Release notes: 3.0.46

Find out what's new in version 3.0.46.


The StackRox Kubernetes Security Platform version 3.0.46 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: July 15, 2020

New features

Improved event timeline

It’s now easier to view overlapping events in the Event Timeline modal. The StackRox Kubernetes Security Platform now groups overlapping events and shows an event count badge on the group. Click the group to view details for every event in it.

Support for Flatcar Container Linux and Garden Linux

The StackRox Kubernetes Security Platform now supports Flatcar Container Linux and Garden Linux.

Important bug fixes

  • ROX-3023: Previously, in the StackRox portal, you couldn’t disable alert data retention; the retention period had to be at least 1 day. You can now set the retention period to 0 to keep violations and unused images forever.

  • ROX-4002: Previously, StackRox Collector wouldn’t show network connection details and process paths if you were running the StackRox Kubernetes Security Platform on Ubuntu 19.10. We’ve updated the Collector image to fix this issue.

  • ROX-4541: Previously, the docker-auth.sh (Docker authentication helper) and add-cluster.sh (Helm add cluster) scripts ran without checking for the jq binary they depend on. We’ve updated these scripts to verify that the jq binary exists and to run only if it’s present.

  • ROX-4872: Previously, the default Cryptocurrency Mining Process Execution security policy didn’t trigger a violation for the xmr-stak-cpu cryptocurrency mining Docker image. We’ve fixed this issue.

  • ROX-4931: Previously, when you scanned container images based on CentOS 7 or Red Hat Enterprise Linux (RHEL) 7, StackRox Scanner only reported vulnerabilities that had a fix available and silently omitted the rest. We’ve fixed this issue.

    When you scan an image based on CentOS 7 or RHEL 7 in the StackRox Kubernetes Security Platform version 3.0.46.0 or higher, StackRox Scanner therefore returns more vulnerability results than before, including vulnerabilities with no fix available. A policy that only checks severity or CVSS score will now also match those unfixable vulnerabilities, so an enforced policy can start blocking builds or deployments that passed before the upgrade. To avoid disrupting build or deployment pipelines, make sure your enforced policies use the Fixed By policy attribute so they only match fixable vulnerabilities.

  • ROX-5183: Previously, API requests to generate new tokens would sometimes fail with a timeout error. We’ve increased the timeout to 60 seconds to fix this issue.

  • ROX-5193: Previously, StackRox Collector reported errors for missing net/tcp6 files, which don’t exist on hosts without IPv6 support. We’ve updated the internal logic so that it doesn’t report this error when the file isn’t applicable.

  • ROX-5276: In the StackRox Kubernetes Security Platform version 3.0.45, you couldn’t use the Add Selected CVEs to Policy button in the CVEs view to add CVEs to an existing policy. We’ve fixed this issue.
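The ROX-4931 caveat above is easy to underestimate, so here is an added example (not code from StackRox or this release) that models it on a constructed scan result. The scan data, the CVE placeholders (CVE-EXAMPLE-A to E), the severity tier names and the simplified policy representation are all assumptions for illustration; the policy engine and JSON format of the real product are not reproduced. The example shows the same severity-based policy evaluated against Scanner output before and after the fix, and then against the post-fix output with the Fixed By criterion set to .*, which is the configuration the release note recommends.

```python
import re

# Severity tiers ordered from least to most severe (assumed names; the
# page does not list them).
SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "IMPORTANT": 2, "CRITICAL": 3}

# Constructed sample scan of a CentOS 7 based image. The CVE identifiers are
# placeholders, not real vulnerabilities. An empty "fixedBy" means no fixed
# package version is available.
SAMPLE_SCAN = {
    "image": "registry.example.com/app:1.4",
    "components": [
        {"name": "openssl-libs", "version": "1.0.2k-19.el7", "vulns": [
            {"cve": "CVE-EXAMPLE-A", "severity": "IMPORTANT", "fixedBy": "1.0.2k-21.el7"},
            {"cve": "CVE-EXAMPLE-B", "severity": "MODERATE", "fixedBy": ""},
        ]},
        {"name": "glibc", "version": "2.17-307.el7", "vulns": [
            {"cve": "CVE-EXAMPLE-C", "severity": "CRITICAL", "fixedBy": ""},
            {"cve": "CVE-EXAMPLE-D", "severity": "IMPORTANT", "fixedBy": "2.17-317.el7"},
        ]},
        {"name": "bash", "version": "4.2.46-34.el7", "vulns": [
            {"cve": "CVE-EXAMPLE-E", "severity": "LOW", "fixedBy": ""},
        ]},
    ],
}


def scanner_results(scan, include_unfixable):
    """Flatten a scan into (component name, vuln) pairs.

    include_unfixable=False models Scanner before ROX-4931 (CentOS 7 / RHEL 7
    images only reported vulnerabilities with a fix); True models 3.0.46.0+.
    """
    pairs = []
    for comp in scan["components"]:
        for vuln in comp["vulns"]:
            if include_unfixable or vuln["fixedBy"]:
                pairs.append((comp["name"], vuln))
    return pairs


def violating_cves(results, min_severity, fixed_by=None):
    """Simplified policy evaluation: a minimum severity plus an optional
    Fixed By regex. This models the behaviour the release note describes; it
    is not StackRox's policy engine or its policy JSON format.
    """
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for _component, vuln in results:
        if SEVERITY_RANK[vuln["severity"]] < threshold:
            continue
        if fixed_by is not None:
            # The Fixed By criterion only matches vulnerabilities that have a
            # fix, so an empty fixedBy never matches, even against ".*", which
            # as a bare regex would accept the empty string.
            if not vuln["fixedBy"] or not re.fullmatch(fixed_by, vuln["fixedBy"]):
                continue
        hits.append(vuln["cve"])
    return hits


def enforcement_diff(scan, min_severity):
    """What an enforced policy would block before and after the Scanner fix,
    with and without the Fixed By criterion."""
    before = scanner_results(scan, include_unfixable=False)
    after = scanner_results(scan, include_unfixable=True)
    return {
        "before_fix": violating_cves(before, min_severity),
        "after_fix_no_fixed_by": violating_cves(after, min_severity),
        "after_fix_with_fixed_by": violating_cves(after, min_severity, fixed_by=".*"),
    }


if __name__ == "__main__":
    for name, cves in enforcement_diff(SAMPLE_SCAN, "IMPORTANT").items():
        print(f"{name:>24}: {cves}")
```

On this sample, the severity-only policy blocks two CVEs before the fix and three after it, the extra one being an unfixable CRITICAL finding that nobody can patch away; adding Fixed By .* brings the result back to the two fixable CVEs.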

Important system changes

Security policies

  • We’ve renamed the Required Label: Owner and the Required Annotation: Owner security policies to Required Label: Owner/Team and Required Annotation: Owner/Team.
  • The StackRox Central database uses a new format that’s more scalable and performs better. The upgrade includes an automatic migration to the new format. After you upgrade the StackRox Central image to version 3.0.46 or higher, Central may take longer to start up while it finishes the automatic migration.
  • We’ve renamed the port for the scanner-db service from db to tcp-db. Istio infers a port’s protocol from the prefix of its name, so the new name lets Istio select TCP for this port instead of guessing.

StackRox Portal

  • If you are on a view that lists items in a table, for example, the Risk view, and you are on a page number higher than 1, clicking a column heading now sorts the table and takes you back to page number 1. Previously, the view stayed on the later page even after you re-sorted the table.
  • The cluster details in the Platform Configuration > Clusters view now show a message if the secured cluster’s credentials are about to expire.
  • In the Vulnerability Management > Policies view, we’ve updated the Deployment column values to only show the number of deployments for which a policy is failing.

API

We’ve added the following new endpoints:

Verb   Endpoint                               Description
PATCH  /v1/notifiers/{id}                     Modify a specific notifier.
POST   /v1/notifiers/test/updated             Check if a notifier is correctly configured.
PATCH  /v1/scopedaccessctrl/config/{id}       Modify a specific scoped access control plugin.
POST   /v1/scopedaccessctrl/test/updated      Check if a specific scoped access control plugin is correctly configured.
PATCH  /v1/externalbackups/{id}               Modify a specific external backup.
POST   /v1/externalbackups/test/updated       Check if a specific external backup is correctly configured.

For more information, see the Use the API topic.
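The new endpoints pair each PATCH with a test/updated check, which makes a test-then-save flow possible: validate the modified configuration (including any credential or webhook URL it carries) and only then persist it, so a mistake never replaces a working notifier, access control plugin or backup target. The following added example (not StackRox’s own code or client) implements that flow on top of urllib. The endpoint paths are the ones listed above; the Bearer token header, the request body shape and the names central_sender, update_validated and scripted_sender are assumptions for illustration, and scripted_sender is an offline stand-in so the flow runs without a Central instance.

```python
import json
import urllib.error
import urllib.request

# Test endpoint and PATCH endpoint for each object type, as listed in the
# release note. "{id}" is filled in with the object's ID.
ENDPOINTS = {
    "notifier": ("/v1/notifiers/test/updated", "/v1/notifiers/{id}"),
    "scopedaccessctrl": ("/v1/scopedaccessctrl/test/updated",
                         "/v1/scopedaccessctrl/config/{id}"),
    "externalbackup": ("/v1/externalbackups/test/updated",
                       "/v1/externalbackups/{id}"),
}


def _decode(raw):
    """Decode a JSON response body, keeping non-JSON error text readable."""
    try:
        return json.loads(raw) if raw else {}
    except ValueError:
        return {"raw": raw.decode(errors="replace")}


def central_sender(central_address, api_token):
    """Build send(method, path, body) -> (status, decoded body) against Central.

    Assumed, not stated on the page: the API token is sent as a Bearer header
    and request bodies are JSON.
    """
    def send(method, path, body):
        req = urllib.request.Request(
            f"https://{central_address}{path}",
            data=json.dumps(body).encode(),
            method=method,
            headers={"Authorization": f"Bearer {api_token}",
                     "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                return resp.status, _decode(resp.read())
        except urllib.error.HTTPError as err:
            return err.code, _decode(err.read())
    return send


def update_validated(send, kind, object_id, body):
    """POST the updated configuration to the test endpoint first and PATCH it
    only if Central accepts it. Returns which stage the flow reached."""
    test_path, patch_path = ENDPOINTS[kind]
    status, detail = send("POST", test_path, body)
    if status != 200:
        return {"saved": False, "stage": "test", "status": status, "detail": detail}
    status, detail = send("PATCH", patch_path.format(id=object_id), body)
    return {"saved": status == 200, "stage": "patch", "status": status, "detail": detail}


def scripted_sender(test_status, patch_status=200):
    """Offline stand-in for central_sender that returns scripted statuses and
    records every call, so the flow can be exercised without a Central."""
    calls = []

    def send(method, path, body):
        calls.append((method, path))
        status = test_status if path.endswith("/test/updated") else patch_status
        return status, {}

    send.calls = calls
    return send


if __name__ == "__main__":
    # Body shape is an assumption; take the object from your own export.
    body = {"notifier": {"name": "slack-secops", "type": "slack"}}
    ok = scripted_sender(test_status=200)
    print(update_validated(ok, "notifier", "example-id", body), ok.calls)
    bad = scripted_sender(test_status=400)
    print(update_validated(bad, "notifier", "example-id", body), bad.calls)
```

With a real Central, replace the scripted sender with central_sender("central.example.com:443", token); the flow is the same, and a failed test stage leaves the stored object untouched.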

Upcoming changes

Security policies

  • We’ll deprecate the Required Label: Email and Required Annotation: Email security policies in the StackRox Kubernetes Security Platform version 3.0.48. If you use these policies, we recommend switching to the Required Label: Owner/Team and Required Annotation: Owner/Team policies instead.
  • In the StackRox Kubernetes Security Platform version 3.0.45.1, we restored the previous behavior of .* values for the Fixed By policy attribute. The further fix for this issue, previously scheduled for version 3.0.46.0, is now delayed to a later release.

roxctl CLI

We’ll update the available options for the roxctl sensor generate k8s command in the StackRox Kubernetes Security Platform version 3.0.47. We’ll:

  1. Rename the admission-controller option to create-admission-controller.
  2. Change the default value for the create-upgrader-sa option to true.
  3. Deprecate (and later remove) the runtime option.
  4. Rename the image option to main-image-repository.
  5. Rename the collector-image option to collector-image-repository.
  6. Remove the deprecated monitoring-endpoint option.

The previously announced change to the default behavior of the collection-method parameter is no longer planned.

Security updates

We’ve updated dependencies in the Red Hat Universal Base Image-based Collector image to resolve a fixable CVE from RHSA-2020:2755. The Collector image version 3.0.17-latest includes this update.

Image versions

  • Main: includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems.
    Current version: stackrox.io/main:3.0.46.0
  • Scanner: scans images.
    Current version: stackrox.io/scanner:2.2.12
  • Scanner DB: stores image scan results and vulnerability definitions.
    Current version: stackrox.io/scanner-db:2.2.12
  • Collector: collects runtime activity in Kubernetes or OpenShift clusters.
    Current version: collector.stackrox.io/collector:3.0.17-latest

Documentation changes

  • Update, Create custom policies: added instructions to toggle between logical operators inside a policy section in the Add logical conditions section.
  • New section, Resource requirements: added Admission controller requirements.
  • Update, Manage role-based access control: updated the Resource definitions section to include missing RBAC resources.
  • New topic, Quick Start (Helm): learn how to install the StackRox Kubernetes Security Platform by using Helm charts.
  • New section, Use the roxctl CLI: added a new Install and set up roxctl CLI section with instructions for downloading and setting up the roxctl CLI on Linux and macOS.
  • New topic, Add trusted certificate authorities: learn how to add custom trusted certificate authorities to the StackRox Kubernetes Security Platform.


© 2021 StackRox Inc. All rights reserved.