Release notes: 3.0.57

Find out what's new in version 3.0.57.

2 minute read

The StackRox Kubernetes Security Platform version 3.0.57 includes new features, bug fixes, and system changes. To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: March 18, 2021

New features

Scan inactive images

The StackRox Kubernetes Security Platform scans all active (deployed) images every 4 hours and updates the image scan results to reflect the latest vulnerability definitions. You can now add inactive (undeployed) images for automatic scanning. For more details, see Scan inactive images.

Important bug fixes

  • ROX-6085: Previously, setting Central log level by using the roxctl CLI’s debug log command wouldn’t work sometimes. You could also set unacceptable values for log level (for example, Trace), which didn’t affect the log level. We’ve fixed these issues.
  • ROX-6302: We’ve fixed an issue with the Violations view where loading too many violations would sometimes crash the StackRox portal page.
  • ROX-6627: Previously, on OpenShift, when creating new builds, the OpenShift web console would show the error message admission webhook “policyeval.stackrox.io” does not support dry run. We’ve fixed this issue by adding dry run support to the admission controller webhook.
  • ROX-6640: We’ve fixed an issue where the StackRox portal wouldn’t display the full description for RHSA CVEs in the CVE details view.
  • ROX-6723: Previously, if you were using the default CA certificate for Central, and you’ve configured an additional CA certificate for a Sensor, the StackRox Kubernetes Security Platform would overwrite Sensor’s additional certificate. We’ve fixed this issue.
  • ROX-6736: Previously, sometimes the StackRox portal didn’t show allowed connections between Sensor and non-isolated deployments in the Network Graph view. We’ve fixed this issue.

Resolved in version 3.0.57.1

Release date: Mar 24, 2021

  • ROX-6832: Previously, if you were using the RHEL base image, upgrading the StackRox Kubernetes Security Platform to version 3.0.57.0 would fail. We’ve fixed this issue.

Resolved in version 3.0.57.2

Release date: Mar 25, 2021

  • ROX-6834: Previously, in the StackRox Kubernetes Security Platform version 3.0.57.0, you couldn’t install a Sensor using the StackRox portal because downloading the Sensor bundle would fail. We’ve fixed this issue.
  • ROX-6805: Previously, if you were using the StackRox Kubernetes Security Platform on OpenShift, the security context constraint conflicted with the Authentication Operator. We’ve updated the StackRox Kubernetes Security Platform’s security context constraint to fix this issue. To upgrade to the StackRox Kubernetes Security Platform version 3.0.57.2, you must also update the security context constraint. See Update OpenShift Security Context Constraints for details.

Important system changes

  • You can now declare custom SourceTypes for alert and audit events if you are integrating with Splunk.
  • The published time for CVEs in RHEL and CentOS images is now correctly shown.
  • You can now use cluster init bundles for clusters you’ve deployed with helmManaged set to false. Previously, helmManaged=false only worked with certificates that were specific to an existing cluster.

roxctl CLI

The roxctl central generate openshift and roxctl sensor generate openshift commands now accept an --openshift-version option. You can set it to:

  • 3 if you are deploying on OpenShift Container Platform version 3.x, or
  • 4 if you are deploying on OpenShift Container Platform version 4.x.

When you don’t specify this option, the StackRox Kubernetes Security Platform generates deployment bundles in a compatibility mode that works on OpenShift Container Platform version 3.11 and version 4.x. However, if you are using OpenShift Container Platform version 4.x, we recommend that you specify this options as 4 to take advantage of additional features that aren’t available for earlier OpenShift versions.

Security updates

We’ve updated the Collector image to resolve the following fixable CVEs:

The Collector image version 3.1.16-latest includes this update.

Image versions

ImageDescriptionCurrent version
MainIt includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems.stackrox.io/main:3.0.57.1
ScannerScans images.stackrox.io/scanner:2.11.2
Scanner DBStores image scan results and vulnerability definitions.stackrox.io/scanner-db:2.11.2
CollectorCollects runtime activity in Kubernetes or OpenShift clusters.collector.stackrox.io/collector:3.1.16-latest

Questions?

We're happy to help! Reach out to us to discuss questions, issues, or feature requests.

© 2021 StackRox Inc. All rights reserved.