Release notes: 3.0.44

Find out what's new in version 3.0.44.


The StackRox Kubernetes Security Platform version 3.0.44 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: June 3, 2020

New features

Share security policies

You can now share security policies between different Central instances by exporting and importing policies. Use this to enforce the same standards across all your clusters. To share policies, export them as JSON files and then import them into another Central instance. See Share security policies for more details.

Use Google Cloud Identity-Aware Proxy (IAP) as an Identity Provider

You can now use Google Cloud Identity-Aware Proxy as a Single sign-on (SSO) provider for the StackRox Kubernetes Security Platform. See Configure Google Cloud Identity-Aware Proxy (IAP) as an Identity Provider for details.

Test integration with Identity Providers

While configuring Identity Providers, now you don’t have to log out and log back in to check if the integration is working. There’s a new Test Login option you can use to test your identity provider without logging out of the StackRox Kubernetes Security Platform. For details, see the Verify configuration section in the Configure a SAML 2.0 Identity Provider in StackRox and Configure an OIDC Identity Provider in StackRox topics.

Active user details

The StackRox Kubernetes Security Platform now shows information about the current logged-in user. The logged-in user initials are visible in the Infobar on top. You can select the initials to view your details, including your name, username, and role. Select your name to open the User Permissions view, which lists the StackRox Kubernetes Security Platform RBAC resources, permissions you have for each of those resources, and the role or roles that grant you each permission.

Important bug fixes

  • ROX-4995: We’ve fixed an issue where the audit logs would show the username and password of the built-in administrator user. This issue didn’t affect single sign-on (SSO) users.
  • ROX-4989: Previously, the StackRox portal would fail to show data in the Vulnerability Management view if background requests for data took too long. We’ve increased the timeout to fix this issue.
  • ROX-4965: Previously, when a policy violation occurred in a pod, the Event Timeline view showed the policy violation for all pods in the deployment. We’ve fixed this issue.
  • ROX-4914: Previously, if you scanned an image, rebuilt it with the same tag (such as latest), and scanned it again, the StackRox Kubernetes Security Platform would return old scan results for the rebuilt image. We’ve fixed this issue.
  • ROX-4709: Previously, the roxctl image check CLI command would try to run even with an incorrect option. We’ve updated the roxctl CLI, and it now reports errors for unexpected options in commands.
  • ROX-4610: We’ve fixed an issue where the Network Graph view could appear to shake if you used a custom browser zoom level.

Resolved in version 3.0.44.1

Release date: June 11, 2020

  • ROX-5077: Previously, when you integrated with more than one Google Container Registry (GCR), the StackRox Kubernetes Security Platform could intermittently fail to retrieve image metadata and scan results. We’ve fixed this issue by improving the way the StackRox Kubernetes Security Platform chooses which integration to use for each image.
  • ROX-5065: To improve performance, we’ve implemented log throttling, which controls the number of log messages the StackRox Kubernetes Security Platform generates.
    • By default, the StackRox Central, Sensor, Scanner, Admission Controller, and Compliance containers each emit at most 100 log lines in any 10-second interval.
    • You can adjust this threshold for each service by setting the environment variable MAX_LOG_LINE_QUOTA on each container in the Kubernetes PodSpec. The value must match the format <#log lines>/<interval in seconds>, for example, 100/100 for 100 logs in 100 seconds (1 log-per-second sustained throughput, enforced over 100-second intervals).
  • ROX-5062: We’ve fixed an issue with the crontab Execution security policy where it wouldn’t trigger violations for crontab but would trigger violations for other matching processes like cron. This issue also affected custom policies where a single regular expression criterion had OR branches, and one was a prefix of the other, for example (a|ab).
  • ROX-5058: Previously, if you deployed Sensor and Collector by using Helm charts, automatic upgrades would later fail due to incorrect image names for both images. We’ve fixed this issue.
  • ROX-5042: We’ve fixed an issue where the StackRox portal wouldn’t show a success or failure message when you selected the Test option while configuring an integration.
  • ROX-5027: Previously, if you were using admission controller enforcement and the communication between the Sensor and the Admission Controller was interrupted for more than 15 minutes, the Admission Controller would retry the connection frequently, resulting in high volumes of logs and increased resource usage. We’ve fixed this issue.
  • ROX-5025: Previously, the StackRox portal would show an error message and not show any results when you used certain global search options. We’ve fixed this issue.
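The ROX-5065 item above describes the MAX_LOG_LINE_QUOTA format (<#log lines>/<interval in seconds>) and the default of at most 100 lines in any 10-second interval. The following is an added illustration, not StackRox code: it validates a quota string the way the documented format requires and models the throttle as a trailing window so you can see how many lines a burst would emit versus drop before setting the variable on a PodSpec. The window semantics are an assumption made for the illustration; the product's internal implementation is not described on this page.

```python
import re
from collections import deque

# Documented format: "<lines>/<seconds>", e.g. "100/10" (default) or "100/100".
QUOTA_RE = re.compile(r"^(\d+)/(\d+)$")


def parse_quota(value: str) -> tuple:
    """Return (max_lines, interval_seconds) for a MAX_LOG_LINE_QUOTA value."""
    m = QUOTA_RE.match(value.strip())
    if not m:
        raise ValueError(
            f"MAX_LOG_LINE_QUOTA must look like <lines>/<seconds>, got {value!r}"
        )
    lines, seconds = int(m.group(1)), int(m.group(2))
    if lines < 1 or seconds < 1:
        raise ValueError("both fields must be positive integers")
    return lines, seconds


def is_valid_quota(value: str) -> bool:
    """Boolean wrapper, handy for validating a value before it goes into a PodSpec."""
    try:
        parse_quota(value)
        return True
    except ValueError:
        return False


class LogThrottle:
    """Illustrative model (assumption): at most max_lines in any trailing interval."""

    def __init__(self, quota: str = "100/10") -> None:
        self.max_lines, self.interval = parse_quota(quota)
        self._stamps = deque()  # timestamps of lines emitted inside the window
        self.dropped = 0

    def allow(self, now: float) -> bool:
        # Expire entries that fall outside the trailing window (now - interval, now].
        while self._stamps and self._stamps[0] <= now - self.interval:
            self._stamps.popleft()
        if len(self._stamps) < self.max_lines:
            self._stamps.append(now)
            return True
        self.dropped += 1
        return False


def simulate(quota: str, timestamps) -> tuple:
    """Feed a constructed sequence of log timestamps; return (emitted, dropped)."""
    throttle = LogThrottle(quota)
    emitted = sum(1 for ts in timestamps if throttle.allow(ts))
    return emitted, throttle.dropped


if __name__ == "__main__":
    # Constructed burst: 150 lines at once, then 5 more a full interval later.
    burst = [0.0] * 150 + [100.0] * 5
    print("100/100 ->", simulate("100/100", burst))  # (105, 50)
    print("100/10  ->", simulate("100/10", burst))   # (105, 50)
```

With the sustained-rate reading the page gives for 100/100 (one line per second averaged over 100 seconds), the model shows the trade-off: a longer interval tolerates a bigger single burst, a shorter one smooths output but drops sooner under a spike.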
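The ROX-5062 item above describes a policy regex with OR branches where one branch is a prefix of the other, such as (a|ab), matching the short branch but not the long one. The following is an added illustration of how that class of bug arises in a process-name matcher, written for this page and not taken from StackRox: a regex engine picks the leftmost alternative that succeeds, so a prefix-match followed by a whole-string comparison silently rejects the longer name, whereas anchoring the match to the full string makes the engine backtrack into the longer branch. The function names and the policy pattern "cron|crontab" are constructed for the example.

```python
import re


def naive_match(pattern: str, process_name: str) -> bool:
    """Buggy style: match from the start, then require the match to cover the name.

    re.match returns the first alternative that succeeds, so for "cron|crontab"
    against "crontab" it returns "cron", and the equality check fails.
    """
    m = re.match(pattern, process_name)
    return m is not None and m.group(0) == process_name


def fixed_match(pattern: str, process_name: str) -> bool:
    """Corrected style: anchor to the whole string so the engine backtracks
    into the longer alternative when the shorter one does not reach the end."""
    return re.fullmatch(pattern, process_name) is not None


def evaluate_policy(pattern: str, observed_processes) -> dict:
    """Return {process_name: (naive_result, fixed_result)} for a constructed event list."""
    return {
        name: (naive_match(pattern, name), fixed_match(pattern, name))
        for name in observed_processes
    }


if __name__ == "__main__":
    # Constructed process events; "crontab" is the one the buggy matcher misses.
    for name, (naive, fixed) in evaluate_policy("cron|crontab", ["cron", "crontab", "crond"]).items():
        print(f"{name:8} naive={naive!s:5} fixed={fixed!s:5}")
```

The takeaway for rule authors is to test each alternative of a detection regex independently, including the longest one, because a prefix branch can mask the others without raising any error.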

Important system changes

StackRox portal

  • We’ve replaced some inconsistent term usage for Amazon S3 and Amazon ECR with their official product names in the Platform Configuration > Integrations view.
  • We’ve fixed tables in different views so that long descriptions (or names) don’t overlap with other columns.
  • We’ve updated the registry integration view so that you don’t have to re-enter credentials every time you make changes to existing integrations.
  • We’ve improved input validation in the Portal when you are creating a new role.

API

We’ve added the following new endpoints for sharing security policies.

  • /v1/policies/export, which accepts a list of policy IDs and returns a list of JSON policies.
  • /v1/policies/import, which accepts a JSON list of policies, imports them into the StackRox Kubernetes Security Platform, and returns success or failure details for every policy.

Sensor

  • We’ve increased resource requests and limits in new Sensor deployments:
    • Sensor now requests 1 CPU core and 1GiB of RAM.
    • Sensor is now limited to 2 CPU cores and 4GiB of RAM.

Security updates

Updated in version 3.0.44.0

We’ve updated the base image for Collector and made some other changes to reduce the number of CVEs affecting the Collector image. It still has a few CVEs left which aren’t fixable because there is no new version available. We’ve determined that the unfixable CVEs don’t affect Collector in its deployed configuration. The Collector image version with this change is 3.0.14-latest.

Updated in version 3.0.44.1

Release date: June 10, 2020

We’ve updated dependencies in the Collector image to resolve new fixable CVEs. The Collector image version with this change is 3.0.15-latest.

Documentation changes

Change | Pages | Description
New topic | Share security policies | Learn how to share your security policies between Central instances.
New topic | Configure Google Cloud Identity-Aware Proxy (IAP) as an Identity Provider | Use Google Cloud IAP for identity management with StackRox.
New topic | Uninstall the StackRox Kubernetes Security Platform | Added instructions for completely uninstalling each component of the StackRox Kubernetes Security Platform.
Update | Upload support packages to Central | Added information about the order in which Collector checks for new probes and about mutable image tags.

Questions?

We're happy to help! Reach out to us to discuss questions, issues, or feature requests.
