Release notes: 3.0.48

Find out what's new in version 3.0.48.


The StackRox Kubernetes Security Platform version 3.0.48 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: August 26, 2020

New features

Sensor and Collector health

The Platform Configuration > Clusters view now shows more system health information for Sensor and Collector, including:

  • the status of each Sensor’s connection to Central, and
  • the number of actively running Collector pods compared with the number of desired pods and the number of nodes registered with Kubernetes.

We’ve also added a Cloud Provider column to the view, which lets you see where your clusters are deployed.

Slimmer Collector image

We’ve added a new slim version of the Collector image to save disk space and bandwidth. This version doesn’t include any built-in kernel probes, so it’s much smaller than the standard image. To use the slim image, you must either:

The StackRox Kubernetes Security Platform uses the slim image by default for new clusters if these conditions are met. To use slim images in an existing cluster, navigate to the Platform Configuration > Clusters view and turn on the Enable Slim Collector Mode toggle.

Network graph improvements

The Network Graph view now shows more information about active and allowed ports and traffic directions between deployments. To see the new data, hover over a node or edge, or select a node to open the side panel. When you generate new network policies, you can now toggle the Exclude ports & protocols option to choose whether to generate policies that only allow traffic on specific ports.

Important bug fixes

  • ROX-4314: Previously, the remediation text for the built-in Ubuntu Package Manager Execution and Ubuntu Package Manager in Image policies included a command that didn’t remove dpkg. We’ve fixed this issue by updating the command to remove both dpkg and apt.
  • ROX-4828: Previously, compliance checks reported that Kubernetes Role-Based Access Control (RBAC) was disabled if the StackRox Kubernetes Security Platform couldn’t find the Kubernetes API server process command line. We’ve fixed this issue to better support managed services and situations where Collector isn’t deployed in the control plane.
  • ROX-4979: Previously, the StackRox Kubernetes Security Platform would sometimes trigger incorrect alerts for the Process with UID 0 policy if processes changed their identity by using specific system calls. We’ve fixed this issue.
  • ROX-5394: We’ve fixed an issue where Scanner could fail to scan an image and log the database error "resource cannot be found" with the description "searchFeatureVersion". This error was only triggered when two Scanner replicas tried to add the same feature version at the same time.
  • ROX-5402: Previously, in the Violations view, the Deployment tab didn’t show any information for Resources, Volumes, and Secrets under the Container configuration section. The portal now shows this information while the deployment is still active, and shows an informational message after the deployment is deleted.

Resolved in version 3.0.48.1

Release date: Sep 4, 2020

  • ROX-5522: In the StackRox Kubernetes Security Platform version 3.0.48.0, we changed the LANGUAGE_VULNS environment variable name to ROX_LANGUAGE_VULNS for consistency. This environment variable allows you to disable language vulnerability scanning. For backwards compatibility, we’ve added the LANGUAGE_VULNS environment variable again. You can now use either one of these variables to disable language-specific vulnerability scanning.

Important system changes

API

In the /v1/clusters API response, we’ve added a healthStatus.lastContact field showing the last time the cluster’s Sensor contacted Central.

Image scanning

When attempting to scan an image, the StackRox Kubernetes Security Platform now shows more specific error messages under any of the following conditions:

  • no registries integrated
  • no matching registry integrations found
  • no scanners integrated

Feature names

In this release, we’ve renamed features in the portal to use more inclusive terms. Specifically:

  • Process whitelists are now called Process baselines.
  • The Whitelist by Scope option for policies is now called Exclude by Scope.
  • The Image Whitelist option in policies is now called Excluded Images.

Existing API methods aren’t affected by this change.

Upcoming changes

roxctl CLI

In the StackRox Kubernetes Security Platform version 3.0.49 or later, we’ll:

  1. Change the default value for the create-upgrader-sa option to true.
  2. Remove the deprecated runtime option.
  3. Remove the deprecated monitoring-endpoint option.
  4. Remove the deprecated admission-controller option, which is replaced by create-admission-controller.
  5. Remove the deprecated image option, which is replaced by main-image-repository.
  6. Remove the deprecated collector-image option, which is replaced by collector-image-repository.
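Pipelines that call roxctl with the deprecated options above will break, or change behavior, when 3.0.49 removes them and flips the create-upgrader-sa default. The following is an added example, not roxctl’s own code: a pre-upgrade check that lists the deprecated options found in a stored command line, rewrites the three that have direct replacements, and warns when create-upgrader-sa is not set explicitly (relying on today’s default of false will silently change). The sample command line is constructed for this example; the roxctl sensor generate k8s subcommand and the --flag value / --flag=value spellings are assumptions, not taken from the page.

```python
"""Added example (not roxctl's own code): find and rewrite deprecated roxctl
options ahead of the 3.0.49 removals listed in the release notes.

The subcommand in SAMPLE_COMMAND and the option spellings are assumptions
made for this example.
"""
import shlex

# Deprecated option -> replacement; None means the option is removed outright.
DEPRECATED_OPTIONS = {
    "runtime": None,
    "monitoring-endpoint": None,
    "admission-controller": "create-admission-controller",
    "image": "main-image-repository",
    "collector-image": "collector-image-repository",
}

# Option whose default value changes in 3.0.49 (false -> true).
DEFAULT_CHANGES = {"create-upgrader-sa": "true"}

# Constructed sample: an old CI invocation still using the deprecated spellings.
SAMPLE_COMMAND = (
    "roxctl sensor generate k8s --name prod --admission-controller=true "
    "--image stackrox.io/main --collector-image collector.stackrox.io/collector "
    "--runtime --monitoring-endpoint central.example.com:443"
)


def option_name(token):
    """Return the long-option name of a '--flag' or '--flag=value' token, else None."""
    if not token.startswith("--"):
        return None
    return token[2:].split("=", 1)[0]


def find_deprecated(command):
    """List (option, replacement) pairs for deprecated options present in command."""
    found = []
    for token in shlex.split(command):
        name = option_name(token)
        if name in DEPRECATED_OPTIONS:
            found.append((name, DEPRECATED_OPTIONS[name]))
    return found


def default_change_warnings(command):
    """Warn about options whose default flips in 3.0.49 but are not set explicitly."""
    present = {option_name(t) for t in shlex.split(command)}
    return [
        f"--{opt} will default to {new} in 3.0.49; pass it explicitly to keep current behavior"
        for opt, new in DEFAULT_CHANGES.items()
        if opt not in present
    ]


def rewrite(command):
    """Rename options that have replacements, keeping any '=value' suffix.

    Removed options (runtime, monitoring-endpoint) are left in place for a
    human to delete: dropping them silently could change what the command does.
    """
    out = []
    for token in shlex.split(command):
        name = option_name(token)
        replacement = DEPRECATED_OPTIONS.get(name)
        if name in DEPRECATED_OPTIONS and replacement:
            token = "--" + replacement + token[2 + len(name):]
        out.append(token)
    return " ".join(shlex.quote(t) for t in out)


if __name__ == "__main__":
    for option, replacement in find_deprecated(SAMPLE_COMMAND):
        print(f"--{option}: " + (f"use --{replacement}" if replacement else "removed in 3.0.49"))
    for warning in default_change_warnings(SAMPLE_COMMAND):
        print(warning)
    print(rewrite(SAMPLE_COMMAND))
```

Point find_deprecated at the roxctl lines of your CI scripts before upgrading; anything it reports as removed needs a manual decision rather than a mechanical rewrite.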

API

  • In the StackRox Kubernetes Security Platform version 3.0.49, we’ll remove the status.lastContact field from the response of the /v1/clusters endpoint. Use the new healthStatus.lastContact field instead.
  • In the /v1/images/{id} response, the vulns field for each component in the scan object currently includes a discoveredAt field. Starting in the StackRox Kubernetes Security Platform version 3.0.49, we’ll rename this field to firstSystemOccurrence. The field represents the first time the CVE was discovered in any image, not the first time it was seen in this image.
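The healthStatus.lastContact field added to /v1/clusters in this release, and the removal of status.lastContact planned for 3.0.49, are a good reason to stop reading the old field now. The following is an added example, not StackRox’s own code: it reads the new field, falls back to the deprecated one for Sensors that still report only that, and flags clusters whose Sensor has gone quiet. A silent Sensor means no runtime events and no enforcement from that cluster, so it is worth alerting on. The sample response is constructed for this example; the "clusters" list key and the RFC 3339 timestamp format are assumptions about the response shape, not taken from the page.

```python
"""Added example (not StackRox's own code): flag clusters whose Sensor has not
contacted Central recently, using healthStatus.lastContact from /v1/clusters
with a fallback to the deprecated status.lastContact field.

Assumptions not stated on the page: the response is a JSON object with a
"clusters" list, and lastContact is an RFC 3339 timestamp string.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample response, shaped like what /v1/clusters is assumed to return.
SAMPLE_RESPONSE = {
    "clusters": [
        {"name": "prod-east", "healthStatus": {"lastContact": "2020-09-04T10:00:00Z"}},
        {"name": "prod-west", "healthStatus": {"lastContact": "2020-09-04T09:00:00Z"}},
        # Older shape: only the deprecated status.lastContact field is present.
        {"name": "legacy", "status": {"lastContact": "2020-09-04T10:05:00Z"}},
        # Never contacted Central: no timestamp at all.
        {"name": "new-cluster", "healthStatus": {}},
    ]
}


def parse_rfc3339(value):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    # datetime.fromisoformat does not accept a trailing 'Z' before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_contact(cluster):
    """Return the Sensor's last-contact time for one cluster entry.

    Prefers healthStatus.lastContact (added in 3.0.48) and falls back to
    status.lastContact (slated for removal in 3.0.49). Returns None when
    neither is present, which is the case for a Sensor that never checked in.
    """
    for section in ("healthStatus", "status"):
        value = cluster.get(section, {}).get("lastContact")
        if value:
            return parse_rfc3339(value)
    return None


def stale_clusters(response, now, max_age=timedelta(minutes=15)):
    """Return the names of clusters whose Sensor has not contacted Central
    within max_age, or has never contacted it at all."""
    stale = []
    for cluster in response.get("clusters", []):
        seen = last_contact(cluster)
        if seen is None or now - seen > max_age:
            stale.append(cluster["name"])
    return stale


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a deterministic result.
    now = datetime(2020, 9, 4, 10, 10, tzinfo=timezone.utc)
    for name in stale_clusters(SAMPLE_RESPONSE, now):
        print(f"stale sensor: {name}")
```

Run against a live Central by replacing SAMPLE_RESPONSE with the parsed body of an authenticated GET to /v1/clusters; the fallback branch can be dropped once every Sensor is on 3.0.48 or later, since 3.0.49 removes the old field entirely.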

Security policies

We’ll deprecate the Required Label: Email and Required Annotation: Email security policies in the StackRox Kubernetes Security Platform version 3.0.49. If you’re using Required Label: Email and Required Annotation: Email security policies, we recommend using the Required Label: Owner/Team and Required Annotation: Owner/Team policies instead.

Image versions

Image | Description | Current version
Main | Includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.48.1
Scanner | Scans images. | stackrox.io/scanner:2.3.3
Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.3.3
Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.0-latest

Documentation changes

Change | Pages | Description
New section | Integrate with image registries | Added instructions for integrating with Amazon Elastic Container Registry (ECR) from a separate Amazon account.
Update | Examine images | Added information about the LANGUAGE_VULNS environment variable.
Update | Use process baselining, and other pages | Renamed Process whitelists to Process baselines.
Update | Manage security policies | Renamed the policy Whitelist by Scope option to Exclude by Scope and Image Whitelist to Excluded Images.
Update | Supported platforms | Clarified supported version numbers for Debian, CentOS, and Red Hat Enterprise Linux (RHEL).
Update | Use the roxctl CLI | Clarified the permissions the token needs for checking image scan results.

Questions?

We're happy to help! Reach out to us to discuss questions, issues, or feature requests.

© 2021 StackRox Inc. All rights reserved.