## Release notes
Welcome to our glorious v0.8.3 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯
To install the operator, run:

```
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.3/deploy/operator.yaml
```
You can also verify the container image signature by using cosign:

```
$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.3
```
Beside the operator image, we now also ship `spoc`, the official Security Profiles Operator Command Line Interface! Binaries for `amd64` and `arm64` are attached to this release.

To verify the signature of `spoc`, download all release artifacts and run for `amd64` (works in the same way for `arm64`):

```
$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64
```
To verify the Bill of Materials (BOM) using the `bom` tool, download the artifacts into a `build` directory and run:

```
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+
```

The `.spdx` file is signed as well, and we also provide `.sha512` sum files for the binaries.
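As an added example (not part of this release or of the project's own tooling), a small POSIX shell script that runs the `spoc` verification described above for both architectures, combining the cosign keyless signature check with a `.sha512` checksum check. It assumes all artifacts were downloaded into one directory and that each `.sha512` file is in `sha512sum` format (`<hex>  spoc.<arch>`); `cosign` must be on the PATH for the signature step.

```shell
# Added example: verify spoc release artifacts for amd64 and arm64.
# Assumptions: artifacts live in the directory passed as $1, and each
# spoc.<arch>.sha512 file holds the hex digest as its first field.
set -eu

# Signer identity and OIDC issuer exactly as stated in the release notes.
SPOC_IDENTITY="sgrunert@redhat.com"
SPOC_ISSUER="https://github.com/login/oauth"

# Compare the binary's SHA-512 digest with the shipped .sha512 file.
# Returns 0 when the digests match, 1 otherwise.
check_sha512() {
  dir="$1"; arch="$2"
  expected=$(cut -d' ' -f1 "$dir/spoc.$arch.sha512")
  actual=$(sha512sum "$dir/spoc.$arch" | cut -d' ' -f1)
  [ "$expected" = "$actual" ]
}

# Run the keyless cosign check against the detached certificate and
# signature shipped with the release (network access needed for Rekor).
verify_signature() {
  dir="$1"; arch="$2"
  cosign verify-blob \
    --certificate-identity "$SPOC_IDENTITY" \
    --certificate-oidc-issuer "$SPOC_ISSUER" \
    --certificate "$dir/spoc.$arch.cert" \
    --signature "$dir/spoc.$arch.sig" \
    "$dir/spoc.$arch"
}

# Verify both architectures; set -e aborts on the first failing check.
verify_spoc() {
  dir="$1"
  for arch in amd64 arm64; do
    verify_signature "$dir" "$arch"
    check_sha512 "$dir" "$arch"
    echo "spoc.$arch: signature and sha512 OK"
  done
}
```

Call `verify_spoc build/` after downloading the artifacts; a checksum mismatch or a failed signature check stops the script with a non-zero exit status.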
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
## Changes by Kind

### Feature
- Add a new `--no-start` flag that allows `spoc` to record profiles without driving the process execution. (#2161, @mhils)
- Added a `spoc merge` command to merge multiple security profiles from the command line. (#2136, @mhils)
- Added initial support for merging AppArmor profiles with `spoc merge`. (#2140, @mhils)
- Adds a default seccomp/SELinux profile per namespace to the profile binding feature. Specific image bindings take priority over the default profile, so individual images can receive tailored profiles while a default profile applies to all other pods without having to list image strings. (#1869, @CoreyCook8)
- The `spoc` CLI tool now features `apparmor` and `raw-apparmor` types to generate CRDs and raw AppArmor profiles. (#1917, @0xmilkmix)
### Bug or Regression
- Fixed an issue with the crashing SPOD daemon by allowing the `clock_gettime` syscall. (#2121, @CoreyCook8)
- Fixed reporting of status and the policy usage string for RawSelinuxProfile CRs. (#1496, @jhrozek)
- Make the field disabling profiles after recording optional. (#2033, @yuumasato)
## Dependencies

### Added
- cuelabs.dev/go/oci/ociregistry: 93e78c0
- github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns: v1.2.0
- github.com/Venafi/vcert/v5: v5.3.0
- github.com/containerd/errdefs: v0.1.0
- github.com/moby/sys/user: v0.1.0
- github.com/sosodev/duration: v1.2.0
- golang.org/x/telemetry: b75ee88
### Changed
- cloud.google.com/go/compute: v1.23.3 → v1.24.0
- cloud.google.com/go/firestore: v1.13.0 → v1.14.0
- cloud.google.com/go/longrunning: v0.5.1 → v0.5.4
- cloud.google.com/go/security: v1.15.1 → v1.15.4
- cloud.google.com/go/storage: v1.33.0 → v1.35.1
- cloud.google.com/go: v0.110.10 → v0.112.0
- cuelang.org/go: v0.6.0 → v0.7.0
- filippo.io/edwards25519: v1.0.0 → v1.1.0
- github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.9.0 → v1.9.1
- github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.4.0 → v1.5.1
- github.com/Azure/azure-sdk-for-go/sdk/internal: v1.5.0 → v1.5.1
- github.com/AzureAD/microsoft-authentication-library-for-go: v1.2.0 → v1.2.1
- github.com/Microsoft/hcsshim: v0.12.0-rc.1 → v0.12.0-rc.3
- github.com/alecthomas/kingpin/v2: v2.3.2 → v2.4.0
- github.com/aws/aws-sdk-go-v2/config: v1.25.11 → v1.26.6
- github.com/aws/aws-sdk-go-v2/credentials: v1.16.9 → v1.16.16
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.14.9 → v1.14.11
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.2.8 → v1.2.10
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.5.8 → v2.5.10
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.7.1 → v1.7.3
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.10.3 → v1.10.4
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.10.8 → v1.10.10
- github.com/aws/aws-sdk-go-v2/service/kms: v1.27.2 → v1.27.9
- github.com/aws/aws-sdk-go-v2/service/sso: v1.18.2 → v1.18.7
- github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.21.2 → v1.21.7
- github.com/aws/aws-sdk-go-v2/service/sts: v1.26.2 → v1.26.7
- github.com/aws/aws-sdk-go-v2: v1.23.5 → v1.24.1
- github.com/aws/aws-sdk-go: v1.48.11 → v1.50.0
- github.com/aws/smithy-go: v1.18.1 → v1.19.0
- github.com/beevik/ntp: v1.3.0 → v1.3.1
- github.com/buildkite/go-pipeline: v0.2.0 → v0.3.2
- github.com/cert-manager/cert-manager: v1.13.3 → v1.14.4
- github.com/cilium/ebpf: v0.7.0 → v0.9.1
- github.com/cloudflare/circl: v1.3.5 → v1.3.7
- github.com/cncf/xds/go: 8bd2eac → 0fa0005
- github.com/containerd/containerd: v1.7.9 → v1.7.13
- github.com/containernetworking/plugins: v1.3.0 → v1.4.0
- github.com/containers/common: v0.57.1 → v0.58.1
- github.com/containers/image/v5: v5.29.0 → v5.30.0
- github.com/containers/storage: v1.51.0 → v1.53.0
- github.com/coreos/go-oidc/v3: v3.7.0 → v3.9.0
- github.com/cyberphone/json-canonicalization: 785e297 → ba74d44
- github.com/danieljoos/wincred: v1.2.0 → v1.2.1
- github.com/digitalocean/godo: v1.102.1 → v1.107.0
- github.com/digitorus/timestamp: 6877345 → 220c5c2
- github.com/docker/docker-credential-helpers: v0.8.0 → v0.8.1
- github.com/docker/docker: v24.0.7+incompatible → v25.0.5+incompatible
- github.com/docker/go-connections: v0.4.0 → v0.5.0
- github.com/envoyproxy/go-control-plane: v0.11.1 → v0.12.0
- github.com/envoyproxy/protoc-gen-validate: v1.0.2 → v1.0.4
- github.com/evanphx/json-patch/v5: v5.6.0 → v5.8.0
- github.com/evanphx/json-patch: v5.6.0+incompatible → v5.7.0+incompatible
- github.com/fatih/color: v1.15.0 → v1.16.0
- github.com/frankban/quicktest: v1.14.4 → v1.14.6
- github.com/go-asn1-ber/asn1-ber: v1.5.4 → v1.5.5
- github.com/go-jose/go-jose/v3: v3.0.1 → v3.0.3
- github.com/go-ldap/ldap/v3: v3.4.5 → v3.4.6
- github.com/go-logr/logr: v1.3.0 → v1.4.1
- github.com/go-logr/zapr: v1.2.4 → v1.3.0
- github.com/go-openapi/analysis: v0.21.4 → v0.22.0
- github.com/go-openapi/errors: v0.20.4 → v0.21.1
- github.com/go-openapi/jsonpointer: v0.20.0 → v0.20.2
- github.com/go-openapi/jsonreference: v0.20.2 → v0.20.4
- github.com/go-openapi/loads: v0.21.2 → v0.21.5
- github.com/go-openapi/runtime: v0.26.0 → v0.27.1
- github.com/go-openapi/spec: v0.20.11 → v0.20.13
- github.com/go-openapi/strfmt: v0.21.8 → v0.22.2
- github.com/go-openapi/swag: v0.22.4 → v0.22.10
- github.com/go-openapi/validate: v0.22.3 → v0.22.4
- github.com/go-playground/validator/v10: v10.15.5 → v10.16.0
- github.com/go-quicktest/qt: v1.100.0 → v1.101.0
- github.com/go-rod/rod: v0.114.5 → v0.114.7
- github.com/golang-jwt/jwt/v5: v5.0.0 → v5.2.0
- github.com/golang/glog: v1.1.2 → v1.2.0
- github.com/golang/protobuf: v1.5.3 → v1.5.4
- github.com/google/cel-go: v0.16.1 → v0.17.7
- github.com/google/go-containerregistry: v0.17.0 → v0.19.1
- github.com/google/uuid: v1.4.0 → v1.6.0
- github.com/googleapis/google-cloud-go-testing: bcd43fb → 1c9a4c6
- github.com/grpc-ecosystem/grpc-gateway/v2: v2.18.0 → v2.18.1
- github.com/hashicorp/go-secure-stdlib/parseutil: v0.1.7 → v0.1.8
- github.com/hashicorp/go-sockaddr: v1.0.5 → v1.0.6
- github.com/hashicorp/vault/sdk: v0.10.0 → v0.10.2
- github.com/jellydator/ttlcache/v3: v3.1.1 → v3.2.0
- github.com/klauspost/compress: v1.17.3 → v1.17.7
- github.com/lestrrat-go/jwx/v2: v2.0.16 → v2.0.18
- github.com/mattn/go-sqlite3: v1.14.18 → v1.14.22
- github.com/maxbrunsfeld/counterfeiter/v6: v6.7.0 → v6.8.1
- github.com/miekg/dns: v1.1.55 → v1.1.57
- github.com/nats-io/nats.go: v1.30.2 → v1.31.0
- github.com/nats-io/nkeys: v0.4.5 → v0.4.6
- github.com/onsi/ginkgo/v2: v2.13.1 → v2.14.0
- github.com/open-policy-agent/opa: v0.59.0 → v0.61.0
- github.com/opencontainers/image-spec: v1.1.0-rc5 → v1.1.0
- github.com/opencontainers/runc: v1.1.10 → v1.1.12
- github.com/opencontainers/runtime-spec: v1.1.0 → v1.2.0
- github.com/pkg/browser: 681adbf → 5ac0b6a
- github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.70.0 → v0.73.0
- github.com/prometheus/client_golang: v1.17.0 → v1.19.0
- github.com/prometheus/client_model: v0.5.0 → v0.6.1
- github.com/prometheus/common: v0.45.0 → v0.48.0
- github.com/rogpeppe/go-internal: v1.11.0 → v1.12.0
- github.com/sagikazarmark/crypt: v0.15.0 → v0.17.0
- github.com/sagikazarmark/locafero: v0.3.0 → v0.4.0
- github.com/secure-systems-lab/go-securesystemslib: v0.7.0 → v0.8.0
- github.com/sigstore/cosign/v2: v2.2.2 → v2.2.3
- github.com/sigstore/sigstore/pkg/signature/kms/aws: v1.7.6 → v1.8.1
- github.com/sigstore/sigstore/pkg/signature/kms/azure: v1.7.6 → v1.8.1
- github.com/sigstore/sigstore/pkg/signature/kms/gcp: v1.7.6 → v1.8.1
- github.com/sigstore/sigstore/pkg/signature/kms/hashivault: v1.7.6 → v1.8.1
- github.com/sigstore/sigstore: v1.7.6 → v1.8.2
- github.com/sigstore/timestamp-authority: v1.2.0 → v1.2.1
- github.com/smallstep/go-attestation: cf579e5 → 413678f
- github.com/spf13/afero: v1.10.0 → v1.11.0
- github.com/spf13/cast: v1.5.1 → v1.6.0
- github.com/spf13/viper: v1.17.0 → v1.18.2
- github.com/spiffe/go-spiffe/v2: v2.1.6 → v2.1.7
- github.com/stoewer/go-strcase: v1.2.0 → v1.3.0
- github.com/stretchr/objx: v0.5.0 → v0.5.2
- github.com/stretchr/testify: v1.8.4 → v1.9.0
- github.com/sylabs/sif/v2: v2.15.0 → v2.15.1
- github.com/urfave/cli/v2: v2.26.0 → v2.27.1
- github.com/vbauerster/mpb/v8: v8.6.2 → v8.7.2
- github.com/xanzy/go-gitlab: v0.94.0 → v0.96.0
- go.etcd.io/bbolt: v1.3.8 → v1.3.9
- go.etcd.io/etcd/api/v3: v3.5.10 → v3.5.11
- go.etcd.io/etcd/client/pkg/v3: v3.5.10 → v3.5.11
- go.etcd.io/etcd/client/v3: v3.5.10 → v3.5.11
- go.mongodb.org/mongo-driver: v1.12.1 → v1.14.0
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.46.0 → v0.47.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.46.1 → v0.47.0
- go.opentelemetry.io/otel/metric: v1.21.0 → v1.22.0
- go.opentelemetry.io/otel/sdk: v1.21.0 → v1.22.0
- go.opentelemetry.io/otel/trace: v1.21.0 → v1.22.0
- go.opentelemetry.io/otel: v1.21.0 → v1.22.0
- go.step.sm/crypto: v0.38.0 → v0.42.1
- golang.org/x/crypto: v0.17.0 → v0.22.0
- golang.org/x/exp: 2478ac8 → 814bf88
- golang.org/x/lint: 83fdc39 → d0100b6
- golang.org/x/mod: v0.14.0 → v0.17.0
- golang.org/x/net: v0.19.0 → v0.24.0
- golang.org/x/oauth2: v0.15.0 → v0.17.0
- golang.org/x/sync: v0.5.0 → v0.7.0
- golang.org/x/sys: v0.15.0 → v0.19.0
- golang.org/x/term: v0.15.0 → v0.19.0
- golang.org/x/tools: v0.15.0 → v0.18.0
- google.golang.org/api: v0.152.0 → v0.162.0
- google.golang.org/genproto/googleapis/api: bbf56f3 → 6ceb2ff
- google.golang.org/genproto/googleapis/bytestream: 83a465c → 1f4bbc5
- google.golang.org/genproto/googleapis/rpc: 83a465c → 6ceb2ff
- google.golang.org/genproto: bbf56f3 → 6ceb2ff
- google.golang.org/grpc: v1.60.1 → v1.63.0
- google.golang.org/protobuf: v1.31.0 → v1.33.0
- gopkg.in/go-jose/go-jose.v2: v2.6.1 → v2.6.3
- honnef.co/go/tools: v0.0.1-2020.1.4 → ea95bdf
- k8s.io/api: v0.29.0 → v0.29.3
- k8s.io/apiextensions-apiserver: v0.28.4 → v0.29.3
- k8s.io/apimachinery: v0.29.0 → v0.29.3
- k8s.io/apiserver: v0.28.4 → v0.29.3
- k8s.io/cli-runtime: v0.29.0 → v0.29.3
- k8s.io/client-go: v0.29.0 → v0.29.3
- k8s.io/code-generator: v0.28.4 → v0.29.3
- k8s.io/component-base: v0.28.4 → v0.29.3
- k8s.io/klog/v2: v2.110.1 → v2.120.1
- k8s.io/kms: v0.28.4 → v0.29.3
- k8s.io/kube-aggregator: v0.28.1 → v0.29.0
- k8s.io/kube-openapi: 2dd684a → eec4567
- k8s.io/utils: b307cd5 → 4693a02
- oras.land/oras-go/v2: v2.3.1 → v2.4.0
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.1.2 → v0.29.0
- sigs.k8s.io/controller-runtime: v0.16.3 → v0.17.2
- sigs.k8s.io/controller-tools: v0.13.0 → v0.14.0
- sigs.k8s.io/gateway-api: v0.8.0 → v1.0.0
- software.sslmate.com/src/go-pkcs12: v0.2.1 → v0.4.0
### Removed
- cloud.google.com/go/bigquery: v1.8.0
- cloud.google.com/go/datastore: v1.1.0
- dmitri.shuralyov.com/gpu/mtl: 666a987
- github.com/Azure/go-autorest/autorest/to: v0.4.0
- github.com/Azure/go-autorest/autorest/validation: v0.3.1
- github.com/BurntSushi/xgb: 27f1227
- github.com/Venafi/vcert/v4: 69f417a
- github.com/go-gl/glfw/v3.3/glfw: 6f7a984
- github.com/go-gl/glfw: e6da0ac
- github.com/google/martian/v3: v3.1.0
- github.com/google/martian: v2.1.0+incompatible
- github.com/google/renameio: v0.1.0
- github.com/jstemmer/go-junit-report: v0.9.1
- github.com/minio/highwayhash: v1.0.2
- github.com/nats-io/jwt/v2: v2.4.1
- github.com/tidwall/pretty: v1.2.0
- golang.org/x/image: cff245a
- golang.org/x/mobile: d2bd2a2
- gopkg.in/errgo.v2: v2.1.0
- rsc.io/binaryregexp: v0.2.0
- rsc.io/quote/v3: v3.1.0
- rsc.io/sampler: v1.3.0