Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.0/deploy/operator.yaml
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
API Change
-
A v1alpha2 version of the SelinuxProfile object has been introduced. This
removes the raw CIL from the object itself and instead adds a simple policy
language to ease the writing and parsing experience.Alongside, a RawSelinuxProfile object was also introduced. This contains a wrapped
and raw representation of the policy. This was intended for folks to be able to take
their existing policies into use as soon as possible. However, on validations are done here. (#675, @JAORMX) -
Change seccomp profile type
Architectures
to[]Arch
from[]*Arch
(#671, @saschagrunert) -
Graduate seccomp profile API from
v1alpha1
tov1beta1
(#674, @saschagrunert)
Feature
- Added Metrics for SELinux profiles (#470, @mrogers950)
- Added arm64 support for retrieving the correct syscall names within the log enricher. (#539, @saschagrunert)
- Added retry functionality to log enricher if container ID is still empty during pod creation. (#491, @saschagrunert)
- Added CLI flag
-V
and environment variable parsingSPO_VERBOSITY
to set the logging verbosity. (#657, @saschagrunert) - Added
metrics-token
secret to the operator namespace for metrics client retrieval. (#457, @saschagrunert) - Added
metrics
service endpoint to the operator namespace, which now serves thesecurity_profiles_operator_seccomp_profile
metric. (#422, @saschagrunert) - Added
seccomp_profile_error_total
metrics. (#461, @saschagrunert) - Added
verbosity
option to spod configuration. Currently supports0
(the default) and1
for enhanced verbosity. (#665, @saschagrunert) - Added automatic ServiceMonitor deployment if the CRD is available within the cluster. (#458, @saschagrunert)
- Added container ID caching to log enricher for performance reasons. (#509, @saschagrunert)
- Added libseccomp version output to
version
subcommand output. (#524, @saschagrunert) - Added liveness and startup probe to operator daemon set to streamline the operator startup. (#430, @saschagrunert)
- Added log enricher metrics
security_profiles_operator_seccomp_profile_audit_total
andsecurity_profiles_operator_selinux_profile_audit_total
. (#492, @saschagrunert) - Added logging to non-root-enabler (#486, @saschagrunert)
- Added name=spod label to metrics service. (#456, @saschagrunert)
- Added new seccomp profile recorder
bpf
. (#618, @saschagrunert) - Added single TLS certificate for serving metrics. See
installation-usage.md
for more details. (#451, @saschagrunert) - Added support for recording profiles by using the log enricher. (#513, @saschagrunert)
- Added syslog support for log enricher. (#531, @saschagrunert)
- Added the seccomp profile architecture to the
bpf
andlog
recorder. (#670, @saschagrunert) - Adding profiling endpoint support via the SPOD configuration
enableProfiling
(#746, @saschagrunert) - Automatically mount /dev/kmsg for log enricher usage if running with CRI-O and an allowed
io.kubernetes.cri-o.Devices
annotation. (#479, @saschagrunert) - Changed DaemonSet update strategy to update all Pods in parallel. (#722, @saschagrunert)
- Deploying kube-rbac-proxy sidecar in SPOD for exposing metrics via the new
metrics-spod
andmetrics-controller-runtime
services. (#424, @saschagrunert) - SPO's ProfileRecording CRD ProfileRecording which allows the admin to
record workloads and create security policies was extended to allow
recording SELinux profiles as well. In order to record a SELinux profile
for a workload, set ProfileRecording.Spec.Kind to SelinuxProfile. (#592, @jhrozek) - Show libbpf version in
version
subcommand (#742, @saschagrunert) - Switched to unix domain sockets for the GRPC servers. (#631, @saschagrunert)
- This patch re-adds the no_bpf build tag triggered by the BPF_ENABLED=0 tag
environment variable if set to 0. A developer can then build SPO without the
built-in BPF support by running:
BPF_ENABLED=0 make
This is useful to build SPO in environments with older dependencies
that don't allow building the in-tree BPF-based recorder. (#690, @jhrozek) - Update example base profiles to their recent runtime versions. (#543, @saschagrunert)
- Update kube-rbac-proxy to v0.11.0 (#724, @saschagrunert)
spod
can load and unload AppArmor profiles into clusters host servers.
spod
now runs asroot
andprivileged
when apparmor is enabled. (#680, @pjbgf)
Documentation
- Added documentation about how to record profiles by using the log enricher. (#521, @saschagrunert)
- Added documentation how to use the automatically deployed
ServiceMonitor
with OpenShift as example platform. (#460, @saschagrunert) - Added log enricher documentation to installation-usage.md. (#498, @saschagrunert)
- Added metrics documentation to
installation-usage.md
. (#449, @saschagrunert) - Added table of contents to installation documentation. (#493, @saschagrunert)
- Changed documentation to reference
main
instead ofmaster
as default git branch. (#706, @saschagrunert) - Fixed header links containing source code in
installation-usage.md
(#606, @saschagrunert)
Bug or Regression
- Do not retry container ID retrieval on container creation failures any more. (#612, @saschagrunert)
Other (Cleanup or Flake)
-
An OpenShift deployment manifest was included in deploy/openshift.yaml (#695, @JAORMX)
-
Bumps golang.org/x/text to fix advisory GO-2021-0113 (#655, @pjbgf)
-
Log enricher now requires running auditd (
/var/log/audit/audit.log
) (#487, @saschagrunert) -
Log libseccomp version on operator startup. (#556, @saschagrunert)
-
Removed CPU limits from SPOD and added resource requests/limits to manager and webhook. (#550, @saschagrunert)
-
Selinuxd now uses containers from quay.io/security-profiles-operator (#750, @jhrozek)
-
The directory /etc/selinux.d used to be mounted on the hosts in previous SPO versions.
This is no longer the case, the directory was converted to an emptyDir instead,
reducing the number of required host mounts. (#698, @jhrozek) -
The
securityprofilenodestatus
CR now links with the security profile its status
it represents using label spo.x-k8s.io/profile-id. If the profile name is less
than 64 characters long, then the label value is the profile name, otherwise it's
kind-sha256hashofthename, trimmed to fit into 64 charactersThis change supports profile names whose names are over 64 characters. (#685, @jhrozek)
-
Update cert-manager to v1.5.3 (#577, @saschagrunert)