github kubernetes-sigs/security-profiles-operator v0.9.0


Welcome to our glorious v0.9.0 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.9.0/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.9.0

Besides the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc, download all release artifacts and run the following for amd64 (it works the same way for arm64):

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
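The three checks above (sha512 sum, keyless signature, SBOM) are easy to run once by hand and easy to skip on the next download. The script below is an added example (not part of this release or the project's tooling) that chains them for both architectures and fails closed on the first mismatch. It assumes cosign and bom are on PATH, that the artifacts were downloaded into one directory, and that each .sha512 file carries the hex digest as its first field (sha512sum style); that file layout is an assumption, not something the release notes specify.

```shell
#!/bin/sh
# Added example: verify the spoc release artifacts in one pass.
# Assumptions (not stated in the release notes): cosign and bom are on PATH,
# and spoc.<arch>.sha512 holds the hex digest as its first field.
set -eu

# Keyless signing identity quoted in the release notes for the spoc binaries.
SPOC_IDENTITY="sgrunert@redhat.com"
SPOC_ISSUER="https://github.com/login/oauth"

# hex_sha512 FILE -> prints the lowercase SHA-512 hex digest of FILE
hex_sha512() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# check_sha512 FILE SUMFILE -> returns 0 only if the digest recorded in
# SUMFILE (first field, "hash  filename" or bare hash) matches FILE
check_sha512() {
  expected=$(cut -d' ' -f1 < "$2" | tr -d '\r\n' | tr 'A-F' 'a-f')
  actual=$(hex_sha512 "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_spoc ARCH DIR -> digest check, then keyless signature check
verify_spoc() {
  arch=$1
  dir=$2
  bin="$dir/spoc.$arch"
  check_sha512 "$bin" "$bin.sha512" \
    || { echo "sha512 mismatch: $bin" >&2; return 1; }
  cosign verify-blob \
    --certificate-identity "$SPOC_IDENTITY" \
    --certificate-oidc-issuer "$SPOC_ISSUER" \
    --certificate "$bin.cert" \
    --signature "$bin.sig" \
    "$bin" >/dev/null \
    || { echo "signature check failed: $bin" >&2; return 1; }
  echo "verified $bin"
}

# verify_all DIR -> both architectures, then the SBOM against the directory
verify_all() {
  dir=$1
  for arch in amd64 arm64; do
    verify_spoc "$arch" "$dir"
  done
  bom validate -e "$dir/spoc.spdx" -d "$dir"
}

# Usage: sh verify-spoc.sh /path/to/downloaded/release/artifacts
if [ "${1:-}" != "" ]; then
  verify_all "$1"
fi
```

Note that the sha512 check only protects against a corrupted or truncated download; the cosign verify-blob step is what binds the binary to the identity and OIDC issuer named above, so a passing digest with a failing signature should be treated as a failed verification, which is why the script returns non-zero on either.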

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

  • Add spoc install and spoc uninstall commands to quickly install profiles on the local machine for testing. (#2711, @mhils)
  • Add more metrics for AppArmor profile. (#2686, @ccojocar)
  • Add the complainMode flag to the ApparmorProfile CRD, which allows switching the AppArmor profile into complain mode. (#2598, @ccojocar)
  • Add the eBPF based AppArmor profile recorder into the API. (#2296, @ccojocar)
  • AppArmor profiles can now have either an abstract or a concrete policy. (#2469, @mhils)
  • BPF recorder: Detect mkdir syscalls for profile creation (#2663, @mhils)
  • BPF recorder: Detect mknod syscalls for profile creation (#2668, @mhils)
  • BPF recorder: Detect unlink syscalls for profile creation (#2667, @mhils)
  • Change the scope of security profiles CRDs to be cluster wide. (#2735, @ccojocar)
  • Harden the bpf-recorder container with a custom seccomp profile. (#2626, @ccojocar)
  • Harden the security-profiles-operator and bpf-recorder containers with custom apparmor profiles when apparmor is enabled. (#2646, @ccojocar)
  • Make selinuxd images configurable in Helm chart (#2299, @mikroskeem)
  • Make the AppArmor recorder support readdir (#2555, @mhils)
  • Removed kube-rbac-proxy dependency in favor of the native controller-runtime feature. (#2595, @saschagrunert)
  • Spoc now correctly tracks child processes that clone(). (#2644, @mhils)
  • The AppArmor recorder is now better at detecting randomness in file paths and replacing it with placeholders. (#2702, @mhils)
  • The BPF profile recorder now excludes unnecessary permissions exercised during container init. (#2623, @mhils)
  • spoc record now drops privileges when spawning the process it observes. (#2412, @mhils)

Documentation

  • Added information that SELinux can be enabled/disabled in installation-usage.md. (#2298, @saschagrunert)
  • Fixed enableAppArmor boolean in installation-usage.md. (#2322, @saschagrunert)
  • Fixed enableAppArmor variable in installation-usage.md. (#2297, @saschagrunert)
  • Restructure and update the documentation, extend sections for apparmor and selinux recording and installation. (#2605, @ccojocar)

Bug or Regression

  • AppArmor profiles recorded by spoc now include the abstract profile only, which ensures that the raw profile does not diverge. (#2428, @mhils)
  • Cleanup unnecessary files from a recorded apparmor profile. (#2587, @ccojocar)
  • Fix AppArmor recording for workloads that use anonymous hugepages. (#2421, @mhils)
  • Fix a bug where AppArmor profiles with a name containing / or . weren't deleted properly. (#2710, @mhils)
  • Fix a bug where AppArmor profiles would contain the same path more than once. (#2377, @mhils)
  • Fix a bug where incorrect AppArmor profiles were generated for mkdir(). (#2712, @mhils)
  • Fix a bug where recorded AppArmor profiles would prevent executables from spawning. (#2554, @mhils)
  • Fix a bug where spoc would generate empty AppArmor profiles on systems without BPF LSM enabled. (#2385, @mhils)
  • Fix the daemon container security context to keep the local seccomp profile. (#2612, @ccojocar)
  • Replace variable path components such as task IDs and container IDs in file paths recorded into AppArmor profiles. (#2357, @ccojocar)
  • Permit AppArmor profiles with cap_sys_rawio to call (u)mount. (#2713, @mhils)

Other (Cleanup or Flake)

  • API BREAKING CHANGES: the policy field was removed from the ApparmorProfile CRD; use the abstract field instead, which automatically generates the policy before installation. (#2590, @ccojocar)
  • Updated kube-rbac-proxy to v0.16.0. (#2551, @saschagrunert)
  • Updated runc to v1.1.13. (#2311, @saschagrunert)

Dependencies

Added

  • cel.dev/expr: v0.19.1
  • chainguard.dev/sdk: v0.1.23
  • cloud.google.com/go/auth/oauth2adapt: v0.2.6
  • cloud.google.com/go/auth: v0.13.0
  • cloud.google.com/go/translate: v1.10.3
  • github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider: v0.14.0
  • github.com/DataDog/go-libddwaf/v3: v3.3.0
  • github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.25.0
  • github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric: v0.48.1
  • github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping: v0.48.1
  • github.com/antihax/optional: v1.0.0
  • github.com/antlr4-go/antlr/v4: v4.13.1
  • github.com/avast/retry-go/v4: v4.6.0
  • github.com/aws/aws-sdk-go-v2/service/route53: v1.44.0
  • github.com/chainguard-dev/slogctx: v1.2.2
  • github.com/checkpoint-restore/go-criu/v6: v6.3.0
  • github.com/containerd/errdefs/pkg: v0.3.0
  • github.com/containerd/platforms: v0.2.1
  • github.com/containerd/typeurl/v2: v2.2.3
  • github.com/coreos/go-oidc: v2.2.1+incompatible
  • github.com/go-http-utils/headers: fed159e
  • github.com/go-piv/piv-go/v2: v2.3.0
  • github.com/hairyhenderson/go-which: v0.2.0
  • github.com/hashicorp/golang-lru/v2: v2.0.7
  • github.com/in-toto/attestation: v1.1.0
  • github.com/moby/sys/capability: v0.4.0
  • github.com/moby/sys/userns: v0.1.0
  • github.com/planetscale/vtprotobuf: 0393e58
  • github.com/pquerna/cachecontrol: v0.1.0
  • github.com/rogpeppe/fastuuid: v1.2.0
  • github.com/sigstore/sigstore-go: v0.6.1
  • github.com/skeema/knownhosts: v1.3.0
  • github.com/smallstep/pkcs7: v0.1.1
  • github.com/theupdateframework/go-tuf/v2: v2.0.1
  • github.com/tink-crypto/tink-go-awskms/v2: v2.1.0
  • github.com/tink-crypto/tink-go-gcpkms/v2: v2.2.0
  • github.com/tink-crypto/tink-go/v2: v2.2.0
  • go.opentelemetry.io/auto/sdk: v1.1.0
  • go.opentelemetry.io/contrib/detectors/gcp: v1.32.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.33.0
  • go.opentelemetry.io/otel/sdk/metric: v1.32.0
  • go.uber.org/mock: v0.5.0
  • gopkg.in/evanphx/json-patch.v4: v4.12.0
  • k8s.io/gengo/v2: 2b36238
  • kernel.org/pub/linux/libs/security/libcap/cap: v1.2.73
  • kernel.org/pub/linux/libs/security/libcap/psx: v1.2.73

Changed

Removed

  • github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper: v0.2.0
  • github.com/DataDog/go-libddwaf/v2: v2.2.3
  • github.com/PuerkitoBio/purell: v1.1.1
  • github.com/PuerkitoBio/urlesc: de5bf2a
  • github.com/andybalholm/brotli: v1.0.1
  • github.com/antlr/antlr4/runtime/Go/antlr/v4: 8188dc5
  • github.com/blendle/zapdriver: v1.3.1
  • github.com/checkpoint-restore/go-criu/v5: v5.3.0
  • github.com/dsnet/compress: f669936
  • github.com/go-kit/log: v0.2.1
  • github.com/go-logfmt/logfmt: v0.5.1
  • github.com/gomarkdown/markdown: 4d01890
  • github.com/google/gnostic: v0.5.7-v3refs
  • github.com/lithammer/dedent: v1.1.0
  • github.com/mholt/archiver/v3: v3.5.1
  • github.com/mmarkdown/mmark: v2.0.40+incompatible
  • github.com/mpvl/unique: cbe035f
  • github.com/nwaples/rardecode: v1.1.0
  • github.com/petermattis/goid: b0b1615
  • github.com/pierrec/lz4/v4: v4.1.2
  • github.com/sasha-s/go-deadlock: 237a954
  • github.com/shurcooL/sanitized_anchor_name: v1.0.0
  • github.com/xi2/xz: 48954b6
  • go.mozilla.org/pkcs7: 33d0574
  • go.opentelemetry.io/otel/exporters/otlp/internal/retry: v1.15.0
  • go.starlark.net: a134d8f
  • go4.org/intern: 6c62f75
  • go4.org/unsafe/assume-no-moving-gc: b99613f
  • inet.af/netaddr: b8eac61
  • knative.dev/pkg: 74c4be5
  • sigs.k8s.io/mdtoc: v1.3.0
