Release notes
Welcome to our glorious v0.8.0 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.0/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.0
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
| zeitgeist | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Added OCI seccomp base profile support if the
baseProfileNameif prefixed withoci://. (#1560, @saschagrunert) - SPO now auto selects the appropriate selinuxd image based on mapping in the security-profiles-operator-profile. If none of the entries match, SPO falls back to the image provided by
RELATED_IMAGE_SELINUXD. (#1600, @jhrozek)
Bug or Regression
- Fixed overriding args and error return values when merging profiles. (#1587, @saschagrunert)
Other (Cleanup or Flake)
- Updated crun v1.8.3 and runc v1.1.5 base profiles. (#1586, @saschagrunert)