Release notes

Welcome to our glorious v0.8.2 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.2/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.2

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Failing Test

• Fixed upgrade issue introduced in v0.8.1. (#2023, @yuumasato)

Dependencies

Added

• github.com/DATA-DOG/go-sqlmock: v1.5.0
• github.com/Khan/genqlient: v0.6.0
• github.com/alexflint/go-arg: v1.4.2
• github.com/alexflint/go-scalar: v1.0.0
• github.com/aws/aws-sdk-go-v2/feature/s3/manager: v1.11.76
• github.com/buildkite/go-pipeline: v0.2.0

Changed

• cloud.google.com/go/compute: v1.23.2 → v1.23.3
• cloud.google.com/go/iam: v1.1.4 → v1.1.5
• cloud.google.com/go/kms: v1.15.4 → v1.15.5
• cloud.google.com/go: v0.110.9 → v0.110.10
• github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.8.0 → v1.9.0
• github.com/Azure/azure-sdk-for-go/sdk/internal: v1.4.0 → v1.5.0
• github.com/DataDog/datadog-agent/pkg/obfuscate: v0.48.1 → v0.48.0
• github.com/DataDog/datadog-agent/pkg/remoteconfig/state: v0.48.1 → 2549ba9
• github.com/DataDog/sketches-go: v1.4.3 → v1.4.2
• github.com/andybalholm/brotli: v1.0.6 → v1.0.1
• github.com/aws/aws-sdk-go-v2/config: v1.19.1 → v1.25.11
• github.com/aws/aws-sdk-go-v2/credentials: v1.13.43 → v1.16.9
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.13.13 → v1.14.9
• github.com/aws/aws-sdk-go-v2/internal/configsources: v1.1.43 → v1.2.8
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.4.37 → v2.5.8
• github.com/aws/aws-sdk-go-v2/internal/ini: v1.3.45 → v1.7.1
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.9.14 → v1.10.3
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.9.37 → v1.10.8
• github.com/aws/aws-sdk-go-v2/service/kms: v1.24.7 → v1.27.2
• github.com/aws/aws-sdk-go-v2/service/sso: v1.15.2 → v1.18.2
• github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.17.3 → v1.21.2
• github.com/aws/aws-sdk-go-v2/service/sts: v1.23.2 → v1.26.2
• github.com/aws/aws-sdk-go-v2: v1.21.2 → v1.23.5
• github.com/aws/aws-sdk-go: v1.47.0 → v1.48.11
• github.com/aws/smithy-go: v1.15.0 → v1.18.1
• github.com/buildkite/agent/v3: v3.58.0 → v3.59.0
• github.com/buildkite/bintest/v3: v3.1.1 → v3.2.0
• github.com/cert-manager/cert-manager: v1.13.2 → v1.13.3
• github.com/containers/common: v0.57.0 → v0.57.1
• github.com/ebitengine/purego: v0.5.0 → v0.5.0-alpha.1
• github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
• github.com/gabriel-vasile/mimetype: v1.4.3 → v1.4.2
• github.com/go-openapi/spec: v0.20.9 → v0.20.11
• github.com/go-openapi/strfmt: v0.21.7 → v0.21.8
• github.com/go-openapi/validate: v0.22.1 → v0.22.3
• github.com/go-rod/rod: v0.114.4 → v0.114.5
• github.com/google/go-tpm-tools: v0.4.1 → v0.4.2
• github.com/gorilla/mux: v1.8.0 → v1.8.1
• github.com/hashicorp/go-retryablehttp: v0.7.4 → v0.7.5
• github.com/jellydator/ttlcache/v3: v3.1.0 → v3.1.1
• github.com/montanaflynn/stats: v0.6.6 → 1bf9dbc
• github.com/open-policy-agent/opa: v0.58.0 → v0.59.0
• github.com/pierrec/lz4/v4: v4.1.18 → v4.1.2
• github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.69.1 → v0.70.0
• github.com/sigstore/cosign/v2: v2.2.1 → v2.2.2
• github.com/sigstore/rekor: v1.3.3 → v1.3.4
• github.com/sigstore/sigstore/pkg/signature/kms/aws: v1.7.5 → v1.7.6
• github.com/sigstore/sigstore/pkg/signature/kms/azure: v1.7.5 → v1.7.6
• github.com/sigstore/sigstore/pkg/signature/kms/gcp: v1.7.5 → v1.7.6
• github.com/sigstore/sigstore/pkg/signature/kms/hashivault: v1.7.5 → v1.7.6
• github.com/sigstore/sigstore: v1.7.5 → v1.7.6
• github.com/stretchr/objx: v0.5.1 → v0.5.0
• github.com/theupdateframework/go-tuf: v0.6.1 → v0.7.0
• github.com/tidwall/pretty: v1.2.1 → v1.2.0
• github.com/urfave/cli/v2: v2.25.7 → v2.26.0
• github.com/xanzy/go-gitlab: v0.93.2 → v0.94.0
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.45.0 → v0.46.1
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.21.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.21.0
• go.opentelemetry.io/otel/metric: v1.19.0 → v1.21.0
• go.opentelemetry.io/otel/sdk: v1.19.0 → v1.21.0
• go.opentelemetry.io/otel/trace: v1.19.0 → v1.21.0
• go.opentelemetry.io/otel: v1.19.0 → v1.21.0
• go.step.sm/crypto: v0.36.1 → v0.38.0
• golang.org/x/crypto: v0.16.0 → v0.17.0
• golang.org/x/exp: 7918f67 → 2478ac8
• golang.org/x/oauth2: v0.13.0 → v0.15.0
• golang.org/x/time: v0.3.0 → v0.5.0
• golang.org/x/tools: v0.14.0 → v0.15.0
• google.golang.org/api: v0.149.0 → v0.152.0
• google.golang.org/genproto/googleapis/api: 49dd2c1 → bbf56f3
• google.golang.org/genproto/googleapis/bytestream: d783a09 → 83a465c
• google.golang.org/genproto/googleapis/rpc: 49dd2c1 → 83a465c
• google.golang.org/genproto: 49dd2c1 → bbf56f3
• google.golang.org/grpc: v1.59.0 → v1.60.1
• k8s.io/api: v0.28.4 → v0.29.0
• k8s.io/apiextensions-apiserver: v0.28.3 → v0.28.4
• k8s.io/apimachinery: v0.28.4 → v0.29.0
• k8s.io/apiserver: v0.28.3 → v0.28.4
• k8s.io/cli-runtime: v0.28.4 → v0.29.0
• k8s.io/client-go: v0.28.4 → v0.29.0
• k8s.io/code-generator: v0.28.3 → v0.28.4
• k8s.io/component-base: v0.28.3 → v0.28.4
• k8s.io/kms: v0.28.3 → v0.28.4
• k8s.io/utils: 3b25d92 → b307cd5
• sigs.k8s.io/structured-merge-diff/v4: v4.3.0 → v4.4.1

Removed

• github.com/99designs/gqlgen: v0.17.36
• github.com/DataDog/gostackparse: v0.7.0
• github.com/IBM/sarama: v1.40.0
• github.com/Shopify/sarama: v1.38.1
• github.com/aws/aws-sdk-go-v2/service/dynamodb: v1.21.4
• github.com/aws/aws-sdk-go-v2/service/ec2: v1.93.2
• github.com/aws/aws-sdk-go-v2/service/eventbridge: v1.20.4
• github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery: v1.7.34
• github.com/aws/aws-sdk-go-v2/service/kinesis: v1.18.4
• github.com/aws/aws-sdk-go-v2/service/sfn: v1.19.4
• github.com/aws/aws-sdk-go-v2/service/sns: v1.21.4
• github.com/aws/aws-sdk-go-v2/service/sqs: v1.24.4
• github.com/bradfitz/gomemcache: acc6962
• github.com/bytedance/sonic: v1.10.0
• github.com/chenzhuoyu/base64x: 296ad89
• github.com/chenzhuoyu/iasm: v0.9.0
• github.com/confluentinc/confluent-kafka-go/v2: v2.2.0
• github.com/confluentinc/confluent-kafka-go: v1.9.2
• github.com/decred/dcrd/crypto/blake256: v1.0.1
• github.com/denisenkom/go-mssqldb: v0.11.0
• github.com/dimfeld/httptreemux/v5: v5.5.0
• github.com/dvyukov/go-fuzz: 6a8e9d1
• github.com/eapache/go-resiliency: v1.4.0
• github.com/eapache/go-xerial-snappy: c322873
• github.com/eapache/queue: v1.1.0
• github.com/elastic/elastic-transport-go/v8: v8.1.0
• github.com/elastic/go-elasticsearch/v6: v6.8.5
• github.com/elastic/go-elasticsearch/v7: v7.17.1
• github.com/elastic/go-elasticsearch/v8: v8.4.0
• github.com/emicklei/go-restful: v2.16.0+incompatible
• github.com/garyburd/redigo: v1.6.4
• github.com/gin-contrib/sse: v0.1.0
• github.com/gin-gonic/gin: v1.9.1
• github.com/globalsign/mgo: eeefdec
• github.com/go-pg/pg/v10: v10.11.1
• github.com/go-pg/zerochecker: v0.2.0
• github.com/go-playground/assert/v2: v2.2.0
• github.com/go-redis/redis/v7: v7.4.1
• github.com/go-redis/redis/v8: v8.11.5
• github.com/go-redis/redis: v6.15.9+incompatible
• github.com/go-stack/stack: v1.8.0
• github.com/gobuffalo/attrs: a9411de
• github.com/gobuffalo/depgen: v0.1.0
• github.com/gobuffalo/envy: v1.7.0
• github.com/gobuffalo/genny: v0.1.1
• github.com/gobuffalo/gitgen: cc08618
• github.com/gobuffalo/gogen: v0.1.1
• github.com/gobuffalo/logger: 86e12af
• github.com/gobuffalo/mapi: v1.0.2
• github.com/gobuffalo/packd: v0.1.0
• github.com/gobuffalo/packr/v2: v2.2.0
• github.com/gobuffalo/syncx: 33c2958
• github.com/gocql/gocql: 0eacd31
• github.com/gofiber/fiber/v2: v2.50.0
• github.com/gofrs/uuid: v4.4.0+incompatible
• github.com/golang-sql/civil: b832511
• github.com/golang-sql/sqlexp: v0.1.0
• github.com/gomodule/redigo: v1.8.9
• github.com/googleapis/gnostic: v0.5.5
• github.com/graph-gophers/graphql-go: v1.5.0
• github.com/hailocab/go-hostpool: e80d13c
• github.com/hashicorp/go-uuid: v1.0.3
• github.com/hashicorp/golang-lru/v2: v2.0.3
• github.com/jackc/pgpassfile: v1.0.0
• github.com/jackc/pgservicefile: 091c0ba
• github.com/jackc/pgx/v5: v5.3.1
• github.com/jcmturner/aescts/v2: v2.0.0
• github.com/jcmturner/dnsutils/v2: v2.0.0
• github.com/jcmturner/gofork: v1.7.6
• github.com/jcmturner/gokrb5/v8: v8.4.4
• github.com/jcmturner/rpc/v2: v2.0.3
• github.com/jinzhu/gorm: v1.9.16
• github.com/jinzhu/inflection: v1.0.0
• github.com/jinzhu/now: v1.1.5
• github.com/joho/godotenv: v1.3.0
• github.com/karrick/godirwalk: v1.10.3
• github.com/klauspost/cpuid/v2: v2.2.5
• github.com/konsorten/go-windows-terminal-sequences: v1.0.2
• github.com/labstack/echo/v4: v4.11.1
• github.com/labstack/echo: v3.3.10+incompatible
• github.com/labstack/gommon: v0.4.0
• github.com/markbates/oncer: bf2de49
• github.com/markbates/safe: v1.0.1
• github.com/microsoft/go-mssqldb: v0.21.0
• github.com/richardartoul/molecule: 32cfee0
• github.com/segmentio/kafka-go: v0.4.42
• github.com/spaolacci/murmur3: v1.1.0
• github.com/tidwall/btree: v1.6.0
• github.com/tidwall/buntdb: v1.3.0
• github.com/tidwall/gjson: v1.16.0
• github.com/tidwall/grect: v0.1.4
• github.com/tidwall/match: v1.1.1
• github.com/tidwall/rtred: v0.1.2
• github.com/tidwall/tinyqueue: v0.1.1
• github.com/tmthrgd/go-hex: 447a304
• github.com/twitchtv/twirp: v8.1.3+incompatible
• github.com/twitchyliquid64/golang-asm: v0.15.1
• github.com/ugorji/go/codec: v1.2.11
• github.com/valyala/bytebufferpool: v1.0.0
• github.com/valyala/fasthttp: v1.50.0
• github.com/valyala/fasttemplate: v1.2.2
• github.com/valyala/tcplisten: v1.0.0
• github.com/vmihailenco/bufpool: v0.1.11
• github.com/vmihailenco/msgpack/v5: v5.3.5
• github.com/vmihailenco/tagparser/v2: v2.0.0
• github.com/vmihailenco/tagparser: v0.1.2
• github.com/zenazn/goji: v1.0.1
• golang.org/x/arch: v0.4.0
• gopkg.in/jinzhu/gorm.v1: v1.9.2
• gopkg.in/olivere/elastic.v3: v3.0.75
• gopkg.in/olivere/elastic.v5: v5.0.84
• gorm.io/driver/mysql: v1.0.1
• gorm.io/driver/postgres: v1.4.6
• gorm.io/driver/sqlserver: v1.4.2
• gorm.io/gorm: v1.25.3
• honnef.co/go/gotraceui: v0.2.0
• mellium.im/sasl: v0.3.1