This file helps upstream users learn about what is new in a release.
Put an entry in this file if your change is user-visible and you consider it particularly noteworthy. Especially:
- Any changes that introduce a deprecation in functionality, OR
- Obscure side-effects that are not obviously apparent based on the JIRA associated with the changes.
Changes should still be described appropriately in JIRA/doc input pages, for inclusion in downstream release notes.
Full Changelog: 4.10.4...4.10.5
For a description of the changes, review the Release Notes on the Red Hat Documentation portal.
Full Changelog: 4.10.3...4.10.4
For a description of the changes, review the Release Notes on the Red Hat Documentation portal.
Full Changelog: 4.10.2...4.10.3
For a description of the changes, review the Release Notes on the Red Hat Documentation portal.
Full Changelog: 4.10.1...4.10.2
For a description of the changes, review the Release Notes on the Red Hat Documentation portal.
Full Changelog: 4.10.0...4.10.1
For a description of the changes, review the Release Notes on the Red Hat Documentation portal.
- ROX-31443: Automatic HTTP to HTTPS redirection is now enabled for Central OpenShift routes (passthrough and reencrypt).
- ROX-29582: A `kubectl get` on a Central CR now shows the following additional columns: Version, AdminPassword, Message, Available, Progressing.
- ROX-32061: The `spec.configAsCode` field in the Central CR now supports `resources`, `nodeSelector`, `tolerations`, and `hostAliases` settings for the config-controller deployment.
- ROX-31738: Added the `spec.customize.deploymentDefaults` field to the Central and SecuredCluster CRDs, for configuring global default scheduling constraints for Deployments. This was previously possible on a per-component basis.
- ROX-30094, ROX-30610, ROX-30740: Add new namespaces to the Layered Products default config regex.
- ROX-31960, ROX-32449: Added include and exclude filters for custom metrics.
- ROX-30641: Added a new policy criteria "Days Since CVE Fix Was Available".
- ROX-32630: The OpenShift console plugin integrates the ACS vulnerability management view into OpenShift console. It is enabled by default for operator-deployed secured clusters.
- Tech preview: operator-based installation available for community StackRox build. More information in a separate README file.
- ROX-30585, ROX-30196 (Tech Preview): Added file activity monitoring, including new policy criteria for deployment or node file activity.
- ROX-31727: The `/v1/cve/requests` APIs (deprecated in 4.3.0) for managing vulnerability exceptions have been removed. The `/v2/vulnerability-exceptions/` APIs must be used instead.
- ROX-31728: Active Vulnerability Management has been removed.
- ROX-31531: Removed the deprecated `/v1/imagecves/suppress` and `/v1/imagecves/unsuppress` APIs.
- ROX-32851: The `roxctl netpol generate`, `roxctl netpol connectivity map`, and `roxctl netpol connectivity diff` commands are deprecated because they rely on the unmaintained NP-Guard library; they will be removed in a future release.
- ROX-32867: The Compliance V1 feature has been deprecated and is planned to be removed in a future release. This includes:
- The Compliance Dashboard
- The Compliance V1 API endpoints
- The Compliance Configuration Management Board
- ROX-30769: Update Node.js requirement for ui folder to 22.13.0
- ROX-31295: The lower limit for `ROX_MAX_PARALLEL_IMAGE_SCAN_INTERNAL` on Sensor has been reduced to one (from 10).
- ROX-32125: The operator now adopts secrets that have the `app.stackrox.io/managed-by: operator` label but no `ownerReferences`. This fixes reconciliation failures after backup/restore operations that strip `ownerReferences` from secrets.
- ROX-32394, ROX-32554: Removed the init-tls-certs init container from all Secured Cluster services. The certificate initialization logic for Sensor is now performed at Sensor startup.
- ROX-28352: Removed Sensor's `certdistribution` API, which was used by the admission controller to retrieve its TLS certificate from Sensor (no longer needed).
- ROX-26374: Upgrading from a version prior to 4.6 is no longer supported. If upgrading from a version prior to 4.6, you must upgrade to 4.6, 4.7, 4.8 or 4.9 first, before upgrading to 4.10. Similarly, once on 4.10 or higher, rollback to a version prior to 4.6 is no longer supported. For example:
  - 4.5 -> 4.10: not supported; you must go to 4.6, 4.7, 4.8 or 4.9 first and then go to 4.10.
  - 4.6 -> 4.10: this upgrade is supported, as is the rollback.
- ROX-30645: Two new API endpoints have been added for locking/unlocking process baselines given a cluster ID and an optional set of namespaces.
- ROX-30279: The `admissionControl.enforcement` field has been added to the SecuredCluster CRD as a high-level way to toggle admission controller enforcement.
- ROX-30279: The `admissionControl.enforcement` field defaults to Enabled for new installations. [This is currently behind the ROX_ADMISSION_CONTROLLER_CONFIG feature flag, but the plan is to enable it for 4.9.]
- ROX-30279: The `admissionControl.failurePolicy` field has been added to the SecuredCluster CRD for controlling the admission controller's failure policy. It defaults to `Ignore`.
- ROX-27238: The Central API for generating CRSs now supports custom expiration times, specified using the new fields "valid_until" or "valid_for". roxctl's "central crs generate" now supports specifying custom expiration times using the new parameters "--valid-until" or "--valid-for".
- ROX-30087: OIDC tokens used to access the API are now implicitly exchanged, with a role mapping according to the M2M configuration that matches the token issuer.
- ROX-30100: Incorrect defaults for admission controller related configuration options in "roxctl sensor generate" have been fixed. The admission controller will be deployed and configured for policy evaluation and enforcement as well as image scanning out of the box, without requiring a user to specify command line options to "roxctl sensor generate".
- ROX-30034, ROX-29995, ROX-29996: Support for two new admission controller configuration options in `roxctl sensor generate`:
  - `--admission-controller-enforcement` defaults to true. If set to false, the admission controller webhook will be configured to not enforce policies on any admission review request.
  - `--admission-controller-fail-on-error` defaults to false, which means the admission controller webhook will fail open. If set to true, the admission controller webhook will fail closed, i.e. the review request will be blocked in case of timeouts or errors.
- ROX-24956: Fixed the default timeout value for the `--admission-controller-timeout` flag to 0 (note: this flag has been marked for deprecation).
- ROX-30035: On upgrade to 4.9, all secured clusters deployed using manifest install (roxctl sensor generate or the Add Cluster legacy install UI workflow) will have the scan inline setting of the admission controller config set to true, and will have both enforce on creates and enforce on updates set to true if either or both were true before the upgrade. This implies that the admission controller webhooks will now be configured to 1) always scan images inline and 2) either enforce on all admission review requests, or not at all.
- ROX-19197: Policies with the "Allow Privilege Escalation" criterion will now fire violations for deployments with containers which do not have allowPrivilegeEscalation defined in their security context.
- ROX-29160: New default policy (disabled by default) and associated image signature integration to ensure Red Hat images are signed by Red Hat's Release Key 3 (see https://access.redhat.com/security/team/key); it also serves as an example of using the Image Signature criterion. It applies to images from the following registries and remotes:
  - registry.redhat.io
  - registry.access.redhat.com
  - quay.io/openshift-release-dev/ocp-release
  - quay.io/openshift-release-dev/ocp-v4.0-art-dev
- ROX-28326: Custom Prometheus metrics exposed on the `/metrics` path of the Central API endpoint. Configured via the `/v1/config` service. Disabled by default.
- ROX-20262: Enable internal CA rotation for Operator-installed Centrals and Secured Clusters. Operator-installed Secured Clusters have full support, while Helm-installed Secured Clusters have partial support (they can connect to Central with the rotated CA, but their certificates remain signed by the older CA).
- ROX-30278: The `admissionControl.dynamic.timeout` configuration parameter of the secured-cluster-services Helm chart is not user-configurable anymore. Its value is set to `10`. [This is currently behind the ROX_ADMISSION_CONTROLLER_CONFIG feature flag, but the plan is to enable it for 4.9.]
- ROX-30279: The `admissionControl.listenOn*` fields of the SecuredCluster CRD are deprecated.
- ROX-30279: The `admissionControl.contactImageScanners` field of the SecuredCluster CRD is deprecated.
- ROX-30279: The `admissionControl.timeoutSeconds` field of the SecuredCluster CRD is deprecated.
- ROX-30278: The `admissionControl.dynamic.enforceOn*` configuration parameters of the secured-cluster-services Helm chart are deprecated and are now ignored. Please use the high-level parameter `admissionControl.enforce` instead. Enforce is now enabled by default.
- ROX-29994: Removed the following `roxctl sensor generate` options that had been marked as deprecated since 4.7 and prior:
  - --create-admission-controller
  - --admission-controller-enabled
  - --slim-collector
- ROX-30278: The `admissionControl.listenOn*` configuration parameters of the secured-cluster-services Helm chart are not user-configurable anymore. Their values are all set to `true` (except for OpenShift 3, where `listenOnEvents` remains disabled). [This is currently behind the ROX_ADMISSION_CONTROLLER_CONFIG feature flag, but the plan is to enable it for 4.9.]
- ROX-30278: The `admissionControl.dynamic.scanInline` configuration parameter of the secured-cluster-services Helm chart is not user-configurable anymore. Its value is set to `true`. [This is currently behind the ROX_ADMISSION_CONTROLLER_CONFIG feature flag, but the plan is to enable it for 4.9.]
- ROX-30170: The following `roxctl sensor generate` options have been marked as deprecated. Using them has no effect:
  - --admission-controller-enforce-on-creates
  - --admission-controller-enforce-on-updates
  - --admission-controller-listen-on-creates
  - --admission-controller-listen-on-updates
  - --admission-controller-listen-on-events
  - --admission-controller-timeout
- The current hierarchical implementation for defining Collections is deprecated and will be replaced by a more comprehensive search-based definition in the future.
- The manifest install method is now deprecated and will be removed in the future. Manifest install is currently done using the `roxctl {central,sensor,scanner} generate` command line utility, or by choosing the "Legacy installation method" in the UI. Users should switch to Operator or Helm installation.
- All GraphQL endpoints are now deprecated and will be removed in the future. The endpoints were created to support the ACS UI; all other uses are unsupported.
- ROX-29793: Accessing the Compliance menus (OpenShift Coverage and OpenShift Schedules) and API endpoints (`/v2/compliance/*`) now additionally requires read permissions for the `Cluster` resource.
- ROX-30136: Autogenerated image integration TLS check results will now be cached to speed up Central event processing. The env var `ROX_SENSOR_REGISTRY_TLS_CHECK_CACHE_TTL` has been renamed to `ROX_REGISTRY_TLS_CHECK_CACHE_TTL` and can be applied to Central and/or Sensor to change the cache TTL. The 15 minute default remains the same.
- ROX-30602: Enhanced sensor component message processing with an asynchronous queuing system to improve the reliability and performance of sensor-central communication. Each sensor component now processes messages from Central in dedicated queues with configurable buffer sizes. The new environment variable `ROX_REQUESTS_CHANNEL_BUFFER_SIZE` controls the buffer size for messages from Central before dropping occurs. New metrics have been added for monitoring sensor components:
  - `rox_sensor_component_process_message_duration_seconds`: tracks processing time for messages from Central in each sensor component
  - `rox_sensor_component_queue_operations_total`: tracks operations on component buffer queues
  - `rox_sensor_component_process_message_errors_total`: tracks processing errors in each sensor component (note: it will not be published until an error occurs)
- ROX-30729: Allow spinning up a Sensitive File Activity monitoring agent via the `ROX_SENSITIVE_FILE_ACTIVITY` env var. The agent itself is in dev preview and is not supposed to be used in production in this version.
- ROX-31365: Fixed an issue that could cause DB connection exhaustion when many Sensors try to reconnect at the same time.
HELM USERS: Please see ROX-27622 under "technical changes" to avoid upgrade failures!
- ROX-29152: When using the secured-cluster-services Helm chart for new installations, StackRox Scanner and Scanner V4 will be installed unless explicitly disabled (opt-out). For upgrades using the new chart version, scanners continue to not be installed by default (opt-in).
- ROX-13493: Support for scale subresource in the admission controller to enable policy detection and enforcement on admission review requests on the scale subresource.
- RHPF-98: Log creation of API token. The token creation log message will trigger an administration event.
- ROX-28716: New policy criterion "Days Since CVE Was Published" to allow creation of a policy that offers a grace period to teams to fix vulnerabilities within the number of days from when the CVE was published in the vulnerability feeds.
- ROX-28296: Support for an OpenShift reencrypt route to expose Central (`central.exposure.route.reencrypt.enabled: true`).
- ROX-28153: Support for Cosign keyless signing and verification of image signatures.
- ROX-28306: When using the central-services Helm chart for new installations, Scanner V4 will be installed unless explicitly disabled (opt-out). For upgrades using the new chart version, Scanner V4 continues to not be installed by default (opt-in).
- ROX-28655: When managing a Central installation using the operator
- Scanner V4 will be installed for new installations unless explicitly disabled (opt-out) and
- Scanner V4 will remain not installed for upgrades unless explicitly enabled (opt-in).
- ROX-29151: When managing a SecuredCluster installation using the operator
- Scanner V4 will be installed for new installations unless explicitly disabled (opt-out) and
- Scanner V4 will remain not installed for upgrades unless explicitly enabled (opt-in).
- ROX-27443: Scanner V4 now has the ability to only show vulnerability data from Red Hat security data sources for official Red Hat container images found in the Red Hat Container Catalog when the environment variable `ROX_SCANNER_V4_RED_HAT_LAYERS_RED_HAT_VULNS_ONLY` is set in Scanner V4 Matcher.
  - Currently, those who use Scanner V4 will see vulnerability data from various sources for all layers in their images. This may lead to confusion when users scan official Red Hat images or images based on official Red Hat images: Scanner V4 claims the images contain vulnerabilities which the official Red Hat CVE pages claim do not exist in the same image.
- This arises from non-RPM content in official Red Hat container images, such as Go binaries in OpenShift images.
- When the variable is set, Scanner V4 will continue to show non-RPM content in official Red Hat container images but will no longer output vulnerabilities from non-Red Hat security data sources for these images.
- ROX-25570: The data model for image based CVEs has been denormalized.
  - This will result in far more consistent results, as one image scan will no longer overwrite CVE data of a previous image scan.
  - `ROX_FLATTEN_CVE_DATA` can be set to false to use the old normalized data model.
- ROX-27696: ROX_EXTERNAL_IPS feature flag enabled by default. Note: Collector will still need to be configured for external IPs for this to have an effect.
- ROX-28263: New `roxctl` help formatting.
- ROX-24500: Certificate validation failure in `roxctl` is now an error.
- ROX-27885: Aligned data in old Compliance across tables and widgets.
- ROX-28574: Fixed a Sensor race condition that would occasionally disable delegated scanning when Sensor reconnected to Central.
- ROX-27622: Moved the `SecurityPolicy` CRD to the template directory in the Helm chart. All Helm users will need to take action! No action is needed for users that use the operator or `roxctl` to install StackRox. This change makes the CRD simpler to maintain for users because it will now be automatically upgraded. To avoid upgrade failure, Helm users need to apply the following changes to the CRD prior to upgrade:

  ```
  kubectl annotate crd/securitypolicies.config.stackrox.io meta.helm.sh/release-name=stackrox-central-services
  kubectl annotate crd/securitypolicies.config.stackrox.io meta.helm.sh/release-namespace=stackrox
  kubectl label crd/securitypolicies.config.stackrox.io app.kubernetes.io/managed-by=Helm
  ```

  The above values will need to be updated to match your release name (i.e. "stackrox-central-services") or namespace (i.e. "stackrox") in case you had used different ones.
- ROX-29232: When reading docker config pull secrets from K8s, Sensor will ignore entries containing invalid UTF8 characters.
- ROX-22597: The S3 backup integration has been migrated to the AWS Go SDK v2. GCS buckets are not supported anymore by the S3 integration type, as announced in 4.5.0; users should use dedicated GCS integrations for these.
- The scoping of Google image integrations by project is now optional.
- ROX-29074: The default output of `roxctl image scan` when using the `--output` flag will now include three new fields by default: CVSS, Advisory, and Advisory Link (the exact names depend on the specific output format).
  - CVSS represents the CVSS score of the vulnerability.
- The Advisory and Advisory Link fields represent the advisory related to the vulnerability, if it exists and is tracked by StackRox.
- A typical example is a CVE's associated RHSA (Red Hat Security Advisory), if the CVE is related to a Red Hat product.
- ROX-26847: RHCOS Node Scanning with Scanner V4
- ROX-27719: is now enabled by default on all secured clusters and will be preferred over the Stackrox Scanner if Scanner V4 is installed and connected to Central.
- ROX-25625: can now detect vulnerabilities for the containerized image of the RHCOS itself.
- ROX-26849: uses report caching to avoid repeated IO load on the nodes.
- ROX-25638: Introduce configurable log rotation. The `ROX_LOGGING_MAX_ROTATION_FILES` and `ROX_LOGGING_MAX_SIZE_MB` variables allow configuring the number and the size of Central log rotation files.
- ROX-14332: Automatic service certificate renewal for Secured Clusters installed using Helm or the operator.
- Scanner V4 adds support for openSUSE Leap 15.5 and 15.6.
- ROX-26088: Introduced Cluster Registration Secrets (CRS) as a successor to init bundles for registering Secured Clusters.
- ROX-24052: Tech Preview - SBOMs can now be generated from Scanner V4 image scans via the UI, CLI (`roxctl image sbom`), and API (`/api/v1/images/sbom`). Only scans executed via Central are supported; delegated scans will be supported in a future release. This feature can be disabled by setting `ROX_SBOM_GENERATION` to `false`.
- ROX-21529: Short-lived token authentication for Azure integrations with Azure workload or managed identities.
- ROX-23735: Distinct autogenerated image integrations will now be created for the OCP global pull secret (the "pull-secret" secret in the "openshift-config" namespace). This can be disabled by setting `ROX_AUTOGENERATE_GLOBAL_PULLSEC_REGISTRIES` to `false` on Central and Sensor.
- Scanner V4 drops support for openSUSE Leap 15.0 and 15.1
- ROX-18384: Slim Mode for Collector has been removed following deprecation in 4.5. Any clusters configured to use slim mode will be converted to use regular Collector images.
- The RELATED_IMAGE_COLLECTOR_SLIM and RELATED_IMAGE_COLLECTOR_FULL environment variables have been removed, in favor of RELATED_IMAGE_COLLECTOR. Users that set these variables to override Collector images should either use the new environment variable or use other image override mechanisms for their chosen installation method.
- The Azure integration payload in `/v1/imageintegrations` has been changed from `{..., "type": "azure", "docker": {...}}` to `{..., "type": "azure", "azure": {...}}`. The former schema is still supported, but is now considered deprecated. If delegated scanning is used in combination with new or updated Azure image integrations, make sure that both Central and Secured Clusters are upgraded to ACS version >= 4.7.
- Scanner V4 now uses Red Hat's VEX files instead of the CVE map for vulnerability data related to non-RPM content inside of official Red Hat images.
- `ROX_NODE_INDEX_CONTAINER_API` is no longer a valid environment variable to set in the Compliance pod.
  - The node scanner never reached out to the Red Hat Container Catalog, so this variable was never used.
- ROX-27253: Scanner V4 now reads Red Hat's CSAF data to alleviate inconsistent Red Hat advisory (RHSA/RHBA/RHEA) data.
  - Use of this data may be disabled by setting `ROX_SCANNER_V4_RED_HAT_CSAF` to `false` in Scanner V4 Matcher.
- ROX-27916, ROX-27985, ROX-27986: Replace links to docs in the console UI
  - from docs dot openshift dot com
  - to docs dot redhat dot com
- ROX-26763: Identify defunct processes before they induce parsing errors in Collector.
- ROX-25066: Add a new external backup integration for non-AWS S3 compatible providers.
- ROX-25451: The Secured Cluster Auto-Upgrader is now enabled for all kinds of clusters.
- ROX-26124: Added a `--with-database-only` option to the diagnostic bundle download: `roxctl central debug download-diagnostics --with-database-only`.
- ROX-18899: Added Microsoft Sentinel notifier to send alerts and audit logs to Azure Log Analytics Workspace.
- The environment variable `ROX_DEPLOYMENT_ENVVAR_SEARCH` has been removed.
- The environment variable `ROX_DEPLOYMENT_SECRET_SEARCH` has been removed.
- The environment variable `ROX_DEPLOYMENT_VOLUME_SEARCH` has been removed.
- The environment variable `ROX_SECRET_FILE_SEARCH` has been removed.
- The Central PVC stackrox-db will be removed. Existing volumes will be released. Flags for configuring Central attached persistent storage have been removed from roxctl:
  - `roxctl central generate k8s pvc` and `roxctl central generate openshift pvc` no longer have the flags `--name`, `--size`, and `--storage-class`.
  - `roxctl central generate k8s hostpath` and `roxctl central generate openshift hostpath` no longer have the flags `--hostpath`, `--node-selector-key`, and `--node-selector-value`.
- ROX-25677: The format for specifying durations in JSON requests to `v1/nodecves/suppress`, `v1/clustercves/suppress` and `v1/imagecves/suppress` will be restricted to the proto JSON format. Only a numeric value representing seconds (with optional fractional seconds for nanosecond precision) followed by the `s` suffix will be accepted (e.g., "0.300s", "-5400s", or "9900s"). This replaces the current format, which allows a string with a signed sequence of decimal numbers, each with an optional fraction and a unit suffix (e.g., "300ms", "-1.5h", or "2h45m"). The currently valid time units "ns", "us" (or "µs"), "ms", "m", and "h" will no longer be supported.
- ROX-24169: API token authentication has been deprecated by Red Hat OpenShift Cluster Manager. The corresponding cloud source integration now uses service accounts for authentication.
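A client-side normaliser for the ROX-25677 change, written as an added example for these notes (it is not StackRox or roxctl code): it converts the legacy Go-style strings quoted above into the restricted proto JSON form and checks whether a value already conforms. The unit table and the 3/6/9-digit fraction rule are assumptions taken from Go's time.ParseDuration and protobuf's JSON mapping, not from these release notes.

```python
"""Convert legacy Go-style durations to the proto JSON Duration form.

Added example (not StackRox code): the suppress endpoints stop accepting
strings such as "2h45m" and only take "<seconds>s", so a client must
normalise its values before sending them.
"""
import re
from fractions import Fraction

# Seconds per legacy unit, as accepted by Go's time.ParseDuration (assumption).
_LEGACY_UNITS = {
    "ns": Fraction(1, 1_000_000_000),
    "us": Fraction(1, 1_000_000),
    "µs": Fraction(1, 1_000_000),
    "ms": Fraction(1, 1_000),
    "s": Fraction(1),
    "m": Fraction(60),
    "h": Fraction(3600),
}
# One "<number><unit>" component of a legacy duration; "ms" and "ns" are
# listed before the bare "s" and "m" alternatives so they win the match.
_LEGACY_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
# The restricted form: optional sign, whole seconds, optional fraction of
# up to nine digits (nanosecond precision), literal "s".
_PROTO_DURATION = re.compile(r"^-?\d+(?:\.\d{1,9})?s$")


def is_proto_duration(value: str) -> bool:
    """Return True if value already satisfies the restricted format."""
    return _PROTO_DURATION.match(value) is not None


def format_proto_duration(seconds: Fraction) -> str:
    """Render an exact number of seconds as proto JSON ("0.300s", "-5400s")."""
    nanos_total = round(seconds * 1_000_000_000)  # exact until this rounding
    sign = "-" if nanos_total < 0 else ""
    secs, nanos = divmod(abs(nanos_total), 1_000_000_000)
    frac = ""
    if nanos:
        digits = f"{nanos:09d}"
        # protobuf's canonical JSON uses 3, 6 or 9 fractional digits
        for width in (3, 6, 9):
            if set(digits[width:]) <= {"0"}:
                frac = "." + digits[:width]
                break
    return f"{sign}{secs}{frac}s"


def legacy_to_proto_duration(value: str) -> str:
    """Parse a legacy duration ("300ms", "-1.5h", "2h45m") and re-encode it.

    Values already in the new form are valid legacy input too, so they are
    simply normalised. Raises ValueError for anything unparsable.
    """
    body = value.strip()
    negative = body.startswith("-")
    if body[:1] in ("+", "-"):
        body = body[1:]
    total = Fraction(0)
    pos = 0
    while pos < len(body):
        match = _LEGACY_COMPONENT.match(body, pos)
        if match is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        number, unit = match.groups()
        total += Fraction(number) * _LEGACY_UNITS[unit]
        pos = match.end()
    if pos == 0:
        raise ValueError(f"empty duration {value!r}")
    return format_proto_duration(-total if negative else total)


if __name__ == "__main__":
    # The three legacy examples from the release note, plus two extra units.
    for legacy in ("300ms", "-1.5h", "2h45m", "1500us", "9900s"):
        converted = legacy_to_proto_duration(legacy)
        print(f"{legacy:>8} -> {converted:<14} valid={is_proto_duration(converted)}")
```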
- ROX-26669: StackRox Scanner is now deprecated. Users should use Scanner V4, instead, for all image scanning needs. StackRox Scanner is still required for full Node and Orchestrator scanning, though.
- ROX-26670: Google Container Registry integration is now deprecated. Users should use Artifact Registry as a registry replacement and Scanner V4 as a scanner replacement.
- ROX-24897: Sensor will now perform TLS checks lazily during delegated scanning instead of when secrets are first discovered, this should reduce Sensor startup time.
- ROX-23343: The auto-sensing within the Helm charts for detecting OpenShift clusters has been changed to depend on the `project.openshift.io/v1` APIVersion.
- ROX-22701: Prevent deleting default policies through the API.
- ROX-26422: Central will now include the `id` field in alert notifications and API responses.
- ROX-20723: Remove the monorepo substructure under the `ui/` directory and switch from yarn v1 to npm for package management. Use `npm run` in place of `yarn` commands.
- ROX-26306: Increase the minimum Node.js version from `">=18.0.0"` to `"^18.18.0 || >=20.0.0"` for the open source community to run the `make lint` command in the ui directory.
  - Node.js 18.18.0 was released on 2023-09-18
- Node.js 18 moves from Maintenance to End-of-Life status on 2025-04-30
- Node.js 20 moves from Active to Maintenance status on 2024-10-22
- ROX-20578: Sensor will now store pull secrets by secret name and registry host (instead of only registry host). This will reduce Delegated Scanning authentication failures when multiple secrets exist for the same registry within a namespace and more closely aligns with k8s secret handling.
  - Setting `ROX_SENSOR_PULL_SECRETS_BY_NAME` to `false` on Sensor will disable this feature and cause secrets to be stored by only registry host.
- ROX-25981: Scanner V4 now fetches vulnerability data from Red Hat's VEX files instead of Red Hat's OVAL feed for RPMs installed in RHEL-based image containers.
  - Fixed vulnerabilities affecting RHEL-based images are still identified by the respective RHSA, RHBA, or RHEA, by default. They may be identified by CVE, instead, by setting the feature flag `ROX_SCANNER_V4_RED_HAT_CVES` to `true` in Scanner V4 Matcher.
  - This will also apply to vulnerabilities obtained from the CVE map (used for container-first scanning).
- Setting the feature flag will disrupt policies created around RHSAs, as RHSAs will no longer be tracked.
- Scanner V4 now only considers vulnerabilities affecting Red Hat products dated back to 2014.
- Previously when reading Red Hat's OVAL data, the vulnerabilities dated back to pre-2000, but ClairCore only reads back to 2014.
- Scanner V4 DB requires less space for vulnerability data, and its initialization time has improved from about 1 hour on SSD to about 10 minutes.
- ROX-26372: The `ROX_POSTGRES_VM_STATEMENT_TIMEOUT` env var, defaulting to 3 minutes, allows customers to extend the timeout for queries backing VM pages only.
- ROX-26428: Fixed a bug when using delegated scanning where newer image metadata and layers were pulled incorrectly for an older image referenced by tag when the image registry contents had changed since deployment.
- Now the metadata and layers pulled will be based on the digest of the image provided by the container runtime (when available) instead of just the tag.
- ROX-26748: Replaced 'unsafe' characters in the CSV report file name.
- The method of the endpoint `/v2/compliance/scan/configurations/reports/run` has changed from `PUT` to `POST`.
- ROX-23956, ROX-17355: Scanner V4 Indexer will now re-index manifests/images for one of two reasons: (1) upon an Indexer update which knowingly affects manifests/images, or (2) after some random amount of time between 7 and 30 days after indexing.
- This means Scanner V4 Indexer will now pull images from the registry more than just once.
- This will allow image scans to reflect the latest features (for example, we support a new language, we will re-index an image to see if artifacts of the new language exist).
- This will also clean up manifests/Index Reports from Scanner V4 DB which are no longer relevant in the environment or may have previously been indexed incorrectly due to a bug or missing data.
- Any manifests indexed prior to this change will be deleted upon update to this version to ensure any incorrect Index Reports are amended.
  - The interval in which manifests are randomly deleted may be modified via `ROX_SCANNER_V4_MANIFEST_DELETE_INTERVAL_START` (default: 7 days) and `ROX_SCANNER_V4_MANIFEST_DELETE_DURATION` (default: 23 days) in Scanner V4 Indexer.
  - Scanner V4 Indexer periodically checks for expired manifests at the interval specified by `ROX_SCANNER_V4_MANIFEST_GC_INTERVAL` (default: 4 hours).
  - Each GC process only deletes a subset of expired manifests specified by `ROX_SCANNER_V4_MANIFEST_GC_THROTTLE` (default: 100) in Scanner V4 Indexer.
  - Scanner V4 Indexer will also run a periodic "full" GC process at the interval specified by `ROX_SCANNER_V4_FULL_MANIFEST_GC_INTERVAL` (default: 24 hours).
  - Re-indexing may be disabled by setting `ROX_SCANNER_V4_REINDEX` to `false` in the Scanner V4 Indexer.
- Alpine vulnerabilities will now have a link to https://security.alpinelinux.org instead of https://www.cve.org.
- ROX-18689: ACS will qualify the registry (and path) of images from the container runtime when the env var `ROX_UNQUALIFIED_SEARCH_REGISTRIES` is set to `true` on both Central and Sensor.
  - This enables support for CRI-O's unqualified search registries and short name aliases (more info).
- ROX-23852: `roxctl image scan` now has the option to filter by vulnerability severities using the `--severity` flag.
- ROX-22376: Add a new notifier integration to enable notification via email for ACS Cloud Service managed Centrals.
- ROX-24411: `roxctl image scan --output=csv` and `roxctl image scan --output=table` now include the fixed version by default.
- ROX-24173: A new export API `/v1/export/vuln-mgmt/workloads` for workload vulnerabilities has been added. It provides a performant way of exporting both deployments and images in a single query which holds all relevant data for vulnerability management.
- ROX-21768: Scanner V4 may now be configured to return partial Node.js results via `ROX_SCANNER_V4_PARTIAL_NODE_JS_SUPPORT` (default is `false`).
  - Scanner v2 (aka StackRox Scanner) always returned partial results for programming languages, such that only packages with known vulnerabilities were returned. This flag allows users to enable this functionality in Scanner V4 for Node.js only.
- Scanner V4 is out of Tech Preview and is now Generally Available.
- StackRox Scanner (Scanner v2) continues to be the default scanner until a future release, but it is recommended to use Scanner V4 for more accurate image scan results.
- Dropped support for older Helm versions: For rendering the Helm charts stackrox-central-services and stackrox-secured-cluster-services a Helm version >= 3.9.0 is now required.
- The `ROX_SCANNER_V4_NODE_JS_SUPPORT` environment variable is removed.
  - This flag originally allowed users to configure whether Scanner V4 should support Node.js.
  - It is replaced with `ROX_SCANNER_V4_PARTIAL_NODE_JS_SUPPORT`.
- ROX-23155: EBPF collection has been removed. If EBPF is configured, it will be automatically converted to CORE_BPF. forceCollection no longer has an effect.
- The `ROX_CLOUD_CREDENTIALS` feature flag has been removed. Its effect is now enabled by default.
- ROX-23155: Slim/Full Collector images have been deprecated and will be removed in a future release. The two image flavors are now functionally identical (neither contain any kernel drivers.)
- ROX-23155: Kernel support packages and driver download functionality have been deprecated and will be removed in ACS 4.7 or later.
- The field `error` returned for failed API calls has been deprecated, and it will be removed in a future release. Instead of using the `error` field, use the `message` field. The `message` field contains the same information as the `error` field.
- The `/v1/summary/counts` API has been deprecated in 4.5 and will be removed in the future.
- 'Dashboard' view under 'Vulnerability Management' is deprecated and will be removed in a future release. Use 'Workload CVEs', 'Exception Management', 'Platform CVEs', and 'Node CVEs' views instead.
- ROX-25067: The Amazon S3 external backup integration interoperability with Google Cloud Storage has been deprecated. Backups to Google Cloud Storage should be done by using the dedicated Google Cloud Storage external backup integration.
- The fields `grpcCode`, `httpCode`, and `httpStatus` in the returned error for gRPC stream APIs will be removed in the next release. A new field `code` will be added, which should be used instead of `grpcCode`. This change will unify the errors returned for stream and unary requests and simplify error handling. Here is an example of the current error payload:

  ```json
  {
    "error": {
      "grpcCode": 16,
      "httpCode": 401,
      "message": "credentials not found",
      "httpStatus": "Unauthorized",
      "details": []
    }
  }
  ```

  That example error will be returned in the following format with the next release:

  ```json
  {
    "error": {
      "code": 16,
      "message": "credentials not found",
      "details": []
    }
  }
  ```
- ROX-18969: Added a label selector for the caching configuration of secrets and configmaps to the operator.
  - Reduces memory consumption of the operator significantly, especially on large clusters (28% on a fresh OCP cluster).
  - Increases the number of requests sent to the API server to get secrets that are not managed by the operator and don't match the cache label selector.
  - Adds a label `app.stackrox.io/managed-by: operator` to all helm chart resources and secrets created by the operator.
- ROX-22044: Scanner DB is now based on PostgreSQL 15 instead of 12.
  - No migration should be necessary, as the database is not persisted.
- ROX-23953: Nexus and Red Hat registry integrations will now attempt to pull manifest digests by default (via a `HEAD` request to `/v2/<name>/manifests/<reference>`). This can be disabled by setting env `ROX_ATTEMPT_MANIFEST_DIGEST` to `false`.
  - This fixes one scenario that resulted in an `unsupported digest algorithm` error when using Scanner V4.
- ROX-20223: Added a new default policy category called "Zero Trust", and the following default policies have been tagged with the category: "Deployments should have at least one ingress Network Policy" and "Unauthorized Network Flow".
- ROX-20224: Added a new default policy category called "Supply Chain Security", and the following default policies have been tagged with the category: "Images with no scans", "30-day Scan Age", "90-day Image Age", "Required Annotation: Email", "Required Annotation: Owner/Team", "Required Label: Owner/Team" and "Latest tag".
- ROX-21207: All usage of RocksDB has been removed.
- Support to directly upgrade from any ACS version 3.74.x or earlier to version 4.5 has been deprecated. ACS version 3.74.x or earlier MUST be upgraded to version 4.4.x before proceeding to version 4.5 or later.
- ROX-14990: When generating manifests for OpenShift, roxctl now defaults to OpenShift 4.x instead of OpenShift 3.x.
- ROX-17572: Image scans initiated by image watch reprocessing may now be delegated per the delegated scanning config. This can be disabled by setting Central env `ROX_DELEGATE_WATCHED_IMAGE_REPROCESSING` to `false`.
- ROX-24355: Scanner V4 Matcher is capable of performing concurrent vulnerability updates with iterators, bringing down the memory consumption for vulnerability updates from 4GB to 500MB.
- ROX-23714: Populating the initial registry integration repo list (`/v2/_catalog`) will now be done lazily.
  - This should reduce Central startup time in environments with many autogenerated integrations.
- Scanner V4 may now be accessed anonymously for debugging purposes by enabling `ROX_SCANNER_V4_ALLOW_ANONYMOUS_AUTH`.
  - This was already enabled for development builds of StackRox, but now it may be configured for release builds, too.
  - This defaults to `true` for development builds, and `false` for release builds.
- Deployment bundles created with roxctl do not contain PodSecurityPolicies (PSPs) anymore by default. When deploying to pre-1.25 Kubernetes clusters with PSPs enabled, the `--enable-pod-security-policies` flag needs to be specified when invoking roxctl for generating deployment bundles.
- ROX-24725: Enhances Sensor's image scan event handling when `ROX_UNQUALIFIED_SEARCH_REGISTRIES` is `true` so that only one simultaneous scan request is allowed per unique image.
  - Also increases the chances of scan cache hits when multiple names for the same image have been observed.
  - This enhancement is enabled by default when `ROX_UNQUALIFIED_SEARCH_REGISTRIES` is `true` on Sensor; it can be disabled by setting `ROX_SENSOR_SINGLE_SCAN` to `false` on Sensor.
- ROX-21651, ROX-22364, ROX-22365: Further enhancements to the ACS and Compliance Operator integration are now available under the heading "Compliance (2.0)". Updates include improved views by profiles, limited control information and on demand reporting. As part of the enhancements the APIs were updated and the count APIs were removed. This feature remains in Tech Preview.
- ROX-21288: The default timeout setting for ACS' admission controller webhooks has been reduced from 20 seconds to 10 seconds, which will result in an effective timeout within the ValidatingWebhookConfiguration of 12 seconds. This change has been motivated by the fact that OpenShift unconditionally caps webhook timeouts at 13 seconds. On non-OpenShift Kubernetes longer webhook timeouts are supported. Users currently depending on longer timeouts, for example because of enabled inline image scanning within webhooks, might need to specify a longer timeout explicitly, which can be done in the `SecuredCluster` CR (`admissionControl.timeoutSeconds`), in Helm (`admissionControl.dynamic.timeout`) or within a sensor deployment bundle (`ValidatingWebhookConfiguration` manifest within the file `admission-controller.yaml`).
- ROX-20621, ROX-17677, ROX-17678: A new, improved user interface for managing workload, node and platform vulnerabilities is now available under 'Vulnerability Management'.
- ROX-17385: The 'Risk Acceptance' workflow is replaced by 'Exception Management'.
  - Pre-existing deferrals and false positive requests will be migrated to 'Exception Management'.
  - Pre-existing globally snoozed Image CVEs will be migrated to create equivalent approved deferrals under 'Exception Management'.
  - `/v1/cve/requests` APIs (deprecated in 4.3.0) for managing vulnerability exceptions are now replaced with new `/v2/vulnerability-exceptions/` APIs.
- ROX-22251: The ability to snooze Node and Platform CVEs is no longer enabled by default and can be enabled by setting `ROX_VULN_MGMT_LEGACY_SNOOZE` to `true` on Central.
- ROX-24471: Scanner V4 Matcher memory requirements were updated to align with the current consumption (see ROX-24355).
- Customer-provided PostgreSQL databases are now GA.
- ROX-21235: `/api/extensions/certs/backup` added to provide external database consumers a means to back up certs. `--certs-only` flag added to `roxctl central backup` to exercise that endpoint.
- The "Kubernetes Resource Name" policy criteria now supports regex values. Note: the value must be prefixed with "r/" to activate regex matching.
- ROX-22238: `roxctl deployment check` results now contain additional information about the Permission Level and applicable Network Policies for a deployment, if `--cluster` and `--namespace` are provided together with `--verbose`.
- Export APIs have been added for deployments (`/v1/export/deployments`), nodes (`/v1/export/nodes`), pods (`/v1/export/pods`), and images (`/v1/export/images`) as a tech preview. They are much more performant for a full export than their REST counterparts.
- ROX-21950: `roxctl scanner download-db` has been added to help download version-specific offline vulnerability bundles introduced with Scanner V4.
- The new vulnerability scanner named "Scanner V4" has been integrated. At the moment it needs to run side-by-side with the current default scanner named "StackRox Scanner". Installation instructions can be found in the official RHACS documentation.
- ROX-19932: ACS can pull information about available clusters to secure from Red Hat OpenShift Cluster Manager and Paladin Cloud.
- ROX-13367: ACS now supports short-lived token integrations for GCP via workload identity federation and AWS via the Secure Token Service.
- ROX-17382: An enhanced version of the ACS and Compliance Operator integration is now available under the heading "Compliance (2.0)". This feature is in Tech Preview.
- ROX-20100: `Machine access configurations` have been added to provide short-lived access tokens for Central.
- A new image scanner based on ClairCore, Scanner V4, is now available.
  - It is disabled by default, but it is recommended for more accurate image scan results.
- ROX-22505: It is now possible to set up authentication provider claim mappings via UI.
- The API token expiration date can be configured. If no expiration date is specified, the API token will expire in 1 year.
- ROX-18840: Sunburst widgets in the Compliance section have been removed (deprecation announced in version 4.2 release notes).
- The Docker CIS benchmark has been removed as announced in the 4.2 release notes.
- ROX-12982: All custom `stackrox-*` SecurityContextConstraints (SCC) have been replaced with default SCCs (deprecation announced in 4.1 release notes).
- ROX-9156: In Helm and Operator installation modes, references to image pull secrets with certain names are no longer unconditionally added to service accounts. This is done to avoid causing log spam for kubelet due to non-existing secrets.

  References will still be added for backwards compatibility if, during installation or upgrade, the secrets in question are found to actually exist. The names of these special secrets are:
  - for central components: `stackrox`, `stackrox-scanner`,
  - for secured cluster components: `stackrox`, `stackrox-scanner`, `secured-cluster-services-main`, `secured-cluster-services-collector`, `collector-stackrox`.

  We recommend explicitly listing the image pull secrets that are needed, if any:
  - for Helm-based installs: via the `imagePullSecrets.useExisting` Helm value
  - for operator-based installs: via the `spec.imagePullSecrets` field in stackrox custom resources

  This may be necessary in case the Helm chart is applied in an environment where cluster lookup is unavailable (such as a CD pipeline like ArgoCD).
- The following search terms will be disabled in the next release and removed from the deployment context in 2 releases:
  - Environment variable terms that can be removed by setting `ROX_DEPLOYMENT_ENVVAR_SEARCH=false`:
    - Environment Key, Environment Value, Environment Variable Source
  - Volume terms that can be removed by setting `ROX_DEPLOYMENT_VOLUME_SEARCH=false`:
    - Volume Destination, Volume Name, Volume ReadOnly, Volume Source, Volume Type
  - Secret terms that can be removed by setting `ROX_DEPLOYMENT_SECRET_SEARCH=false`:
    - Secret, Secret Path
- The following search terms will be disabled in the next release and removed from the secret context in 2 releases. They can be removed in the current release by setting `ROX_SECRET_FILE_SEARCH=false`:
  - Secret Type, Cert Expiration, Image Pull Secret Registry
- The Helm setting `central.db.persistence.hostPath` for hostPath storage will be deprecated in 2 releases. It is recommended to switch to an alternative persistent storage.
- Users running ACS version 3.74.x or earlier must stop at version 4.4.x before upgrading to 4.5 or later. In version 4.0.0, ACS switched the underlying datastore to PostgreSQL. On an upgrade, data would be automatically migrated to PostgreSQL from the previous store. In 4.5.0 this previous store will no longer be available, thus any existing data will not be migrated over if users jump from 3.74.x directly to 4.5.0. By stopping at any version from 4.0.0 to 4.4.x, users can ensure that the data will be properly migrated.
- StackRox Scanner will no longer receive new features and will be in maintenance mode. Development is now focused on the new Scanner V4.
- Increased default memory request for scanner-db from 200MiB to 512MiB, to prevent OOMs during DB initialization in case of memory pressure on the node.
- ROX-20105: Scanner slim will now read additional CAs from the `additional-ca-sensor` secret.
- ROX-20623: Fixed a bug mistakenly requiring admin access to delegate ad-hoc scan requests to secured clusters.
- ROX-20492: Existing autogenerated integrations will now be deleted on Central startup if `ROX_DISABLE_AUTOGENERATED_REGISTRIES` is `true`.
- `/v1/administration/usage` API endpoint is now considered stable.
- Enforce the existence of the OpenShift monitoring `/metrics` server certificate by requiring the secrets `central-monitoring-tls`/`sensor-monitoring-tls` to exist on start up. This only applies if OpenShift monitoring is enabled.
- Configuration files now specify `ROX_MEMLIMIT` instead of `GOMEMLIMIT`.
  - `ROX_MEMLIMIT` is meant to capture the memory limit of the deployment, so it may adjust the `GOMEMLIMIT` accordingly.
  - `ROX_MEMLIMIT` is not as flexible as `GOMEMLIMIT`. It may only be set to an integer representing a number of bytes.
- ROX-21620: Publish opensource instead of stackrox.io helm charts.
- ROX-20163: Sensor captures runtime events even if it is disconnected from Central.
- ROX-20280: Fixed a bug that prevented users from editing the endpoint of an unauthenticated email notifier. Credentials are still required to change the endpoint if the notifier is not unauthenticated.
- ROX-21729: When deleting a collection that is referenced by other objects such as report configurations, the error message now includes the names of the collection being deleted and its referencing object (report configuration).
- `ROX_SCAN_TIMEOUT` environment variable in Central and Sensor now defaults to 10m instead of 6m.
- ROX-19814: As announced in 4.2, the `/v1/resources` endpoint now requires authenticated access.
- The default policy "systemctl Execution" has been updated to not trigger when the process argument `--version` is used. This does not pose a security issue because the information printed relates to features supported by systemd at build time and not the capabilities of the host OS.
- The default policy "No resource requests or limits specified" has been renamed to "No CPU request or memory limit specified" and now no longer checks CPU limit or memory request. Rather, it only checks whether the CPU request and memory limit are set.
- The `/v1/availableAuthProviders` endpoint will in a future release require authentication and at least READ permission on the `Access` resource. Ensure that any flow interacting with it is authenticated and has the proper permissions going forward.
- ROX-18525, ROX-19158: A new `cluster` flag has been added to the `roxctl` commands and APIs that perform image scans; this enables delegating scans to specific secured clusters on demand.
- ROX-19156: Ad-hoc image scanning is now enabled for images in the OCP integrated registry.
  - RHACS attempts to infer the OCP project name from the image path and utilize the project secrets for registry authentication.
- ROX-19561: A few new environment variables have been introduced in Central. They can be used to rate limit requests and Sensor communications.
  - `ROX_CENTRAL_MAX_INIT_SYNC_SENSORS` restricts the number of Sensors engaged in their initial synchronization process at the same time. It defaults to `0` (unlimited). This synchronization occurs once Sensor establishes a connection with Central. It is recommended to set this limit when a significant number of secured clusters are connected to a single Central instance, to avoid resource exhaustion.
  - `ROX_CENTRAL_RATE_LIMIT_PER_SECOND` functions as a global rate limiter for all requests directed to Central. It defaults to `0` (unlimited). The primary objective of this setting is to serve as a protective measure against Distributed Denial of Service (DDoS) attacks on Central.
  - `ROX_CENTRAL_RATE_LIMIT_THROTTLE_DURATION` specifies the maximum throttle duration when the rate limit is reached. If set to less than 1 second (or 0), requests are immediately rejected. The default value is `10s` (10 seconds).
- ROX-9510: As announced in release 69.0, an empty value for `role.access_scope_id` is not supported anymore for `CreateRole` and `UpdateRole` in `/v1/roles/`. Role creation and update now require passing an identifier referencing a valid access scope in `role.access_scope_id`.
- The UI menu option `Vulnerability Reporting` under `Vulnerability Management (1.0)` has been removed. The new and improved v2 version is available under `Vulnerability Management (2.0)`.
- The `/v1/report` APIs have been removed. Please use the `/v2/reports/` APIs.
- The UI menu option `Vulnerability Management (1.0)` has been deprecated and will be removed in the future. It will be replaced by `Vulnerability Management (2.0)`.
- The `/v1/cve/requests` APIs have been deprecated and will be replaced by `/v2/vulnerability-exceptions/` APIs in the future.
- Vulnerability deferral management for host (node) and platform (cluster) vulnerabilities has been deprecated and will be removed in the future. Once removed, deferrals cannot be created for host and platform vulnerabilities, and the existing exceptions enforced on host and platform vulnerabilities will be reverted. The affected APIs are `/v1/nodecves/suppress`, `/v1/nodecves/unsuppress`, `/v1/clustercves/suppress`, and `/v1/clustercves/unsuppress`.
- Increased the minimum Node.js version to 18.0.0 because 16 reached end of life. This change affects `yarn` commands in the ui folder.
- ROX-19738: Previously, categories passed to the detection service's APIs `v1/detect/build`, `v1/detect/deploy`, `v1/detect/deploy/yaml` were always lower-cased by the backend. This is no longer the case, in order to support custom categories, which are required to be title-cased.
- ROX-14701: Starting from the 4.3.0 release, `roxctl` binaries for `ppc64le` and `s390x` architectures are available for download from `https://mirror.openshift.com/pub/rhacs/assets/<version>/Linux/roxctl-<ppc64le|s390x>` (e.g. https://mirror.openshift.com/pub/rhacs/assets/4.3.0/Linux/roxctl-s390x).
- The experimental API `/v1/product/usage` has been renamed to `/v1/administration/usage`.
- ROX-19566: The results of registry TLS checks made by Sensor are now cached (for 15 minutes by default, which can be changed by setting the `ROX_SENSOR_REGISTRY_TLS_CHECK_CACHE_TTL` environment variable). This will result in faster Sensor startup times in clusters with a large number of pull secrets.
- Risk reprocessing has been shifted from being potentially computed every 15 seconds to every 10 minutes. This will improve system performance by debouncing expensive risk calculations.
- ROX-20303: Fixed a bug that may have incorrectly matched an image to an image integration during scanning.
- ROX-20288: A new environment variable `ROX_AUDIT_LOG_WITHOUT_PERMISSIONS` has been added to Central (defaults to `false`). When set to `true`, audit log messages will not contain the detailed permissions of the user associated with the request. Instead, only the associated role names will be there. Enabling this will lower the verbosity of the audit log messages, but investigating the permissions of a requester might be harder (i.e. the associated role would have to be known at the time of the request). Thus, it is generally not recommended to set this to `true`.
- ROX-18978: The default policy "Iptables Executed in Privileged Container" has been renamed to "Iptables or nftables Executed in Privileged Container" and now also detects the `nft` process which is used by nftables.
- Telemetry collection enabled by default for self-managed installations. Opt-out is available on bundle generation, or at any time via the System Configuration UI.
- Integration with OpenShift Container Platform monitoring is configured and enabled by default for OpenShift 4 installations. The flag `monitoring.openshift.enabled: false` disables the integration.
- A new environment variable `ROX_DISABLE_REGISTRY_REPO_LIST` has been added to Central (defaults to `false`). When set to `true`, it disables registry repo list (`/v2/_catalog`) usage when matching integrations to image registries.
- A new environment variable `ROX_REGISTRY_MIRRORING_ENABLED` has been added to Sensor that is set to `true` by default and enables processing registry mirrors during Sensor image enrichment. Mirror details are obtained via the `ImageContentSourcePolicy`, `ImageDigestMirrorSet`, and `ImageTagMirrorSet` CRs.
- ROX-17112: CORE_BPF collection is now generally available.
- ROX-17702: Product usage metrics experimental API: `/v1/product/usage/secured-units/current`, `/v1/product/usage/secured-units/max`. New `/api/product/usage/secured-units/csv` endpoint.
- ROX-19096, ROX-19098, ROX-19099: StackRox Scanner now supports alpine:v3.18, debian:12, ubuntu:23.04, ubuntu:23.10.
- The `--offline-mode` flag for the `roxctl scanner generate` command was removed, as Scanner's default behavior is to fetch vulnerability updates from Central.
- In version 4.0, RHACS released the collections feature that replaced access scopes used in report configurations. RHACS automatically created equivalent collections for access scopes used in existing report configurations and migrated report configurations to use the newly-created collections. If the migration failed, the report configurations became non-functional, and RHACS logged the error messages in Central logs. In this release, any report configurations that could not be migrated will be deleted.
- RBAC risk was deprecated in release 4.0 due to poor performance.
- (Tech preview feature) CLI command `roxctl generate netpol` is deprecated in favor of `roxctl netpol generate`.
- (Tech preview feature) CLI command `roxctl connectivity-map` is deprecated in favor of `roxctl netpol connectivity map`.
- The CIS Docker v1.2.0 standard will be removed from RHACS Compliance checks starting in RHACS version 4.4.
- The Syslog notifier used to send the message header incorrectly: the severity and name fields were flipped. Starting in this release, there is now an option to choose which format the header should be sent in: `CEF`, which is the correct order, or `CEF (legacy field order)`, which is the older, incorrect way. The UI will default to `CEF`, but when using the API, if a value isn't selected it will default to `CEF (legacy field order)`. Starting in version 4.4 the notifier will default to `CEF`.
- A few public endpoints will soon require authentication; ensure that any flow interacting with these endpoints is authenticated going forward:
  - `/v1/featureflags`
  - `/v1/resources`
- ROX-16962: A new parameter `spec.admissionControl.replicas` has been added to the `SecuredCluster` CRD.
- ROX-18073: The implementation of the Add Capabilities policy criteria has been fixed to ensure violations are generated correctly for the specified values.
- Rollback to a 3.y release or the 4.0 release will no longer be supported starting from 4.3.
- Rollbacks from future releases to the 4.2 or later release will no longer require `ForceRollbackVersion` to be set.
- ROX-18173: A few previously public endpoints now require authentication: `/v1/metadata`, `/v1/database/status`, `/v1/mitreattackvectors`. This reduces the surface for DoS attacks and prevents an attacker from taking advantage of the information served by these endpoints.
- Non-autogenerated image integrations will no longer use the repo list (`/v2/_catalog`) during matching.
- ROX-18477: Fixed an issue that breaks operator installations if a `Central` or `SecuredCluster` CR configures egress proxy environment variables while the OpenShift cluster-wide proxy is enabled.
- ROX-15969: The column `Component Upgrade` in vulnerability reports has been renamed to `CVE Fixed In`.
- The removal of the `/v1/report` APIs in this release, which was communicated in release 4.0.0, has been postponed by one release. Consequently, the `/v1/report` APIs will continue to be available in this release.
- The `/api/docs/swagger` API previously required read on the resource `Integration`. Now it only requires users to be authenticated to view the API docs.
- StackRox Scanner will now opt to scan the image whose architecture matches the Scanner's architecture instead of always opting for amd64 when scanning a multi-arch image.
  - For example, if StackRox Scanner is running on arm64, and there is an arm64 version of the multi-arch image, it will scan that arm64 image.
  - If there is no image which matches Scanner's architecture, then it will attempt to scan the amd64 version, as it did previously.
- Two new default permission sets `Vulnerability Management Consumer` and `Vulnerability Management Admin` have been added for vulnerability management. `Vulnerability Management Consumer` provides read-only access to analyze vulnerabilities and initiate the risk acceptance process. `Vulnerability Management Admin` provides administrative access to analyze vulnerabilities, generate reports, and manage the risk acceptance process.
- A default role `Network Graph Viewer` has been added that provides sufficient privileges to display network graphs.
- A new command `roxctl central login` has been added that allows using a user's token within roxctl instead of an API token or admin password.
- ROX-15447: A new `DelegatedRegistryConfig` API at `/v1/delegatedregistryconfig` has been added that provides dynamic configuration for local registry scanning (replaces `ROX_FORCE_LOCAL_IMAGE_SCANNING`).
- A new environment variable `ROX_DISABLE_SIGNATURE_FETCHING` has been added to Central and Sensor which stops fetching image signatures in case the signature verification feature is not going to be used. You may set this in case there's too much load on registries due to attempts to fetch image signatures. Note that if the environment variable is set, no signatures will be fetched and thus the signature verification feature cannot be used.
- ROX-16532: Resource limits and requests for the node-inventory container can now be configured via the operator.
- A new environment variable `ROX_SCAN_TIMEOUT` has been added to Sensor which allows customizing the image scan timeout used in Sensor-initiated scans.
- ROX-17365: A new environment variable `ROX_DELEGATED_SCANNING_DISABLED` has been added that disables delegated scanning capabilities while leaving other local scanning capabilities intact.
- ROX-16703: Helm setting `scanner.disable=false` is now valid for any secured cluster (instead of OpenShift only). This enables scanner slim to be installed in non-OCP secured clusters.
- ROX-14398: As announced in 3.74, the permission `Access` replaces the deprecated permission `Role`.
- ROX-14398: As announced in 3.74, the `Scope Manager` system role and permission set will be removed. If existing product installations have customer references to either the `Scope Manager` system role or the `Scope Manager` system permission set, then the referenced object will be adjusted to contain a description mentioning its deprecation. Furthermore, the objects will not be marked as system resources, and will not be supported anymore.
- ROX-17031: env var `ROX_FORCE_LOCAL_IMAGE_SCANNING` has been removed and replaced by the `DelegatedRegistryConfig` API.
- ROX-13888: As announced in 3.74, the permission `WorkflowAdministration` replaces the deprecated permissions `VulnerabilityReports` and `Policy`.
- KernelModule collection has been removed, following deprecation in 4.0.
  - Secured clusters configured to use KernelModule collection will automatically switch to EBPF.
- Vulnerability Management 1.0 sections Image CVEs, Image Components, Images, Deployments, and Namespaces are deprecated and will be removed in the future. Once removed, use Vulnerability Management 2.0 for managing workload vulnerabilities.
- Custom Security Context Constraints (SCC) (e.g. `stackrox-collector`, `stackrox-admission-control`, `stackrox-sensor`) are deprecated and will be removed in the future. Users should ensure that those SCCs are not being used by workloads other than StackRox/RHACS.
- The default permission set `Vulnerability Management Approver` is deprecated and will be removed in a future release. Customers are advised to use the `Vulnerability Management Admin` permission set instead. When the `Vulnerability Management Approver` permission set is removed, existing roles using it will be updated to use `Vulnerability Management Admin`.
- The default permission set `Vulnerability Management Requester` is deprecated and will be removed in a future release. Customers are advised to use the `Vulnerability Management Consumer` permission set instead. When the `Vulnerability Management Requester` permission set is removed, existing roles using it will be updated to use `Vulnerability Management Consumer`.
- The default permission set `Vulnerability Report Creator` is deprecated and will be removed in a future release. Customers are advised to use the `Vulnerability Management Admin` permission set instead. When the `Vulnerability Report Creator` permission set is removed, existing roles using it will be updated to use `Vulnerability Management Admin`.
- `/v1/imagecves/suppress` and `/v1/imagecves/unsuppress` APIs, used to defer image vulnerabilities globally and undo deferral, are deprecated and will be removed in a future release. Once removed, use the Risk Acceptance workflow to defer image vulnerabilities globally.
- The Central PVC stackrox-db is no longer required after this upgrade. To retire the existing PVC, please check the docs online.
- The output of `roxctl central whoami` now includes the username as well.
- Helm setting `collector.nodeInventoryResources` has been renamed to `collector.nodeScanningResources`.
- ROX-16959: Helm setting `admissionController.replicas` has been added to configure admission controller replicas.
- The k8s-istio.zip file inside of scanner-vuln-updates.zip (the file downloaded from https://install.stackrox.io/scanner/scanner-vuln-updates.zip for updating Scanner vulnerabilities in offline-mode) is no longer needed. We will continue to populate it to support older versions of the product, but it will be ignored.
- The time interval used to determine the frequency to scan orchestrator-level components (Kubernetes, OpenShift, Istio) is now configurable via `ROX_ORCHESTRATOR_VULN_SCAN_INTERVAL`.
- Image Integrations will now be synced with secured clusters that have local scanning enabled.
- ROX-15102: new `public_config.telemetry` boolean property of the `/v1/config` endpoint request that allows querying the state, enabling or disabling the configured telemetry collection.
- ROX-10818: vulnerability scanning of node components installed through RPM on OpenShift cluster nodes running Core OS (RHCOS).
- ROX-15434: new `ROX_FORCE_LOCAL_IMAGE_SCANNING` env var added to sensor which forces all images observed by sensor to be analyzed by the local scanner (OCP only).
- ROX-11268: new ListeningEndpointsService at `/v1/listening_endpoints/deployment` reports which processes are listening on which ports.
- ROX-14336: product `BuildDate` attribute was removed. It won't be returned by the `/debug/versions.json` endpoint and the `roxctl version --json` command.
- ROX-12750: As announced in 3.73.0 (ROX-11101), some permissions for permission sets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions.
  - Permission `Administration` replaces the deprecated permissions `AllComments`, `Config`, `DebugLogs`, `NetworkGraphConfig`, `ProbeUpload`, `ScannerBundle`, `ScannerDefinitions`, `SensorUpgradeConfig`, `ServiceIdentity`.
  - Permission `Compliance` replaces the deprecated permission `ComplianceRuns`.
- Deprecated `/v1/telemetry/configure` service.
- The `expiration` field in the `Exclusion` proto has been deprecated and will be removed in a future release.
- The `--offline-mode` flag for the `roxctl scanner generate` command is deprecated, as Scanner's default behavior is to fetch vulnerability updates from Central. The flag will be removed as part of the 4.2.0 release.
- ROX-15925: The KernelModule collection method is deprecated in favor of EBPF. This method will be removed in the 4.1 release.
- Deprecated v1.0 of Network Graph. Please switch to the new 2.0 version for improved functionality and a better user experience.
- ROX-15337: RHACS Operator is not published to Red Hat Operator Catalogs for OpenShift versions 4.9 and earlier.
- The API endpoint `/v1/serviceaccounts` is deprecated and will be changed as part of the 4.2.0 release.
- PDF export in the current version of the Vulnerability Management UI is deprecated and will be removed in the 4.2.0 release. Use the vuln reporting feature instead, for more comprehensive CSV data.
- All `/v1/report` APIs for creating and managing vulnerability reports are deprecated and will be replaced with new `/v2/reports` APIs in the 4.2.0 release.
- The `Analyst` permission set will change behaviour: instead of allowing read to all resources except `DebugLogs`, it will allow read to all resources except `Administration`. If you were using the `Analyst` role or permission set for actions requiring read on `AllComments`, `Config`, `NetworkGraphConfig`, `ProbeUpload`, `ScannerBundle`, `ScannerDefinitions`, `SensorUpgradeConfig` or `ServiceIdentity` resources, you should preemptively create a new permission set with read access on the `Administration` and other required resources, and reference it instead of `Analyst` in the created roles.
- Active Vulnerability Management has been moved behind the ROX_ACTIVE_VULN_MGMT flag and has been defaulted to false due to performance. If Active Vulnerability Management is desired, a user may set this flag to true and it will be reactivated; however, it is recommended to increase the memory limit of Central.
- ROX-14251: StackRox now uses IMDSv2 to retrieve AWS metadata instead of IMDSv1.
- ROX-12750: The `Analyst` permission set, which used to have read access on all permissions except the now deprecated `DebugLogs` permission, now has read access to all permissions except `Administration`.
- The default resources for Sensor have moved to a request of 2 cores, 4GB of RAM and a limit of 4 cores, 8GB of RAM in order to support a higher number of clusters without modification.
- ROX-14280: ACS operator default channel changes from `latest` to `stable`. Users of older versions must follow the upgrade procedure in order to preserve ACS data in case of issues with the upgrade.
- ROX-14917: Helm charts versioning scheme changed. Previously the product version (Major).(Minor).(Patch) was rendered to the Helm chart version (Minor).(Patch).0, e.g. 3.74.2 -> 74.2.0. The new versioning scheme maps product version (Major).(Minor).(Patch) to the Helm chart version as (Major*100).(Minor).(Patch), e.g. 4.0.2 -> 400.0.2.
- ROX-13814: A new "Public Kubernetes Registry" image integration is now available as a replacement for the (now deprecated) "Public Kubernetes GCR" image integration.
- ROX-12316: As announced in 3.72, the permission `Cluster` replaces the deprecated permission `ClusterCVE`.
- ROX-13535: Built-in documentation link now redirects to the online version.
- The `docs` image and the embedded documentation have been removed from the product.
- ROX-12620: We continue to simplify access control management by grouping some permissions in permission sets. As a result:
  - The permission `WorkflowAdministration` will deprecate the permissions `Policy`, `VulnerabilityReports`.
- ROX-14398: We continue to simplify access control management by grouping some permissions in permission sets. As a result:
  - The permission `Access` will deprecate the permission `Role`.
  - The default role `Scope Manager` will be removed.
- ROX-14400: The product `BuildDate` attribute is deprecated and will be removed in the 4.0 release. It won't be returned by the `/debug/versions.json` endpoint and the `roxctl version --json` command.
- The permission `WorkflowAdministration` will replace `Policy`, `VulnerabilityReports` in permission sets starting with the 4.1 release. You should preemptively start replacing the `Policy` and `VulnerabilityReports` resources within your permission sets in favor of `WorkflowAdministration`. During the migration of the permission sets within the 4.1, the `WorkflowAdministration` permission will have the lowest access permission granted for either `Policy` or `VulnerabilityReports`. As an example, a permission set with `WRITE Policy` and `READ VulnerabilityReports` access will have `READ WorkflowAdministration` access after the migration within the 4.1 release, leading to potentially unwanted side-effects and missing access if you did not update your permission sets beforehand.
- The permission `Access` will replace `Role` in permission sets starting with the 4.1 release. You should preemptively start replacing the `Role` resource within your permission sets in favor of `Access`. During the migration of the permission sets within the 4.1, the `Access` permission will have the lowest access permission granted for either `Access` or `Role`. As an example, a permission set with `READ Access` and `WRITE Role` will have `READ Access` after the migration, leading to potentially unwanted side-effects and missing access if the permission sets were not updated beforehand.
- The default `ScopeManager` role will be removed starting with release 4.1. During the migration, Authentication provider rules referencing that role will be updated to use the `None` role. Should Authentication Provider rules reference the `ScopeManager` role for other purposes than Vulnerability Report management, a similar role should be manually created and referenced in the Authentication provider rules instead of `ScopeManager`.
- ROX-13814: The "Public Kubernetes GCR" image integration is now deprecated in line with upstream.
- ROX-12967: Re-introduce `rpm` to the main image in order to be able to parse installed packages on RHCOS nodes (from the Compliance container).
- The 3.74.z set of releases will be the last major release in the 3.x series. The next release will be 4.0.
- Postgres will become the backing database as of 4.0.
- Restoring a backup taken on a 3.y release will no longer be supported starting from 4.1.
- The stackrox-db PVC will no longer be used starting from 4.1. All users must upgrade from a 3.y release to 4.0 prior to upgrading to a later release in order to properly migrate to Postgres.
3.73.0 introduced a change to ACS autogenerated image integration workflows. However, this change in workflow caused Central to take too long on startup (details here). To fix the issue introduced in 3.73.0, 3.73.1 will reinstate the old workflow. Therefore, autogenerated integrations may not work successfully in environments with various credentials used for multiple repos within a global registry.
- ROX-12839: we will stop shipping the docs embedded in the product, starting with the release following this one (docs will still be available online)
- ROX-6194: `ROX_WHITELIST_GENERATION_DURATION` env var is removed in favor of `ROX_BASELINE_GENERATION_DURATION`; `DeploymentWithProcessInfo` items in the `/v1/deploymentswithprocessinfo` endpoint response do not include `whitelist_statuses` anymore.
- `Label` and `Annotation` search options are removed. Use the following search options:

  | Resource | Deprecated Search Option | New Search Option |
  | --- | --- | --- |
  | Node | Label | Node Label |
  | Node | Annotation | Node Annotation |
  | Namespace | Label | Namespace Label |
  | Deployment | Label | Deployment Label |
  | ServiceAccount | Label | Service Account Label |
  | ServiceAccount | Annotation | Service Account Annotation |
  | K8sRole | Label | Role Label |
  | K8sRole | Annotation | Role Annotation |
  | K8sRoleBinding | Label | Role Binding Label |
  | K8sRoleBinding | Annotation | Role Binding Annotation |
- `ids` field in `/v1/cves/suppress` and `/v1/cves/unsuppress` API payload renamed to `cves`.
- ROX-11592: Support for Get / Update / Mutate / Remove of groups via the `props` field and without the `props.id` field being set in the `/v1/groups` endpoint has been removed.
- The unused "ComplianceRunSchedule" resource has been removed.
- ROX-11101: As announced in 3.71.0 (ROX-8520), some permissions for permission sets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions.
  - Permission `Access` replaces the deprecated permissions `AuthProvider`, `Group`, `Licenses`, `User`.
  - Permission `DeploymentExtension` replaces the deprecated permissions `Indicator`, `NetworkBaseline`, `ProcessWhitelist`, `Risk`.
  - Permission `Integration` replaces the deprecated permissions `APIToken`, `BackupPlugins`, `ImageIntegration`, `Notifier`, `SignatureIntegration`.
  - Permission `Image` replaces the deprecated permission `ImageComponent`.
  - Note: the `Role` permission, previously announced as being grouped under `Access`, remains a standalone permission.
  - Important: As stated above, the access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions. This can impact the ability of some created roles to perform their intended duty. Consolidation of the mapping from replaced resources to new ones can help assess the desired access level, should any issue be experienced.
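A pre-upgrade check for the permission grouping described in the ROX-11101 entry above and in the 4.1 `WorkflowAdministration` / `Access` entries, written here as an added Go example (not StackRox's own migration code): it applies the lowest-access rule to a permission set and reports every resource whose access drops. The `Access` type and its level names are constructed for this example; it assumes only resources a set actually lists take part in the minimum, since the entries do not say how an unlisted deprecated resource is treated.

```go
package main

import (
	"fmt"
	"sort"
)

// Access is a per-resource access level in a permission set, ordered so that a
// smaller value grants less; NoAccess is the zero value. The type and names are
// constructed for this example, not the product's own types.
type Access int

const (
	NoAccess Access = iota
	ReadAccess
	ReadWriteAccess
)

func (a Access) String() string {
	switch a {
	case ReadAccess:
		return "READ"
	case ReadWriteAccess:
		return "WRITE"
	}
	return "NONE"
}

// Replacements maps each deprecated resource to the resource that replaces it,
// as listed in the 3.72 (ROX-11101) and 4.1 (ROX-12620, ROX-14398) entries.
var Replacements = map[string]string{
	"AuthProvider": "Access", "Group": "Access", "Licenses": "Access", "User": "Access",
	"Role": "Access",
	"Indicator": "DeploymentExtension", "NetworkBaseline": "DeploymentExtension",
	"ProcessWhitelist": "DeploymentExtension", "Risk": "DeploymentExtension",
	"APIToken": "Integration", "BackupPlugins": "Integration", "ImageIntegration": "Integration",
	"Notifier": "Integration", "SignatureIntegration": "Integration",
	"ImageComponent": "Image",
	"Policy": "WorkflowAdministration", "VulnerabilityReports": "WorkflowAdministration",
}

// Migrate applies the grouping rule: each replacing resource ends up with the
// lowest level among the deprecated resources folded into it and, when the set
// already lists the replacing resource, that level too (the "lowest of either
// Access or Role" case). Assumption of this example: only resources the set
// actually lists take part in the minimum.
func Migrate(ps map[string]Access, repl map[string]string) map[string]Access {
	out := make(map[string]Access, len(ps))
	for res, lvl := range ps {
		if _, deprecated := repl[res]; !deprecated {
			out[res] = lvl // resources not being replaced carry over unchanged
		}
	}
	groups := map[string][]string{} // replacing resource -> deprecated resources
	for old, target := range repl {
		groups[target] = append(groups[target], old)
	}
	for target, olds := range groups {
		lvl, relevant := ps[target]
		if !relevant {
			lvl = ReadWriteAccess // identity element for the minimum
		}
		for _, old := range olds {
			if l, ok := ps[old]; ok {
				relevant = true
				if l < lvl {
					lvl = l
				}
			}
		}
		if relevant {
			out[target] = lvl
		}
	}
	return out
}

// AccessLost lists every resource of the original set whose effective level
// drops after migration: the check the entries ask administrators to run before
// upgrading, so the replacing resource can be widened beforehand.
func AccessLost(ps, migrated map[string]Access, repl map[string]string) []string {
	var lost []string
	for res, lvl := range ps {
		target, ok := repl[res]
		if !ok {
			target = res
		}
		if migrated[target] < lvl {
			lost = append(lost, fmt.Sprintf("%s %s -> %s %s", lvl, res, migrated[target], target))
		}
	}
	sort.Strings(lost) // map iteration order is random; keep the report stable
	return lost
}

func main() {
	// Constructed permission set matching the worked example in the 4.1 entry.
	ps := map[string]Access{"Policy": ReadWriteAccess, "VulnerabilityReports": ReadAccess, "Image": ReadAccess}
	migrated := Migrate(ps, Replacements)
	fmt.Println("migrated:", migrated)
	for _, l := range AccessLost(ps, migrated, Replacements) {
		fmt.Println("access lost:", l)
	}
}
```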
- ROX-13034: Central now reaches out to Scanner at `scanner.<namespace>.svc` to respect OpenShift's `NO_PROXY` configuration.
- ROX-11101: As first announced in 3.71.0 for ROX-8250, we continue to simplify access control management by grouping some permissions in permission sets. As a result:
  - New permission `Administration` will deprecate the permissions `AllComments`, `Config`, `DebugLogs`, `NetworkGraphConfig`, `ProbeUpload`, `ScannerBundle`, `ScannerDefinitions`, `SensorUpgradeConfig`, `ServiceIdentity`.
  - The permission `Compliance` will deprecate the permission `ComplianceRuns`.
- ROX-11937: The Splunk integration now processes all additional standards of the compliance operator (ocp4-cis & ocp4-cis-node) correctly.
- ROX-9342: Sensor no longer uses the `anyuid` Security Context Constraint (SCC). The default SCC for sensor is now `restricted[-v2]` or `stackrox-sensor` depending on the settings. Both the `runAsUser` and `fsGroup` for the admission-control and sensor deployments are no longer hardcoded to 4000 on OpenShift clusters to allow using the `restricted` and `restricted-v2` SCCs.
- The service account "central", which is used by the central deployment, will now include `get` and `list` access to the following resources in the namespace where central is deployed to: `pods`, `events`, and `namespaces`. This fixes an issue when generating diagnostic bundles to now correctly include all relevant information within the namespace of central.
- ROX-13265: Fix missing rationale and remediation texts for default policy "Deployments should have at least one ingress Network Policy"
- ROX-13500: Previously, deployment YAML check on V1 CronJob workload would cause Central to panic. This is now fixed.
- `cves.ids` field of `storage.VulnerabilityRequest` object, which is in the response of `VulnerabilityRequestService` (`/v1/cve/requests/`) endpoints, has been renamed to `cves.cves`.
- ROX-13347: Vulnerability reporting scopes specifying cluster and/or namespace names now perform exact matches on those entities, as opposed to the erroneous prefix match.
- ROX-11784: The `RenamePolicyCategory` and `DeletePolicyCategory` methods in the `v1/policycategories` endpoint have been removed.
- Support for violation tags and process tags has been removed.
- ROX-11284: Permission `ClusterCVE` is deprecated and will be superseded by the existing permission `Cluster`.
- `Label` and `Annotation` search options are deprecated and will be removed in 3.73. Use the following search options starting 3.73:

  | Resource | Deprecated Search Option | New Search Option |
  | --- | --- | --- |
  | Node | Label | Node Label |
  | Node | Annotation | Node Annotation |
  | Namespace | Label | Namespace Label |
  | Deployment | Label | Deployment Label |
  | ServiceAccount | Label | Service Account Label |
  | ServiceAccount | Annotation | Service Account Annotation |
  | K8sRole | Label | Role Label |
  | K8sRole | Annotation | Role Annotation |
  | K8sRoleBinding | Label | Role Binding Label |
  | K8sRoleBinding | Annotation | Role Binding Annotation |
- ROX-11181: Any clusters that have been unhealthy (defined as central being unable to reach sensor running on those clusters) for a configured period of time will be automatically removed. The number of days after which an 'unhealthy' cluster is removed can be configured in the System Configuration page or using the cluster API.
- Any cluster that is expected to be unavailable for a period of time (e.g. clusters used in disaster recovery), can be tagged with a customizable label. Clusters with those labels will never be removed automatically.
- By default, this unhealthy cluster removal is disabled (number of days set to 0)
- ROX-7591: Policy `Fixable CVSS >= 6 and Privileged` disabled by default on new installations, new policy `Severity Important and Privileged` added and enabled by default.
- ROX-11348: The email notifier now allows for unauthenticated SMTP. By default, authentication is still required for an email notifier, but the user can now choose to turn it off.
- Previously, the syslog integration did not respect a configured TCP proxy. This is now fixed.
- The default technique used by string expression searches will be to match any substring in a future release. Currently, string search uses a prefix matching technique in most cases.
- ROX-9484: When integrating a Quay registry you can now optionally use a robot account instead of just OAuth tokens. In fact, this is Quay's recommended integration credential. However, integration with the Quay scanner still requires an OAuth token.
- The `init-db` init-container for ScannerDB now specifies resource requests/limits which match the `db` container in ScannerDB.
- Starting 3.73, the CSV export API `/api/vm/export/csv` will require passing a `CVE Type` filter as part of the input query parameter. Requests that do not have the filter will error out.
  - Examples: `CVE Type:NODE_CVE`, `CVE Type:IMAGE_CVE`, `CVE Type:K8S_CVE`
- ROX-8051: The default collection method is changed from KernelModule to eBPF, following improved eBPF performance in collector.
- ROX-11070: There have been changes made to the `v1/groups` API, including a deprecation:
  - Each group will now have a new field, `props.id`, which uniquely identifies it.
  - Get / Update / Mutate / Remove of groups via the `props` field and without the `props.id` field being set is deprecated and will be removed in release 3.73.
  - Get of groups via the `props` field and without the `props.id` field being set will fail if more than one group was found for the given `props` field.
- ROX-11349: Updated rationale and remediation texts for default policy "Deployments should have at least one ingress Network Policy"
- ROX-11443: The default value for the `--include-snoozed` option of the `roxctl image scan` command is set to `false`. The result of `roxctl image scan` execution without the `--include-snoozed` flag will not include deferred CVEs anymore.
- ROX-9292: The default expiration time of tokens issued by auth providers has been lowered to 12 hours.
- ROX-9760: The deployment tab on violation detail now contains a list of network policies in the deployment's namespace.
- ROX-9358: The diagnostic bundle includes notifiers, auth providers and auth provider groups, access control roles with attached permission set and access scope, and system configuration. Users with `DebugLogs` permission will be able to read listed entities from a generated diagnostic bundle regardless of their respective permissions.
- ROX-10819: The documentation for API v1/notifiers ("GetNotifiers") previously stated that the request could be filtered by name or type. This is incorrect as this API never allowed filtering. The documentation has been fixed to reflect that.
- ROX-9614: Add `file` query parameter to Central's `/api/extensions/scannerdefinitions`, allowing retrieval of individual files (not directories) from Scanner's Definition bundle using their full path within the archive. Add `sensorEndpoint` to Scanner's configmap, so Scanner in slim mode knows how to reach Sensor from its cluster.
- ROX-9928: Policy "OpenShift: Advanced Cluster Security Central Admin Secret Accessed" renamed to "OpenShift: Central Admin Secret Accessed"
- ROX-8277: changed UserAgent Header for all requests from stackrox operator to kubernetes API server to show appropriate version of the operator, for example: `rhacs-operator/v3.70.0 opensource (linux/amd64)`
- `ids` field in `/v1/cves/suppress` and `/v1/cves/unsuppress` API payload will be renamed to `cves` in 73.0 release.
- `cves.ids` field of `storage.VulnerabilityRequest` object, which is in the response of `VulnerabilityRequestService` endpoints, will be renamed to `cves.cves` in 73.0 release.
- ROX-8520: Permissions for permission sets will be grouped for simplification. As a result, the following permissions will be deprecated in favor of a new permission:
  - New permission `Access` will deprecate the permissions `AuthPlugin`, `AuthProvider`, `Group`, `Licenses`, `Role`, `User`.
  - New permission `DeploymentExtension` will deprecate the permissions `Indicator`, `NetworkBaseline`, `ProcessWhitelist`, `Risk`.
  - New permission `Integration` will deprecate the permissions `APIToken`, `BackupPlugins`, `ImageIntegration`, `Notifier`, `SignatureIntegration`. Each deprecated permission will be removed in a future release.
- Permission `ImageComponent` is deprecated and will be superseded by the existing permission `Image`. Similar to the permission changes introduced with ROX-8520, `ImageComponent` will be removed in a future release.
- /v1/telemetry and /v1/licenses endpoints, and related CLI functionality, are now deprecated and will be removed in 2 releases.
  - These endpoints are deprecated as license files are not required to run the platform
- `firstNodeOccurrence` field of `storage.Node` object, which is in the response of Node endpoints, has been removed.
- `vulns` field of `storage.Node` object, which is in the response payload of `v1/nodes`, is deprecated and will be removed in a future release.
- `/v1/cves/suppress` and `/v1/cves/unsuppress` have been deprecated and will be removed in the future.
  - Use `/v1/imagecves/suppress` and `/v1/imagecves/unsuppress` to snooze and unsnooze image vulnerabilities.
  - Use `/v1/nodecves/suppress` and `/v1/nodecves/unsuppress` to snooze and unsnooze node/host vulnerabilities.
  - Use `/v1/clustercves/suppress` and `/v1/clustercves/unsuppress` to snooze and unsnooze platform (k8s, istio, and openshift) vulnerabilities.
- /v1/compliance/results was never implemented and will be removed in this release
- In release 73.0, the /v1/compliance/runresults endpoint will contain a slimmed down version of the ComplianceDomain object. This allows for greater scalability and reduced memory usage.
- When the underlying database changes to Postgres the api `/db/restore` will no longer be a supported means for database restores. At that time using `roxctl` will be the supported mechanism for database restores.
- PodSecurityPolicies can be disabled when generating deployment bundles and when configuring the Helm charts. The Helm charts also support auto-sensing availability of the PodSecurityPolicies API. PodSecurityPolicies must be disabled when deploying to Kubernetes >= v1.25.
- ROX-11533: Fixed preferred node affinity for Central, Sensor and Scanner pods so that OpenShift Infra nodes are favored more than Compute nodes. Match expressions will also prefer not scheduling on Control Plane nodes on both Kubernetes and OpenShift clusters, including kube versions 1.25 and newer.
- ROX-10948: A new default policy added to detect if a deployment is running with a container that has allowPrivilegeEscalation set to true. The policy is enabled by default.
- ROX-10699: A new default policy added to detect if a deployment has any service that is externally exposed through any methods. The policy is disabled by default.
- Scanner's "db" container no longer mounts the "scanner-db-password" secret. Instead, the init container, "init-db", mounts it.
- This means the configuration for the init container has been updated to include "POSTGRES_PASSWORD_FILE" and some volume mounts which are now required.
- Debian 9 has reached EOL, so Scanner now marks Debian 9 images as stale.
- The Debian Security Tracker has also stopped tracking Debian 9 vulnerabilities, so there will be no more new Debian 9 vulnerabilities.
- Support for violation comments and process comments has been removed.
- The default Admission Controller "fail open" timeout has been changed from 3 seconds to 20 seconds in Helm templates.
- The maximum Admission Controller "fail open" timeout has been set at 25 seconds in Helm template verification performed by the Operator.
- This change is not backwards compatible; if an existing Custom Resource sets the value to > 25 seconds, then it will fail validation in case the operator is downgraded. This change is accepted because the operator is still in v1alpha1 and subject to change.
- The admission webhook timeout is now set to the admission controller timeout plus 2 seconds.
- The "Process Ancestor" search term has been deprecated.
- Central will now respond with a 421 Misdirected Request status code to requests where the ServerName sent via TLS SNI does not match the `:authority` (Host) header. This feature can be turned off by setting the environment variable `ROX_ALLOW_MISDIRECTED_REQUESTS=true`.
- Registry integrations for ECR are now auto-generated if the cluster's cloud provider is AWS, and the nodes' Instance IAM Role has policies granting access to ECR. Customers can turn this feature off by disabling the EC2 instance metadata service in their nodes.
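The SNI-to-`:authority` check described above, as an added Go `net/http` middleware (not Central's own implementation) with the `ROX_ALLOW_MISDIRECTED_REQUESTS` opt-out. Assumptions of this example: the Host value is compared without its port and case-insensitively, and a connection that sent no SNI at all is not treated as misdirected.

```go
package main

import (
	"net"
	"net/http"
	"os"
	"strings"
)

// hostWithoutPort strips an optional ":port" (and the brackets of an IPv6
// literal) from an HTTP Host / :authority value, so that it can be compared
// with the TLS SNI ServerName, which never carries a port.
func hostWithoutPort(authority string) string {
	if h, _, err := net.SplitHostPort(authority); err == nil {
		return h
	}
	return strings.Trim(authority, "[]")
}

// IsMisdirected reports whether a request whose TLS handshake carried the SNI
// name sni, and whose :authority/Host value is authority, names a different
// host than the one the TLS connection was established for. Assumptions of
// this example: port and letter case are ignored, and a connection that sent
// no SNI (clients omit it for IP literals) is not treated as misdirected.
func IsMisdirected(sni, authority string) bool {
	if sni == "" {
		return false
	}
	return !strings.EqualFold(sni, hostWithoutPort(authority))
}

// StatusFor is the middleware's decision: 421 Misdirected Request when the
// names disagree and the ROX_ALLOW_MISDIRECTED_REQUESTS opt-out is off,
// otherwise 0, meaning the request passes through to the next handler.
func StatusFor(sni, authority string, allowMisdirected bool) int {
	if !allowMisdirected && IsMisdirected(sni, authority) {
		return http.StatusMisdirectedRequest
	}
	return 0
}

// RejectMisdirected wraps next with the check. Plain-HTTP requests
// (r.TLS == nil) carry no SNI and are passed through unchanged.
func RejectMisdirected(next http.Handler, allowMisdirected bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			if code := StatusFor(r.TLS.ServerName, r.Host, allowMisdirected); code != 0 {
				http.Error(w, "TLS SNI does not match the Host header", code)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	allow := strings.EqualFold(os.Getenv("ROX_ALLOW_MISDIRECTED_REQUESTS"), "true")
	h := RejectMisdirected(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("ok\n"))
	}), allow)
	// Placeholder certificate paths; replace with real ones to run locally.
	_ = http.ListenAndServeTLS(":8443", "tls.crt", "tls.key", h)
}
```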
- A new default policy added to detect Spring Cloud Function RCE vulnerability (CVE-2022-22963) and Spring Framework Spring4Shell RCE vulnerability (CVE-2022-22965).
- Fixed permissions checks in the UI that prevented users with certain limited permissions from creating report configurations.
- ROX-8957: A new default policy added to detect missing ingress NetworkPolicy associated with deployments. The policy is disabled by default.
- Two new policy criteria were added to alert on missing ingress or egress NetworkPolicy associations.
- ROX-8789: Change operator catalog format from deprecated SQLite database format to new file-based format.
- ROX-8331: Increase the front-end limit on rendered nodes in the Network Graph from 1100 to 2000
- ROX-9792: Introduced central limit of 2000 nodes in a Network Graph to avoid out-of-memory crashes
- ROX-9946: Fixed default permissions for the default Vuln Reporter role to exclude the modify permission on notifiers, since it is not needed for report creation.
- Added AllowPrivilegeEscalation as a new policy criteria.
- ROX-10038: Removed limit of 10 inclusions and 10 exclusions from policy form
- ROX-10090: Made the username and password optional on the Artifactory integration form
- ROX-10217: Remove format validation from the URL field of the generic webhook integration form
- ROX-9435: Updated dryrun API to generate preview violations for disabled policies
- Support for security policies that do not have a policyVersion or have versions prior to 1.1 will be removed. If you have externally stored older policies, they cannot be imported.
- ROX-10021: RHCOS node support is dropped until major improvements are made in ROX-8944.
- The UI shows the node scanning notes in the same manner as image scanning notes.
- ROX-10097: Updated the base for the docs image from `nginx-118:1-46` to `nginx-120:latest`.
- ROX-10666: `FROM` option will be deprecated from `Disallowed Dockerfile line` policy field and removed in a future release. Any policies containing `Disallowed dockerfile line` policy field with `FROM` option must be updated to remove those policy sections. For more information, please refer to the "Known Issues" section in the Red Hat ACS 3.69 release notes.
- ROX-10270: The `RenamePolicyCategory` and `DeletePolicyCategory` methods in the `v1/policycategories` endpoint have been deprecated, and will be removed in future releases.
  - For questions about this change, please contact the Red Hat support team at support@redhat.com.
- ROX-10018: The policy `OpenShift: Kubeadmin Secret Accessed` will no longer trigger if the request was from the default OpenShift `oauth-apiserver-sa` service account, because this is an expected access pattern for the OpenShift apiserver.
- Violation tags and process tags are deprecated, and will be removed in version 3.72.0.
- Users who do not want to include the RBAC factor in risk calculation can set the "ROX_INCLUDE_RBAC_IN_RISK" environment variable to "false" in the Central deployment spec.
- Kubernetes' PodSecurityPolicy API is deprecated which is why installation of PodSecurityPolicies will be disabled with version 3.71.0.
- A version of Scanner and ScannerDB will be installed in each OpenShift cluster to support images stored in the OpenShift Internal Image Registry.
  - The images are "slimmed" down versions of Scanner and ScannerDB
    - scanner-slim and scanner-db-slim
  - They require the same resources as the normal Scanner and ScannerDB.
- `collector` image with `-slim` image tag is no longer published (`collector-slim`, with the suffix in the image name, will continue to be published).
- `collector-rhel`, `main-rhel`, `scanner-rhel`, and `scanner-db-rhel` images are not published any more. These images were identical to non-rhel ones since version 3.66.
- Increased default Scanner memory limit from 3000 MiB to 4GiB.
- API changes/deprecations:
  - `GetKernelSupportAvailable (GET /v1/clusters-env/kernel-support-available)` is deprecated, use `GetClusterDefaultValues (GET /v1/cluster-defaults)` instead.
  - The following features have been deprecated and will be removed in version 3.71.0:
    - The external authorization plugin for scoped access control will be removed. Please use the existing in-product scoped access control.
    - The Anchore, Tenable, and Docker Trusted Registry integrations will be removed. Please use the ACS Scanner instead as it is more widely supported.
    - Alert and process comments will be removed.
  - `CreateRole` and `UpdateRole` in `/v1/roles/`: `role.access_scope_id` empty value is deprecated, will be set to the unrestricted access scope ID (`io.stackrox.authz.accessscope.unrestricted`) during the adoption period.
  - API endpoint `/api/helm/cluster/add` was deleted as not being used in the product.
- Improved accuracy of active component and vulnerability and presented it with higher confidence.
- Analyzed dependencies between OS components and detected derived active components.
- Added `Active` state to list of components and list of vulnerabilities under Vulnerability Management within the scope of a specific deployment.
- Added `Inactive` state: the component or vulnerability was not run in the specific deployment.
- Added image scope so that the Active State can be determined in the scope of a deployment for a specific image.
- The default gRPC port in Scanner's config map is changed to 8443, as that is what Scanner has actually been defaulting to this whole time.
  - Note: Scanner had been ignoring the default `httpsPort` and `grpcPort` in its config map, as Scanner expected `HTTPSPort` and `GRPCPort` (and `MetricsPort`, if ever specified).
- Scanner now supports Alpine 3.15.
- Scanner now identifies busybox as a base OS.
- It does not find vulnerabilities nor packages, though. It solely identifies busybox as a base OS.
- CVEs in Ubuntu images will no longer link to http://people.ubuntu.com/~ubuntu-security/cve/. Now it links to https://ubuntu.com/security/.
- Setting ROX_DISABLE_AUTOGENERATED_REGISTRIES environment variable to true will ignore all new registry integrations from Sensors
- Vulnerability snoozing and un-snoozing will not impact image and component risk. Furthermore, it will not impact the `Image Vulnerabilities` risk factor for deployments.
- In 3.70, support for security policies that do not have a policyVersion will be removed. Therefore, if you have externally stored older policies (without policyVersion or version prior to 1.1), you must convert them to use policyVersion 1.1. To do this, import the old policies into RHACS and then export them again. You can check the policyVersion field for your stored policies to identify if they need conversion.
- Vulnerability Risk Assessment: Deferral update requests that are in pending state can now be canceled.
- AWS ECR integration supports AssumeRole authentication.
- The default policy to detect Log4Shell vulnerability has been updated to also detect CVE-2021-45046 and the remediation has been updated to reflect the latest guidance by the Apache Logging security team.
- Prior to this release, CVEs could be snoozed using global write access on `Images`. Starting this release, requests to snooze CVEs can be created only using `VulnerabilityManagementRequests` global write access and requests can be approved only using `VulnerabilityManagementApprovals` global write access. Roles with write access on `Images`, created prior to this release, are provided with both the newly added permissions. We recommend updating the roles to only include the least amount of resources required for each role. All new roles must be explicitly supplied with `VulnerabilityManagementRequests` and/or `VulnerabilityManagementApprovals` permissions in order to use CVE snoozing functionality.
- Editing the cluster configuration in the UI is now disabled for Helm-based installations.
- For `roxctl helm output` and `roxctl central generate` added a new flag `--image-defaults` that allows selecting the default registry from which container images will be taken for deploying central and scanner.
- For `roxctl helm output` deprecated flag `--rhacs` in favor of `--image-defaults=rhacs` (using `--rhacs` with `--image-defaults` results in an error).
- Default behavior of `roxctl helm output` results now in using container images from `registry.redhat.io` instead of `stackrox.io`.
- By default, notifications will be sent for every runtime policy violation instead of only the first encountered violation. If this is undesired, setting an environment variable `NOTIFY_EVERY_RUNTIME_EVENT` to `false` will restore the previous behavior. Please note that the environment variable will be removed in a future release, so please notify the ACS team if you have a valid use case.
- Certain ACS images were moved to new repositories:
  - main: from `registry.redhat.io/rh-acs/main` to `registry.redhat.io/advanced-cluster-security/rhacs-main-rhel8`
  - collector: from `registry.redhat.io/rh-acs/collector` (with `-latest` tag) to `registry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8`
  - collector (slim): from `registry.redhat.io/rh-acs/collector` (with `-slim` tag) to `registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8`
  - scanner: from `registry.redhat.io/rh-acs/scanner` to `registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8`
  - scanner-db: from `registry.redhat.io/rh-acs/scanner-db` to `registry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8`
- Tags of `scanner`, `scanner-db`, and `collector` (including slim variant) images are now identical to the tag of the `main` image (same as product version) for the released images. For example, a scanner image for ACS 3.68.0 is now identified as following: `registry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.68.0` and `stackrox.io/scanner:3.68.0`. Please make sure you follow this versioning scheme when upgrading manually. This scheme will be used for all future releases.
- Collector Slim image name and tag have changed. Now the `-slim` is not part of the image tag but part of the image name. This means that the Collector Slim image for the release 3.68.0 is identified as `registry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:3.68.0` and `collector.stackrox.io/collector-slim:3.68.0`.
- A new default policy to detect Log4Shell vulnerability (CVE-2021-44228) has been added.
- When the environment variable `ROX_NETWORK_ACCESS_LOG` for Central is enabled, the logs will now contain the request URI and `X-Forwarded-For` header values. Note: The network access logging feature was introduced in 51.0 and when enabled will cause noisy logging, and hence should be turned on only for the purpose of debugging network connectivity issues.
- Scanner container image `uid:gid` changed to `65534:65534` (user nobody).
- A new default Role called `Scope Manager` has been introduced, to be used to provide users the minimal set of privileges required to create and modify access scopes for the purpose of configuring access control or use in vulnerability reporting.
- The Compliance Operator integration now supports TailoredProfiles.
- Presence of `microdnf` (presence in the image and process execution) is treated as violation of policies `Red Hat Package Manager in Image` and `Red Hat Package Manager Execution` respectively.
- Central is now the only source for Scanner vulnerability updates.
  - Central, instead of Scanner, now queries definitions.stackrox.io in online-mode (determined based on `ROX_OFFLINE_MODE`).
  - `ROX_SCANNER_VULN_UPDATE_INTERVAL` determines the frequency Central should query definitions.stackrox.io, in online-mode. It is defaulted to 5 minutes.
  - Scanner's ConfigMap still has an `updater.interval` field for its own updating frequency, but it no longer has `updater.fetchFromCentral`.
- Users may upload Scanner vulnerability dumps even when we are not in "offline-mode".
  - If we are in online-mode, this vuln dump is used over the Scanner's requested one if it is more recent.
  - K8s and Istio vulns manually uploaded in online-mode are ignored. This is just for Scanner definitions.
- roxctl's `image scan`, `image check` and `deployment check` commands received a usability overhaul, including new output formats `table`, `csv` and `json` for each command. Note: the `csv` and `json` output formats contain breaking changes. The old formats are kept as the default but are marked as deprecated; switch to the new formats in a timely manner.
- In policy exclusions, the deployment name can now be a regex. Earlier, it was an exact string match.
- Behaviour change: the built-in `None` role is no longer taken into account when determining the roles for a user. Therefore users with only the `None` role will be logged out and will not be able to log in, as a valid user must have some role assigned. Logout and login prevention are materialized with HTTP status 401 `Unauthorized` and an error message reporting the lack of a valid role.
- Default system policies `DockerHub NGINX 1.10`, `Shellshock: Multiple CVEs`, and `Heartbleed: CVE-2014-0160` have been deprecated.
- Default system policy deletion is prohibited in fresh installations of 65 or greater. If the initial installation was done in a version lower than 65, default policies can be deleted even after an upgrade to 65 or greater.
- The `Analyst` permission set and corresponding role no longer have the `DebugLogs` permission. The only default role with this permission is the `Admin` role.
- The "Mount Docker Socket" policy has been renamed to "Mount Container Runtime Socket" and now also detects if a deployment mounts the CRI-O socket, on both Kubernetes and OpenShift.
- The policy "Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches" is now disabled by default
- Alpine-based images are now deprecated and all images will be based on UBI. main-rhel will continue to be pushed for consistency.
- Added `central.tolerations`, `scanner.tolerations` and `scanner.dbTolerations` to the `stackrox-central-services` Helm chart.
- Added `sensor.tolerations` and `admission-control.tolerations` to the `stackrox-secured-cluster-services` Helm chart.
- Operator now supports `tolerations` for `Central` and `SecuredCluster`.
- Operator now supports disabling the admin password generation by setting Central's option `adminPasswordGenerationDisabled` to `true`.
- roxctl now supports shell completion for bash, zsh, fish and powershell.
- Added the `roxctl central debug authz-trace` command. It streams built-in authorizer traces for all incoming requests.
- Operator defaults changed for the `SecuredCluster` fields `spec.admissionControl.listenOnCreates` and `spec.admissionControl.listenOnUpdates` from `false` to `true`. This should not affect these settings in existing `SecuredCluster` resource instances where the previous default had already been applied at instance creation (this typically happens when creating the resource from the OpenShift console). In some circumstances (for example if the instance was created without a `spec.admissionControl` section from the CLI), the default might not have been applied: a symptom of this is that the fields are not shown when printing the object. In these cases this update will change the behaviour of the admission controller.
- Scanner no longer supports Oracle Linux.
- Added a component `Active` state to individual components and to the list of components under Vulnerability Management, within the scope of a specific deployment. The Active state can be:
  - `Undetermined`: the component was not detected to be run in the specific deployment.
  - `Active`: the component was run in the specific deployment.
- Starting with 65.0, default system policies' criteria fields are read-only. This applies to all default system policies included in a fresh install of 65.0 and later, and to new default system policies added since 65.0. Policy criteria fields for user-defined policies, created through the 'New' and 'Clone' operations, will continue to be editable.
- The newly added MITRE ATT&CK policy section is read-only for default system policies. The MITRE ATT&CK section for user-defined policies, created through the 'New' and 'Clone' operations, will continue to be editable.
- Alert titles for the PagerDuty, Slack, Microsoft Teams, JIRA and email notifiers now contain the cluster and policy names in addition to the deployment or image name if it exists.
- PagerDuty alerts for violations now include the full alert JSON as a custom detail.
- Message attribute keys for audit log based violation messages shortened to be more readable
- Cluster internal endpoints set to `*.svc` so that they are respected by OpenShift's cluster-wide `noProxy` configuration:
  - `sensor.stackrox` changed to `sensor.stackrox.svc`
  - `central.stackrox` changed to `central.stackrox.svc`
  - `scanner.stackrox` changed to `scanner.stackrox.svc`
  - `scanner-db.stackrox` changed to `scanner-db.stackrox.svc`
- Increased Operator memory requests from 80 MiB to 200 MiB and memory limits from 300 MiB to 1 GiB. The latter is to prevent operator restarts due to OOM on certain deployments.
- Customer advisory: default system policies `DockerHub NGINX 1.10`, `Shellshock: Multiple CVEs`, and `Heartbleed: CVE-2014-0160` will be deprecated starting release 66.0.
- Cluster internal endpoints set to `*.svc` so that they are respected by OpenShift's cluster-wide `noProxy` configuration:
  - `sensor.stackrox` changed to `sensor.stackrox.svc`
  - `central.stackrox` changed to `central.stackrox.svc`
  - `scanner.stackrox` changed to `scanner.stackrox.svc`
  - `scanner-db.stackrox` changed to `scanner-db.stackrox.svc`
- Increased Operator memory requests from 80 MiB to 200 MiB and memory limits from 300 MiB to 1 GiB. The latter is to prevent operator restarts due to OOM on certain deployments.
- Support for BadgerDB is being completely removed. Users running a version less than 48.0 will need to upgrade to 63.0 prior to upgrading to 64.0. All backups taken prior to version 48.0 cannot be restored to 64.0 and newer.
- The `/v1/namespaces` endpoint now accepts pagination query parameters.
- Message attribute keys for audit log based violations changed to use capital case instead of lowercase in API responses.
- On OpenShift, the names of all `SecurityContextConstraints` (SCC) resources are now prefixed with `stackrox-`.
- Cluster internal endpoints set to `*.svc` so that they are respected by OpenShift's cluster-wide `noProxy` configuration:
  - `sensor.stackrox` changed to `sensor.stackrox.svc`
  - `central.stackrox` changed to `central.stackrox.svc`
  - `scanner.stackrox` changed to `scanner.stackrox.svc`
  - `scanner-db.stackrox` changed to `scanner-db.stackrox.svc`
- Increased Operator memory requests from 80 MiB to 200 MiB and memory limits from 300 MiB to 1 GiB. The latter is to prevent operator restarts due to OOM on certain deployments.
- Clusters now can have labels.
- Role is now a combination of a permission set and an optional access scope.
- API changes/deprecations:
  - `AuthService` (`/v1/auth/status`): `user_info.permissions.name` and `user_info.permissions.global_access` are deprecated, use `user_info.roles` instead.
  - `CreateRole` (`POST /v1/roles/{name}`), `UpdateRole` (`PUT /v1/roles/{name}`): specifying `resource_to_access` is disallowed, `permission_set_id` must be provided instead.
  - `GetRoles` (`GET /v1/roles`), `GetRole` (`GET /v1/roles/{name}`): `resource_to_access` is never set, use `permission_set_id` instead.
  - In the GraphQL API, `Role { resourceToAccess: [Label!]! }` is deprecated, use `PermissionSet { resourceToAccess: [Label!]! }` instead.
  - In the GraphQL API, `Role { globalAccess: Access! }` is deprecated with no replacement intended.
- The operator now sets dynamic admission control settings (`enforceOnCreates`, `enforceOnUpdates`) based on `spec.admissionControl.listenOn*` in the `SecuredCluster` resource.
- Cluster internal endpoints set to `*.svc` so that they are respected by OpenShift's cluster-wide `noProxy` configuration:
  - `sensor.stackrox` changed to `sensor.stackrox.svc`
  - `central.stackrox` changed to `central.stackrox.svc`
  - `scanner.stackrox` changed to `scanner.stackrox.svc`
  - `scanner-db.stackrox` changed to `scanner-db.stackrox.svc`
- Increased Operator memory requests from 80 MiB to 200 MiB and memory limits from 300 MiB to 1 GiB. The latter is to prevent operator restarts due to OOM on certain deployments.
- Fixed RHSA-2021:2569, RHSA-2021:2574, RHSA-2021:2575, RHSA-2021:2717, RHBA-2021:2581 in RHEL images.
- Scanner now supports alpine:edge and alpine:3.14.
- Scan results for alpine 3.2 - 3.7 were marked as stale before. It has since become clear that there are still updates to the secdb for these versions, so they are no longer marked stale.
- `ROX_ALERT_RENOTIF_DEBOUNCE_DURATION` can be set to a duration (see https://golang.org/pkg/time/#ParseDuration for the supported syntax). If set, duplicate notifications for deploy-time alerts for the same deployment-policy pair are not sent if the previous alert was resolved more recently than the debounce duration.
- Scanner now supports alpine:edge.
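The debounce rule above in working form. This is an added illustration, not StackRox's own notifier code: the `Debouncer` type, the `ParseDebounceWindow` helper and the deployment/policy IDs in `DemoDebounce` are all constructed for the example. It keys on the deployment-policy pair, parses the environment variable with Go duration syntax as the entry describes, and treats an unset or zero value as "no debounce".

```go
package main

import (
	"fmt"
	"os"
	"time"
)

// alertKey identifies a deploy-time alert by its deployment/policy pair,
// which is the unit the debounce applies to.
type alertKey struct {
	DeploymentID string
	PolicyID     string
}

// Debouncer remembers when the last alert for each pair was resolved and
// suppresses a renotification that arrives within `window` of that time.
// A zero window disables the debounce entirely (the behaviour when the
// environment variable is unset).
type Debouncer struct {
	window   time.Duration
	resolved map[alertKey]time.Time
}

// ParseDebounceWindow parses the value of ROX_ALERT_RENOTIF_DEBOUNCE_DURATION
// using Go duration syntax ("30s", "5m", "1h30m"). Empty means "disabled".
func ParseDebounceWindow(raw string) (time.Duration, error) {
	if raw == "" {
		return 0, nil
	}
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Errorf("invalid ROX_ALERT_RENOTIF_DEBOUNCE_DURATION %q: %w", raw, err)
	}
	if d < 0 {
		return 0, fmt.Errorf("ROX_ALERT_RENOTIF_DEBOUNCE_DURATION must not be negative, got %s", d)
	}
	return d, nil
}

func NewDebouncer(window time.Duration) *Debouncer {
	return &Debouncer{window: window, resolved: make(map[alertKey]time.Time)}
}

// MarkResolved records the resolution time of the previous alert for a pair.
func (d *Debouncer) MarkResolved(k alertKey, at time.Time) {
	d.resolved[k] = at
}

// ShouldNotify reports whether a new alert for the pair, raised at `now`,
// should be sent to the notifiers. Pairs with no recorded resolution, and
// resolutions older than the window, always notify.
func (d *Debouncer) ShouldNotify(k alertKey, now time.Time) bool {
	if d.window <= 0 {
		return true
	}
	last, ok := d.resolved[k]
	if !ok {
		return true
	}
	return now.Sub(last) >= d.window
}

// DemoDebounce walks one constructed deployment/policy pair through
// resolve -> re-alert with a 10 minute window and returns the two decisions:
// the first re-alert (3 minutes later) is suppressed, the second (15 minutes
// later) is sent.
func DemoDebounce() (suppressedAt3m bool, sentAt15m bool) {
	d := NewDebouncer(10 * time.Minute)
	k := alertKey{DeploymentID: "deploy-a", PolicyID: "privileged-container"} // constructed IDs
	resolvedAt := time.Date(2021, 6, 1, 12, 0, 0, 0, time.UTC)
	d.MarkResolved(k, resolvedAt)
	suppressedAt3m = !d.ShouldNotify(k, resolvedAt.Add(3*time.Minute))
	sentAt15m = d.ShouldNotify(k, resolvedAt.Add(15*time.Minute))
	return suppressedAt3m, sentAt15m
}

func main() {
	window, err := ParseDebounceWindow(os.Getenv("ROX_ALERT_RENOTIF_DEBOUNCE_DURATION"))
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	fmt.Printf("configured window: %s\n", window)
	a, b := DemoDebounce()
	fmt.Printf("suppressed at 3m: %v, sent at 15m: %v\n", a, b)
}
```

Run it with `ROX_ALERT_RENOTIF_DEBOUNCE_DURATION=10m` to see the parsed window; a value such as `5 minutes` is rejected because it is not Go duration syntax. Note that the window is measured from the previous alert's resolution time, not from when the previous notification was sent.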
- The `globalAccess` field in roles is no longer supported.
- Policy matching on all fields has been made case-insensitive. For example, if you set "Volume Type" to "hostpath", that will match volumes that are "HostPath".
- Added the ability to make policies based on `Severity` (ROX-6639).
- Added a new default policy (disabled by default) for a `High` alert for fixable CVEs with severity at least Important (includes Important and Critical).
- `roxctl image scan --format {csv,pretty}` results are now sorted by layer and severity instead of layer and CVSS.
- Image risk is now calculated using a score assigned to the Severity Rating, opposed to using the CVSS score. Severity Rating is a more accurate measure of a vulnerability's risk. (ROX-7133)
- CVE Severity levels are now mapped to their respective Red Hat security ratings (https://access.redhat.com/security/updates/classification)
- StackRox Scanner passes Red Hat Scanner Certification.
  - Images based on RHEL base images created after June 2020 will be scanned in a certified manner.
    - These images will say `rhel` as the OS instead of `centos`.
    - Language-related files like JAR (Java) and egg-info (Python) will only be scanned if they are not provided by RPM. To determine if a file is provided by RPM, run `rpm -q --whatprovides <absolute filepath>` in the image.
  - Older RHEL-based images will be scanned the traditional way.
    - These images will continue to say `centos` as the base OS.
- StackRox Scanner now officially supports ubuntu:21.04 images
- Added the `GET /v1/centralhealth/upgradestatus` endpoint to support upgrade rollback.
- Scanner no longer supports RHEL/CentOS 5.
- The default value of the `--json-fail-on-policy-violations` flag of `roxctl image check` changed from `false` to `true`.
- A few CVSS3.1 scores for applicable vulnerabilities were miscalculated, but it has since been fixed.
- Fixed CVE-2021-20305, RHSA-2021:1206 in RHEL scanner images
- Fixed Java package scanning when the package has the word "agent"
- The product no longer requires a license to run. Several license-related functionalities and flags have been removed from the product and related tooling, as well as from the Helm charts.
- Components now have a `Fixed By` field that indicates the version that fixes all the fixable vulnerabilities in the component.
  - Note:
    - It is supported only when StackRox Scanner is used.
    - It is not namespaced to distro.
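How a component-level `Fixed By` value follows from per-CVE fix versions, as an added example rather than Scanner's own implementation: the version that fixes every fixable vulnerability is the highest of the individual fix versions, unfixable CVEs do not contribute, and the comparison has to be segment-wise numeric so that 1.10.0 sorts after 1.2.3. The `Vulnerability` type, `compareVersions`, `ComponentFixedBy` and the sample findings (with placeholder identifiers) are constructed here; the comparator knowingly ignores distro-specific schemes, which is the practical consequence of the "not namespaced to distro" note.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Vulnerability is the subset of a scan result used here: an identifier and
// the component version that fixes it, or "" when no fix is available.
type Vulnerability struct {
	CVE     string
	FixedBy string
}

// splitVersion breaks "1.10.0-3" into ["1","10","0","3"]; dots and dashes
// are treated alike, which is good enough for the plain versions used here.
func splitVersion(v string) []string {
	return strings.FieldsFunc(v, func(r rune) bool { return r == '.' || r == '-' })
}

// compareVersions orders two versions segment by segment, numerically when
// both segments are integers and lexically otherwise, so that 1.10.0 sorts
// after 1.2.3. It returns -1, 0 or 1. Distro-specific schemes (RPM epochs
// and release strings, Debian revisions) are deliberately not handled: the
// Fixed By field is not namespaced to distro, so a cross-distro comparison
// would not be meaningful anyway.
func compareVersions(a, b string) int {
	as, bs := splitVersion(a), splitVersion(b)
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y string
		if i < len(as) {
			x = as[i]
		}
		if i < len(bs) {
			y = bs[i]
		}
		xi, xerr := strconv.Atoi(x)
		yi, yerr := strconv.Atoi(y)
		if xerr == nil && yerr == nil {
			if xi < yi {
				return -1
			}
			if xi > yi {
				return 1
			}
			continue
		}
		if c := strings.Compare(x, y); c != 0 {
			return c
		}
	}
	return 0
}

// ComponentFixedBy returns the smallest version that fixes every fixable
// vulnerability of a component: the maximum of the per-CVE fix versions.
// Unfixable CVEs (empty FixedBy) are skipped; if nothing is fixable the
// result is "".
func ComponentFixedBy(vulns []Vulnerability) string {
	best := ""
	for _, v := range vulns {
		if v.FixedBy == "" {
			continue
		}
		if best == "" || compareVersions(v.FixedBy, best) > 0 {
			best = v.FixedBy
		}
	}
	return best
}

// sampleComponent is a constructed set of findings for one component; the
// identifiers are placeholders, not real advisories.
var sampleComponent = []Vulnerability{
	{CVE: "CVE-EXAMPLE-1", FixedBy: "1.2.3"},
	{CVE: "CVE-EXAMPLE-2", FixedBy: "1.10.0"},
	{CVE: "CVE-EXAMPLE-3", FixedBy: ""}, // no fix available yet
}

func main() {
	fmt.Printf("component Fixed By: %q\n", ComponentFixedBy(sampleComponent))
}
```

A plain string comparison would have reported `1.2.3` for the sample, so the numeric segment handling is the part worth checking when you reproduce this against your own scan output.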
- Added an upgrade rollback function. By default, users may roll back to their previous version if the upgrade fails before Central has started. After services have started, users must explicitly specify the version they are rolling back to in the central config `maintenance.forceRollbackVersion`.
- Added a `central.exposeMonitoring` option to the Central Services Helm chart which, when set to `true`, exposes a `/metrics` endpoint on port 9090.
- The published time for CVEs in RHEL and CentOS images is now populated correctly.
- Secured clusters deployed via Helm with `helmManaged` set to `false` can now be used with cluster init bundles, creating a new cluster within StackRox on the fly. Previously, `helmManaged=false` only worked with certificates that were specific to an existing cluster.
- `roxctl central generate openshift` and `roxctl sensor generate openshift` now accept an `--openshift-version` flag, which can be set to the major version (`3` or `4`) of the OpenShift platform to deploy on. By default, deployment files are generated in a compatibility mode that works on OpenShift 3.11 as well as 4.x. When deploying to a cluster running a recent OpenShift version, set this flag to `4` in order to take advantage of features only supported on OpenShift 4.x.
- Page titles now reflect the URL location of the user within the app in the browser tab and history.
- SAML authentication providers:
  - When using the "Dynamic configuration" option, the `IdP Metadata URL` can now specify a scheme of `https+insecure://` to instruct StackRox to skip TLS validation when fetching the metadata. It is strongly advised to limit the use of this to testing environments.
  - When using the "Static configuration" option, the `IdP Certificate(s) (PEM)` option now supports specifying multiple PEM-encoded certificates.
- When creating a new Role, Namespace and Node have been added to the default minimal access specification.
- Admission Control health status is now available as part of Cluster Health in System Health, and in the Platform Configuration -> Clusters view.
- `roxctl image check` now has a `--json-fail-on-policy-violations` flag. Its current default value is `false`, which preserves the legacy behavior of the `--json` flag: the command does not exit with an error code even if policy violations are present. This default value of `false` is now deprecated and will change in three releases.
- New default policies:
  - Added default policies for Docker CIS checks
    - 4.1
    - 4.4
    - 4.7
    - 5.1
    - 5.7
    - 5.9
    - 5.15
    - 5.16
    - 5.19
    - 5.20
    - 5.21
- Splunk alert events sent to HEC no longer include the policy description, remediation and rationale, in order to allow for more violations underneath the HEC limit.
- The ROX_NETWORK_DETECTION_BASELINE_VIOLATION feature flag is now on by default: a deployment with network flows that are outside of its network baseline can now raise violations.
- New option for `roxctl image check`: `--categories`. Specifying a comma-separated list of categories will only run policies with categories in the specified list.
- The `/v1/metadata` endpoint redacts version information from unauthenticated users.
- API changes/deprecations:
  - `/db/backup` is deprecated; please use `/api/extensions/backup` instead.
  - In the GraphQL API, `ProcessActivityEvent { whitelisted: Boolean! }` is deprecated, use `ProcessActivityEvent { inBaseline: Boolean! }` instead.
  - In the GraphQL schema, the type name `Policy { whitelists: [Whitelist]! }` changes to `Policy { whitelists: [Exclusion]! }`, preserving the existing structure and field names.
  - In the GraphQL API, `Policy { whitelists: [Whitelist]! }` is deprecated, use `Policy { exclusions: [Whitelist]! }` instead.
  - `PolicyService` (`/v1/policies/*`): in all affected responses, `Policy.whitelists` is now always empty, use `Policy.exclusions` instead. This is because the current policy version has been updated to "1.1", which deprecates the `Policy.whitelists` field. All previous policy versions are still accepted as input.
  - Deprecated the `includeCertificates` flag in `/v1/externalbackups/*`. Certificates are included in central backups by default for both new and existing backup configs.
- The admission controller service will be deployed by default in new Kubernetes and OpenShift clusters. The validating webhook configuration for exec and port-forward events is not supported on OpenShift and hence will not be deployed on OpenShift clusters.
- `roxctl image check` now has a `--send-notifications` flag, which sends notifications for build-time alerts to the notifiers configured in each violated policy.
- `roxctl central db backup` is deprecated; please use `roxctl central backup` instead.
- The following roxctl flags have been deprecated for the command `sensor generate`:
  - `--create-admission-controller` (replaced by `--admission-controller-listen-on-creates`)
  - `--admission-controller-enabled` (replaced by `--admission-controller-enforce-on-creates`)
- Added retry flags to `roxctl image scan`, `roxctl image check`, and `roxctl deployment check`:
  - Introduced two new flags, `--retries` and `--retry-delay`, that change how the commands deal with errors.
  - `--retries 3 --retry-delay 2` will retry the command three times on failure with a two second delay between retries.
  - As the default value for `--retries` is 0, the behaviour of the commands is unchanged if the flag is not used.
- Added a new flag `--admission-controller-listen-on-events` to `roxctl sensor generate k8s` and `roxctl sensor generate openshift`, that controls the deployment of the admission controller webhook which listens on Kubernetes events like exec and portforward. The default value is `true` for `roxctl sensor generate k8s` and `false` for `roxctl sensor generate openshift`.
- Added option to backup certificates for central.
- API changes/deprecations:
  - `ProcessWhitelistService` (`/v1/processwhitelists/*`): all `processwhitelists/*` endpoints are deprecated, use `processbaselines/*` instead.
  - `ResolveAlert` (`/v1/alerts/{id}/resolve`): `whitelist` is deprecated, use `add_to_baseline` instead.
  - In the `ListDeploymentsWithProcessInfo` (`/v1/deploymentswithprocessinfo`) response, `deployments.whitelist_statuses` is deprecated, use `deployments.baseline_statuses` instead.
  - The `ROX_WHITELIST_GENERATION_DURATION` environment variable is deprecated, use `ROX_BASELINE_GENERATION_DURATION` instead.
- [Security Advisory] Scanner was not validating Central client certificates, allowing unauthenticated intra-cluster clients to initiate or retrieve scans. This only affects environments without NetworkPolicy enforcement.
- Added ContainerName as one of the policy criteria
- Added support for ubuntu:20.10 in Scanner.
- Added support for distroless images in Scanner.
- UI: fix a browser crash when a port's exposure type is UNSET in the Deployment Details of a Risk side panel (ROX-5864)
- UI: remove "phantom" turndown triangle on Network Flows table rows that have only one bidirectional connection on the same port and protocol
- UI: fix pagination in Vuln Mgmt so that filtering a list by searching will reset the page number to 1 (ROX-5751)
- A new environment variable for Central, `ROX_NETWORK_ACCESS_LOG`, defaulting to false, is available. When set to true, each network request to Central (via API, UI) is logged in the Central logs. Note: when turned on, this environment variable will cause noisy logging, and hence should be turned on only for the purpose of debugging network connectivity issues. Once network connectivity is established, set it back to false immediately to stop logging.
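What the access log looks like once the request URI and `X-Forwarded-For` were added to it in a later release, as an added example and not Central's own logging code: a small `net/http` middleware gated on the environment variable, exercised against a constructed request. The function names, the log line format and the sample addresses are all assumptions made for this example. One security caveat it makes visible: `X-Forwarded-For` is supplied by the client, so it is only trustworthy when Central sits behind a proxy you control; the line therefore records the real peer address next to the header value rather than replacing one with the other.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// accessLogEnabled mirrors the ROX_NETWORK_ACCESS_LOG switch: logging is off
// unless the variable is set to "true".
func accessLogEnabled() bool {
	return strings.EqualFold(os.Getenv("ROX_NETWORK_ACCESS_LOG"), "true")
}

// FormatAccessLine builds the log line for one request. The X-Forwarded-For
// value is client-supplied and is only meaningful behind a trusted proxy, so
// the peer address that actually connected is recorded alongside it.
func FormatAccessLine(method, uri, remoteAddr, xff string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	if xff == "" {
		xff = "-"
	}
	return fmt.Sprintf("access: method=%s uri=%s remote=%s x_forwarded_for=%q", method, uri, host, xff)
}

// withAccessLog wraps a handler and emits one line per request when enabled;
// when disabled it returns the handler untouched, so there is no per-request cost.
func withAccessLog(enabled bool, logger *log.Logger, next http.Handler) http.Handler {
	if !enabled {
		return next
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		logger.Println(FormatAccessLine(r.Method, r.RequestURI, r.RemoteAddr, r.Header.Get("X-Forwarded-For")))
		next.ServeHTTP(w, r)
	})
}

// CaptureAccessLog drives the middleware with a constructed request and
// returns what would have been written to Central's log.
func CaptureAccessLog(enabled bool, xff string) string {
	var buf strings.Builder
	logger := log.New(&buf, "", 0)
	h := withAccessLog(enabled, logger, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/v1/metadata?x=1", nil)
	req.RemoteAddr = "10.0.0.7:51234" // constructed peer address (e.g. an ingress pod)
	if xff != "" {
		req.Header.Set("X-Forwarded-For", xff)
	}
	h.ServeHTTP(httptest.NewRecorder(), req)
	return strings.TrimSpace(buf.String())
}

func main() {
	// Constructed header value: the original client followed by one proxy hop.
	fmt.Println(CaptureAccessLog(accessLogEnabled(), "203.0.113.5, 10.0.0.1"))
}
```

Run with `ROX_NETWORK_ACCESS_LOG=true` to see the line; with the variable unset nothing is printed, which matches the default described above.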
- Added Namespace as one of the policy criteria
- UI: Display full height of Vulnerability Management side panel in Safari (ROX-5771)
- Added a `--force-http1` option to `roxctl` that causes HTTP/2 to be avoided for all outgoing requests. This can be used in case of connectivity issues which are suspected to be due to an ingress or proxy.
- UI: Fix bug where some policy criteria values, with equal signs, are parsed incorrectly (ROX-5767)
- UI: Do not display incomplete process status when Sensor Upgrade is up to date (ROX-5579)
- The minimum number of replicas for the Scanner Horizontal Pod Autoscaler has been set to 2 for better availability.
- The ROX_CONTINUE_UNKNOWN_OS feature flag is on by default in Scanner.
  - Scans done by StackRox Scanner on images whose OS cannot be determined will no longer fail if the image also has feature components. Instead, they will continue and give partial scan results.
    - An example is the `fedora:32` image.
- The default resource limit for Central has been changed to 4 cores. Please see the resource sizing guidelines in the help documentation for finer-grained settings.
- A new policy criteria on "Service Account" has been added which runs policy evaluation against the deployment's service account name.
- Use Red Hat CVSS scores instead of NVD for `rhel` and `centos` based images scanned by StackRox Scanner.
  - CVSS3 is used if it exists, otherwise CVSS2 is used.
- Added support for .NET Core runtime CVEs (data from NVD).
  - This affects images with .NET Core and/or ASP.NET Core runtime(s) installed.
- UI: Update the Network Graph when a different cluster is selected (ROX-5662)
- Support sub-CVEs for RHEAs and RHBAs as well as RHSAs for rhel/centos-based images.
  - Though it is not specified, it is possible for RHEAs and RHBAs to have associated CVEs.
- The default policy "Required Label: Email" has been deprecated starting release 50.0.
- OIDC authentication providers: added support for two rarely-needed configuration options:
  - The `Issuer` can now be prefixed with `https+insecure://` to instruct StackRox to skip TLS validation when talking to the provider endpoints. It is strongly advised to limit the use of this to testing environments.
  - The `Issuer` can now contain a querystring (`?key1=value1&key2=value2`), which will be appended as-is to the authorization endpoint. This can be used to customize the provider's login screen, e.g., by optimizing the GSuite login screen to a specific hosted domain via the `hd` parameter, or to pre-select an authentication method in PingFederate via the `pfidpadapterid` parameter.
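The two `Issuer` options above, and the same `https+insecure://` scheme for the SAML `IdP Metadata URL` in the later release, in working form. This is an added example and not StackRox's provider code: `ParseProviderURL`, `HTTPClient`, `AuthorizationURL` and the `idp.test.example` host are all constructed here. The point it makes is that the insecure scheme must be normalised back to `https://` before use (the `+insecure` suffix is a configuration signal, not a real scheme), that TLS verification is disabled only when that signal is present, and that the query string is detached from the issuer and merged into the authorization endpoint without disturbing the parameters that endpoint already carries.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ProviderEndpoint is the result of interpreting the configured Issuer (OIDC)
// or IdP Metadata URL (SAML).
type ProviderEndpoint struct {
	URL           string     // canonical https:// URL with the query string removed
	SkipTLSVerify bool       // set only for the https+insecure:// scheme
	ExtraQuery    url.Values // parameters carried over to the authorization endpoint
}

const insecureScheme = "https+insecure://"

// ParseProviderURL accepts https:// and https+insecure:// URLs only. The
// insecure scheme is rewritten to https:// with TLS verification switched
// off; any query string is detached so it can be re-attached to the
// provider's authorization endpoint later.
func ParseProviderURL(raw string) (ProviderEndpoint, error) {
	var ep ProviderEndpoint
	if strings.HasPrefix(strings.ToLower(raw), insecureScheme) {
		ep.SkipTLSVerify = true
		raw = "https://" + raw[len(insecureScheme):]
	}
	u, err := url.Parse(raw)
	if err != nil {
		return ProviderEndpoint{}, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return ProviderEndpoint{}, fmt.Errorf("provider URL %q must use https:// or https+insecure://", raw)
	}
	ep.ExtraQuery = u.Query()
	u.RawQuery = ""
	u.Fragment = ""
	ep.URL = u.String()
	return ep, nil
}

// HTTPClient returns the client used to talk to the provider. Verification
// is disabled only when the operator explicitly asked for it via the scheme.
func HTTPClient(ep ProviderEndpoint) *http.Client {
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: ep.SkipTLSVerify}
	return &http.Client{Transport: transport}
}

// AuthorizationURL merges the carried-over parameters into the provider's
// authorization endpoint, keeping whatever parameters it already carries.
func AuthorizationURL(authEndpoint string, extra url.Values) (string, error) {
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	for k, vs := range extra {
		for _, v := range vs {
			q.Add(k, v)
		}
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed configuration: a test IdP with a self-signed certificate,
	// pinning the hosted-domain parameter mentioned above.
	ep, err := ParseProviderURL("https+insecure://idp.test.example/?hd=example.com")
	if err != nil {
		panic(err)
	}
	authURL, _ := AuthorizationURL(ep.URL+"o/oauth2/auth?response_type=code", ep.ExtraQuery)
	fmt.Printf("issuer=%s skipTLSVerify=%v\nauthorize=%s\n", ep.URL, ep.SkipTLSVerify, authURL)
	_ = HTTPClient(ep)
}
```

`url.Values.Encode` sorts parameters by key, so the merged query is canonical rather than byte-for-byte "as-is"; the set of parameters is what the provider sees either way. Plain `http://` issuers are rejected outright, which is the behaviour you want: the only way to weaken transport security is the explicit insecure scheme, and it still keeps the connection encrypted.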
- In the `GetImage` (`/v1/images/{id}`) response, the `vulns` field `discoveredAt` is replaced by `firstSystemOccurrence` starting release 49.0. This field represents the first time the CVE was ever discovered in the system.
- In the `GetImage` (`/v1/images/{id}`) response, a new field `firstImageOccurrence` is added to `vulns`, which represents the first time a CVE was discovered in the respective image.
- The default for the `--create-upgrader-sa` flag has changed to `true` in both the `roxctl sensor generate` and the `roxctl sensor get-bundle` commands. In order to restore the old behavior, you need to explicitly specify `--create-upgrader-sa=false`.
- UI: Hovering over a node in the Network Graph will show that node's listening ports (ROX-5469)
- Fixed an issue on the API docs page where the left menu panel no longer scrolled independently of the main content.
- UI: Added `Scanner` to the image single page in Vuln Mgmt (ROX-5289)
- In the `v1/clusters` response, `status.lastContact` has been deprecated, hence use `healthStatus.lastContact` instead.
- UI: Disable the Next button when required fields are empty in the Cluster form (ROX-5519)
- `roxctl` can now be instructed to generate YAML files with support for Istio-enabled clusters, via the `--istio-support=<istio version>` flag. Istio versions in the range 1.0-1.7 are supported. The flag is available for the commands `roxctl central generate`, `roxctl scanner generate`, `roxctl sensor generate`, and `roxctl sensor get-bundle`. The interactive installer (`roxctl central generate interactive`) will also prompt for this configuration option.
- Support for enforcing policies on DeploymentConfig resources in OpenShift.
- The following deprecated roxctl flags have been removed for the command `sensor generate`:
  - `--admission-controller` (replaced by `--create-admission-controller`)
  - `--image` (replaced by `--main-image-repository`)
  - `--collector-image` (replaced by `--collector-image-repository`)
  - `--runtime` (`--collection-method` is to be used instead)
  - `--monitoring-endpoint`
- UI: Hovering over a namespace edge in the Network Graph will show the ports and protocols for its connections (ROX-5228).
- UI: Hovering over a namespace edge in the Network Graph will show a summary of the directionality of its connections (ROX-5215)
- UI: Hovering over a node edge in the Network Graph will show the ports and protocols for its connection (ROX-5227)
- UI: Platform Configuration > Clusters (ROX-5317)
- add 'Cloud Provider' column
- remove 'Current Sensor version' column
- replace 'Upgrade status' column with 'Sensor Upgrade' and add tooltip which displays 'Sensor version' and 'Central version'
- display cells in 'Sensor Upgrade' columns with same style as adjacent new Cluster Health columns
- UI: Added a toggle in the Network Policy Simulator in Network Graph to exclude ports and protocols (ROX-5248).
- UI: Platform Configuration > Clusters: Make CertificateExpiration look similar to recently improved Sensor Upgrade style and future cluster health style (ROX-5398)
- Red X icon at left of phrase for less than 7 days (for example, in 59 minutes, in 7 hours, in 6 days on Friday)
- Yellow triangle icon at left of phrase for less than 30 days (for example, in 29 days on 7/31/2020)
- Green check icon at left of other phrases (for example, in 1 month on 7/31/2020, in 2 months)
- UI and strings from API: Replace term 'whitelist' with 'excluded scope' in policy context, and 'baseline' in process context (ROX-5315, ROX-5316)
- UI: Deployment Details in the Violations Side Panel now shows full deployment data if available. If not, a message will appear explaining that the deployment no longer exists.
- UI: When selecting a deployment in the Network Graph, the Network Flows table will now show some additional information: traffic, deployment name, namespace name, ports, protocols, connection type (ROX-5219)
- In the `v1/clusters` response, a `healthStatus.lastContact` field is added that represents the last time sensor health was probed (aka last sensor contact). `status.lastContact` will be deprecated starting release 49.0, hence use `healthStatus.lastContact` instead.
- When attempting to scan an image, we now send back error messages under any of the following conditions:
  - no registries integrated
  - no matching registries found
  - no scanners integrated
- In the `GetImage` (`/v1/images/{id}`) response, the `vulns` field `discoveredAt` will be replaced by `firstSystemOccurrence` starting release 49.0. This field represents the first time the CVE was ever discovered in the system.
- Configuration Management tables (except for Controls and Policies) are now paginated through the API, rather than loading all rows into the browser, for better performance in large environments (ROX-5067).
- Added a global flag `--token-file` to roxctl causing an API token to be read from the specified file (ROX-2319).
- Added strict validation for env var policies such that policies with non-raw sources must not specify expected values (ROX-5208). This change introduces a breaking adjustment to the `/v1.PolicyService/PostPolicy` RPC, with existing REST clients remaining unaffected.
- Emit a warning if the default value for flag `--create-upgrader-sa` is used in roxctl (ROX-5264).
- New parameter `default` for flag `--collection-method`.
- UI: Omit Cluster column from Deployments list when entity context includes Namespace (ROX-5207)
- The help output of `roxctl` commands mentions implicit defaults for optional flags.
- UI: Fix a regression, where CSVs for a Compliance standard, or for a Cluster viewed in Compliance, were not scoped to the particular filter (ROX-5179)
- The following command line flags of `roxctl` have been deprecated:
  - Flag `--image` for `roxctl sensor generate`. Use `--main-image-repository` instead.
  - Flag `--collector-image` for `roxctl sensor generate`. Use `--collector-image-repository` instead.
  - Flag `--admission-controller` for `roxctl sensor generate k8s`. Use `--create-admission-controller` instead.

  The old flags are currently still supported but they are scheduled for removal in a future version of `roxctl`.
- UI: Added arrows to indicate directionality (ingress/egress) for Network Graph connections between deployments (ROX-5211).
- UI: Added `Image OS` to the image list and image single page in Vuln Mgmt (ROX-4083).
- Added the ability to make policies based on `Image OS` (ROX-4083).
- `roxctl image scan` and `/v1/image/` no longer return snoozed CVEs as part of their output. The `include-snoozed` command line parameter and the `includeSnoozed` query parameter respectively can be used to include all CVEs.
- The `namespace.metadata.stackrox.io/id` label is now removed in order to better support Terraform cluster management.
- UI: Hovering over a deployment in the Network Graph will show the ports and protocols for its ingress/egress network flows (ROX-5226).
- Adding the annotation `auto-upgrade.stackrox.io/preserve-resources=true` on the `sensor` deployment and the `collector` daemonset will cause the auto-upgrader to preserve any overridden resource requests and limits whenever an upgrade is performed.
- Added the following REST APIs:
  - `PATCH /v1/notifiers/{id}` modifies a given notifier, with optional stored credential reconciliation.
  - `POST /v1/notifiers/test/updated` checks if the given notifier is correctly configured, with optional stored credential reconciliation.
  - `PATCH /v1/scopedaccessctrl/config/{id}` modifies a given scoped access control plugin, with optional stored credential reconciliation.
  - `POST /v1/scopedaccessctrl/test/updated` checks if the given scoped access control plugin is correctly configured, with optional stored credential reconciliation.
  - `PATCH /v1/externalbackups/{id}` modifies a given external backup, with optional stored credential reconciliation.
  - `POST /v1/externalbackups/test/updated` checks if the given external backup is correctly configured, with optional stored credential reconciliation.
- UI: Reset page to 1 when sort fields change (ROX-4267)
- Add a tcp prefix to the spec.Ports.name for the scanner-db service. Istio uses this name for protocol detection.
- Customer advisory: The default policy "Required Label: Email" will be deprecated starting release 48.0
- RocksDB is set as the default DB and completely replaces BadgerDB and replaces a majority of BoltDB. This should make Central significantly more performant. Users may see slowness during startup on initial upgrade as the data is being migrated.
- Added UI to show cluster credential expiry in the cluster page (ROX-5034).
- UI: The deployment event timeline should now visibly group events that would otherwise overlap. The grouped events will show a number in the top right that indicates how many events were grouped. Clicking on the icon will show an interactive tooltip that displays information for each event in a scrollable manner (ROX-5190).
- UI: Under Vulnerability Management, update "Deployment Count" column on policy entity list pages to show failing deployments count instead of all applicable deployments count (ROX-5176).
- StackRox now supports the Garden Linux operating system. Previously, collector pods would enter a crash loop when deployed on Garden Linux nodes.
- Default policies that have been excluded for the kube-system namespace, have now been additionally excluded for the istio-system namespace.
- Default integration added for public Microsoft Container Registry
- Heads up advisory on `roxctl sensor generate k8s` command option changes slated for release in 47.0:
  - The `admission-controller` option will be renamed to `create-admission-controller`
  - The default for `create-upgrader-sa` will change to `true`
  - The default for `collection-method` will change to `KERNEL_MODULE`
  - The deprecated option `runtime` will be removed
  - The `image` option will be renamed to `main-image-repository`
  - The `collector-image` option will be renamed to `collector-image-repository`
  - The `monitoring-endpoint` option, which has already been deprecated, will be removed
- Add CVE Type to CVE list and overview pages (ROX-4482)
- UI: Open API Reference in current Web UI browser tab instead of a new tab and replace Help Center popup menu with two half-height links in left navigation for API Reference and Help Center (ROX-2200)
- UI: Move Images link on VM dashboard out of Applications menu, and into tile like Policies and CVEs link (ROX-5052)
- UI: Add Disable TLS Certificate Validation (Insecure) toggle for JFrog Artifactory registry in Platform Configuration > Integrations > New Integration (ROX-5031)
- UI: Add Disable TLS Certificate Validation (Insecure) toggle for Anchore Scanner, CoreOS Clair (Scanner), and Quay.io (Registry + Scanner) in Platform Configuration > Integrations > New Integration (ROX-5084)
- Added the ability to make secret creation for sensor, collector and admission controller optional when deploying using Helm charts.
- Added native Google Cloud Storage (GCS) external backup. This should now be the preferred way to backup to GCS as opposed to using the S3 integration because S3 upload to GCS is incompatible with large databases.
- The Central and Migrator binaries are now compiled without AVX2 instructions, which fixes an Illegal Instruction issue on older CPUs. SSE4.2 instructions are still used, which means the lowest supported Intel processor is Sandy Bridge (2011) and the lowest supported AMD processor is Bulldozer (2011).
- Previously, a scan for an image that may have been retagged (e.g. using the latest tag) would return a stale scan if it had been previously scanned.
- UI: In Platform Configuration > Integrations: 1. replace "AWS ECR" with "Amazon ECR" and 2. replace "S3" (and "AWS S3" placeholder for Integration Name in New Integration pane) with "Amazon S3" (ROX-4912)
- Docker Registry Integration now doesn't require entering password every time an existing integration is tested or updated (part of ROX-4539).
- UI: Replace `Page 1 of 0` with `Page 1 of 1` for 0 results in table pagination (ROX-1072)
- Added `ExportPolicies` (`POST /v1/policies/export`) API which accepts a list of policy IDs and returns a list of JSON policies
- Added `ImportPolicies` (`POST /v1/policies/import`) API which accepts a JSON list of policies, imports them into your StackRox installation, and returns a list with success/failure details per policy
- Added UI to export a single policy from the policy details on the System Policies page
- Added UI to import a single policy from the System Policies page
- Sensor resource requests and limits have been increased to 1 core / 1GB and 2 cores / 4GB respectively.
- Added User Page in UI to show current User Permissions and Roles
- `roxctl` commands now give users an error message when unexpected arguments are given (ROX-4709)
- UI: In Platform Configuration > Roles and Permissions > Add New Role form: 1. disable the Save button when required Role Name is empty; 2. display `(required)` at the right of the Role Name label with gold warning color if the input box is empty, otherwise with gray color (ROX-1808)
- UI: Increase timeout for Axios-fetch for GraphQL endpoint, to allow Vuln Mgmt pages in large-scale customer environments to load (ROX-4989)
- Detection APIs were not properly handling suppressed CVEs and they were being included in evaluation. This is now resolved.
- Previously, the Scanner deployment did not mount the additional CA secret and thus would fail to scan self-signed registries. This is resolved.
- AWS S3 and AWS ECR integrations now accept an endpoint to work with non public AWS endpoints.
- UI: Fixed the display of the Privileged field when viewing a policy in the Vulnerability Management section (ROX-4752)
- API changes/deprecations related to supporting multiple roles:
  - `GenerateToken` (`/v1/apitokens/generate`): the singular `role` field in the request payload is deprecated; please use the array field `roles`.
  - `GetAPIToken` (`/v1/apitokens/{id}`), `GetAPITokens` (`/v1/apitokens`): the singular `role` field in the response payload is deprecated; please use the array field `roles`.
  - Audit logs: the singular `user.role` field in the audit message payload is deprecated; please use the singular `user.permissions` field for the effective permissions of the user, and the array field `user.roles` for all the individual roles associated with a user.
- The Compliance container within the Collector daemonset now has a hostpath of '/', which is needed to be able to read configuration files anywhere on the host. This requires the allowedHostVolumes within the stackrox-collector PSP to allow '/' to be mounted. For added security, the PSP has set '/' as readonly and the Collector container's docker socket mount has also been set to readonly.
- All `/v1/` API endpoints now support pretty-printing. Make requests with the `?pretty` query parameter to receive pretty-printed JSON responses.
- UI: added "Deployment Name" property in side panel for Deployment Details on Violations and Risk pages.
- UI: In the Risk view, the URL now includes any search filters applied. You can now share the link and see the same filtered view.
- UI: In the Config Management section, fixed a UI crash issue when going from a single image view within containing context, like a single cluster, down to that image's deployments. (ROX-4543)
- UI: In the Platform Configuration -> Clusters view, the text “On the latest version” has been changed to “Up to date with Central version” (ROX-4739).
- `SuppressCVEs` (`/v1/cves/suppress`) endpoint now only supports CVE suppression/snoozing.
- `SuppressCVEs` (`/v1/cves/suppress`) endpoint now supports CVE suppression/snoozing for a specific duration.
- Added `UnsuppressCVEs` (`/v1/cves/unsuppress`) endpoint to support CVE un-suppression/un-snoozing.
- Changed central and sensor's SecurityContextConstraint (SCC) priority to 0 for OpenShift, so that they don't supersede default SCCs.
- Updated RHEL base images from UBI7.7 to UBI8.1
- Added the ability to customize the endpoints exposed by Central via a YAML-based configuration file.
- Added a Required Image Label policy type. Policies of this type will create a violation for any deployment containing images that lack the required label. This policy type uses a regex match on either the key or the key and the value of a label.
- Added a Disallowed Image Label policy type. Policies of this type will create a violation for any deployment containing images with the disallowed label. This policy type uses a regex match on either the key or the key and the value of a label.
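As an added example (not StackRox's own policy engine), the two label policy types above can be evaluated against a deployment's images like this; the `ImageLabelPolicy` and `Image` types, the `io.example.owner` label and the registry names are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// ImageLabelPolicy models the Required and Disallowed Image Label policy types above
// (hypothetical type, not the StackRox policy engine). A label matches when its key matches
// Key and, if Value is set, its value matches Value. Patterns are RE2 and unanchored.
type ImageLabelPolicy struct {
	Required bool           // true: Required Image Label; false: Disallowed Image Label
	Key      *regexp.Regexp // must match the label key
	Value    *regexp.Regexp // nil: match on key only
}

// Image is a constructed stand-in for the image object of a deployment.
type Image struct{ Name string; Labels map[string]string }

// NewImageLabelPolicy compiles both patterns up front so a bad regex is rejected at creation.
func NewImageLabelPolicy(required bool, keyRe, valueRe string) (*ImageLabelPolicy, error) {
	key, err := regexp.Compile(keyRe)
	if err != nil {
		return nil, fmt.Errorf("bad key regex %q: %w", keyRe, err)
	}
	p := &ImageLabelPolicy{Required: required, Key: key}
	if valueRe != "" {
		if p.Value, err = regexp.Compile(valueRe); err != nil {
			return nil, fmt.Errorf("bad value regex %q: %w", valueRe, err)
		}
	}
	return p, nil
}

// Violations returns one message per image that violates the policy: a required label
// that is absent, or a disallowed label that is present.
func (p *ImageLabelPolicy) Violations(deployment string, images []Image) []string {
	var out []string
	for _, img := range images {
		matched := false
		for k, v := range img.Labels {
			if p.Key.MatchString(k) && (p.Value == nil || p.Value.MatchString(v)) {
				matched = true
				break
			}
		}
		if p.Required && !matched {
			out = append(out, fmt.Sprintf("%s: image %s lacks a label matching %s", deployment, img.Name, p.Key))
		} else if !p.Required && matched {
			out = append(out, fmt.Sprintf("%s: image %s carries disallowed label matching %s", deployment, img.Name, p.Key))
		}
	}
	return out
}

func main() {
	// Constructed deployment: one image with an owner label, one without.
	images := []Image{
		{"registry.example/payments-api:1.4.2", map[string]string{"io.example.owner": "payments", "maintainer": "payments-team"}},
		{"registry.example/debug-shell:latest", map[string]string{"maintainer": "unknown"}},
	}
	required, _ := NewImageLabelPolicy(true, `^io\.example\.owner$`, "")
	disallowed, _ := NewImageLabelPolicy(false, `^maintainer$`, `^unknown$`)
	for _, v := range append(required.Violations("checkout", images), disallowed.Violations("checkout", images)...) {
		fmt.Println(v)
	}
}
```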
- Collector images shipped with versions of the StackRox platform prior to this were affected by CVE-2019-5482, CVE-2019-5481 and CVE-2019-5436. The cause was an older version of curl that was vulnerable to buffer overflow and double free vulnerabilities in the FTP handler. We have upgraded curl to a version that does not suffer from these vulnerabilities. The curl program is only used to download new collector modules from a fixed set of URLs that do not make use of FTP, therefore according to our assessment there never existed a risk of an attacker exploiting this vulnerability.
- The `-e`/`--endpoint` argument of `roxctl` now supports URLs as arguments. The path in these URLs must either be empty or `/` (i.e., `https://central.stackrox` and `https://central.stackrox/` are both allowed, while `https://central.stackrox/api` is not). If this format is used, the URL scheme determines whether or not an unencrypted (plaintext) connection is established; if the `--plaintext` flag is used explicitly, its value has to be compatible with the chosen scheme (e.g., specifying an `https://` URL along with `--plaintext` will result in an error, as will an `http://` URL in conjunction with `--plaintext=false`).
- Detection and image enrichment have been moved to the individual Sensor clusters. Sensor will proxy image scan requests through Central and then run detection to generate both runtime and deploytime alerts. These alerts are sent to Central and any enforcement if necessary will be executed by Sensor without a roundtrip to Central.
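The `--endpoint` rules described above, worked through as an added example (not roxctl's own code): `ResolveEndpoint` and `PlaintextFlag` are hypothetical names, and the table of inputs in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// PlaintextFlag models the three states of --plaintext: not given, given as
// --plaintext (or --plaintext=true), and given as --plaintext=false.
type PlaintextFlag int

const (
	PlaintextUnset PlaintextFlag = iota
	PlaintextTrue
	PlaintextFalse
)

// ResolveEndpoint applies the rules from the --endpoint entry above (hypothetical helper,
// not roxctl's own code). A value without a scheme is the legacy host:port form, where only
// the flag decides; a URL must have an empty path or "/", its scheme decides plaintext, and
// an explicit flag must agree. It returns the host[:port] to dial and the plaintext decision.
func ResolveEndpoint(endpoint string, flag PlaintextFlag) (host string, plaintext bool, err error) {
	if !strings.Contains(endpoint, "://") {
		return endpoint, flag == PlaintextTrue, nil
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", false, err
	}
	if u.Path != "" && u.Path != "/" {
		return "", false, fmt.Errorf("endpoint URL %q: path must be empty or /", endpoint)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", false, fmt.Errorf("endpoint URL %q: unsupported scheme %q", endpoint, u.Scheme)
	}
	plaintext = u.Scheme == "http"
	// A contradicting explicit flag is an error rather than silently overridden, so an
	// https:// endpoint cannot be downgraded to plaintext by accident.
	if flag == PlaintextTrue && !plaintext {
		return "", false, errors.New("--plaintext cannot be combined with an https:// endpoint")
	}
	if flag == PlaintextFalse && plaintext {
		return "", false, errors.New("--plaintext=false cannot be combined with an http:// endpoint")
	}
	return u.Host, plaintext, nil
}

func main() {
	cases := []struct {
		endpoint string
		flag     PlaintextFlag
	}{
		{"https://central.stackrox/", PlaintextUnset},
		{"https://central.stackrox/api", PlaintextUnset},
		{"https://central.stackrox", PlaintextTrue},
		{"central.stackrox:443", PlaintextUnset},
	}
	for _, c := range cases {
		host, plaintext, err := ResolveEndpoint(c.endpoint, c.flag)
		fmt.Printf("%-30s flag=%d -> host=%q plaintext=%v err=%v\n", c.endpoint, c.flag, host, plaintext, err)
	}
}
```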
- `roxctl central cert` can be used to download Central's TLS certificate, which is then passed to `roxctl --ca`.
- The Scanner deployment has been split into two separate deployments: Scanner and Scanner DB. The Scanner deployment is now controlled by a Horizontal Pod Autoscaler (HPA) that will automatically scale up the scanner as the number of requests increase.
- Added a feature to report telemetry about a StackRox installation. This will default to off in existing installations and can be enabled through the System Configuration page.
- Added a feature to download a diagnostic bundle. This can be accessed through the System Configuration page or through `roxctl central debug download-diagnostics`.
- A new `ScannerBundle` resource type (for the purposes of StackRox RBAC) is introduced. The resource definition for this is:
  - Read permission: Download the scanner bundle (with `roxctl scanner generate`)
  - Write permission: N/A
- Related to above, `roxctl scanner generate` now requires users to have read permissions to the newly created `ScannerBundle` resource. Previously, this endpoint was accessible to any authenticated user.
- OIDC auth providers now support refresh tokens, in order to keep you logged in beyond the ID token expiration time configured in your identity provider (sometimes only 15 minutes or less). In order to use refresh tokens, a client secret must be specified in the OIDC auth provider configuration.
- UseStartTLS field in the Email notifier configuration has been deprecated in lieu of an enum which supports several different authentication methods
- `roxctl central generate k8s` and `roxctl central generate openshift` no longer contain prompts for the monitoring stack because it is now deprecated
- The scanner v2 preview is now removed
- The scanner's updater now pulls from https://definitions.stackrox.io, and not https://storage.googleapis.com/definitions.stackrox.io/ like it previously would.
- Fixed https://stack-rox.atlassian.net/browse/ROX-3985.
- Collector images shipped with versions of the StackRox platform prior to this were affected by CVE-2017-14062. The cause was an older version of libidn (parsing of internationalized domain names) that was vulnerable due to a possible buffer overflow. We have upgraded libidn to a version that no longer suffers from this vulnerability. Since libidn is only used by curl, and curl is only used to download new collector modules from a fixed set of URLs that do not make use of international domain names, according to our assessment there never existed a risk of an attacker exploiting this vulnerability.
- Added a REST endpoint `/v1/group` that can be used to retrieve a single group by exact property match (cf. ROX-3928).
- Scanner version updated to 2.0.4
- Collector version updated to 3.0.2
- The "NIST 800-190" standard has been renamed to "NIST SP 800-190", for correctness. The ID continues to be the same, so no API calls will need to be updated. Existing data will be preserved and available on upgrade.
- Added a `roxctl sensor get-bundle <cluster-name-or-id>` command to download sensor bundles for existing clusters by name or ID.
- Removed the endpoints `GET /v1/complianceManagement/schedules`, `POST /v1/complianceManagement/schedules`, `POST /v1/complianceManagement/schedules/{schedule_id}`, and `DELETE /v1/complianceManagement/schedules/{schedule_id}`. These were purely experimental and did not function correctly. They were erroneously included in the public API specification.
- All YAML files have been updated to no longer reference the deprecated `extensions/v1beta1` API group. Previously, we used these API versions for deployments, daemonsets and pod security policies. This should have no effect on existing installs, but will mean that new installs can successfully install on Kube 1.16.
- Proxy configuration can now be changed at runtime by editing and applying `proxy-config-secret.yaml` in the cluster where central and scanner run (ROX-3348, #3994, #4127).
- The component object within the image object now contains a field "Source", which indicates how the component was identified. Components derived from package managers will have the type "OS" whereas components derived from language analysis will have the language as the source (e.g. PYTHON).
- Images based on the Red Hat Universal Base Image (UBI) are published in stackrox.io/main-rhel, stackrox.io/scanner-rhel, stackrox.io/scanner-db-rhel and collector.stackrox.io/collector-rhel repositories. These images are functionally equivalent to our regular images and use the same version tags.
- Policy excluded scopes are now shown in the UI. Previously, we only showed excluded deployment names, and not the entire structure that was actually in the policy object. This means that users can now exclude by cluster, namespace and labels using the UI.
- There now exists a `roxctl collector support-packages upload <file>` command, which can be used to upload files from a Collector runtime support package to Central (e.g., kernel modules, eBPF probes). Assuming that Collectors can talk to Sensor, and Sensor can talk to Central, Collectors can then download the files they require at runtime from Central, even if none of the components has access to the internet. Refer to the official documentation or contact StackRox support for information on obtaining a Collector support package.
- The `roxctl image scan` command now has a `--force` flag, which causes Central to re-pull the data from the registry and the scanner.
- Both the `runAsUser` and `fsGroup` for the central deployment are now 4000. This required changes in the pod security policy and the OpenShift Security Context Constraint (SCC) objects. If you are upgrading from a previous version, please refer to the upgrade instructions on how to apply these changes to your existing deployment, pod security policy and OpenShift SCC objects.
- CVEs with a CVSS score of 0 will now be displayed as "Pending" in the UI because it indicates that a CVE is still being analyzed or the CVE has been disputed. The API will continue to return a CVSS score of 0.
- Scopes now include support for Regex on the namespace and label fields including both Policy Scope and Exclusion Scope. The supported Regex syntax can be found here: https://github.com/google/re2/wiki/Syntax.
- The `validated` field in an auth provider is deprecated and will be removed in 3 releases. Please use the `active` field instead.
- RHSA vulnerabilities will now be displayed with the highest CVSS score from the CVEs it references. The referenced CVEs will now also be available. (ROX-3519, ROX-3550; d36f2ccf)
- `GetRisk` (`/v1/risks/{subjectType}/{subjectID}`) endpoint is removed. For obtaining deployment risk, use `GetDeploymentWithRisk` (`/v1/deploymentswithrisk/{id}`). (8844549b)
- The port used for Prometheus metrics can now be customized with the environment variable `ROX_METRICS_PORT`. Supported options include `disabled`, `:port-num` (will bind to wildcard address) and `host_or_addr:port`. IPv6 address literals are supported with brackets, like so: `[2001:db8::1234]:9090`. The default setting is still `:9090`. (ROX-3209)
- The `roxctl sensor generate` and `roxctl scanner generate` subcommands now accept an optional `--output-dir <dir>` flag that can be used to extract the bundle files to a custom directory. (ROX-2529)
- The `roxctl central debug dump` subcommand now accepts an optional `--output-dir <dir>` flag that can be used to specify a custom directory for the debug zip file.
- The format of collector tags changed from `<version>` to `<version>-latest`. This tag references a mutable image in the canonical upstream repository (collector.stackrox.io/collector) that will get updated whenever kernel modules/eBPF probes for new Linux kernel versions become available. This decreases the need to rely on module downloads via the internet. If you configure StackRox to pull collector images from your private registry, you need to configure a periodic mirroring to take advantage of this effect.
- `roxctl` can now talk to Central instances exposed behind a non-gRPC-capable proxy (e.g., AWS ELB/ALB). To support this, requests go through an ephemeral client-side reverse proxy. If you observe any issues with `roxctl` that you suspect might be due to this change, pass the `--direct-grpc` flag to resort to the old connection behavior.
- `roxctl` can now talk to Central instances exposed via plaintext (either directly, or via a plaintext proxy talking to a plaintext or TLS-enabled backend). While we advise against this, this behavior can be enabled via the `--plaintext` flag in conjunction with the `--insecure` flag.
- `roxctl` now has a `--tolerations` flag that is true by default, and can be set to false to disable tolerations for tainted nodes from being added into `sensor.yaml`. If the flag is set to true, collectors will be deployed to and run on all nodes of the cluster.
- Changes to default TLS cert and `htpasswd` secrets (`central-default-tls-cert` and `central-htpasswd`) are now picked up automatically, without needing to restart Central. Note that Kubernetes secret changes may take up to a minute to get propagated to the pod.
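As an added example (not StackRox's own parser), a function that interprets the `ROX_METRICS_PORT` forms documented in the entry above and also reports when the chosen address is the wildcard address, which is the case worth checking before exposing a metrics port; `MetricsListenAddr` is a hypothetical name.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// MetricsListenAddr interprets a ROX_METRICS_PORT value as described in the entry above
// (hypothetical helper, not StackRox's own parser). It returns the address to hand to
// net.Listen, whether the endpoint is enabled at all, and whether it binds the wildcard
// address, which exposes the metrics on every interface of the pod.
func MetricsListenAddr(value string) (addr string, enabled bool, wildcard bool, err error) {
	v := strings.TrimSpace(value)
	switch v {
	case "":
		return ":9090", true, true, nil // unset keeps the documented default
	case "disabled":
		return "", false, false, nil
	}
	// SplitHostPort accepts ":9090", "host:9090" and bracketed IPv6 such as "[2001:db8::1234]:9090".
	host, port, err := net.SplitHostPort(v)
	if err != nil {
		return "", false, false, fmt.Errorf("ROX_METRICS_PORT %q: %w", value, err)
	}
	if p, err := strconv.Atoi(port); err != nil || p < 1 || p > 65535 {
		return "", false, false, fmt.Errorf("ROX_METRICS_PORT %q: invalid port %q", value, port)
	}
	// An empty host means the wildcard address, as do the explicit unspecified addresses.
	wildcard = host == "" || host == "0.0.0.0" || host == "::"
	return net.JoinHostPort(host, port), true, wildcard, nil
}

func main() {
	for _, v := range []string{"", "disabled", ":9090", "127.0.0.1:9091", "[2001:db8::1234]:9090", "9090"} {
		addr, enabled, wildcard, err := MetricsListenAddr(v)
		fmt.Printf("%-24q -> addr=%q enabled=%v wildcard=%v err=%v\n", v, addr, enabled, wildcard, err)
	}
}
```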
- `TriggerRun` (`/v1/complianceManagement/runs`) endpoint is removed. All clients should use `TriggerRuns` (`/v1/compliancemanagement/runs`) to start a compliance run.
- The EmitTimestamp field that was unset in the ProcessIndicator resource has been removed
- Link field is removed from the violation message
- The Prometheus scrape endpoint has been moved from localhost:9090 to :9090 so users can use their own Prometheus installations and pull StackRox metrics.
- UpdatedAt in the deployment object has been corrected to Created
- Reprocessing of deployments and images has been moved to an interval of 4 hours
- Improved user experience for `roxctl central db restore`:
  - Resuming restores is now supported, either after connection interruptions (automatic) or after terminating `roxctl` (manual). In the latter case, resuming is performed automatically by invoking `roxctl` with the same database export file.
  - The `--timeout` flag now specifies the relative time (from the start of the `roxctl` invocation) after which `roxctl` will no longer automatically try to resume restore operations. This does not affect the restore operation on the server side; it can still be resumed by restarting `roxctl` with the same parameters.
  - Restore operations cannot be resumed across restarts of the Central pod. If a restore operation is interrupted, it must be resumed within 24 hours (and before Central restarts), otherwise it will be canceled.
  - `roxctl central db restore status` can be used to inspect the status of the ongoing restore process, if any.
  - `roxctl central db restore cancel` can be used to cancel any ongoing restore process.
  - The `--file` flag is deprecated (but still valid). The preferred invocation now is `roxctl central db restore <file>` instead of `roxctl central db restore --file <file>`. If for any reason the name of the database export file is `status` or `cancel`, insert a `--` in front of the file name, e.g., `roxctl central db restore -- status`.
- `roxctl central db backup` now supports an optional `--output` argument to specify the output location to write the backup to.
- `roxctl sensor generate openshift` can be used to generate sensor bundles for OpenShift clusters from the command line.
- Removed DebugMetrics resource.
- Only users with Admin role can access the `/debug` endpoint. Note: This is also applicable with the authorization plugin for scoped access control enabled.
- Due to the addition of the `roxctl sensor generate openshift` command, the `--admission-controller` flags that are exclusive to Kubernetes (non-OpenShift, `k8s`) clusters must be specified after the `k8s` command. For example, `roxctl sensor generate --admission-controller=true k8s` is no longer a legal invocation; use `roxctl sensor generate k8s --admission-controller=true` instead.
- Queries against time fields involving a duration have now flipped directionality to a more intuitive way. Previously, searching `Image Creation Time: >3h` would show all images created after 3 hours before the current time; now, it shows all images created more than three hours ago -- that is, before the moment in time 3 hours before the current time.
- Removed the `/v1/deployments/metadata/multipliers` API. User defined risk multipliers will no longer be taken into account.
- Installer prompt to configure the size of the external volume for central.
- Prometheus endpoint changed from https://localhost:8443 to http://localhost:9090.
- Scanner is now given certificates, and Central<->Scanner communication secured via mTLS.
- Central CPU Request changed from 1 core to 1.5 cores
- Central Memory Request changed from 2Gi to 4Gi
- Sensor CPU Request changed from .2 cores to .5 cores
- Sensor Memory Request changed from 250Mi to 500Mi
- Sensor CPU Limit changed from .5 cores to 1 core
- Default size of central's PV changed from 10Gi to 100Gi.