We're moving the documentation to a new location. Please bookmark our new site.

Release notes: 3.65

Find out what's new in version 3.65.0

2 minute read

The StackRox Kubernetes Security Platform version 3.65.0 includes feature enhancements, bug fixes, scale improvements, and other changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases.

To upgrade to this release from a previous version, see the Upgrade StackRox section.

Release date: September 1, 2021

New Features

MITRE ATT&CK Framework

You can now use the MITRE ATT&CK Framework to categorize policies in the StackRox Kubernetes Security Platform.

Install on Red Hat OpenShift Service on AWS and Azure Red Hat OpenShift

You can now install the StackRox Kubernetes Security Platform on Red Hat OpenShift Service on AWS and Azure Red Hat OpenShift.

Admission control settings

You can now configure the dynamic admission control settings in the Red Hat Advanced Cluster Security for Kubernetes Operator. It now includes the following admission control settings:

  • admissionControl.bypass: Bypass admission control in a monitored manner in the event of an emergency.
  • admissionControl.contactImageScanners: Define how the StackRox Kubernetes Security Platform should handle inline-image scanning for images that aren’t already scanned during a deployments admission review.
  • admissionControl.timeoutSeconds: Specify a maximum timeout period for the admission review, upon which admission review will fail open.

Important bug fixes

  • ROX-6988: Previously, CVEs in Red Hat packages that transitioned from unfixable to the fixable state weren’t deleted and replaced by the fixable advisory. We’ve fixed this issue.
  • ROX-7170: Previously, the error logs in the diagnostic bundle were only collected if you’ve installed the StackRox Kubernetes Security Platform services in the stackrox namespace. We’ve resolved this issue.
  • ROX-7861: Previously, the StackRox Kubernetes Security Platform compliance control NIST 800-190 Control 4.1.4 didn’t correctly detect policies used for secrets protection. We’ve fixed this issue.

Important system changes

  • We’ve updated the host-pid policy to include an exception for the openshift-sdn namespace because the sdn deployment in the openshift-sdn namespace shares the host process namespace, and it resulted in an inaccurate violation.
  • The alert notification titles for PagerDuty, Slack, Microsoft Teams, JIRA, and email notifiers now include the cluster and the policy names in addition to the deployment or image name if it exists.
  • The alert notification for PagerDuty now includes the full alert in the JSON format as a custom detail.
  • All default system policies’ criteria fields are now read-only. However, you can still edit the policy criteria fields for the custom policies or policies you create by cloning a system policy.

Upcoming changes

In the StackRox Kubernetes Security Platform version 3.66, we’ll deprecate the following default system policies:

  • DockerHub NGINX 1.10
  • Shellshock: Multiple CVEs
  • Heartbleed: CVE-2014-0160

In the StackRox Kubernetes Security Platform version 3.66, we’ll disable the following default system policies:

  • DOCKER CIS 4.4: Ensure images are scanned and rebuilt to include security patches

You can create custom policies to monitor for these violations.

Image versions

ImageDescriptionCurrent version
MainIt includes Central, Sensor, Admission Controller, and Compliance. It also includes roxctl for use in Continuous Integration systems.stackrox.io/main:3.65.0
ScannerScans images and nodes.stackrox.io/scanner:2.19.0
Scanner DBStores image scan results and vulnerability definitions.stackrox.io/scanner-db:2.19.0
CollectorCollects runtime activity in Kubernetes or OpenShift clusters.collector.stackrox.io/collector:3.3.0-latest

Questions?

We're happy to help! Reach out to us to discuss questions, issues, or feature requests.

© 2021 StackRox Inc. All rights reserved.