Added Features
- Customer-provided PostgreSQL databases are now GA.
- ROX-21235: `/api/extensions/certs/backup` added to provide external database consumers a means to back up certs. The `--certs-only` flag was added to `roxctl central backup` to exercise that endpoint.
- The "Kubernetes Resource Name" policy criteria now supports regex values. Note: the value must be prefixed with "r/" to activate regex matching.
- ROX-22238: `roxctl deployment check` results now contain additional information about the Permission Level and applicable Network Policies for a deployment, if `--cluster` and `--namespace` are provided together with `--verbose`.
- Export APIs have been added for deployments, nodes, pods, and images as a tech preview.
- ROX-21950: `roxctl scanner download-db` has been added to help download version-specific offline vulnerability bundles introduced with Scanner V4.
- The new vulnerability scanner named "Scanner V4" has been integrated. At the moment it needs to run side-by-side with the current default scanner named "StackRox Scanner". Installation instructions can be found in the official RHACS documentation.
- ROX-19932: ACS can pull information about available clusters to secure from Red Hat OpenShift Cluster Manager and Paladin Cloud.
- ROX-13367: ACS now supports short-lived token integrations for GCP via workload identity federation and AWS via the Secure Token Service.
- ROX-17382: An enhanced version of the ACS and Compliance Operator integration is now available under the heading "Compliance (2.0)". This feature is in Tech Preview.
- ROX-20100: Machine access configurations have been added to provide short-lived access tokens for Central.
- A new image scanner based on ClairCore, Scanner V4, is now available. It is disabled by default, but it is recommended for more accurate image scan results.
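The "r/" prefix rule for the "Kubernetes Resource Name" criterion is easy to get wrong in two ways: forgetting the prefix (the value is then taken literally) and writing an unanchored expression that selects more names than intended. The following Go program is an added illustration of the documented semantics, written for these notes; it is not StackRox's own matcher. It assumes that a value without the prefix is compared as an exact string and that a prefixed value is evaluated with Go's unanchored `regexp.MatchString`; the resource names are constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// regexPrefix: per the release notes, a criterion value that starts with
// "r/" enables regex matching; any other value is treated as a plain name.
const regexPrefix = "r/"

// ResourceNameMatcher evaluates one "Kubernetes Resource Name" criterion
// value. Illustrative re-implementation of the documented semantics, not
// StackRox's own matcher.
type ResourceNameMatcher struct {
	raw string
	re  *regexp.Regexp // set only when the r/ prefix was used
}

// NewResourceNameMatcher compiles the criterion value. A malformed regex is
// surfaced as an error instead of silently matching nothing.
func NewResourceNameMatcher(value string) (*ResourceNameMatcher, error) {
	m := &ResourceNameMatcher{raw: value}
	if strings.HasPrefix(value, regexPrefix) {
		re, err := regexp.Compile(strings.TrimPrefix(value, regexPrefix))
		if err != nil {
			return nil, fmt.Errorf("invalid regex in criterion %q: %w", value, err)
		}
		m.re = re
	}
	return m, nil
}

// Matches reports whether name satisfies the criterion. Without the r/
// prefix the comparison is an exact string match (an assumption made for
// this illustration); with it, Go's unanchored MatchString is used, so
// anchor with ^ and $ when the whole name must match.
func (m *ResourceNameMatcher) Matches(name string) bool {
	if m.re != nil {
		return m.re.MatchString(name)
	}
	return m.raw == name
}

// SelectResourceNames returns the names from candidates that the criterion
// value selects, in input order.
func SelectResourceNames(value string, candidates []string) ([]string, error) {
	m, err := NewResourceNameMatcher(value)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, n := range candidates {
		if m.Matches(n) {
			out = append(out, n)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample resource names; not taken from any real cluster.
	names := []string{"prod-db", "prod-api", "staging-prod-db", "dev-db"}
	for _, value := range []string{"prod-db", "r/prod-", "r/^prod-.*$"} {
		sel, err := SelectResourceNames(value, names)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-14s -> %v\n", value, sel)
	}
	if _, err := SelectResourceNames("r/prod-(", names); err != nil {
		fmt.Println("error:", err)
	}
}
```

Running it shows the three cases side by side: the plain value selects only `prod-db`, `r/prod-` also catches `staging-prod-db` because the expression is unanchored, and `r/^prod-.*$` selects exactly the two names that start with `prod-`. Rejecting a malformed expression at policy-creation time, rather than letting it match nothing, is the behaviour a policy author should expect from their own tooling.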
Removed Features
- ROX-18840: Sunburst widgets in the Compliance section have been removed (deprecation announced in version 4.2 release notes).
- The Docker CIS benchmark has been removed as announced in the 4.2 release notes.
- ROX-12982: All custom `stackrox-*` SecurityContextConstraints (SCC) have been replaced with default SCCs (deprecation announced in 4.1 release notes).
- ROX-9156: In Helm and Operator installation modes, references to image pull secrets with certain names are no longer unconditionally added to service accounts. This is done to avoid causing log spam for kubelet due to non-existing secrets. References will still be added for backwards compatibility if, during installation or upgrade, the secrets in question are found to actually exist. The names of these special secrets are:
  - for central components: `stackrox`, `stackrox-scanner`
  - for secured cluster components: `stackrox`, `stackrox-scanner`, `secured-cluster-services-main`, `secured-cluster-services-collector`, `collector-stackrox`

  We recommend explicitly listing the image pull secrets that are needed, if any:
  - for Helm-based installs: via the `imagePullSecrets.useExisting` Helm value
  - for operator-based installs: via the `spec.imagePullSecrets` field in stackrox custom resources

  This may be necessary in case the Helm chart is applied in an environment where cluster lookup is unavailable (such as a CD pipeline like ArgoCD).
Deprecated Features
- The following search terms will be disabled in the next release and removed from the deployment context in 2 releases:
  - Environment variable terms that can be removed by setting ROX_DEPLOYMENT_ENVVAR_SEARCH=false:
    - Environment Key, Environment Value, Environment Variable Source
  - Volume terms that can be removed by setting ROX_DEPLOYMENT_VOLUME_SEARCH=false:
    - Volume Destination, Volume Name, Volume ReadOnly, Volume Source, Volume Type
  - Secret terms that can be removed by setting ROX_DEPLOYMENT_SECRET_SEARCH=false:
    - Secret, Secret Path
- The following search terms will be disabled in the next release and removed from the secret context in 2 releases. They can be removed in the current release by setting ROX_SECRET_FILE_SEARCH=false:
  - Secret Type, Cert Expiration, Image Pull Secret Registry
- The `/v1/availableAuthProviders` endpoint will in a future release require authentication and at least READ permission on the `Access` resource. Ensure that any flow interacting with it is authenticated and has the proper permissions going forward.
- The `/v1/tls-challenge` endpoint will require authentication; ensure that all interactions with these endpoints include proper authentication going forward.
- The Helm setting `central.db.persistence.hostPath` for hostPath storage will be deprecated in 2 releases. It is recommended to switch to an alternative persistent storage.
- Users running ACS version 3.74.x or earlier must stop at version 4.4.x before upgrading to 4.5 or later. In version 4.0.0, ACS switched the underlying datastore to PostgreSQL. On an upgrade, data would be automatically migrated to PostgreSQL from the previous store. In 4.5.0 this previous store will no longer be available, thus any existing data will not be migrated over if users jump from 3.74.x directly to 4.5.0. By stopping at any version from 4.0.0 to 4.4.x, users can ensure that the data will be properly migrated.
- StackRox Scanner will no longer receive new features and will be in maintenance mode. Development is now focused on the new Scanner V4.
Technical Changes
- Increased default memory request for scanner-db from 200MiB to 512MiB, to prevent OOMs during DB initialization in case of memory pressure on the node.
- ROX-20105: Scanner slim will now read additional CAs from the `additional-ca-sensor` secret.
- ROX-20623: Fixed bug mistakenly requiring admin access to delegate ad-hoc scan requests to secured clusters.
- ROX-20492: Existing autogenerated integrations will now be deleted on Central startup if `ROX_DISABLE_AUTOGENERATED_REGISTRIES` is `true`.
- The `/v1/administration/usage` API endpoint is now considered stable.
- Enforce the existence of the OpenShift monitoring `/metrics` server certificate by requiring the secrets `central-monitoring-tls`/`sensor-monitoring-tls` to exist on start up. This only applies if OpenShift monitoring is enabled.
- Configuration files now specify ROX_MEMLIMIT instead of GOMEMLIMIT.
  - ROX_MEMLIMIT is meant to capture the memory limit of the deployment, so it may adjust the GOMEMLIMIT accordingly.
  - ROX_MEMLIMIT is not as flexible as GOMEMLIMIT. It may only be set to an integer representing a number of bytes.
- ROX-21620: Publish opensource instead of stackrox.io Helm charts.
- ROX-20163: Sensor captures runtime events even if it is disconnected from Central.
- ROX-20280: Fixed bug that prevented users from editing the endpoint of an unauthenticated email notifier. The credentials are still required to change the endpoint if it's not unauthenticated.
- ROX-21729: When deleting a collection that is referenced by other objects such as report configurations, the error message now includes the names of the collection being deleted and its referencing object (report configuration).
- The ROX_SCAN_TIMEOUT environment variable in Central and Sensor now defaults to 10m instead of 6m.
- ROX-19814: As announced in 4.2, the `/v1/resources` endpoint now requires authenticated access.
- The default policy "systemctl Execution" has been updated to not trigger when the process argument `--version` is used. This does not pose a security issue because the information printed relates to features supported by systemd at build time and not the capabilities of the host OS.
- The default policy "No resource requests or limits specified" has been renamed to "No CPU request or memory limit specified" and now no longer checks CPU limit or memory request. Rather, it only detects whether the CPU request and memory limit are set.
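The ROX_MEMLIMIT change above has a practical consequence for anyone who maintains configuration files or sidecar templates: a value that GOMEMLIMIT would have accepted, such as `512MiB`, is no longer valid, and the process, not the Go runtime, decides what soft limit to derive from the container limit. The Go program below is an added illustration written for these notes, not StackRox code. It assumes a 10% headroom between the deployment limit and the runtime soft limit (the release notes only say the value "may be adjusted"); the sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"os"
	"runtime/debug"
	"strconv"
)

// roxMemLimitEnv is the variable the release notes describe: the deployment's
// memory limit as a plain integer number of bytes. No unit suffix is accepted.
const roxMemLimitEnv = "ROX_MEMLIMIT"

// ErrInvalidMemLimit is returned for anything that is not a positive integer.
var ErrInvalidMemLimit = errors.New("ROX_MEMLIMIT must be a positive integer number of bytes")

// ParseRoxMemLimit validates a ROX_MEMLIMIT value. Values such as "512MiB",
// which GOMEMLIMIT would accept, are rejected here rather than misread.
func ParseRoxMemLimit(value string) (int64, error) {
	n, err := strconv.ParseInt(value, 10, 64)
	if err != nil || n <= 0 {
		return 0, fmt.Errorf("%w: got %q", ErrInvalidMemLimit, value)
	}
	return n, nil
}

// GoMemLimitFor derives the Go runtime soft limit from the deployment limit.
// Reserving 10% headroom for non-heap memory is an assumption made for this
// illustration; the release notes only say the value "may be adjusted".
// Integer arithmetic keeps the result exact and avoids float rounding.
func GoMemLimitFor(roxLimit int64) int64 {
	return roxLimit / 10 * 9
}

// ApplyMemLimitFromEnv reads ROX_MEMLIMIT and, when set, installs the derived
// soft limit via debug.SetMemoryLimit. It returns the limit applied, or 0
// when the variable is unset and the runtime default is left alone.
func ApplyMemLimitFromEnv() (int64, error) {
	raw, ok := os.LookupEnv(roxMemLimitEnv)
	if !ok || raw == "" {
		return 0, nil
	}
	roxLimit, err := ParseRoxMemLimit(raw)
	if err != nil {
		return 0, err
	}
	goLimit := GoMemLimitFor(roxLimit)
	debug.SetMemoryLimit(goLimit)
	return goLimit, nil
}

// ResetGoMemLimit restores the runtime default (effectively no limit).
func ResetGoMemLimit() {
	debug.SetMemoryLimit(math.MaxInt64)
}

func main() {
	// Constructed sample values: one valid, one GOMEMLIMIT-style, one zero.
	for _, v := range []string{"536870912", "512MiB", "0"} {
		n, err := ParseRoxMemLimit(v)
		if err != nil {
			fmt.Printf("%-10s rejected: %v\n", v, err)
			continue
		}
		fmt.Printf("%-10s -> ROX_MEMLIMIT=%d bytes, GOMEMLIMIT=%d bytes\n", v, n, GoMemLimitFor(n))
	}
}
```

Failing fast on a malformed value is the point: a limit that is silently ignored leaves the Go garbage collector without a target, and a container under memory pressure then finds out about the limit from the OOM killer rather than from the runtime.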