The StackRox Kubernetes Security Platform version 3.0.45 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.
Release date: June 24, 2020
You can now use the
NOT Boolean operators to combine the
policy criteria to create highly specific security policies. It allows you to
narrow down your matches to discover the precise image contents, deployment configurations, or runtime activities about
which you are concerned. See Create custom policies
for more information.
While evaluating risks in your deployments in the Risk view, you can now create new security policies based on the local page filtering criteria you are using. See the Create policy from Risk view section for more information.
We’ve added support for taking environment-wide backups of the StackRox Kubernetes Security Platform on Google Cloud Storage (GCS). You can schedule daily or weekly backups and do manual on-demand backups. See Integrate with Google Cloud Storage for more details.
- ROX-5152: Previously, if you were using the admission controller, the StackRox Kubernetes Security Platform would still block policy violations for snoozed CVEs. We’ve fixed this issue.
- ROX-5100: Previously, if you were using offline mode, the StackRox Kubernetes Security Platform would still attempt to find cluster metadata using DNS lookup. We’ve fixed this issue.
- ROX-5085: Previously, the StackRox Kubernetes Security Platform wouldn’t trigger process
violations for security policies that use the
Process Ancestorpolicy criteria. We’ve fixed this issue.
- ROX-5082: Previously, the backups would fail if you were using Google Cloud Storage (GCS) for storing backups of the StackRox Kubernetes Security Platform, by using the integration with Amazon S3. We’ve fixed this issue by adding a new native integration with GCS.
- ROX-5000: Previously, the StackRox portal would take long time to display CVEs in the Vulnerability Management view. We’ve fixed this issue.
- ROX-4987: We’ve fixed an issue with the Scanner where it would fail to scan images and would log the error message “Could not complete operation in a failed transaction”.
- ROX-4982: Previously, when you exported security policies the generated JSON file would include some fields that the StackRox Kubernetes Security Platform uses internally. We’ve fixed this issue and the exported policies don’t include internal field values anymore.
- ROX-4978: Previously, while editing an already integrated authentication provider, if you encountered a validation error, the StackRox Kubernetes Security Platform would delete the authentication provider. This issue is now fixed.
- ROX-4926: Previously, when editing an existing integration with an image registry, the StackRox portal would show a success message when you selected Test, but fail to save changes when you selected Create. We’ve fixed this issue.
- ROX-4856: Previously, the Secrets Most Used Across Deployments widget on the Configuration Management view would incorrectly report that certain secrets were being used in every deployment. This issue is now fixed.
- ROX-4020: Previously, in the Configuration Management view, the StackRox Kubernetes Security Platform only accounted for secrets that were mounted by using volume mounts. The StackRox Kubernetes Security Platform now also reports secrets mounted by using environment variables.
- ROX-3981: Previously, the Drop Capabilities policy criterion matched the deployments that dropped the specified capability. We’ve fixed it to match the deployments that didn’t drop the required capability.
Release date: July 1, 2020
- ROX-5196: Before version 188.8.131.52, if you set
.*as the value for the
Fixed Bypolicy attribute, the policy only matched fixable CVEs. In version 184.108.40.206, the same policy matches all CVEs. We’ve restored the previous behavior in version 220.127.116.11, and we’ll release a further fix in version 18.104.22.168.
- ROX-5198: Previously, Scanner couldn’t connect to its database in
clusters running IPv6, causing scans to fail. We’ve fixed Scanner’s
configuration to handle IPv6 clusters.
This fix is included in version
2.2.12and later of the Scanner and Scanner DB images.
- The default policies which we’ve excluded for the
kube-systemnamespace are now also excluded for the
- We’ve added a
CVE typefield, which allows you to differentiate clearly between Image CVEs, Kubernetes CVEs, and Istio CVEs.
- We’ve added support for connecting Sensor to Central by using non-gRPC capable Load Balancers. See the Install a Sensor and generate a sensor deployment YAML file sections for details.
- In the Vulnerability Management view, we’ve moved the Images option from Application & Infrastructure > Images to the Vulnerability Management view header. Now to view images in your environment, you can directly select Images on the Vulnerability Management view header.
- We’ve added the TLS Certificate Validation (Insecure) toggle for Anchore Scanner, CoreOS Clair (scanner), JFrog Artifactory (registry), and Quay.io (registry and scanner). To view the changes, navigate to the Platform Configuration > Integrations > New Integration view.
- We’ve added the ability to make secret creation for the sensor, collector, and admission controller optional when deploying using Helm charts.
- We’ve added support for offline mode for Helm charts.
- We’ve added a default integration for the public Microsoft Container Registry
We’ve updated the
policy API object to add the support for logical operators
in security policies. The StackRox Kubernetes Security Platform still accepts old
object in the API and automatically converts it to the new format.
If you have policies that you’ve saved outside of the StackRox Kubernetes Security Platform, you can convert them to the new format by importing them into the StackRox Kubernetes Security Platform then exporting them back. For more details, see Share security policies.
To verify if your policies are in the new format, check the existence of
"policyVersion": "1" in your policy object. If it’s present, it means that
the policies are in the new format.
In this release, we’ve clarified usage text for commands throughout the
We’ll update the available options for the
roxctl sensor generate k8s
command, in the StackRox Kubernetes Security Platform version 3.0.47. We’ll:
- Rename the
- Change the default value for the
- Change the default
- Deprecate (and later remove) the
- Rename the
- Rename the
- Remove the deprecated
We’ve updated dependencies in the Red Hat Universal Base Image-based
Collector and Scanner images to resolve fixable CVEs from RHSA-2020:2637.
These updates are included in version
3.0.16-latest and later of the Collector image,
2.2.11 and later of the Scanner image.
|Main||It includes Central, Sensor, Admission Controller, and Compliance. It also includes ||stackrox.io/main:22.214.171.124|
|Scanner DB||Stores image scan results and vulnerability definitions.||stackrox.io/scanner-db:2.2.12|
|Collector||Collects runtime activity in Kubernetes or OpenShift clusters.||collector.stackrox.io/collector:3.0.16-latest|
|Update||Integrate with Google Cloud Storage||Learn how to integrate with Google Cloud Storage and create environment-wide backups.|
|Update||Create custom policies||Updated the Policy criteria section to include details about using the logical operators in security policies.|
|New section||Add logical conditions||Added a new section to describe how to use the new drag-and-drop panel to add logical conditions for the policy criteria. (Updated in version 126.96.36.199.)|
|Update||Resource requirements||Updated resource requirements for Sensor for the StackRox Kubernetes Security Platform 3.0.44 and newer.|
|Update||Resource requirements||Updated resource requirements for Admission Controller for the StackRox Kubernetes Security Platform 3.0.41 and newer.|
|Update||Supported platforms||Added a note that we don’t support older CPUs that don’t have the Streaming SIMD Extensions (SSE) 4.2 instruction set.|
|New section||Create policy from Risk view||Added a new section about creating new security policies based on the local page filtering criteria from the Risk view.|
We're happy to help! Reach out to us to discuss questions, issues, or feature requests.