Release notes: 3.0.47

Find out what's new in version 3.0.47.

The StackRox Kubernetes Security Platform version 3.0.47 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: August 5, 2020

New features

Image operating system information

Image details now include information about the base operating system on which the image is built. We’ve also added an Image OS policy criterion, which you can use to create policies that restrict the use of specific base operating systems for images. For more information, see Identify operating system of the base image.

Re-issue internal certificates

Each component (Central, Scanner, Sensor, Collector, and Admission Controller) of the StackRox Kubernetes Security Platform uses an X.509 certificate to authenticate itself to other components. The StackRox Kubernetes Security Platform now shows a message with options to generate replacement certificates before they expire. See the Re-issue internal certificates topic for more information.

Network graph improvements

The Network Graph view now uses arrows to show the direction of the network traffic between the deployments. When you move your mouse over a deployment, the tooltip shows information about ingress and egress connections, protocols, and port numbers in use for that deployment.

Important bug fixes

  • ROX-3281 and ROX-4751: Previously, the StackRox Kubernetes Security Platform showed incorrect execution file paths for some processes, reporting the container image’s mount path instead of the relative path of the binary. This issue affected hosts running container runtimes built on containerd. We’ve fixed this issue.

  • ROX-5181: Previously, if you were using Scoped Access Control to limit which users could read or write compliance results for clusters, the Compliance view displayed an error after selecting Scan Environment. We’ve resolved this issue by only starting a compliance scan for the clusters you can access.

  • ROX-5233: Previously, when you scanned images by using the roxctl CLI, the scan results also included any snoozed CVEs. We’ve updated the roxctl CLI to fix this issue.

  • ROX-5179: Previously, when you generated compliance reports for a single standard, the generated file (CSV format) included reports for all compliance standards. We’ve resolved this issue.

  • ROX-5208: When you create a policy that includes an Environment variable attribute, you can choose which types of environment variables the policy should match. For example, the environment variable types can be:

    • raw values provided in the deployment YAML references, or
    • values from ConfigMaps, Secrets, fields, resource requests, or limits.

    For environment variables other than the raw value type, the StackRox Kubernetes Security Platform ignores the corresponding Value attribute of the policy rule, so the policy only detects the existence of an environment variable. This behavior wasn’t evident in the previous version. To fix this issue, the StackRox Kubernetes Security Platform now rejects policies with non-empty Value attributes for types other than raw values.

  • ROX-5261: Previously, Collector failed to insert its kernel module on Red Hat Enterprise Linux kernel versions 3.10.0-1127.13.1.el7 and 3.10.0-957.56.1.el7. We’ve updated the build configuration for Collector’s kernel module to resolve this issue.

  • ROX-5341: Previously, if a vulnerability in the National Vulnerability Database (NVD) was updated to remove an affected product, StackRox Scanner didn’t reflect the removal. StackRox Scanner now removes the entry to match the NVD changes.

Resolved in version

Release date: Aug 7, 2020

  • ROX-5381: Previously, automatic upgrades failed on clusters running Kubernetes 1.18 because the upgrader didn’t handle the newly introduced metadata.managedFields Kubernetes field. We’ve fixed this issue. After you upgrade Central to version or higher, automatic upgrades complete successfully.

Resolved in version

Release date: Aug 12, 2020

  • ROX-5385: We’ve fixed an issue where PKI authentication would fail if the authentication provider had multiple trusted root certificates (CA), and one of the trusted root CAs was signed by another trusted root CA’s certificate.

Important system changes

  • Previously, the StackRox Kubernetes Security Platform automatically edited Kubernetes namespace objects to add a label to support network policy generation. To avoid conflicts with Terraform, StackRox Sensor no longer adds this label, which didn’t have a predictable value. Now, Sensor only adds the label.
  • Previously, if you made custom changes to the resource requests or limits on the Sensor and Collector deployments, your changes would be overwritten during automatic upgrades. You can now add the annotation to the Deployment or DaemonSet to preserve your custom requests and limits.

Jenkins plugin

We’ve updated the StackRox Container Image Scanner Jenkins plugin to version 1.2.3, which includes a fix for the following issue:

  • Unbounded memory allocation vulnerability in a dependency (Guava version 19.0).

StackRox portal

We’ve improved the performance of the Configuration Management view in larger environments. All views accessible from the Application and Infrastructure and the RBAC Visibility and Configuration menus in the view header now sort and display data more efficiently.

roxctl CLI

  • You can now save the API token in a file and use the new --token-file option for authentication. For more information, see the Authentication section in the Use the CLI topic.

  • You’ll now see a warning if roxctl uses the default value for the --create-upgrader-sa option. The default value will change in a future release.

  • We’ve added a new default parameter for the --collection-method option.

  • The --help (or -h) option now includes additional reference information about available resources, commands, and their flags.

  • We’ve updated the available options for the roxctl sensor generate k8s command:

    1. Renamed the admission-controller option to create-admission-controller.
    2. Renamed the image option to main-image-repository.
    3. Renamed the collector-image option to collector-image-repository.
    4. Deprecated the runtime option.

    You can still use the renamed options, but we’ll remove them in version 3.0.48 or later.

  • Now the roxctl image scan command doesn’t return image scan results for snoozed CVEs by default. Use the --include-snoozed option to get that information.


  • To fix the issue related to the policies with environment variables (see ROX-5208), we’ve updated the API endpoints to match the StackRox portal’s behavior. It’s a breaking change for the /v1.PolicyService/PostPolicy gRPC method; however, it doesn’t affect any REST API methods.
  • Now the /v1/image/<image-id> endpoint doesn’t return image scan results for snoozed CVEs by default. Use the includeSnoozed query parameter to get that information.

Upcoming changes

roxctl CLI

In the StackRox Kubernetes Security Platform version 3.0.48 or later, we’ll:

  1. Change the default value for the create-upgrader-sa option to true.
  2. Remove the deprecated runtime option.
  3. Remove the deprecated monitoring-endpoint option.
  4. Remove the deprecated admission-controller option, which is replaced by create-admission-controller.
  5. Remove the deprecated image option, which is replaced by main-image-repository.
  6. Remove the deprecated collector-image option, which is replaced by collector-image-repository.
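
A check for CI scripts that covers the option renames and the planned removals listed above, as an added example (not StackRox code): it reports deprecated options on roxctl sensor generate command lines before the removal breaks a pipeline. It assumes the options are typed in long form with a leading --, that monitoring-endpoint belongs to the same command, and it runs on a constructed sample script.

```python
import re

# Deprecated option -> replacement named in the release notes (None = no
# replacement named). The "--" long-flag spelling is an assumption.
DEPRECATED = {
    "--admission-controller": "--create-admission-controller",
    "--image": "--main-image-repository",
    "--collector-image": "--collector-image-repository",
    "--runtime": None,
    "--monitoring-endpoint": None,  # assumed to be a sensor generate option
}

# Whole flag tokens only, so "--collector-image" is not reported when the
# script already uses "--collector-image-repository".
FLAG = re.compile(r"(?<!\S)(--[a-z][a-z-]*)(?==|\s|$)")
# Only sensor generate lines: "--image" is still valid for "roxctl image scan".
SENSOR_GENERATE = re.compile(r"\broxctl\b.*\bsensor\s+generate\b")


def logical_lines(text):
    """Yield (first_line_number, command) with backslash continuations joined."""
    buf, start = "", None
    for number, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf


def find_deprecated(text):
    """Return (line, deprecated_flag, replacement_or_None) for each finding."""
    findings = []
    for number, command in logical_lines(text):
        if not SENSOR_GENERATE.search(command):
            continue
        for flag in FLAG.findall(command):
            if flag in DEPRECATED:
                findings.append((number, flag, DEPRECATED[flag]))
    return findings


# Constructed sample pipeline script (names and values are placeholders).
SAMPLE = """\
# constructed CI script
roxctl sensor generate k8s --name prod \\
  --image registry.example.com/main --admission-controller=true
roxctl image scan --image nginx:1.19
roxctl sensor generate k8s --name dev --collector-image-repository registry.example.com/collector --runtime docker
"""

if __name__ == "__main__":
    for number, flag, new in find_deprecated(SAMPLE):
        print(f"line {number}: {flag} is deprecated" + (f", use {new}" if new else ""))
```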

Security updates

We’ve updated dependencies in the Collector image to resolve fixable CVEs including CVE-2020-16135 and CVE-2020-15358. The Collector image version 3.0.18-latest includes this update.

Image versions

Image | Description | Current version
Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration |
Scanner DB | Stores image scan results and vulnerability |
Collector | Collects runtime activity in Kubernetes or OpenShift |

Documentation changes

New topic | Re-issue internal certificates | Learn how to issue new certificates to the components of the StackRox Kubernetes Security Platform.
New section | Manage vulnerabilities | Added Identify operating system of the base image section.
Update | Create custom policies | Updated the Policy criteria section to include Image OS.
Update | Use the roxctl CLI | Updated the Authentication section to include instructions about the new --token-file option.


