Release notes: 3.0.45

Find out what's new in version 3.0.45.


The StackRox Kubernetes Security Platform version 3.0.45 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: June 24, 2020

New features

Support for logical operators in security policies

You can now use the AND, OR, and NOT Boolean operators to combine policy criteria into highly specific security policies. This lets you narrow matches to the precise image contents, deployment configurations, or runtime activities you are concerned about. See Create custom policies for more information.

Create policy from Risk view

While evaluating risks in your deployments in the Risk view, you can now create new security policies based on the local page filtering criteria you are using. See the Create policy from Risk view section for more information.

Enable data backups on Google Cloud Storage

We’ve added support for taking environment-wide backups of the StackRox Kubernetes Security Platform on Google Cloud Storage (GCS). You can schedule daily or weekly backups and do manual on-demand backups. See Integrate with Google Cloud Storage for more details.

Important bug fixes

Resolved in version 3.0.45.0

  • ROX-5152: Previously, if you were using the admission controller, the StackRox Kubernetes Security Platform would still block policy violations for snoozed CVEs. We’ve fixed this issue.
  • ROX-5100: Previously, if you were using offline mode, the StackRox Kubernetes Security Platform would still attempt to find cluster metadata using DNS lookup. We’ve fixed this issue.
  • ROX-5085: Previously, the StackRox Kubernetes Security Platform wouldn’t trigger process violations for security policies that use the Process Ancestor policy criteria. We’ve fixed this issue.
  • ROX-5082: Previously, backups to Google Cloud Storage (GCS) configured through the Amazon S3 integration would fail. We’ve fixed this issue by adding a native GCS integration; use it, rather than the S3 integration, for GCS backups.
  • ROX-5000: Previously, the StackRox portal would take a long time to display CVEs in the Vulnerability Management view. We’ve fixed this issue.
  • ROX-4987: We’ve fixed an issue with the Scanner where it would fail to scan images and would log the error message “Could not complete operation in a failed transaction”.
  • ROX-4982: Previously, when you exported security policies the generated JSON file would include some fields that the StackRox Kubernetes Security Platform uses internally. We’ve fixed this issue and the exported policies don’t include internal field values anymore.
  • ROX-4978: Previously, while editing an already integrated authentication provider, if you encountered a validation error, the StackRox Kubernetes Security Platform would delete the authentication provider. This issue is now fixed.
  • ROX-4926: Previously, when editing an existing integration with an image registry, the StackRox portal would show a success message when you selected Test, but fail to save changes when you selected Create. We’ve fixed this issue.
  • ROX-4856: Previously, the Secrets Most Used Across Deployments widget on the Configuration Management view would incorrectly report that certain secrets were being used in every deployment. This issue is now fixed.
  • ROX-4020: Previously, in the Configuration Management view, the StackRox Kubernetes Security Platform only accounted for secrets that were mounted by using volume mounts. The StackRox Kubernetes Security Platform now also reports secrets mounted by using environment variables.
  • ROX-3981: Previously, the Drop Capabilities policy criterion matched deployments that dropped the specified capability, the opposite of its intent. It now matches deployments that do not drop the required capability.
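
Two of the fixes above, ROX-4020 (secrets reached through environment variables as well as volume mounts) and ROX-3981 (the corrected Drop Capabilities semantics), are easier to reason about with the checks spelled out over a pod spec. The code below is an added example, not StackRox code, and the pod spec it evaluates is constructed; the treatment of drop: [ALL] and of a capability re-added after a drop is an assumption about the evaluator, not something the release note states.

```python
"""Two of the 3.0.45.0 deployment-check fixes, re-implemented over Kubernetes
pod specs: secrets reached through volumes AND environment variables
(ROX-4020), and Drop Capabilities in its corrected sense (ROX-3981).
Added example, not StackRox code. The pod spec below is constructed."""


def secrets_used(pod_spec, include_env=True):
    """Return the set of Secret names a pod spec references.

    include_env=False reproduces the pre-fix view (volume mounts only);
    the default also walks env valueFrom.secretKeyRef and envFrom.secretRef
    on init and regular containers, which is where the fix adds coverage.
    """
    names = set()
    for vol in pod_spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
        # a projected volume can carry Secret sources too; still a volume mount
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                names.add(src["secret"]["name"])
    if not include_env:
        return names
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        for env in c.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                names.add(ef["secretRef"]["name"])
    return names


def containers_not_dropping(pod_spec, capability):
    """Corrected Drop Capabilities semantics: containers that do NOT drop
    `capability`. Assumptions about the evaluator (not stated on the page):
    drop: [ALL] counts as dropping every capability, and an explicit add of
    the same capability re-grants it, so it counts as not dropped."""
    cap = capability.upper()
    offenders = []
    for c in pod_spec.get("containers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        dropped = {d.upper() for d in caps.get("drop", [])}
        added = {a.upper() for a in caps.get("add", [])}
        drops_it = (cap in dropped or "ALL" in dropped) and cap not in added
        if not drops_it:
            offenders.append(c["name"])
    return offenders


def containers_dropping(pod_spec, capability):
    """The inverted pre-fix behaviour, kept only to make the difference visible."""
    all_names = {c["name"] for c in pod_spec.get("containers", [])}
    return sorted(all_names - set(containers_not_dropping(pod_spec, capability)))


SAMPLE_POD = {  # constructed pod spec, not a real workload
    "volumes": [
        {"name": "tls", "secret": {"secretName": "web-tls"}},
        {"name": "keys", "projected": {"sources": [{"secret": {"name": "signing-key"}}]}},
    ],
    "initContainers": [
        {"name": "migrate",
         "env": [{"name": "MIGRATE_PW",
                  "valueFrom": {"secretKeyRef": {"name": "migrate-creds", "key": "pw"}}}]},
    ],
    "containers": [
        {"name": "web",
         "env": [{"name": "DB_PASS",
                  "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
         "envFrom": [{"secretRef": {"name": "api-keys"}}],
         "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
        {"name": "sidecar",
         "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]}}},
        {"name": "debug"},
    ],
}

if __name__ == "__main__":
    print("volume-only (pre-fix):", sorted(secrets_used(SAMPLE_POD, include_env=False)))
    print("volumes + env (fixed): ", sorted(secrets_used(SAMPLE_POD)))
    print("fails to drop NET_RAW: ", containers_not_dropping(SAMPLE_POD, "NET_RAW"))
    print("pre-fix match (drops): ", containers_dropping(SAMPLE_POD, "NET_RAW"))
```

Run as a script it prints the two views side by side: the pre-fix secret report misses three of the five Secrets the pod actually reaches, and the pre-fix Drop Capabilities match would have flagged the two hardened containers while leaving the unconfigured one alone.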

Resolved in version 3.0.45.1

Release date: July 1, 2020

  • ROX-5196: Before version 3.0.45.0, if you set .* as the value for the Fixed By policy attribute, the policy only matched fixable CVEs. In version 3.0.45.0, the same policy matches all CVEs. We’ve restored the previous behavior in version 3.0.45.1, and we’ll release a further fix in version 3.0.46.0.
  • ROX-5198: Previously, Scanner couldn’t connect to its database in clusters running IPv6, causing scans to fail. We’ve fixed Scanner’s configuration to handle IPv6 clusters. This fix is included in version 2.2.12 and later of the Scanner and Scanner DB images.

Important system changes

  • Default policies that previously excluded the kube-system namespace now also exclude the istio-system namespace.
  • We’ve added a CVE type field, which allows you to differentiate clearly between Image CVEs, Kubernetes CVEs, and Istio CVEs.
  • We’ve added support for connecting Sensor to Central through load balancers that do not support gRPC. See the Install a Sensor and generate a sensor deployment YAML file sections for details.

StackRox Portal

  • In the Vulnerability Management view, we’ve moved the Images option from Application & Infrastructure > Images to the Vulnerability Management view header. Now to view images in your environment, you can directly select Images on the Vulnerability Management view header.
  • We’ve added the TLS Certificate Validation (Insecure) toggle for Anchore Scanner, CoreOS Clair (scanner), JFrog Artifactory (registry), and Quay.io (registry and scanner). Enabling it disables certificate verification for that integration, so the connection is open to interception; reserve it for test environments and prefer trusting the endpoint’s CA in production. To view the changes, navigate to the Platform Configuration > Integrations > New Integration view.

Helm charts

  • We’ve added the ability to make secret creation for the sensor, collector, and admission controller optional when deploying using Helm charts.
  • We’ve added support for offline mode for Helm charts.

Integrate with public Microsoft Container Registry

  • We’ve added a default integration for the public Microsoft Container Registry (mcr.microsoft.com).

API

We’ve updated the policy API object to support logical operators in security policies. The StackRox Kubernetes Security Platform still accepts the old policy object format in the API and automatically converts it to the new format.

If you have policies that you’ve saved outside of the StackRox Kubernetes Security Platform, you can convert them to the new format by importing them into the StackRox Kubernetes Security Platform then exporting them back. For more details, see Share security policies.

To verify that your policies are in the new format, check whether the policy object contains "policyVersion": "1". If it does, the policy is in the new format.
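
To turn the policyVersion check into something you can run over a directory of exported policies, and to see what the new logical-operator structure looks like once a policy has been round-tripped, here is an added example (not StackRox code). The page confirms only the "policyVersion": "1" marker; the export wrapper ({"policies": [...]}) and the section/group field names (policySections, policyGroups, fieldName, booleanOperator, negate, values) are assumptions about the exported schema, and the sample export is constructed.

```python
"""Classify exported StackRox policy files as new (3.0.45) or legacy format
and render new-format criteria as boolean expressions. Added example, not
StackRox code. Confirmed by the page: a converted policy carries
"policyVersion": "1". Assumptions: an export is either one policy object or
a {"policies": [...]} wrapper, and new-format criteria live in
policySections -> policyGroups with fieldName, booleanOperator, negate and
values; adjust those names against your own export if they differ."""
import json

NEW_FORMAT_VERSION = "1"


def policy_objects(doc):
    """Return the list of policy dicts in a parsed export (wrapper or single)."""
    if isinstance(doc, dict) and isinstance(doc.get("policies"), list):
        return list(doc["policies"])
    if isinstance(doc, dict):
        return [doc]
    raise ValueError("not a policy document")


def load_policies(export_text):
    """Parse one exported JSON text into its policy dicts."""
    return policy_objects(json.loads(export_text))


def is_new_format(policy):
    """The check the release note describes: policyVersion must be exactly "1"."""
    return policy.get("policyVersion") == NEW_FORMAT_VERSION


def classify(export_text):
    """Return (new_names, legacy_names) for one exported JSON text."""
    new, legacy = [], []
    for p in load_policies(export_text):
        (new if is_new_format(p) else legacy).append(p.get("name", "<unnamed>"))
    return new, legacy


def render_criteria(policy):
    """Render a new-format policy's criteria as one boolean expression.

    Evaluation order assumed here: values inside a group are joined by the
    group's booleanOperator (OR unless AND is set), negate wraps the group in
    NOT, groups in a section are ANDed, and sections are ORed.
    """
    if not is_new_format(policy):
        raise ValueError("legacy policy; import it into Central and export it again")
    sections = []
    for section in policy.get("policySections", []):
        groups = []
        for g in section.get("policyGroups", []):
            op = " %s " % g.get("booleanOperator", "OR")
            terms = ["%s = %s" % (g["fieldName"], v.get("value", ""))
                     for v in g.get("values", [])]
            expr = "(" + op.join(terms) + ")"
            groups.append("NOT " + expr if g.get("negate") else expr)
        sections.append("[" + " AND ".join(groups) + "]")
    return " OR ".join(sections)


SAMPLE_EXPORT = json.dumps({  # constructed export, not a real policy file
    "policies": [
        {"name": "Privileged container with unreleased tag",
         "policyVersion": "1",
         "policySections": [{"sectionName": "Policy Section 1", "policyGroups": [
             {"fieldName": "Privileged Container", "booleanOperator": "OR",
              "negate": False, "values": [{"value": "true"}]},
             {"fieldName": "Image Tag", "booleanOperator": "OR",
              "negate": True, "values": [{"value": "release-.*"}, {"value": "v[0-9]+.*"}]}]}]},
        {"name": "Old-style latest-tag policy",
         "fields": {"imageName": {"tag": "latest"}}},
    ]
})

if __name__ == "__main__":
    new, legacy = classify(SAMPLE_EXPORT)
    print("new format:", new)
    print("legacy (re-import/export to convert):", legacy)
    for p in load_policies(SAMPLE_EXPORT):
        if is_new_format(p):
            print(p["name"], "=>", render_criteria(p))
```

The legacy policy is deliberately not parsed for criteria: rather than guess at the old field layout, the script points you at the round-trip the page recommends (import into Central, export again), after which the same file will pass the policyVersion check and render.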

roxctl CLI

In this release, we’ve clarified usage text for commands throughout the roxctl CLI.

Upcoming changes to roxctl CLI

In StackRox Kubernetes Security Platform version 3.0.47, we’ll update the available options for the roxctl sensor generate k8s command. We’ll:

  1. Rename the --admission-controller option to --create-admission-controller.
  2. Change the default value of the --create-upgrader-sa option to true.
  3. Change the default --collection-method to KERNEL_MODULE.
  4. Deprecate (and later remove) the --runtime option.
  5. Rename the --image option to --main-image-repository.
  6. Rename the --collector-image option to --collector-image-repository.
  7. Remove the deprecated --monitoring-endpoint option.

Security updates

We’ve updated dependencies in the Red Hat Universal Base Image-based Collector and Scanner images to resolve fixable CVEs from RHSA-2020:2637. These updates are included in version 3.0.16-latest and later of the Collector image, and version 2.2.11 and later of the Scanner image.

Image versions

  • Main (stackrox.io/main:3.0.45.1): includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems.
  • Scanner (stackrox.io/scanner:2.2.12): scans images.
  • Scanner DB (stackrox.io/scanner-db:2.2.12): stores image scan results and vulnerability definitions.
  • Collector (collector.stackrox.io/collector:3.0.16-latest): collects runtime activity in Kubernetes or OpenShift clusters.

Documentation changes

  • Updated Integrate with Google Cloud Storage: learn how to integrate with Google Cloud Storage and create environment-wide backups.
  • Updated Create custom policies: the Policy criteria section now includes details about using the logical operators in security policies.
  • New section Add logical conditions: describes how to use the new drag-and-drop panel to add logical conditions for the policy criteria. (Updated in version 3.0.45.1.)
  • Updated Resource requirements: updated resource requirements for Sensor for the StackRox Kubernetes Security Platform 3.0.44 and newer.
  • Updated Resource requirements: updated resource requirements for Admission Controller for the StackRox Kubernetes Security Platform 3.0.41 and newer.
  • Updated Supported platforms: added a note that we don’t support older CPUs that lack the Streaming SIMD Extensions (SSE) 4.2 instruction set.
  • New section Create policy from Risk view: describes creating new security policies based on the local page filtering criteria from the Risk view.


© 2021 StackRox Inc. All rights reserved.