🎉 Security & Performance Improvements 🎉
- Docs @ v0.32.0
- Examples @ v0.32.0
Installation one-liner
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.32.0/release.yaml
⚠️ Known Issues
- #4483 Implicit parameter mapping incorrectly passes params from the top-level Pipeline or PipelineRun to taskRef Pipeline Tasks. Mapping should only occur from the top-level resource to Pipeline Tasks with an in-line taskSpec. This issue only affects users with enable-api-fields: alpha in the feature-flags ConfigMap stored in the tekton-pipelines namespace.
Changes
Features
- ✨ Match k8s recommended restricted PSP. (#4439)
tekton-pipelines PodSecurityPolicy now drops all capabilities and enables default
seccomp/apparmor annotations. This should not affect user Runs unless you are
running in the tekton-pipelines namespace (which we generally do not recommend).
- ✨ Avoid API server call to get Pod when sidecars are stopped (#4374)
Avoids calls to the API server to stop sidecars when the sidecars are already stopped.
- ✨ Lockdown /tekton/step folders to their own steps. (#4352)
The /tekton/steps directory is now read-only and subdirectories in /tekton/steps are now symlinks. The content for the resolved paths remains the same.
Fixes
Scripts will no longer print their commands and arguments by default in order to limit unexpected exposure of sensitive values.
- 🐛 set activeDeadlineSeconds to max for tasks with no timeouts (#4450)
Set activeDeadlineSeconds to the maximum permitted value (MaxInt32) for a task with a 0s timeout (no timeouts).
This commit fixes the bug where a task with a 0s timeout was failing with an out of range error.
- 🐛 test/sidecar_test.go: replace t.Errorfs with t.Fatalfs (#4436)
- 🐛 Select entrypoint command based on runtime platform (#4420)
Changes the way image commands are passed to the entrypoint executor, enabling more correct behavior in heterogeneous clusters, and allowing for multi-platform image references to be passed to generated Pods.
- 🐛 Merge default PodTemplate's affinity field (#4406)
Fixes an issue where the default PodTemplate's affinity field was ignored.
- 🐛 Pass explicit platforms list when publishing images (#4480)
- 🐛 Bump GoogleContainerTools/skaffold revision from v0.32.0 to v1.32.0 (#4423)
Misc
- 🔨 Fix links in expressions migrations announcements (#4462)
- 🔨 Pick up latest (k8s 0.22 libs) (#4449)
The pipelines clients are now compatible with k8s.io/client-go v0.22.x
- 🔨 Refactor PipelineRun timeout logic (#4447)
[Bug fix] Handle cases where PipelineRun task timeouts are greater than Pipeline.Timeouts.Task or Pipeline.Timeouts.Finally
- 🔨 Remove --enable-basic-auth from the development guide (#4442)
- 🔨 subcommands_test: Group command tests with t.Run. (#4437)
- 🔨 Reduce RBAC permissions for Tekton controller/webhook roles. (#4434)
Tekton tekton-pipelines-controller-tenant-access and tekton-pipelines-webhook-cluster-access
ClusterRole permissions are reduced to better fit least privilege.
This should have no effect on the Pipelines Controller/Webhook itself, but may impact users
if they were relying on these roles for other uses.
- 🔨 Don't install golangci-lint with curl|bash, use go install, introduce the tools folder (#4411)
- 🔨 Clean up RunsToCompletion interface (#4479)
- 🔨 Reduce duplication in TaskRun reconciler tests (#4441)
- 🔨 Add image replacement for amd64 specific image (#4456)
- 🔨 Skip creds-init-only-mounts-provided-credentials test for linux/s390x (#4452)
- 🔨 Remove unused informers (#4459)
Reduce memory footprint of the pipeline controller
Docs
- 📖 updating README to include v0.31.0 release links (#4429)
Adding links to the latest release - v0.31.0
Thanks
Thanks to these contributors who contributed to v0.32.0!
- ❤️ @Siddhesh-Ghadi
- ❤️ @barthy1
- ❤️ @devholic
- ❤️ @guillaumerose
- ❤️ @imjasonh
- ❤️ @jerop
- ❤️ @lbernick
- ❤️ @mattmoor
- ❤️ @pritidesai
- ❤️ @sbwsg
- ❤️ @smaftoul
- ❤️ @vdemeester
- ❤️ @wlynch
Extra shout-out for awesome release notes:
- 😍 @devholic
- 😍 @guillaumerose
- 😍 @imjasonh
- 😍 @jerop
- 😍 @lbernick
- 😍 @mattmoor
- 😍 @pritidesai
- 😍 @smaftoul
- 😍 @vdemeester
- 😍 @wlynch