4.11.0-rc.3
Pre-release
Added Features
- The config-controller now periodically reconciles SecurityPolicy CRs (default: every 30 minutes), detecting drift if policies are modified or deleted directly in Central. The interval is configurable via the ROX_CONFIG_CONTROLLER_RECONCILE_INTERVAL environment variable.
- ROX-26769: The Central API for generating CRSs now supports specifying an upper bound for cluster registrations using the new field "max_registrations". roxctl's "central crs generate" supports specifying a maximum number of cluster registrations using the new parameter "--max-clusters".
- ROX-24311: Detection and enforcement for the pods/attach Kubernetes event.
- ROX-33099: New Operator Helm Chart is now the only recommended way to install on non-OpenShift clusters.
- ROX-33098 (Tech Preview): Effective path and Actual Path have been combined into a single File Path policy criterion.
- ROX-33156 (Tech Preview): A new default policy category called "File Activity Monitoring" is now available.
- ROX-33673: A new default policy has been added to detect missing egress NetworkPolicy associated with deployments. The policy is disabled by default.
- ROX-33336: The Operator now reads the cluster-wide TLS profile from apiserver.config.openshift.io/cluster on OpenShift and propagates it to all managed ACS components via environment variables. The Operator's own metrics server always honors the cluster TLS profile when running on OpenShift.
- ROX-26033: Compliance now tracks tailored profiles and custom rules from the Compliance Operator. Tailored profiles can be included in scan configurations, and their check results are shown in the Coverage page and CSV reports.
- ROX-34407: Deprecated the fields for selecting the optional columns NVD CVSS, EPSS Probability, and Advisory in Vulnerability Reporting. These columns will be included by default next to similar columns. This change also affects the column order in reports.
- ROX-33108: Added a Component Version column in Vulnerability Reporting.
- ROX-32865: Images are now uniquely identified by the combination of name and digest, rather than by digest alone. This new data model resolves several long-standing issues when multiple images share the same digest but have different names (e.g., different registries or tags):
  - Deployments now correctly distinguish images with the same digest but different names, so each deployment shows its own image reference in VM dashboards and vice-versa.
  - Vulnerability exceptions (deferrals, false positives) can now be correctly scoped to a specific image name. Previously, a deferral/false-positive created for one image name would leak to all images sharing the same digest.
  - Policies now evaluate correctly per the deployed/checked image name and respect its vulnerability exceptions, rather than being affected by shared-digest exception leakage.
Removed Features
Deprecated Features
- The following roxctl commands related to manifest-based and Helm-based installation are now deprecated. They will be removed in a future release. Please use the operator for deployment management instead.
  - roxctl sensor generate {k8s,openshift}
  - roxctl sensor get-bundle
  - roxctl sensor generate-certs
  - roxctl central generate {interactive,k8s,openshift}
  - roxctl helm output {central-services,secured-cluster-services}
  - roxctl helm derive-local-values
- Deprecated gRPC endpoints for manifest-based and Helm-based installation: GetCAConfig, SensorUpgradeService (all RPCs), the DeploymentFormat enum, PostCluster, and PutCluster. The REST endpoints /api/extensions/clusters/zip, /api/extensions/clusters/helm-config.yaml, and /api/extensions/helm-charts/ are also deprecated. They will be removed in a future release. Please use the operator for deployment management instead.
- Plaintext (non-TLS) Central endpoints, configured via the ROX_PLAINTEXT_ENDPOINTS environment variable, are deprecated and will be removed in a future release. Modern load balancers and ingress controllers support TLS passthrough, making plaintext endpoints unnecessary.
Technical Changes
- ROX-34351: ACS components now always prevent Istio sidecar injection, removing the need for the env.istio Helm value and the --istio-support CLI flag. Existing Istio service mesh deployments continue to work without configuration changes.
- OpenShift 3 support removed from all installation methods.
- ROX-34524: Fixed proxy bypass for non-HTTP schemes (e.g., TLS checks) when only HTTPS_PROXY/HTTP_PROXY are configured without ALL_PROXY. Previously, sensor's lazy TLS registry initialization would fail in proxy-only environments.
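An added example modelling the proxy selection the ROX-34524 item describes; it is not code from the StackRox repository, and the Env type, the proxyFor function and the sample proxy values are assumptions. It places the pre-fix behaviour (non-HTTP schemes consult only ALL_PROXY and otherwise dial directly) beside a fallback to HTTPS_PROXY and then HTTP_PROXY, so a TLS check in a proxy-only network still reaches the proxy.

```go
package main

import (
	"fmt"
	"net/url"
)

// Env holds proxy variables explicitly (constructed input, not the real environment).
type Env map[string]string

// lookup returns the first non-empty value among the given variable names.
func (e Env) lookup(names ...string) string {
	for _, n := range names {
		if v := e[n]; v != "" {
			return v
		}
	}
	return ""
}

// proxyFor picks the proxy URL for a request scheme (nil means dial directly).
// fallback=false models the pre-fix behaviour in the release note: schemes other
// than http/https consult only ALL_PROXY, so a raw TLS check bypasses the proxy.
// fallback=true lets those schemes use HTTPS_PROXY, then HTTP_PROXY, instead.
func proxyFor(scheme string, env Env, fallback bool) (*url.URL, error) {
	names := []string{"ALL_PROXY"}
	switch scheme {
	case "https":
		names = []string{"HTTPS_PROXY"}
	case "http":
		names = []string{"HTTP_PROXY"}
	default:
		if fallback {
			names = append(names, "HTTPS_PROXY", "HTTP_PROXY")
		}
	}
	raw := env.lookup(names...)
	if raw == "" {
		return nil, nil
	}
	return url.Parse(raw)
}

func main() {
	env := Env{"HTTPS_PROXY": "http://proxy.example:3128"} // constructed sample
	for _, fb := range []bool{false, true} {
		p, _ := proxyFor("tls", env, fb) // "tls": a non-HTTP scheme, like a TLS probe
		fmt.Printf("fallback=%v proxy=%v\n", fb, p)
	}
}
```

With only HTTPS_PROXY set, the first iteration prints a nil proxy (direct dial, which fails in a proxy-only network) and the second prints the HTTPS_PROXY value.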