Skip to content

v0.8.4

Latest
Compare
Choose a tag to compare
@saschagrunert saschagrunert released this 04 Jun 10:03
· 260 commits to main since this release

Release notes

Welcome to our glorious v0.8.4 release of the security-profiles-operator! The general usage and setup can be found in our documentation. πŸ₯³ πŸ‘―

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.4/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.4

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

  • Added a spoc convert command to transform security profile YAML definitions to their raw representation. (#2201, @mhils)
  • spoc merge now combines AppArmor profiles with glob patterns in the first profile. (#2239, @mhils)
  • spoc merge now has a --check flag to ensure that a profile is a superset of other profiles. (#2240, @mhils)
  • spoc can now record Seccomp and AppArmor profiles simultaneously.
    The AppArmor recorder is now significantly more robust (#2260, @mhils)

Documentation

  • Updated dead documentation link on how to constrain the spod to specific nodes. (#2266, @saschagrunert)

Bug or Regression

  • Fix spoc record to work with >15 character executable names. Make AppArmor profile generation more robust. (#2241, @mhils)
  • Fix dynamic clusters encounter finalizer mismatch when nodes are added and removed too quickly. (#2145, @jlowe64)

Dependencies

Added

  • github.com/DataDog/go-libddwaf/v2: v2.2.3
  • github.com/checkpoint-restore/checkpointctl: v1.1.0
  • github.com/checkpoint-restore/go-criu/v7: v7.1.0
  • github.com/go-jose/go-jose/v4: v4.0.1
  • github.com/go-task/slim-sprig/v3: v3.0.0
  • github.com/google/go-configfs-tsm: v0.2.2
  • github.com/moby/docker-image-spec: v1.3.1

Changed

Removed

  • github.com/DataDog/go-libddwaf: v1.5.0
  • github.com/mattn/go-shellwords: v1.0.12
  • golang.org/dl: 82a15e2