uselagoon/lagoon v2.2.0

lagoon-core v2.2.0

on GitHub

This release is built on the https://github.com/uselagoon/lagoon-images/releases/tag/21.10.0 images

Three important Alpha stability features here:

Add default Kubernetes network policy support by @smlx in #2536

In order to better provide namespace isolation, a NetworkPolicy has been implemented to prevent inter-namespace communication. This can be enabled in a number of fashions:

• Forced for all namespaces in the controller (via variable LAGOON_FEATURE_FLAG_FORCE_ISOLATION_NETWORK_POLICY=true)
• Individually per project or environment (via variable LAGOON_FEATURE_FLAG_ISOLATION_NETWORK_POLICY=true)
• Set as default for all namespaces in the controller (via variable LAGOON_FEATURE_FLAG_DEFAULT_ISOLATION_NETWORK_POLICY=true)

Implement rootless workloads by @smlx in #2481

In order to better provide protection against workloads running as root, a SecurityContext has been set for services, along with an init container that will ensure namespaces have the correct permissions in their file storage. This can be enabled in a number of fashions:

• Forced for all namespaces in the controller (via variable LAGOON_FEATURE_FLAG_FORCE_ROOTLESS_WORKLOAD=true)
• Individually per project or environment (via variable LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD=true)
• Set as default for all namespaces in the controller (via variable LAGOON_FEATURE_FLAG_DEFAULT_ROOTLESS_WORKLOAD=true)

Validate ingress annotation snippets against an allow-list by @tobybellwood in #2889

There is now a lagoon-linter step that runs as part of the build & deploy process that will inspect defined routes for correct configuration of nginx annotation snippets (in response to CVE-2021-25742. Instead of disallowing snippets entirely (which is the current recommended remediation), Lagoon has opted to utilise a linter (https://github.com/uselagoon/lagoon-linter) to process an allowlist of defined snippets. The catch here is that the linter will not lint files that are not valid YAML.

To check a .lagoon.yml file yourself, download and extract the binary from https://github.com/uselagoon/lagoon-linter/releases and run it against your .lagoon.yml file locally. If the linter exits successfully (no output), the file is ok.

What's Changed

• update refs in makefile by @tobybellwood in #2884
• docs: make clear where .env files are loaded from by @pmelab in #2886
• Add default Kubernetes network policy support by @smlx in #2536
• Additional SSH service changes by @shreddedbacon in #2881
• Validate ingress annotation snippets against an allow-list by @tobybellwood in #2889
• Document new feature flags by @smlx in #2541
• Add fastly configuration to autogenerated routes if enabled by @shreddedbacon in #2883
• Implement rootless workloads by @smlx in #2481

New Contributors

• @pmelab made their first contribution in #2886

Full Changelog: v2.1.0...v2.2.0