Release notes

Welcome to our glorious v0.8.1 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.1/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.1

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

• The ProfileRecorder CR gets a new attribute disableProfileAfterRecording that can be used to avoid installing profiles after recording. (#1712, @jhrozek)

Feature

• Added support for platforms (os[/arch][/variant][:os_version]) when using seccomp OCI artifact profiles. (#1658, @saschagrunert)
• Added an env variable to the Make file so we can use it to pass extra build arguments to enable features like FIPS. (#1945, @Vincent056)
• Added disableOciArtifactSignatureVerification option to spod config to be able to disable signature verification for OCI artifact profiles. (#1804, @saschagrunert)

Bug or Regression

• Fixed #1769 (#1770, @CoreyCook8)
  Changed errnoRet value in the seccomp types definition to be the right type of uint.
• Fixed bug on daemon rollout when SPOD config HostProcVolumePath is unset. (#1647, @saschagrunert)
• Fixed SELinux policy constantly being processed. (#1843, @novaesis)
• Fixed spod being stuck in UPDATING state because the webhook thinks it's requiring an update. (#1985, @saschagrunert)
• Fixed an issue when we create a raw SELinux profile that inherits another SELinux profile. (#1904, @Vincent056)
• Fixed an issue when we create a raw SELinux profile, we are not able to recognize the owner of the NodeStatus if a RawSelinuxProfile is being created. (#1889, @Vincent056)
• Fixed missing nodestatus issues on some nodes when we have a crashed pod. (#1928, @Vincent056)
• In conjunction to PR#1904, this pr is also needed in order to fix the SELinux profile inherit issue for OCPBUGS-17164, do not add inherit system container line when we have selinuxprofile inherit. (#1919, @Vincent056)
• Support docker-in-docker for looking up the container ID in the ebpf based recorder (#1648, @slashben)
• Updated kube-rbac-proxy to v0.15.0.
  • Disable kube-rbac-proxy HTTP/2 support (#1940, @yuumasato)
• Fixed file descriptor memory leak (#1879, @CoreyCook8)

Other (Cleanup or Flake)

• Added an e2e test for apparmor profile which covers base functionality such as loading and unloading profiles into the cluster nodes. (#1684, @ccojocar)
• Updated controller-runtime (#1700, @saschagrunert)
• Updated cert-manager (#1709, @saschagrunert)
• Updated libbpf (#1670, @saschagrunert)
• Updated project to require golang 1.21. (#1854, @saschagrunert)
• Updated runc and crun base profiles to their latest release. (#1650, @saschagrunert)