github vmware-tanzu/pinniped v0.9.2

Release v0.9.2

Release Images

Image | Registry
projects.registry.vmware.com/pinniped/pinniped-server:v0.9.2 | VMware Harbor
docker.io/getpinniped/pinniped-server:v0.9.2 | DockerHub

Changes

Pinniped v0.9.2 is a small security hardening release on top of the recent v0.9.1 release.

Minor Changes

  • We've made several changes to harden the impersonation proxy against potential future security vulnerabilities. These changes are proactive, based on our understanding of potential issues:

    • The impersonation proxy now always authorizes every request, rather than deferring authorization to the Kubernetes API.

    • The impersonation proxy now uses a distinct service account with no RBAC privileges other than impersonation.

    • On clusters where anonymous authentication is disabled (such as AKS), the impersonation proxy now refuses anonymous requests. The Pinniped TokenCredentialRequest API is still allowed, since it is necessarily a pre-authentication API.

  • Upgraded Go from 1.16.4 to 1.16.5.
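
The "no RBAC privileges other than impersonation" change above can be checked by resolving every binding that names the proxy's service account and flagging any verb other than `impersonate`. The following is an added example, not code from the Pinniped project: the `Rule` and `Binding` types are simplified stand-ins for the Kubernetes RBAC objects, and all role and service account names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Simplified stand-ins for rbac/v1 PolicyRule and (Cluster)RoleBinding (assumed shapes).
type Rule struct{ Verbs, Resources []string }
type Binding struct {
	Role     string
	Subjects []string // service accounts written as "namespace/name"
}

// ExtraPrivileges lists every verb/resource pair granted to sa, through any
// binding, whose verb is not "impersonate". A wildcard verb is reported too.
func ExtraPrivileges(sa string, roles map[string][]Rule, bindings []Binding) []string {
	var extra []string
	for _, b := range bindings {
		for _, s := range b.Subjects {
			if s != sa {
				continue
			}
			for _, r := range roles[b.Role] {
				for _, v := range r.Verbs {
					if v == "impersonate" {
						continue
					}
					for _, res := range r.Resources {
						extra = append(extra, fmt.Sprintf("%s: %s %s", b.Role, v, res))
					}
				}
			}
		}
	}
	sort.Strings(extra)
	return extra
}

func main() {
	// Constructed sample data; every name here is hypothetical.
	roles := map[string][]Rule{
		"proxy-impersonate": {{Verbs: []string{"impersonate"}, Resources: []string{"users", "groups", "serviceaccounts"}}},
		"legacy-read":       {{Verbs: []string{"get", "list"}, Resources: []string{"secrets"}}},
	}
	bindings := []Binding{
		{Role: "proxy-impersonate", Subjects: []string{"pinniped/proxy-sa"}},
		{Role: "legacy-read", Subjects: []string{"pinniped/proxy-sa"}},
	}
	for _, p := range ExtraPrivileges("pinniped/proxy-sa", roles, bindings) {
		fmt.Println("unexpected grant:", p)
	}
}
```

An empty result means the account can do nothing but impersonate; in a real cluster the same inputs would come from the ClusterRoles, Roles and their bindings.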

A complete list of changes (16 commits, 15 changed files with 1,197 additions and 210 deletions) can be found here.
