The StackRox Kubernetes Security Platform version 3.0.56 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.
Release date: February 24, 2021
You can now identify vulnerabilities in core Kubernetes components and the container runtimes (Docker, CRI-O, runC, and containerd) you are using on your nodes. See Identify vulnerabilities in nodes for more information.
The StackRox Kubernetes Security Platform discovers your deployments’ network flows and creates a baseline based on the regular network activity in your clusters. You can now configure alerts and block network activity for connections that don’t exist in the baseline. For more information, see Use Network baselining.
- ROX-3893: Previously, if you used the `--json` option with the `roxctl image check` command, it would always exit with code `0`. We’ve fixed this issue.
- ROX-6085: We’ve fixed some issues with the `roxctl` CLI’s logging and debugging commands.
- ROX-6282: We’ve fixed the incorrect API description for `CountDeployments` and added missing descriptions for the
- ROX-6303: Previously, the Deployment With Most Severe Violations widget in the Vulnerability Management view didn’t change based on the selected namespace. We’ve fixed this issue.
- ROX-6388: Previously, the `sensor.sh` script would fail with errors when you used it to install Sensor on OpenShift version 4.6. We’ve fixed this issue.
- ROX-6504: Previously, the StackRox portal would forcefully log out users when they selected Platform Configuration > Access Control, and they didn’t have appropriate permissions. We’ve fixed this issue.
- ROX-6522: We’ve fixed an issue in the StackRox portal, where the component’s location wouldn’t display if you were viewing details for a specific image.
- ROX-6540: Previously, when configuring a SAML identity provider, the IdP Metadata URL option didn’t work for Keycloak. We’ve fixed this issue.
- ROX-6608: We’ve fixed incorrect authorization permissions for the
Release date: Mar 8, 2021
- ROX-6629: We’ve fixed an issue in the StackRox portal, where the Compliance view would sometimes display an error message.
- ROX-6708: Previously, the Scanner would fail to scan images with OCI (Open Container Initiative) manifests. We’ve fixed this issue.
- ROX-6699: Previously, modifying the Docker CIS 5.15: Ensure that the host’s process namespace is not shared policy would result in an error. We’ve fixed this issue.
- ROX-6716: Previously, if you used Helm to install a Sensor, you couldn’t enable automatic upgrades for that secured cluster. You can now use the `SENSOR_HELM_NOT_HELM_MANAGED=true` environment variable to enable automatic upgrades for Helm-managed secured clusters.
- CVE-2020-28928 discovered in alpine:3.13 is a false positive. This is actively being addressed.
- Splunk alert events sent to HEC no longer include policy description, remediation, and rationale to allow for more violations within the HEC limit.
- We’ve added Namespace and Node to the minimal access specification for creating a new Role.
- We’ve added Admission Control health status to the health dashboard. Navigate to Platform Configuration > System Health to view.
- We’ve updated the Improper Usage of Orchestrator Secrets Volume policy to match the Dockerfile line syntax accurately.
- We’ve updated the Network Management Execution policy to match network management utilities correctly.
- We’ve added new default policies for the following
The page title you see in your browser (and in your browser history) now displays the title of the page you are viewing.
- If you are using the Dynamic configuration option, you can now specify the IdP Metadata URL. When you use this option, the StackRox Kubernetes Security Platform skips TLS validation when fetching the metadata. This configuration is insecure, and we don’t recommend it.
- If you are using the Static configuration option, you can now specify multiple PEM-encoded certificates for the `IdP Certificate(s) (PEM)` option.
- You can now use the new `--categories` option with the `roxctl image check` command to specify a comma-separated list of categories, so that only policies in those categories are run.
- You can now use the new `--json-fail-on-policy-violations` option with the `roxctl image check` command. When you set this option to `true` and there are policy violations, the command exits with a non-zero exit code. The default value for this option is
- We plan to deprecate the `--json` option for the `roxctl image check` command in the StackRox Kubernetes Security Platform version 3.0.59, use the
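The practical consequence of the ROX-3893 fix and the new `--json-fail-on-policy-violations` and `--categories` options is that `roxctl image check` can now gate a CI job on its exit code instead of on parsed JSON. The following POSIX shell wrapper is an added example, not a StackRox script: it assumes `roxctl` is on `PATH` (or named by a `ROXCTL` variable), that `ROX_ENDPOINT` and `ROX_API_TOKEN` are already exported for it, and that `--image` and `--json` are the existing roxctl flags (the `--json-fail-on-policy-violations=true` spelling assumes standard `--flag=value` boolean syntax). The report path and the sample image names are constructed.

```shell
#!/bin/sh
# Added example (not StackRox's own tooling): fail a CI job when
# `roxctl image check` reports policy violations for an image.
#
# Assumptions, not from the release notes:
#   - roxctl is on PATH, or ROXCTL names the binary to run;
#   - ROX_ENDPOINT and ROX_API_TOKEN are exported so roxctl can reach Central;
#   - --image and --json are existing roxctl flags;
#   - the boolean flag accepts the --flag=true spelling.
# --json-fail-on-policy-violations and --categories are the options that
# 3.0.56 adds; the exit code is the CI verdict, the JSON file is the evidence.

check_image() {
  image="$1"                       # e.g. registry.example.com/app:1.2.3 (constructed)
  categories="${2:-}"              # optional comma-separated policy categories
  report="${3:-image-check.json}"  # where to keep the JSON report for the build log
  roxctl_bin="${ROXCTL:-roxctl}"

  # Build the argument list; only add --categories when the caller asked for it.
  set -- image check --image "$image" --json --json-fail-on-policy-violations=true
  if [ -n "$categories" ]; then
    set -- "$@" --categories "$categories"
  fi

  # Capture the report first, then act on the exit code. Running this under
  # `set -e` without the if/else would abort before the report is written.
  if "$roxctl_bin" "$@" > "$report"; then
    rc=0
  else
    rc=$?
  fi

  case "$rc" in
    0) echo "PASS: $image has no violations of the selected policies" ;;
    *) echo "FAIL: $image violated policy (roxctl exit $rc); see $report" >&2 ;;
  esac
  return "$rc"
}

# Direct use: ./check_image.sh registry.example.com/app:1.2.3 "Security Best Practices"
if [ $# -gt 0 ]; then
  check_image "$@"
fi
```

Because the wrapper propagates roxctl's exit code, a pipeline step that runs it fails exactly when the scan finds a violation of the selected policies, and the saved JSON report remains available as a build artifact for the reviewer.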
| Image | Description | Current version |
|---|---|---|
| Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes | stackrox.io/main:220.127.116.11 |
| Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.11.1 |
| Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.1.14-latest |
| Change | Topic | Description |
|---|---|---|
| New topic | Use network baselining | Identify and address abnormal network activity. |
| New section | View network policies | Added a new Network baseline section. |
| New section | Manage vulnerabilities | Added a new Identify vulnerabilities in nodes section. |
| New section | Deploy-time policies | Added a new section Block deployment for images that aren’t scanned. |
| New topic | Integrate with email | Integrate StackRox with your email provider. |
| Update | Backup and restore | Added instructions to take backups by using the administrator password. |
| Update | Helm chart configuration | Added Secured Cluster Services Helm chart configuration options. |
| Update | Quick Start (Helm) | Updated the Install a Sensor section to include instructions for installing Sensor using a cluster init bundle. |
We're happy to help! Reach out to us to discuss questions, issues, or feature requests.