user. This issue didn’t affect single sign-on (SSO) users.
- ROX-4989: Previously, the StackRox portal would fail to show data in the Vulnerability Management view if background requests for data took too long. We’ve increased the timeout to fix this issue.
- ROX-4965: Previously, when a policy violation occurred in a pod, the Event Timeline view showed the policy violation for all pods in the deployment. We’ve fixed this issue.
- ROX-4914: Previously, if you scanned an image, rebuilt it with the same tag (such as `latest`), and scanned it again, the StackRox Kubernetes Security Platform would return old scan results for the rebuilt image. We’ve fixed this issue.
- ROX-4709: Previously, the `roxctl image check` CLI command would try to run even with an incorrect option. We’ve updated the `roxctl` CLI, and it now reports errors for unexpected options in commands.
- ROX-4610: We’ve fixed an issue where the Network Graph view could appear to shake if you used a custom browser zoom level.
Release date: June 11, 2020
- ROX-5077: Previously, when you integrated with more than one Google Container Registry (GCR), the StackRox Kubernetes Security Platform could intermittently fail to retrieve image metadata and scan results. We’ve fixed this issue by improving the way the StackRox Kubernetes Security Platform chooses which integration to use for each image.
- ROX-5065: To improve performance, we’ve implemented log throttling, which controls the number of log messages the StackRox Kubernetes Security Platform generates.
  - By default, the StackRox Central, Sensor, Scanner, Admission Controller, and Compliance containers each emit at most 100 log lines in any 10-second interval.
  - You can adjust this threshold for each service by setting `MAX_LOG_LINE_QUOTA` on each container in the Kubernetes PodSpec. The value must match the format `<#log lines>/<interval in seconds>`, for example, `100/100` for 100 logs in 100 seconds (1 log-per-second sustained throughput, enforced over 100-second intervals).
- ROX-5062: We’ve fixed an issue with the crontab Execution security policy where it wouldn’t trigger violations for `crontab` but would trigger violations for other matching processes like `cron`. This issue also affected custom policies where a single regular expression criterion had OR branches and one branch was a prefix of the other, as `cron` is of `crontab`.
- ROX-5058: Previously, if you deployed Sensor and Collector by using Helm charts, automatic upgrades would later fail due to incorrect image names for both images. We’ve fixed this issue.
- ROX-5042: We’ve fixed an issue where the StackRox portal wouldn’t show a success or failure message when you selected the Test option while configuring an integration.
- ROX-5027: Previously, if you were using admission controller enforcement and the communication between the Sensor and the Admission Controller was interrupted for more than 15 minutes, the Admission Controller would retry the connection frequently, resulting in high volumes of logs and increased resource usage. We’ve fixed this issue.
- ROX-5025: Previously, the StackRox portal would show an error message and not show any results when you used certain global search options. We’ve fixed this issue.
- We’ve replaced some inconsistent term usage for Amazon S3 and Amazon ECR with their official product names in the Platform Configuration > Integrations view.
- We’ve fixed tables in different views so that long descriptions (or names) don’t overlap with other columns.
- We’ve updated the registry integration view so that you don’t have to re-enter credentials every time you make changes to existing integrations.
- We’ve improved input validation in the Portal when you are creating a new role.
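The following script is an added example for the ROX-5065 log-throttling setting above; it is not StackRox's own code. It validates a `MAX_LOG_LINE_QUOTA` value, sets it on a named container in a Deployment manifest, and simulates how two quotas with the same 1 line/s average (`100/10` and `100/100`) treat a bursty log stream. It assumes the quota is set as a container environment variable in the PodSpec and that the quota is enforced over fixed, back-to-back intervals; both are assumptions to check against your own cluster, and the burst timeline is constructed for the demonstration.

```python
"""Validate, apply and reason about MAX_LOG_LINE_QUOTA (added example).

Assumptions, not taken from the release notes: the quota is a container
environment variable, and the <lines>/<seconds> budget is enforced over
fixed, back-to-back windows.
"""
import copy
import json
import re
import sys

QUOTA_RE = re.compile(r"^(\d+)/(\d+)$")


def parse_quota(value):
    """Validate '<#log lines>/<interval in seconds>' and return (lines, seconds)."""
    m = QUOTA_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad MAX_LOG_LINE_QUOTA {value!r}: expected <lines>/<seconds>")
    lines, seconds = int(m.group(1)), int(m.group(2))
    if lines <= 0 or seconds <= 0:
        raise ValueError(f"bad MAX_LOG_LINE_QUOTA {value!r}: both numbers must be positive")
    return lines, seconds


def set_log_quota(deployment, container_name, quota):
    """Return a copy of a Deployment manifest (dict) with MAX_LOG_LINE_QUOTA
    set on the named container, replacing any existing value."""
    parse_quota(quota)  # reject malformed values before touching the manifest
    out = copy.deepcopy(deployment)
    containers = out["spec"]["template"]["spec"]["containers"]
    target = next((c for c in containers if c["name"] == container_name), None)
    if target is None:
        raise KeyError(f"no container named {container_name!r}")
    env = target.setdefault("env", [])
    env[:] = [e for e in env if e.get("name") != "MAX_LOG_LINE_QUOTA"]
    env.append({"name": "MAX_LOG_LINE_QUOTA", "value": quota})
    return out


def simulate(quota, timestamps):
    """Apply the quota to log lines emitted at the given times (seconds,
    ascending). Returns (emitted, dropped) using fixed windows of `seconds`
    length, each window opening at the first line that falls outside the
    previous one (assumed model)."""
    lines, seconds = parse_quota(quota)
    emitted = dropped = 0
    window_start, used = None, 0
    for t in timestamps:
        if window_start is None or t >= window_start + seconds:
            window_start, used = t, 0  # start a fresh window at this line
        if used < lines:
            used += 1
            emitted += 1
        else:
            dropped += 1
    return emitted, dropped


# Constructed sample: three bursts of 50 lines, 15 s apart. The average rate
# is 1 line/s either way, but 100/10 passes every burst while 100/100 caps
# the whole 30 s at 100 lines and drops the rest.
BURSTS = [0.0] * 50 + [15.0] * 50 + [30.0] * 50

if __name__ == "__main__":
    # Usage: kubectl -n stackrox get deploy sensor -o json \
    #        | python log_quota.py sensor 200/10 | kubectl replace -f -
    name, quota = sys.argv[1], sys.argv[2]
    json.dump(set_log_quota(json.load(sys.stdin), name, quota), sys.stdout, indent=2)
```

The simulation is the practical point: `100/100` is not simply "the same as the default but longer". Shortening the interval keeps the same sustained rate but tolerates bursts, which is what you want when a container legitimately logs in spikes (for example at startup); lengthening it gives a hard cap on noisy components at the cost of losing lines during an incident.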
We’ve added the following new endpoints for sharing security policies:
- `/v1/policies/export`, which accepts a list of policy IDs and returns a list of JSON policies.
- `/v1/policies/import`, which accepts a JSON list of policies, imports them into the StackRox Kubernetes Security Platform, and returns success or failure details for every policy.
- We’ve increased resource requests and limits in new Sensor deployments:
- Sensor now requests 1 CPU core and 1GiB of RAM.
- Sensor is now limited to 2 CPU cores and 4GiB of RAM.
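The following script is an added example of using the two policy-sharing endpoints listed above to copy policies from one Central to another; it is not StackRox's own code. The request and response shapes are assumptions (export takes `{"policyIds": [...]}`, import takes `{"policies": [...]}`, and the import reply lists per-policy results under `responses`, each with `succeeded`, `policy` and `errors`), as is Bearer-token authentication; check them against your Central's API reference before use. The environment variable names and the sample response are constructed for the example.

```python
"""Copy security policies between Central instances (added example).

Assumed API shapes, not taken from the release notes: see the module's
lead-in. Run with ROX_SRC, ROX_SRC_TOKEN, ROX_DST, ROX_DST_TOKEN and optionally
ROX_CA_FILE set, followed by the policy IDs to copy.
"""
import json
import os
import ssl
import sys
import urllib.request


def export_request_body(policy_ids):
    """JSON body for POST /v1/policies/export (assumed shape)."""
    return json.dumps({"policyIds": list(policy_ids)}).encode()


def import_request_body(policies):
    """JSON body for POST /v1/policies/import (assumed shape)."""
    return json.dumps({"policies": list(policies)}).encode()


def summarize_import(response):
    """Split an import response into (imported_names, failures).

    failures maps a policy name to its error messages so an automation job
    fails loudly instead of assuming every policy landed on the target.
    """
    imported, failures = [], {}
    for result in response.get("responses", []):
        name = result.get("policy", {}).get("name", "<unnamed>")
        if result.get("succeeded"):
            imported.append(name)
        else:
            failures[name] = [e.get("message", "") for e in result.get("errors", [])]
    return imported, failures


def post_json(central, token, path, body, ca_file=None):
    """POST body to https://<central><path> and return the decoded JSON reply."""
    req = urllib.request.Request(
        f"https://{central}{path}",
        data=body,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    # Verify Central's certificate; pass its CA bundle rather than disabling checks.
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


def copy_policies(src, src_token, dst, dst_token, policy_ids, ca_file=None):
    """Export policy_ids from src and import them into dst."""
    exported = post_json(src, src_token, "/v1/policies/export",
                         export_request_body(policy_ids), ca_file)
    policies = exported.get("policies", [])  # assumed field name in the export reply
    reply = post_json(dst, dst_token, "/v1/policies/import",
                      import_request_body(policies), ca_file)
    return summarize_import(reply)


if __name__ == "__main__":
    env = os.environ
    ok, failed = copy_policies(env["ROX_SRC"], env["ROX_SRC_TOKEN"],
                               env["ROX_DST"], env["ROX_DST_TOKEN"],
                               sys.argv[1:], env.get("ROX_CA_FILE"))
    print("imported:", ", ".join(ok) or "none")
    for name, errors in failed.items():
        print(f"FAILED {name}: {'; '.join(errors)}")
    sys.exit(1 if failed else 0)
```

Two practical notes: give the token used against the target Central only the permissions the import needs, since the same token that can write policies can weaken enforcement everywhere; and treat a partial success as a failure in automation, because the import endpoint reports per-policy results rather than failing as a whole.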
We’ve updated the base image for Collector and made some other changes to reduce the number of CVEs affecting the Collector image. It still has a few CVEs left which aren’t fixable because there is no new version available. We’ve determined that the unfixable CVEs don’t affect Collector in its deployed configuration. The Collector image version with this change is
Release date: June 10, 2020
We’ve updated dependencies in the Collector image to resolve new fixable CVEs. The Collector image version with this change is
| Change | Topic | Description |
|---|---|---|
| New topic | Share security policies | Learn how to share your security policies between Central instances. |
| New topic | Configure Google Cloud Identity-Aware Proxy (IAP) as an Identity Provider | Use Google Cloud IAP for identity management with StackRox. |
| New topic | Uninstall the StackRox Kubernetes Security Platform | Added instructions for completely uninstalling each component of the StackRox Kubernetes Security Platform. |
| Update | Upload support packages to Central | Added information about the order in which Collector checks for new probes and about mutable image tags. |