Releases: kubernetes-sigs/security-profiles-operator
Releases Β· kubernetes-sigs/security-profiles-operator
v0.10.1
22c9486
This commit was signed with the committerβs verified signature.
saschagrunert
Sascha Grunert
Welcome to our glorious v0.10.1 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.10.1/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.10.1
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Cleanup
- Require go 1.25 to build. (#3025, @saschagrunert)
- Update runc seccomp base profile to match version v1.3.1. (#2993, @saschagrunert)
- Bump operator-sdk from v1.37.0 to v1.42.2 and opm from v1.37.0 to v1.65.0. (#3131, @saschagrunert)
Bug
- Update installation-usage.md to clarify audit log location. (#3024, @BhargaviGudi)
Dependencies
Added
- al.essio.dev/pkg/shellescape: v1.6.0
- buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go: 80ab13b
- buf.build/go/protovalidate: v1.1.3
- buf.build/go/protoyaml: v0.6.0
- cloud.google.com/go/pubsub/v2: v2.3.0
- connectrpc.com/connect: v1.19.1
- cyphar.com/go-pathrs: v0.2.4
- github.com/AliyunContainerService/ack-ram-tool/pkg/ecsmetadata: v0.0.10
- github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns: v1.3.0
- github.com/DataDog/go-libddwaf/v4: v4.3.2
- github.com/MakeNowJust/heredoc/v2: v2.0.1
- github.com/Masterminds/semver: v1.5.0
- github.com/Masterminds/sprig: v2.22.0
- github.com/akamai/AkamaiOPEN-edgegrid-golang/v13: v13.0.0
- github.com/alibabacloud-go/tea-utils/v2: v2.0.7
- github.com/aws/aws-sdk-go-v2/service/ec2: v1.279.2
- github.com/aws/aws-sdk-go-v2/service/signin: v1.0.8
- github.com/benbjohnson/clock: v1.3.5
- github.com/bitfield/gotestdox: v0.2.2
- github.com/buildkite/go-buildkite/v4: v4.13.1
- github.com/buildkite/test-engine-client: v1.6.0
- github.com/buildkite/zstash: v0.8.0
- github.com/bytecodealliance/wasmtime-go/v39: v39.0.1
- github.com/cenkalti/backoff: 309aa71
- github.com/clipperhouse/displaywidth: v0.11.0
- github.com/clipperhouse/uax29/v2: v2.7.0
- github.com/decred/dcrd/crypto/blake256: v1.1.0
- github.com/dgryski/go-farm: 3414d57
- github.com/dnephin/pflag: v1.0.7
- github.com/go-openapi/swag/cmdutils: v0.25.5
- github.com/go-openapi/swag/conv: v0.25.5
- github.com/go-openapi/swag/fileutils: v0.25.5
- github.com/go-openapi/swag/jsonname: v0.25.5
- github.com/go-openapi/swag/jsonutils: v0.25.5
- github.com/go-openapi/swag/jsonutils/fixtures_test: v0.25.5
- github.com/go-openapi/swag/loading: v0.25.5
- github.com/go-openapi/swag/mangling: v0.25.5
- github.com/go-openapi/swag/netutils: v0.25.5
- github.com/go-openapi/swag/stringutils: v0.25.5
- github.com/go-openapi/swag/typeutils: v0.25.5
- github.com/go-openapi/swag/yamlutils: v0.25.5
- github.com/go-openapi/testify/enable/yaml/v2: v2.4.1
- github.com/go-openapi/testify/v2: v2.4.1
- github.com/go-ozzo/ozzo-validation/v4: v4.3.0
- github.com/graph-gophers/graphql-go: v1.9.0
- github.com/hashicorp/go-hmac-drbg: a6e5a68
- github.com/hashicorp/go-secure-stdlib/cryptoutil: v0.1.1
- github.com/hashicorp/go-version: v1.7.0
- github.com/huandu/go-clone: v1.7.3
- github.com/huandu/go-sqlbuilder: v1.39.1
- github.com/lestrrat-go/dsig: v1.0.0
- github.com/lestrrat-go/dsig-secp256k1: v1.0.0
- github.com/lestrrat-go/httprc/v3: v3.0.4
- github.com/lestrrat-go/jwx/v3: [v3.0.1...
Contributors
saschagrunert and BhargaviGudi
Assets 17
- 18.6 KB
2026-05-05T11:07:32Z - 6.19 KB
2026-05-05T11:30:35Z - 92 MB
2026-05-05T11:30:35Z - 141 Bytes
2026-05-05T11:30:35Z - 6.12 KB
2026-05-05T11:30:35Z - 85.9 MB
2026-05-05T11:30:35Z - 91.7 MB
2026-05-05T11:30:36Z - 5.96 KB
2026-05-05T11:30:36Z - 141 Bytes
2026-05-05T11:30:36Z - 95.7 MB
2026-05-05T11:30:37Z -
2026-05-05T09:12:01Z -
2026-05-05T09:12:01Z - Loading
v0.10.0
Welcome to our glorious v0.10.0 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.10.0/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.10.0
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Add BPF-based log enricher (#2908, @mhils)
- Adds an option (
--audit-log-interval-seconds) to set the audit log interval for the JSON Log Enricher (#2867, @ngopalak-redhat) - Add In-Pod Activity Log recorder in audit JSON lines format (#2835, @ngopalak-redhat)
- Add Request UID to JSON log enricher to correlate container and API Server Audit log (#2878, @ngopalak-redhat)
- Add file system support for JSON Log Enricher Audit logging (#2871, @ngopalak-redhat)
- Adds eBPF support to json audit log enricher (#2929, @ngopalak-redhat)
- Adds support for kubectl node debugging for JSON Log enricher (#2907, @ngopalak-redhat)
- Introduced log filtering capabilities for enrichers, configurable via SPOD, enabling filtering of audit JSON and log-enricher output based on custom rules. (#2909, @ngopalak-redhat)
- Support for TLS 1.3 in SPO webhooks (#2954, @ngopalak-redhat)
Bug or Regression
- Applies the changes to Seccomp and Apparmor profiles only whent here are effective changes in the CRs. (#2826, @ccojocar)
Other (Cleanup or Flake)
- Removed support for in-memory btf because most kernels should now expose
/sys/kernel/btf/vmlinux(#2969, @saschagrunert) - Switch to
betamaturity with respect to community operators (operator hub). (#2818, @saschagrunert)
Dependencies
Added
- github.com/DataDog/datadog-agent/comp/core/tagger/origindetection: v0.64.2
- github.com/DataDog/datadog-agent/pkg/version: v0.64.2
- github.com/DataDog/dd-trace-go/v2: v2.0.0
- github.com/Masterminds/goutils: v1.1.1
- github.com/Masterminds/sprig/v3: v3.3.0
- github.com/cenkalti/backoff/v5: v5.0.2
- github.com/cheggaaa/pb/v3: v3.1.6
- github.com/containerd/containerd/v2: v2.1.1
- github.com/google/go-github/v72: v72.0.0
- github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus: v1.0.1
- github.com/grpc-ecosystem/go-grpc-middleware/v2: v2.1.0
- github.com/huandu/xstrings: v1.5.0
- github.com/keybase/go-keychain: v0.0.1
- github.com/mitchellh/copystructure: v1.2.0
- github.com/mitchellh/reflectwalk: v1.0.2
- github.com/moby/sys/atomicwriter: v0.1.0
- github.com/olekukonko/errors: v1.1.0
- github.com/olekukonko/ll: v0.0.9
- github.com/olekukonko/ts: 78ecb04
- github.com/opencontainers/cgroups: v0.0.4
- github.com/puzpuzpuz/xsync/v3: v3.5.1
- github.com/shirou/gopsutil/v4: v4.25.3
- github.com/shopspring/decimal: v1.4.0
- github.com/sigstore/rekor-tiles: v0.1.5
- github.com/tink-crypto/tink-go-hcvault/v2: v2.3.0
- go.etcd.io/gofail: v0.2.0
- go.etcd.io/raft/v3: v3.6.0
- go.yaml.in/yaml/v2: v2.4.2
- go.yaml.in/yaml/v3: v3.0.3
- goa.design/goa/v3: v3.20.1
- golang.org/x/tools/go/expect: v0.1.0-deprecated
- golang.org/x/tools/go/packages/packagestest: v0.1.1-deprecated
- gonum.org/v1/gonum: v0.16.0
- sigs.k8s.io/randfill: v1.0.0
Changed
- cel.dev/expr: v0.19.1 β v0.24.0
- chainguard.dev/go-grpc-kit: v0.17.7 β v0.17.10
- chainguard.dev/sdk: v0.1.29 β v0.1.32
- cloud.google.com/go/auth/oauth2adapt: v0.2.7 β v0.2.8
- cloud.google.com/go/auth: v0.15.0 β v0.16.2
- cloud.google.com/go/compute/metadata: v0.6.0 β v0.7.0
- cloud.google.com/go/iam: v1.4.1 β v1.5.2
- cloud.google.com/go/kms: v1.21.1 β v1.22.0
- cloud.google.com/go/longrunning: v0.6.5 β v0.6.7
- cloud.google.com/go/monitoring: v1.21.2 β v1.24.0
- cloud.google.com/go/pubsub: v1.45.3 β v1.47.0
- cloud.google.com/go/security: v1.18.4 β v1.18.5
- cloud.google.com/go/storage: v1.49.0 β v1.50.0
- cloud.google.com/go/trace: v1.11.2 β v1.11.3
- cloud.google.com/go: v0.118.3 β v0.121.1
- dario.cat/mergo: v1.0.1 β v1.0.2
- github.com/AdaLogics/go-fuzz-headers: ced1acd β e8a1dd7
- github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.17.1 β v1.18.0
- github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.8.2 β v1.10.1
- github.com/Azure/azure-sdk-for-go/sdk/internal: v1.10.0 β v1.11.1
- github.com/Azure/azure-sdk-for-go/sdk/storage/azblob: v1.6.0 β v1.6.1
- github.com/AzureAD/microsoft-authentication-library-for-go: v1.3.3 β v1.4.2
- github.com/BurntSushi/toml: v1.4.0 β v1.5.0
- github.com/DataDog/appsec-internal-go: v1.9.0 β v1.11.2
- github.com/DataDog/datadog-agent/pkg/obfuscate: v0.58.0 β v0.64.2
- github.com/DataDog/datadog-agent/pkg/proto: v0.58.0 β v0.64.2
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state: v0.58.0 β v0.64.2
- github.com/DataDog/datadog-agent/pkg/trace: v0.58.0 β v0.64.2
- github.com/DataDog/datadog-agent/pkg/util/log: v0.58.0 β v0.64.2
- github.com/DataDog/datadog-agent/pkg/util/scrubber: [v0.58.0 β v0.64.2...
Contributors
ccojocar, saschagrunert, and 2 other contributors
Assets 11
v0.9.1
Welcome to our glorious v0.9.1 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.9.1/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.9.1
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Enabled the Security Profiles Operator for
ppc64learchitecture with support for seccomp and SELinux profile management. (#2589, @pranitaT) - Users can turn off the controllers by explicitly setting the flags to false. (#2796, @jindijamie)
Dependencies
Added
- drjosh.dev/zzglob: v0.4.0
- github.com/DataDog/datadog-agent/pkg/proto: v0.58.0
- github.com/DataDog/datadog-agent/pkg/trace: v0.58.0
- github.com/DataDog/datadog-agent/pkg/util/log: v0.58.0
- github.com/DataDog/datadog-agent/pkg/util/scrubber: v0.58.0
- github.com/DataDog/go-runtime-metrics-internal: a14610d
- github.com/DataDog/go-sqllexer: v0.0.14
- github.com/DataDog/opentelemetry-mapping-go/pkg/otlp/attributes: v0.20.0
- github.com/bmatcuk/doublestar/v4: v4.6.1
- github.com/chainguard-dev/clog: v1.5.1
- github.com/cihub/seelog: f561c5e
- github.com/dgraph-io/badger/v4: v4.5.1
- github.com/dgraph-io/ristretto/v2: v2.1.0
- github.com/eapache/queue/v2: 75960ed
- github.com/envoyproxy/go-control-plane/envoy: v1.32.4
- github.com/envoyproxy/go-control-plane/ratelimit: v0.1.0
- github.com/go-ole/go-ole: v1.2.6
- github.com/go-viper/mapstructure/v2: v2.2.1
- github.com/jackc/pgerrcode: 6e2875d
- github.com/jackc/pgpassfile: v1.0.0
- github.com/jackc/pgservicefile: 5a60cdf
- github.com/jackc/pgx/v5: v5.7.2
- github.com/jackc/puddle/v2: v2.2.2
- github.com/lufia/plan9stats: 115f729
- github.com/power-devops/perfstat: c35f1ee
- github.com/santhosh-tekuri/jsonschema/v5: v5.3.1
- github.com/shirou/gopsutil/v3: v3.24.4
- github.com/shoenig/go-m1cpu: v0.1.6
- github.com/tklauser/go-sysconf: v0.3.12
- github.com/tklauser/numcpus: v0.6.1
- github.com/yusufpapurcu/wmi: v1.2.4
- gitlab.com/gitlab-org/api/client-go: v0.127.0
- go.opentelemetry.io/collector/component: v0.104.0
- go.opentelemetry.io/collector/config/configtelemetry: v0.104.0
- go.opentelemetry.io/collector/pdata/pprofile: v0.104.0
- go.opentelemetry.io/collector/pdata: v1.11.0
- go.opentelemetry.io/collector/semconv: v0.104.0
Changed
- chainguard.dev/go-grpc-kit: v0.17.5 β v0.17.7
- chainguard.dev/sdk: v0.1.23 β v0.1.29
- cloud.google.com/go/auth/oauth2adapt: v0.2.6 β v0.2.7
- cloud.google.com/go/auth: v0.13.0 β v0.15.0
- cloud.google.com/go/iam: v1.2.2 β v1.4.1
- cloud.google.com/go/kms: v1.20.4 β v1.21.1
- cloud.google.com/go/longrunning: v0.6.2 β v0.6.5
- cloud.google.com/go/security: v1.18.0 β v1.18.4
- cloud.google.com/go/storage: v1.45.0 β v1.49.0
- cloud.google.com/go/trace: v1.10.5 β v1.11.2
- cloud.google.com/go: v0.116.0 β v0.118.3
- cuelabs.dev/go/oci/ociregistry: a39bec0 β 2c00c10
- cuelang.org/go: v0.9.2 β v0.12.1
- github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.16.0 β v1.17.1
- github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.8.0 β v1.8.2
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: v1.3.0 β v1.3.1
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal: v1.1.0 β v1.1.1
- github.com/Azure/azure-sdk-for-go/sdk/storage/azblob: v1.4.0 β v1.6.0
- github.com/AzureAD/microsoft-authentication-library-for-go: v1.3.1 β v1.3.3
- github.com/DataDog/appsec-internal-go: v1.7.0 β v1.9.0
- github.com/DataDog/datadog-agent/pkg/obfuscate: v0.48.0 β v0.58.0
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state: v0.48.1 β v0.58.0
- github.com/DataDog/datadog-go/v5: v5.5.0 β v5.6.0
- github.com/DataDog/go-libddwaf/v3: v3.3.0 β v3.5.1
- github.com/DataDog/go-tuf: v1.0.2-0.5.2 β v1.1.0-0.5.2
- github.com/Khan/genqlient: v0.7.0 β v0.8.0
- github.com/agnivade/levenshtein: v1.1.1 β v1.2.0
- github.com/avast/retry-go/v4: v4.6.0 β v4.6.1
- github.com/aws/aws-sdk-go-v2/config: v1.28.7 β v1.29.10
- github.com/aws/aws-sdk-go-v2/credentials: v1.17.48 β v1.17.63
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.16.22 β v1.16.30
- github.com/aws/a...
Contributors
jindijamie and pranitaT
Assets 21
v0.9.0
Welcome to our glorious v0.9.0 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.9.0/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.9.0
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Add
spoc installandspoc uninstallcommands to quickly install profiles on the local machine for testing. (#2711, @mhils) - Add more metrics for AppArmor profile. (#2686, @ccojocar)
- Add the complainMode flag into the ApparmorProfile CRD which allows to switch the apparmor profile into complain mode. (#2598, @ccojocar)
- Add the eBPF based AppArmor profile recorder into the API. (#2296, @ccojocar)
- AppArmor profiles can now have either an abstract or a concrete policy. (#2469, @mhils)
- BPF recorder: Detect
mkdirsyscalls for profile creation (#2663, @mhils) - BPF recorder: Detect
mknodsyscalls for profile creation (#2668, @mhils) - BPF recorder: Detect
unlinksyscalls for profile creation (#2667, @mhils) - Change the scope of security profiles CRDs to be cluster wide. (#2735, @ccojocar)
- Harden the bpf-recorder container with a custom seccomp profile. (#2626, @ccojocar)
- Harden the security-profiles-operator and bpf-recorder containers with custom apparmor profiles when apparmor is enabled. (#2646, @ccojocar)
- Make selinuxd images configurable in Helm chart (#2299, @mikroskeem)
- Make the AppArmor recorder support
readdir(#2555, @mhils) - Removed kube-rbac-proxy dependency in favor of the native controller-runtime feature. (#2595, @saschagrunert)
- Spoc now correctly tracks child processes that
clone(). (#2644, @mhils) - The AppArmor recorder is now better at detecting randomness in file paths and replacing it with placeholders. (#2702, @mhils)
- The BPF profile recorder now excludes unnecessary permissions exercised during container init. (#2623, @mhils)
spoc recordnow drops privileges when spawning the process it observes. (#2412, @mhils)
Documentation
- Added information that SELinux can be enabled/disabled in
installation-usage.md. (#2298, @saschagrunert) - Fixed
enableAppArmorboolean ininstallation-usage.md. (#2322, @saschagrunert) - Fixed
enableAppArmorvariable ininstallation-usage.md. (#2297, @saschagrunert) - Restructure and update the documentation, extend sections for apparmor and selinux recording and installation. (#2605, @ccojocar)
Bug or Regression
- AppArmor profiles recorded by spoc now include the abstract profile only, which ensures that the raw profile does not diverge. (#2428, @mhils)
- Cleanup unnecessary files from a recorded apparmor profile. (#2587, @ccojocar)
- Fix AppArmor recording for workloads that use anonymous hugepages. (#2421, @mhils)
- Fix a bug where AppArmor profiles with a name containing
/or.weren't deleted properly. (#2710, @mhils) - Fix a bug where AppArmor profiles would contain the same path more than once. (#2377, @mhils)
- Fix a bug where incorrect AppArmor profiles were generated for
mkdir(). (#2712, @mhils) - Fix a bug where recorded AppArmor profiles would prevent executables from spawning. (#2554, @mhils)
- Fix a bug where spoc would generate empty AppArmor profiles on systems without BPF LSM enabled. (#2385, @mhils)
- Fix the daemon container security context to keep the local seccomp profile. (#2612, @ccojocar)
- It replaces the variance such as task ID and container ID from files paths recorded in apparmor profile. (#2357, @ccojocar)
- Permit AppArmor profiles with
cap_sys_rawioto call(u)mount. (#2713, @mhils)
Other (Cleanup or Flake)
- API BREAKING CHANGES: policy field removed from ApparmorProfile CRD, use instead the abstract field which automatically generates the policy before installation. (#2590, @ccojocar)
- Updated kube-rbac-proxy to v0.16.0. (#2551, @saschagrunert)
- Updated runc to v1.1.13. (#2311, @saschagrunert)
Dependencies
Added
- cel.dev/expr: v0.19.1
- chainguard.dev/sdk: v0.1.23
- cloud.google.com/go/auth/oauth2adapt: v0.2.6
- cloud.google.com/go/auth: v0.13.0
- cloud.google.com/go/translate: v1.10.3
- github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider: v0.14.0
- github.com/DataDog/go-libddwaf/v3: v3.3.0
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.25.0
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric: v0.48.1
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping: v0.48.1
- github.com/antihax/optional: v1.0.0
- github.com/antlr4-go/antlr/v4: v4.13.1
- github.com/avast/retry-go/v4: v4.6.0
- github.com/aws/aws-sdk-go-v2/service/route53: v1.44.0
- github.com/chainguard-dev/slogctx: v1.2.2
- github.com/checkpoint-restore/go-criu/v6: v6.3.0
- github.com/containerd/errdefs/pkg: v0.3.0
- github.com/containerd/platforms: v0.2.1
- github.com/containerd/typeurl/v2: v2.2.3
- github.com/coreos/go-oidc: v2.2.1+incompatible
- github.com/go-http-utils/headers: fed159e
- github.com/go-piv/piv-go/v2: v2.3.0
- github.com/hairyhenderson/go-which: v0.2.0
- github.com/hashicorp/golang-lru/v2: v2.0.7
- github.com/in-toto/attestation: v1.1.0
- github.com/moby/sys/capability: v0.4.0
- github.com/moby/sys/userns: v0.1.0
- github.com/planetscale/vtprotobuf: 0393e58
- github.com/pquerna/cachecontrol: v0.1.0
- github.com/rogpeppe/fastuuid: v1.2.0
- github.com/sigstore/sigstore-go: v0.6.1
- github.com/skeema/knownhosts: v1.3.0
- github.com/smallstep/pkcs7: v0.1.1
- github.com/theupdateframework/go-tuf/v2: v2.0.1
- github.com/tink-crypto/tink-go-awskms/v2: [v2.1.0](https://github.com/tin...
Contributors
ccojocar, saschagrunert, and 2 other contributors
Assets 12
v0.8.4
Release notes
Welcome to our glorious v0.8.4 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.4/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.4
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Added a
spoc convertcommand to transform security profile YAML definitions to their raw representation. (#2201, @mhils) spoc mergenow combines AppArmor profiles with glob patterns in the first profile. (#2239, @mhils)spoc mergenow has a--checkflag to ensure that a profile is a superset of other profiles. (#2240, @mhils)spoccan now record Seccomp and AppArmor profiles simultaneously.
The AppArmor recorder is now significantly more robust (#2260, @mhils)
Documentation
- Updated dead documentation link on how to constrain the spod to specific nodes. (#2266, @saschagrunert)
Bug or Regression
- Fix
spoc recordto work with >15 character executable names. Make AppArmor profile generation more robust. (#2241, @mhils) - Fix dynamic clusters encounter finalizer mismatch when nodes are added and removed too quickly. (#2145, @jlowe64)
Dependencies
Added
- github.com/DataDog/go-libddwaf/v2: v2.2.3
- github.com/checkpoint-restore/checkpointctl: v1.1.0
- github.com/checkpoint-restore/go-criu/v7: v7.1.0
- github.com/go-jose/go-jose/v4: v4.0.1
- github.com/go-task/slim-sprig/v3: v3.0.0
- github.com/google/go-configfs-tsm: v0.2.2
- github.com/moby/docker-image-spec: v1.3.1
Changed
- bitbucket.org/creachadair/shell: v0.0.7 β v0.0.8
- chainguard.dev/go-grpc-kit: v0.17.1 β v0.17.2
- cloud.google.com/go/compute: v1.24.0 β v1.25.1
- cloud.google.com/go/iam: v1.1.5 β v1.1.6
- cloud.google.com/go/kms: v1.15.5 β v1.15.8
- cloud.google.com/go/longrunning: v0.5.4 β v0.5.5
- cloud.google.com/go/monitoring: v1.16.1 β v1.17.0
- cloud.google.com/go/pubsub: v1.33.0 β v1.37.0
- cloud.google.com/go/security: v1.15.4 β v1.15.6
- cloud.google.com/go/storage: v1.35.1 β v1.39.1
- cloud.google.com/go/trace: v1.10.2 β v1.10.4
- cloud.google.com/go: v0.112.0 β v0.112.1
- github.com/AdamKorcz/go-fuzz-headers-1: e936619 β 8b5d3ce
- github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.9.1 β v1.10.0
- github.com/Azure/azure-sdk-for-go/sdk/internal: v1.5.1 β v1.5.2
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: v1.0.1 β v1.1.0
- github.com/Azure/azure-sdk-for-go/sdk/storage/azblob: v1.2.0 β v1.2.1
- github.com/AzureAD/microsoft-authentication-library-for-go: v1.2.1 β v1.2.2
- github.com/DATA-DOG/go-sqlmock: v1.5.0 β v1.5.2
- github.com/DataDog/appsec-internal-go: v1.0.0 β v1.4.0
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state: 2549ba9 β v0.48.1
- github.com/DataDog/datadog-go/v5: v5.3.0 β v5.4.0
- github.com/DrJosh9000/zzglob: v0.0.17 β v0.1.0
- github.com/Microsoft/go-winio: v0.6.1 β v0.6.2
- github.com/Microsoft/hcsshim: v0.12.0-rc.3 β v0.12.3
- github.com/aquasecurity/libbpfgo: 1.3 β 1.4
- github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: v1.4.13 β v1.6.1
- github.com/aws/aws-sdk-go-v2/config: v1.26.6 β v1.27.9
- github.com/aws/aws-sdk-go-v2/credentials: v1.16.16 β v1.17.9
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.14.11 β v1.16.0
- github.com/aws/aws-sdk-go-v2/feature/s3/manager: v1.11.76 β v1.16.9
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.2.10 β v1.3.4
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.5.10 β v2.6.4
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.7.3 β v1.8.0
- github.com/aws/aws-sdk-go-v2/internal/v4a: v1.1.4 β v1.3.3
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.10.4 β v1.11.1
- github.com/aws/aws-sdk-go-v2/service/internal/checksum: v1.1.36 β v1.3.5
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.10.10 β v1.11.6
- github.com/aws/aws-sdk-go-v2/service/internal/s3shared: v1.15.4 β v1.17.3
- github.com/aws/aws-sdk-go-v2/service/kms: v1.27.9 β v1.30.0
- github.com/aws/aws-sdk-go-v2/service/s3: v1.40.0 β v1.51.4
- github.com/aws/aws-sdk-go-v2/service/sso: v1.18.7 β v1.20.3
- github.com/aws/aws-sdk-go-v2/service/ssooidc: [v1.21.7 β v1.23.3](https://git...
Contributors
saschagrunert, mhils, and jlowe64
Assets 14
v0.8.3
Release notes
Welcome to our glorious v0.8.3 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.3/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.3
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Add a new
--no-startflag that allows spoc to record profiles without driving the process execution. (#2161, @mhils) - Added a
spoc mergecommand to merge multiple security profiles from the command line. (#2136, @mhils) - Added initial support for merging AppArmor profiles with
spoc merge. (#2140, @mhils) - Adds functionality to the profile binding functionality to establish a default seccomp/selinux profile for a given namespace.
Specific image bindings have priority over the default profiles allowing more tailored profiles for specific images while allowing customization of a default profile applied to all pods without having to specify specific images strings. (#1869, @CoreyCook8) - The
spoccli tool now featuresapparmorandraw-apparmortypes to generate CRDs and raw apparmor profiles. (#1917, @0xmilkmix)
Bug or Regression
- Fixed issue with crashing SPOD daemon by allowing
clock_gettimesyscall. (#2121, @CoreyCook8) - Fixed reporting of status and the policy usage string for RawSelinuxProfile CRs (#1496, @jhrozek)
- Make the field disabling profiles after recording optional (#2033, @yuumasato)
Dependencies
Added
- cuelabs.dev/go/oci/ociregistry: 93e78c0
- github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns: v1.2.0
- github.com/Venafi/vcert/v5: v5.3.0
- github.com/containerd/errdefs: v0.1.0
- github.com/moby/sys/user: v0.1.0
- github.com/sosodev/duration: v1.2.0
- golang.org/x/telemetry: b75ee88
Changed
- cloud.google.com/go/compute: v1.23.3 β v1.24.0
- cloud.google.com/go/firestore: v1.13.0 β v1.14.0
- cloud.google.com/go/longrunning: v0.5.1 β v0.5.4
- cloud.google.com/go/security: v1.15.1 β v1.15.4
- cloud.google.com/go/storage: v1.33.0 β v1.35.1
- cloud.google.com/go: v0.110.10 β v0.112.0
- cuelang.org/go: v0.6.0 β v0.7.0
- filippo.io/edwards25519: v1.0.0 β v1.1.0
- github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.9.0 β v1.9.1
- github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.4.0 β v1.5.1
- github.com/Azure/azure-sdk-for-go/sdk/internal: v1.5.0 β v1.5.1
- github.com/AzureAD/microsoft-authentication-library-for-go: v1.2.0 β v1.2.1
- github.com/Microsoft/hcsshim: v0.12.0-rc.1 β v0.12.0-rc.3
- github.com/alecthomas/kingpin/v2: v2.3.2 β v2.4.0
- github.com/aws/aws-sdk-go-v2/config: v1.25.11 β v1.26.6
- github.com/aws/aws-sdk-go-v2/credentials: v1.16.9 β v1.16.16
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.14.9 β v1.14.11
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.2.8 β v1.2.10
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.5.8 β v2.5.10
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.7.1 β v1.7.3
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.10.3 β v1.10.4
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.10.8 β v1.10.10
- github.com/aws/aws-sdk-go-v2/service/kms: v1.27.2 β v1.27.9
- github.com/aws/aws-sdk-go-v2/service/sso: v1.18.2 β v1.18.7
- github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.21.2 β v1.21.7
- github.com/aws/aws-sdk-go-v2/service/sts: v1.26.2 β v1.26.7
- github.com/aws/aws-sdk-go-v2: v1.23.5 β v1.24.1
- github.com/aws/aws-sdk-go: v1.48.11 β v1.50.0
- github.com/aws/smithy-go: v1.18.1 β v1.19.0
- github.com/beevik/ntp: v1.3.0 β v1.3.1
- github.com/buildkite/go-pipeline: v0.2.0 β v0.3.2
- github.com/cert-manager/cert-manager: v1.13.3 β v1.14.4
- github.com/cilium/ebpf: v0.7.0 β v0.9.1
- github.com/cloudflare/circl: v1.3.5 β v1.3.7
- github.com/cncf/xds/go: 8bd2eac β 0fa0005
- github.com/containerd/containerd: v1.7.9 β v1.7.13
- github.com/containernetworking/plugins: v1.3.0 β v1.4.0
- github.com/containers/common: v0.57.1 β v0.58.1
- github.com/containers/image/v5: v5.29.0 β v5.30.0
- github.com/containers/storage: v1.51.0 β v1.53.0
- github.com/coreos/go-oidc/v3: v3.7.0 β v3.9.0
- github.com/cyberphone/json-canonicalization: 785e297 β ba74d44
- github.com/danieljoos/wincred: v1.2.0 β v1.2.1
- github.com/digitalocean/godo: [v1.102.1 β v1.107.0](https://github.com/digital...
Contributors
jhrozek, mhils, and 3 other contributors
Assets 14
v0.8.2
Release notes
Welcome to our glorious v0.8.2 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.2/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.2
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Failing Test
- Fixed upgrade issue introduced in v0.8.1. (#2023, @yuumasato)
Dependencies
Added
- github.com/DATA-DOG/go-sqlmock: v1.5.0
- github.com/Khan/genqlient: v0.6.0
- github.com/alexflint/go-arg: v1.4.2
- github.com/alexflint/go-scalar: v1.0.0
- github.com/aws/aws-sdk-go-v2/feature/s3/manager: v1.11.76
- github.com/buildkite/go-pipeline: v0.2.0
Changed
- cloud.google.com/go/compute: v1.23.2 β v1.23.3
- cloud.google.com/go/iam: v1.1.4 β v1.1.5
- cloud.google.com/go/kms: v1.15.4 β v1.15.5
- cloud.google.com/go: v0.110.9 β v0.110.10
- github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.8.0 β v1.9.0
- github.com/Azure/azure-sdk-for-go/sdk/internal: v1.4.0 β v1.5.0
- github.com/DataDog/datadog-agent/pkg/obfuscate: v0.48.1 β v0.48.0
- github.com/DataDog/datadog-agent/pkg/remoteconfig/state: v0.48.1 β 2549ba9
- github.com/DataDog/sketches-go: v1.4.3 β v1.4.2
- github.com/andybalholm/brotli: v1.0.6 β v1.0.1
- github.com/aws/aws-sdk-go-v2/config: v1.19.1 β v1.25.11
- github.com/aws/aws-sdk-go-v2/credentials: v1.13.43 β v1.16.9
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.13.13 β v1.14.9
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.1.43 β v1.2.8
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.4.37 β v2.5.8
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.3.45 β v1.7.1
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.9.14 β v1.10.3
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.9.37 β v1.10.8
- github.com/aws/aws-sdk-go-v2/service/kms: v1.24.7 β v1.27.2
- github.com/aws/aws-sdk-go-v2/service/sso: v1.15.2 β v1.18.2
- github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.17.3 β v1.21.2
- github.com/aws/aws-sdk-go-v2/service/sts: v1.23.2 β v1.26.2
- github.com/aws/aws-sdk-go-v2: v1.21.2 β v1.23.5
- github.com/aws/aws-sdk-go: v1.47.0 β v1.48.11
- github.com/aws/smithy-go: v1.15.0 β v1.18.1
- github.com/buildkite/agent/v3: v3.58.0 β v3.59.0
- github.com/buildkite/bintest/v3: v3.1.1 β v3.2.0
- github.com/cert-manager/cert-manager: v1.13.2 β v1.13.3
- github.com/containers/common: v0.57.0 β v0.57.1
- github.com/ebitengine/purego: v0.5.0 β v0.5.0-alpha.1
- github.com/felixge/httpsnoop: v1.0.3 β v1.0.4
- github.com/gabriel-vasile/mimetype: v1.4.3 β v1.4.2
- github.com/go-openapi/spec: v0.20.9 β v0.20.11
- github.com/go-openapi/strfmt: v0.21.7 β v0.21.8
- github.com/go-openapi/validate: v0.22.1 β v0.22.3
- github.com/go-rod/rod: v0.114.4 β v0.114.5
- github.com/google/go-tpm-tools: v0.4.1 β v0.4.2
- github.com/gorilla/mux: v1.8.0 β v1.8.1
- github.com/hashicorp/go-retryablehttp: v0.7.4 β v0.7.5
- github.com/jellydator/ttlcache/v3: v3.1.0 β v3.1.1
- github.com/montanaflynn/stats: v0.6.6 β 1bf9dbc
- github.com/open-policy-agent/opa: v0.58.0 β v0.59.0
- github.com/pierrec/lz4/v4: v4.1.18 β v4.1.2
- github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.69.1 β v0.70.0
- github.com/sigstore/cosign/v2: v2.2.1 β v2.2.2
- github.com/sigstore/rekor: v1.3.3 β v1.3.4
- github.com/sigstore/sigstore/pkg/signature/kms/aws: v1.7.5 β v1.7.6
- github.com/sigstore/sigstore/pkg/signature/kms/azure: v1.7.5 β v1.7.6
- github.com/sigstore/sigstore/pkg/signature/kms/gcp: v1.7.5 β v1.7.6
- github.com/sigstore/sigstore/pkg/signature/kms/hashivault: v1.7.5 β v1.7.6
- github.com/sigstore/sigsto...
Contributors
yuumasato
Assets 14
v0.8.1
Release notes
Welcome to our glorious v0.8.1 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.1/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.1
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
API Change
- The
ProfileRecorderCR gets a new attribute disableProfileAfterRecording that can be used to avoid installing profiles after recording. (#1712, @jhrozek)
Feature
- Added support for platforms (
os[/arch][/variant][:os_version]) when using seccomp OCI artifact profiles. (#1658, @saschagrunert) - Added an env variable to the Make file so we can use it to pass extra build arguments to enable features like FIPS. (#1945, @Vincent056)
- Added
disableOciArtifactSignatureVerificationoption to spod config to be able to disable signature verification for OCI artifact profiles. (#1804, @saschagrunert)
Bug or Regression
- Fixed #1769 (#1770, @CoreyCook8)
ChangederrnoRetvalue in the seccomp types definition to be the right type of uint. - Fixed bug on daemon rollout when SPOD config
HostProcVolumePathis unset. (#1647, @saschagrunert) - Fixed SELinux policy constantly being processed. (#1843, @novaesis)
- Fixed spod being stuck in
UPDATINGstate because the webhook thinks it's requiring an update. (#1985, @saschagrunert) - Fixed an issue when we create a raw SELinux profile that inherits another SELinux profile. (#1904, @Vincent056)
- Fixed an issue when we create a raw SELinux profile, we are not able to recognize the owner of the
NodeStatusif aRawSelinuxProfileis being created. (#1889, @Vincent056) - Fixed missing nodestatus issues on some nodes when we have a crashed pod. (#1928, @Vincent056)
- In conjunction to PR#1904, this pr is also needed in order to fix the SELinux profile inherit issue for OCPBUGS-17164, do not add inherit system container line when we have selinuxprofile inherit. (#1919, @Vincent056)
- Support docker-in-docker for looking up the container ID in the ebpf based recorder (#1648, @slashben)
- Updated kube-rbac-proxy to v0.15.0.
- Disable kube-rbac-proxy HTTP/2 support (#1940, @yuumasato)
- Fixed file descriptor memory leak (#1879, @CoreyCook8)
Other (Cleanup or Flake)
- Added an e2e test for apparmor profile which covers base functionality such as loading and unloading profiles into the cluster nodes. (#1684, @ccojocar)
- Updated controller-runtime (#1700, @saschagrunert)
- Updated cert-manager (#1709, @saschagrunert)
- Updated libbpf (#1670, @saschagrunert)
- Updated project to require golang 1.21. (#1854, @saschagrunert)
- Updated runc and crun base profiles to their latest release. (#1650, @saschagrunert)
Contributors
ccojocar, saschagrunert, and 6 other contributors
Assets 14
v0.8.0
Release notes
Welcome to our glorious v0.8.0 release of the security-profiles-operator! The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.0/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify \
--certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
--certificate-oidc-issuer https://accounts.google.com \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.0
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:
$ cosign verify-blob \
--certificate-identity sgrunert@redhat.com \
--certificate-oidc-issuer https://github.com/login/oauth \
--certificate spoc.amd64.cert \
--signature spoc.amd64.sig \
spoc.amd64
To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:
> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
| FILENAME | VALID | MESSAGE | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64 | OK | File validated successfully | - |
| spoc.amd64.cert | OK | File validated successfully | - |
| spoc.amd64.sha512 | OK | File validated successfully | - |
| spoc.amd64.sig | OK | File validated successfully | - |
| spoc.arm64 | OK | File validated successfully | - |
| spoc.arm64.cert | OK | File validated successfully | - |
| spoc.arm64.sha512 | OK | File validated successfully | - |
| spoc.arm64.sig | OK | File validated successfully | - |
| zeitgeist | OK | File validated successfully | - |
+-------------------+-------+-----------------------------+----------------+
The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Feature
- Added OCI seccomp base profile support if the
baseProfileNameif prefixed withoci://. (#1560, @saschagrunert) - SPO now auto selects the appropriate selinuxd image based on mapping in the security-profiles-operator-profile. If none of the entries match, SPO falls back to the image provided by
RELATED_IMAGE_SELINUXD. (#1600, @jhrozek)
Bug or Regression
- Fixed overriding args and error return values when merging profiles. (#1587, @saschagrunert)
Other (Cleanup or Flake)
- Updated crun v1.8.3 and runc v1.1.5 base profiles. (#1586, @saschagrunert)
Contributors
saschagrunert and jhrozek
Assets 14
v0.7.1
Release notes
Welcome to our glorious v0.7.1 release of the security-profiles-operator! This is a small patch release as follow-up on v0.7.0. The general usage and setup can be found in our documentation. π₯³ π―
To install the operator, run:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.7.1/deploy/operator.yaml
You can also verify the container image signature by using cosign:
$ cosign verify --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' \
registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.7.1
Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.
Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.
Changes by Kind
Bug or Regression
- Fixed a bug that prevents helm install to work when installing on a cluster where the namespace already exists. (#1568, @tuxerrante)
Dependencies
Added
Nothing has changed.
Changed
- github.com/containers/common: v0.51.0 β v0.51.1
- google.golang.org/grpc: v1.53.0 β v1.54.0
Removed
Nothing has changed.
Contributors
tuxerrante