Releases: kubernetes-sigs/security-profiles-operator
v0.8.4
Release notes
Welcome to our glorious v0.8.4 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.4/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.4
Beside the operator image, we now also ship spoc
, the official Security Profiles Operator Command Line Interface! Binaries for amd64
and arm64
are attached to this release.
To verify the signature of spoc
. download all release artifacts and run for amd64
(works in the same way for arm64
:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom
tool, download the artifacts into a build
directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx
file is signed as well and we also provide .sha512
sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Added a
spoc convert
command to transform security profile YAML definitions to their raw representation. (#2201, @mhils) spoc merge
now combines AppArmor profiles with glob patterns in the first profile. (#2239, @mhils)spoc merge
now has a--check
flag to ensure that a profile is a superset of other profiles. (#2240, @mhils)spoc
can now record Seccomp and AppArmor profiles simultaneously.
The AppArmor recorder is now significantly more robust (#2260, @mhils)
Documentation
- Updated dead documentation link on how to constrain the spod to specific nodes. (#2266, @saschagrunert)
Bug or Regression
- Fix
spoc record
to work with >15 character executable names. Make AppArmor profile generation more robust. (#2241, @mhils) - Fix dynamic clusters encounter finalizer mismatch when nodes are added and removed too quickly. (#2145, @jlowe64)
Dependencies
Added
- github.com/DataDog/go-libddwaf/v2: v2.2.3
- github.com/checkpoint-restore/checkpointctl: v1.1.0
- github.com/checkpoint-restore/go-criu/v7: v7.1.0
- github.com/go-jose/go-jose/v4: v4.0.1
- github.com/go-task/slim-sprig/v3: v3.0.0
- github.com/google/go-configfs-tsm: v0.2.2
- github.com/moby/docker-image-spec: v1.3.1
Changed
- bitbucket.org/creachadair/shell: v0.0.7 β v0.0.8
- chainguard.dev/go-grpc-kit: v0.17.1 β v0.17.2
- cloud.google.com/go/compute: v1.24.0 β v1.25.1
- cloud.google.com/go/iam: v1.1.5 β v1.1.6
- cloud.google.com/go/kms: v1.15.5 β v1.15.8
- cloud.google.com/go/longrunning: v0.5.4 β v0.5.5
- cloud.google.com/go/monitoring: v1.16.1 β v1.17.0
- cloud.google.com/go/pubsub: v1.33.0 β v1.37.0
- cloud.google.com/go/security: v1.15.4 β v1.15.6
- cloud.google.com/go/storage: v1.35.1 β v1.39.1
- cloud.google.com/go/trace: v1.10.2 β v1.10.4
- cloud.google.com/go: v0.112.0 β v0.112.1
- github.com/AdamKorcz/go-fuzz-headers-1: e936619 β 8b5d3ce
- github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.9.1 β v1.10.0
- github.com/Azure/azure-sdk-for-go/sdk/internal: v1.5.1 β v1.5.2
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: v1.0.1 β v1.1.0
- github.com/Azure/azure-sdk-for-go/sdk/storage/azblob: v1.2.0 β v1.2.1
- github.com/AzureAD/microsoft-authentication-library-for-go: v1.2.1 β v1.2.2
- github.com/DATA-DOG/go-sqlmock: v1.5.0 β v1.5.2
- github.com/DataDog/appsec-internal-go: v1.0.0 β v1.4.0
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state: 2549ba9 β v0.48.1
- github.com/DataDog/datadog-go/v5: v5.3.0 β v5.4.0
- github.com/DrJosh9000/zzglob: v0.0.17 β v0.1.0
- github.com/Microsoft/go-winio: v0.6.1 β v0.6.2
- github.com/Microsoft/hcsshim: v0.12.0-rc.3 β v0.12.3
- github.com/aquasecurity/libbpfgo: 1.3 β 1.4
- github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: v1.4.13 β v1.6.1
- github.com/aws/aws-sdk-go-v2/config: v1.26.6 β v1.27.9
- github.com/aws/aws-sdk-go-v2/credentials: v1.16.16 β v1.17.9
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.14.11 β v1.16.0
- github.com/aws/aws-sdk-go-v2/feature/s3/manager: v1.11.76 β v1.16.9
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.2.10 β v1.3.4
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.5.10 β v2.6.4
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.7.3 β v1.8.0
- github.com/aws/aws-sdk-go-v2/internal/v4a: v1.1.4 β v1.3.3
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.10.4 β v1.11.1
- github.com/aws/aws-sdk-go-v2/service/internal/checksum: v1.1.36 β v1.3.5
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.10.10 β v1.11.6
- github.com/aws/aws-sdk-go-v2/service/internal/s3shared: v1.15.4 β v1.17.3
- github.com/aws/aws-sdk-go-v2/service/kms: v1.27.9 β v1.30.0
- github.com/aws/aws-sdk-go-v2/service/s3: v1.40.0 β v1.51.4
- github.com/aws/aws-sdk-go-v2/service/sso: v1.18.7 β v1.20.3
- github.com/aws/aws-sdk-go-v2/service/ssooidc: [v1.21.7 β v1.23.3](https://git...
v0.8.3
Release notes
Welcome to our glorious v0.8.3 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.3/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.3
Beside the operator image, we now also ship spoc
, the official Security Profiles Operator Command Line Interface! Binaries for amd64
and arm64
are attached to this release.
To verify the signature of spoc
. download all release artifacts and run for amd64
(works in the same way for arm64
:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom
tool, download the artifacts into a build
directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx
file is signed as well and we also provide .sha512
sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Add a new
--no-start
flag that allows spoc to record profiles without driving the process execution. (#2161, @mhils) - Added a
spoc merge
command to merge multiple security profiles from the command line. (#2136, @mhils) - Added initial support for merging AppArmor profiles with
spoc merge
. (#2140, @mhils) - Adds functionality to the profile binding functionality to establish a default seccomp/selinux profile for a given namespace.
Specific image bindings have priority over the default profiles allowing more tailored profiles for specific images while allowing customization of a default profile applied to all pods without having to specify specific images strings. (#1869, @CoreyCook8) - The
spoc
cli tool now featuresapparmor
andraw-apparmor
types to generate CRDs and raw apparmor profiles. (#1917, @0xmilkmix)
Bug or Regression
- Fixed issue with crashing SPOD daemon by allowing
clock_gettime
syscall. (#2121, @CoreyCook8) - Fixed reporting of status and the policy usage string for RawSelinuxProfile CRs (#1496, @jhrozek)
- Make the field disabling profiles after recording optional (#2033, @yuumasato)
Dependencies
Added
- cuelabs.dev/go/oci/ociregistry: 93e78c0
- github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns: v1.2.0
- github.com/Venafi/vcert/v5: v5.3.0
- github.com/containerd/errdefs: v0.1.0
- github.com/moby/sys/user: v0.1.0
- github.com/sosodev/duration: v1.2.0
- golang.org/x/telemetry: b75ee88
Changed
- cloud.google.com/go/compute: v1.23.3 β v1.24.0
- cloud.google.com/go/firestore: v1.13.0 β v1.14.0
- cloud.google.com/go/longrunning: v0.5.1 β v0.5.4
- cloud.google.com/go/security: v1.15.1 β v1.15.4
- cloud.google.com/go/storage: v1.33.0 β v1.35.1
- cloud.google.com/go: v0.110.10 β v0.112.0
- cuelang.org/go: v0.6.0 β v0.7.0
- filippo.io/edwards25519: v1.0.0 β v1.1.0
- github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.9.0 β v1.9.1
- github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.4.0 β v1.5.1
- github.com/Azure/azure-sdk-for-go/sdk/internal: v1.5.0 β v1.5.1
- github.com/AzureAD/microsoft-authentication-library-for-go: v1.2.0 β v1.2.1
- github.com/Microsoft/hcsshim: v0.12.0-rc.1 β v0.12.0-rc.3
- github.com/alecthomas/kingpin/v2: v2.3.2 β v2.4.0
- github.com/aws/aws-sdk-go-v2/config: v1.25.11 β v1.26.6
- github.com/aws/aws-sdk-go-v2/credentials: v1.16.9 β v1.16.16
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.14.9 β v1.14.11
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.2.8 β v1.2.10
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.5.8 β v2.5.10
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.7.1 β v1.7.3
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.10.3 β v1.10.4
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.10.8 β v1.10.10
- github.com/aws/aws-sdk-go-v2/service/kms: v1.27.2 β v1.27.9
- github.com/aws/aws-sdk-go-v2/service/sso: v1.18.2 β v1.18.7
- github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.21.2 β v1.21.7
- github.com/aws/aws-sdk-go-v2/service/sts: v1.26.2 β v1.26.7
- github.com/aws/aws-sdk-go-v2: v1.23.5 β v1.24.1
- github.com/aws/aws-sdk-go: v1.48.11 β v1.50.0
- github.com/aws/smithy-go: v1.18.1 β v1.19.0
- github.com/beevik/ntp: v1.3.0 β v1.3.1
- github.com/buildkite/go-pipeline: v0.2.0 β v0.3.2
- github.com/cert-manager/cert-manager: v1.13.3 β v1.14.4
- github.com/cilium/ebpf: v0.7.0 β v0.9.1
- github.com/cloudflare/circl: v1.3.5 β v1.3.7
- github.com/cncf/xds/go: 8bd2eac β 0fa0005
- github.com/containerd/containerd: v1.7.9 β v1.7.13
- github.com/containernetworking/plugins: v1.3.0 β v1.4.0
- github.com/containers/common: v0.57.1 β v0.58.1
- github.com/containers/image/v5: v5.29.0 β v5.30.0
- github.com/containers/storage: v1.51.0 β v1.53.0
- github.com/coreos/go-oidc/v3: v3.7.0 β v3.9.0
- github.com/cyberphone/json-canonicalization: 785e297 β ba74d44
- github.com/danieljoos/wincred: v1.2.0 β v1.2.1
- github.com/digitalocean/godo: [v1.102.1 β v1.107.0](https://github.com/digital...
v0.8.2
Release notes
Welcome to our glorious v0.8.2 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.2/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.2
Beside the operator image, we now also ship spoc
, the official Security Profiles Operator Command Line Interface! Binaries for amd64
and arm64
are attached to this release.
To verify the signature of spoc
. download all release artifacts and run for amd64
(works in the same way for arm64
:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom
tool, download the artifacts into a build
directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx
file is signed as well and we also provide .sha512
sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Failing Test
- Fixed upgrade issue introduced in v0.8.1. (#2023, @yuumasato)
Dependencies
Added
- github.com/DATA-DOG/go-sqlmock: v1.5.0
- github.com/Khan/genqlient: v0.6.0
- github.com/alexflint/go-arg: v1.4.2
- github.com/alexflint/go-scalar: v1.0.0
- github.com/aws/aws-sdk-go-v2/feature/s3/manager: v1.11.76
- github.com/buildkite/go-pipeline: v0.2.0
Changed
- cloud.google.com/go/compute: v1.23.2 β v1.23.3
- cloud.google.com/go/iam: v1.1.4 β v1.1.5
- cloud.google.com/go/kms: v1.15.4 β v1.15.5
- cloud.google.com/go: v0.110.9 β v0.110.10
- github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.8.0 β v1.9.0
- github.com/Azure/azure-sdk-for-go/sdk/internal: v1.4.0 β v1.5.0
- github.com/DataDog/datadog-agent/pkg/obfuscate: v0.48.1 β v0.48.0
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state: v0.48.1 β 2549ba9
- github.com/DataDog/sketches-go: v1.4.3 β v1.4.2
- github.com/andybalholm/brotli: v1.0.6 β v1.0.1
- github.com/aws/aws-sdk-go-v2/config: v1.19.1 β v1.25.11
- github.com/aws/aws-sdk-go-v2/credentials: v1.13.43 β v1.16.9
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.13.13 β v1.14.9
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.1.43 β v1.2.8
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.4.37 β v2.5.8
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.3.45 β v1.7.1
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.9.14 β v1.10.3
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.9.37 β v1.10.8
- github.com/aws/aws-sdk-go-v2/service/kms: v1.24.7 β v1.27.2
- github.com/aws/aws-sdk-go-v2/service/sso: v1.15.2 β v1.18.2
- github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.17.3 β v1.21.2
- github.com/aws/aws-sdk-go-v2/service/sts: v1.23.2 β v1.26.2
- github.com/aws/aws-sdk-go-v2: v1.21.2 β v1.23.5
- github.com/aws/aws-sdk-go: v1.47.0 β v1.48.11
- github.com/aws/smithy-go: v1.15.0 β v1.18.1
- github.com/buildkite/agent/v3: v3.58.0 β v3.59.0
- github.com/buildkite/bintest/v3: v3.1.1 β v3.2.0
- github.com/cert-manager/cert-manager: v1.13.2 β v1.13.3
- github.com/containers/common: v0.57.0 β v0.57.1
- github.com/ebitengine/purego: v0.5.0 β v0.5.0-alpha.1
- github.com/felixge/httpsnoop: v1.0.3 β v1.0.4
- github.com/gabriel-vasile/mimetype: v1.4.3 β v1.4.2
- github.com/go-openapi/spec: v0.20.9 β v0.20.11
- github.com/go-openapi/strfmt: v0.21.7 β v0.21.8
- github.com/go-openapi/validate: v0.22.1 β v0.22.3
- github.com/go-rod/rod: v0.114.4 β v0.114.5
- github.com/google/go-tpm-tools: v0.4.1 β v0.4.2
- github.com/gorilla/mux: v1.8.0 β v1.8.1
- github.com/hashicorp/go-retryablehttp: v0.7.4 β v0.7.5
- github.com/jellydator/ttlcache/v3: v3.1.0 β v3.1.1
- github.com/montanaflynn/stats: v0.6.6 β 1bf9dbc
- github.com/open-policy-agent/opa: v0.58.0 β v0.59.0
- github.com/pierrec/lz4/v4: v4.1.18 β v4.1.2
- github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.69.1 β v0.70.0
- github.com/sigstore/cosign/v2: v2.2.1 β v2.2.2
- github.com/sigstore/rekor: v1.3.3 β v1.3.4
- github.com/sigstore/sigstore/pkg/signature/kms/aws: v1.7.5 β v1.7.6
- github.com/sigstore/sigstore/pkg/signature/kms/azure: v1.7.5 β v1.7.6
- github.com/sigstore/sigstore/pkg/signature/kms/gcp: v1.7.5 β v1.7.6
- github.com/sigstore/sigstore/pkg/signature/kms/hashivault: v1.7.5 β v1.7.6
- github.com/sigstore/sigsto...
v0.8.1
Release notes
Welcome to our glorious v0.8.1 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.1/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.1
Beside the operator image, we now also ship spoc
, the official Security Profiles Operator Command Line Interface! Binaries for amd64
and arm64
are attached to this release.
To verify the signature of spoc
. download all release artifacts and run for amd64
(works in the same way for arm64
:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom
tool, download the artifacts into a build
directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx
file is signed as well and we also provide .sha512
sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
API Change
- The
ProfileRecorder
CR gets a new attribute disableProfileAfterRecording that can be used to avoid installing profiles after recording. (#1712, @jhrozek)
Feature
- Added support for platforms (
os[/arch][/variant][:os_version]
) when using seccomp OCI artifact profiles. (#1658, @saschagrunert) - Added an env variable to the Make file so we can use it to pass extra build arguments to enable features like FIPS. (#1945, @Vincent056)
- Added
disableOciArtifactSignatureVerification
option to spod config to be able to disable signature verification for OCI artifact profiles. (#1804, @saschagrunert)
Bug or Regression
- Fixed #1769 (#1770, @CoreyCook8)
ChangederrnoRet
value in the seccomp types definition to be the right type of uint. - Fixed bug on daemon rollout when SPOD config
HostProcVolumePath
is unset. (#1647, @saschagrunert) - Fixed SELinux policy constantly being processed. (#1843, @novaesis)
- Fixed spod being stuck in
UPDATING
state because the webhook thinks it's requiring an update. (#1985, @saschagrunert) - Fixed an issue when we create a raw SELinux profile that inherits another SELinux profile. (#1904, @Vincent056)
- Fixed an issue when we create a raw SELinux profile, we are not able to recognize the owner of the
NodeStatus
if aRawSelinuxProfile
is being created. (#1889, @Vincent056) - Fixed missing nodestatus issues on some nodes when we have a crashed pod. (#1928, @Vincent056)
- In conjunction to PR#1904, this pr is also needed in order to fix the SELinux profile inherit issue for OCPBUGS-17164, do not add inherit system container line when we have selinuxprofile inherit. (#1919, @Vincent056)
- Support docker-in-docker for looking up the container ID in the ebpf based recorder (#1648, @slashben)
- Updated kube-rbac-proxy to v0.15.0.
- Disable kube-rbac-proxy HTTP/2 support (#1940, @yuumasato)
- Fixed file descriptor memory leak (#1879, @CoreyCook8)
Other (Cleanup or Flake)
- Added an e2e test for apparmor profile which covers base functionality such as loading and unloading profiles into the cluster nodes. (#1684, @ccojocar)
- Updated controller-runtime (#1700, @saschagrunert)
- Updated cert-manager (#1709, @saschagrunert)
- Updated libbpf (#1670, @saschagrunert)
- Updated project to require golang 1.21. (#1854, @saschagrunert)
- Updated runc and crun base profiles to their latest release. (#1650, @saschagrunert)
v0.8.0
Release notes
Welcome to our glorious v0.8.0 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.0/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.0
Beside the operator image, we now also ship spoc
, the official Security Profiles Operator Command Line Interface! Binaries for amd64
and arm64
are attached to this release.
To verify the signature of spoc
. download all release artifacts and run for amd64
(works in the same way for arm64
:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom
tool, download the artifacts into a build
directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
| zeitgeist | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx
file is signed as well and we also provide .sha512
sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Added OCI seccomp base profile support if the
baseProfileName
if prefixed withoci://
. (#1560, @saschagrunert) - SPO now auto selects the appropriate selinuxd image based on mapping in the security-profiles-operator-profile. If none of the entries match, SPO falls back to the image provided by
RELATED_IMAGE_SELINUXD
. (#1600, @jhrozek)
Bug or Regression
- Fixed overriding args and error return values when merging profiles. (#1587, @saschagrunert)
Other (Cleanup or Flake)
- Updated crun v1.8.3 and runc v1.1.5 base profiles. (#1586, @saschagrunert)
v0.7.1
Release notes
Welcome to our glorious v0.7.1 release of the security-profiles-operator! This is a small patch release as follow-up on v0.7.0. The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.7.1/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.7.1
Beside the operator image, we now also ship spoc
, the official Security Profiles Operator Command Line Interface! Binaries for amd64
and arm64
are attached to this release.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Bug or Regression
- Fixed a bug that prevents helm install to work when installing on a cluster where the namespace already exists. (#1568, @tuxerrante)
Dependencies
Added
Nothing has changed.
Changed
- github.com/containers/common: v0.51.0 β v0.51.1
- google.golang.org/grpc: v1.53.0 β v1.54.0
Removed
Nothing has changed.
v0.7.0
Release notes
Welcome to our glorious v0.7.0 release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.7.0/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.7.0
Beside the operator image, we now also ship spoc
, the official Security Profiles Operator Command Line Interface! Binaries for amd64
and arm64
are attached to this release.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Deprecation
- Removed default nginx profile from operator deployment. (#1361, @saschagrunert)
Feature
- Added
--base-syscalls
tospoc record
to ensure compatibility with OCI runtimes like runc and crun. (#1510, @saschagrunert) - Added
spoc push/pull
command to manage profiles in OCI registries. (#1551, @saschagrunert) - Added
spoc run
command for experimental testing of seccomp profiles. (#1534, @saschagrunert) - Added
spoc
binary, the Security Profiles Operator CLI. This new binary is also part of the default container images. (#1490, @saschagrunert) - Added option to record raw seccomp JSON profiles via
spoc record -t raw-seccomp β¦
. (#1508, @saschagrunert) - Added support for recording seccomp profiles via
spoc record
. (#1497, @saschagrunert) - Allow to configure a custom kubelet root directory for each node or a pool of nodes. (#1476, @ccojocar)
- Allow to run the
spoc
CLI from an operatorspoc
/s
subcommand. (#1492, @saschagrunert) - CLI change: --namespace flag should be specified when installing the helm chart (#1499, @tuxerrante)
- Integrated enricher into
spoc run
(#1545, @saschagrunert) - Make the kubelet root directory configurable via KUBELET_DIR environment variable. (#1438, @ccojocar)
- Make the priority class name configurable in th SPOD configuration. (#1488, @ccojocar)
- Added registry, repository & tag in values.yaml to make SPO repo & image values configurable in helm charts. (#1396, @rahulroshan-kachchap)
- Exposed
enableSelinux
,enableLogEnricher
andenableAppArmor
values in the helm chart values.yaml to make it configurable by the user during the deployment. (#1376, @rahulroshan-kachchap)
Documentation
- Add a README.md to make user easily discover available SPO settings in the helm chart (#1542, @chenliu1993)
- Automatically adding
replaces
andcontainerImage
to OperatorHub manifest bundle. (#1326, @saschagrunert) - Switched to
gcr.io/kubebuilder/kube-rbac-proxy
fromquay.io/brancz
. (#1429, @saschagrunert) - Add an architecture diagram. (#1550, @ccojocar)
Bug or Regression
-
Add an option to enable memory optimization inside of spod daemon. (#1425, @ccojocar)
-
Fix memory optimization feature after upgrading to controller-runtime v0.14.5. (#1543, @ccojocar)
-
Fix profiling when bpf-recorder is enabled but SELinux is disabled. (#1420, @ccojocar)
-
Fix vagrant for Flatcar Linux to work with Kubernetes 1.26. (#1392, @ccojocar)
-
Fixed a bug where SELinux policies inheriting from another template than container
would not load correctly. (#1495, @jhrozek) -
Install the default log enricher sccomp profile only when log enricher is enabled in the spod configuration. (#1388, @ccojocar)
-
Modified default operator seccomp profile for Amazon Linux 2 (5.4.226-129.415.amzn2.x86_64) (#1434, @saschagrunert)
-
Mount the custom kubelet root directory inside non-root-enabler container when is different from default. (#1447, @ccojocar)
-
Reworked the bpfrecorder to record syscalls per mntns intead of PID. (#1511, @ccojocar)
-
The ProfileRecording setting mergeStrategy=containers did not work
as expected, it was merging all containers from a single recording
into a single policy. This PR fixes the bug and now a single policy
is generated for each container. (#1380, @jhrozek) -
Update the volume mount on the effective object of non-root-enabler container instead of a copy with no effect. (#1450, @ccojocar)
-
When using OLM to install the SPO from a bundle, SPO now defaults to installation in all namespaces and watching CRs across all namespaces. Please refer to https://olm.operatorframework.io/docs/advanced-tasks/operator-scoping-with-operatorgroups/ to learn how to scope the operator to either watch only a subset of namespaces or install SPO to a different namespace when using OLM.
Note that the other installation methods or the RESTRICT_TO_NAMESPACE environment variables are not affected by this change and work as before. (#1337, @jhrozek)
Other (Cleanup or Flake)
- The events in the profilerecorder were renamed to be security-profile-agnostic. Previously, an event that included Seccomp in the name was used for all security profiles. (#1343, @jhrozek)
- Updated
vmlinux.h
to be based on Fedora 37 (#1331, @saschagrunert) - Updated cert-manager to v1.10.1. (#1329, @saschagrunert)
- Updated cert-manager to v1.11.0. (#1414, @saschagrunert)
- Updated crun base seccomp profile to work with crun v1.8. (#1532, @saschagrunert)
- Configure the SELinux type tag when the AppArmor is disabled regardless of
EnableSelinux
flag. (#1339, @ccojocar) - Update golangci-lint to version 1.51.0. (#1453, @ccojocar)
- Use the PID when looking up the command in eBPF map. (#1311, @ccojocar)
Dependencies
Added
- chainguard.dev/go-grpc-kit: v0.14.0
- cloud.google.com/go/accessapproval: v1.5.0
- cloud.google.com/go/accesscontextmanager: v1.4.0
- cloud.google.com/go/aiplatform: v1.27.0
- cloud.google.com/go/analytics: v0.12.0
- cloud.google.com/go/apigateway: v1.4.0
- cloud.google.com/go/apigeeconnect: v1.4.0
- cloud.google.com/go/appengine: v1.5.0
- cloud.google.com/go/area120: v0.6.0
- cloud.google.com/go/artifactregistry: v1.9.0
- cloud.google.com/go/asset: v1.10.0
- cloud.google.com/go/assuredworkloads: v1.9.0
- cloud.google.com/go/automl: v1.8.0
- cloud.google.com/go/baremetalsolution: v0.4.0
- cloud.google.com/go/batch: v0.4.0
- cloud.google.com/go/beyondcorp: v0.3.0
- cloud.google.com/go/billing: v1.7.0
- cloud.google.com/go/binaryauthorization: v1.4.0
- cloud.google.com/go/certificatemanager: v1.4.0
- cloud.google.com/go/channel: v1.9.0
- cloud.google.com/go/cloudbuild: v1.4.0
- cloud.google.com/go/clouddms: v1.4.0
- cloud.google.com/go/cloudtasks: v1.8.0
- cloud.google.com/go/compute/metadata: v0.2.3
- cloud.google.com/go/contactcenterinsights: v1.4.0
- cloud.google.com/go/container: v1.7.0
- cloud.google.com/go/containeranalysis: v0.6.0
- cloud.google.com/go/datacatalog: v1.8.0
- cloud.google.com/go/dataflow: v0.7.0
- cloud.google.com/go/dataform: v0.5.0
- cloud.google.com/go/datafusion: v1.5.0
- cloud.google.com/go/datalabeling: v0.6.0
- cloud.google.com/go/dataplex: v1.4.0
- cloud.google.com/go/dataproc: v1.8.0
- cloud.google.com/go/dataqna: v0.6.0
- cloud.google.com/go/datastream: v1.5.0
- cloud.google.com/go/deploy: v1.5.0
- cloud.google.com/go/dialogflow: v1.19.0
- cloud.google.com/go/dlp: v1.7.0
- cloud.google.com/go/documentai: v1.10.0
- cloud.google.com/go/domains: v0.7.0
- cloud.google.com/go/edgecontainer: v0.2.0
- cloud.google.com/go/errorreporting: v0.3.0
- cloud.google.com/go/essentialcontacts: v1.4.0
- cloud.google.com/go/eventarc: v1.8.0
- cloud.google.com/go/filestore: v1.4.0
- cloud.google.com/go/functions: v1.9.0
- cloud.google.com/go/gaming: v1.8.0
- cloud.google.com/go/gkebackup: v0.3.0
- cloud.google.com/go/gkeconnect: v0.6.0
- cloud.google.com/go/gkehub: v0.10.0
- cloud.google.com/go/gkemulticloud: v0.4.0
- cloud.google.com/go/gsuiteaddons: v1.4.0
- cloud.google.com/go/iam: v0.8.0
- cloud.google.com/go/iap: v1.5.0
- cloud.google.com/go/ids: v1.2.0
- cloud.google.com/go/iot: v1.4.0
- cloud.google.com/go/kms: v1.8.0
- cloud.google.com/go/language: v1.8.0
- cloud.google.com/go/lifesciences: v0.6.0
- cloud.google.com/go/logging: v1.6.1
- cloud.google.com/go/longrunning: v0.3.0
- cloud.google.com/go/managedidentities: v1.4.0
- cloud.google.com/go/maps: v0.1.0
- cloud.google.com/go/mediatranslation: v0.6.0
- cloud.google.com/go/memcache: v1.7.0
- cloud.google.com/go/metastore: v1.8.0
- cloud.google.com/go/monitoring: v1.8.0
- cloud.google.com/go/networkconnectivity: v1.7.0
- cloud.google.com/go/networkmanagement: v1.5.0
- cloud.google.com/go/networksecurity: v0.6.0
- cloud.google.com/go/notebooks: v1.5.0
- cloud.google.com/go/optimization: v1.2.0
- cloud.google.com/go/orchestration: v1.4.0
- cloud.google.com/go/orgpolicy: v1.5.0
- cloud.google.com/go/osconfig: v1.10.0
- cloud.google.com/go/oslogin: v1.7.0
- cloud.google.com/go/phishingprotection: v0.6.0
- cloud.google.com/go/policytroubleshooter: v1.4.0
- cloud.google.com/go/privatecatalog: v0.6.0
- cloud.google.com/go/pubsublite: v1.5.0
- cloud.google.com/go/recaptchaenterprise/v2: v2.5.0
- cloud.google.com/go/recommendationengine: v0.6.0
- cloud.google.com/go/recommender: v1.8.0
- cloud.google.com/go/redis: v1.10.0
- cloud.google.com/go/resourcemanager: v1.4.0
- cloud.google.com/go/resourcesettings: v1.4.0
- cloud.google.com/go/retail: v1.11.0
- cloud.google.com/go/run: v0.3.0
- cloud.google.com/go/scheduler: v1.7.0
- cloud.google.com/go/secretmanager: v1.9.0
- cloud.google.com/go/security: v1.12.0
- cloud.google.com/go/securitycenter:...
v0.6.0
Release notes
Welcome to our glorious v0.6.0 release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.6.0/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.6.0
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
API Change
- SELinux profiles gained a new attribute .spec.permissive which defaults to false. When set to true, the profile will run in a permissive mode, that means that all actions would be allowed, but logged. This allows for a more iterative approach for profile development. (#1278, @jhrozek)
Feature
- Log-enricher support for both short and long AppArmor log entries (#1298, @pjbgf)
- Add a command argument to the daemon which allows to disable the profile recorder controller. (#1290, @ccojocar)
- Configure the default local seccomp profile according to the runtime (e.g. cri-o expects the profile to be prefixed with
localhost
). (#1255, @ccojocar) - Make the daemon resource requirements configurable. (#1291, @ccojocar)
Documentation
Bug or Regression
- This pr fixes seccompprofiles deletion when a node is removed, we added a check to see if the node finalizer is a deleted node, if so, we remove such finalizer so the seccompprofile can be deleted without any issues. (#1236, @Vincent056)
- Fixes the controller panicking when AppArmor is enabled. (#1063, @pjbgf)
Other (Cleanup or Flake)
- Switched to
registry.k8s.io
for the main container image. (#1289, @saschagrunert) - Add directly the file header when generating the mock types. (#1295, @ccojocar)
- Fix bundle goal into the Makefile for macos. (#1300, @ccojocar)
- Fix flaky unit test which checks default operator namespace. (#1296, @ccojocar)
- Fix integration tests for Flatcar Linux. (#1252, @ccojocar)
- Prefix with localhost the local seccomp profile for cri-o only for older Kubernetes versions. (#1310, @ccojocar)
Dependencies
Added
- github.com/evanphx/json-patch/v5: v5.6.0
- github.com/pavlo-v-chernykh/keystore-go/v4: v4.4.0
- github.com/youmark/pkcs8: 1326539
Changed
- cloud.google.com/go/storage: v1.14.0 β v1.10.0
- github.com/Azure/go-autorest/autorest/adal: v0.9.20 β v0.9.21
- github.com/Azure/go-ntlmssp: 6637195 β cb9428e
- github.com/BurntSushi/toml: v1.1.0 β v1.2.1
- github.com/Venafi/vcert/v4: v4.14.3 β v4.22.1
- github.com/akamai/AkamaiOPEN-edgegrid-golang: v1.1.1 β v1.2.1
- github.com/cert-manager/cert-manager: v1.9.1 β v1.10.1
- github.com/cloudflare/cloudflare-go: v0.20.0 β v0.50.0
- github.com/digitalocean/godo: v1.65.0 β v1.86.0
- github.com/go-asn1-ber/asn1-ber: v1.5.1 β v1.5.4
- github.com/go-ldap/ldap/v3: v3.4.2 β v3.4.4
- github.com/google/cel-go: v0.12.4 β v0.12.5
- github.com/googleapis/gax-go/v2: v2.1.1 β v2.4.0
- github.com/hashicorp/go-hclog: v0.16.2 β v1.2.0
- github.com/hashicorp/go-secure-stdlib/parseutil: v0.1.1 β v0.1.6
- github.com/hashicorp/go-secure-stdlib/strutil: v0.1.1 β v0.1.2
- github.com/hashicorp/vault/api: v1.3.1 β v1.8.0
- github.com/hashicorp/vault/sdk: v0.3.0 β v0.6.0
- github.com/miekg/dns: v1.1.47 β v1.1.50
- github.com/mogensen/kubernetes-split-yaml: v0.3.0 β v0.4.0
- github.com/onsi/ginkgo/v2: v2.1.6 β v2.2.0
- github.com/onsi/gomega: v1.20.1 β v1.20.2
- github.com/pjbgf/go-apparmor: v0.0.9 β v0.1.1
- github.com/pkg/sftp: v1.13.1 β v1.10.1
- github.com/prometheus/client_golang: v1.13.0 β v1.14.0
- github.com/prometheus/client_model: v0.2.0 β v0.3.0
- github.com/rogpeppe/go-internal: v1.8.0 β v1.8.1
- github.com/segmentio/encoding: v0.3.3 β v0.3.5
- github.com/stretchr/objx: v0.4.0 β v0.5.0
- github.com/stretchr/testify: v1.8.0 β v1.8.1
- github.com/urfave/cli/v2: v2.20.2 β v2.23.5
- golang.org/x/crypto: 630584e β 4ba4fb4
- golang.org/x/exp: e8c3332 β 7b9b53b
- golang.org/x/net: bea034e β db77216
- golang.org/x/oauth2: 128564f β f213421
- golang.org/x/sync: f12130a β 7f9b162
- golang.org/x/sys: fbc7d0a β 95e765b
- golang.org/x/text: 5bd84dd β v0.4.0
- google.golang.org/api: v0.93.0 β v0.97.0
- google.golang.org/grpc: v1.50.1 β v1.51.0
- k8s.io/api: v0.25.3 β v0.25.4
- k8s.io/apiextensions-apiserver: v0.25.0 β v0.25.2
- k8s.io/apimachinery: v0.25.3 β v0.25.4
- k8s.io/apiserver: v0.25.0 β v0.25.2
- k8s.io/cli-runtime: v0.25.0 β v0.25.2
- k8s.io/client-go: v0.25.3 β v0.25.4
- k8s.io/code-generator: v0.25.0 β v0.25.2
- k8s.io/component-base: v0.25.0 β v0.25.2
- k8s.io/kube-aggregator: v0.24.2 β v0.25.2
- k8s.io/kubectl: v0.25.0 β v0.25.2
- k8s.io/utils: e9cbc92 β 665eaae
- sigs.k8s.io/controller-runtime: v0.12.3 β v0.13.1
- sigs.k8s.io/gateway-api: v0.4.3 β v0.5.0
- software.sslmate.com/src/go-pkcs12: c5206de β v0.2.0
Removed
v0.5.0
Release notes
Welcome to our glorious v0.5.0 release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.5.0/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ COSIGN_EXPERIMENTAL=1 cosign verify k8s.gcr.io/security-profiles-operator/security-profiles-operator:v0.5.0
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Deprecation
- In order to increase stability and scalability of the profile recording webhooks, the internal state of the webhooks has been removed. The user-visible effect is that container recordings no longer include a trailing number in their name (they used to be named e.g.
myrecording-nginx-1, myrecording-nginx-2
) but instead the hash that comes from the pod's generated name.
In addition, the support hook based recording has been deprecated. The only supported modes of profile recording going forward are logs and bpf. (#1112, @jhrozek)
API Change
- Add support for Seccomp Profiles that make use of the Seccomp Notify feature with the wait_killable semantic (SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV). (#1201, @alban)
- The profileRecording CR contains a new optional field mergeStrategy, defaulting to none. When this field is set to containers, the recorded profiles will be set as partial, both using a label and the profile status. These profiles are not reconciled until the profileRecording exists, at which point the partial profiles are merged and a union of the partial profiles is created and finally reconciled.
This allows for easier recording of policies e.g. during longer e2e runs which are recording the policies. (#1179, @jhrozek) - The spod CR now has a new attribute objectSelector that allows to configure which objects would SPO's webhooks match on. By default, the selector matches all, but setting the selector to include e.g. only certain labels might be a way to further ensure that possible bugs in the webhooks don't affect the rest of the cluster. (#1232, @jhrozek)
Feature
- Add an option to deploy statically all webhook resources in order to improve the operator security. (#1053, @ccojocar)
- Add imagePullSecrets to SPOD configuration. (#1227, @ccojocar)
- Add v1 to admission review versions and AARCH64 architecture to default profile. (#1238, @ccojocar)
- Added Affinity to SPOD configuration. (#1217, @ccojocar)
- Added a basic helm chart. The chart is generated by running "make deployments" (#1013, @stephen-fox)
- It is now possible to enable the log enricher at install time by setting the
ENABLE_LOG_ENRICHER
environment value to true. (#1235, @jhrozek) - Pod denials labeling feature was removed. (#1088, @JAORMX)
- SPO changed the way the webhooks are enabled from listening on all namespaces by default to explicitly listening for activity on namespaces labeled with spo.x-k8s.io/enable-binding and spo.x-k8s.io/enable-recording respectively. (#1207, @jhrozek)
- Updated BPF event processing to run in parallel. (#1110, @saschagrunert)
- Use security context to set up the default seccomp profile for spod pod and security-profiles-operator container. (#1239, @ccojocar)
Documentation
- Added documentation about how to install the operator on OpenShift via OperatorHub. (#1145, @saschagrunert)
- If the log-based recorder is in use and the user attempts to either record a container which already had its SecurityContext set or attempts to record a privileged container (which ignores both seccomp profiles and selinux contexts), the profile recording webhook issues a warning event. (#1156, @jhrozek)
- Updated the bpf recorder to fail if running on Linux kernels < 5.8. We now also updated the documentation and shipped BTF about that behavior. (#1039, @saschagrunert)
Bug or Regression
- Automatically add
openshift.io/cluster-monitoring=true
to the operator namespace to allow the service monitor to work as intended. (#1148, @saschagrunert) - Filtering host processes by host mount namespace to prevent ebpf map from filling up during recording. (#1166, @neblen)
- Fix the finalizer string too long, shorten the length of the node name if the finalizer string combined length is over the size of 63 (#1178, @Vincent056)
Other (Cleanup or Flake)
- Additional debug information about AppArmor state is now provided at start-up. (#1079, @pjbgf)
- Updated cert-manager to v1.9.1. (#1043, @saschagrunert)
- Updated kube-rbac-proxy to v0.13.0. (#1023, @saschagrunert)
- Updated libbpf to v1.0.1. (#1205, @saschagrunert)
- Updated required golang to version 1.19. (#1109, @saschagrunert)
Dependencies
Added
- 4d63.com/gochecknoglobals: v0.1.0
- bitbucket.org/creachadair/shell: v0.0.7
- cloud.google.com/go/compute: v1.7.0
- cloud.google.com/go/spanner: v1.7.0
- contrib.go.opencensus.io/exporter/stackdriver: v0.13.4
- cuelang.org/go: v0.4.3
- github.com/Antonboom/errname: v0.1.5
- github.com/Antonboom/nilnil: v0.1.0
- github.com/Azure/go-autorest/autorest/azure/auth: v0.5.11
- github.com/Azure/go-autorest/autorest/azure/cli: v0.4.5
- github.com/Azure/go-ntlmssp: 6637195
- github.com/DATA-DOG/go-sqlmock: v1.5.0
- github.com/Djarvur/go-err113: aea10b5
- github.com/Masterminds/semver: v1.5.0
- github.com/Masterminds/sprig: v2.22.0+incompatible
- github.com/Masterminds/vcs: v1.13.3
- github.com/OpenPeeDeeP/depguard: v1.0.1
- github.com/StackExchange/wmi: v1.2.1
- github.com/ThalesIgnite/crypto11: v1.2.5
- github.com/agnivade/levenshtein: v1.0.1
- github.com/alexkohler/prealloc: v1.0.0
- github.com/aokoli/goutils: v1.0.1
- github.com/ashanbrown/forbidigo: v1.2.0
- github.com/ashanbrown/makezero: b626158
- github.com/aws/aws-sdk-go-v2/config: v1.17.1
- github.com/aws/aws-sdk-go-v2/credentials: v1.12.14
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.12.12
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.1.18
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.4.12
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.3.19
- github.com/aws/aws-sdk-go-v2/service/ecr: v1.15.0
- github.com/aws/aws-sdk-go-v2/service/ecrpublic: v1.12.0
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.9.12
- github.com/aws/aws-sdk-go-v2/service/sso: v1.11.17
- github.com/aws/aws-sdk-go-v2/service/sts: v1.16.13
- github.com/aws/aws-sdk-go-v2: v1.16.11
- github.com/aws/smithy-go: v1.12.1
- github.com/awslabs/amazon-ecr-credential-helper/ecr-login: 396b203
- github.com/bkielbasa/cyclop: v1.2.0
- github.com/blizzy78/varnamelen: v0.3.0
- github.com/bombsimon/wsl/v3: v3.3.0
- github.com/breml/bidichk: v0.1.1
- github.com/butuzov/ireturn: v0.1.1
- github.com/charithe/durationcheck: v0.0.9
- github.com/chavacava/garif: e8a0a40
- github.com/chrismellard/docker-credential-acr-env: fe33c00
- github.com/cockroachdb/apd/v2: v2.0.1
- github.com/coreos/go-etcd: v2.0.0+incompatible
- github.com/coreos/go-oidc/v3: [v3.2.0](htt...
v0.4.3
Release notes
Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.3/deploy/operator.yaml
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
API Change
- Added the ability to tag pods that present denials from either Seccomp or SELinux. This will happen through the 'spo.x-k8s.io/had-denials' label. (#846, @JAORMX)
Feature
- Added the ability to use SelinuxProfile when creating profilebinding objects. (#854, @Vincent056)
- The
security_profiles_operator_selinux_profile_audit_total
metric was actually enabled and uses the appropriate labels scraped from the audit.log file. (#916, @jhrozek) - The spod CR gains a new field webhookOptions which allows the webhooks' failurePolicy and namespaceSelector to be configurable. (#883, @jhrozek)
- Added a syscall allow list in the SPOD configuration (#913, @ccojocar)
- Make allowed seccomp actions configurable in the SPOD configuration. (#927, @ccojocar)
- Make the tolerations of the webhook configurable via the SPOD configuration (#892, @ccojocar)
Documentation
- It is now possible to install SPO from packages provided on operatorhub.io. User-facing documentation is provided in the installation-usage.md document. (#889, @jhrozek)
Bug or Regression
-
The security-profiles-operator namespace is now labeled with the following labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
To account for clusters that are enabling PSA and defaulting to the restricted one.When using another namespace or creating the namespace with other means,
please ensure that the namespace has the above labels. (#944, @jhrozek)
Other (Cleanup or Flake)
- Remove unnecessary configmap RBAC rules. (#942, @saschagrunert)
- Updated cert-manager to v1.8.0. (#886, @saschagrunert)
- Add
SCMP_ACT_NOTIFY
to the list of allowed seccomp actions (#929, @ccojocar)
Dependencies
Added
- github.com/AdaLogics/go-fuzz-headers: 6c3934b
- github.com/ahmetb/gen-crd-api-reference-docs: v0.3.0
- github.com/andybalholm/brotli: v1.0.1
- github.com/cert-manager/cert-manager: v1.8.0
- github.com/dsnet/compress: f669936
- github.com/go-logr/stdr: v1.2.2
- github.com/golang-jwt/jwt/v4: v4.0.0
- github.com/google/gnostic: v0.5.7-v3refs
- github.com/googleapis/google-cloud-go-testing: bcd43fb
- github.com/hashicorp/go-plugin: v1.4.3
- github.com/hashicorp/go-secure-stdlib/mlock: v0.1.1
- github.com/hashicorp/go-secure-stdlib/parseutil: v0.1.1
- github.com/hashicorp/go-secure-stdlib/strutil: v0.1.1
- github.com/hashicorp/yamux: 3520598
- github.com/intel/goresctrl: v0.2.0
- github.com/lithammer/dedent: v1.1.0
- github.com/mholt/archiver/v3: v3.5.1
- github.com/moby/sys/signal: v0.6.0
- github.com/mogensen/kubernetes-split-yaml: v0.3.0
- github.com/networkplumbing/go-nft: v0.2.0
- github.com/nwaples/rardecode: v1.1.0
- github.com/oklog/run: v1.0.0
- github.com/pierrec/lz4/v4: v4.1.2
- github.com/segmentio/asm: v1.1.3
- github.com/segmentio/encoding: v0.3.3
- github.com/xi2/xz: 48954b6
- github.com/xrash/smetrics: 039620a
- go.opentelemetry.io/otel/exporters/otlp/internal/retry: v1.3.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.3.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.3.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.3.0
Changed
- bazil.org/fuse: 371fbbd β 5883e5a
- cloud.google.com/go/firestore: v1.6.1 β v1.1.0
- cloud.google.com/go/storage: v1.10.0 β v1.14.0
- github.com/Azure/azure-sdk-for-go: v56.2.0+incompatible β v56.3.0+incompatible
- github.com/Azure/go-autorest/autorest/adal: v0.9.14 β v0.9.15
- github.com/Azure/go-autorest/autorest: v0.11.19 β v0.11.20
- github.com/BurntSushi/toml: v1.0.0 β v1.1.0
- github.com/Masterminds/squirrel: v1.5.0 β v1.5.2
- github.com/Microsoft/go-winio: v0.5.1 β v0.5.2
- github.com/ProtonMail/go-crypto: 428f8ea β a948124
- github.com/armon/go-metrics: v0.3.10 β v0.3.9
- github.com/carolynvs/magex: v0.7.0 β v0.8.1
- github.com/cenkalti/backoff/v4: v4.1.1 β v4.1.2
- github.com/census-instrumentation/opencensus-proto: v0.3.0 β v0.2.1
- github.com/cncf/xds/go: a8f9461 β cb28da3
- github.com/containerd/cgroups: v1.0.2 β v1.0.3
- github.com/containerd/containerd: v1.5.9 β v1.6.4
- github.com/containerd/go-cni: v1.0.2 β v1.1.5
- github.com/containerd/imgcrypt: v1.1.1 β v1.1.4
- github.com/containerd/stargz-snapshotter/estargz: v0.11.0 β v0.11.4
- github.com/containernetworking/cni: v1.0.1 β v1.1.0
- github.com/containernetworking/plugins: v1.0.1 β v1.1.1
- github.com/containers/common: v0.47.5 β 400832f
- github.com/containers/image/v5: v5.19.1 β v5.21.1
- github.com/containers/libtrust: 14b9617 β 9c3a6c2
- github.com/containers/ocicrypt: v1.1.2 β 566b808
- github.com/containers/storage: v1.38.2 β v1.40.2
- github.com/coreos/etcd: v3.3.15+incompatible β v3.3.13+incompatible
- github.com/crossplane/crossplane-runtime: 85b19c2 β v0.16.0
- github.com/docker/cli: v20.10.7+incompatible β v20.10.11+incompatible
- github.com/docker/distribution: v2.8.0+incompatible β v2.8.1+incompatible
- github.com/docker/docker: v20.10.12+incompatible β v20.10.15+incompatible
- github.com/envoyproxy/go-control-plane: v0.10.1 β 49ff273
- github.com/envoyproxy/protoc-gen-validate: v0.6.2 β v0.1.0
- github.com/gobuffalo/flect: v0.2.3 β v0.2.5
- github.com/godbus/dbus/v5: v5.0.6 β v5.1.0
- github.com/golang/snappy: v0.0.3 β v0.0.4
- github.com/google/cel-go: [v0.9.0 β v0.10.1](https://github.com...