The StackRox Kubernetes Security Platform version 3.65.0 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases.
To upgrade to this release from a previous version, see the Upgrade StackRox section.
Release date: September 1, 2021
You can now use the MITRE ATT&CK Framework to categorize policies in the StackRox Kubernetes Security Platform.
You can now configure the dynamic admission control settings in the Red Hat Advanced Cluster Security for Kubernetes Operator. It now includes the following admission control settings:
- admissionControl.bypass: Bypass admission control in a monitored manner in the event of an emergency.
- admissionControl.contactImageScanners: Define how the StackRox Kubernetes Security Platform should handle inline image scanning for images that aren't already scanned during a deployment's admission review.
- admissionControl.timeoutSeconds: Specify a maximum timeout period for the admission review, after which the admission review fails open.
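The following SecuredCluster resource is an added illustration of where these three settings live in the Operator's custom resource; it is not taken from the release notes. The API group and version, the resource name, the `listenOn*` fields, and the enumerated values `BreakGlassAnnotation` and `ScanIfMissing` are assumptions based on the Operator's published CRD, not values stated on this page; the cluster name is a constructed placeholder. The timeout is worth reviewing deliberately: because the review fails open on timeout, a generous `timeoutSeconds` combined with `ScanIfMissing` means an unscanned image can be admitted if the inline scan does not return in time.

```yaml
apiVersion: platform.stackrox.io/v1alpha1   # assumed API group/version of the Operator CRD
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services   # assumed conventional resource name
  namespace: stackrox
spec:
  clusterName: example-cluster              # constructed placeholder
  admissionControl:
    listenOnCreates: true                   # assumed field: review object creation
    listenOnUpdates: true                   # assumed field: review object updates
    # Allow emergency bypass, but keep it visible (monitored) rather than silent.
    bypass: BreakGlassAnnotation            # assumed enum value
    # Scan images inline only when no scan result already exists.
    contactImageScanners: ScanIfMissing     # assumed enum value
    # Upper bound for the review; on expiry the review fails open, so keep it tight.
    timeoutSeconds: 20
```

Set `bypass` to a non-bypass value if your environment cannot tolerate an operator annotation short-circuiting the check, and pair `ScanIfMissing` with alerting on admission timeouts so that a fail-open event is noticed rather than silently admitted.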
- ROX-6988: Previously, CVEs in Red Hat packages that transitioned from the unfixable to the fixable state weren't deleted and replaced by the fixable advisory. We've fixed this issue.
- ROX-7170: Previously, the error logs in the diagnostic bundle were only collected if you'd installed the StackRox Kubernetes Security Platform services in the stackrox namespace. We've resolved this issue.
- ROX-7861: Previously, the StackRox Kubernetes Security Platform compliance control NIST 800-190 Control 4.1.4 didn't correctly detect policies used for secrets protection. We've fixed this issue.
- We've updated the host-pid policy to include an exception for the openshift-sdn namespace, because the sdn deployment in the openshift-sdn namespace shares the host process namespace, and this resulted in an inaccurate violation.
- The alert notification titles for PagerDuty, Slack, Microsoft Teams, JIRA, and email notifiers now include the cluster and policy names in addition to the deployment or image name, when one exists.
- The alert notification for PagerDuty now includes the full alert in the JSON format as a custom detail.
- All default system policies’ criteria fields are now read-only. However, you can still edit the policy criteria fields for the custom policies or policies you create by cloning a system policy.
In the StackRox Kubernetes Security Platform version 3.66, we'll deprecate the following default system policies:
- DockerHub NGINX 1.10
- Shellshock: Multiple CVEs
In the StackRox Kubernetes Security Platform version 3.66, we'll disable the following default system policies:
- DOCKER CIS 4.4: Ensure images are scanned and rebuilt to include security patches
You can create custom policies to monitor for these violations.
| Image | Description | Current version |
|---|---|---|
| Main | It includes Central, Sensor, Admission Controller, and Compliance. It also includes | stackrox.io/main:3.65.0 |
| Scanner | Scans images and nodes. | stackrox.io/scanner:2.19.0 |
| Scanner DB | Stores image scan results and vulnerability definitions. | stackrox.io/scanner-db:2.19.0 |
| Collector | Collects runtime activity in Kubernetes or OpenShift clusters. | collector.stackrox.io/collector:3.3.0-latest |