Welcome to the next iteration of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳
Please be aware that the operator now requires cert-manager as a hard requirement. To install cert-manager, simply run:
```shell
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
$ kubectl --namespace cert-manager wait --for condition=ready pod -l app.kubernetes.io/instance=cert-manager
```
To install the operator afterwards, execute:
```shell
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.3.0/deploy/operator.yaml
```
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
API Change
- Adds a new CRD `ProfileBinding` to define a relationship between a Pod and a profile resource. Currently only supports the SeccompProfile kind. (#179, @cmurphy)
- Adds a new attribute `status.seccompProfile.localhostProfile` and column `SECCOMPPROFILE.LOCALHOSTPROFILE` to indicate what should be included in a pod spec. (#166, @cmurphy)
- SelinuxPolicy has been removed and is now SelinuxProfile. (#396, @JAORMX)
- The DaemonSet configuration is now handled by a Custom Resource called `SecurityProfilesOperatorDaemon`. (#336, @JAORMX)
- The SelinuxProfile CRD no longer has the `apply` flag in the `spec`. (#406, @JAORMX)
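The two API changes above fit together: a `ProfileBinding` names a `SeccompProfile`, and the profile's `status.seccompProfile.localhostProfile` is what ends up in the pod's `securityContext`. The following is an added illustration of that relationship, not operator code; the binding's `spec.image` and `spec.profileRef` fields and the `localhostProfile` path value are assumptions made for the example.

```python
"""Resolve a ProfileBinding to the seccomp stanza a bound pod should carry.
Added example; the objects below are constructed, not taken from a cluster."""
from copy import deepcopy

# Constructed SeccompProfile. The operator fills status.seccompProfile.localhostProfile
# once the profile is on the node; the exact path here is an assumed sample value.
SECCOMP_PROFILE = {
    "kind": "SeccompProfile",
    "metadata": {"name": "nginx-restricted", "namespace": "default"},
    "status": {"seccompProfile": {"localhostProfile": "operator/default/nginx-restricted.json"}},
}

# Constructed ProfileBinding; spec.image / spec.profileRef are assumed field names.
PROFILE_BINDING = {
    "kind": "ProfileBinding",
    "metadata": {"name": "nginx-binding", "namespace": "default"},
    "spec": {"profileRef": {"kind": "SeccompProfile", "name": "nginx-restricted"},
             "image": "nginx:1.19.1"},
}

# Constructed pod: one container matches the binding's image, one does not.
SAMPLE_POD = {"spec": {"containers": [{"name": "nginx", "image": "nginx:1.19.1"},
                                      {"name": "side", "image": "busybox:1.33"}]}}


def resolve_localhost_profile(profile):
    """Return the localhostProfile value a pod spec should reference, or None
    when the status subresource has not been populated yet."""
    return profile.get("status", {}).get("seccompProfile", {}).get("localhostProfile")


def bind_pod(pod, binding, profile):
    """Return a copy of pod with a Localhost seccomp profile set on every container
    whose image matches the binding. Only SeccompProfile bindings are supported, as
    the release notes state for this version."""
    if binding["spec"]["profileRef"]["kind"] != "SeccompProfile":
        raise ValueError("only SeccompProfile bindings are supported")
    if binding["spec"]["profileRef"]["name"] != profile["metadata"]["name"]:
        raise ValueError("binding does not reference this profile")
    localhost = resolve_localhost_profile(profile)
    if localhost is None:
        # Binding to a profile that is not yet on the node would break the pod start.
        raise ValueError("profile has no localhostProfile in status yet")
    out = deepcopy(pod)
    for container in out["spec"]["containers"]:
        if container["image"] == binding["spec"]["image"]:
            container.setdefault("securityContext", {})["seccompProfile"] = {
                "type": "Localhost", "localhostProfile": localhost}
    return out
```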
Feature
- Added possibility to record seccomp profiles from replicas (#363, @saschagrunert)
- Added seccomp audit log enrichment feature (#251, @pjbgf)
- Added seccomp profile recording support via the OCI seccomp BPF hook (#247, @saschagrunert)
- Added toleration for the control-plane taint to support the renaming of "master" taints (#196, @pjbgf)
- Added minimum crun base profile (#291, @saschagrunert)
- Added multi-architecture support to the container image (amd64 and arm64 for now) (#296, @saschagrunert)
- Added the ability to delete seccomp profiles from nodes by deleting `SeccompProfile` resources. Added new fields `activeWorkloads` and `status` to the `status` subresource of the `SeccompProfile` kind. (#155, @cmurphy)
- Added UBI-based Dockerfile. (#172, @JAORMX)
- Automatically deploy the default profiles in the correct namespace without having a need for an additional `kubectl apply` command. (#269, @saschagrunert)
- Log enricher now supports SELinux log lines and runs unprivileged. (#339, @pjbgf)
- Removed `docker.io/bash:5` container image dependency for non-root-enabler logic. (#306, @saschagrunert)
- The selinux component can now be enabled or disabled through the ConfigMap named config by toggling a boolean option called EnableSelinux. Since not all Linux distributions support SELinux, its support is disabled by default. (#214, @jhrozek)
- The separate webhook deployment, which enabled the `ProfileBinding` and `ProfileRecording` resources, has now been merged into the main operator deployment manifest. (#387, @cmurphy)
- Updates to the SecurityProfilesOperatorDaemon object are now reflected in the daemonset. (#342, @JAORMX)
- Initial SELinux policy support is implemented. This adds a CRD called `SelinuxPolicy`, which the operator uses to ensure policies are installed on the nodes. (#165, @JAORMX)
- Conditions were added to the SelinuxPolicy object's status. (#174, @JAORMX)
- The main deployment method is now a Deployment object that requires a ConfigMap called "config". (#180, @JAORMX)
Documentation
- Added complain-mode seccomp profile that is safer to run in production workloads (#260, @pjbgf)
- Removed additional `custom-profiles` seccomp path from installation manual. (#414, @saschagrunert)
Failing Test
- The `sigs.k8s.io/security-profiles-operator/api/v1alpha1` package which defined the `SeccompProfile` and `SelinuxPolicy` types was split into two packages, `sigs.k8s.io/security-profiles-operator/api/seccompprofile/v1alpha1` and `sigs.k8s.io/security-profiles-operator/api/selinuxpolicy/v1alpha1`, and must be imported separately. (#178, @cmurphy)
Bug or Regression
- A bug where a profile could have been deleted while still in use by pods was fixed (#383, @jhrozek)
- A new node status controller now runs on the main operator Deployment. To standardize on a common status model, the SelinuxPolicy `state` was renamed to `status`. The controller manager now listens on the same namespaces as the DaemonSet does, and thus requires more RBAC permissions. The SecurityProfilesOperatorDaemon Custom Resource is now Namespaced and not Cluster scoped. (#389, @JAORMX)
- Fixed default nginx seccomp profile to work with crun (tested with v0.17) (#290, @saschagrunert)
- The security-profiles-operator now ships with separate service accounts for the daemon and webhook (#325, @JAORMX)
Other (Cleanup or Flake)
- Added support for seccomp CRD architecture `SCMP_ARCH_NATIVE`. (#272, @saschagrunert)
- Decreased docker build duration by using cache (#243, @naveensrinivasan)
- Removed `targetWorkload` field from seccomp profile CRD (#350, @saschagrunert)
- The namespaced-operator deployment now relies on a ClusterRole and a ClusterRoleBinding instead of the previous Role and RoleBinding objects. It now more closely resembles the cluster-operator deployment. (#295, @JAORMX)
- The workload that handles SELinux policy installation (selinuxd) is no longer a privileged container. (#372, @JAORMX)
- Throw "profile saved to disk" event only if a profile modification happened on the node. (#370, @saschagrunert)
Dependencies
Added
- bazil.org/fuse: 371fbbd
- cloud.google.com/go/logging: v1.1.2
- github.com/Azure/azure-sdk-for-go: v42.3.0+incompatible
- github.com/Azure/go-autorest/autorest/to: v0.3.0
- github.com/Azure/go-autorest/autorest/validation: v0.2.0
- github.com/Azure/go-autorest: v14.2.0+incompatible
- github.com/GoogleCloudPlatform/k8s-cloud-provider: 27a4ced
- github.com/Microsoft/hcsshim/test: 43a75bb
- github.com/Shopify/logrus-bugsnag: 577dee2
- github.com/alexflint/go-filemutex: 72bdc8e
- github.com/bitly/go-simplejson: v0.5.0
- github.com/bmizerany/assert: b7ed37b
- github.com/bshuster-repo/logrus-logstash-hook: v0.4.1
- github.com/buger/jsonparser: f4dd9f5
- github.com/bugsnag/bugsnag-go: b1d1530
- github.com/bugsnag/osext: 0dd3f91
- github.com/bugsnag/panicwrap: e2c2850
- github.com/cenkalti/backoff/v4: v4.1.0
- github.com/containerd/aufs: 20793ff
- github.com/containerd/btrfs: 918d888
- github.com/containerd/go-cni: v1.0.1
- github.com/containerd/imgcrypt: 7ed62a5
- github.com/containerd/nri: dbaa18c
- github.com/containerd/stargz-snapshotter/estargz: 2b97b58
- github.com/containerd/zfs: dde8f0f
- github.com/containernetworking/cni: v0.8.0
- github.com/containernetworking/plugins: v0.8.6
- github.com/coreos/go-iptables: v0.4.5
- github.com/d2g/dhcp4: a1d1b6c
- github.com/d2g/dhcp4client: v1.0.0
- github.com/d2g/dhcp4server: 7d4a0a7
- github.com/d2g/hardwareaddr: e7d9fbe
- github.com/denverdino/aliyungo: a747050
- github.com/dnaeon/go-vcr: v1.0.1
- github.com/docker/cli: a8ff7f8
- github.com/docker/go-events: e31b211
- github.com/form3tech-oss/jwt-go: v3.2.2+incompatible
- github.com/fullsailor/pkcs7: d7302db
- github.com/garyburd/redigo: 535138d
- github.com/go-ini/ini: v1.25.4
- github.com/go-task/slim-sprig: 348f09d
- github.com/gogo/googleapis: v1.4.0
- github.com/golang/snappy: v0.0.3
- github.com/gomarkdown/markdown: 8c8b381
- github.com/google/go-containerregistry: v0.3.0
- github.com/google/go-github/v33: v33.0.0
- github.com/google/go-intervals: v0.0.2
- github.com/gorilla/handlers: 60c7bfd
- github.com/j-keck/arping: 2cf9dc6
- github.com/juju/ansiterm: 720a095
- github.com/lunixbochs/vtclean: 2d01aac
- github.com/magefile/mage: v1.10.0
- github.com/manifoldco/promptui: v0.8.0
- github.com/marstr/guid: v1.1.0
- github.com/miekg/pkcs11: v1.0.3
- github.com/mitchellh/osext: 5e2d6d4
- github.com/mmarkdown/mmark: v2.0.40+incompatible
- github.com/moby/spdystream: v0.2.0
- github.com/moby/sys/symlink: v0.1.0
- github.com/ncw/swift: v1.0.47
- github.com/pelletier/go-buffruneio: v0.2.0
- github.com/rivo/uniseg: v0.2.0
- github.com/rubiojr/go-vhd: 0bfd3b3
- github.com/safchain/ethtool: 42ed695
- github.com/satori/go.uuid: v1.2.0
- github.com/shirou/gopsutil/v3: v3.20.12
- github.com/src-d/gcfg: v1.4.0
- github.com/stefanberger/go-pkcs11uri: 78d3cae
- github.com/stoewer/go-strcase: v1.2.0
- github.com/vbauerster/mpb/v6: v6.0.3
- github.com/vdemeester/k8s-pkg-credentialprovider: f1d1696
- github.com/vmware/govmomi: v0.20.3
- github.com/yvasiyarov/go-metrics: 57bccd1
- github.com/yvasiyarov/gorelic: a9bba5b
- github.com/yvasiyarov/newrelic_platform_go: b21fdbd
- go.uber.org/goleak: v1.1.10
- go.uber.org/tools: 2cfd321
- golang.org/dl: 82a15e2
- golang.org/x/term: 7de9c90
- google.golang.org/cloud: 975617b
- gopkg.in/airbrake/gobrake.v2: v2.0.9
- gopkg.in/gcfg.v1: v1.2.0
- gopkg.in/gemnasium/logrus-airbrake-hook.v2: v2.1.2
- gopkg.in/src-d/go-billy.v4: v4.3.2
- gopkg.in/src-d/go-git-fixtures.v3: v3.5.0
- gopkg.in/src-d/go-git.v4: v4.13.1
- k8s.io/cloud-provider: v0.18.8
- k8s.io/cri-api: v0.20.1
- k8s.io/csi-translation-lib: v0.18.8
- k8s.io/kubernetes: v1.13.0
- k8s.io/legacy-cloud-providers: v0.18.8
- sigs.k8s.io/mdtoc: v1.0.1
Changed
- cloud.google.com/go/storage: v1.11.0 → v1.12.0
- cloud.google.com/go: v0.65.0 → v0.75.0
- github.com/Azure/go-autorest/autorest/adal: v0.8.2 → v0.9.5
- github.com/Azure/go-autorest/autorest/date: v0.2.0 → v0.3.0
- github.com/Azure/go-autorest/autorest/mocks: v0.3.0 → v0.4.1
- github.com/Azure/go-autorest/autorest: v0.9.6 → v0.11.1
- github.com/Azure/go-autorest/logger: v0.1.0 → v0.2.0
- github.com/Azure/go-autorest/tracing: v0.5.0 → v0.6.0
- github.com/GoogleCloudPlatform/testgrid: v0.0.22 → v0.0.38
- github.com/Microsoft/go-winio: fc70bd9 → 6eac466
- github.com/Microsoft/hcsshim: v0.8.9 → v0.8.16
- github.com/StackExchange/wmi: 5d04971 → cbe6696
- github.com/aws/aws-sdk-go: v1.15.78 → v1.31.6
- github.com/checkpoint-restore/go-criu/v4: v4.0.2 → v4.1.0
- github.com/cilium/ebpf: a9f01ed → v0.2.0
- github.com/cncf/udpa/go: 269d4d4 → efcf912
- github.com/containerd/cgroups: bf292b2 → 8a68de5
- github.com/containerd/console: v1.0.0 → v1.0.1
- github.com/containerd/containerd: v1.3.2 → v1.5.0-beta.4
- github.com/containerd/continuity: aaeac12 → 50096c9
- github.com/containerd/fifo: a9fb20d → 115abcc
- github.com/containerd/go-runc: 5a6d9f3 → 16b287b
- github.com/containerd/ttrpc: 0e0f228 → v1.0.2
- github.com/containerd/typeurl: a93fcdb → v1.0.1
- github.com/containers/common: v0.26.3 → v0.37.0
- github.com/containers/image/v5: v5.7.0 → v5.11.1
- github.com/containers/ocicrypt: v1.0.3 → v1.1.0
- github.com/containers/storage: v1.23.7 → v1.30.0
- github.com/coreos/go-systemd/v22: v22.0.0 → v22.1.0
- github.com/creack/pty: v1.1.9 → v1.1.11
- github.com/crossplane/crossplane-runtime: v0.10.0 → v0.13.0
- github.com/docker/docker: a9416c6 → 646072e
- github.com/envoyproxy/go-control-plane: v0.9.4 → v0.9.7
- github.com/go-git/go-git-fixtures/v4: v4.0.1 → f56387b
- github.com/go-git/go-git/v5: v5.1.0 → v5.2.0
- github.com/go-logr/logr: v0.3.0 → v0.4.0
- github.com/go-logr/zapr: v0.1.0 → v0.2.0
- github.com/go-ole/go-ole: v1.2.1 → v1.2.4
- github.com/go-openapi/analysis: v0.19.5 → v0.19.2
- github.com/go-openapi/loads: v0.19.4 → v0.19.2
- github.com/go-openapi/runtime: v0.19.4 → v0.19.0
- github.com/go-openapi/strfmt: v0.19.3 → v0.19.0
- github.com/go-openapi/validate: v0.19.5 → v0.19.2
- github.com/go-sql-driver/mysql: v1.4.0 → v1.5.0
- github.com/gobuffalo/flect: v0.1.5 → v0.2.2
- github.com/gogo/protobuf: v1.3.1 → v1.3.2
- github.com/golang/protobuf: v1.4.2 → v1.4.3
- github.com/google/go-cmp: v0.5.2 → v0.5.5
- github.com/google/martian/v3: v3.0.0 → v3.1.0
- github.com/google/pprof: 1a94d86 → b9804c9
- github.com/google/uuid: v1.1.2 → v1.1.4
- github.com/googleapis/gnostic: v0.4.1 → v0.5.1
- github.com/gorilla/mux: v1.7.4 → v1.8.0
- github.com/hashicorp/go-multierror: v1.1.0 → v1.1.1
- github.com/ianlancetaylor/demangle: 5e5cf60 → 28f6c0f
- github.com/jmespath/go-jmespath: 0b12d6b → v0.3.0
- github.com/kisielk/errcheck: v1.2.0 → v1.5.0
- github.com/klauspost/compress: v1.11.1 → v1.12.1
- github.com/mattn/go-colorable: v0.1.4 → v0.1.8
- github.com/mattn/go-isatty: v0.0.11 → v0.0.12
- github.com/mattn/go-runewidth: v0.0.9 → v0.0.10
- github.com/mattn/go-shellwords: v1.0.10 → v1.0.11
- github.com/maxbrunsfeld/counterfeiter/v6: v6.2.3 → v6.4.1
- github.com/mistifyio/go-zfs: v2.1.1+incompatible → f784269
- github.com/mitchellh/mapstructure: v1.1.2 → v1.4.1
- github.com/moby/sys/mountinfo: v0.4.0 → v0.4.1
- github.com/moby/term: 672ec06 → df9cb8a
- github.com/mrunalp/fileutils: 7d4729f → v0.5.0
- github.com/nxadm/tail: v1.4.4 → v1.4.8
- github.com/onsi/ginkgo: v1.14.2 → v1.16.1
- github.com/onsi/gomega: v1.10.3 → v1.11.0
- github.com/opencontainers/image-spec: 775207b → 79b036d
- github.com/opencontainers/runc: v1.0.0-rc91 → v1.0.0-rc93
- github.com/opencontainers/runtime-spec: 237cc4f → e6143ca
- github.com/opencontainers/selinux: v1.6.0 → v1.8.0
- github.com/prometheus/procfs: v0.1.3 → v0.6.0
- github.com/psampaz/go-mod-outdated: v0.6.0 → v0.7.0
- github.com/saschagrunert/go-modiff: v1.2.0 → v1.2.1
- github.com/sendgrid/rest: v2.6.1+incompatible → v2.6.2+incompatible
- github.com/sendgrid/sendgrid-go: v3.6.3+incompatible → v3.7.2+incompatible
- github.com/sirupsen/logrus: v1.7.0 → v1.8.1
- github.com/spf13/cobra: v1.1.1 → v1.1.3
- github.com/stretchr/testify: v1.6.1 → v1.7.0
- github.com/syndtr/gocapability: d983527 → 42c35b4
- github.com/ulikunitz/xz: v0.5.8 → v0.5.10
- github.com/urfave/cli: v1.22.1 → v1.22.2
- github.com/willf/bitset: d5bec33 → v1.1.11
- github.com/yuin/goldmark: v1.2.1 → v1.3.1
- go.etcd.io/etcd: 3cf2f69 → dd1b699
- go.opencensus.io: v0.22.4 → v0.22.5
- go.uber.org/atomic: v1.4.0 → v1.6.0
- go.uber.org/multierr: v1.1.0 → v1.5.0
- go.uber.org/zap: v1.10.0 → v1.15.0
- golang.org/x/crypto: 75b2880 → 7f63de1
- golang.org/x/lint: 738671d → 83fdc39
- golang.org/x/mod: v0.3.0 → v0.4.0
- golang.org/x/net: a7d1128 → 0fccb6f
- golang.org/x/oauth2: 5d25da1 → 01de73c
- golang.org/x/sync: 6e8e738 → 09787c9
- golang.org/x/sys: fdedc70 → 4fbd30e
- golang.org/x/text: v0.3.3 → v0.3.5
- golang.org/x/time: 555d28b → 3af7569
- golang.org/x/tools: 39188db → v0.1.0
- gomodules.xyz/jsonpatch/v2: v2.0.1 → v2.1.0
- google.golang.org/api: v0.32.0 → v0.36.0
- google.golang.org/appengine: v1.6.6 → v1.6.7
- google.golang.org/genproto: 0bd0a95 → 22ae2b1
- google.golang.org/grpc: v1.31.1 → v1.34.0
- gopkg.in/check.v1: 8fa4692 → 038fdea
- gopkg.in/square/go-jose.v2: v2.3.1 → v2.5.1
- gopkg.in/yaml.v2: v2.3.0 → v2.4.0
- gopkg.in/yaml.v3: 9f266ea → eeeca48
- gotest.tools/v3: v3.0.2 → v3.0.3
- k8s.io/api: v0.19.3 → v0.20.5
- k8s.io/apiextensions-apiserver: v0.18.6 → v0.20.2
- k8s.io/apimachinery: v0.19.3 → v0.21.0
- k8s.io/apiserver: v0.18.6 → v0.20.2
- k8s.io/client-go: v0.19.2 → v0.20.5
- k8s.io/code-generator: v0.19.2 → v0.20.2
- k8s.io/component-base: v0.19.2 → v0.20.2
- k8s.io/gengo: 8167cfd → 83324d8
- k8s.io/klog/v2: v2.4.0 → v2.8.0
- k8s.io/kube-openapi: 6aeccd4 → 591a79e
- k8s.io/release: v0.4.1 → v0.7.0
- k8s.io/utils: 4140de9 → fddb29f
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.7 → v0.0.14
- sigs.k8s.io/controller-runtime: v0.6.3 → v0.8.3
- sigs.k8s.io/controller-tools: v0.2.4 → v0.5.0
- sigs.k8s.io/structured-merge-diff/v4: v4.0.1 → v4.1.0
Removed
- github.com/MakeNowJust/heredoc: bb23615
- github.com/agnivade/levenshtein: v1.0.1
- github.com/andreyvit/diff: c7f18ee
- github.com/chai2010/gettext-go: c6fed77
- github.com/daviddengcn/go-colortext: 511bcaf
- github.com/exponent-io/jsonpath: d6023ce
- github.com/fatih/camelcase: v1.0.0
- github.com/golangplus/bytes: 45c989f
- github.com/golangplus/fmt: 2a5d6d7
- github.com/golangplus/testing: af21d9c
- github.com/liggitt/tabwriter: 89fcab3
- github.com/lithammer/dedent: v1.1.0
- github.com/mitchellh/go-wordwrap: v1.0.0
- github.com/tidwall/pretty: v1.0.0
- github.com/vektah/gqlparser: v1.1.2
- go.mongodb.org/mongo-driver: v1.1.2
- k8s.io/cli-runtime: v0.19.2
- k8s.io/kubectl: v0.19.2
- k8s.io/metrics: v0.19.2
- sigs.k8s.io/kustomize: v2.0.3+incompatible