StackRox Kubernetes Security Platform v3.74.1 releases

StackRox Kubernetes Security Platform

The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment. StackRox integrates with every stage of the container lifecycle: build, deploy, and runtime.

The StackRox Kubernetes Security platform is built on the foundation of the product formerly known as Prevent, which itself was called Mitigate and Apollo. You may find references to these previous names in the code or documentation.

Dependencies and Recommendations for Running StackRox

The following information has been gathered to help with the installation and operation of the open source StackRox project. These recommendations were developed for the Red Hat Advanced Cluster Security for Kubernetes product and have not been tested with the upstream StackRox project.

Recommended Kubernetes Distributions

The Kubernetes Platforms that StackRox has been deployed onto with minimal issues are listed below.

• Red Hat OpenShift Dedicated (OSD)
• Azure Red Hat OpenShift (ARO)
• Red Hat OpenShift Service on AWS (ROSA)
• Amazon Elastic Kubernetes Service (EKS)
• Google Kubernetes Engine (GKE)
• Microsoft Azure Kubernetes Service (AKS)

If you deploy into a Kubernetes distribution other than the ones listed above you may encounter issues.

Recommended Operating Systems

StackRox is known to work on the recent versions of the following operating systems.

• Ubuntu
• Debian
• Red Hat Enterprise Linux (RHEL)
• CentOS
• Fedora CoreOS
• Flatcar Container Linux
• Google COS
• Amazon Linux
• Garden Linux

Recommended Web Browsers

The following table lists the browsers that can view the StackRox web user interface.

• Google Chrome 88.0 (64-bit)
• Microsoft Internet Explorer Edge
  • Version 44 and later (Windows)
  • Version 81 (Official Build) (64-bit)
• Safari on MacOS (Mojave) – Version 14.0
• Mozilla Firefox Version 82.0.2 (64-bit)

Changelog v3.74

Added Features

• ROX-13814: A new “Public Kubernetes Registry” image integration is now available as a replacement
  for the (now deprecated) “Public Kubernetes GCR” image integration.

Removed Features

• ROX-12316: As announced in 3.72, the permission Cluster replaces the deprecated permission ClusterCVE.
• ROX-13535: Built-in documentation link redirects now to the online version.
• The docs image and the embedded documentation have been removed from the product.

Deprecated Features

• ROX-12620: We continue to simplify access control management by grouping some permissions in permission sets. As a result:
  • The permission WorkflowAdministration will deprecate the permissions Policy, VulnerabilityReports.
• ROX-14398: We continue to simplify access control management by grouping some permissions in permission sets. As a result:
  • The permission Access will deprecate the permissions Role.
  • The default role Scope Manager will be removed.
• ROX-14400: product BuildDate attribute is deprecated and will be removed in 4.0 release. It won’t be returned by
  /debug/versions.json endpoint and roxctl version --json command.

Required Actions

• The permission WorkflowAdministration will replace Policy, VulnerabilityReports in permission sets starting with the 4.1 release.
  You should preemptively start replacing the Policy and VulnerabilityReports resources within your permission sets in favor of WorkflowAdministration.
  During the migration of the permission sets within the 4.1, the WorfklowAdministration permission will have the lowest access permission granted for either Policy or VulnerabilityReports.
  As an example, a permission set with WRITE Policy and READ VulnerabilityReports access will have READ WorkflowAdministration access after the migration within the 4.1 release, leading to
  potentially unwanted side-effects and missing access if you did not update your permission sets beforehand.
• The permission Access will replace Role in permission sets starting with the 4.1 release. You should preemptively start replacing
  the Role resource within your permission sets in favor of Access. During the migration of the permission sets within the 4.1, the
  Access permission will have the lowest access permission granted for either Access or Role. As an example, a permission set with
  READ Access and WRITE Role will have READ Access after the migration, leading to potentially unwanted side-effects and missing access
  if the permission sets were not updated beforehand.
• The default ScopeManager role will be removed starting with release 4.1. During the migration, Authentication provider rules referencing that role
  will be updated to use the None role. Should Authentication Provider rules reference the ScopeManager role for other purposes than
  Vulnerability Report management, a similar role should be manually created and referenced in the Authentication provider rules instead of ScopeManager.
• ROX-13814: The “Public Kubernetes GCR” image integration is now deprecated in line with
  upstream.

Technical Changes

• ROX-12967: Re-introduce rpm to the main image in order to be able to parse installed packages on RHCOS nodes (from Compliance container)

Major Upcoming Changes

• The 3.74.z set of releases will be the last major release in the 3.x series. The next release will be 4.0.
• Postgres will become the backing database as of 4.0.
• Restoring a backup taken on a 3.y release will no longer be supported starting from 4.1.
• The stackrox-db PVC will no longer be used starting from 4.1. All users must upgrade from a 3.y release to 4.0 prior to
  upgrading to a later release in order to properly migrate to Postgres.

Install

Copyright (C) 2022 stackrox