v0.6.0

@saschagrunert saschagrunert released this 21 Nov 13:16
· 1285 commits to main since this release

Release notes

Welcome to our glorious v0.6.0 release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.6.0/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.6.0

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

  • SELinux profiles gained a new attribute .spec.permissive which defaults to false. When set to true, the profile runs in permissive mode, which means that all actions are allowed but logged. This allows for a more iterative approach to profile development. (#1278, @jhrozek)

Feature

  • Log-enricher support for both short and long AppArmor log entries (#1298, @pjbgf)
  • Add a command argument to the daemon which allows disabling the profile recorder controller. (#1290, @ccojocar)
  • Configure the default local seccomp profile according to the runtime (e.g. cri-o expects the profile to be prefixed with localhost). (#1255, @ccojocar)
  • Make the daemon resource requirements configurable. (#1291, @ccojocar)

Documentation

  • A new AppArmor profile example for the CNCF Flux project. (#1302, @pjbgf)

Bug or Regression

  • This PR fixes seccompprofiles deletion when a node is removed. We added a check to see if the node finalizer is for a deleted node; if so, we remove that finalizer so the seccompprofile can be deleted without any issues. (#1236, @Vincent056)
  • Fixes the controller panicking when AppArmor is enabled. (#1063, @pjbgf)

Other (Cleanup or Flake)

  • Switched to registry.k8s.io for the main container image. (#1289, @saschagrunert)
  • Add the file header directly when generating the mock types. (#1295, @ccojocar)
  • Fix the bundle goal in the Makefile for macOS. (#1300, @ccojocar)
  • Fix flaky unit test which checks default operator namespace. (#1296, @ccojocar)
  • Fix integration tests for Flatcar Linux. (#1252, @ccojocar)
  • Prefix the local seccomp profile with localhost for cri-o only for older Kubernetes versions. (#1310, @ccojocar)

Dependencies

Added

  • github.com/evanphx/json-patch/v5: v5.6.0
  • github.com/pavlo-v-chernykh/keystore-go/v4: v4.4.0
  • github.com/youmark/pkcs8: 1326539

Changed

Removed

  • github.com/bgentry/go-netrc: 9fd32a8
  • github.com/crossplane/crossplane-runtime: v0.18.0
  • github.com/googleapis/google-cloud-go-testing: bcd43fb
  • github.com/hashicorp/go-getter: v1.4.0
  • github.com/hashicorp/go-safetemp: v1.0.0
  • github.com/pavel-v-chernykh/keystore-go/v4: v4.2.0