StackRox Kubernetes Security Platform v3.73 releases
StackRox Kubernetes Security Platform
The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment. StackRox integrates with every stage of the container lifecycle: build, deploy, and runtime.
The StackRox Kubernetes Security platform is built on the foundation of the product formerly known as Prevent, which itself was called Mitigate and Apollo. You may find references to these previous names in the code or documentation.
Dependencies and Recommendations for Running StackRox
The following information has been gathered to help with the installation and operation of the open source StackRox project. These recommendations were developed for the Red Hat Advanced Cluster Security for Kubernetes product and have not been tested with the upstream StackRox project.
Recommended Kubernetes Distributions
The Kubernetes Platforms that StackRox has been deployed onto with minimal issues are listed below.
- Red Hat OpenShift Dedicated (OSD)
- Azure Red Hat OpenShift (ARO)
- Red Hat OpenShift Service on AWS (ROSA)
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Microsoft Azure Kubernetes Service (AKS)
If you deploy into a Kubernetes distribution other than the ones listed above, you may encounter issues.
Recommended Operating Systems
StackRox is known to work on the recent versions of the following operating systems.
- Red Hat Enterprise Linux (RHEL)
- Fedora CoreOS
- Flatcar Container Linux
- Google COS
- Amazon Linux
- Garden Linux
Recommended Web Browsers
The following browsers can view the StackRox web user interface.
- Google Chrome 88.0 (64-bit)
- Microsoft Internet Explorer Edge
  - Version 44 and later (Windows)
  - Version 81 (Official Build) (64-bit)
- Safari on MacOS (Mojave) – Version 14.0
- Mozilla Firefox Version 82.0.2 (64-bit)
- ROX-12839: we will stop shipping the docs embedded in the product, starting with the release following this one (docs will still be available online)
- ROX_WHITELIST_GENERATION_DURATION env var is removed in favor of
- /v1/deploymentswithprocessinfo endpoint response does not include
- Annotation search options are removed. Use the following search options:
- Resource | Deprecated Search Option | New Search Option
- Node | Label | Node Label
- Node | Annotation | Node Annotation
- Namespace | Label | Namespace Label
- Deployment | Label | Deployment Label
- ServiceAccount | Label | Service Account Label
- ServiceAccount | Annotation | Service Account Annotation
- K8sRole | Label | Role Label
- K8sRole | Annotation | Role Annotation
- K8sRoleBinding | Label | Role Binding Label
- K8sRoleBinding | Annotation | Role Binding Annotation
- /v1/cves/unsuppress API payload renamed to
- ROX-11592: Support for Get / Update / Mutate / Remove of groups via the props field and without the props.id field being set in the /v1/groups endpoint has been removed.
- The unused “ComplianceRunSchedule” resource has been removed.
- ROX-11101: As announced in 3.71.0 (ROX-8520), some permissions for permission sets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions.
  - Access replaces the deprecated permissions AuthProvider, Group, Licenses, User.
  - DeploymentExtension replaces the deprecated permissions Indicator, NetworkBaseline, ProcessWhitelist, Risk.
  - Integration replaces the deprecated permissions APIToken, BackupPlugins, ImageIntegration, Notifier, SignatureIntegration.
  - Image replaces the deprecated permission
- Note: the Role permission, previously announced as being grouped under Access, remains a standalone permission.
- Important: As stated above, the access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions. This can impact the ability of some created roles to perform their intended duty. Consolidation of the mapping from replaced resources to new ones can help assess the desired access level, should any issue be experienced.
- ROX-13034: Central reaches out to scanner at scanner.<namespace>.svc now to respect OpenShift’s
- ROX-11101: As first announced in 3.71.0 for ROX-8250, we continue to simplify access control management by grouping some permissions in permission sets. As a result:
  - New permission Administration will deprecate the permissions AllComments, Config, DebugLogs, NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig, ServiceIdentity.
  - The permission Compliance will deprecate the permission
  - New permission
- ROX-11937: The Splunk integration now processes all additional standards of the compliance operator (ocp4-cis & ocp4-cis-node) correctly.
- ROX-9342: Sensor no longer uses the anyuid Security Context Constraint (SCC). The default SCC for sensor is now stackrox-sensor depending on the settings. Both the fsGroup for the admission-control and sensor deployments are no longer hardcoded to 4000 on OpenShift clusters to allow using the
- The service account “central”, which is used by the central deployment, will now include list access to the following resources in the namespace where central is deployed to: namespaces. This fixes an issue when generating diagnostic bundles to now correctly include all relevant information within the namespace of central.
- ROX-13265: Fix missing rationale and remediation texts for default policy “Deployments should have at least one ingress Network Policy”
- ROX-13500: Previously, deployment YAML check on V1 CronJob workload would cause Central to panic. This is now fixed.
- storage.VulnerabilityRequest object, which is in the response of /v1/cve/requests/) endpoints, has been renamed to
- ROX-13347: Vulnerability reporting scopes specifying cluster and/or namespace names now perform exact matches on those entities, as opposed to the erroneous prefix match.
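As an added example that is not part of these release notes or the StackRox code base: the script below applies the ROX-11101 consolidation rule (the replacing permission gets the lowest access level among its replaced permissions) to a permission set and lists where a role loses access, which is the check the “Important” note above recommends before upgrading. It assumes the StackRox access-level names NO_ACCESS, READ_ACCESS and READ_WRITE_ACCESS, treats a replaced permission absent from the set as NO_ACCESS, and covers only the groups whose replaced permissions are listed in full on this page.

```python
# Added example (not StackRox code): apply the ROX-11101 permission
# consolidation rule to a permission set and report access a role loses.
from typing import Dict, List, Tuple

LEVELS = ["NO_ACCESS", "READ_ACCESS", "READ_WRITE_ACCESS"]  # ascending

# Replacing permission -> replaced permissions, as listed in the release notes.
# Groups whose replaced list is incomplete on the page (Image, Compliance) are omitted.
CONSOLIDATION: Dict[str, List[str]] = {
    "Access": ["AuthProvider", "Group", "Licenses", "User"],
    "DeploymentExtension": ["Indicator", "NetworkBaseline", "ProcessWhitelist", "Risk"],
    "Integration": ["APIToken", "BackupPlugins", "ImageIntegration", "Notifier",
                    "SignatureIntegration"],
    # Announced in 3.73 for a later release.
    "Administration": ["AllComments", "Config", "DebugLogs", "NetworkGraphConfig",
                       "ProbeUpload", "ScannerBundle", "ScannerDefinitions",
                       "SensorUpgradeConfig", "ServiceIdentity"],
}
REPLACED = {old for olds in CONSOLIDATION.values() for old in olds}

def consolidate(perms: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (consolidated permission set, warnings).

    Each replacing permission gets the lowest level among its replaced
    permissions. Assumptions: a replaced permission absent from the set
    counts as NO_ACCESS; an already-present replacing permission is
    overwritten. A warning names every replaced permission that had more
    access than the replacing permission ends up with.
    """
    for name, level in perms.items():
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r} for {name}")
    result = {k: v for k, v in perms.items() if k not in REPLACED}
    warnings: List[str] = []
    for new, olds in CONSOLIDATION.items():
        levels = [perms.get(old, "NO_ACCESS") for old in olds]
        lowest = min(levels, key=LEVELS.index)
        result[new] = lowest
        for old, level in zip(olds, levels):
            if LEVELS.index(level) > LEVELS.index(lowest):
                warnings.append(f"{old}={level} drops to {new}={lowest}")
    return result, warnings

if __name__ == "__main__":
    # Constructed permission set: a role that only manages notifiers.
    role = {"Cluster": "READ_ACCESS", "Notifier": "READ_WRITE_ACCESS",
            "ImageIntegration": "READ_ACCESS"}
    new_set, lost = consolidate(role)
    print(new_set, *lost, sep="\n")
```

A role built like the constructed one ends up with Integration at NO_ACCESS after the upgrade, so it must be granted Integration explicitly to keep managing notifiers.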
Copyright (C) 2022 stackrox