
Releases: stackrox/stackrox

4.3.7-rc.2

03 May 11:54
Pre-release
Upstream release automation

4.3.7-rc.1

02 May 10:35
Pre-release
Upstream release automation

4.4.1

22 Apr 22:30

Added Features

  • ROX-18689: ACS will qualify the registry (and path) of images from the container runtime when env var ROX_UNQUALIFIED_SEARCH_REGISTRIES is set to true on both Central and Sensor.
    • This enables support for CRI-O's unqualified search registries and short name aliases (more info).

Removed Features

  • Dropped support for older Helm versions: For rendering the Helm charts stackrox-central-services and
    stackrox-secured-cluster-services a Helm version >= 3.9.0 is now required.

4.4.1-rc.5

15 Apr 20:59
Pre-release

Added Features

  • ROX-18689: ACS will qualify the registry (and path) of images from the container runtime when env var ROX_UNQUALIFIED_SEARCH_REGISTRIES is set to true on both Central and Sensor.
    • This enables support for CRI-O's unqualified search registries and short name aliases (more info).

Removed Features

  • Dropped support for older Helm versions: For rendering the Helm charts stackrox-central-services and
    stackrox-secured-cluster-services a Helm version >= 3.9.0 is now required.

4.4.1-rc.4

14 Apr 18:43
Pre-release

Added Features

  • ROX-18689: ACS will qualify the registry (and path) of images from the container runtime when env var ROX_UNQUALIFIED_SEARCH_REGISTRIES is set to true on both Central and Sensor.
    • This enables support for CRI-O's unqualified search registries and short name aliases (more info).

Removed Features

  • Dropped support for older Helm versions: For rendering the Helm charts stackrox-central-services and
    stackrox-secured-cluster-services a Helm version >= 3.9.0 is now required.

4.4.1-rc.3

12 Apr 21:26
Pre-release

Added Features

  • ROX-18689: ACS will qualify the registry (and path) of images from the container runtime when env var ROX_UNQUALIFIED_SEARCH_REGISTRIES is set to true on both Central and Sensor.
    • This enables support for CRI-O's unqualified search registries and short name aliases (more info).

Removed Features

  • Dropped support for older Helm versions: For rendering the Helm charts stackrox-central-services and
    stackrox-secured-cluster-services a Helm version >= 3.9.0 is now required.

4.4.1-rc.2

10 Apr 17:22
Pre-release

Added Features

  • ROX-18689: ACS will qualify the registry (and path) of images from the container runtime when env var ROX_UNQUALIFIED_SEARCH_REGISTRIES is set to true on both Central and Sensor.
    • This enables support for CRI-O's unqualified search registries and short name aliases (more info).

Removed Features

  • Dropped support for older Helm versions: For rendering the Helm charts stackrox-central-services and
    stackrox-secured-cluster-services a Helm version >= 3.9.0 is now required.

4.4.1-rc.1

09 Apr 02:36
Pre-release

Added Features

  • ROX-18689: ACS will qualify the registry (and path) of images from the container runtime when env var ROX_UNQUALIFIED_SEARCH_REGISTRIES is set to true on both Central and Sensor.
    • This enables support for CRI-O's unqualified search registries and short name aliases (more info).

Removed Features

  • Dropped support for older Helm versions: For rendering the Helm charts stackrox-central-services and
    stackrox-secured-cluster-services a Helm version >= 3.9.0 is now required.

Deprecated Features

Technical Changes

  • ROX-18969: Added a label selector for the caching configuration of secrets and configmaps to the operator.
    • Reduces memory consumption of the operator significantly, especially on large clusters. (28% on a fresh OCP cluster)
    • Increases number of requests sent to the API server to get secrets that are not managed by the operator and don't match the cache label selector.
    • Adds a label app.stackrox.io/managed-by: operator to all helm chart resources and secrets created by the operator

4.4.0

28 Mar 17:22

Added Features

  • Customer-provided PostgreSQL databases are now GA
  • ROX-21235: /api/extensions/certs/backup added to provide external database consumers a means to back up certs. --certs-only flag added to roxctl central backup to exercise that endpoint.
  • The "Kubernetes Resource Name" policy criteria now supports regex values. Note: the value must be prefixed with "r/" to activate regex matching.
  • ROX-22238: roxctl deployment check results now contain additional information about the Permission Level and applicable Network Policies for a deployment, if --cluster and --namespace are provided together with --verbose.
  • Export APIs have been added for deployments, nodes, pods, and images as a tech preview.
  • ROX-21950: roxctl scanner download-db has been added to help download version specific offline vulnerability bundles introduced with Scanner V4.
  • The new vulnerability scanner named "Scanner V4" has been integrated. At the moment it needs to run side-by-side with the current default scanner named "StackRox Scanner". Installation instructions can be found in the official RHACS documentation.
  • ROX-19932: ACS can pull information about available clusters to secure from
    Red Hat OpenShift Cluster Manager and Paladin Cloud.
  • ROX-13367: ACS now supports short-lived token integrations for GCP via
    workload identity federation and AWS via the Secure Token Service.
  • ROX-17382: An enhanced version of the ACS and Compliance Operator integration is now available under the heading "Compliance (2.0)". This feature is in Tech Preview.
  • ROX-20100: Machine access configurations have been added to provide short-lived access tokens for Central.
  • A new image scanner based on ClairCore, Scanner V4, is now available.
    • It is disabled by default, but it is recommended for more accurate image scan results.
  • ROX-22505: It is now possible to set up authentication provider claim mappings via UI.
  • API token expiration date can be configured. If expiration date is not specified, API token will expire in 1 year.

Removed Features

  • ROX-18840: Sunburst widgets in the Compliance section have been removed (deprecation announced in version 4.2 release notes)

  • The Docker CIS benchmark has been removed as announced in the 4.2 release notes.

  • ROX-12982: All custom stackrox-* SecurityContextConstraints (SCC) have been replaced with default SCCs (deprecation announced in 4.1 release notes).

  • ROX-9156: In Helm and Operator installation modes, references to image pull secrets with certain names are no longer
    unconditionally added to service accounts. This is done to avoid causing log spam for kubelet due to non-existing secrets.

    References will still be added for backwards compatibility if during installation or upgrade the secrets in question
    are found to actually exist. The names of these special secrets are:

    • for central components: stackrox, stackrox-scanner,
    • for secured cluster components: stackrox, stackrox-scanner, secured-cluster-services-main,
      secured-cluster-services-collector, collector-stackrox.

    We recommend explicitly listing any image pull secrets that are needed:

    • for Helm-based installs: via the imagePullSecrets.useExisting Helm value
    • for operator-based installs: via the spec.imagePullSecrets field in stackrox custom resources

    This may be necessary in case the Helm chart is applied in an environment where cluster lookup is unavailable
    (such as a CD pipeline like ArgoCD).

Deprecated Features

  • The following search terms will be disabled in the next release and removed from the deployment context in 2 releases:
    • Environment variable terms that can be removed by setting ROX_DEPLOYMENT_ENVVAR_SEARCH=false:
      • Environment Key, Environment Value, Environment Variable Source
    • Volume terms that can be removed by setting ROX_DEPLOYMENT_VOLUME_SEARCH=false:
      • Volume Destination, Volume Name, Volume ReadOnly, Volume Source, Volume Type
    • Secret terms that can be removed by setting ROX_DEPLOYMENT_SECRET_SEARCH=false:
      • Secret, Secret Path
  • The following search terms will be disabled in the next release and removed from the secret context in 2 releases. They can be removed in the current release by setting ROX_SECRET_FILE_SEARCH=false:
    • Secret Type, Cert Expiration, Image Pull Secret Registry
  • The /v1/availableAuthProviders endpoint will in a future release require authentication and at least READ permission on the Access resource.
    Ensure that any flow interacting with it is authenticated and has the proper permissions going forward.
  • The /v1/tls-challenge endpoint will require authentication. Ensure that all interactions with this endpoint include proper authentication going forward.
  • The Helm setting central.db.persistence.hostPath for hostPath storage will be deprecated in 2 releases. It is recommended to switch to an alternative persistent storage.
  • Users running ACS version 3.74.x or earlier must stop at version 4.4.x before upgrading to 4.5 or later. In version 4.0.0, ACS switched the underlying datastore to PostgreSQL. On an upgrade, data would be automatically migrated to PostgreSQL from the previous store.
    In 4.5.0 this previous store will no longer be available, thus any existing data will not be migrated over if users jump from 3.74.x directly to 4.5.0. By stopping at any version from 4.0.0 to 4.4.x, users can ensure that the data will be properly migrated.
  • StackRox Scanner will no longer receive new features and will be in maintenance-mode. Development is now focused on the new Scanner V4.

Technical Changes

  • Increased default memory request for scanner-db from 200MiB to 512MiB,
    to prevent OOMs during DB initialization in case of memory pressure on the node.
  • ROX-20105: Scanner slim will now read additional CAs from the additional-ca-sensor secret.
  • ROX-20623: Fixed bug mistakenly requiring admin access to delegate ad-hoc scan requests to secured clusters.
  • ROX-20492: Existing autogenerated integrations will now be deleted on Central startup if ROX_DISABLE_AUTOGENERATED_REGISTRIES is true.
  • /v1/administration/usage API endpoint is now considered stable.
  • Enforce the existence of the OpenShift monitoring /metrics server certificate by requiring
    the secrets central-monitoring-tls / sensor-monitoring-tls to exist on start up. This only applies
    if OpenShift monitoring is enabled.
  • Configuration files now specify ROX_MEMLIMIT instead of GOMEMLIMIT.
    • ROX_MEMLIMIT is meant to capture the memory limit of the deployment, so it may adjust the GOMEMLIMIT accordingly.
    • ROX_MEMLIMIT is not as flexible as GOMEMLIMIT. It may only be set to an integer representing a number of bytes.
  • ROX-21620: Publish opensource Helm charts instead of stackrox.io Helm charts.
  • ROX-20163: Sensor captures runtime events even if it is disconnected from Central.
  • ROX-20280: Fixed bug that prevented user from editing the endpoint from an unauthenticated email notifier. The credentials are still required to change the endpoint if it's not unauthenticated.
  • ROX-21729: When deleting a collection that is referenced by other objects such as report configurations, the error message now includes the names of the collection being deleted and its referencing object (report configuration).
  • ROX_SCAN_TIMEOUT environment variable in Central and Sensor now defaults to 10m instead of 6m.
  • ROX-19814: As announced in 4.2, the /v1/resources endpoint now requires authenticated access.
  • The default policy "systemctl Execution" has been updated to not trigger when the process argument --version is used. This does not pose a security issue because the information printed relates to features supported by systemd at the build time and not the capabilities of the host OS.
  • The default policy "No resource requests or limits specified" has been renamed to "No CPU request or memory limit specified" and now no longer checks CPU limit or memory request. Rather it only detects that the CPU request and memory limits are set.

4.4.0-rc.11

27 Mar 06:58
Pre-release

Added Features

  • Customer-provided PostgreSQL databases are now GA
  • ROX-21235: /api/extensions/certs/backup added to provide external database consumers a means to back up certs. --certs-only flag added to roxctl central backup to exercise that endpoint.
  • The "Kubernetes Resource Name" policy criteria now supports regex values. Note: the value must be prefixed with "r/" to activate regex matching.
  • ROX-22238: roxctl deployment check results now contain additional information about the Permission Level and applicable Network Policies for a deployment, if --cluster and --namespace are provided together with --verbose.
  • Export APIs have been added for deployments, nodes, pods, and images as a tech preview.
  • ROX-21950: roxctl scanner download-db has been added to help download version specific offline vulnerability bundles introduced with Scanner V4.
  • The new vulnerability scanner named "Scanner V4" has been integrated. At the moment it needs to run side-by-side with the current default scanner named "StackRox Scanner". Installation instructions can be found in the official RHACS documentation.
  • ROX-19932: ACS can pull information about available clusters to secure from
    Red Hat OpenShift Cluster Manager and Paladin Cloud.
  • ROX-13367: ACS now supports short-lived token integrations for GCP via
    workload identity federation and AWS via the Secure Token Service.
  • ROX-17382: An enhanced version of the ACS and Compliance Operator integration is now available under the heading "Compliance (2.0)". This feature is in Tech Preview.
  • ROX-20100: Machine access configurations have been added to provide short-lived access tokens for Central.
  • A new image scanner based on ClairCore, Scanner V4, is now available.
    • It is disabled by default, but it is recommended for more accurate image scan results.
  • ROX-22505: It is now possible to set up authentication provider claim mappings via UI.
  • API token expiration date can be configured. If expiration date is not specified, API token will expire in 1 year.

Removed Features

  • ROX-18840: Sunburst widgets in the Compliance section have been removed (deprecation announced in version 4.2 release notes)

  • The Docker CIS benchmark has been removed as announced in the 4.2 release notes.

  • ROX-12982: All custom stackrox-* SecurityContextConstraints (SCC) have been replaced with default SCCs (deprecation announced in 4.1 release notes).

  • ROX-9156: In Helm and Operator installation modes, references to image pull secrets with certain names are no longer
    unconditionally added to service accounts. This is done to avoid causing log spam for kubelet due to non-existing secrets.

    References will still be added for backwards compatibility if during installation or upgrade the secrets in question
    are found to actually exist. The names of these special secrets are:

    • for central components: stackrox, stackrox-scanner,
    • for secured cluster components: stackrox, stackrox-scanner, secured-cluster-services-main,
      secured-cluster-services-collector, collector-stackrox.

    We recommend explicitly listing any image pull secrets that are needed:

    • for Helm-based installs: via the imagePullSecrets.useExisting Helm value
    • for operator-based installs: via the spec.imagePullSecrets field in stackrox custom resources

    This may be necessary in case the Helm chart is applied in an environment where cluster lookup is unavailable
    (such as a CD pipeline like ArgoCD).

Deprecated Features

  • The following search terms will be disabled in the next release and removed from the deployment context in 2 releases:
    • Environment variable terms that can be removed by setting ROX_DEPLOYMENT_ENVVAR_SEARCH=false:
      • Environment Key, Environment Value, Environment Variable Source
    • Volume terms that can be removed by setting ROX_DEPLOYMENT_VOLUME_SEARCH=false:
      • Volume Destination, Volume Name, Volume ReadOnly, Volume Source, Volume Type
    • Secret terms that can be removed by setting ROX_DEPLOYMENT_SECRET_SEARCH=false:
      • Secret, Secret Path
  • The following search terms will be disabled in the next release and removed from the secret context in 2 releases. They can be removed in the current release by setting ROX_SECRET_FILE_SEARCH=false:
    • Secret Type, Cert Expiration, Image Pull Secret Registry
  • The /v1/availableAuthProviders endpoint will in a future release require authentication and at least READ permission on the Access resource.
    Ensure that any flow interacting with it is authenticated and has the proper permissions going forward.
  • The /v1/tls-challenge endpoint will require authentication. Ensure that all interactions with this endpoint include proper authentication going forward.
  • The Helm setting central.db.persistence.hostPath for hostPath storage will be deprecated in 2 releases. It is recommended to switch to an alternative persistent storage.
  • Users running ACS version 3.74.x or earlier must stop at version 4.4.x before upgrading to 4.5 or later. In version 4.0.0, ACS switched the underlying datastore to PostgreSQL. On an upgrade, data would be automatically migrated to PostgreSQL from the previous store.
    In 4.5.0 this previous store will no longer be available, thus any existing data will not be migrated over if users jump from 3.74.x directly to 4.5.0. By stopping at any version from 4.0.0 to 4.4.x, users can ensure that the data will be properly migrated.
  • StackRox Scanner will no longer receive new features and will be in maintenance-mode. Development is now focused on the new Scanner V4.

Technical Changes

  • Increased default memory request for scanner-db from 200MiB to 512MiB,
    to prevent OOMs during DB initialization in case of memory pressure on the node.
  • ROX-20105: Scanner slim will now read additional CAs from the additional-ca-sensor secret.
  • ROX-20623: Fixed bug mistakenly requiring admin access to delegate ad-hoc scan requests to secured clusters.
  • ROX-20492: Existing autogenerated integrations will now be deleted on Central startup if ROX_DISABLE_AUTOGENERATED_REGISTRIES is true.
  • /v1/administration/usage API endpoint is now considered stable.
  • Enforce the existence of the OpenShift monitoring /metrics server certificate by requiring
    the secrets central-monitoring-tls / sensor-monitoring-tls to exist on start up. This only applies
    if OpenShift monitoring is enabled.
  • Configuration files now specify ROX_MEMLIMIT instead of GOMEMLIMIT.
    • ROX_MEMLIMIT is meant to capture the memory limit of the deployment, so it may adjust the GOMEMLIMIT accordingly.
    • ROX_MEMLIMIT is not as flexible as GOMEMLIMIT. It may only be set to an integer representing a number of bytes.
  • ROX-21620: Publish opensource Helm charts instead of stackrox.io Helm charts.
  • ROX-20163: Sensor captures runtime events even if it is disconnected from Central.
  • ROX-20280: Fixed bug that prevented user from editing the endpoint from an unauthenticated email notifier. The credentials are still required to change the endpoint if it's not unauthenticated.
  • ROX-21729: When deleting a collection that is referenced by other objects such as report configurations, the error message now includes the names of the collection being deleted and its referencing object (report configuration).
  • ROX_SCAN_TIMEOUT environment variable in Central and Sensor now defaults to 10m instead of 6m.
  • ROX-19814: As announced in 4.2, the /v1/resources endpoint now requires authenticated access.
  • The default policy "systemctl Execution" has been updated to not trigger when the process argument --version is used. This does not pose a security issue because the information printed relates to features supported by systemd at the build time and not the capabilities of the host OS.
  • The default policy "No resource requests or limits specified" has been renamed to "No CPU request or memory limit specified" and now no longer checks CPU limit or memory request. Rather it only detects that the CPU request and memory limits are set.