Release notes: 3.0.56

Find out what's new in version 3.0.56.

3 minute read

The StackRox Kubernetes Security Platform version 3.0.56 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: February 24, 2021

New features

Host scanning

You can now identify vulnerabilities in core Kubernetes components and the container runtimes (Docker, CRI-O, runC, and containerd) you are using on your nodes. See Identify vulnerabilities in nodes for more information.

Network baseline updates

The StackRox Kubernetes Security Platform discovers your deployments’ network flows and creates a baseline based on the regular network activity in your clusters. You can now configure alerts and block network activity for connections that don’t exist in the baseline. For more information, see Use Network baselining.

Important bug fixes

  • ROX-3893: Previously, if you used --json option with the roxctl image check command, it would always exit with code 0. We’ve fixed this issue.
  • ROX-6085: We’ve fixed some issues with the roxctl CLIs logging and debugging commands.
  • ROX-6282: We’ve fixed the incorrect API description for CountDeployments and added missing descriptions for the GetSecret, CountSecrets, and ListSecrets endpoints.
  • ROX-6303: Previously, the Deployment With Most Severe Violations widget in the Vulnerability Management view didn’t change based on the selected namespace. We’ve fixed this issue.
  • ROX-6388: Previously, the sensor.sh script would fail with errors when installing Sensor on OpenShift version 4.6 by using that script. We’ve fixed this issue.
  • ROX-6504: Previously, the StackRox portal would forcefully log out users when they selected Platform Configuration > Access Control, and they didn’t have appropriate permissions. We’ve fixed this issue.
  • ROX-6522: We’ve fixed an issue in the StackRox portal, where the component’s location wouldn’t display if you were viewing details for a specific image.
  • ROX-6540: Previously, when configuring a SAML identity provider, the IdP Metadata URL option didn’t work for Keycloak. We’ve fixed this issue.
  • ROX-6608: We’ve fixed incorrect authorization permissions for the GetNetworkGraphConfig and PutNetworkGraphConfig APIs.

Resolved in version 3.0.56.1

Release date: Mar 8, 2021

  • ROX-6629: We’ve fixed an issue in the StackRox portal, where the Compliance view would sometimes display an error message.
  • ROX-6708: Previously, the Scanner would fail to scan images with OCI (Open Container Initiative) manifests. We’ve fixed this issue.
  • ROX-6699: Previously, modifying the Docker CIS 5.15: Ensure that the host’s process namespace is not shared policy would result in an error. We’ve fixed this issue.
  • ROX-6716: Previously, if you’ve used Helm to install a Sensor, you couldn’t enable automatic upgrades for that secured cluster. You can now use the SENSOR_HELM_NOT_HELM_MANAGED=true environment variable to enable automatic upgrades for Helm managed secured clusters.

Known Issues

  • CVE-2020-28928 discovered in alpine:3.13 is a false positive. This is actively being addressed.

Important system changes

  • Splunk alert events sent to HEC no longer include policy description, remediation, and rationale to allow for more violations within the HEC limit.
  • We’ve added Namespace and Node to the minimal access specification for creating a new Role.
  • We’ve added Admission Control health status to the health dashboard. Navigate to Platform Configuration > System Health to view.

Violation policies

  • We’ve updated the Improper Usage of Orchestrator Secrets Volume policy to match the Dockerfile line syntax accurately.
  • We’ve updated the Network Management Execution policy to match network management utilities correctly.
  • We’ve added new default policies for the following CIS Docker controls:
    • 4.1
    • 4.4
    • 4.7
    • 5.1
    • 5.7
    • 5.9
    • 5.15
    • 5.16
    • 5.19
    • 5.20
    • 5.21

StackRox portal

The page title you see in your browser (and in your browser history) now displays the title of the page you are viewing.

SAML authentication

  • If you are using the Dynamic configuration option, you can now specify the https+insecure:// scheme for IdP Metadata URL. When you use this option, the StackRox Kubernetes Security Platform skips TLS validation when fetching the metadata. This configuration is insecure, and we don’t recommend it.
  • If you are using the Static configuration option, you can now specify multiple PEM-encoded certificates for the IdP Certificate(s) (PEM) option.

roxctl CLI

  • You can now use the new --categories option with the roxctl image check command and specify a comma-separated list of categories to only run policies that match the specified categories.
  • You can now use the new --json-fail-on-policy-violations option with the roxctl image check command. When you set this option to true, and there are policy violations, the command exits with a non-zero exit code. The default value for this option is false.
  • We plan to deprecate the --json option for the roxctl image check command in the StackRox Kubernetes Security Platform version 3.0.59, use the --json-fail-on-policy-violations option instead.

Image versions

ImageDescriptionCurrent version
MainIt includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems.stackrox.io/main:3.0.56.0
ScannerScans images.stackrox.io/scanner:2.11.1
Scanner DBStores image scan results and vulnerability definitions.stackrox.io/scanner-db:2.11.1
CollectorCollects runtime activity in Kubernetes or OpenShift clusters.collector.stackrox.io/collector:3.1.14-latest

Documentation changes

ChangePageDescription
New topicUse network baseliningIdentify and address abnormal network activity.
New sectionView network policiesAdded a new Network baseline section.
New sectionManage vulnerabilitiesAdded a new Identify vulnerabilities in nodes section.
New sectionDeploy-time policiesAdded a new section Block deployment for images that aren’t scanned.
New topicIntegrate with emailIntegrate StackRox with your email provider.
UpdateBackup and restoreAdded instructions to take backups by using the administrator password.
UpdateHelm chart configurationAdded Secured Cluster Services Helm chart configuration options.
UpdateQuick Start (Helm)Updated the Install a Sensor section to include instructions for installing Sensor using cluster init bundle.

Questions?

We're happy to help! Reach out to us to discuss questions, issues, or feature requests.

© 2021 StackRox Inc. All rights reserved.