The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.
ROX_UNQUALIFIED_SEARCH_REGISTRIES is set to true on both Central and Sensor.
The label app.stackrox.io/managed-by: operator is applied to all Helm chart resources and secrets created by the operator.
/api/extensions/certs/backup has been added to provide external database consumers a means to back up certs. The --certs-only flag has been added to roxctl central backup to exercise that endpoint.
roxctl deployment check results now contain additional information about the Permission Level and applicable Network Policies for a deployment, if --cluster and --namespace are provided together with --verbose.
roxctl scanner download-db has been added to help download the version-specific offline vulnerability bundles introduced with Scanner V4.
Machine access configurations have been added to provide short-lived access tokens for Central.
ROX-18840: Sunburst widgets in the Compliance section have been removed (deprecation announced in the version 4.2 release notes).
The Docker CIS benchmark has been removed as announced in the 4.2 release notes.
ROX-12982: All custom stackrox-* SecurityContextConstraints (SCC) have been replaced with default SCCs (deprecation announced in the 4.1 release notes).
ROX-9156: In Helm and Operator installation modes, references to image pull secrets with certain names are no longer unconditionally added to service accounts. This is done to avoid causing log spam for kubelet due to non-existing secrets. References will still be added for backwards compatibility if, during installation or upgrade, the secrets in question are found to actually exist. The names of these special secrets are: stackrox, stackrox-scanner, secured-cluster-services-main, secured-cluster-services-collector, collector-stackrox. We recommend explicitly listing the image pull secrets that are needed, if any, via the imagePullSecrets.useExisting Helm value or the spec.imagePullSecrets field in stackrox custom resources. This may be necessary in case the Helm chart is applied in an environment where cluster lookup is unavailable (such as a CD pipeline like ArgoCD).
The /v1/availableAuthProviders endpoint will in a future release require authentication and at least READ permission on the Access resource. Ensure that any flow interacting with it is authenticated and has the proper permissions going forward.
/v1/tls-challenge will require authentication; ensure that all interactions with these endpoints include proper authentication going forward.
central.db.persistence.hostPath for hostPath storage will be deprecated in 2 releases. It is recommended to switch to an alternative persistent storage.
additional-ca-sensor secret.
ROX_DISABLE_AUTOGENERATED_REGISTRIES is true.
The /v1/administration/usage API endpoint is now considered stable.
/metrics server certificate by requiring the secrets central-monitoring-tls / sensor-monitoring-tls to exist on start up. This only applies if OpenShift monitoring is enabled.
--version is used. This does not pose a security issue because the information printed relates to features supported by systemd at the build time and not the capabilities of the host OS.
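The ROX-9156 item above recommends naming the image pull secrets you actually need instead of relying on the special secret names. The following is an added configuration example, not taken from the StackRox project itself; it assumes that the Helm value imagePullSecrets.useExisting takes a list of names of secrets that already exist in the release namespace, that spec.imagePullSecrets on the Central custom resource is a list of name references, and that the custom resource uses the platform.stackrox.io/v1alpha1 API group. The secret name my-registry-pull-secret is a constructed placeholder.

```yaml
# Helm install mode: values file passed with -f to the central-services or
# secured-cluster-services chart.
# Assumption: imagePullSecrets.useExisting is a list of existing secret names.
# Only list secrets that really exist in the namespace; a reference to a
# missing secret is exactly what produces the kubelet log spam the change
# in ROX-9156 is meant to avoid.
imagePullSecrets:
  useExisting:
    - my-registry-pull-secret   # constructed placeholder name

---
# Operator install mode: the same setting on the Central custom resource
# (the SecuredCluster resource is assumed to carry the same field).
# Assumption: spec.imagePullSecrets is a list of { name: ... } references.
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: stackrox
spec:
  imagePullSecrets:
    - name: my-registry-pull-secret   # constructed placeholder; must exist in the namespace
```

Listing the secrets explicitly keeps the service account references deterministic even when the chart is rendered without cluster access, as in the ArgoCD case mentioned above, because nothing then depends on the install-time lookup of the special secret names.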