kubernetes-sigs/security-profiles-operator v1.0.0

on GitHub

Welcome to our glorious v1.0.0 release of the security-profiles-operator! 🥳 👯

This is the first stable release of the Security Profiles Operator! All CRD APIs have been graduated from alpha/beta to v1, providing a stable API surface for managing security profiles in Kubernetes. This release was preceded by a third-party security audit that found zero critical vulnerabilities, with all identified hardening areas addressed in this release. The general usage and setup can be found in our documentation, and a dedicated v1 migration guide is available to help with upgrading from previous versions.

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v1.0.0/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v1.0.0

Besides the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64, arm64 and ppc64le are attached to this release.

To verify the signature of spoc, download all release artifacts and run for amd64 (works in the same way for arm64 and ppc64le):

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --bundle spoc.amd64.bundle \
    spoc.amd64

We also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Changes

• Graduate all CRD APIs from alpha/beta to v1. (#3242, @saschagrunert)
• Replace external seccomp.Action and seccomp.Operator with SPO-owned types. (#3222, @saschagrunert)
• Fix seccomp field types per Kubernetes API conventions. (#3223, @saschagrunert)
• Group SPOD spec fields into substructs. (#3226, @saschagrunert)
• Convert SPOD bool fields to *bool for three-state semantics. (#3231, @saschagrunert)
• Add AppArmorProfile to ProfileBinding kinds. (#3215, @saschagrunert)
• Replace *[]string with []string in AppArmorProfile. (#3214, @saschagrunert)
• Move SecurityProfileNodeStatus fields into Spec/Status. (#3213, @saschagrunert)
• Move ConditionedStatus to shared api/common package. (#3196, @saschagrunert)
• Fix comment casing, add required/optional and enum markers, integrate kal. (#3240, @saschagrunert)
• Add validation markers, harden validation and symlink safety. (#3234, @saschagrunert)
• Fix ProfileRecording kind casing, switch bugs, and recorder validation. (#3232, @saschagrunert)

Feature

• Add enableInsecureMetricsAccess SPOD config option to allow unauthenticated metrics scraping on the daemon container. (#3265, @ccojocar)

Security

• Sanitize all input data rendered into the AppArmor profile template. (#3233, @ccojocar)
• Add safety bound check for path length in eBPF recorder. (#3264, @ccojocar)
• Cap the maximum number of recorded files and the file path length in the BPF recorder to avoid OOM. (#3246, @ccojocar)
• Fix data races, OOM guards, and performance in BPF recorder and container ID cache. (#3251, @saschagrunert)
• Add kubebuilder validation for HostProcVolumePath to prevent mounting other paths than /proc. (#3236, @ccojocar)
• Add kubebuilder validation for ListenerPath in SeccompProfile configuration. (#3239, @ccojocar)
• Anchor the regex to match only the SPO_EXEC_REQUIRED_UID and not other arguments of the command. (#3237, @ccojocar)
• Fix greedy operator in audit regexes. (#3238, @ccojocar)
• Verify the base profile OIDC on immutable image digest and add options to SPOD config to setup allowed identity and OIDC issuer regexp(s). (#3252, @ccojocar)
• Add SELinux semantic validation for dangerous types, classes and permissions. (#3261, @ccojocar)
• Improve the SELinux policy validation to check unescaped ) and use of restrictive global directives. (#3258, @ccojocar)

Bug

• Fix partial profiles never merged due to namespace filter. (#3241, @mirza-src)
• Make selinuxd policy compatible with refpolicy. (#3259, @mirza-src)
• Add default SELinux options so allowedSystemProfiles is applied. (#3243, @mirza-src)
• Skip binding when a referenced profile is not available. (#3257, @ccojocar)
• Make sure that the profiles are really bound when another profile exists in security context. (#3256, @ccojocar)
• Webhook should overwrite an existing recording annotation on a pod. (#3244, @ccojocar)
• Avoid overwriting existing AppArmor profiles. (#3225, @ccojocar)
• Combine the pid with the start time of the process when caching the container ID. (#3247, @ccojocar)
• Drop the labels with unbounded cardinality from Prometheus counters. (#3245, @ccojocar)
• Chown emptyDir mounts via fsGroup so cosign TUF cache works. (#3163, @Ca-moes)
• Fix SELinux policy reload job creation when SPOD pods are excluded from the daemon manager cache. (#3270, @miltalex)

Cleanup

• Extract shared reconciliation logic from profile controllers. (#3167, @saschagrunert)
• Cleanup high priority tech debt. (#3187, @saschagrunert)
• Add a dev container configuration. (#3189, @ccojocar)

Documentation

• Add v1 migration guide and update docs for API graduation. (#3248, @saschagrunert)
• Fix cluster-scoped seccomp path and SELinux usage format. (#3192, @Vincent056)

Dependencies

Added

• github.com/aperturerobotics/protobuf-go-lite: v0.14.0
• github.com/checkpoint-restore/go-criu/v8: v8.3.0
• github.com/mistifyio/go-zfs/v4: v4.0.0
• github.com/moby/sys/devices: v0.1.0
• k8s.io/streaming: v0.36.2

Changed

• cyphar.com/go-pathrs: v0.2.4 → v0.2.5
• github.com/BurntSushi/toml: v1.5.0 → v1.6.0
• github.com/aquasecurity/libbpfgo: 1.5.1 → 1.5.1
• github.com/cert-manager/cert-manager: v1.20.1 → v1.20.2
• github.com/checkpoint-restore/checkpointctl: v1.4.0 → v1.5.0
• github.com/cncf/xds/go: ee656c7 → dba9d58
• github.com/containerd/platforms: v1.0.0-rc.2 → v1.0.0-rc.4
• github.com/containers/ocicrypt: v1.2.1 → v1.3.0
• github.com/coreos/go-oidc: v2.3.0 → v2.5.0
• github.com/cyphar/filepath-securejoin: v0.6.1 → v0.7.0
• github.com/docker/cli: v29.4.0 → v29.5.3
• github.com/docker/docker-credential-helpers: v0.9.5 → v0.9.7
• github.com/docker/go-connections: v0.6.0 → v0.7.0
• github.com/envoyproxy/go-control-plane/envoy: v1.36.0 → v1.37.0
• github.com/envoyproxy/protoc-gen-validate: v1.3.0 → v1.3.3
• github.com/fatih/color: v1.18.0 → v1.19.0
• github.com/fsnotify/fsnotify: v1.9.0 → v1.10.1
• github.com/fxamacker/cbor/v2: v2.9.0 → v2.9.2
• github.com/go-openapi/jsonpointer: v0.22.5 → v0.23.1
• github.com/go-openapi/swag: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/cmdutils: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/conv: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/fileutils: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/jsonname: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/jsonutils: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/jsonutils/fixtures_test: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/loading: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/mangling: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/netutils: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/stringutils: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/typeutils: v0.25.5 → v0.26.0
• github.com/go-openapi/swag/yamlutils: v0.25.5 → v0.26.0
• github.com/go-openapi/testify/enable/yaml/v2: v2.4.1 → v2.4.2
• github.com/go-openapi/testify/v2: v2.4.1 → v2.4.2
• github.com/google/go-containerregistry: v0.21.5 → v0.21.7
• github.com/google/pprof: f64d9cf → 545e8a4
• github.com/hairyhenderson/go-which: v0.2.2 → v0.2.3
• github.com/in-toto/in-toto-golang: v0.10.0 → v0.11.0
• github.com/klauspost/compress: v1.18.5 → v1.18.6
• github.com/mattn/go-runewidth: v0.0.20 → v0.0.23
• github.com/mattn/go-sqlite3: v1.14.32 → v1.14.44
• github.com/moby/moby/api: v1.54.1 → v1.54.2
• github.com/moby/moby/client: v0.4.0 → v0.4.1
• github.com/moby/spdystream: v0.5.0 → v0.5.1
• github.com/onsi/ginkgo/v2: v2.28.0 → v2.29.0
• github.com/onsi/gomega: v1.39.1 → v1.41.0
• github.com/opencontainers/runc: v1.4.2 → v1.5.0
• github.com/opencontainers/runtime-tools: edf4cb3 → 8a4db57
• github.com/opencontainers/selinux: v1.13.1 → v1.14.1
• github.com/pkg/sftp: v1.13.9 → v1.13.10
• github.com/proglottis/gpgme: v0.1.5 → v0.1.6
• github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.90.1 → v0.92.0
• github.com/secure-systems-lab/go-securesystemslib: v0.10.0 → v0.11.0
• github.com/sigstore/sigstore: v1.10.5 → v1.10.6
• github.com/sylabs/sif/v2: v2.22.0 → v2.24.0
• github.com/vbatts/tar-split: v0.12.2 → v0.12.3
• github.com/vbauerster/mpb/v8: v8.10.2 → v8.12.0
• go.opentelemetry.io/contrib/detectors/gcp: v1.40.0 → v1.42.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.66.0 → v0.68.0
• go.podman.io/common: v0.67.1 → v0.68.0
• go.podman.io/image/v5: v5.39.2 → v5.40.0
• go.podman.io/storage: v1.62.0 → v1.63.0
• golang.org/x/crypto: v0.50.0 → v0.53.0
• golang.org/x/mod: v0.35.0 → v0.37.0
• golang.org/x/net: v0.53.0 → v0.56.0
• golang.org/x/sync: v0.20.0 → v0.21.0
• golang.org/x/sys: v0.43.0 → v0.46.0
• golang.org/x/telemetry: be6f6cb → fb80ec8
• golang.org/x/term: v0.42.0 → v0.44.0
• golang.org/x/text: v0.36.0 → v0.38.0
• golang.org/x/tools: v0.44.0 → v0.46.0
• google.golang.org/genproto/googleapis/api: 0b37fe3 → 9d38bb4
• google.golang.org/genproto/googleapis/rpc: d00831a → 9d38bb4
• google.golang.org/grpc: v1.80.0 → v1.81.1
• google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.6.1 → v1.6.2
• google.golang.org/protobuf: v1.36.11 → f2248ac
• k8s.io/api: v0.35.3 → v0.36.2
• k8s.io/apiextensions-apiserver: v0.35.2 → v0.36.2
• k8s.io/apimachinery: v0.35.3 → v0.36.2
• k8s.io/apiserver: v0.35.2 → v0.36.2
• k8s.io/cli-runtime: v0.35.3 → v0.36.2
• k8s.io/client-go: v0.35.3 → v0.36.2
• k8s.io/code-generator: v0.35.2 → v0.36.2
• k8s.io/component-base: v0.35.2 → v0.36.2
• k8s.io/kms: v0.35.2 → v0.36.2
• k8s.io/kube-openapi: 43fb72c → 865597e
• k8s.io/utils: b8788ab → ff6756f
• kernel.org/pub/linux/libs/security/libcap/cap: v1.2.76 → v1.2.78
• kernel.org/pub/linux/libs/security/libcap/psx: v1.2.76 → v1.2.78
• oras.land/oras-go/v2: v2.6.0 → v2.6.1
• sigs.k8s.io/controller-runtime: v0.23.3 → v0.24.1
• sigs.k8s.io/controller-tools: v0.20.1 → v0.21.0
• sigs.k8s.io/kustomize/api: v0.20.1 → v0.21.1
• sigs.k8s.io/kustomize/kyaml: v0.20.1 → v0.21.1
• sigs.k8s.io/structured-merge-diff/v6: v6.3.2 → v6.4.0
• tags.cncf.io/container-device-interface: v1.0.1 → v1.1.0

Removed

• github.com/checkpoint-restore/go-criu/v7: v7.2.0
• github.com/containernetworking/cni: v1.3.0
• github.com/containernetworking/plugins: v1.8.0
• github.com/docker/docker: v28.5.1
• github.com/gregjones/httpcache: 901d907
• github.com/mistifyio/go-zfs/v3: v3.1.0
• github.com/mndrix/tap-go: 629fa40
• github.com/xeipuuv/gojsonschema: v1.2.0