Release notes: 3.0.55

Find out what's new in version 3.0.55.


The StackRox Kubernetes Security Platform version 3.0.55 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: February 3, 2021

New features

Kubernetes API Server abuse protection

You can now configure policies in the StackRox Kubernetes Security Platform to detect Kubernetes events that may indicate unauthorized access to a pod through the API server. Specifically, you can configure policies to audit or block portforward and exec events into pods within your environment.

Kernel modules for SUSE Linux

You can now collect runtime activity on SUSE Linux Enterprise Server by using a kernel module. Currently, we support:

  • SUSE Linux Enterprise Server 15 (LTSS)
    • 15 SP1
    • 15 SP2
  • SUSE Linux Enterprise Server 12 (LTSS)
    • 12 SP3 (LTSS)
    • 12 SP4 (LTSS)
    • 12 SP5

Helm charts installation experience

We’ve added a new, more configurable Secured Cluster Services Helm chart that you can use to install and upgrade Sensor, Collector, and Admission controller. For more information, see the Quick Start (Helm) and Helm charts configuration topics.

Important bug fixes

  • ROX-6142: Previously, the health dashboard wouldn’t display the Collector health status if you had deployed the Collector in a namespace other than the stackrox namespace. We’ve fixed this issue.
  • ROX-6200: We’ve fixed an issue where sometimes a JSON parsing error crashed a few Collector pods.
  • ROX-6217: Previously, if you deleted a Collector DaemonSet, the health dashboard would still report the Collector as healthy. We’ve fixed this issue.
  • ROX-6249: We’ve fixed an issue where the container name was missing from the container resource violation messages.
  • ROX-6301: We’ve fixed an issue where filtering violations on the Violations view would sometimes incorrectly show the message "No results found. Please refine your search."
  • ROX-6351: Previously, the StackRox Kubernetes Security Platform would not include process violation messages in the notification triggered by process-related policy violations. We’ve fixed this issue.
  • ROX-6392: Previously, in the Vulnerability Management > Images view in the StackRox portal, if you used local page filtering for namespaces, you couldn’t sort the results based on the Risk Priority. We’ve fixed this issue.

Important system changes

Admission controller

  • From version 3.0.55, the StackRox Kubernetes Security Platform deploys the Admission controller service by default in new Kubernetes clusters to support runtime policies that audit or block exec and portforward events. Currently, it only works on Kubernetes clusters.

API

  • The /v1/metadata endpoint no longer shows version information in the response message for unauthenticated requests.
  • We’ve deprecated the /db/backup endpoint; use the /api/extensions/backup endpoint instead.
  • We’ve deprecated the includeCertificates request parameter of the /v1/externalbackups/* endpoint. Backups now include certificates by default.
  • We’ve deprecated the Policy.whitelists request body parameter of the /v1/policies/* endpoint; use the Policy.exclusions parameter instead.

roxctl CLI

  • You can use the new --send-notifications option with the roxctl image check command, which sends notifications (to all configured notifiers) for build-time policy violations. This is useful when teams want to be notified of issues individually without breaking builds.
  • We’ve deprecated the roxctl central db backup command. Use the roxctl central backup command instead.
  • We’ve deprecated the following options of the sensor generate command:
    • --create-admission-controller; use --admission-controller-listen-on-creates instead.
    • --admission-controller-enabled; use --admission-controller-enforce-on-creates instead.
  • We’ve added --retries and --retry-delay options for the following commands:
    • roxctl image scan
    • roxctl image check
    • roxctl deployment check

    Use the --retries option to specify the number of times you want to retry running the command. For example, --retries 3.

    Use the --retry-delay option to specify the time (in seconds) to wait before re-running the command. For example, --retry-delay 2.

  • We’ve added a new --admission-controller-listen-on-events option (true by default) to the roxctl sensor generate k8s command. It controls the deployment of the admission controller webhook, which listens for Kubernetes exec and portforward events.

Policy criteria

We’ve added new policy criteria called Kubernetes Action.

Image versions

  • Main: Includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems. Current version: stackrox.io/main:3.0.55.0
  • Scanner: Scans images. Current version: stackrox.io/scanner:2.10.0
  • Scanner DB: Stores image scan results and vulnerability definitions. Current version: stackrox.io/scanner-db:2.10.0
  • Collector: Collects runtime activity in Kubernetes or OpenShift clusters. Current version: collector.stackrox.io/collector:3.1.12-latest


© 2021 StackRox Inc. All rights reserved.