Release notes: 3.0.49

Find out what's new in version 3.0.49.

2 minute read

The StackRox Kubernetes Security Platform version 3.0.49 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: September 16, 2020

New features

Integrate with AWS Security Hub

You can now send alert notifications from the StackRox Kubernetes Security Platform to AWS Security Hub. To get started, see Integrate with AWS Security Hub.

Admission controller support for OpenShift

The StackRox Kubernetes Security Platform now supports OpenShift Admission plug-ins. The StackRox admission controller prevents users from creating workloads that violate policies you configure in the StackRox Kubernetes Security Platform. See Enable admission controller enforcement for details.

Cluster details panel improvements

We’ve streamlined the Cluster details panel in the Platform Configuration > Clusters view. It now includes a new Cluster Summary section for all existing clusters and provides constant visibility into the state of your Cluster, Sensor, and Collector.

Important bug fixes

  • ROX-2780: Previously, when viewing namespaces in the Network Graph view, some deployments only showed up when you hovered your mouse over other deployments. We’ve fixed this issue.
  • ROX-5470: Previously, the Network Graph view showed the message No ports & protocols available for ingress and egress non-isolated deployment nodes. Since these nodes allow any protocol on any port, we’ve updated the message in the StackRox portal to show Any protocol and Any port for such nodes.
  • ROX-5471: Previously, in the Network Graph view, the StackRox portal sometimes didn’t display active connections when viewing all connections. We’ve resolved this issue.
  • ROX-5520: We’ve fixed an issue where the StackRox Kubernetes Security Platform would send duplicate violation notifications to all configured notifiers (if you’ve integrated the StackRox Kubernetes Security Platform with other tools).

Resolved in version 3.0.49.1

Release date: Sep 18, 2020

  • ROX-5634: We’ve fixed an issue where the automatic upgrades to Sensor fail under certain conditions. We’ve fixed this in version 3.0.49.1.

Resolved in version 3.0.49.2

Release date: Sep 25, 2020

  • ROX-5662: We’ve fixed an issue in the Network Graph where the cluster selector displays the incorrect cluster under certain conditions. We’ve fixed this in version 3.0.49.2.

Important system changes

  • You can now enforce policies on the DeploymentConfig resources in OpenShift.
  • When integrating with an OpenID Connect (OIDC) authentication provider, you can now configure the StackRox Kubernetes Security Platform to:

StackRox portal

  • Now when you hover over a node in the Network Graph, you’ll see the ports on which that node is listening.
  • In the Vulnerability Management > Images view, when you select an image, the Scanner details are visible under the Details & Metadata section on the image details panel.

API

  • For the /v1/images/{id} (GetImage) endpoint, we’ve changed the following fields in the response:
    • replaced the scan.components.vulns.discoveredAt field with scan.components.vulns.firstSystemOccurrence. It returns the timestamp for the first time the StackRox Kubernetes Security Platform discovered the CVE in your clusters.
    • added a new field scan.components.vulns.firstImageOccurrence. It returns the timestamp for the first time the StackRox Kubernetes Security Platform discovered the CVE in the corresponding image.
  • We’ve fixed a scrolling issue on the API documentation page where you couldn’t scroll the left-hand side panel (list of endpoints) independently of the main content (endpoints descriptions).
  • We’ve deprecated status.lastContact from the response of the v1/clusters endpoint. Use healthStatus.lastContact instead.

roxctl CLI

  • You can now generate YAML files that support Istio enabled clusters for Central, Scanner, and Sensor by using the --istio-support=<istio version> option. We support Istio version 1.0 to version 1.7. The interactive installation command roxctl central generate interactive also displays prompts to configure Istio enabled clusters.
  • We’ve changed the default value for the --create-upgrader-sa option to true for both the roxctl sensor generate and the roxctl sensor get-bundle commands.
  • We’ve removed the following deprecated options for the roxctl sensor generate command:
    • --admission-controller (use --create-admission-controller instead)
    • --image (use --main-image-repository instead)
    • --collector-image (use --collector-image-repository instead)
    • --runtime (use --collection-method instead)
    • --monitoring-endpoint

Security updates

We’ve updated dependencies in the Scanner image to resolve the following fixable CVEs:

The Scanner image version 2.4.1 includes this update.

Image versions

ImageDescriptionCurrent version
MainIt includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems.stackrox.io/main:3.0.49.2
ScannerScans images.stackrox.io/scanner:2.4.1
Scanner DBStores image scan results and vulnerability definitions.stackrox.io/scanner-db:2.4.1
CollectorCollects runtime activity in Kubernetes or OpenShift clusters.collector.stackrox.io/collector:3.1.1-latest

Documentation changes

ChangePagesDescription
UpdateEnable admission controller enforcementUpdated the content to include information about admission controller enforcement on OpenShift.
New topicIntegrate with AWS Security HubIntegrate StackRox with AWS Security Hub.
UpdateConfigure an OIDC Identity Provider in StackRoxUpdated the Configure StackRox section to include information about the support for skip TLS verification and query strings for the Issuer field.

Questions?

We're happy to help! Reach out to us to discuss questions, issues, or feature requests.

© 2021 StackRox Inc. All rights reserved.