Inspektor Gadget v0.5.0 Release Notes.
This release contains a lot of new gadgets and some important changes to the Inspektor Gadget architecture. Please read the following section before upgrading to it.
The most relevant changes are:
Better categorization of gadgets in the CLI (#500)
We divided the gadgets into the following categories to provide a better user experience:
- advise: Gadgets in this category collect events from the system and use them to recommend system configurations, like seccomp profiles or network policies.
- audit: Audit workloads with regard to security configuration, like seccomp profiles.
- profile: Gadgets that run for a window of time and then generate a report at the end. Examples are block-io latency and CPU usage.
- snapshot: These gadgets generate and print a snapshot of the system status, like a list of sockets or processes.
- top: These gadgets show the current activity sorted from the highest to the lowest usage of the resource being observed, refreshing the output every few seconds. Examples are the list of files with the most reads/writes or the TCP connections generating the most traffic.
- trace: Capture and print events related to different subsystems, like new process creation, access to files, network activity and so on.
Implement the control plane of most gadgets directly in Golang
We reworked many of the gadgets to be directly integrated into Inspektor Gadget instead of executing the BCC binaries and parsing their output. This avoids creating additional processes for each trace and brings additional flexibility, allowing us to introduce changes without being dependent on the upstream version of BCC.
The gadgets that we ported to this approach are:
- trace exec (#438)
- trace open (#488)
- trace mount (#510)
- trace tcpconnect (#518)
- trace bind (#523)
- top tcp (#555)
- top block-io (#551)
Move the gadget pod to its own namespace and use RBAC
In older versions, Inspektor Gadget was deployed in the kube-system namespace and required cluster admin permissions. To make it less intrusive and its security more granular, this new release of Inspektor Gadget uses a separate namespace and RBAC to give it only the permissions it needs. (#429)
Heads up
This change could cause problems if you deploy an Inspektor Gadget >= v0.5.0 without first removing an older version. Be sure to remove the older version before upgrading kubectl-gadget. If you upgraded kubectl-gadget without removing the older version, you can still remove it by running kubectl gadget undeploy.
Detailed list with other relevant changes
New Gadgets
- audit seccomp: Trace syscalls that seccomp sent to the audit log (#383)
- trace signal: Trace signals received by processes (#507)
- trace sni: Trace Server Name Indication requests (#369)
- top file: Trace reads and writes by file (#425)
- trace oomkill: Trace when OOM killer is triggered and kills a process (#484)
- trace fsslower: Trace open, read, write and fsync operations slower than a threshold (#506)
General Improvements
- Implement trace CRD support for capabilities (#524) and tcptracer (#526) gadgets
- Add integration tests for all gadgets (#437)
- Remove tools-mode flag (#548)
- Implement proto filtering for snapshot socket gadget (#439)
- Implement undeploy command (#444)
- Add owner reference to generated seccomp profile (#435)
- Add container information to biotop output (#464)
- Add query type to DNS gadget (#461)
- Speed up CI (#469)
- Add init containers to pod informer (#549)
Bug fixes
- Remove /var/run symlink from container image to mitigate Kubernetes bug (#434)
- Fix opensnoop bug in non-BTF kernel with BTFHub (#475)
- Fix kernel headers download for CentOS (#486)
- Update CRI container status syntax for cri-o (#493)
- Fix localtime volume (#501)