github kubernetes-sigs/security-profiles-operator v0.4.0
on GitHub

latest releases: v0.8.3, v0.8.2, v0.8.1...
2 years ago

Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run: 

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.0/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

  • A v1alpha2 version of the SelinuxProfile object has been introduced. This
    removes the raw CIL from the object itself and instead adds a simple policy
    language to ease the writing and parsing experience.

    Alongside, a RawSelinuxProfile object was also introduced. This contains a wrapped
    and raw representation of the policy. This was intended for folks to be able to take
    their existing policies into use as soon as possible. However, on validations are done here. (#675, @JAORMX)

  • Add CRD type to represent AppArmor profiles. (#643, @pjbgf)

  • Change seccomp profile type Architectures to []Arch from []*Arch (#671, @saschagrunert)

  • Graduate seccomp profile API from v1alpha1 to v1beta1 (#674, @saschagrunert)

Feature

  • Added Metrics for SELinux profiles (#470, @mrogers950)
  • Added arm64 support for retrieving the correct syscall names within the log enricher. (#539, @saschagrunert)
  • Added retry functionality to log enricher if container ID is still empty during pod creation. (#491, @saschagrunert)
  • Added CLI flag -V and environment variable parsing SPO_VERBOSITY to set the logging verbosity. (#657, @saschagrunert)
  • Added metrics-token secret to the operator namespace for metrics client retrieval. (#457, @saschagrunert)
  • Added metrics service endpoint to the operator namespace, which now serves the security_profiles_operator_seccomp_profile metric. (#422, @saschagrunert)
  • Added seccomp_profile_error_total metrics. (#461, @saschagrunert)
  • Added verbosity option to spod configuration. Currently supports 0 (the default) and 1 for enhanced verbosity. (#665, @saschagrunert)
  • Added automatic ServiceMonitor deployment if the CRD is available within the cluster. (#458, @saschagrunert)
  • Added container ID caching to log enricher for performance reasons. (#509, @saschagrunert)
  • Added libseccomp version output to version subcommand output. (#524, @saschagrunert)
  • Added liveness and startup probe to operator daemon set to streamline the operator startup. (#430, @saschagrunert)
  • Added log enricher metrics security_profiles_operator_seccomp_profile_audit_total and security_profiles_operator_selinux_profile_audit_total. (#492, @saschagrunert)
  • Added logging to non-root-enabler (#486, @saschagrunert)
  • Added name=spod label to metrics service. (#456, @saschagrunert)
  • Added new seccomp profile recorder bpf. (#618, @saschagrunert)
  • Added single TLS certificate for serving metrics. See installation-usage.md for more details. (#451, @saschagrunert)
  • Added support for recording profiles by using the log enricher. (#513, @saschagrunert)
  • Added syslog support for log enricher. (#531, @saschagrunert)
  • Added the seccomp profile architecture to the bpf and log recorder. (#670, @saschagrunert)
  • Adding profiling endpoint support via the SPOD configuration enableProfiling (#746, @saschagrunert)
  • Automatically mount /dev/kmsg for log enricher usage if running with CRI-O and an allowed io.kubernetes.cri-o.Devices annotation. (#479, @saschagrunert)
  • Changed DaemonSet update strategy to update all Pods in parallel. (#722, @saschagrunert)
  • Deploying kube-rbac-proxy sidecar in SPOD for exposing metrics via the new metrics-spod and metrics-controller-runtime services. (#424, @saschagrunert)
  • SPO's ProfileRecording CRD ProfileRecording which allows the admin to
    record workloads and create security policies was extended to allow
    recording SELinux profiles as well. In order to record a SELinux profile
    for a workload, set ProfileRecording.Spec.Kind to SelinuxProfile. (#592, @jhrozek)
  • Show libbpf version in version subcommand (#742, @saschagrunert)
  • Switched to unix domain sockets for the GRPC servers. (#631, @saschagrunert)
  • This patch re-adds the no_bpf build tag triggered by the BPF_ENABLED=0 tag
    environment variable if set to 0. A developer can then build SPO without the
    built-in BPF support by running:
    BPF_ENABLED=0 make
    This is useful to build SPO in environments with older dependencies
    that don't allow building the in-tree BPF-based recorder. (#690, @jhrozek)
  • Update example base profiles to their recent runtime versions. (#543, @saschagrunert)
  • Update kube-rbac-proxy to v0.11.0 (#724, @saschagrunert)
  • spod can load and unload AppArmor profiles into clusters host servers.
    spod now runs as root and privileged when apparmor is enabled. (#680, @pjbgf)

Documentation

  • Added documentation about how to record profiles by using the log enricher. (#521, @saschagrunert)
  • Added documentation how to use the automatically deployed ServiceMonitor with OpenShift as example platform. (#460, @saschagrunert)
  • Added log enricher documentation to installation-usage.md. (#498, @saschagrunert)
  • Added metrics documentation to installation-usage.md. (#449, @saschagrunert)
  • Added table of contents to installation documentation. (#493, @saschagrunert)
  • Changed documentation to reference main instead of master as default git branch. (#706, @saschagrunert)
  • Fixed header links containing source code in installation-usage.md (#606, @saschagrunert)

Bug or Regression

  • Do not retry container ID retrieval on container creation failures any more. (#612, @saschagrunert)

Other (Cleanup or Flake)

  • An OpenShift deployment manifest was included in deploy/openshift.yaml (#695, @JAORMX)

  • Bumps golang.org/x/text to fix advisory GO-2021-0113 (#655, @pjbgf)

  • Log enricher now requires running auditd (/var/log/audit/audit.log) (#487, @saschagrunert)

  • Log libseccomp version on operator startup. (#556, @saschagrunert)

  • Removed CPU limits from SPOD and added resource requests/limits to manager and webhook. (#550, @saschagrunert)

  • Selinuxd now uses containers from quay.io/security-profiles-operator (#750, @jhrozek)

  • The directory /etc/selinux.d used to be mounted on the hosts in previous SPO versions.
    This is no longer the case, the directory was converted to an emptyDir instead,
    reducing the number of required host mounts. (#698, @jhrozek)

  • The securityprofilenodestatus CR now links with the security profile its status
    it represents using label spo.x-k8s.io/profile-id. If the profile name is less
    than 64 characters long, then the label value is the profile name, otherwise it's
    kind-sha256hashofthename, trimmed to fit into 64 characters

    This change supports profile names whose names are over 64 characters. (#685, @jhrozek)

  • Update cert-manager to v1.5.3 (#577, @saschagrunert)

Check out latest releases or
releases around kubernetes-sigs/security-profiles-operator v0.4.0

Don't miss a new security-profiles-operator release

NewReleases is sending notifications on new releases.

Get notifications