Skip to content

Releases: kubernetes-sigs/security-profiles-operator

v0.6.0

21 Nov 13:16
@saschagrunert saschagrunert
v0.6.0
f96ba83

Choose a tag to compare

View all tags
v0.6.0

Release notes

Welcome to our glorious v0.6.0 release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.6.0/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.6.0

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

  • SELinux profiles gained a new attribute .spec.permissive which defaults to false. When set to true, the profile will run in a permissive mode, that means that all actions would be allowed, but logged. This allows for a more iterative approach for profile development. (#1278, @jhrozek)

Feature

  • Log-enricher support for both short and long AppArmor log entries (#1298, @pjbgf)
  • Add a command argument to the daemon which allows to disable the profile recorder controller. (#1290, @ccojocar)
  • Configure the default local seccomp profile according to the runtime (e.g. cri-o expects the profile to be prefixed with localhost). (#1255, @ccojocar)
  • Make the daemon resource requirements configurable. (#1291, @ccojocar)

Documentation

  • A new AppArmor profile example for the CNCF Flux project. (#1302, @pjbgf)

Bug or Regression

  • This pr fixes seccompprofiles deletion when a node is removed, we added a check to see if the node finalizer is a deleted node, if so, we remove such finalizer so the seccompprofile can be deleted without any issues. (#1236, @Vincent056)
  • Fixes the controller panicking when AppArmor is enabled. (#1063, @pjbgf)

Other (Cleanup or Flake)

  • Switched to registry.k8s.io for the main container image. (#1289, @saschagrunert)
  • Add directly the file header when generating the mock types. (#1295, @ccojocar)
  • Fix bundle goal into the Makefile for macos. (#1300, @ccojocar)
  • Fix flaky unit test which checks default operator namespace. (#1296, @ccojocar)
  • Fix integration tests for Flatcar Linux. (#1252, @ccojocar)
  • Prefix with localhost the local seccomp profile for cri-o only for older Kubernetes versions. (#1310, @ccojocar)

Dependencies

Added

  • github.com/evanphx/json-patch/v5: v5.6.0
  • github.com/pavlo-v-chernykh/keystore-go/v4: v4.4.0
  • github.com/youmark/pkcs8: 1326539

Changed

Removed

  • github.com/bgentry/go-netrc: 9fd32a8
  • github.com/crossplane/crossplane-runtime: v0.18.0
  • github.com/googleapis/google-cloud-go-testing: bcd43fb
  • github.com/hashicorp/go-getter: v1.4.0
  • github.com/hashicorp/go-safetemp: v1.0.0
  • github.com/pavel-v-chernykh/keystore-go/v4: v4.2.0

Contributors

ccojocar, saschagrunert, and 3 other contributors
Loading

v0.5.0

18 Oct 13:52
@saschagrunert saschagrunert
v0.5.0
9d77a69

Choose a tag to compare

View all tags
v0.5.0

Release notes

Welcome to our glorious v0.5.0 release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.5.0/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ COSIGN_EXPERIMENTAL=1 cosign verify k8s.gcr.io/security-profiles-operator/security-profiles-operator:v0.5.0

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Deprecation

  • In order to increase stability and scalability of the profile recording webhooks, the internal state of the webhooks has been removed. The user-visible effect is that container recordings no longer include a trailing number in their name (they used to be named e.g. myrecording-nginx-1, myrecording-nginx-2) but instead the hash that comes from the pod's generated name.
    In addition, the support hook based recording has been deprecated. The only supported modes of profile recording going forward are logs and bpf. (#1112, @jhrozek)

API Change

  • Add support for Seccomp Profiles that make use of the Seccomp Notify feature with the wait_killable semantic (SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV). (#1201, @alban)
  • The profileRecording CR contains a new optional field mergeStrategy, defaulting to none. When this field is set to containers, the recorded profiles will be set as partial, both using a label and the profile status. These profiles are not reconciled until the profileRecording exists, at which point the partial profiles are merged and a union of the partial profiles is created and finally reconciled.
    This allows for easier recording of policies e.g. during longer e2e runs which are recording the policies. (#1179, @jhrozek)
  • The spod CR now has a new attribute objectSelector that allows to configure which objects would SPO's webhooks match on. By default, the selector matches all, but setting the selector to include e.g. only certain labels might be a way to further ensure that possible bugs in the webhooks don't affect the rest of the cluster. (#1232, @jhrozek)

Feature

  • Add an option to deploy statically all webhook resources in order to improve the operator security. (#1053, @ccojocar)
  • Add imagePullSecrets to SPOD configuration. (#1227, @ccojocar)
  • Add v1 to admission review versions and AARCH64 architecture to default profile. (#1238, @ccojocar)
  • Added Affinity to SPOD configuration. (#1217, @ccojocar)
  • Added a basic helm chart. The chart is generated by running "make deployments" (#1013, @stephen-fox)
  • It is now possible to enable the log enricher at install time by setting the ENABLE_LOG_ENRICHER environment value to true. (#1235, @jhrozek)
  • Pod denials labeling feature was removed. (#1088, @JAORMX)
  • SPO changed the way the webhooks are enabled from listening on all namespaces by default to explicitly listening for activity on namespaces labeled with spo.x-k8s.io/enable-binding and spo.x-k8s.io/enable-recording respectively. (#1207, @jhrozek)
  • Updated BPF event processing to run in parallel. (#1110, @saschagrunert)
  • Use security context to set up the default seccomp profile for spod pod and security-profiles-operator container. (#1239, @ccojocar)

Documentation

  • Added documentation about how to install the operator on OpenShift via OperatorHub. (#1145, @saschagrunert)
  • If the log-based recorder is in use and the user attempts to either record a container which already had its SecurityContext set or attempts to record a privileged container (which ignores both seccomp profiles and selinux contexts), the profile recording webhook issues a warning event. (#1156, @jhrozek)
  • Updated the bpf recorder to fail if running on Linux kernels < 5.8. We now also updated the documentation and shipped BTF about that behavior. (#1039, @saschagrunert)

Bug or Regression

  • Automatically add openshift.io/cluster-monitoring=true to the operator namespace to allow the service monitor to work as intended. (#1148, @saschagrunert)
  • Filtering host processes by host mount namespace to prevent ebpf map from filling up during recording. (#1166, @neblen)
  • Fix the finalizer string too long, shorten the length of the node name if the finalizer string combined length is over the size of 63 (#1178, @Vincent056)

Other (Cleanup or Flake)

Dependencies

Added

  • 4d63.com/gochecknoglobals: v0.1.0
  • bitbucket.org/creachadair/shell: v0.0.7
  • cloud.google.com/go/compute: v1.7.0
  • cloud.google.com/go/spanner: v1.7.0
  • contrib.go.opencensus.io/exporter/stackdriver: v0.13.4
  • cuelang.org/go: v0.4.3
  • github.com/Antonboom/errname: v0.1.5
  • github.com/Antonboom/nilnil: v0.1.0
  • github.com/Azure/go-autorest/autorest/azure/auth: v0.5.11
  • github.com/Azure/go-autorest/autorest/azure/cli: v0.4.5
  • github.com/Azure/go-ntlmssp: 6637195
  • github.com/DATA-DOG/go-sqlmock: v1.5.0
  • github.com/Djarvur/go-err113: aea10b5
  • github.com/Masterminds/semver: v1.5.0
  • github.com/Masterminds/sprig: v2.22.0+incompatible
  • github.com/Masterminds/vcs: v1.13.3
  • github.com/OpenPeeDeeP/depguard: v1.0.1
  • github.com/StackExchange/wmi: v1.2.1
  • github.com/ThalesIgnite/crypto11: v1.2.5
  • github.com/agnivade/levenshtein: v1.0.1
  • github.com/alexkohler/prealloc: v1.0.0
  • github.com/aokoli/goutils: v1.0.1
  • github.com/ashanbrown/forbidigo: v1.2.0
  • github.com/ashanbrown/makezero: b626158
  • github.com/aws/aws-sdk-go-v2/config: v1.17.1
  • github.com/aws/aws-sdk-go-v2/credentials: v1.12.14
  • github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.12.12
  • github.com/aws/aws-sdk-go-v2/internal/configsources: v1.1.18
  • github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.4.12
  • github.com/aws/aws-sdk-go-v2/internal/ini: v1.3.19
  • github.com/aws/aws-sdk-go-v2/service/ecr: v1.15.0
  • github.com/aws/aws-sdk-go-v2/service/ecrpublic: v1.12.0
  • github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.9.12
  • github.com/aws/aws-sdk-go-v2/service/sso: v1.11.17
  • github.com/aws/aws-sdk-go-v2/service/sts: v1.16.13
  • github.com/aws/aws-sdk-go-v2: v1.16.11
  • github.com/aws/smithy-go: v1.12.1
  • github.com/awslabs/amazon-ecr-credential-helper/ecr-login: 396b203
  • github.com/bkielbasa/cyclop: v1.2.0
  • github.com/blizzy78/varnamelen: v0.3.0
  • github.com/bombsimon/wsl/v3: v3.3.0
  • github.com/breml/bidichk: v0.1.1
  • github.com/butuzov/ireturn: v0.1.1
  • github.com/charithe/durationcheck: v0.0.9
  • github.com/chavacava/garif: e8a0a40
  • github.com/chrismellard/docker-credential-acr-env: fe33c00
  • github.com/cockroachdb/apd/v2: v2.0.1
  • github.com/coreos/go-etcd: v2.0.0+incompatible
  • github.com/coreos/go-oidc/v3: [v3.2.0](htt...
Read more

Contributors

alban, JAORMX, and 7 other contributors
Loading

v0.4.3

07 Jun 12:11
@saschagrunert saschagrunert
v0.4.3
b199097

Choose a tag to compare

View all tags
v0.4.3

Release notes

Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.3/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

  • Added the ability to tag pods that present denials from either Seccomp or SELinux. This will happen through the 'spo.x-k8s.io/had-denials' label. (#846, @JAORMX)

Feature

  • Added the ability to use SelinuxProfile when creating profilebinding objects. (#854, @Vincent056)
  • The security_profiles_operator_selinux_profile_audit_total metric was actually enabled and uses the appropriate labels scraped from the audit.log file. (#916, @jhrozek)
  • The spod CR gains a new field webhookOptions which allows the webhooks' failurePolicy and namespaceSelector to be configurable. (#883, @jhrozek)
  • Added a syscall allow list in the SPOD configuration (#913, @ccojocar)
  • Make allowed seccomp actions configurable in the SPOD configuration. (#927, @ccojocar)
  • Make the tolerations of the webhook configurable via the SPOD configuration (#892, @ccojocar)

Documentation

  • It is now possible to install SPO from packages provided on operatorhub.io. User-facing documentation is provided in the installation-usage.md document. (#889, @jhrozek)

Bug or Regression

  • The security-profiles-operator namespace is now labeled with the following labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
    To account for clusters that are enabling PSA and defaulting to the restricted one.

    When using another namespace or creating the namespace with other means,
    please ensure that the namespace has the above labels. (#944, @jhrozek)

Other (Cleanup or Flake)

Dependencies

Added

  • github.com/AdaLogics/go-fuzz-headers: 6c3934b
  • github.com/ahmetb/gen-crd-api-reference-docs: v0.3.0
  • github.com/andybalholm/brotli: v1.0.1
  • github.com/cert-manager/cert-manager: v1.8.0
  • github.com/dsnet/compress: f669936
  • github.com/go-logr/stdr: v1.2.2
  • github.com/golang-jwt/jwt/v4: v4.0.0
  • github.com/google/gnostic: v0.5.7-v3refs
  • github.com/googleapis/google-cloud-go-testing: bcd43fb
  • github.com/hashicorp/go-plugin: v1.4.3
  • github.com/hashicorp/go-secure-stdlib/mlock: v0.1.1
  • github.com/hashicorp/go-secure-stdlib/parseutil: v0.1.1
  • github.com/hashicorp/go-secure-stdlib/strutil: v0.1.1
  • github.com/hashicorp/yamux: 3520598
  • github.com/intel/goresctrl: v0.2.0
  • github.com/lithammer/dedent: v1.1.0
  • github.com/mholt/archiver/v3: v3.5.1
  • github.com/moby/sys/signal: v0.6.0
  • github.com/mogensen/kubernetes-split-yaml: v0.3.0
  • github.com/networkplumbing/go-nft: v0.2.0
  • github.com/nwaples/rardecode: v1.1.0
  • github.com/oklog/run: v1.0.0
  • github.com/pierrec/lz4/v4: v4.1.2
  • github.com/segmentio/asm: v1.1.3
  • github.com/segmentio/encoding: v0.3.3
  • github.com/xi2/xz: 48954b6
  • github.com/xrash/smetrics: 039620a
  • go.opentelemetry.io/otel/exporters/otlp/internal/retry: v1.3.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.3.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.3.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.3.0

Changed

Read more

Contributors

JAORMX, ccojocar, and 3 other contributors
Loading

v0.4.2

01 Apr 11:53
@saschagrunert saschagrunert
v0.4.2
a9afc52

Choose a tag to compare

View all tags
v0.4.2

Release notes

Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.2/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

  • Added more verbose output to operator version information. (#859, @saschagrunert)
  • Automatically determine if cert-manager is required or not, for example in OpenShift deployments.
  • Update BTF to remove unnecessary distributions. (#812, @saschagrunert)
  • Updated metrics container to contain a read-only root filesystem. (#869, @saschagrunert)
  • Add a new field selinuxTypeTag in the SPOD CRD which allows to configure the SELinux type in the SPOd deployment (#851, @ccojocar)
  • Extend the ProfileRecording CRD with a containers list which allows to select only specific containers in a pod for which the profile will be recorded (#833, @ccojocar)

Documentation

Other (Cleanup or Flake)

Dependencies

Added

  • github.com/Azure/go-autorest/autorest/to: v0.4.0
  • github.com/Azure/go-autorest/autorest/validation: v0.3.1
  • github.com/MakeNowJust/heredoc: bb23615
  • github.com/Masterminds/goutils: v1.1.1
  • github.com/Masterminds/semver/v3: v3.1.1
  • github.com/Masterminds/sprig/v3: v3.2.2
  • github.com/Masterminds/squirrel: v1.5.0
  • github.com/Nvveen/Gotty: cd52737
  • github.com/Venafi/vcert/v4: v4.14.3
  • github.com/akamai/AkamaiOPEN-edgegrid-golang: v1.1.1
  • github.com/cenkalti/backoff/v3: v3.0.0
  • github.com/chai2010/gettext-go: c6fed77
  • github.com/cloudflare/cloudflare-go: v0.20.0
  • github.com/common-nighthawk/go-figure: 734e95f
  • github.com/cpu/goacmedns: v0.1.1
  • github.com/dave/dst: v0.26.2
  • github.com/dave/gopackages: 46e7023
  • github.com/dave/jennifer: v1.2.0
  • github.com/dave/kerr: bc25dd6
  • github.com/dave/rebecca: v0.9.1
  • github.com/digitalocean/godo: v1.65.0
  • github.com/exponent-io/jsonpath: d6023ce
  • github.com/fatih/camelcase: v1.0.0
  • github.com/go-errors/errors: v1.0.1
  • github.com/gobwas/glob: v0.2.3
  • github.com/google/shlex: e7afc7f
  • github.com/gosuri/uitable: v0.0.4
  • github.com/gotestyourself/gotestyourself: v2.2.0+incompatible
  • github.com/hashicorp/vault/api: v1.1.1
  • github.com/hashicorp/vault/sdk: v0.2.1
  • github.com/huandu/xstrings: v1.3.2
  • github.com/jetstack/cert-manager: v1.7.2
  • github.com/jmoiron/sqlx: v1.3.1
  • github.com/lann/builder: 47ae307
  • github.com/lann/ps: 62de8c4
  • github.com/lib/pq: v1.10.0
  • github.com/liggitt/tabwriter: 89fcab3
  • github.com/mitchellh/copystructure: v1.1.1
  • github.com/mitchellh/go-wordwrap: v1.0.0
  • github.com/mitchellh/reflectwalk: v1.0.1
  • github.com/monochromegane/go-gitignore: 205db1a
  • github.com/munnerz/crd-schema-fuzz: v1.0.0
  • github.com/openshift/api: b632c5f
  • github.com/openshift/build-machinery-go: 7e33a7e
  • github.com/patrickmn/go-cache: v2.1.0+incompatible
  • github.com/pavel-v-chernykh/keystore-go/v4: v4.2.0
  • github.com/pierrec/lz4: v2.5.2+incompatible
  • github.com/rubenv/sql-migrate: 55d5740
  • github.com/ryanuber/go-glob: v1.0.0
  • github.com/shopspring/decimal: v1.2.0
  • github.com/xlab/treeprint: a009c39
  • go.starlark.net: 8dd3e2e
  • golang.org/x/arch: b19384d
  • gopkg.in/gorp.v1: v1.7.2
  • gopkg.in/src-d/go-billy.v4: v4.3.0
  • helm.sh/helm/v3: v3.7.1
  • k8s.io/cli-runtime: v0.23.1
  • k8s.io/kube-aggregator: v0.23.1
  • k8s.io/kubectl: v0.23.1
  • oras.land/oras-go: v0.4.0
  • sigs.k8s.io/gateway-api: v0.3.0
  • sigs.k8s.io/kustomize/api: v0.10.1
  • sigs.k8s.io/kustomize/kyaml: v0.13.0
  • software.sslmate.com/src/go-pkcs12: c5206de

Changed

Read more

Contributors

ccojocar and saschagrunert
Loading

v0.4.1

07 Feb 09:30
@saschagrunert saschagrunert
v0.4.1
19e7ffe

Choose a tag to compare

View all tags
v0.4.1

Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.1/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

  • Added support for Seccomp Profiles that make use of the Seccomp Notify feature. (#801, @alban)
  • Added hostProcVolumePath option to spod to define a custom /proc volume on the host. (#788, @saschagrunert)
  • Support verbosity=1 for log-enricher (#787, @saschagrunert)
  • When deploying on OpenShift, cert-manager is no longer required. (#740, @jhrozek)

Bug or Regression

Other (Cleanup or Flake)

Dependencies

Added

  • github.com/antlr/antlr4/runtime/Go/antlr: b48c857
  • github.com/getkin/kin-openapi: v0.76.0
  • github.com/google/cel-go: v0.9.0
  • github.com/google/cel-spec: v0.6.0
  • sigs.k8s.io/json: c049b76

Changed

  • github.com/ReneKroon/ttlcache/v2: v2.10.0 → v2.11.0
  • github.com/aquasecurity/libbpfgo: f097a01 → 0.6.1
  • github.com/cespare/xxhash/v2: v2.1.1 → v2.1.2
  • github.com/evanphx/json-patch: v4.11.0+incompatible → v4.12.0+incompatible
  • github.com/fsnotify/fsnotify: v1.4.9 → v1.5.1
  • github.com/go-logr/logr: v0.4.0 → v1.2.2
  • github.com/go-logr/zapr: v0.4.0 → v1.2.0
  • github.com/golang/glog: 23def4e → v1.0.0
  • github.com/json-iterator/go: v1.1.11 → v1.1.12
  • github.com/moby/term: 9d4ed18 → 3f7ff69
  • github.com/modern-go/reflect2: v1.0.1 → v1.0.2
  • github.com/onsi/ginkgo: v1.16.4 → v1.16.5
  • github.com/onsi/gomega: v1.16.0 → v1.17.0
  • github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.52.1 → v0.54.0
  • github.com/prometheus/client_golang: v1.11.0 → v1.12.1
  • github.com/prometheus/common: v0.26.0 → v0.32.1
  • github.com/prometheus/procfs: v0.6.0 → v0.7.3
  • github.com/yuin/goldmark: v1.3.5 → v1.4.0
  • go.uber.org/goleak: v1.1.10 → v1.1.12
  • go.uber.org/zap: v1.19.0 → v1.19.1
  • golang.org/x/crypto: 0c34fe9 → 32db794
  • golang.org/x/net: 37e1c6a → 491a49a
  • golang.org/x/oauth2: 2e8d934 → 2bc19b1
  • golang.org/x/sys: 0a5406a → da31bd3
  • golang.org/x/term: 6a3ed07 → 6886f2d
  • golang.org/x/tools: v0.1.5 → d4cc65f
  • google.golang.org/genproto: f16073e → fe13028
  • google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.1.0 → v1.2.0
  • google.golang.org/grpc: v1.42.0 → v1.44.0
  • k8s.io/api: v0.22.4 → v0.23.3
  • k8s.io/apiextensions-apiserver: v0.22.3 → v0.23.0
  • k8s.io/apimachinery: v0.22.4 → v0.23.3
  • k8s.io/apiserver: v0.22.3 → v0.23.0
  • k8s.io/client-go: v0.22.4 → v0.23.3
  • k8s.io/code-generator: v0.22.3 → v0.23.0
  • k8s.io/component-base: v0.22.3 → v0.23.0
  • k8s.io/gengo: b6c5ce2 → 485abfe
  • k8s.io/klog/v2: v2.10.0 → v2.40.1
  • k8s.io/kube-openapi: 2043435 → e816edb
  • k8s.io/utils: bdf08cb → 6203023
  • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.22 → v0.0.25
  • sigs.k8s.io/controller-runtime: v0.10.3 → v0.11.0
  • sigs.k8s.io/controller-tools: v0.7.0 → v0.8.0
  • sigs.k8s.io/release-utils: v0.3.0 → v0.4.0
  • sigs.k8s.io/structured-merge-diff/v4: v4.1.2 → v4.2.1
  • sigs.k8s.io/yaml: v1.2.0 → v1.3.0

Removed

Nothing has changed.

Contributors

alban, saschagrunert, and jhrozek
Loading

v0.4.0

14 Dec 09:56
@saschagrunert saschagrunert
v0.4.0
577c915

Choose a tag to compare

View all tags
v0.4.0

Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.0/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

  • A v1alpha2 version of the SelinuxProfile object has been introduced. This
    removes the raw CIL from the object itself and instead adds a simple policy
    language to ease the writing and parsing experience.

    Alongside, a RawSelinuxProfile object was also introduced. This contains a wrapped
    and raw representation of the policy. This was intended for folks to be able to take
    their existing policies into use as soon as possible. However, on validations are done here. (#675, @JAORMX)

  • Add CRD type to represent AppArmor profiles. (#643, @pjbgf)

  • Change seccomp profile type Architectures to []Arch from []*Arch (#671, @saschagrunert)

  • Graduate seccomp profile API from v1alpha1 to v1beta1 (#674, @saschagrunert)

Feature

  • Added Metrics for SELinux profiles (#470, @mrogers950)
  • Added arm64 support for retrieving the correct syscall names within the log enricher. (#539, @saschagrunert)
  • Added retry functionality to log enricher if container ID is still empty during pod creation. (#491, @saschagrunert)
  • Added CLI flag -V and environment variable parsing SPO_VERBOSITY to set the logging verbosity. (#657, @saschagrunert)
  • Added metrics-token secret to the operator namespace for metrics client retrieval. (#457, @saschagrunert)
  • Added metrics service endpoint to the operator namespace, which now serves the security_profiles_operator_seccomp_profile metric. (#422, @saschagrunert)
  • Added seccomp_profile_error_total metrics. (#461, @saschagrunert)
  • Added verbosity option to spod configuration. Currently supports 0 (the default) and 1 for enhanced verbosity. (#665, @saschagrunert)
  • Added automatic ServiceMonitor deployment if the CRD is available within the cluster. (#458, @saschagrunert)
  • Added container ID caching to log enricher for performance reasons. (#509, @saschagrunert)
  • Added libseccomp version output to version subcommand output. (#524, @saschagrunert)
  • Added liveness and startup probe to operator daemon set to streamline the operator startup. (#430, @saschagrunert)
  • Added log enricher metrics security_profiles_operator_seccomp_profile_audit_total and security_profiles_operator_selinux_profile_audit_total. (#492, @saschagrunert)
  • Added logging to non-root-enabler (#486, @saschagrunert)
  • Added name=spod label to metrics service. (#456, @saschagrunert)
  • Added new seccomp profile recorder bpf. (#618, @saschagrunert)
  • Added single TLS certificate for serving metrics. See installation-usage.md for more details. (#451, @saschagrunert)
  • Added support for recording profiles by using the log enricher. (#513, @saschagrunert)
  • Added syslog support for log enricher. (#531, @saschagrunert)
  • Added the seccomp profile architecture to the bpf and log recorder. (#670, @saschagrunert)
  • Adding profiling endpoint support via the SPOD configuration enableProfiling (#746, @saschagrunert)
  • Automatically mount /dev/kmsg for log enricher usage if running with CRI-O and an allowed io.kubernetes.cri-o.Devices annotation. (#479, @saschagrunert)
  • Changed DaemonSet update strategy to update all Pods in parallel. (#722, @saschagrunert)
  • Deploying kube-rbac-proxy sidecar in SPOD for exposing metrics via the new metrics-spod and metrics-controller-runtime services. (#424, @saschagrunert)
  • SPO's ProfileRecording CRD ProfileRecording which allows the admin to
    record workloads and create security policies was extended to allow
    recording SELinux profiles as well. In order to record a SELinux profile
    for a workload, set ProfileRecording.Spec.Kind to SelinuxProfile. (#592, @jhrozek)
  • Show libbpf version in version subcommand (#742, @saschagrunert)
  • Switched to unix domain sockets for the GRPC servers. (#631, @saschagrunert)
  • This patch re-adds the no_bpf build tag triggered by the BPF_ENABLED=0 tag
    environment variable if set to 0. A developer can then build SPO without the
    built-in BPF support by running:
    BPF_ENABLED=0 make
    This is useful to build SPO in environments with older dependencies
    that don't allow building the in-tree BPF-based recorder. (#690, @jhrozek)
  • Update example base profiles to their recent runtime versions. (#543, @saschagrunert)
  • Update kube-rbac-proxy to v0.11.0 (#724, @saschagrunert)
  • spod can load and unload AppArmor profiles into clusters host servers.
    spod now runs as root and privileged when apparmor is enabled. (#680, @pjbgf)

Documentation

  • Added documentation about how to record profiles by using the log enricher. (#521, @saschagrunert)
  • Added documentation how to use the automatically deployed ServiceMonitor with OpenShift as example platform. (#460, @saschagrunert)
  • Added log enricher documentation to installation-usage.md. (#498, @saschagrunert)
  • Added metrics documentation to installation-usage.md. (#449, @saschagrunert)
  • Added table of contents to installation documentation. (#493, @saschagrunert)
  • Changed documentation to reference main instead of master as default git branch. (#706, @saschagrunert)
  • Fixed header links containing source code in installation-usage.md (#606, @saschagrunert)

Bug or Regression

  • Do not retry container ID retrieval on container creation failures any more. (#612, @saschagrunert)

Other (Cleanup or Flake)

  • An OpenShift deployment manifest was included in deploy/openshift.yaml (#695, @JAORMX)

  • Bumps golang.org/x/text to fix advisory GO-2021-0113 (#655, @pjbgf)

  • Log enricher now requires running auditd (/var/log/audit/audit.log) (#487, @saschagrunert)

  • Log libseccomp version on operator startup. (#556, @saschagrunert)

  • Removed CPU limits from SPOD and added resource requests/limits to manager and webhook. (#550, @saschagrunert)

  • Selinuxd now uses containers from quay.io/security-profiles-operator (#750, @jhrozek)

  • The directory /etc/selinux.d used to be mounted on the hosts in previous SPO versions.
    This is no longer the case, the directory was converted to an emptyDir instead,
    reducing the number of required host mounts. (#698, @jhrozek)

  • The securityprofilenodestatus CR now links with the security profile its status
    it represents using label spo.x-k8s.io/profile-id. If the profile name is less
    than 64 characters long, then the label value is the profile name, otherwise it's
    kind-sha256hashofthename, trimmed to fit into 64 characters

    This change supports profile names whose names are over 64 characters. (#685, @jhrozek)

  • Update cert-manager to v1.5.3 (#577, @saschagrunert)

Contributors

JAORMX, saschagrunert, and 3 other contributors
Loading

v0.3.0

26 Apr 12:22
@saschagrunert saschagrunert
v0.3.0
fafb2b6

Choose a tag to compare

View all tags
v0.3.0

Welcome to the next iteration of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳

Please be aware that the operator now requires cert-manager as hard requirement. To install cert-manager, simply run:

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
$ kubectl --namespace cert-manager wait --for condition=ready pod -l app.kubernetes.io/instance=cert-manager

To install the operator afterwards, execute:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.3.0/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

  • Adds a new CRD ProfileBinding to define a relationship between a Pod and a profile resource. Currently only supports the SeccompProfile kind. (#179, @cmurphy)
  • Adds a new attribute status.seccompProfile\.localhostProfile and column SECCOMPPROFILE.LOCALHOSTPROFILE to indicate what should be included in a pod spec. (#166, @cmurphy)
  • SelinuxPolicy has been removed and is now SelinuxProfile. (#396, @JAORMX)
  • The DaemonSet configuration is now handled by a Custom Resource called
    SecurityProfilesOperatorDaemon. (#336, @JAORMX)
  • The SelinuxProfile CRD no longer has the apply flag in the spec. (#406, @JAORMX)

Feature

  • Added possibility to record seccomp profiles from replicas (#363, @saschagrunert)
  • Added seccomp audit log enrichment feature (#251, @pjbgf)
  • Added seccomp profile recording support via the OCI seccomp BPF hook (#247, @saschagrunert)
  • Added toleration for the control-plane taint to support the renaming of "master" taints (#196, @pjbgf)
  • Added minimum crun base profile (#291, @saschagrunert)
  • Added multi-architecture support to the container image (amd64 and arm64 for now) (#296, @saschagrunert)
  • Added the ability to delete seccomp profiles from nodes by deleting SeccompProfile resources. Added new fields activeWorkloads and status to the status subresource of the SeccompProfile kind. (#155, @cmurphy)
  • Added UBI-based Dockerfile. (#172, @JAORMX)
  • Automatically deploy the default profiles in the correct namespace without having a need for an additional kubectl apply command. (#269, @saschagrunert)
  • Log enricher now supports SELinux log lines and runs unprivileged. (#339, @pjbgf)
  • Removed docker.io/bash:5 container image dependency for non-root-enabler logic. (#306, @saschagrunert)
  • The selinux component can now be enabled or disabled through the CongfiMap named config by toggling a boolean option called EnableSelinux.
    Since not all Linux distributions support SeLinux, its support is disabled by default. (#214, @jhrozek)
  • The separate webhook deployment, which enabled the ProfileBinding and ProfileRecording resources, has now been merged into the main operator deployment manifest. (#387, @cmurphy)
  • Updates to the SecurityProfilesOperatorDaemon object are now reflected in the daemonset. (#342, @JAORMX)
  • Initial SELinux policy support is implemented. This adds a CRD called SelinuxPolicy, which the operator uses to ensure policies are installed on the nodes. (#165, @JAORMX)
  • Conditions were added to the SelinuxPolicy object's status. (#174, @JAORMX)
  • The main deployment method is now a Deployment object that requires a ConfigMap called "config". (#180, @JAORMX)

Documentation

  • Added complain-mode seccomp profile that is safer to run in production workloads (#260, @pjbgf)
  • Removed additional custom-profiles seccomp path from installation manual. (#414, @saschagrunert)

Failing Test

  • The sigs.k8s.io/security-profiles-operator/api/v1alpha1 package which defined the SeccompProfile and SelinuxPolicy types was split into two packages, sigs.k8s.io/security-profiles-operator/api/seccompprofile/v1alpha1 and sigs.k8s.io/security-profiles-operator/api/selinuxpolicy/v1alpha1 and must be imported separately. (#178, @cmurphy)

Bug or Regression

  • A bug where a profile could have been deleted while still in use by pods was fixed (#383, @jhrozek)
  • A new node status controller now runs on the main operator Deployment.
    To standardize on a common status model, the SelinuxPolicy state was renamed to status.
    The controller manager now listens on the same namespaces as the DaemonSet does. And thus requires more RBAC permissions.
    The SecurityProfilesOperatorDaemon Custom Resource is now Namespaced and not Cluster scoped. (#389, @JAORMX)
  • Fixed default nginx seccomp profile to work with crun (tested with v0.17) (#290, @saschagrunert)
  • The security-profiles-operator now ships with separate service accounts for the daemon and webhook (#325, @JAORMX)

Other (Cleanup or Flake)

  • Added support for seccomp CRD architecture SCMP_ARCH_NATIVE. (#272, @saschagrunert)
  • Decreased docker builds duration by using cache (#243, @naveensrinivasan)
  • Removed targetWorkload field from seccomp profile CRD (#350, @saschagrunert)
  • The namespaced-operator deployment now relies on a ClusterRole and a ClusterRoleBinding instead of the previous Role And RoleBinding objects. It now more closely resembles the cluster-operator deployment. (#295, @JAORMX)
  • The workload that handles SELinux policy installation (selinuxd) is no longer a privileged container. (#372, @JAORMX)
  • Throw "profile saved to disk" event only if a profile modification happened on the node. (#370, @saschagrunert)

Dependencies

Added

Read more
Loading

v0.2.0

12 Nov 17:40
@saschagrunert saschagrunert
v0.2.0
75b9a91

Choose a tag to compare

View all tags
v0.2.0

Welcome to the next release of the security-profiles-operator, the former seccomp-operator. We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳

To install the operator, simply run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.2.0/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

  • Added new Custom Resource Definition seccompprofiles.seccomp-operator.k8s-sigs.io as an alternative to an annotated ConfigMap for defining seccomp profiles. (#125, @cmurphy)
  • Seccomp profiles can now no longer be configured using the ConfigMap native resource, and instead may now only be defined using the provided SeccompProfile custom resource. (#138, @cmurphy)

Feature

  • Added a new example SeccompProfile to provide a starting point on which to build custom profiles, and an attribute BaseProfileName to the SeccompProfile kind to allow merging syscalls from two profiles. (#152, @cmurphy)
  • Added profile name to events (#129, @saschagrunert)
  • Added Status field to SeccompProfile CRD to provide the path on disk to the profile. (#144, @cmurphy)

Documentation

Bug or Regression

  • Fixed bug to reconcile all profiles in a configMap if one of them is invalid. (#122, @saschagrunert)
  • Fixed error messages in operator log to be displayed correctly, without any additional "reason" field. (#124, @saschagrunert)

Dependencies

Added

  • cloud.google.com/go/firestore: v1.1.0
  • cloud.google.com/go/pubsub: v1.3.1
  • cloud.google.com/go/storage: v1.11.0
  • dmitri.shuralyov.com/gpu/mtl: 666a987
  • github.com/14rcole/gopopulate: b175b21
  • github.com/MakeNowJust/heredoc: bb23615
  • github.com/Microsoft/go-winio: fc70bd9
  • github.com/Microsoft/hcsshim: v0.8.9
  • github.com/VividCortex/ewma: v1.1.1
  • github.com/acarl005/stripansi: 5a71ef0
  • github.com/armon/circbuf: bbbad09
  • github.com/armon/go-metrics: f0300d1
  • github.com/armon/go-radix: 7fddfc3
  • github.com/bketelsen/crypt: 5cbc8cc
  • github.com/cespare/xxhash/v2: v2.1.1
  • github.com/chai2010/gettext-go: c6fed77
  • github.com/checkpoint-restore/go-criu/v4: v4.0.2
  • github.com/chzyer/logex: v1.1.10
  • github.com/chzyer/readline: 2972be2
  • github.com/chzyer/test: a1ea475
  • github.com/cilium/ebpf: a9f01ed
  • github.com/cncf/udpa/go: 269d4d4
  • github.com/containerd/cgroups: bf292b2
  • github.com/containerd/console: v1.0.0
  • github.com/containerd/containerd: v1.3.2
  • github.com/containerd/continuity: aaeac12
  • github.com/containerd/fifo: a9fb20d
  • github.com/containerd/go-runc: 5a6d9f3
  • github.com/containerd/ttrpc: 0e0f228
  • github.com/containerd/typeurl: a93fcdb
  • github.com/containers/common: v0.26.3
  • github.com/containers/image/v5: v5.7.0
  • github.com/containers/libtrust: 14b9617
  • github.com/containers/ocicrypt: v1.0.3
  • github.com/containers/storage: v1.23.7
  • github.com/coreos/go-systemd/v22: v22.0.0
  • github.com/cyphar/filepath-securejoin: v0.2.2
  • github.com/daviddengcn/go-colortext: 511bcaf
  • github.com/docker/distribution: v2.7.1+incompatible
  • github.com/docker/docker-credential-helpers: v0.6.3
  • github.com/docker/go-connections: v0.4.0
  • github.com/docker/go-metrics: v0.0.1
  • github.com/docker/libtrust: aabc10e
  • github.com/exponent-io/jsonpath: d6023ce
  • github.com/fatih/camelcase: v1.0.0
  • github.com/fvbommel/sortorder: v1.0.1
  • github.com/go-gl/glfw/v3.3/glfw: 6f7a984
  • github.com/go-gl/glfw: e6da0ac
  • github.com/godbus/dbus/v5: v5.0.3
  • github.com/godbus/dbus: ade71ed
  • github.com/golangplus/bytes: 45c989f
  • github.com/golangplus/fmt: 2a5d6d7
  • github.com/golangplus/testing: af21d9c
  • github.com/google/martian/v3: v3.0.0
  • github.com/gorilla/mux: v1.7.4
  • github.com/hashicorp/consul/api: v1.1.0
  • github.com/hashicorp/consul/sdk: v0.1.1
  • github.com/hashicorp/go-immutable-radix: v1.0.0
  • github.com/hashicorp/go-msgpack: v0.5.3
  • github.com/hashicorp/go-rootcerts: v1.0.0
  • github.com/hashicorp/go-sockaddr: v1.0.0
  • github.com/hashicorp/go-syslog: v1.0.0
  • github.com/hashicorp/go-uuid: v1.0.1
  • github.com/hashicorp/go.net: v0.0.1
  • github.com/hashicorp/logutils: v1.0.0
  • github.com/hashicorp/mdns: v1.0.0
  • github.com/hashicorp/memberlist: v0.1.3
  • github.com/hashicorp/serf: v0.8.2
  • github.com/ianlancetaylor/demangle: 5e5cf60
  • github.com/klauspost/pgzip: v1.2.5
  • github.com/liggitt/tabwriter: 89fcab3
  • github.com/lithammer/dedent: v1.1.0
  • github.com/mattn/go-shellwords: v1.0.10
  • github.com/miekg/dns: v1.0.14
  • github.com/mistifyio/go-zfs: v2.1.1+incompatible
  • github.com/mitchellh/cli: v1.0.0
  • github.com/mitchellh/go-wordwrap: v1.0.0
  • github.com/mitchellh/gox: v0.4.0
  • github.com/mitchellh/iochan: v1.0.0
  • github.com/moby/sys/mountinfo: [v0.4.0](https://github.com/moby/sys/mou...
Read more
Loading

v0.1.0

14 Aug 12:47
@saschagrunert saschagrunert
v0.1.0
0db42aa

Choose a tag to compare

View all tags
v0.1.0

Welcome to the first release of the seccomp-operator, we hope you enjoy this release as much as we do! The initial set of features can be found in our documentation. 🥳

To install the operator, simply run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/seccomp-operator/v0.1.0/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #seccomp-operator channel.

Changes by Kind

Feature

  • Added version,v subcommand and CLI parser (--version works too now) (#20, @saschagrunert)
  • Added ability to restrict seccomp-operator to watch config maps in a single namespace (#94, @hasheddan)
  • Added basic seccomp profile validation before syncing them on disk (#72, @saschagrunert)
  • Added default operator profiles to the deployment. For now we added an nginx:1.19.1 profile (#54, @saschagrunert)
  • Added manifest for deploying operator to watch for profile ConfigMaps in a single namespace. (#100, @hasheddan)
  • Added new seccompProfile field to examples/pod.yaml, which can be used for Kubernetes releases > v1.19.0 (#90, @saschagrunert)
  • Added support for seccomp operator in master nodes (#95, @pjbgf)
  • Do not requeue after successfully writing profile to disk and do not immediately requeue on errors. (#101, @hasheddan)
  • Link seccomp-operator statically for easier distribution (#16, @saschagrunert)
  • Make rootless operator deployment the default (#38, @saschagrunert)
  • Nodes not supporting seccomp will not reconcile profiles to disk. Additionally a warning event will be thrown for the config map. (#85, @saschagrunert)
  • Operator now runs under a specific seccomp profile. (#52, @pjbgf)
  • Profile controller will emit warning events on failure to get profile path or save profile to disk (#56, @hasheddan)
  • Seccomp profiles can be created in any namespace now. Profiles end up in different subdirectories per namespace. (#49, @rhafer)
Loading