Release notes
Welcome to our glorious v0.8.4 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.4/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.4
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Added a
spoc convertcommand to transform security profile YAML definitions to their raw representation. (#2201, @mhils) spoc mergenow combines AppArmor profiles with glob patterns in the first profile. (#2239, @mhils)spoc mergenow has a--checkflag to ensure that a profile is a superset of other profiles. (#2240, @mhils)spoccan now record Seccomp and AppArmor profiles simultaneously.
The AppArmor recorder is now significantly more robust (#2260, @mhils)
Documentation
- Updated dead documentation link on how to constrain the spod to specific nodes. (#2266, @saschagrunert)
Bug or Regression
- Fix
spoc recordto work with >15 character executable names. Make AppArmor profile generation more robust. (#2241, @mhils) - Fix dynamic clusters encounter finalizer mismatch when nodes are added and removed too quickly. (#2145, @jlowe64)
Dependencies
Added
- github.com/DataDog/go-libddwaf/v2: v2.2.3
- github.com/checkpoint-restore/checkpointctl: v1.1.0
- github.com/checkpoint-restore/go-criu/v7: v7.1.0
- github.com/go-jose/go-jose/v4: v4.0.1
- github.com/go-task/slim-sprig/v3: v3.0.0
- github.com/google/go-configfs-tsm: v0.2.2
- github.com/moby/docker-image-spec: v1.3.1
Changed
- bitbucket.org/creachadair/shell: v0.0.7 → v0.0.8
- chainguard.dev/go-grpc-kit: v0.17.1 → v0.17.2
- cloud.google.com/go/compute: v1.24.0 → v1.25.1
- cloud.google.com/go/iam: v1.1.5 → v1.1.6
- cloud.google.com/go/kms: v1.15.5 → v1.15.8
- cloud.google.com/go/longrunning: v0.5.4 → v0.5.5
- cloud.google.com/go/monitoring: v1.16.1 → v1.17.0
- cloud.google.com/go/pubsub: v1.33.0 → v1.37.0
- cloud.google.com/go/security: v1.15.4 → v1.15.6
- cloud.google.com/go/storage: v1.35.1 → v1.39.1
- cloud.google.com/go/trace: v1.10.2 → v1.10.4
- cloud.google.com/go: v0.112.0 → v0.112.1
- github.com/AdamKorcz/go-fuzz-headers-1: e936619 → 8b5d3ce
- github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.9.1 → v1.10.0
- github.com/Azure/azure-sdk-for-go/sdk/internal: v1.5.1 → v1.5.2
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: v1.0.1 → v1.1.0
- github.com/Azure/azure-sdk-for-go/sdk/storage/azblob: v1.2.0 → v1.2.1
- github.com/AzureAD/microsoft-authentication-library-for-go: v1.2.1 → v1.2.2
- github.com/DATA-DOG/go-sqlmock: v1.5.0 → v1.5.2
- github.com/DataDog/appsec-internal-go: v1.0.0 → v1.4.0
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state: 2549ba9 → v0.48.1
- github.com/DataDog/datadog-go/v5: v5.3.0 → v5.4.0
- github.com/DrJosh9000/zzglob: v0.0.17 → v0.1.0
- github.com/Microsoft/go-winio: v0.6.1 → v0.6.2
- github.com/Microsoft/hcsshim: v0.12.0-rc.3 → v0.12.3
- github.com/aquasecurity/libbpfgo: 1.3 → 1.4
- github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: v1.4.13 → v1.6.1
- github.com/aws/aws-sdk-go-v2/config: v1.26.6 → v1.27.9
- github.com/aws/aws-sdk-go-v2/credentials: v1.16.16 → v1.17.9
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.14.11 → v1.16.0
- github.com/aws/aws-sdk-go-v2/feature/s3/manager: v1.11.76 → v1.16.9
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.2.10 → v1.3.4
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.5.10 → v2.6.4
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.7.3 → v1.8.0
- github.com/aws/aws-sdk-go-v2/internal/v4a: v1.1.4 → v1.3.3
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.10.4 → v1.11.1
- github.com/aws/aws-sdk-go-v2/service/internal/checksum: v1.1.36 → v1.3.5
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.10.10 → v1.11.6
- github.com/aws/aws-sdk-go-v2/service/internal/s3shared: v1.15.4 → v1.17.3
- github.com/aws/aws-sdk-go-v2/service/kms: v1.27.9 → v1.30.0
- github.com/aws/aws-sdk-go-v2/service/s3: v1.40.0 → v1.51.4
- github.com/aws/aws-sdk-go-v2/service/sso: v1.18.7 → v1.20.3
- github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.21.7 → v1.23.3
- github.com/aws/aws-sdk-go-v2/service/sts: v1.26.7 → v1.28.5
- github.com/aws/aws-sdk-go-v2: v1.24.1 → v1.26.0
- github.com/aws/aws-sdk-go: v1.50.0 → v1.51.6
- github.com/aws/smithy-go: v1.19.0 → v1.20.1
- github.com/buildkite/agent/v3: v3.59.0 → v3.62.0
- github.com/cert-manager/cert-manager: v1.14.4 → v1.14.5
- github.com/cilium/ebpf: v0.9.1 → v0.11.0
- github.com/cncf/xds/go: 0fa0005 → 8a4994d
- github.com/containerd/cgroups/v3: v3.0.2 → v3.0.3
- github.com/containerd/containerd: v1.7.13 → v1.7.17
- github.com/containernetworking/plugins: v1.4.0 → v1.5.0
- github.com/containers/common: v0.58.1 → v0.59.0
- github.com/containers/image/v5: v5.30.0 → v5.31.0
- github.com/containers/ocicrypt: v1.1.9 → v1.1.10
- github.com/containers/storage: v1.53.0 → v1.54.0
- github.com/coreos/go-oidc/v3: v3.9.0 → v3.10.0
- github.com/creack/pty: v1.1.20 → v1.1.21
- github.com/cyphar/filepath-securejoin: v0.2.4 → v0.2.5
- github.com/distribution/reference: v0.5.0 → v0.6.0
- github.com/docker/docker: v25.0.5+incompatible → v26.1.3+incompatible
- github.com/ebitengine/purego: v0.5.0-alpha.1 → v0.5.0
- github.com/gliderlabs/ssh: v0.3.5 → v0.3.6
- github.com/go-chi/chi/v5: v5.0.10 → v5.0.11
- github.com/go-logr/logr: v1.4.1 → v1.4.2
- github.com/go-openapi/analysis: v0.22.0 → v0.23.0
- github.com/go-openapi/errors: v0.21.1 → v0.22.0
- github.com/go-openapi/jsonpointer: v0.20.2 → v0.21.0
- github.com/go-openapi/jsonreference: v0.20.4 → v0.21.0
- github.com/go-openapi/loads: v0.21.5 → v0.22.0
- github.com/go-openapi/runtime: v0.27.1 → v0.28.0
- github.com/go-openapi/spec: v0.20.13 → v0.21.0
- github.com/go-openapi/strfmt: v0.22.2 → v0.23.0
- github.com/go-openapi/swag: v0.22.10 → v0.23.0
- github.com/go-openapi/validate: v0.22.4 → v0.24.0
- github.com/go-sql-driver/mysql: v1.7.1 → v1.8.1
- github.com/golang-jwt/jwt/v5: v5.2.0 → v5.2.1
- github.com/gomarkdown/markdown: 3b9f472 → 4d01890
- github.com/google/certificate-transparency-go: v1.1.7 → v1.1.8
- github.com/google/go-tpm-tools: v0.4.2 → v0.4.3
- github.com/google/pprof: ff6d637 → a892ee0
- github.com/google/rpmpack: v0.5.0 → v0.6.0
- github.com/google/trillian: v1.5.3 → v1.6.0
- github.com/google/wire: v0.5.0 → v0.6.0
- github.com/googleapis/gax-go/v2: v2.12.0 → v2.12.3
- github.com/grpc-ecosystem/grpc-gateway/v2: v2.18.1 → v2.19.1
- github.com/hashicorp/vault/api: v1.10.0 → v1.12.2
- github.com/klauspost/compress: v1.17.7 → v1.17.8
- github.com/lestrrat-go/jwx/v2: v2.0.18 → v2.0.19
- github.com/onsi/ginkgo/v2: v2.14.0 → v2.18.0
- github.com/onsi/gomega: v1.30.0 → v1.33.1
- github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.73.0 → v0.74.0
- github.com/prometheus/client_golang: v1.19.0 → v1.19.1
- github.com/prometheus/common: v0.48.0 → v0.51.1
- github.com/redis/go-redis/v9: v9.3.0 → v9.5.1
- github.com/rivo/uniseg: v0.4.4 → v0.4.7
- github.com/sassoftware/relic/v7: v7.6.1 → v7.6.2
- github.com/sigstore/fulcio: v1.4.3 → v1.4.5
- github.com/sigstore/protobuf-specs: v0.2.1 → v0.3.0
- github.com/sigstore/rekor: v1.3.4 → v1.3.6
- github.com/sigstore/sigstore/pkg/signature/kms/aws: v1.8.1 → v1.8.3
- github.com/sigstore/sigstore/pkg/signature/kms/azure: v1.8.1 → v1.8.3
- github.com/sigstore/sigstore/pkg/signature/kms/gcp: v1.8.1 → v1.8.3
- github.com/sigstore/sigstore/pkg/signature/kms/hashivault: v1.8.1 → v1.8.3
- github.com/sigstore/sigstore: v1.8.2 → v1.8.3
- github.com/stefanberger/go-pkcs11uri: 78d3cae → 7828495
- github.com/sylabs/sif/v2: v2.15.1 → v2.16.0
- github.com/ulikunitz/xz: v0.5.11 → v0.5.12
- github.com/vbauerster/mpb/v8: v8.7.2 → v8.7.3
- github.com/veraison/go-cose: v1.2.0 → v1.2.1
- github.com/zalando/go-keyring: v0.2.2 → v0.2.3
- go.etcd.io/bbolt: v1.3.9 → v1.3.10
- go.etcd.io/etcd/api/v3: v3.5.11 → v3.5.12
- go.etcd.io/etcd/client/pkg/v3: v3.5.11 → v3.5.12
- go.etcd.io/etcd/client/v2: v2.305.10 → v2.305.12
- go.etcd.io/etcd/client/v3: v3.5.11 → v3.5.12
- go.etcd.io/etcd/etcdctl/v3: v3.5.10 → v3.5.12
- go.etcd.io/etcd/etcdutl/v3: v3.5.10 → v3.5.12
- go.etcd.io/etcd/pkg/v3: v3.5.10 → v3.5.12
- go.etcd.io/etcd/raft/v3: v3.5.10 → v3.5.12
- go.etcd.io/etcd/server/v3: v3.5.10 → v3.5.12
- go.etcd.io/etcd/tests/v3: v3.5.10 → v3.5.12
- go.etcd.io/etcd/v3: v3.5.10 → v3.5.12
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.47.0 → v0.49.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.47.0 → v0.49.0
- go.opentelemetry.io/contrib/propagators/aws: v1.20.0 → v1.22.0
- go.opentelemetry.io/contrib/propagators/b3: v1.20.0 → v1.22.0
- go.opentelemetry.io/contrib/propagators/jaeger: v1.20.0 → v1.22.0
- go.opentelemetry.io/contrib/propagators/ot: v1.20.0 → v1.22.0
- go.opentelemetry.io/otel/exporters/otlp/internal/retry: v1.16.0 → v1.15.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.21.0 → v1.22.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.21.0 → v1.22.0
- go.opentelemetry.io/otel/metric: v1.22.0 → v1.24.0
- go.opentelemetry.io/otel/sdk: v1.22.0 → v1.24.0
- go.opentelemetry.io/otel/trace: v1.22.0 → v1.24.0
- go.opentelemetry.io/otel: v1.22.0 → v1.24.0
- go.step.sm/crypto: v0.42.1 → v0.44.2
- go.uber.org/zap: v1.26.0 → v1.27.0
- go4.org/unsafe/assume-no-moving-gc: e7c30c7 → b99613f
- gocloud.dev: v0.34.0 → v0.37.0
- golang.org/x/crypto: v0.22.0 → v0.23.0
- golang.org/x/exp: 814bf88 → 9bf2ced
- golang.org/x/net: v0.24.0 → v0.25.0
- golang.org/x/oauth2: v0.17.0 → v0.18.0
- golang.org/x/sys: v0.19.0 → v0.20.0
- golang.org/x/telemetry: b75ee88 → f48c80b
- golang.org/x/term: v0.19.0 → v0.20.0
- golang.org/x/text: v0.14.0 → v0.15.0
- golang.org/x/tools: v0.18.0 → v0.21.0
- google.golang.org/api: v0.162.0 → v0.172.0
- google.golang.org/genproto/googleapis/api: 6ceb2ff → 94a12d6
- google.golang.org/genproto/googleapis/bytestream: 1f4bbc5 → 94a12d6
- google.golang.org/genproto/googleapis/rpc: 6ceb2ff → 94a12d6
- google.golang.org/genproto: 6ceb2ff → c811ad7
- google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.3.0 → v1.4.0
- google.golang.org/grpc: v1.63.0 → v1.64.0
- google.golang.org/protobuf: v1.33.0 → v1.34.1
- gopkg.in/DataDog/dd-trace-go.v1: v1.56.1 → v1.59.0
- k8s.io/api: v0.29.3 → v0.29.5
- k8s.io/apiextensions-apiserver: v0.29.3 → v0.29.5
- k8s.io/apimachinery: v0.29.3 → v0.29.5
- k8s.io/apiserver: v0.29.3 → v0.29.5
- k8s.io/client-go: v0.29.3 → v0.29.5
- k8s.io/code-generator: v0.29.3 → v0.29.5
- k8s.io/component-base: v0.29.3 → v0.29.5
- k8s.io/kms: v0.29.3 → v0.29.5
- sigs.k8s.io/controller-runtime: v0.17.2 → v0.17.3
- sigs.k8s.io/mdtoc: v1.1.0 → v1.3.0
- sigs.k8s.io/release-utils: v0.7.7 → v0.8.1
- tags.cncf.io/container-device-interface: v0.6.2 → v0.7.2