github stackrox/stackrox 4.0.0-rc.2

pre-release, 19 months ago

Added Features

  • ROX-15102: new public_config.telemetry boolean property in the /v1/config
    endpoint request, which allows querying the state of, and enabling or disabling,
    the configured telemetry collection.
  • ROX-10818: vulnerability scanning of node components installed through RPM on
    OpenShift cluster nodes running Core OS (RHCOS).
  • ROX-15434: new ROX_FORCE_LOCAL_IMAGE_SCANNING environment variable added to Sensor, which forces all images observed by Sensor to be analyzed by the local scanner (OCP only).

Removed Features

  • ROX-14336: the product BuildDate attribute was removed. It is no longer returned by
    the /debug/versions.json endpoint or the roxctl version --json command.
  • ROX-12750: As announced in 3.73.0 (ROX-11101), some permissions for permission sets are being grouped for simplification. The deprecation process will remove and replace the deprecated permissions with the replacing permission as listed below. The access level granted to the replacing permission will be the lowest among all access levels of the replaced permissions.
    • Permission Administration replaces the deprecated permissions AllComments, Config, DebugLogs, NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig, ServiceIdentity.
    • Permission Compliance replaces the deprecated permission ComplianceRuns.
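
The grouping rule above ("lowest among all access levels of the replaced permissions") can be previewed against an exported permission set before upgrading. The following is an added example, not StackRox code: the access level names, the resource-to-access mapping shape, the sample data, and the handling of permissions missing from a set are assumptions.

```python
# Added example (not StackRox code): preview the ROX-12750 permission grouping.
# Access level names are assumed, ordered lowest first.
ACCESS_ORDER = ["NO_ACCESS", "READ_ACCESS", "READ_WRITE_ACCESS"]

# Replacing permission -> deprecated permissions, as listed in the release notes.
REPLACEMENTS = {
    "Administration": [
        "AllComments", "Config", "DebugLogs", "NetworkGraphConfig", "ProbeUpload",
        "ScannerBundle", "ScannerDefinitions", "SensorUpgradeConfig", "ServiceIdentity",
    ],
    "Compliance": ["ComplianceRuns"],
}


def preview_grouping(resource_to_access):
    """Return (migrated mapping, sorted (permission, old_level, new_level) downgrades)."""
    rank = ACCESS_ORDER.index
    migrated = dict(resource_to_access)
    downgrades = []
    for replacing, deprecated in REPLACEMENTS.items():
        present = [name for name in deprecated if name in migrated]
        if not present:
            continue  # nothing to group for this replacing permission
        # Assumption: only permissions listed in the set are compared, and a level
        # already granted on the replacing permission is included in the minimum.
        candidates = present + ([replacing] if replacing in migrated else [])
        new_level = min((migrated[name] for name in candidates), key=rank)
        for name in candidates:
            if rank(migrated[name]) > rank(new_level):
                downgrades.append((name, migrated[name], new_level))
        for name in present:
            del migrated[name]
        migrated[replacing] = new_level
    return migrated, sorted(downgrades)


# Constructed sample permission set: resource name -> access level.
SAMPLE = {
    "Config": "READ_WRITE_ACCESS",
    "DebugLogs": "READ_ACCESS",
    "ScannerDefinitions": "READ_WRITE_ACCESS",
    "Compliance": "READ_WRITE_ACCESS",
    "ComplianceRuns": "READ_ACCESS",
    "Image": "READ_ACCESS",
}

if __name__ == "__main__":
    result, lost = preview_grouping(SAMPLE)
    print(result)
    for name, old, new in lost:
        print(f"{name}: {old} -> {new} after grouping")
```

Any entry in the downgrade list marks access that roles using the set would lose after the upgrade, which is the case where a dedicated permission set should be created beforehand.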

Deprecated Features

  • Deprecated /v1/telemetry/configure service.
  • The expiration field in the Exclusion proto has been deprecated and will be removed in a future release.
  • The --offline-mode flag for the roxctl scanner generate command is deprecated, as Scanner's default behavior is
    to fetch vulnerability updates from Central. The flag will be removed as part of the 4.2.0 release.
  • ROX-15925: The KernelModule collection method is deprecated in favor of EBPF. This method will be removed in the 4.1 release.
  • Deprecated v1.0 of Network Graph. Please switch to the new 2.0 version for improved functionality and a better user experience.
  • ROX-15337: RHACS Operator is not published to Red Hat Operator Catalogs for OpenShift versions 4.9 and earlier.
  • The API endpoint /v1/serviceaccounts is deprecated and will be changed as part of the 4.2.0 release.
  • PDF export in the current version of the Vulnerability Management UI is deprecated and will be removed in the 4.2.0 release. Use the vuln reporting feature instead, for more comprehensive CSV data.

Required Actions

  • The Analyst permission set will change behaviour: instead of allowing read to all resources except DebugLogs, it will
    allow read to all resources except Administration.
    If you were using the Analyst role or permission set for actions requiring read on AllComments, Config,
    NetworkGraphConfig, ProbeUpload, ScannerBundle, ScannerDefinitions, SensorUpgradeConfig or ServiceIdentity
    resources, you should preemptively create a new permission set with read access on the Administration
    and other required resources, and reference it instead of Analyst in the created roles.

Technical Changes

  • Active Vulnerability Management has been moved behind the ROX_ACTIVE_VULN_MGMT flag, which defaults to false for
    performance reasons. If Active Vulnerability Management is desired, a user may set this flag to true to reactivate it;
    however, it is recommended to increase the memory limit of Central.
  • ROX-14251: StackRox now uses IMDSv2 to retrieve AWS metadata instead of IMDSv1.
  • ROX-12750: The Analyst permission set, which used to have read access on all permissions except
    the now deprecated DebugLogs permission, now has read access to all permissions except Administration.
  • The default resources for Sensor have moved to a request of 2 cores, 4GB of RAM and a limit of 4 cores, 8GB of RAM in order to
    support a higher number of clusters without modification.
  • ROX-14280: ACS operator default channel changes from latest to stable. Users of older versions must follow the upgrade procedure in order to preserve ACS data in case of issues with the upgrade.
