github stackrox/stackrox 4.11.0-rc.3

pre-release · 11 hours ago

Added Features

  • The config-controller now periodically reconciles SecurityPolicy CRs (default: every 30 minutes), detecting drift if policies are modified or deleted directly in Central. The interval is configurable via the ROX_CONFIG_CONTROLLER_RECONCILE_INTERVAL environment variable.
  • ROX-26769: Central API for generating CRSs now supports specifying an upper bound for cluster
    registrations using the new field "max_registrations".
    roxctl's "central crs generate" supports specifying a maximum number of cluster registrations
    using the new parameter "--max-clusters".
  • ROX-24311: Detection and enforcement for the pods/attach Kubernetes event (the API subresource used by kubectl attach).
  • ROX-33099: New Operator Helm Chart is now the only recommended way to install on non-OpenShift clusters.
  • ROX-33098 (Tech Preview): Effective path and Actual Path have been combined into a single File Path policy criterion.
  • ROX-33156 (Tech Preview): A new default policy category called "File Activity Monitoring" is now available.
  • ROX-33673: A new default policy has been added to detect missing egress NetworkPolicy associated with deployments. The policy is disabled by default.
  • ROX-33336: The Operator now reads the cluster-wide TLS profile from apiserver.config.openshift.io/cluster on OpenShift and propagates it to all managed ACS components via environment variables. The Operator's own metrics server always honors the cluster TLS profile when running on OpenShift.
  • ROX-26033: Compliance now tracks tailored profiles and custom rules from the Compliance Operator. Tailored profiles can be included in scan configurations, and their check results are shown in the Coverage page and CSV reports.
  • ROX-34407: Deprecated the fields used to select the optional columns NVD CVSS, EPSS Probability and Advisory in Vulnerability Reporting. These columns are now included by default, next to the similar existing columns. This also changes the column order in generated reports.
  • ROX-33108: Added Component Version Column in Vulnerability Reporting.
  • ROX-32865: Images are now uniquely identified by the combination of name and digest, rather
    than by digest alone. This new data model resolves several long-standing issues when multiple
    images share the same digest but have different names (e.g., different registries or tags):
    • Deployments now correctly distinguish images with the same digest but different names,
      so each deployment shows its own image reference in the Vulnerability Management dashboards,
      and each image lists only the deployments that reference it under that name.
    • Vulnerability exceptions (deferrals, false positives) can now be correctly scoped to a
      specific image name. Previously, a deferral/false-positive created for one image name
      would leak to all images sharing the same digest.
    • Policies now evaluate correctly per the deployed/checked image name and respect its
      vulnerability exceptions, rather than being affected by shared-digest exception leakage.
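The new "missing egress NetworkPolicy" default policy (ROX-33673) flags deployments whose pods are not selected by any NetworkPolicy that is in effect for egress. The following is an added illustration of that criterion, not StackRox's own implementation: it models only the parts of networking.k8s.io/v1 NetworkPolicy that the check needs (namespace, matchLabels pod selector, policyTypes, and whether a spec.egress section is present) and runs the check over constructed sample workloads. The API subtlety it handles is that Egress is in effect either when listed in policyTypes or, if policyTypes is omitted, when an egress section exists; an empty podSelector selects every pod in the namespace. The type and function names (NetworkPolicy, Deployment, EgressPoliciesFor, MissingEgressPolicy) are this example's own.

```go
package main

import "fmt"

// Illustrative re-implementation of a "missing egress NetworkPolicy" check.
// This is example code, not the StackRox policy engine; the types below are a
// deliberately trimmed model of the Kubernetes API objects involved.

// NetworkPolicy models the fields of networking.k8s.io/v1 NetworkPolicy the check needs.
type NetworkPolicy struct {
	Name        string
	Namespace   string
	PodSelector map[string]string // matchLabels only; empty selects every pod in the namespace
	PolicyTypes []string          // "Ingress" and/or "Egress"; may be omitted
	HasEgress   bool              // true when spec.egress is present, even as an empty list (deny-all)
}

// Deployment is the subset of a workload the check needs.
type Deployment struct {
	Name      string
	Namespace string
	PodLabels map[string]string // labels on the pod template
}

// selects reports whether a matchLabels selector selects the given labels.
// An empty selector matches everything, as in the Kubernetes API.
func selects(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// appliesToEgress mirrors the API semantics: Egress is in effect when it is listed
// in policyTypes, or when policyTypes is omitted and an egress section is present.
func appliesToEgress(np NetworkPolicy) bool {
	if len(np.PolicyTypes) == 0 {
		return np.HasEgress
	}
	for _, t := range np.PolicyTypes {
		if t == "Egress" {
			return true
		}
	}
	return false
}

// EgressPoliciesFor returns the names of the policies that govern egress for
// the deployment's pods (same namespace, egress in effect, selector matches).
func EgressPoliciesFor(d Deployment, policies []NetworkPolicy) []string {
	var out []string
	for _, np := range policies {
		if np.Namespace != d.Namespace || !appliesToEgress(np) {
			continue
		}
		if selects(np.PodSelector, d.PodLabels) {
			out = append(out, np.Name)
		}
	}
	return out
}

// MissingEgressPolicy is the policy criterion itself: true means a violation.
// Note that it only checks for the presence of an egress policy, not whether
// that policy's rules are actually restrictive.
func MissingEgressPolicy(d Deployment, policies []NetworkPolicy) bool {
	return len(EgressPoliciesFor(d, policies)) == 0
}

// Constructed sample data for the demonstration (not from a real cluster).
var samplePolicies = []NetworkPolicy{
	// Namespace-wide default deny for egress: empty selector, explicit Egress type.
	{Name: "default-deny-egress", Namespace: "payments", PodSelector: map[string]string{}, PolicyTypes: []string{"Egress"}, HasEgress: true},
	// Ingress-only policy: does not count as an egress policy.
	{Name: "web-ingress-only", Namespace: "web", PodSelector: map[string]string{"app": "web"}, PolicyTypes: []string{"Ingress"}},
	// policyTypes omitted but an egress section exists, so Egress is in effect.
	{Name: "api-egress", Namespace: "web", PodSelector: map[string]string{"app": "api"}, HasEgress: true},
}

var sampleDeployments = []Deployment{
	{Name: "ledger", Namespace: "payments", PodLabels: map[string]string{"app": "ledger"}},
	{Name: "web", Namespace: "web", PodLabels: map[string]string{"app": "web"}},
	{Name: "api", Namespace: "web", PodLabels: map[string]string{"app": "api", "tier": "backend"}},
	{Name: "worker", Namespace: "batch", PodLabels: map[string]string{"app": "worker"}},
}

func main() {
	for _, d := range sampleDeployments {
		fmt.Printf("%s/%s missing egress policy: %v (covered by %v)\n",
			d.Namespace, d.Name, MissingEgressPolicy(d, samplePolicies), EgressPoliciesFor(d, samplePolicies))
	}
}
```

Running it reports ledger (covered by the namespace-wide deny) and api (covered by a policy whose policyTypes was omitted) as compliant, while web (ingress-only policy) and worker (no policy at all) are flagged. The caveat worth keeping in mind when tuning the real policy is the one in the comment on MissingEgressPolicy: a permissive egress rule such as an allow-all to 0.0.0.0/0 satisfies the presence check just as well as a deny-all does.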

Removed Features

Deprecated Features

  • The following roxctl commands related to manifest-based and Helm-based installation are now deprecated.
    They will be removed in a future release. Please use the operator for deployment management instead.
    • roxctl sensor generate {k8s,openshift}
    • roxctl sensor get-bundle
    • roxctl sensor generate-certs
    • roxctl central generate {interactive,k8s,openshift}
    • roxctl helm output {central-services,secured-cluster-services}
    • roxctl helm derive-local-values
  • Deprecated gRPC endpoints for manifest-based and Helm-based installation: GetCAConfig,
    SensorUpgradeService (all RPCs), DeploymentFormat enum, PostCluster, and
    PutCluster. The REST endpoints /api/extensions/clusters/zip,
    /api/extensions/clusters/helm-config.yaml, and /api/extensions/helm-charts/
    are also deprecated.
    They will be removed in a future release. Please use the operator for deployment management instead.
  • Plaintext (non-TLS) Central endpoints, configured via the ROX_PLAINTEXT_ENDPOINTS environment
    variable, are deprecated and will be removed in a future release. Modern load balancers and
    ingress controllers support TLS passthrough, making plaintext endpoints unnecessary.

Technical Changes

  • ROX-34351: ACS components now always prevent Istio sidecar injection, removing the need for the
    env.istio Helm value and --istio-support CLI flag. Existing Istio service mesh deployments
    continue to work without configuration changes.
  • OpenShift 3 support removed from all installation methods.
  • ROX-34524: Fixed an issue where connections using non-HTTP schemes (for example, raw TLS checks) bypassed the proxy when only HTTPS_PROXY/HTTP_PROXY were configured and ALL_PROXY was not. Previously, Sensor's lazy TLS registry initialization would fail in proxy-only environments.
