Entries in this file should be limited to:
- Any changes that introduce a deprecation in functionality, OR
- Obscure side-effects that are not obviously apparent based on the JIRA associated with the changes. Please avoid adding duplicate information across this changelog and JIRA/doc input pages.
- Dropped support for older Helm versions: For rendering the Helm charts stackrox-central-services and stackrox-secured-cluster-services a Helm version >= 3.9.0 is now required.
- ROX-18969: Added a label selector for the caching configuration of secrets and configmaps to the operator.
- Reduces memory consumption of the operator significantly, especially on large clusters. (28% on a fresh OCP cluster)
- Increases number of requests sent to the API server to get secrets that are not managed by the operator and don't match the cache label selector.
- Adds a label
app.stackrox.io/managed-by: operator
to all helm chart resources and secrets created by the operator
- Customer-provided PostgreSQL databases are now GA
- ROX-21235:
/api/extensions/certs/backup
added to provide external database consumers a means to backup certs.--certs-only
flag added toroxctl central backup
to exercise that endpoint. - The "Kubernetes Resource Name" policy criteria now supports regex values. Note: the value must be prefixed with "r/" to activate regex matching.
- ROX-22238:
roxctl deployment check
results now contain additional information about the Permission Level and applicable Network Policies for a deployment, if--cluster
and--namespace
are provided together with--verbose
. - Export APIs have been added for deployments, nodes, pods, and images as a tech preview.
- ROX-21950:
roxctl scanner download-db
has been added to help download version specific offline vulnerability bundles introduced withScanner V4
. - The new vulnerability scanner named "Scanner V4" has been integrated. At the moment it needs to run side-by-side with the current default scanner named "StackRox Scanner". Installation instructions can be found in the official RHACS documentation.
- ROX-19932: ACS can pull information about available clusters to secure from Red Hat OpenShift Cluster Manager and Paladin Cloud.
- ROX-13367: ACS now supports short-lived token integrations for GCP via workload identity federation and AWS via the Secure Token Service.
- ROX-17382: An enhanced version of the ACS and Compliance Operator integration is now available under the heading "Compliance (2.0)". This feature is in Tech Preview.
- ROX-20100:
Machine access configurations
have been added to provide short-lived access tokens for Central. - A new image scanner based on ClairCore, Scanner V4, is now available.
- It is disabled by default, but it is recommended for more accurate image scan results.
- ROX-22505: It is now possible to set up authentication provider claim mappings via UI.
- API token expiration date can be configured. If expiration date is not specified, API token will expire in 1 year.
-
ROX-18840: Sunburst widgets in the Compliance section have been removed (deprecation announced in version 4.2 release notes)
-
The Docker CIS benchmark has been removed as announced in the 4.2 release notes.
-
ROX-12982: All custom
stackrox-*
SecurityContextConstraints (SCC) have been replaced with default SCCs (deprecation announced in 4.1 release notes). -
ROX-9156: In Helm and Operator installation modes, references to image pull secrets with certain names are no longer unconditionally added to service accounts. This is done to avoid causing log spam for kubelet due to non-existing secrets.
References will still be added for backwards compatibility if during installation or upgrade the secrets in question are found to actually exist. The names of these special secrets are:
- for central components:
stackrox
,stackrox-scanner
, - for secured cluster components:
stackrox
,stackrox-scanner
,secured-cluster-services-main
,secured-cluster-services-collector
,collector-stackrox
.
We recommend to explicitly list image pull secrets that are needed, if any:
- for Helm-based installs: via the
imagePullSecrets.useExisting
Helm value - for operator-based installs: via the
spec.imagePullSecrets
field in stackrox custom resources This may be necessary in case the Helm chart is applied in an environment where cluster lookup is unavailable (such as a CD pipeline like ArgoCD).
- for central components:
- The following search terms will be disabled in the next release and removed from the deployment context in 2 releases:
- Environment variable terms that can be removed by setting ROX_DEPLOYMENT_ENVVAR_SEARCH=false:
- Environment Key, Environment Value, Environment Variable Source
- Volume terms that can be removed by setting ROX_DEPLOYMENT_VOLUME_SEARCH=false:
- Volume Destination, Volume Name, Volume ReadOnly, Volume Source, Volume Type
- Secret terms that can be removed by setting ROX_DEPLOYMENT_SECRET_SEARCH=false:
- Secret, Secret Path
- Environment variable terms that can be removed by setting ROX_DEPLOYMENT_ENVVAR_SEARCH=false:
- The following search terms will be disabled in the next release and removed from the secret context in 2 releases. They can be removed in the current release by setting ROX_SECRET_FILE_SEARCH=false:
- Secret Type, Cert Expiration,Image Pull Secret Registry
- The
/v1/availableAuthProviders
endpoint will in a future release require authentication and at least READ permission on theAccess
resource. Ensure that any flow interacting with it is authenticated and has the proper permissions going forward. - The
/v1/tls-challenge
will require authentication, ensure that all interactions with these endpoints include proper authentication going forward. - The Helm setting
central.db.persistence.hostPath
for hostPath storage will be deprecated in 2 releases. It is recommended to switch to an alternative persistent storage. - Users running ACS version 3.74.x or earlier must stop at version 4.4.x before upgrading to 4.5 or later. In version 4.0.0, ACS switched the underlying datastore to PostgreSQL. On an upgrade, data would be automatically migrated to PostgresSQL from the previous store. In 4.5.0 this previous store will no longer be available, thus any existing data will not be migrated over if users jump from 3.74.x directly to 4.5.0. By stopping at any version from 4.0.0 to 4.4.x, users can ensure that the data will be properly migrated.
- StackRox Scanner will no longer receive new features and will be in maintenance-mode. Development is now focused on the new Scanner V4.
- Increased default memory request for scanner-db from 200MiB to 512MiB, to prevent OOMs during DB initialization in case of memory pressure on the node.
- ROX-20105: Scanner slim will now read additional CAs from the
additional-ca-sensor
secret. - ROX-20623: Fixed bug mistakenly requiring admin access to delegate ad-hoc scan requests to secured clusters.
- ROX-20492: Existing autogenerated integrations will now be deleted on Central startup if
ROX_DISABLE_AUTOGENERATED_REGISTRIES
istrue
. /v1/administration/usage
API endpoint is now considered stable.- Enforce the existence of the OpenShift monitoring
/metrics
server certificate by requiring the secretscentral-monitoring-tls
/sensor-monitoring-tls
to exist on start up. This only applies if OpenShift monitoring is enabled. - Configuration files now specify ROX_MEMLIMIT instead of GOMEMLIMIT.
- ROX_MEMLIMIT is meant to capture the memory limit of the deployment, so it may adjust the GOMEMLIMIT accordingly.
- ROX_MEMLIMIT is not as flexible as GOMEMLIMIT. It may only be set to an integer representing a number of bytes.
- ROX-21620: publish opensource instead of stackrox.io helm charts
- ROX-20163: Sensor captures runtime events even if it is disconnected from Central.
- ROX-20280: Fixed bug that prevented user from editing the endpoint from an unauthenticated email notifier. The credentials are still required to change the endpoint if it's not unauthenticated.
- ROX-21729: - ROX-21729: When deleting a collection that is referenced by other objects such as report configurations, the error message now includes the names of the collection being deleted and its referencing object (report configuration).
- ROX_SCAN_TIMEOUT environment variable in Central and Sensor now defaults to 10m instead of 6m.
- ROX-19814: As announced in 4.2, the /v1/resources endpoint now requires authenticated access.
- The default policy "systemctl Execution" has been updated to not trigger when the process argument
--version
is used. This does not pose a security issue because the information printed relates to features supported by systemd at the build time and not the capabilities of the host OS. - The default policy "No resource requests or limits specified" has been renamed to "No CPU request or memory limit specified" and now no longer checks CPU limit or memory request. Rather it only detects that the CPU request and memory limits are set.
- ROX-18525, ROX-19158: A new
cluster
flag has been added to theroxctl
commands and APIs that perform image scans, this enables delegating scans to specific secured clusters on demand. - ROX-19156: Ad-hoc image scanning is now enabled for images in the OCP integrated registry.
- RHACS attempts to infer the OCP project name from the image path and utilize the project secrets for registry authentication.
- ROX-19561: Few new environment variables have been introduced in Central. They can be used to rate limit requests and Sensor communications.
ROX_CENTRAL_MAX_INIT_SYNC_SENSORS
functions as a restriction on the quantity of Sensors engaged in their initial synchronization process. It is set to a default value0
(unlimited). This synchronization occurs once Sensor establishes a connection with Central. It is recommended to set this limit when a significant number of secured clusters are connected to a single Central instance to avoid resource exhaustion.ROX_CENTRAL_RATE_LIMIT_PER_SECOND
setting functions as a global rate limiter for all requests directed to Central. It is set to a default value0
(unlimited). The primary objective of this configuration is to serve as a protective measure against Distributed Denial of Service (DDoS) attacks on Central.ROX_CENTRAL_RATE_LIMIT_THROTTLE_DURATION
setting allows you to specify the maximum throttle duration when the rate limit is reached. If set to less than 1 second (or 0), requests are immediately rejected. The default value is10s
(10 seconds).
- ROX-9510: As announced in release 69.0, empty value for
role.access_scope_id
is not supported anymore forCreateRole
andUpdateRole
in/v1/roles/
. Role creation and update now require passing an identifier referencing a valid access scope inrole.access_scope_id
. - The UI menu option
Vulnerability Reporting
underVulnerability Management (1.0)
has been removed. The new and improved v2 version is available underVulnerability Management (2.0)
. - The
/v1/report
APIs have been removed. Please use/v2/reports/
APIs.
- The UI menu option
Vulnerability Management (1.0)
has been deprecated and will be removed in the future. It will be replaced byVulnerability Management (2.0)
. - The
/v1/cve/requests
APIs have been deprecated and will be replaced by/v2/vulnerability-exceptions/
APIs in the future. - Vulnerability deferral management for host(/node) and platform(/cluster) vulnerabilities has been deprecated and
will be removed in the future. Once removed, deferral cannot be created for host and platform vulnerabilities
and the existing exceptions enforced on host and platform vulnerabilities will be reverted. The affected APIs are
/v1/nodecves/suppress
,/v1/nodecves/unsuppress
,/v1/clustercves/suppress
, and/v1/clustercves/unsuppress
.
- Increased minimum Node.js version to 18.0.0 because 16 reached end of life. This change affects
yarn
commands in the ui folder. - ROX-19738: Previously categories passed to the detection service's APIs
v1/detect/build, v1/detect/deploy, v1/detect/deploy/yaml
have been always lower-cased by the backend. However, this is not the case anymore to support custom categories, which are required to be title-cased. - ROX-14701: Starting from 4.3.0 release,
roxctl
binaries forppc64le
ands390x
architectures are available for download fromhttps://mirror.openshift.com/pub/rhacs/assets/<version>/Linux/roxctl-<ppc64le|s390x>
(e.g. https://mirror.openshift.com/pub/rhacs/assets/4.3.0/Linux/roxctl-s390x). - The experimental API
/v1/product/usage
has been renamed to/v1/administration/usage
. - ROX-19566: The results of registry TLS checks made by Sensor are now cached (for 15 minutes by default, which can be changed by setting the
ROX_SENSOR_REGISTRY_TLS_CHECK_CACHE_TTL
environment variable). This will result in faster Sensor startup times in clusters with a large number of pull secrets. - Risk reprocessing has been shifted from being potentially computed every 15 seconds to 10 minutes. This will improve system performance by debouncing expensive risk calculations.
- ROX-20303: Fixed a bug that may have incorrectly matched an image to an image integration during scanning.
- ROX:20288: A new environment variable
ROX_AUDIT_LOG_WITHOUT_PERMISSIONS
has been added to Central (defaults tofalse
). When set totrue
, audit log messages will not contain the detailed permissions of the user associated with the request. Instead, only the associated role names will be there. Enabling this will lower the verbosity of the audit log messages, but investigating associated permissions for a requester might be harder (i.e. the associated role would have be known at the time of the request). Thus, it is generally not recommended to set this totrue
. - ROX-18978: The default policy "Iptables Executed in Privileged Container" has been renamed to "Iptables or nftables Executed in Privileged Container" and now also detects the
nft
process which is used bynftables
.
- Telemetry collection enabled by default for self-managed installations. Opt-out is available on bundle generation, or at any time via the System Configuration UI.
- Integration with OpenShift Container Platform monitoring is configured and enabled by default for OpenShift 4 installations. The flag
monitoring.openshift.enabled: false
disables the integration. - A new environment variable
ROX_DISABLE_REGISTRY_REPO_LIST
has been added to Central (defaults tofalse
). When set totrue
will disable registry repo list (/v2/_catalog
) usage when matching integrations to image registries. - A new environment variable
ROX_REGISTRY_MIRRORING_ENABLED
has been added to Sensor that is set totrue
by default and enables processing registry mirrors during Sensor image enrichment. Mirror details are obtained via theImageContentSourcePolicy
,ImageDigestMirrorSet
, andImageTagMirrorSet
CRs. - ROX-17112: CORE_BPF collection is now generally available.
- ROX-17702: Product usage metrics experimental API:
/v1/product/usage/secured-units/current
,/v1/product/usage/secured-units/max
. New/api/product/usage/secured-units/csv
endpoint. - ROX-19096, ROX-19098, ROX-19099: StackRox Scanner now supports alpine:v3.18, debian:12, ubuntu:23.04, ubuntu:23.10
- The
--offline-mode
flag for theroxctl scanner generate
command was removed, as Scanner's default behavior is to fetch vulnerability updates from Central. - In version 4.0, RHACS released the collections feature that replaced access scopes used in report configurations. RHACS automatically created equivalent collections for access scopes used in existing report configurations and migrated report configurations to use newly-created collections. If the migration failed, the report configurations became non-functional, and RHACS logged the error messages in Central logs. In this release, any report configurations that could not be migrated will be deleted.
- RBAC risk was deprecated in release 4.0 due to poor performance.
- (Tech preview feature) CLI command
roxctl generate netpol
is deprecated in favor ofroxctl netpol generate
- (Tech preview feature) CLI command
roxctl connextivity-map
is deprecated in favor ofroxctl netpol connectivity map
- The CIS Docker v1.2.0 standard will be removed from RHACS Compliance checks starting in RHACS version 4.4.
- The Syslog notifier used to send the message header incorrect - the severity and name fields were flipped. Starting in this release, there is now an option
to choose which format the header should be sent it:
CEF
which is the correct order orCEF (legacy field order)
which is the older incorrect way. The UI will default toCEF
but when using the API if a value isn't selected, it will default toCEF (legacy field order)
. Starting in version 4.4 the notifier will default toCEF
. - A few public endpoints will soon require authentication, ensure that any flow interacting with these endpoints is authenticated going forward:
/v1/featureflags
/v1/resources
- ROX-16962: A new parameter
spec.admissionControl.replicas
has been added to theSecuredCluster
CRD. - ROX-18073: The implementation of Add Capabilities policy criteria has been fixed to ensure violations are generated correctly for the specified values.
- Rollback to a 3.y release or the 4.0 release will no longer be supported starting from 4.3.
- Rollbacks from future releases to the 4.2 or later release will no longer require
ForceRollbackVersion
to be set. - ROX-18173: A few previously public endpoints now require authentication:
/v1/metadata
,/v1/database/status
,/v1/mitreattackvectors
. This reduces the surface for DoS attacks and prevents an attacker from taking advantage of the information served by these endpoints. - Non autogenerated image integrations will no longer use repo list (
/v2/_catalog
) during matching. - ROX-18477: Fixed an issue that breaks operator installations if a
Central
orSecuredCluster
CR configures egress proxy environment variables while openshift cluster-wide proxy is enabled. - ROX-15969: The column
Component Upgrade
in vulnerability reports has been renamed toCVE Fixed In
. - The removal of
/v1/report
APIs in this release, that was communicated in release 4.0.0, has been postponed by one release. Consequently, the/v1/report
APIs will continue to be available in this release. - The
/api/docs/swagger
API previously required read on the resourceIntegration
. Now it only requires users to be authenticated to via the API docs. - StackRox Scanner will now opt to scan the image whose architecture matches the Scanner's architecture instead of always opting for amd64 when scanning a multi-arch image.
- For example, if StackRox Scanner is running on arm64, and there is an arm64 version of the multi-arch image, it will scan that arm64 image.
- If there is no image which matches Scanner's architecture, then it will attempt to scan the amd64 version, as it did previously.
- Two new default permission sets
Vulnerability Management Consumer
andVulnerability Management Admin
have been added for vulnerability management.Vulnerability Management Consumer
provides read-only access to analyze vulnerabilities and initiate risk acceptance process.Vulnerability Management Admin
provides administrative access to analyze vulnerabilities, generate reports, and manage risk acceptance process.
- A default role
Network Graph Viewer
has been added that provides sufficient privileges to display network graphs. - A new command
roxctl central login
has been added that allows to use a user's token within roxctl instead of an API token or admin password. - ROX-15447: A new
DelegatedRegistryConfig
API at/v1/delegatedregistryconfig
has been added that provides dynamic configuration for local registry scanning (replacesROX_FORCE_LOCAL_IMAGE_SCANNING
). - A new environment variable
ROX_DISABLE_SIGNATURE_FETCHING
has been added to Central and Sensor which stops fetching image signatures in case the signature verification feature shall not be used. You may set this in case there's too much load on registries due to attempts to fetch image signatures. Note that if the environment variable is set, no signatures will be fetched and thus the signature verification feature cannot be used. - ROX-16532: Resource limits and requests for the node-inventory container can now be configured via the operator.
- A new environment variable
ROX_SCAN_TIMEOUT
has been added to Sensor which allows for customizing the image scan timeout used in Sensor initiated scans. - ROX-17365: A new environment variable
ROX_DELEGATED_SCANNING_DISABLED
has been added that disables delegated scanning capabilities while leaving other local scanning capabilities intact. - ROX-16703: Helm setting
scanner.disable=false
now valid for any secured cluster (instead of OpenShift only). This enables scanner slim to be installed in non-OCP secured clusters.
-
ROX-14398: As announced in 3.74, the permission
Access
replaces the deprecated permissionRole
. -
ROX-14398: As announced in 3.74, the
Scope Manager
system role and permission set will be removed. If existing product installations do have customer references to either theScope Manager
system role or theScope Manager
system permission set, then the referenced object will be adjusted to contain a description mentioning its deprecation. Furthermore, the objects will not be marked as system resources, and will not be supported anymore. -
ROX-17031: env var
ROX_FORCE_LOCAL_IMAGE_SCANNING
has been removed and replaced by theDelegatedRegistryConfig
API. -
ROX-13888: As announced in 3.74, the permission
WorkflowAdministration
replaces the deprecated permissionsVulnerability Reports
andPolicy
. -
KernelModule collection has been removed, following deprecation in 4.0.
- Secured clusters configured to use KernelModule collection will automatically switch to EBPF
- Vulnerability Management 1.0 sections Image CVEs, Image Components, Images, Deployments, and Namespaces are deprecated and will be removed in the future. Once removed, use Vulnerability Management 2.0 for managing workload vulnerabilities.
- Custom Security Context Constraints (SCC) (e.g.:
stackrox-collector
,stackrox-admission-control
,stackrox-sensor
) are deprecated and will be removed in the future. Users should ensure that those SCCs are not being used by workloads other than Stackrox/RHACS. - The default permission set
Vulnerability Management Approver
is deprecated and will be removed in a future release. Customers are advised to useVulnerability Management Admin
permission set instead. WhenVulnerability Management Approver
permission set is removed existing roles using it will be updated to useVulnerability Management Admin
. - The default permission set
Vulnerability Management Requester
is deprecated and will be removed in a future release. Customers are advised to useVulnerability Management Consumer
permission set instead. WhenVulnerability Management Requester
permission set is removed existing roles using it will be updated to useVulnerability Management Consumer
. - The default permission set
Vulnerability Report Creator
is deprecated and will be removed in a future release. Customers are advised to useVulnerability Management Admin
permission set instead. WhenVulnerability Report Creator
permission set is removed existing roles using it will be updated to useVulnerability Management Admin
. /v1/imagecves/suppress
and/v1/imagecves/unsuppress
APIs used to defer image vulnerabilities globally and undo deferral are deprecated and will be removed in a future release. Once removed, use Risk Acceptance workflow to defer image vulnerabilities globally.
- The Central PVC stackrox-db is no longer required after this upgrade. To obsolete existing PVC, please check the docs online.
- The output of
roxctl central whoami
now includes the username as well. - Helm setting
collector.nodeInventoryResources
has been renamed tocollector.nodeScanningResources
. - ROX-16959: Helm setting
admissionController.replicas
has been added to configure admission controller replicas. - The k8s-istio.zip file inside of scanner-vuln-updates.zip (the file downloaded from https://install.stackrox.io/scanner/scanner-vuln-updates.zip for updating Scanner vulnerabilities in offline-mode) is no longer needed. We will continue to populate it to support older versions of the product, but it will be ignored.
- The time interval used to determine the frequency to scan orchestrator-level components (Kubernetes, OpenShift, Istio) is now configurable via ROX_ORCHESTRATOR_VULN_SCAN_INTERVAL.
- Image Integrations will now be synced with secured clusters that have local scanning enabled.
- ROX-15102: new
public_config.telemetry
boolean property of the/v1/config
endpoint request that allows for querying the state, enabling or disabling the configured telemetry collection. - ROX-10818: vulnerability scanning of node components installed through RPM on OpenShift cluster nodes running Core OS (RHCOS).
- ROX-15434: new
ROX_FORCE_LOCAL_IMAGE_SCANNING
env var added to sensor which forces all images observed by sensor to be analyzed by the local scanner (OCP only) - ROX-11268: new ListeningEndpointsService at
/v1/listening_endpoints/deployment
reports which processes are listening on which ports.
- ROX-14336: product
BuildDate
attribute was removed. It won't be returned by/debug/versions.json
endpoint androxctl version --json
command. - ROX-12750: As announced in 3.73.0 (ROX-11101), some permissions for permission sets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions.
- Permission
Administration
replaces the deprecated permissionsAllComments, Config, DebugLogs, NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig, ServiceIdentity
. - Permission
Compliance
replaces the deprecated permissionComplianceRuns
.
- Permission
- Deprecated
/v1/telemetry/configure
service. - The
expiration
field in theExclusion
proto has been deprecated and will be removed in a future release. - The
--offline-mode
flag for theroxctl scanner generate
command is deprecated, as Scanner's default behavior is to fetch vulnerability updates from Central. The flag will be removed as part of the 4.2.0 release. - ROX-15925: The KernelModule collection method is deprecated in favor of EBPF. This method will be removed in the 4.1 release.
- Deprecated v1.0 of Network Graph. Please switch to the new 2.0 version for improved functionality and a better user experience.
- ROX-15337: RHACS Operator is not published to Red Hat Operator Catalogs for OpenShift versions 4.9 and earlier.
- The API endpoint
/v1/serviceaccounts
is deprecated and will be changed as part of the 4.2.0 release. - PDF export in current version of the Vulnerability Management UI is deprecated and will be removed in the 4.2.0 release. Use the vuln reporting feature instead, for more comprehensive CSV data.
- All
/v1/report
APIs for creating and managing vulnerability reports are deprecated and will be replaced with new/v2/reports
APIs in 4.2.0 release.
- The
Analyst
permission set will change behaviour: instead of allowing read to all resources exceptDebugLogs
, it will allow read to all resources exceptAdministration
. If you were using theAnalyst
role or permission set for actions requiring read onAllComments
,Config
,NetworkGraphConfig
,ProbeUpload
,ScannerBundle
,ScannerDefinitions
,SensorUpgradeConfig
orServiceIdentity
resources, you should preemptively create a new permission set with read access on theAdministration
and other required resources, and reference it instead ofAnalyst
in the created roles.
- Active Vulnerability Management has been moved behind that ROX_ACTIVE_VULN_MGMT flag and has been defaulted to false due to performance. If Active Vulnerability Management is desired, then a user may set this flag to true and it will be reactivated; however, it is recommended to increase the memory limit of Central.
- ROX-14251: StackRox now uses IMDSv2 to retrieve AWS metadata instead of IMDSv1.
- ROX-12750: The
Analyst
permission set which used to have read access on all permissions except the now deprecatedDebugLogs
permission now has read access to all permissions exceptAdministration
. - The default resources for Sensor have moved to a request of 2 cores, 4GB of RAM and a limit of 4 cores, 8GB of RAM in order to support a higher number of clusters without modification.
- ROX-14280: ACS operator default channel changes from
latest
tostable
. Users of older versions must follow the upgrade procedure in order to preserve ACS data in case of issues with the upgrade. - ROX-14917: Helm charts versioning scheme changed. Previously the product version (Major).(Minor).(Patch) was rendered to the Helm chart version (Minor).(Patch).0, e.g. 3.74.2 -> 74.2.0. The new versioning scheme maps product version (Major).(Minor).(Patch) to the Helm chart version as (Major*100).(Minor).(Patch), e.g. 4.0.2 -> 400.0.2.
- ROX-13814: A new "Public Kubernetes Registry" image integration is now available as a replacement for the (now deprecated) "Public Kubernetes GCR" image integration.
- ROX-12316: As announced in 3.72, the permission
Cluster
replaces the deprecated permissionClusterCVE
. - ROX-13535: Built-in documentation link redirects now to the online version.
- The
docs
image and the embedded documentation have been removed from the product.
-
ROX-12620: We continue to simplify access control management by grouping some permissions in permission sets. As a result:
- The permission
WorkflowAdministration
will deprecate the permissionsPolicy, VulnerabilityReports
.
- The permission
-
ROX-14398: We continue to simplify access control management by grouping some permissions in permission sets. As a result:
- The permission
Access
will deprecate the permissionsRole
. - The default role
Scope Manager
will be removed.
- The permission
-
ROX-14400: product
BuildDate
attribute is deprecated and will be removed in4.0
release. It won't be returned by/debug/versions.json
endpoint androxctl version --json
command.
-
The permission
WorkflowAdministration
will replacePolicy, VulnerabilityReports
in permission sets starting with the 4.1 release. You should preemptively start replacing thePolicy
andVulnerabilityReports
resources within your permission sets in favor ofWorkflowAdministration
. During the migration of the permission sets within the 4.1, theWorfklowAdministration
permission will have the lowest access permission granted for eitherPolicy
orVulnerabilityReports
. As an example, a permission set withWRITE Policy
andREAD VulnerabilityReports
access will haveREAD WorkflowAdministration
access after the migration within the 4.1 release, leading to potentially unwanted side-effects and missing access if you did not update your permission sets beforehand. -
The permission
Access
will replaceRole
in permission sets starting with the 4.1 release. You should preemptively start replacing theRole
resource within your permission sets in favor ofAccess
. During the migration of the permission sets within the 4.1, theAccess
permission will have the lowest access permission granted for eitherAccess
orRole
. As an example, a permission set withREAD Access
andWRITE Role
will haveREAD Access
after the migration, leading to potentially unwanted side-effects and missing access if the permission sets were not updated beforehand. -
The default
ScopeManager
role will be removed starting with release 4.1. During the migration, Authentication provider rules referencing that role will be updated to use theNone
role. Should Authentication Provider rules reference theScopeManager
role for other purposes than Vulnerability Report management, a similar role should be manually created and referenced in the Authentication provider rules instead ofScopeManager
. -
ROX-13814: The "Public Kubernetes GCR" image integration is now deprecated in line with upstream.
- ROX-12967: Re-introduce
rpm
to the main image in order to be able to parse installed packages on RHCOS nodes (from Compliance container)
- The 3.74.z set of releases will be the last major release in the 3.x series. The next release will be 4.0.
- Postgres will become the backing database as of 4.0.
- Restoring a backup taken on a 3.y release will no longer be supported starting from 4.1.
- The stackrox-db PVC will no longer be used starting from 4.1. All users must upgrade from a 3.y release to 4.0 prior to upgrading to a later release in order to properly migrate to Postgres.
3.73.0 introduced a change to ACS autogenerated image integration workflows. However, this change in workflow caused Central to take too long on startup (details here). To fix the issue introduced in 3.73.0, 3.73.1 will reinstate the old workflow. Therefore, autogenerated integrations may not work successfully in environments with various credentials used for multiple repos within a global registry.
- ROX-12839: we will stop shipping the docs embedded in the product, starting with the release following this one (docs will still be available online)
- ROX-6194:
ROX_WHITELIST_GENERATION_DURATION
env var is removed in favor ofROX_BASELINE_GENERATION_DURATION
;DeploymentWithProcessInfo
items in/v1/deploymentswithprocessinfo
endpoint response do not includewhitelist_statuses
anymore. Label
andAnnotation
search options are removed. Use the following search options:- Resource | Deprecated Search Option | New Search Option
- Node | Label | Node Label
- Node | Annotation | Node Annotation
- Namespace | Label | Namespace Label
- Deployment | Label | Deployment Label
- ServiceAccount | Label | Service Account Label
- ServiceAccount | Annotation | Service Account Annotation
- K8sRole | Label | Role Label
- K8sRole | Annotation | Role Annotation
- K8sRoleBinding | Label | Role Binding Label
- K8sRoleAnnotation | Annotation | Role Binding Annotation
ids
field in/v1/cves/suppress
and/v1/cves/unsuppress
API payload renamed tocves
.- ROX-11592: Support to Get / Update / Mutate / Remove of groups via the
props
field and without theprops.id
field being set in the/v1/groups
endpoint have been removed. - The unused "ComplianceRunSchedule" resource has been removed.
- ROX-11101: As announced in 3.71.0 (ROX-8520), some permissions for permission sets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions.
- Permission
Access
replaces the deprecated permissionsAuthProvider, Group, Licenses, User
. - Permission
DeploymentExtension
replaces the deprecated permissionsIndicator, NetworkBaseline, ProcessWhitelist, Risk
. - Permission
Integration
replaces the deprecated permissionsAPIToken, BackupPlugins, ImageIntegration, Notifier, SignatureIntegration
. - Permission
Image
replaces the deprecated permissionImageComponent
. - Note: the
Role
permission, previously announced as being grouped underAccess
remains a standalone permission. - Important: As stated above, the access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions. This can impact the ability of some created roles to perform their intended duty. Consolidation of the mapping from replaced resources to new ones can help assess the desired access level, should any issue be experienced.
- Permission
- ROX-13034: Central reaches out to scanner
scanner.<namespace>.svc
now to respect OpenShift'sNO_PROXY
configuration.
- ROX-11101: As first announced in 3.71.0 for ROX-8250, we continue to simplify access control management by grouping some permissions in permission sets. As a result:
- New permission
Administration
will deprecate the permissionsAllComments, Config, DebugLogs, NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig, ServiceIdentity
. - The permission
Compliance
will deprecate the permissionComplianceRuns
.
- New permission
- ROX-11937: The Splunk integration now processes all additional standards of the compliance operator (ocp4-cis & ocp4-cis-node) correctly.
- ROX-9342: Sensor no longer uses
anyuid
Security Context Constraint (SCC). The default SCC for sensor is nowrestricted[-v2]
orstackrox-sensor
depending on the settings. Both therunAsUser
andfsGroup
for the admission-control and sensor deployments are no longer hardcoded to 4000 on Openshift clusters to allow using therestricted
andrestricted-v2
SCCs. - The service account "central", which is used by the central deployment, will now include
get
andlist
access to the following resources in the namespace where central is deployed to:pods
,events
, andnamespaces
. This fixes an issue when generating diagnostic bundles to now correctly include all relevant information within the namespace of central. - ROX-13265: Fix missing rationale and remediation texts for default policy "Deployments should have at least one ingress Network Policy"
- ROX-13500: Previously, deployment YAML check on V1 CronJob workload would cause Central to panic. This is now fixed.
cves.ids
field ofstorage.VulnerabilityRequest
object, which is in the response ofVulnerabilityRequestService
(/v1/cve/requests/
) endpoints, has been renamed tocves.cves
.- ROX-13347: Vulnerability reporting scopes specifying cluster and/or namespace names now perform exact matches on those entities, as opposed to the erroneous prefix match.
- ROX-11784: The
RenamePolicyCategory
andDeletePolicyCategory
methods in thev1/policycategories
endpoint have been removed. - Support for violation tags and process tags has been removed.
- ROX-11284: Permission
ClusterCVE
is deprecated and will be superseded by the existing permissionCluster
. Label
andAnnotation
search options are deprecated and will be removed in 3.73. Use the following search options starting 3.73:- Resource | Deprecated Search Option | New Search Option
- Node | Label | Node Label
- Node | Annotation | Node Annotation
- Namespace | Label | Namespace Label
- Deployment | Label | Deployment Label
- ServiceAccount | Label | Service Account Label
- ServiceAccount | Annotation | Service Account Annotation
- K8sRole | Label | Role Label
- K8sRole | Annotation | Role Annotation
- K8sRoleBinding | Label | Role Binding Label
- K8sRoleAnnotation | Annotation | Role Binding Annotation
- ROX-11181: Any clusters that have been unhealthy (defined as central being unable to reach sensor running on those clusters) for a configured period of time will be automatically removed. The number of days after which an 'unhealthy' cluster is removed can be configured in the System Configuration page or using the cluster API.
- Any cluster that is expected to be unavailable for a period of time (e.g. clusters used in disaster recovery), can be tagged with a customizable label. Clusters with those labels will never be removed automatically.
- By default, this unhealthy cluster removal is disabled (number of days set to 0)
- ROX-7591: Policy
Fixable CVSS >= 6 and Privileged
disabled by default on new installations, new policySeverity Important and Privileged
added and enabled by default. - ROX-11348: The email notifier now allows for unauthenticated SMTP. By default, authentication is still required for an email notifier, but the user can now choose to turn it off.
- Previously, the syslog integration did not respect a configured TCP proxy. This is now fixed.
- The default technique used by string expression searches will be to match any substrings in future release. Currently, string search uses prefix matching technique in most cases.
- ROX-9484: When integrating Quay registry you can now optionally use robot account instead of just OAuth tokens. In fact this is Quay's recommended integration credentials. However, integration with Quay scanner still requires an OAuth token.
- The
init-db
init-container for ScannerDB now specifies resource requests/limits which match thedb
container in ScannerDB. - Starting 3.73, CSV export API
/api/vm/export/csv
would require to passCVE Type
filter as part of the input query parameter. Requests that do not have the filter would error out.- Examples :
CVE Type:NODE_CVE
,CVE Type:IMAGE_CVE
,CVE Type:K8S_CVE
- Examples :
- ROX-8051: The default collection method is changed from KernelModule to eBPF, following improved eBPF performance in collector.
- ROX-11070: There have been changes made to the
v1/groups
API, including a deprecation:- Each group will now have a new field,
props.id
which uniquely identifies it. - Get / Update / Mutate / Remove of groups via the
props
field and without theprops.id
field being set is deprecated and will be removed in release 3.73. - Get of groups via the
props
field and without theprops.id
field being set will fail if more than one group was found for the givenprops
field.
- Each group will now have a new field,
- ROX-11349: Updated rationale and remediation texts for default policy "Deployments should have at least one ingress Network Policy"
- ROX-11443: The default value for
--include-snoozed
option ofroxctl image scan
command is set tofalse
. The result ofroxctl image scan
execution without--include-snoozed
flag will not include deferred CVEs anymore. - ROX-9292: The default expiration time of tokens issued by auth providers has been lowered to 12 hours.
- ROX-9760: The deployment tab on violation detail now contains a list of network policies in the deployment's namespace.
- ROX-9358: The diagnostic bundle includes notifiers, auth providers and auth provider groups, access control roles with attached permission set and access scope, and system configuration. Users with
DebugLogs
permission will be able to read listed entities from a generated diagnostic bundle regardless of their respective permissions. - ROX-10819: The documentation for API v1/notifiers ("GetNotifiers") previously stated that the request could be filtered by name or type. This is incorrect as this API never allowed filtering. The documentation has been fixed to reflect that.
- ROX-9614: Add
file
query parameter to Central's/api/extensions/scannerdefinitions
, allowing retrieval of individual files (not directories) from Scanner's Definition bundle using their full path within the archive. AddsensorEndpoint
to Scanner's configmap, so Scanner in slim mode knows how to reach Sensor from its cluster. - ROX-9928: Policy "OpenShift: Advanced Cluster Security Central Admin Secret Accessed" renamed to "OpenShift: Central Admin Secret Accessed"
- ROX-8277: changed UserAgent Header for all requests from stackrox operator to kubernetes API server to show appropriate version of the operator, for example:
rhacs-operator/v3.70.0 opensource (linux/amd64)
ids
field in/v1/cves/suppress
and/v1/cves/unsuppress
API payload will be renamed tocves
in 73.0 release.cves.ids
field ofstorage.VulnerabilityRequest
object, which is in the response ofVulnerabilityRequestService
endpoints, will be renamed tocves.cves
in 73.0 release.- ROX-8520: Permissions for permission sets will be grouped for simplification. As a result, the following permissions will be deprecated in favor of a new permission:
- New permission
Access
will deprecate the permissionsAuthPlugin, AuthProvider, Group, Licenses, Role, User
. - New permission
DeploymentExtension
will deprecate the permissionsIndicator, NetworkBaseline, ProcessWhitelist, Risk
. - New permission
Integration
will deprecate the permissionsAPIToken, BackupPlugins, ImageIntegration, Notifier, SignatureIntegration
. Each deprecated permission will be removed in a future release.
- New permission
- Permission
ImageComponent
is deprecated and will be superseded by the existing permissionImage
. Similar to the permission changes introduced with ROX-8520,ImageComponent
will be removed in a future release. - /v1/telemetry and /v1/licenses endpoints, and related CLI functionality, are now deprecated and will be removed in 2 releases.
- These endpoints are deprecated as license files are not required to run the platform
firstNodeOccurrence
field ofstorage.Node
object, which is in the response of Node endpoints, has been removed.vulns
fields ofstorage.Node
object, which is in the response payload ofv1/nodes
is deprecated and will be removed in future release./v1/cves/suppress
and/v1/cves/unsuppress
has been deprecated and will be removed in the future.- Use
/v1/imagecves/suppress
and/v1/imagecves/unsuppress
to snooze and unsnooze image vulnerabilities. - Use
/v1/nodecves/suppress
and/v1/nodecves/unsuppress
to snooze and unsnooze node/host vulnerabilities. - Use
/v1/clustercves/suppress
and/v1/clustercves/unsuppress
to snooze and unsnooze platform (k8s, istio, and openshift) vulnerabilities.
- Use
- /v1/compliance/results was never implemented and will be removed in this release
- In release 73.0, the /v1/compliance/runresults endpoint will contain a slimmed down version of the ComplianceDomain object. This allows for greater scalability and reduced memory usage.
- When the underlying database changes to Postgres the api
/db/restore
will no longer be a supported means for database restores. At that time usingroxctl
will be the supported mechanism for database restores. - PodSecurityPolicies can be disabled when generating deployment bundles and when configuring the Helm charts. The Helm charts also support auto-sensing availability of the PodSecurityPolicies API. PodSecurityPolicies must be disabled when deploying to Kubernetes >= v1.25.
- ROX-11533: Fixed preferred node affinity for Central, Sensor and Scanner pods so that OpenShift Infra nodes are favored more than Compute nodes. Match expressions will also prefer not scheduling on Control Plane nodes on both Kubernetes and OpenShift clusters, including kube versions 1.25 and newer.
- ROX-10948: A new default policy added to detect if a deployment is running with a container that has allowPrivilegeEscalation set to true. The policy is enabled by default.
- ROX-10699: A new default policy added to detect if a deployment has any service that is externally exposed through any methods. The policy is disabled by default.
- Scanner's "db" container no longer mounts the "scanner-db-password" secret. Instead, the init container, "init-db", mounts it.
- This means the configuration for the init container has been updated to include "POSTGRES_PASSWORD_FILE" and some volume mounts which are now required.
- Debian 9 has reached EOL, so Scanner now marks Debian 9 images as stale.
- The Debian Security Tracker has also stopped tracking Debian 9 vulnerabilities, so there will be no more new Debian 9 vulnerabilities.
- Support for violation comments and process comments has been removed.
- The default Admission Controller "fail open" timeout has been changed from 3 seconds to 20 seconds in Helm templates.
- The maximum Admission Controller "fail open" timeout has been set at 25 seconds in Helm template verification performed by the Operator.
- This change is not backwards compatible; if an existing Custom Resource sets the value to > 25 seconds, then it will fail validation in case operator is downgraded. This change is accepted because the operator is still in v1alpha1 and subject to change.
- The admission webhook timeout is now set to the admission controller timeout plus 2 seconds.
- The "Process Ancestor" search term has been deprecated.
- Central will now respond with a 421 Misdirected Request status code to requests where the ServerName sent via TLS SNI
does not match the
:authority
(Host
) header. This feature can be turned off by setting the environment variableROX_ALLOW_MISDIRECTED_REQUESTS=true
. - Registry integrations for ECR are now auto-generated if the cluster's cloud provider is AWS, and the nodes' Instance IAM Role has policies granting access to ECR. Customers can turn this feature off by disabling the EC2 instance metadata service in their nodes.
- A new default policy added to detect Spring Cloud Function RCE vulnerability (CVE-2022-22963) and Spring Framework Spring4Shell RCE vulnerability (CVE-2022-22965).
- Fixed permissions checks in the UI that prevented users with certain limited permissions from creating report configurations.
- ROX-8957: A new default policy added to detect missing ingress NetworkPolicy associated with deployments. The policy is disabled by default.
- Two new policy criteria were added to alert on missing ingress or egress NetworkPolicy associations.
- ROX-8789: Change operator catalog format from deprecated SQLite database format to new file-based format.
- ROX-8331: Increase the front-end limit on rendered nodes in the Network Graph from 1100 to 2000
- ROX-9792: Introduced central limit of 2000 nodes in a Network Graph to avoid out-of-memory crashes
- ROX-9946: Fixed default permissions for the default Vuln Reporter role to exclude the modify permission on notifiers, since it is not needed for report creation.
- Added AllowPrivilegeEscalation as a new policy criteria.
- ROX-10038: Removed limit of 10 inclusions and 10 exclusions from policy form
- ROX-10090: Made the username and password optional on the Artifactory integration form
- ROX-10217: Remove format validation from the URL field of the generic webhook integration form
- ROX-9435: Updated dryrun API to generate preview violations for disabled policies
- Support for security policies that do not have a policyVersion or have versions prior to 1.1 will be removed. If you have externally stored older policies, they cannot be imported.
- ROX-10021: RHCOS node support is dropped until major improvements are made in ROX-8944.
- The UI shows the node scanning notes in the same manner as image scanning notes.
- ROX-10097: Updated the base for the docs image from
nginx-118:1-46
tonginx-120:latest
. - ROX-10666:
FROM
option will be deprecated fromDisallowed Dockerfile line
policy field and removed in a future release. Any policies containingDisallowed dockerfile line
policy field withFROM
option must be updated to remove those policy sections. For more information, please refer "Known Issues" section in Red-Hat ACS 3.69 release notes. - ROX-10270: The
RenamePolicyCategory
andDeletePolicyCategory
methods in thev1/policycategories
endpoint have been deprecated, and will be removed in future releases.- For questions about this change, please contact the Red Hat support team at support@redhat.com.
- ROX-10018: The policy
OpenShift: Kubeadmin Secret Accessed
will no longer trigger if the request was from the default OpenShiftoauth-apiserver-sa
service account, because this is an expected access pattern for the OpenShift apiserver. - Violation tags and process tags are deprecated, and will be removed in version 3.72.0.
- Users who do not want to include the RBAC factor in risk calculation can set the "ROX_INCLUDE_RBAC_IN_RISK" environment variable to "false" in the Central deployment spec.
- Kubernetes' PodSecurityPolicy API is deprecated which is why installation of PodSecurityPolicies will be disabled with version 3.71.0.
- A version of Scanner and ScannerDB will be installed in each OpenShift cluster to support images stored in the OpenShift Internal Image Registry.
- The images are "slimmed" down versions of Scanner and ScannerDB
- scanner-slim and scanner-db-slim
- They require the same resources as the normal Scanner and ScannerDB.
- The images are "slimmed" down versions of Scanner and ScannerDB
collector
image with-slim
image tag is no longer published (collector-slim
with suffix in the image name will continue to be published).collector-rhel
,main-rhel
,scanner-rhel
, andscanner-db-rhel
images are not published any more. These images were identical to non-rhel ones since version 3.66.- Increased default Scanner memory limit from 3000 MiB to 4GiB.
- API changes/deprecations:
GetKernelSupportAvailable (GET /v1/clusters-env/kernel-support-available)
is deprecated, useGetClusterDefaultValues (GET /v1/cluster-defaults)
instead.- The following features have been deprecated and will be removed in version 3.71.0:
- The external authorization plugin for scoped access control will be removed. Please use the existing in-product scoped access control.
- The Anchore, Tenable, and Docker Trusted Registry integrations will be removed. Please use the ACS Scanner instead as it is more widely supported.
- Alert and process comments will be removed.
CreateRole
andUpdateRole
in/v1/roles/
:role.access_scope_id
empty value is deprecated, will be set to the unrestricted access scope ID (io.stackrox.authz.accessscope.unrestricted
) during the adoption period.- API endpoint
/api/helm/cluster/add
was deleted as not being used in the product.
- Improved accuracy of active component and vulnerability and presented it with higher confidence.
- Analyzed dependencies between OS components and detected derived active components.
- Added
Active
state to list of components and list of vulnerabilities under Vulnerability Management within the scope of a specific deployment. - Added
Inactive
state: the component or vulnerability was not run in the specific deployment. - Added image scope so that the Active State can be determined in the scope of a deployment for a specific image.
- The default gRPC port in Scanner's config map is changed to 8443, as that is what Scanner has actually been defaulting to this whole time.
- Note: Scanner had been ignoring the default
httpsPort
andgrpcPort
in its config map, as Scanner expectedHTTPSPort
andGRPCPort
(andMetricsPort
, if ever specified).
- Note: Scanner had been ignoring the default
- Scanner now supports Alpine 3.15.
- Scanner now identifies busybox as a base OS.
- It does not find vulnerabilities nor packages, though. It solely identifies busybox as a base OS.
- CVEs in Ubuntu images will no longer link to http://people.ubuntu.com/~ubuntu-security/cve/. Now it links to https://ubuntu.com/security/.
- Setting ROX_DISABLE_AUTOGENERATED_REGISTRIES environment variable to true will ignore all new registry integrations from Sensors
- Vulnerability snoozing and un-snoozing will not impact image and component risk. Furthermore, it will not impact
Image Vulnerabilities
risk factor for deployments. - In 3.70, support for security policies that do not have a policyVersion will be removed. Therefore, if you have externally stored older policies (without policyVersion or version prior to 1.1), you must convert them to use policyVersion 1.1. To do this, import the old policies into RHACS and then export them again. You can check the policyVersion field for your stored policies to identify if they need conversion.
- Vulnerability Risk Assessment: Deferral update requests that are in pending state can now be canceled.
- AWS ECR integration supports AssumeRole authentication.
- The default policy to detect Log4Shell vulnerability has been updated to also detect CVE-2021-45046 and the remediation has been updated to reflect the latest guidance by the Apache Logging security team.
- Prior to this release, CVEs could be snoozed using global write access on
Images
. Starting this release, requests to snooze CVEs can be created only usingVulnerabilityManagementRequests
global write access and requests can be approved only usingVulnerabilityManagementApprovals
global write access. Roles with write access onImages
, created prior to this release, are provided with both the newly added permissions. We recommend updating the roles to only include the least amount of resources required for each role. All new roles must be explicitly supplied withVulnerabilityManagementRequests
and/orVulnerabilityManagementApprovals
permissions in order to use CVE snoozing functionality. - Editing the cluster configuration in the UI is now disabled for Helm-based installations.
- For
roxctl helm output
androxctl central generate
added a new flag--image-defaults
that allows selecting the default registry from which container images will be taken for deploying central and scanner. - For
roxctl helm output
deprecated flag--rhacs
in favor of--image-defaults=rhacs
(using--rhacs
with--image-defaults
results in an error). - Default behavior of
roxctl helm output
results now in using container images fromregistry.redhat.io
instead ofstackrox.io
. - By default, notifications will be sent for every runtime policy violation instead of only the first encountered violation. If this is undesired, setting an environment variable
NOTIFY_EVERY_RUNTIME_EVENT
tofalse
will restore the previous behavior. Please note that the environment variable will be removed in a future release, so please notify the ACS team if you have a valid use case. - Certain ACS images were moved to new repositories:
- main: from
registry.redhat.io/rh-acs/main
toregistry.redhat.io/advanced-cluster-security/rhacs-main-rhel8
- collector: from
registry.redhat.io/rh-acs/collector
(with-latest
tag) toregistry.redhat.io/advanced-cluster-security/rhacs-collector-rhel8
- collector (slim): from
registry.redhat.io/rh-acs/collector
(with-slim
tag) toregistry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8
- scanner: from
registry.redhat.io/rh-acs/scanner
toregistry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8
- scanner-db: from
registry.redhat.io/rh-acs/scanner-db
toregistry.redhat.io/advanced-cluster-security/rhacs-scanner-db-rhel8
- main: from
- Tags of
scanner
,scanner-db
, andcollector
(including slim variant) images are now identical to the tag ofmain
image (same as product version) for the released images. For example, a scanner image for ACS 3.68.0 is now identified as followingregistry.redhat.io/advanced-cluster-security/rhacs-scanner-rhel8:3.68.0
andstackrox.io/scanner:3.68.0
. Please make sure you follow this versioning scheme when upgrading manually. This scheme will be used for all future releases. - Collector Slim image name and tag have changed. Now the
-slim
is not part of the image tag but part of the image name. This means that Collector Slim image for the release 3.68.0 is identified asregistry.redhat.io/advanced-cluster-security/rhacs-collector-slim-rhel8:3.68.0
andcollector.stackrox.io/collector-slim:3.68.0
.
- A new default policy to detect Log4Shell vulnerability (CVE-2021-44228) has been added.
-
When the environment variable
ROX_NETWORK_ACCESS_LOG
for Central is enabled, the logs will now contain the request URI andX-Forwarded-For
header values. Note: The network access logging feature was introduced in 51.0 and when enabled will cause noisy logging, and hence should be turned on only for the purpose of debugging network connectivity issues. -
Scanner container image
uid:gid
changed to65534:65534
(user nobody). -
A new default Role called
Scope Manager
has been introduced, to be used to provide users the minimal set of privileges required to create and modify access scopes for the purpose of configuring access control or use in vulnerability reporting. -
The Compliance Operator integration now supports TailoredProfiles.
-
Presence of
microdnf
(presence in the image and process execution) is treated as violation of policiesRed Hat Package Manager in Image
andRed Hat Package Manager Execution
respectively. -
Central is now the only source for Scanner vulnerability updates.
- Central, instead of Scanner, now queries definitions.stackrox.io in online-mode (determined based on
ROX_OFFLINE_MODE
). ROX_SCANNER_VULN_UPDATE_INTERVAL
determines the frequency Central should query definitions.stackrox.io, in online-mode. It is defaulted to 5 minutes.- Scanner's ConfigMap still has an
updater.interval
field for its own updating frequency, but it no longer hasupdater.fetchFromCentral
.
- Central, instead of Scanner, now queries definitions.stackrox.io in online-mode (determined based on
-
Users may upload Scanner vulnerability dumps even when we are not in "offline-mode".
- If we are in online-mode, this vuln dump is used over the Scanner's requested one if it is more recent.
- K8s and Istio vulns manually uploaded in online-mode are ignored. This is just for Scanner definitions.
-
Roxctl's
image scan | image check | deployment check
commands received a usability overhaul. This includes introducing output format'stable, csv, json
for each command. Note: thecsv
andjson
output formats contain breaking changes, the old formats are kept as default but marked as deprecated. Ensure that you switch to the new formats in a timely manner. -
In policy exclusions, the deployment name can now be a regex. Earlier, it was an exact string match.
-
Behaviour change: The built-in
None
role is no longer taken into account when determining the roles for a user. Therefore, users with only theNone
role will be logged out and not be able to log in, as a valid user must have some role assigned. Logout and login prevention are materialized with HTTP status 401Unauthorized
and error message reporting the lack of valid role.
- Default system policies
DockerHub NGINX 1.10
,Shellshock: Multiple CVEs
, andHeartbleed: CVE-2014-0160
have been deprecated. - Default system policy deletion is prohibited in fresh installations of 65 or greater. If the initial installation was done in a version lower than 65, then default policies can be deleted even after an upgrade to 65 or greater.
Analyst
permission set and corresponding role will no longer haveDebugLogs
permission. The only default role with this permission will beAdmin
role.- The "Mount Docker Socket" policy has been renamed to "Mount Container Runtime Socket" and will now also detect if a deployment mounts the CRI-O socket for both Kubernetes and OpenShift.
- The policy "Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches" is now disabled by default
- Alpine-based images are now deprecated and all images will be based on UBI. main-rhel will continue to be pushed for consistency.
- Added
central.tolerations
,scanner.tolerations
andscanner.dbTolerations
to thestackrox-central-services
Helm chart - Added
sensor.tolerations
andadmission-control.tolerations
to thestackrox-secured-cluster-services
Helm chart - Operator now supports
tolerations
forCentral
andSecuredCluster
- Operator now supports disabling the admin password generation by setting Central's option
adminPasswordGenerationDisabled
totrue
. - Roxctl now supports shell completion for bash, zsh, fish and powershell
- Added
roxctl central debug authz-trace
command. It streams built-in authorizer traces for all incoming requests. - Operator defaults changed for
SecuredCluster
fieldsspec.admissionControl.listenOnCreates
andspec.admissionControl.listenOnUpdates
fromfalse
totrue
. This should not affect these settings in existingSecuredCluster
resource instances where the previous default had already been applied at instance creation (this typically happens when creating the resource from the OpenShift console). In some circumstances (for example if the instance was created without aspec.admissionControl
section from the CLI), the default might not have been applied: a symptom of this is that the fields are not shown when printing the object. In these cases this update will change the behaviour of admission controller. - Scanner no longer supports Oracle Linux
- Added component
Active
state to individual component and list of components under Vulnerability Management within the scope of a specific deployment. The Active state can be:Undetermined
: the component is not detected to be run in the specific deployment.Active
: the component was run in the specific deployment.
- Starting 65.0, default system policies' criteria fields are read-only. This applies to all default system policies included in fresh install of 65.0 and later, and new default system policies added since 65.0. Policy criteria fields for user-defined policies, created through 'New' and 'Clone' operation, will continue to be editable.
- Newly added MITRE ATT&CK policy section is read-only for default system policies. MITRE ATT&CK section for user-defined policies, created through 'New' and 'Clone' operation, will continue to be editable.
- Alert titles for the PagerDuty, Slack, Microsoft Teams, JIRA and email notifiers now contain the cluster and policy names in addition to the deployment or image name if it exists.
- PagerDuty alerts for violations now include the full alert JSON as a custom detail.
- Message attribute keys for audit log based violation messages shortened to be more readable
- Cluster internal endpoints set to
*.svc
to be respected by OpenShift's cluster widenoProxy
configurationsensor.stackrox
changed tosensor.stackrox.svc
central.stackrox
changed tocentral.stackrox.svc
scanner.stackrox
changed toscanner.stackrox.svc
scanner-db.stackrox
changed toscanner-db.stackrox.svc
- Increased Operator memory requests from 80 MiB to 200 MiB and memory limits from 300 MiB to 1 GiB. The latter is to prevent operator restarts due to OOM on certain deployments.
- Customer advisory: Default system policies
DockerHub NGINX 1.10
,Shellshock: Multiple CVEs
, andHeartbleed: CVE-2014-0160
will be deprecated starting release66.0
.
- Cluster internal endpoints set to
*.svc
to be respected by OpenShift's cluster widenoProxy
configurationsensor.stackrox
changed tosensor.stackrox.svc
central.stackrox
changed tocentral.stackrox.svc
scanner.stackrox
changed toscanner.stackrox.svc
scanner-db.stackrox
changed toscanner-db.stackrox.svc
- Increased Operator memory requests from 80 MiB to 200 MiB and memory limits from 300 MiB to 1 GiB. The latter is to prevent operator restarts due to OOM on certain deployments.
- Support for BadgerDB is being completely removed. Users running a version less than 48.0 will need to upgrade to 63.0 prior to upgrading to 64.0. All backups taken prior to version 48.0 cannot be restored to 64.0 and newer.
- The
/v1/namespaces
endpoint now accepts pagination query parameters. - Message attribute keys for audit log based violations changed to use capital case instead of lowercase in API response.
- On OpenShift, the names of all
SecurityContextConstraint
(SCC) resources are now prefixed withstackrox-
.
- Cluster internal endpoints set to
*.svc
to be respected by OpenShift's cluster widenoProxy
configurationsensor.stackrox
changed tosensor.stackrox.svc
central.stackrox
changed tocentral.stackrox.svc
scanner.stackrox
changed toscanner.stackrox.svc
scanner-db.stackrox
changed toscanner-db.stackrox.svc
- Increased Operator memory requests from 80 MiB to 200 MiB and memory limits from 300 MiB to 1 GiB. The latter is to prevent operator restarts due to OOM on certain deployments.
- Clusters now can have labels.
- Role is now a combination of a permission set and an optional access scope.
- API changes/deprecations:
AuthService(/v1/auth/status)
:user_info.permissions.name
anduser_info.permissions.global_access
are deprecated, useuser_info.roles
instead.CreateRole(POST /v1/roles/{name})
,UpdateRole(PUT /v1/roles/{name})
: specifyingresource_to_access
is disallowed,permission_set_id
must be provided instead.GetRoles(GET /v1/roles)
,GetRole(GET /v1/roles/{name})
:resource_to_access
is never set, usepermission_set_id
instead.- In the GraphQL API,
Role { resourceToAccess: [Label!]! }
is deprecated, usePermissionSet { resourceToAccess: [Label!]! }
instead. - In the GraphQL API,
Role { globalAccess: Access! }
is deprecated with no replacement intended.
- The operator now sets dynamic admission control settings (
enforceOnCreates
,enforceOnUpdates
) based onspec.admissionControl.listenOn*
in theSecuredCluster
resource.
- Cluster internal endpoints set to
*.svc
to be respected by OpenShift's cluster widenoProxy
configurationsensor.stackrox
changed tosensor.stackrox.svc
central.stackrox
changed tocentral.stackrox.svc
scanner.stackrox
changed toscanner.stackrox.svc
scanner-db.stackrox
changed toscanner-db.stackrox.svc
- Increased Operator memory requests from 80 MiB to 200 MiB and memory limits from 300 MiB to 1 GiB. The latter is to prevent operator restarts due to OOM on certain deployments.
- Fixed RHSA-2021:2569, RHSA-2021:2574, RHSA-2021:2575, RHSA-2021:2717, RHBA-2021:2581 in RHEL images.
- Scanner now supports alpine:edge and alpine:3.14.
- Scan results for alpine 3.2 - 3.7 were marked as stale before. It has since become clear that there are still updates to the secdb for these versions, so they are no longer marked stale.
- The
ROX_ALERT_RENOTIF_DEBOUNCE_DURATION
can be set to a duration (see https://golang.org/pkg/time/#ParseDuration for supported syntax), and if set, then duplicate notifications for deploy-time alerts for the same deployment-policy pair will not be sent if the previous alert was resolved more recently than the debounce duration. - Scanner now supports alpine:edge.
globalAccess
field in roles is no longer supported- Policy matching on all fields has been made case-insensitive. For example, if you set "Volume Type" to "hostpath", that will match volumes that are "HostPath".
- Added the ability to make policies based on
Severity
(ROX-6639)- Added new default policy (disabled by default) for a
High
alert for fixable CVEs with severity at least Important (includes Important and Critical).
- Added new default policy (disabled by default) for a
- roxctl image scan --format {csv,pretty} are now sorted by layer and severity instead of layer and CVSS.
- Image risk is now calculated using a score assigned to the Severity Rating, opposed to using the CVSS score. Severity Rating is a more accurate measure of a vulnerability's risk. (ROX-7133)
- CVE Severity levels are now mapped to their respective Red Hat security ratings (https://access.redhat.com/security/updates/classification)
- StackRox Scanner passes Red Hat Scanner Certification
- Images based on RHEL base images created after June 2020 will be scanned in a certified manner.
- These images will say
rhel
as the OS instead ofcentos
. - Language-related files like JAR (Java), egg-info (Python) will only be scanned if they are not provided by RPM.
To determine if a file is provided by RPM, run
rpm -q --whatprovides <absolute filepath>
in the image.
- These images will say
- Older RHEL-based images will be scanned the traditional way.
- These images will continue to say
centos
is the base OS.
- These images will continue to say
- Images based on RHEL base images created after June 2020 will be scanned in a certified manner.
- StackRox Scanner now officially supports ubuntu:21.04 images
- Added
GET /v1/centralhealth/upgradestatus
endpoint to support upgrade rollback. - Scanner no longer supports RHEL/CentOS 5.
- Default value for
--json-fail-on-policy-violations
flag ofroxctl image check
changed fromfalse
totrue
.
- A few CVSS3.1 scores for applicable vulnerabilities were miscalculated, but it has since been fixed.
- Fixed CVE-2021-20305, RHSA-2021:1206 in RHEL scanner images
- Fixed Java package scanning when the package has the word "agent"
- The product no longer requires a license to run. Several license-related functionalities and flags have been removed from the product and related tooling, as well as from the Helm charts.
- Components now have
Fixed By
field that indicates the version that will fixes all the fixable vulnerabilities in the component.- Note:
- It is supported only when StackRox Scanner is used.
- It is not namespaced to distro.
- Note:
- Added upgrade rollback function. By default, users may rollback to their previous version if upgrade fails before Central has started.
After services started, users must explicitly specify the version they are rolling back to in central config
maintenance.forceRollbackVersion
. - Added a
central.exposeMonitoring
option to the Central Services Helm chart, which, when set totrue
, allows exposing a/metrics
endpoint on port 9090.
- The published time for CVEs in RHEL and CentOS images is now populated correctly.
- Secured clusters deployed via Helm with
helmManaged
set tofalse
can now be used with cluster init bundles, creating a new cluster within StackRox on-the-fly. Previously,helmManaged=false
only worked with certificates that were specific to an existing cluster. roxctl central generate openshift
androxctl sensor generate openshift
now accept an--openshift-version
flag, which can be set to the major version (3
or4
) of the OpenShift platform to deploy on. By default, deployment files are generated in a compatibility mode that works on OpenShift 3.11 as well as 4.x. When deploying to a cluster running a recent OpenShift version, set this flag to4
in order to take advantage of features only supported on OpenShift 4.x.
-
Page titles now reflect the URL location of the user within the app in the browser tab and history.
-
SAML authentication providers:
- When using the "Dynamic configuration" option, the
IdP Metadata URL
can now specify a scheme ofhttps+insecure://
to instruct StackRox to skip TLS validation when fetching the metadata. It is strongly advised to limit the use of this to testing environments. - When using the "Static configuration" option, the
IdP Certificate(s) (PEM)
option now supports specifying multiple PEM-encoded certificates.
- When using the "Dynamic configuration" option, the
-
When creating a new Role, Namespace and Node have been added to the default minimal access specification.
-
Admission Control health status is now available as part of Cluster Health in System Health, and in the in the Platform Configuration -> Clusters View.
-
roxctl image check
now has a--json-fail-on-policy-violations
flag. Its current default value isfalse
which preserves the legacy behavior of--json
flag: the command does not exit with an error code, even if policy violations are present.This default value of
false
is also now deprecated and will change in three releases. -
New default policies:
- Added default policies for Docker CIS checks
- 4.1
- 4.4
- 4.7
- 5.1
- 5.7
- 5.9
- 5.15
- 5.16
- 5.19
- 5.20
- 5.21
- Added default policies for Docker CIS checks
-
Splunk alert events send to HEC will no longer include policy description, remediation and rationale in order to allow for more violations underneath the HEC limit.
-
The ROX_NETWORK_DETECTION_BASELINE_VIOLATION feature flag is now on by default: a deployment with network flows that are outside of its network baseline can now raise violations
-
New roxctl option for roxctl image check: --categories. Specifying a comma separated list of categories will only run policies with categories in the specified list.
- The
/v1/metadata
endpoint redacts version information from unauthenticated users. - API changes/deprecations:
/db/backup
is deprecated; please use/api/extensions/backup
instead.- In the GraphQL API,
ProcessActivityEvent { whitelisted: Boolean! }
is deprecated, useProcessActivityEvent { inBaseline: Boolean! }
instead. - In the GraphQL schema, the type name
Policy { whitelists: [Whitelist]! }
changes toPolicy { whitelists: [Exclusion]! }
preserving the existing structure and field names. - In the GraphQL API,
Policy { whitelists: [Whitelist]! }
is deprecated, usePolicy { exclusions: [Whitelist]! }
instead. PolicyService(/v1/policies/*)
: in all affected responses,Policy.whitelists
is now always empty, usePolicy.exclusions
instead. This is because the current policy version has been updated to "1.1" which deprecates thePolicy.whitelists
field. All previous policy versions are still accepted as input.- Deprecated
includeCertificates
flag in/v1/externalbackups/*
. Certificates are included in central backups by default for both new and existing backup configs.
- Admission controller service will be deployed by default in new k8s and Openshift clusters. The validating webhook configuration for exec and port forward events is not supported on and hence will not be deployed on OpenShift clusters.
roxctl image check
now has a--send-notifications
flag, which will send notifications for build time alerts to the notifiers configured in each violated policy.roxctl central db backup
is deprecated; please useroxctl central backup
instead.- The following roxctl flags have been deprecated for the command
sensor generate
:--create-admission-controller
(replaced by--admission-controller-listen-on-creates
)--admission-controller-enabled
(replaced by--admission-controller-enforce-on-creates
)
- Added retry flags to
roxctl image scan
,roxctl image check
, androxctl deployment check
:- Introduced two new flags,
--retries
and--retry-delay
, that change how the commands deal with errors --retries 3 --retry-delay 2
will retry the command three times on failure with two seconds delay between retries- As the default value for
retries
is 0, the behaviour of the commands is unchanged if the flag is not used
- Introduced two new flags,
- Added a new flag
--admission-controller-listen-on-events
toroxctl sensor generate k8s
androxctl sensor generate openshift
, that controls the deployment of the admission controller webhook which listens on Kubernetes events like exec and portforward. Default value istrue
forroxctl sensor generate k8s
and false forroxctl sensor generate openshift
.
- Added option to backup certificates for central.
- API changes/deprecations:
ProcessWhitelistService(/v1/processwhitelists/*)
: allprocesswhitelists/*
endpoints are deprecated, useprocessbaselines/*
instead.ResolveAlert(/v1/alerts/{id}/resolve)
:whitelist
is deprecated, useadd_to_baseline
instead.- In the
ListDeploymentsWithProcessInfo(/v1/deploymentswithprocessinfo)
response,deployments.whitelist_statuses
is deprecated, usedeployments.baseline_statuses
instead. ROX_WHITELIST_GENERATION_DURATION
environment variable is deprecated, useROX_BASELINE_GENERATION_DURATION
instead.
- [Security Advisory] Scanner was not validating Central client certificates allowing for intra-cluster unauthenticated users to initiate or get scans. This only affects environments without NetworkPolicy enforcement.
- Added ContainerName as one of the policy criteria
- Added support for ubuntu:20.10 in Scanner.
- Added support for distroless images in Scanner.
- UI: fix a browser crash when a port's exposure type is UNSET in the Deployment Details of a Risk side panel (ROX-5864)
- UI: remove "phantom" turndown triangle on Network Flows table rows that have only one bidirectional connection on the same port and protocol
- UI: fix pagination in Vuln Mmgt so that filtering a list by searching will reset the page number to 1 (ROX-5751)
- A new environment variable for Central ROX_NETWORK_ACCESS_LOG, defaulted to false, is available. When set to true, each network request to Central (via API, UI) is logged in the Central logs. Note: When turned on, this environment variable will cause noisy logging, and hence should be turned on only for the purpose of debugging network connectivity issues. Once network connectivity is established, we should advise to immediately set this to false to stop logging.
- Added Namespace as one of the policy criteria
- UI: Display full height of Vulnerability Management side panel in Safari (ROX-5771)
- Added a
--force-http1
option toroxctl
that will cause HTTP/2 to be avoided for all outgoing requests. This can be used in case of connectivity issues which are suspected to be due to an ingress or proxy. - UI: Fix bug where some policy criteria values, with equal signs, are parsed incorrectly (ROX-5767)
- UI: Do not display incomplete process status when Sensor Upgrade is up to date (ROX-5579)
- The minimum number of replicas for the Scanner Horizontal Pod Autoscaler has been set to 2 for better availability.
- The ROX_CONTINUE_UNKNOWN_OS feature flag is on by default in Scanner
- Scans done by StackRox Scanner on images whose OS cannot be determined will no longer fail if the image also has feature components. Instead, they will continue and give partial scan results.
- An example is the
fedora:32
image
- An example is the
- Scans done by StackRox Scanner on images whose OS cannot be determined will no longer fail if the image also has feature components. Instead, they will continue and give partial scan results.
- The default resource limit for Central has been changed to 4 cores. Please see the resource sizing guidelines in the help documentation for finer-grained settings.
- A new policy criteria on "Service Account" has been added which runs policy evaluation against the deployment's service account name.
- Use Red Hat CVSS scores instead of NVD for
rhel
andcentos
based images scanned by StackRox Scanner.- CVSS3 is used if it exists otherwise CVSS2 is used.
- Added support for .NET Core runtime CVEs (data from NVD).
- This affects images with .NET Core and/or ASP.NET Core runtime(s) installed
- UI: Update the Network Graph when a different cluster is selected (ROX-5662)
- Support sub-CVEs for RHEAs and RHBAs as well as RHSAs for rhel/centos-based images.
- Though it is not specified, it is possible RHEAs and RHBAs to have associated CVEs.
- The default policy "Required Label: Email" has been deprecated starting release 50.0.
- OIDC authentication providers: added support for two rarely-needed configuration options:
- The
Issuer
can now be prefixed withhttps+insecure://
to instruct StackRox to skip TLS validation when talking to the provider endpoints. It is strongly advised to limit the use of this to testing environments. - The
Issuer
can now contain a querystring (?key1=value1&key2=value2
), which will be appended as-is to the authorization endpoint. This can be used to customize the provider's login screen, e.g., by optimizing the GSuite login screen to a specific hosted domain via thehd
parameter, or to pre-select an authentication method in PingFederate via thepfidpadapterid
parameter.
- The
- In
GetImage(/v1/images/{id})
response, thevulns
fielddiscoveredAt
is replaced byfirstSystemOccurrence
starting release 49.0. This field represents the first time the CVE was ever discovered in the system. - In
GetImage(/v1/images/{id})
response, a new fieldfirstImageOccurrence
is added tovulns
which represents the first time a CVE was discovered in respective image. - The default for the
--create-upgrader-sa
flag has changed totrue
in both theroxctl sensor generate
and theroxctl sensor get-bundle
commands. In order to restore the old behavior, you need to explicitly specify--create-upgrader-sa=false
. - UI: Hovering over a node in the Network Graph will show that node's listening ports (ROX-5469)
- Fixed an issue on the API docs page where the left menu panel no longer scrolled independently of the main content.
- UI: Added
Scanner
to the image single page in Vuln Mgmt (ROX-5289) - In
v1/clusters
response,status.lastContact
has been deprecated, hence usehealthStatus.lastContact
instead. - UI: Disable the Next button when required fields are empty in the Cluster form (ROX-5519)
roxctl
can now be instructed to generate YAML files with support for Istio-enabled clusters, via the--istio-support=<istio version>
flag. Istio versions in the range of 1.0-1.7 are supported. The flag is available for the commandsroxctl central generate
,roxctl scanner generate
,roxctl sensor generate
, androxctl sensor get-bundle
. The interactive installer (roxctl central generate interactive
) will also prompt for this configuration option.- Support for enforcing policies on DeploymentConfig resources in Openshift.
- The following deprecated roxctl flags have been removed for the command
sensor generate
:--admission-controller
(replaced by--create-admission-controller
)--image
(replaced by--main-image-repository
)--collector-image
(replaced by--collector-image-repository
--runtime
(--collection-method
is to be used instead)--monitoring-endpoint
- UI: Hovering over a namespace edge in the Network Graph will show the ports and protocols for it's connections (ROX-5228).
- UI: Hovering over a namespace edge in the Network Graph will show a summary of the directionality of it's connections (ROX-5215)
- UI: Hovering over a node edge in the Network Graph will show the ports and protocols for it's connection (ROX-5227)
- UI: Platform Configuration > Clusters (ROX-5317)
- add 'Cloud Provider' column
- remove 'Current Sensor version' column
- replace 'Upgrade status' column with 'Sensor Upgrade' and add tooltip which displays 'Sensor version' and 'Central version'
- display cells in 'Sensor Upgrade' columns with same style as adjacent new Cluster Health columns
- UI: Added a toggle in the Network Policy Simulator in Network Graph to exclude ports and protocols (ROX-5248).
- UI: Platform Configuration > Clusters: Make CertificateExpiration look similar to recently improved Sensor Upgrade style and future cluster health style (ROX-5398)
- Red X icon at left of phrase for less than 7 days (for example, in 59 minutes, in 7 hours, in 6 days on Friday)
- Yellow triangle icon at left of phrase for less than 30 days (for example, in 29 days on 7/31/2020)
- Green check icon at left of other phrases (for example, in 1 month on 7/31/2020, in 2 months)
- UI and strings from API: Replace term 'whitelist' with 'excluded scope' in policy context, and 'baseline' in process context (ROX-5315, ROX-5316)
- UI: Deployment Details in the Violations Side Panel now shows full deployment data if available. If not, a message will appear explaining that the deployment no longer exists.
- UI: When selecting a deployment in the Network Graph, the Network Flows table will now show some additional information: traffic, deployment name, namespace name, ports, protocols, connection type (ROX-5219)
- In
v1/clusters
response,healthStatus.lastContact
field is added that represents last time sensor health was probed (aka last sensor contact).status.lastContact
will be deprecated starting release 49.0, hence usehealthStatus.lastContact
instead. - When attempting to scan an image, we now send back error messages under any of the following conditions:
- no registries integrated
- no matching registries found
- no scanners integrated
- In
GetImage(/v1/images/{id})
response, thevulns
fielddiscoveredAt
will be replaced byfirstSystemOccurrence
starting release 49.0. This field represents the first time the CVE was ever discovered in the system.
-
Configuration Management tables (except for Controls and Policies) are now paginated through the API, rather than loading all rows into the browser, for better performance in large environments (ROX-5067).
-
Added a global flag
--token-file
to roxctl causing an API token to be read from the specified file (ROX-2319). -
Added strict validation for env var policies such that policies with non-raw sources must not specify expected values (ROX-5208). This change introduces a breaking adjustment to the
/v1.PolicyService/PostPolicy
RPC, with existing REST clients remaining unaffected. -
Emit warning if the default value for flag
--create-updater-sa
is used in roxctl (ROX-5264). -
New parameter
default
for flag--collection-method
. -
UI: Omit Cluster column from Deployments list when entity context includes Namespace (ROX-5207)
-
The help output of
roxctl
commands mentions implicit defaults for optional flags. -
UI: Fix a regression, where CSVs for a Compliance standard, or for a Cluster viewed in Compliance, were not scoped to the particular filter (ROX-5179)
-
The following command line flags of
roxctl
have been deprecated:- Flag
--image
forroxctl sensor generate
. Use--main-image-repository
instead. - Flag
--collector-image
forroxctl sensor generate
. Use--collector-image-repository
instead. - Flag
--admission-controller
forroxctl sensor generate k8s
. Use--create-admission-controller
instead.
The old flags are currently still supported but they are scheduled for removal in a future version of
roxctl
. - Flag
-
UI: Added arrows to indicate directionality (ingress/egress) for Network Graph connections between deployments (ROX-5211).
-
UI: Added
Image OS
to the image list and image single page in Vuln Mgmt (ROX-4083). -
Added the ability to make policies based on
Image OS
(ROX-4083). -
roxctl image scan and /v1/image/ no longer return snoozed CVEs as a part of their output. The
include-snoozed
command line parameter and theincludeSnoozed
query parameter respectively can be used to include all CVEs. -
The 'namespace.metadata.stackrox.io/id' label is now removed in order to better support Terraform cluster management.
-
UI: Hovering over a deployment in the Network Graph will show the ports and protocols for it's ingress/egress network flows (ROX-5226).
-
Adding the annotation
auto-upgrade.stackrox.io/preserve-resources=true
on thesensor
deployment and thecollector
daemonset will cause the auto-upgrader to preserve any overridden resource requests and limits whenever an upgrade is performed.
- Added the following REST APIs:
- PATCH
/v1/notifiers/{id}
modifies a given notifier, with optional stored credential reconciliation. - POST
/v1/notifiers/test/updated
checks if the given notifier is correctly configured, with optional stored credential reconciliation. - PATCH
/v1/scopedaccessctrl/config/{id}
modifies a given scoped access control plugin, with optional stored credential reconciliation. - POST
/v1/scopedaccessctrl/test/updated
checks if the given scoped access control plugin is correctly configured, with optional stored credential reconciliation - PATCH
/v1/externalbackups/{id}
modifies a given external backup, with optional stored credential reconciliation. - POST
/v1/externalbackups/test/updated
checks if the given external backup is correctly configured, with optional stored credential reconciliation.
- PATCH
- UI: Reset page to 1 when sort fields change (ROX-4267)
- Add a tcp prefix to the spec.Ports.name for the scanner-db service. Istio uses this name for protocol detection.
- Customer advisory: The default policy "Required Label: Email" will be deprecated starting release 48.0
- RocksDB is set as the default DB and completely replaces BadgerDB and replaces a majority of BoltDB. This should make Central significantly more performant. Users may see slowness during startup on initial upgrade as the data is being migrated.
- Added UI to show cluster credential expiry in the cluster page (ROX-5034).
- UI: The deployment event timeline should now visibly group events that would otherwise overlap. The grouped events will show a number in the top right that indicates how many events were grouped. Clicking on the icon will show an interactive tooltip that displays information for each event in a scrollable manner (ROX-5190).
- UI: Under Vulnerability Management, update "Deployment Count" column on policy entity list pages to show failing deployments count instead of all applicable deployments count (ROX-5176).
- StackRox now supports the Garden Linux operating system. Previous, collector pods would enter a crash loop when deployed on Garden Linux nodes.
- Default policies that have been excluded for the kube-system namespace, have now been additionally excluded for the istio-system namespace.
- Default integration added for public Microsoft Container Registry
- Heads up advisory on
roxctl sensor generate k8s
command option changes slated for release in 47.0:admission-controller
option will be renamed tocreate-admission-controller
- The default for
create-upgrader-sa
will change totrue
- The default for
collection-method
will change toKERNEL_MODULE
- Deprecated option
runtime
will be removed image
option will be renamed tomain-image-repository
collector-image
option will be renamed tocollector-image-repository
monitoring-endpoint
option, which has already been deprecated, will be removed
- Add CVE Type to CVE list and overview pages (ROX-4482)
- UI: Open API Reference in current Web UI browser tab instead of a new tab and replace Help Center popup menu with two half-height links in left navigation for API Reference and Help Center (ROX-2200)
- UI: Move Images link on VM dashboard out of Applications menu, and into tile like Policies and CVEs link (ROX-5052)
- UI: Add Disable TLS Certificate Validation (Insecure) toggle for JFrog Artifactory registry in Platform Configuration > Integrations > New Integration (ROX-5031)
- UI: Add Disable TLS Certificate Validation (Insecure) toggle for Anchore Scanner, CoreOS Clair (Scanner), and Quay.io (Registry + Scanner) in Platform Configuration > Integrations > New Integration (ROX-5084)
- Added the ability to make secret creation for sensor, collector and admission controller optional when deploying using Helm charts.
- Added native Google Cloud Storage (GCS) external backup. This should now be the preferred way to backup to GCS as opposed to using the S3 integration because S3 upload to GCS is incompatible with large databases.
- The Central and Migrator binaries are now compiled without AVX2 instructions, which fixes an Illegal Instruction issue on older CPUs. SSE4.2 instructions are still used, which mean the lowest supported Intel processor is SandyBridge (2011) and the lowest supported AMD processor is BullDozer (2011).
- Previously, a scan for an image that may have been retagged (e.g. using the latest tag) would return a stale scan if it had been previously scanned.
- UI: In Platform Configuration > Interactions: 1. replace "AWS ECR" with "Amazon ECR" and 2. replace "S3" (and "AWS S3" placeholder for Integration Name in New Integration pane) with "Amazon S3" (ROX-4912)
- Docker Registry Integration now doesn't require entering password every time an existing integration is tested or updated (part of ROX-4539).
- UI: Replace
Page 1 of 0
withPage 1 of 1
for 0 results in table pagination (ROX-1072) - Added
ExportPolicies(POST /v1/policies/export)
API which accepts a list of policy IDs and returns a list of json policies - Added
ImportPolicies(POST /v1/policies/import)
API which accepts a json list of policies, imports them into your StackRox installation, and returns a list with success/failure details per policy - Added UI to export a single policy from the policy details on the System Policies page
- Added UI to import a single policy from the System Policies page
- Sensor resource requests and limits have been increased to 1 core / 1GB and 2 cores / 4GB respectively.
- Added User Page in UI to show current User Permissions and Roles
roxctl
commands now gives users an error message when unexpected arguments are given (ROX-4709)- UI: In Platform Configuration > Roles and Permissions > Add New Role form: 1. disable the Save button when required Role Name is empty; 2. display
(required)
at the right of the Role Name label with gold warning color if the input box is empty, otherwise with gray color (ROX-1808) - UI: Increase timeout for Axios-fetch for GraphQL endpoint, to allow Vuln Mgmt pages in large-scale customer environments to load (ROX-4989)
- Detection APIs were not properly handling suppressed CVEs and they were being included in evaluation. This is now resolved.
- Previously, the Scanner deployment did not mount the additional CA secret and thus would fail to scan self-signed registries. This is resolved.
- AWS S3 and AWS ECR integrations now accept an endpoint to work with non public AWS endpoints.
- UI: Fixed the display of the Privileged field when viewing a policy in the Vulnerability Management section (ROX-4752)
- API changes/deprecations related to supporting multiple roles:
GenerateToken(/v1/apitokens/generate)
: the singularrole
field in the request field is deprecated; please use the array fieldroles
.GetAPIToken(/v1/apitokens/{id})
,GetAPITokens(/v1/apitokens)
: the singularrole
field in the response payload is deprecated; please use the array fieldroles
.- Audit logs: the singular
user.role
field in the audit message payload is deprecated; please use the singularuser.permissions
field for the effective permissions of the user, and the array fielduser.roles
for all the the individual roles associated with a user.
- The Compliance container within the Collector daemonset now has a hostpath of '/', which is needed to be able to read configuration files anywhere on the host. This requires the allowedHostVolumes within the stackrox-collector PSP to allow '/' to be mounted. For added security, the PSP has set '/' as readonly and the Collector container's docker socket mount has also been set to readonly.
- All
/v1/
API endpoints now support pretty-printing. Make requests with the?pretty
path parameter to receive pretty-printed json responses. - UI: added "Deployment Name" property in side panel for Deployment Details on Violations and Risk pages.
- UI: In the Risk view, the URL now includes any search filters applied. You can now share the link and see the same filtered view.
- UI: In the Config Management section, fixed a UI crash issue when going from a single image view within containing context, like a single cluster, down to that image's deployments. (ROX-4543)
- UI: In the Platform Configuration -> Clusters view, the text “On the latest version” has been changed to “Up to date with Central version” (ROX-4739).
SuppressCVEs(/v1/cves/suppress)
endpoint now only supports cve suppression/snoozing.SuppressCVEs(/v1/cves/suppress)
endpoint now supports cve suppression/snoozing for specific duration.- Added
UnsuppressCVEs(/v1/cves/unsuppress)
endpoint to support cve un-suppression/un-snoozing. - Changed central and sensor's SecurityContextConstraint (SCC) priority to 0 for OpenShift, so that they don't supercede default SCCs.
- Updated RHEL base images from UBI7.7 to UBI8.1
- Added the ability to customize the endpoints exposed by Central via a YAML-based configuration file.
- Added a Required Image Label policy type. Policies of this type will create a violation for any deployment containing images that lack the required label. This policy type uses a regex match on either the key or the key and the value of a label.
- Added a Disallowed Image Label policy type. Policies of this type will create a violation for any deployment containing images with the disallowed label. This policy type uses a regex match on either the key or the key and the value of a label.
- Collector images shipped with versions of the StackRox platform prior to this were affected by CVE-2019-5482, CVE-2019-5481 and CVE-2019-5436. The cause was an older version of curl that was vulnerable to buffer overflow and double free vulnerabilities in the FTP handler. We have upgraded curl to a version that does not suffer from these vulnerabilties. The curl program is only used to download new collector modules from a fixed set of URLs that do not make use of FTP, therefore according to our assessment there never existed a risk of an attacker exploiting this vulnerability.
- The
-e
/--endpoint
argument ofroxctl
now supports URLs as arguments. The path in this URLs must either be empty or/
(i.e.,https://central.stackrox
andhttps://central.stackrox/
are both allowed, whilehttps://central.stackrox/api
is not). If this format is used, the URL scheme determines whether or not an unecrypted (plaintext) connection is established; if the--plaintext
flag is used explicitly, its value has to be compatible with the chosen scheme (e.g., specifying anhttps://
URL along with--plaintext
will result in an error, as will ahttp://
URL in conjunction with--plaintext=false
). - Detection and image enrichment have been moved to the individual Sensor clusters. Sensor will proxy image scan requests through Central and then run detection to generate both runtime and deploytime alerts. These alerts are sent to Central and any enforcement if necessary will be executed by Sensor without a roundtrip to Central.
roxctl central cert
can be used to download Central's TLS certificate, which is then passed toroxctl --ca
.- The Scanner deployment has been split into two separate deployments: Scanner and Scanner DB. The Scanner deployment is now controlled by a Horizontal Pod Autoscaler (HPA) that will automatically scale up the scanner as the number of requests increase.
- Added a feature to report telemetry about a StackRox installation. This will default to off in existing installations and can be enabled through the System Configuration page.
- Added a feature to download a diagnostic bundle. This can be accessed through the System Configuration page or through
roxctl central debug download-diagnostics
- A new
ScannerBundle
resource type (for the purposes of StackRox RBAC) is introduced. The resource definition for this is: Read permission: Download the scanner bundle (withroxctl scanner generate
) Write permission: N/A - Related to above,
roxctl scanner generate
now requires users to have read permissions to the newly createdScannerBundle
resource. Previously, this endpoint was accessible to any authenticated user. - OIDC auth providers now support refresh tokens, in order to keep you logged in beyond the ID token expiration time configured in your identity provider (sometimes only 15 minutes or less). In order to use refresh tokens, a client secret must be specified in the OIDC auth provider configuration.
- UseStartTLS field in the Email notifier configuration has been deprecated in lieu of an enum which supports several different authentication methods
roxctl central generate k8s
androxctl central generate openshift
no longer contain prompts for the monitoring stack because it is now deprecated- The scanner v2 preview is now removed
- The scanner's updater now pulls from https://definitions.stackrox.io, and not https://storage.googleapis.com/definitions.stackrox.io/ like it previously would.
- Fixed https://stack-rox.atlassian.net/browse/ROX-3985.
- Collector images shipped with versions of the StackRox platform prior to this were affected by CVE-2017-14062. The cause was an older version of libidn (parsing of internationalized domain names) that was vulnerable due to a possible buffer overflow. We have upgraded libidn to a version that no longer suffers from this vulnerability. Since libidn is only used by curl, and curl is only used to download new collector modules from a fixed set of URLs that do not make use of international domain names, according to our assessment there never existed a risk of an attacker exploiting this vulnerability.
- Added a REST endpoint
/v1/group
that can be used to retrieve a single group by exact property match (cf. ROX-3928). - Scanner version updated to 2.0.4
- Collector version updated to 3.0.2
- The "NIST 800-190" standard has been renamed to "NIST SP 800-190", for correctness. The ID continues to be the same, so no API calls will need to be updated. Existing data will be preserved and available on upgrade.
- Added a
roxctl sensor get-bundle <cluster-name-or-id>
command to download sensor bundles for existing clusters by name or ID.
- Removed the endpoints
GET /v1/complianceManagement/schedules
,POST /v1/complianceManagement/schedules
,POST /v1/complianceManagement/schedules/{schedule_id}
, andDELETE /v1/complianceManagement/schedules/{schedule_id}
. These were purely experimental and did not function correctly. They were erroneously included in the public API specification. - All YAML files have been updated to no longer reference the deprecated
extensions/v1beta1
API group. Previously, we used these API versions for deployments, daemonsets and pod security policies. This should have no effect on existing installs, but will mean that new installs can successfully install on Kube 1.16.
- Proxy configuration can now be changed at runtime by editing and applying
proxy-config-secret.yaml
in the cluster where central and scanner run (ROX-3348, #3994, #4127). - The component object within the image object now contains a field "Source", which indicates how the component was identified. Components derived from package managers will have the type "OS" whereas components derived from language analysis will have the language as the source (e.g. PYTHON).
- Images based on the Red Hat Universal Base Image (UBI) are published in stackrox.io/main-rhel, stackrox.io/scanner-rhel, stackrox.io/scanner-db-rhel and collector.stackrox.io/collector-rhel repositories. These images are functionally equivalent to our regular images and use the same version tags.
- Policy excluded scopes are now shown in the UI. Previously, we only showed excluded deployment names, and not the entire structure that was actually in the policy object. This means that users can now exclude by cluster, namespace and labels using the UI.
- There now exists a
roxctl collector support-packages upload <file>
command, which can be used to upload files from a Collector runtime support package to Central (e.g., kernel modules, eBPF probes). Assuming that Collectors can talk to Sensor, and Sensor can talk to Central, Collectors can then download these files they require at runtime from Central, even if none of the components has access the internet. Refer to the official documentation or contact StackRox support for information on obtaining a Collector support package. - The
roxctl image scan
command now has a--force
flag, which causes Central to re-pull the data from the registry and the scanner.
- Both the
runAsUser
andfsGroup
for the central deployment are now 4000. This required changes in the the pod security policy, and the OpenShift Security Context Contraint (scc) objects. If you are upgrading from a previous version, please refer to the upgrade instructions on how to apply these changes to your existing deployment, pod security policy and OpenShift scc objects. - CVEs with a CVSS score of 0 will now be displayed as "Pending" in the UI because it indicates that a CVE is still being analyzed or the CVE has been disputed. The API will continue to return a CVSS score of 0.
- Scopes now include support for Regex on the namespace and label fields including both Policy Scope and Exclusion Scope. The supported Regex syntax can be found here: https://github.com/google/re2/wiki/Syntax.
- The
validated
field in an auth provider is deprecated and will be removed in 3 releases. Please use theactive
field instead. - RHSA vulnerabilities will now be displayed with the highest CVSS score from the CVEs it references. The referenced CVEs will now also be available. (ROX-3519, ROX-3550; d36f2ccf)
GetRisk(/v1/risks/{subjectType}/{subjectID})
endpoint is removed. For obtaining deployment risk, useGetDeploymentWithRisk(/v1/deploymentswithrisk/{id})
. (8844549b)
- The port used for prometheus metrics can now be customized with the environment variable
ROX_METRICS_PORT
. Supported options includedisabled
,:port-num
(will bind to wildcard address) andhost_or_addr:port
. IPv6 address literals are supported with brackets, like so:[2001:db8::1234]:9090
. The default setting is still:9090
. (ROX-3209) - The
roxctl sensor generate
androxctl scanner generate
subcommands now accept an optional--output-dir <dir>
flag that can be used to extract the bundle files to a custom directory. (ROX-2529) - The
roxctl central debug dump
subcommand now accepts an optional--output-dir <dir>
flag that can be used to specify a custom directory for the debug zip file. - The format of collector tags changed from
<version>
to<version>-latest
. This tag references a mutable image in canonical upstream repository (collector.stackrox.io/collector
) that will get updated whenever kernel modules/eBPF probes for new Linux kernel versions become available. This decreases the need to rely on module downloads via the internet. If you configure StackRox to pull collector images from your private registry, you need to configure a periodic mirroring to take advantage of this effect.
roxctl
can now talk to Central instances exposed behind a non-gRPC-capable proxy (e.g., AWS ELB/ALB). To support this, requests go through an ephemeral client-side reverse proxy. If you observe any issues withroxctl
that you suspect might be due to this change, pass the--direct-grpc
flag to resort to the old connection behavior.roxctl
can now talk to Central instances exposed via plaintext (either directly, or via a plaintext proxy talking to a plaintext or TLS-enabled backend). While we advise against this, this behavior can be enabled via the--plaintext
flag in conjunction with the--insecure
flag.roxctl
now has a--tolerations
flag that is true by default, and can be set to false to disable tolerations for tainted nodes from being added intosensor.yaml
. If the flag is set to true, collectors will be deployed to and run on all nodes of the cluster.- Changes to default TLS cert and
htpasswd
secrets (central-default-tls-cert
andcentral-htpasswd
) are now picked up automatically, without needing to restart Central. Note that Kubernetes secret changes may take up to a minute to get propagated to the pod.
TriggerRun(/v1/complianceManagement/runs)
endpoint is removed. All clients should useTriggerRuns(/v1/compliancemanagement/runs)
to start a compliance run.- The EmitTimestamp field that was unset in the ProcessIndicator resource has been removed
- Link field is removed from the violation message
- The Prometheus scrape endpoint has been moved from localhost:9090 to :9090 so users can use their own Prometheus installations and pull StackRox metrics.
- UpdatedAt in the deployment object has been corrected to Created
- Reprocessing of deployments and images has been moved to an interval of 4 hours
- Improved user experience for
roxctl central db restore
:- Resuming restores is now supported, either after connection interruptions (automatic) or
after terminating
roxctl
(manual). In the latter case, resuming is performed automatically by invokingroxctl
with the same database export file. - The
--timeout
flag now specifies the relative time (from the start of theroxctl
invocation) after whichroxctl
will no longer automatically try to resume restore operations. This does not affect the restore operation on the server side, it can still be resumed by restartingroxctl
with the same parameters. - Restore operations cannot be resumed across restarts of the Central pod. If a restore operation is interrupted, it must be resumed within 24 hours (and before Central restarts), otherwise it will be canceled.
roxctl central db restore status
can be used to inspect the status of the ongoing restore process, if any.roxctl central db restore cancel
can be used to cancel any ongoing restore process.- The
--file
flag is deprecated (but still valid). The preferred invocation now isroxctl central db restore <file>
instead ofroxctl central db restore --file <file>
. If for any reason the name of the database export file isstatus
orcancel
, insert an--
in front of the file name, e.g.,roxctl central db restore -- status
.
- Resuming restores is now supported, either after connection interruptions (automatic) or
after terminating
roxctl central db backup
now supports an optional--output
argument to specify the output location to write the backup to.
roxctl sensor generate openshift
can be used to generate sensor bundles for OpenShift clusters from the command line.
- Removed DebugMetrics resource.
Only users with Admin role can access
/debug
endpoint. Note: This is also applicable with authorization plugin for scoped access control enabled. - Due to the addition of the
roxctl sensor generate openshift
command, the--admission-controller
flags that are exclusive to Kubernetes (non-OpenShift,k8s
) clusters must be specified after thek8s
command. For example,roxctl sensor generate --admission-controller=true k8s
is no longer a legal invocation; useroxctl sensor generate k8s --admission-controller=true
instead.
- Queries against time fields involving a duration have now flipped directionality to a more intuitive way.
Previously, searching
Image Creation Time: >3h
would show all images created after 3 hours before the current time; now, it shows all images created more than three hours ago -- that is, before the moment in time 3 hours before the current time. - Removed the
/v1/deployments/metadata/multipliers
API. User defined risk multipliers will no longer be taken into account.
- Installer prompt to configure the size of the external volume for central.
- Prometheus endpoint changed from https://localhost:8443 to http://localhost:9090.
- Scanner is now given certificates, and Central<->Scanner communication secured via mTLS.
- Central CPU Request changed from 1 core to 1.5 cores
- Central Memory Request changed from 2Gi to 4Gi
- Sensor CPU Request changed from .2 cores to .5 cores
- Sensor Memory Request changes from 250Mi to 500Mi
- Sensor CPU Limit changed from .5 cores to 1 core
- Default size of central's PV changed from 10Gi to 100Gi.