Release notes: 3.0.51

Find out what's new in version 3.0.51.


The StackRox Kubernetes Security Platform version 3.0.51 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: October 28, 2020

New features

Google Artifact Registry integration

The StackRox Kubernetes Security Platform integrates with virtually any image registry. In this version, we’ve added native integrations for improved compatibility with Google Artifact Registry.

StackRox add-on for Splunk

We’ve released a new technology add-on for Splunk that normalizes and pulls vulnerability and compliance-related data into Splunk. You can use it along with your existing Splunk integration. For more details, see Integrate with Splunk.

Important bug fixes

  • ROX-4405: Previously, there was an error in the CIS Kubernetes Compliance check for directory permissions. We’ve fixed this issue.
  • ROX-5369: Previously, if you exported the ROX_API_TOKEN system variable from a Kubernetes secret whose value ended with a newline character, the roxctl CLI commands that require the token would fail. We’ve fixed this issue.
  • ROX-5377: We’ve fixed an incorrect description for the roxctl deployment check command when you run the roxctl help command.
  • ROX-5599 and ROX-5600: Previously, if you had installed the StackRox Kubernetes Security Platform on Google Kubernetes Engine (GKE), the admission controller would sometimes fail if there were connectivity issues with Sensor. This issue happened if you had installed Sensor on preemptible VMs. To fix this issue, we’ve changed the node affinities of Central and Sensor to discourage installation on preemptible VMs and made updates to the admission controller. If Sensor is unavailable, the admission controller now communicates with Central instead of failing.
  • ROX-5628: Previously, automatic upgrades would sometimes fail for Collector on tainted nodes. We’ve fixed this issue by enabling taint tolerations.
  • ROX-5680: Previously, if you were using custom certificates and used the sensor.sh script to deploy a new Sensor, the script wouldn’t apply custom certificates from the sensor/additional-cas/ folder. We’ve resolved this issue.
  • ROX-5736: Previously, there was an error in the CIS Kubernetes Compliance check for PKI key file permissions. We’ve fixed this issue.
  • ROX-5751: Previously, in the Vulnerability Management > Images view, the StackRox portal didn’t reset the displayed page count next to the page filtering bar. We’ve fixed this issue.
  • ROX-5771: Previously, image summary data didn’t correctly load when using Safari. We’ve fixed this issue.
  • ROX-5769: Previously, when creating custom policies, the StackRox portal would incorrectly parse values containing the equal sign (=) as a key-value pair and truncate everything before the equal sign. We’ve fixed this issue.
  • ROX-5785: Previously, Sensor marked completed Kubernetes Jobs as deployments, which resulted in too many deployment objects, thereby affecting performance. We’ve fixed this issue by updating Sensor so that now it marks the completed Jobs as removed.

Resolved in version 3.0.51.1

Release date: Nov 4, 2020

  • ROX-5864: We’ve fixed an issue where viewing deployment details from the Risk view would sometimes crash the StackRox portal page.

Important system changes

Central

You can now use the new ROX_NETWORK_ACCESS_LOG environment variable to log all network requests to Central. When you set its value to true, Central logs include all network requests to Central from both the API and the StackRox portal. The default value for this variable is false. We recommend that you only set the ROX_NETWORK_ACCESS_LOG environment variable to true for debugging network connectivity issues and set it back to false after your investigation.

Policy criteria

We’ve added a new policy criterion called Namespace that evaluates the policy against the provided namespace.

roxctl CLI

You can now use the --force-http1 option with most roxctl commands. When you use this option, roxctl avoids using the HTTP/2 network protocol. Only use this option if you have connectivity issues that you suspect are caused by an ingress or a proxy.

Process timeline

We’ve reordered the columns in the process timeline CSV. They’re now sorted by timestamp. If you are using the process timeline CSV for automation, modify your automated processes accordingly.
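
One way to make automation tolerate this kind of column reordering, shown as an added example that is not StackRox code: read the CSV by header name instead of by column position, and fail loudly when an expected column is missing. The column names and sample rows are constructed for illustration; the release notes do not list the real headers.

```python
import csv
import io

# Hypothetical column names: the release notes do not list the real headers.
REQUIRED = ("Event Timestamp", "Event Type", "Process Name", "Container ID")

# Constructed sample exports: the same two events in the old and new column order.
OLD_ORDER = """Event Type,Process Name,Container ID,Event Timestamp
Process,/bin/sh,c1a2,2020-10-28T10:00:05Z
Process,/usr/bin/curl,c1a2,2020-10-28T10:00:01Z
"""
NEW_ORDER = """Event Timestamp,Event Type,Process Name,Container ID
2020-10-28T10:00:01Z,Process,/usr/bin/curl,c1a2
2020-10-28T10:00:05Z,Process,/bin/sh,c1a2
"""


def load_timeline(text, required=REQUIRED):
    """Parse a timeline CSV by header name, independent of column position."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = [c for c in required if c not in headers]
    if missing:
        # Fail loudly instead of silently reading the wrong column.
        raise ValueError(f"timeline CSV is missing columns: {missing}")
    rows = [{c: row[c] for c in required} for row in reader]
    # Do not depend on the file's row order either; sort explicitly.
    # Same-format UTC ISO 8601 timestamps sort correctly as strings.
    rows.sort(key=lambda r: r["Event Timestamp"])
    return rows


def positional_process_names(text, index=1):
    """The fragile pattern: select a column by fixed position."""
    reader = csv.reader(io.StringIO(text))
    next(reader)  # skip the header row
    return [row[index] for row in reader]


if __name__ == "__main__":
    print(positional_process_names(OLD_ORDER))  # process names
    print(positional_process_names(NEW_ORDER))  # event types: wrong column
    print(load_timeline(OLD_ORDER) == load_timeline(NEW_ORDER))
```

A positional reader keeps running after the upgrade but returns the wrong field, which in a detection pipeline shows up as missed matches rather than as an error.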

API

We’ve added the following new endpoints:

| Verb | Endpoint | Description |
| --- | --- | --- |
| GET | /api/splunk/ta/vulnmgmt | Returns Vulnerability Management data as a JSON array. |
| GET | /api/splunk/ta/compliance | Returns Compliance data as a JSON array. |

Security updates in version 3.0.51.1

Release date: Nov 4, 2020

We’ve updated the Collector image to resolve the following fixable CVEs:

The Collector image version 3.1.4-latest includes this update.

Image versions

| Image | Description | Current version |
| --- | --- | --- |
| Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. | stackrox.io/main:3.0.51.1 |
| Scanner | Scans images. | stackrox.io/scanner:2.6.0 |
| Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.6.0 |
| Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.4-latest |

Documentation changes

| Change | Page | Description |
| --- | --- | --- |
| New section | Integrate with Splunk | Added instructions to integrate with StackRox add-on for Splunk. |
| Update | Integrate with image registries | Added instructions for integrating with Google Artifact Registry. |
| Update | Integrate with CI systems | Added instructions for integrating with CircleCI. |
| Update | Integrate with Amazon S3 | Included a note about adding AWS root CA for air-gapped environments. |
| Update | Supported platforms | Added a note about unsupported Collector on GKE if you’ve enabled secure boot. |
