The StackRox Kubernetes Security Platform version 3.0.51 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.
Release date: October 28, 2020
We’ve released a new technology add-on for Splunk that normalizes and pulls vulnerability and compliance-related data into Splunk. You can use it along with your existing Splunk integration. For more details, see Integrate with Splunk.
- ROX-4405: Previously, there was an error in the CIS Kubernetes Compliance check for directory permissions. We’ve fixed this issue.
- ROX-5369: Previously, if you exported the `ROX_API_TOKEN` system variable from a Kubernetes secret with a newline character at the end, the `roxctl` CLI commands that require the token would fail. We’ve fixed this issue.
- ROX-5377: We’ve fixed an incorrect description for the `roxctl deployment check` command when you run the
- ROX-5599 and ROX-5600: Previously, if you installed the StackRox Kubernetes Security Platform on Google Kubernetes Engine (GKE), the admission controller would sometimes fail if there were connectivity issues with Sensor. This issue happened if you installed Sensor on preemptible VMs. To fix this issue, we’ve changed the node affinities of Central and Sensor to discourage installation on preemptible VMs and made updates to the admission controller. If Sensor is unavailable, instead of failing, the admission controller communicates with Central.
- ROX-5628: Previously, automatic upgrades of Collector would sometimes fail on tainted nodes. We’ve fixed this issue by enabling taint tolerations.
- ROX-5680: Previously, if you were using custom certificates and used the `sensor.sh` script to deploy a new Sensor, the script wouldn’t apply custom certificates from the `sensor/additional-cas/` folder. We’ve resolved this issue.
- ROX-5736: Previously, there was an error in the CIS Kubernetes Compliance check for PKI key file permissions. We’ve fixed this issue.
- ROX-5751: Previously, in the Vulnerability Management > Images view, the StackRox portal didn’t reset the displayed page count next to the page filtering bar. We’ve fixed this issue.
- ROX-5771: Previously, image summary data didn’t correctly load when using Safari. We’ve fixed this issue.
- ROX-5769: Previously, when creating custom policies, the StackRox portal would incorrectly parse values containing the equal sign (`=`) as a key-value pair and truncate everything before the equal sign. We’ve fixed this issue.
- ROX-5785: Previously, Sensor marked completed Kubernetes Jobs as deployments, which resulted in too many deployment objects, thereby affecting performance. We’ve fixed this issue by updating Sensor so that now it marks the completed Jobs as
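
The ROX-5369 failure mode above, shown as an added example that is not part of the original release notes or StackRox code. It assumes the newline entered the secret because the token was piped through `echo` before base64 encoding; the function names and the sample token are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not StackRox code): find and remove a trailing newline in a
# token stored as a base64-encoded Kubernetes Secret value.

# Constructed sample token, not a real credential.
SAMPLE_TOKEN='eyJhbGciOi.constructed.sample'

# Two ways of producing the Secret's data value.
# `echo` appends "\n" before encoding; `printf %s` does not.
encode_with_echo()   { echo "$1" | base64 | tr -d '\n'; }
encode_with_printf() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Return 0 if the decoded secret value ends in LF or CR.
# The last byte is inspected with od because shell command substitution
# silently strips trailing newlines and would hide the problem.
has_trailing_newline() {
  last=$(printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ] || [ "$last" = "0d" ]
}

# Decode the secret value and drop CR/LF so it is safe to export
# as ROX_API_TOKEN on roxctl versions without the fix.
clean_token() { printf '%s' "$1" | base64 --decode | tr -d '\r\n'; }

# Demonstration over both encodings of the constructed token.
for enc in "$(encode_with_echo "$SAMPLE_TOKEN")" "$(encode_with_printf "$SAMPLE_TOKEN")"; do
  if has_trailing_newline "$enc"; then
    echo "trailing newline in secret value: $enc"
  else
    echo "clean secret value:               $enc"
  fi
done
```
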
Release date: Nov 4, 2020
- ROX-5864: We’ve fixed an issue where viewing deployment details from the Risk view would sometimes crash the StackRox portal page.
You can now use the new `ROX_NETWORK_ACCESS_LOG` environment variable to log all network requests to Central. When you set its value to `true`, Central logs include all network requests to Central from both the API and the StackRox portal. The default value for this variable is `false`. We recommend that you only set the `ROX_NETWORK_ACCESS_LOG` environment variable to `true` when debugging network connectivity issues and set it back to `false` after your
We’ve added a new policy criterion called Namespace that evaluates policies against the provided namespace.
You can now use the `--force-http1` option with most `roxctl` commands. When you use this option, `roxctl` avoids using the HTTP/2 network protocol. Only use this option if you have connectivity issues that you suspect are caused by an ingress or proxy.
We’ve reordered the columns in the process timeline CSV. They’re now sorted by timestamp. If you are using the process timeline CSV for automation, modify your automated processes accordingly.
We’ve added the following new endpoints:
|GET||Returns Vulnerability Management data as a JSON array.|
|GET||Returns Compliance data as a JSON array.|
Release date: Nov 4, 2020
We’ve updated the Collector image to resolve the following fixable CVEs:
The Collector image version `3.1.4-latest` includes this update.
|Main||It includes Central, Sensor, Admission Controller, and Compliance. It also includes ||stackrox.io/main:188.8.131.52|
|Scanner DB||Stores image scan results and vulnerability definitions.||stackrox.io/scanner-db:2.6.0|
|Collector||Collects runtime activity in Kubernetes or OpenShift clusters.||collector.stackrox.io/collector:3.1.4-latest|
|New section||Integrate with Splunk||Added instructions to integrate with StackRox add-on for Splunk.|
|Update||Integrate with image registries||Added instructions for integrating with Google Artifact Registry.|
|Update||Integrate with CI systems||Added instructions for integrating with CircleCI.|
|Update||Integrate with Amazon S3||Included a note about adding AWS root CA for air-gapped environments.|
|Update||Supported platforms||Added a note about unsupported Collector on GKE if you’ve enabled secure boot.|