21 Aug 11:53

v0.10.0

3f8de1e

v0.10.0 Latest

Latest

Welcome to our glorious v0.10.0 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.10.0/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.10.0

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

Add BPF-based log enricher (#2908, @mhils)
Adds an option (--audit-log-interval-seconds) to set the audit log interval for the JSON Log Enricher (#2867, @ngopalak-redhat)
Add In-Pod Activity Log recorder in audit JSON lines format (#2835, @ngopalak-redhat)
Add Request UID to JSON log enricher to correlate container and API Server Audit log (#2878, @ngopalak-redhat)
Add file system support for JSON Log Enricher Audit logging (#2871, @ngopalak-redhat)
Adds eBPF support to json audit log enricher (#2929, @ngopalak-redhat)
Adds support for kubectl node debugging for JSON Log enricher (#2907, @ngopalak-redhat)
Introduced log filtering capabilities for enrichers, configurable via SPOD, enabling filtering of audit JSON and log-enricher output based on custom rules. (#2909, @ngopalak-redhat)
Support for TLS 1.3 in SPO webhooks (#2954, @ngopalak-redhat)

Bug or Regression

Applies the changes to Seccomp and Apparmor profiles only whent here are effective changes in the CRs. (#2826, @ccojocar)

Other (Cleanup or Flake)

Removed support for in-memory btf because most kernels should now expose /sys/kernel/btf/vmlinux (#2969, @saschagrunert)
Switch to beta maturity with respect to community operators (operator hub). (#2818, @saschagrunert)

Dependencies

Added

github.com/DataDog/datadog-agent/comp/core/tagger/origindetection: v0.64.2
github.com/DataDog/datadog-agent/pkg/version: v0.64.2
github.com/DataDog/dd-trace-go/v2: v2.0.0
github.com/Masterminds/goutils: v1.1.1
github.com/Masterminds/sprig/v3: v3.3.0
github.com/cenkalti/backoff/v5: v5.0.2
github.com/cheggaaa/pb/v3: v3.1.6
github.com/containerd/containerd/v2: v2.1.1
github.com/google/go-github/v72: v72.0.0
github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus: v1.0.1
github.com/grpc-ecosystem/go-grpc-middleware/v2: v2.1.0
github.com/huandu/xstrings: v1.5.0
github.com/keybase/go-keychain: v0.0.1
github.com/mitchellh/copystructure: v1.2.0
github.com/mitchellh/reflectwalk: v1.0.2
github.com/moby/sys/atomicwriter: v0.1.0
github.com/olekukonko/errors: v1.1.0
github.com/olekukonko/ll: v0.0.9
github.com/olekukonko/ts: 78ecb04
github.com/opencontainers/cgroups: v0.0.4
github.com/puzpuzpuz/xsync/v3: v3.5.1
github.com/shirou/gopsutil/v4: v4.25.3
github.com/shopspring/decimal: v1.4.0
github.com/sigstore/rekor-tiles: v0.1.5
github.com/tink-crypto/tink-go-hcvault/v2: v2.3.0
go.etcd.io/gofail: v0.2.0
go.etcd.io/raft/v3: v3.6.0
go.yaml.in/yaml/v2: v2.4.2
go.yaml.in/yaml/v3: v3.0.3
goa.design/goa/v3: v3.20.1
golang.org/x/tools/go/expect: v0.1.0-deprecated
golang.org/x/tools/go/packages/packagestest: v0.1.1-deprecated
gonum.org/v1/gonum: v0.16.0
sigs.k8s.io/randfill: v1.0.0

Changed

cel.dev/expr: v0.19.1 → v0.24.0
chainguard.dev/go-grpc-kit: v0.17.7 → v0.17.10
chainguard.dev/sdk: v0.1.29 → v0.1.32
cloud.google.com/go/auth/oauth2adapt: v0.2.7 → v0.2.8
cloud.google.com/go/auth: v0.15.0 → v0.16.2
cloud.google.com/go/compute/metadata: v0.6.0 → v0.7.0
cloud.google.com/go/iam: v1.4.1 → v1.5.2
cloud.google.com/go/kms: v1.21.1 → v1.22.0
cloud.google.com/go/longrunning: v0.6.5 → v0.6.7
cloud.google.com/go/monitoring: v1.21.2 → v1.24.0
cloud.google.com/go/pubsub: v1.45.3 → v1.47.0
cloud.google.com/go/security: v1.18.4 → v1.18.5
cloud.google.com/go/storage: v1.49.0 → v1.50.0
cloud.google.com/go/trace: v1.11.2 → v1.11.3
cloud.google.com/go: v0.118.3 → v0.121.1
dario.cat/mergo: v1.0.1 → v1.0.2
github.com/AdaLogics/go-fuzz-headers: ced1acd → e8a1dd7
github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.17.1 → v1.18.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.8.2 → v1.10.1
github.com/Azure/azure-sdk-for-go/sdk/internal: v1.10.0 → v1.11.1
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob: v1.6.0 → v1.6.1
github.com/AzureAD/microsoft-authentication-library-for-go: v1.3.3 → v1.4.2
github.com/BurntSushi/toml: v1.4.0 → v1.5.0
github.com/DataDog/appsec-internal-go: v1.9.0 → v1.11.2
github.com/DataDog/datadog-agent/pkg/obfuscate: v0.58.0 → v0.64.2
github.com/DataDog/datadog-agent/pkg/proto: v0.58.0 → v0.64.2
github.com/DataDog/datadog-agent/pkg/remoteconfig/state: v0.58.0 → v0.64.2
github.com/DataDog/datadog-agent/pkg/trace: v0.58.0 → v0.64.2
github.com/DataDog/datadog-agent/pkg/util/log: v0.58.0 → v0.64.2
github.com/DataDog/datadog-agent/pkg/util/scrubber: [v0.58.0 → v0.64.2...

Contributors

ccojocar, saschagrunert, and 2 other contributors

Assets 11

09 Apr 12:53

saschagrunert

v0.9.1

f463f98

v0.9.1

Welcome to our glorious v0.9.1 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.9.1/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.9.1

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

Enabled the Security Profiles Operator for ppc64le architecture with support for seccomp and SELinux profile management. (#2589, @pranitaT)
Users can turn off the controllers by explicitly setting the flags to false. (#2796, @jindijamie)

Dependencies

Added

drjosh.dev/zzglob: v0.4.0
github.com/DataDog/datadog-agent/pkg/proto: v0.58.0
github.com/DataDog/datadog-agent/pkg/trace: v0.58.0
github.com/DataDog/datadog-agent/pkg/util/log: v0.58.0
github.com/DataDog/datadog-agent/pkg/util/scrubber: v0.58.0
github.com/DataDog/go-runtime-metrics-internal: a14610d
github.com/DataDog/go-sqllexer: v0.0.14
github.com/DataDog/opentelemetry-mapping-go/pkg/otlp/attributes: v0.20.0
github.com/bmatcuk/doublestar/v4: v4.6.1
github.com/chainguard-dev/clog: v1.5.1
github.com/cihub/seelog: f561c5e
github.com/dgraph-io/badger/v4: v4.5.1
github.com/dgraph-io/ristretto/v2: v2.1.0
github.com/eapache/queue/v2: 75960ed
github.com/envoyproxy/go-control-plane/envoy: v1.32.4
github.com/envoyproxy/go-control-plane/ratelimit: v0.1.0
github.com/go-ole/go-ole: v1.2.6
github.com/go-viper/mapstructure/v2: v2.2.1
github.com/jackc/pgerrcode: 6e2875d
github.com/jackc/pgpassfile: v1.0.0
github.com/jackc/pgservicefile: 5a60cdf
github.com/jackc/pgx/v5: v5.7.2
github.com/jackc/puddle/v2: v2.2.2
github.com/lufia/plan9stats: 115f729
github.com/power-devops/perfstat: c35f1ee
github.com/santhosh-tekuri/jsonschema/v5: v5.3.1
github.com/shirou/gopsutil/v3: v3.24.4
github.com/shoenig/go-m1cpu: v0.1.6
github.com/tklauser/go-sysconf: v0.3.12
github.com/tklauser/numcpus: v0.6.1
github.com/yusufpapurcu/wmi: v1.2.4
gitlab.com/gitlab-org/api/client-go: v0.127.0
go.opentelemetry.io/collector/component: v0.104.0
go.opentelemetry.io/collector/config/configtelemetry: v0.104.0
go.opentelemetry.io/collector/pdata/pprofile: v0.104.0
go.opentelemetry.io/collector/pdata: v1.11.0
go.opentelemetry.io/collector/semconv: v0.104.0

Changed

chainguard.dev/go-grpc-kit: v0.17.5 → v0.17.7
chainguard.dev/sdk: v0.1.23 → v0.1.29
cloud.google.com/go/auth/oauth2adapt: v0.2.6 → v0.2.7
cloud.google.com/go/auth: v0.13.0 → v0.15.0
cloud.google.com/go/iam: v1.2.2 → v1.4.1
cloud.google.com/go/kms: v1.20.4 → v1.21.1
cloud.google.com/go/longrunning: v0.6.2 → v0.6.5
cloud.google.com/go/security: v1.18.0 → v1.18.4
cloud.google.com/go/storage: v1.45.0 → v1.49.0
cloud.google.com/go/trace: v1.10.5 → v1.11.2
cloud.google.com/go: v0.116.0 → v0.118.3
cuelabs.dev/go/oci/ociregistry: a39bec0 → 2c00c10
cuelang.org/go: v0.9.2 → v0.12.1
github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.16.0 → v1.17.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.8.0 → v1.8.2
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: v1.3.0 → v1.3.1
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal: v1.1.0 → v1.1.1
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob: v1.4.0 → v1.6.0
github.com/AzureAD/microsoft-authentication-library-for-go: v1.3.1 → v1.3.3
github.com/DataDog/appsec-internal-go: v1.7.0 → v1.9.0
github.com/DataDog/datadog-agent/pkg/obfuscate: v0.48.0 → v0.58.0
github.com/DataDog/datadog-agent/pkg/remoteconfig/state: v0.48.1 → v0.58.0
github.com/DataDog/datadog-go/v5: v5.5.0 → v5.6.0
github.com/DataDog/go-libddwaf/v3: v3.3.0 → v3.5.1
github.com/DataDog/go-tuf: v1.0.2-0.5.2 → v1.1.0-0.5.2
github.com/Khan/genqlient: v0.7.0 → v0.8.0
github.com/agnivade/levenshtein: v1.1.1 → v1.2.0
github.com/avast/retry-go/v4: v4.6.0 → v4.6.1
github.com/aws/aws-sdk-go-v2/config: v1.28.7 → v1.29.10
github.com/aws/aws-sdk-go-v2/credentials: v1.17.48 → v1.17.63
github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.16.22 → v1.16.30
github.com/aws/a...

Contributors

jindijamie and pranitaT

Assets 21

25 Feb 15:05

saschagrunert

v0.9.0

184a7ca

v0.9.0

Welcome to our glorious v0.9.0 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.9.0/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.9.0

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

Add spoc install and spoc uninstall commands to quickly install profiles on the local machine for testing. (#2711, @mhils)
Add more metrics for AppArmor profile. (#2686, @ccojocar)
Add the complainMode flag into the ApparmorProfile CRD which allows to switch the apparmor profile into complain mode. (#2598, @ccojocar)
Add the eBPF based AppArmor profile recorder into the API. (#2296, @ccojocar)
AppArmor profiles can now have either an abstract or a concrete policy. (#2469, @mhils)
BPF recorder: Detect mkdir syscalls for profile creation (#2663, @mhils)
BPF recorder: Detect mknod syscalls for profile creation (#2668, @mhils)
BPF recorder: Detect unlink syscalls for profile creation (#2667, @mhils)
Change the scope of security profiles CRDs to be cluster wide. (#2735, @ccojocar)
Harden the bpf-recorder container with a custom seccomp profile. (#2626, @ccojocar)
Harden the security-profiles-operator and bpf-recorder containers with custom apparmor profiles when apparmor is enabled. (#2646, @ccojocar)
Make selinuxd images configurable in Helm chart (#2299, @mikroskeem)
Make the AppArmor recorder support readdir (#2555, @mhils)
Removed kube-rbac-proxy dependency in favor of the native controller-runtime feature. (#2595, @saschagrunert)
Spoc now correctly tracks child processes that clone(). (#2644, @mhils)
The AppArmor recorder is now better at detecting randomness in file paths and replacing it with placeholders. (#2702, @mhils)
The BPF profile recorder now excludes unnecessary permissions exercised during container init. (#2623, @mhils)
spoc record now drops privileges when spawning the process it observes. (#2412, @mhils)

Documentation

Added information that SELinux can be enabled/disabled in installation-usage.md. (#2298, @saschagrunert)
Fixed enableAppArmor boolean in installation-usage.md. (#2322, @saschagrunert)
Fixed enableAppArmor variable in installation-usage.md. (#2297, @saschagrunert)
Restructure and update the documentation, extend sections for apparmor and selinux recording and installation. (#2605, @ccojocar)

Bug or Regression

AppArmor profiles recorded by spoc now include the abstract profile only, which ensures that the raw profile does not diverge. (#2428, @mhils)
Cleanup unnecessary files from a recorded apparmor profile. (#2587, @ccojocar)
Fix AppArmor recording for workloads that use anonymous hugepages. (#2421, @mhils)
Fix a bug where AppArmor profiles with a name containing / or . weren't deleted properly. (#2710, @mhils)
Fix a bug where AppArmor profiles would contain the same path more than once. (#2377, @mhils)
Fix a bug where incorrect AppArmor profiles were generated for mkdir(). (#2712, @mhils)
Fix a bug where recorded AppArmor profiles would prevent executables from spawning. (#2554, @mhils)
Fix a bug where spoc would generate empty AppArmor profiles on systems without BPF LSM enabled. (#2385, @mhils)
Fix the daemon container security context to keep the local seccomp profile. (#2612, @ccojocar)
It replaces the variance such as task ID and container ID from files paths recorded in apparmor profile. (#2357, @ccojocar)
Permit AppArmor profiles with cap_sys_rawio to call (u)mount. (#2713, @mhils)

Other (Cleanup or Flake)

API BREAKING CHANGES: policy field removed from ApparmorProfile CRD, use instead the abstract field which automatically generates the policy before installation. (#2590, @ccojocar)
Updated kube-rbac-proxy to v0.16.0. (#2551, @saschagrunert)
Updated runc to v1.1.13. (#2311, @saschagrunert)

Dependencies

Added

cel.dev/expr: v0.19.1
chainguard.dev/sdk: v0.1.23
cloud.google.com/go/auth/oauth2adapt: v0.2.6
cloud.google.com/go/auth: v0.13.0
cloud.google.com/go/translate: v1.10.3
github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider: v0.14.0
github.com/DataDog/go-libddwaf/v3: v3.3.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.25.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric: v0.48.1
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping: v0.48.1
github.com/antihax/optional: v1.0.0
github.com/antlr4-go/antlr/v4: v4.13.1
github.com/avast/retry-go/v4: v4.6.0
github.com/aws/aws-sdk-go-v2/service/route53: v1.44.0
github.com/chainguard-dev/slogctx: v1.2.2
github.com/checkpoint-restore/go-criu/v6: v6.3.0
github.com/containerd/errdefs/pkg: v0.3.0
github.com/containerd/platforms: v0.2.1
github.com/containerd/typeurl/v2: v2.2.3
github.com/coreos/go-oidc: v2.2.1+incompatible
github.com/go-http-utils/headers: fed159e
github.com/go-piv/piv-go/v2: v2.3.0
github.com/hairyhenderson/go-which: v0.2.0
github.com/hashicorp/golang-lru/v2: v2.0.7
github.com/in-toto/attestation: v1.1.0
github.com/moby/sys/capability: v0.4.0
github.com/moby/sys/userns: v0.1.0
github.com/planetscale/vtprotobuf: 0393e58
github.com/pquerna/cachecontrol: v0.1.0
github.com/rogpeppe/fastuuid: v1.2.0
github.com/sigstore/sigstore-go: v0.6.1
github.com/skeema/knownhosts: v1.3.0
github.com/smallstep/pkcs7: v0.1.1
github.com/theupdateframework/go-tuf/v2: v2.0.1
github.com/tink-crypto/tink-go-awskms/v2: [v2.1.0](https://github.com/tin...

Contributors

ccojocar, saschagrunert, and 2 other contributors

Assets 12

04 Jun 10:03

saschagrunert

v0.8.4

4c0611e

v0.8.4

Release notes

Welcome to our glorious v0.8.4 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.4/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.4

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

Added a spoc convert command to transform security profile YAML definitions to their raw representation. (#2201, @mhils)
spoc merge now combines AppArmor profiles with glob patterns in the first profile. (#2239, @mhils)
spoc merge now has a --check flag to ensure that a profile is a superset of other profiles. (#2240, @mhils)
spoc can now record Seccomp and AppArmor profiles simultaneously.
The AppArmor recorder is now significantly more robust (#2260, @mhils)

Documentation

Updated dead documentation link on how to constrain the spod to specific nodes. (#2266, @saschagrunert)

Bug or Regression

Fix spoc record to work with >15 character executable names. Make AppArmor profile generation more robust. (#2241, @mhils)
Fix dynamic clusters encounter finalizer mismatch when nodes are added and removed too quickly. (#2145, @jlowe64)

Dependencies

Added

github.com/DataDog/go-libddwaf/v2: v2.2.3
github.com/checkpoint-restore/checkpointctl: v1.1.0
github.com/checkpoint-restore/go-criu/v7: v7.1.0
github.com/go-jose/go-jose/v4: v4.0.1
github.com/go-task/slim-sprig/v3: v3.0.0
github.com/google/go-configfs-tsm: v0.2.2
github.com/moby/docker-image-spec: v1.3.1

Changed

bitbucket.org/creachadair/shell: v0.0.7 → v0.0.8
chainguard.dev/go-grpc-kit: v0.17.1 → v0.17.2
cloud.google.com/go/compute: v1.24.0 → v1.25.1
cloud.google.com/go/iam: v1.1.5 → v1.1.6
cloud.google.com/go/kms: v1.15.5 → v1.15.8
cloud.google.com/go/longrunning: v0.5.4 → v0.5.5
cloud.google.com/go/monitoring: v1.16.1 → v1.17.0
cloud.google.com/go/pubsub: v1.33.0 → v1.37.0
cloud.google.com/go/security: v1.15.4 → v1.15.6
cloud.google.com/go/storage: v1.35.1 → v1.39.1
cloud.google.com/go/trace: v1.10.2 → v1.10.4
cloud.google.com/go: v0.112.0 → v0.112.1
github.com/AdamKorcz/go-fuzz-headers-1: e936619 → 8b5d3ce
github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.9.1 → v1.10.0
github.com/Azure/azure-sdk-for-go/sdk/internal: v1.5.1 → v1.5.2
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: v1.0.1 → v1.1.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob: v1.2.0 → v1.2.1
github.com/AzureAD/microsoft-authentication-library-for-go: v1.2.1 → v1.2.2
github.com/DATA-DOG/go-sqlmock: v1.5.0 → v1.5.2
github.com/DataDog/appsec-internal-go: v1.0.0 → v1.4.0
github.com/DataDog/datadog-agent/pkg/remoteconfig/state: 2549ba9 → v0.48.1
github.com/DataDog/datadog-go/v5: v5.3.0 → v5.4.0
github.com/DrJosh9000/zzglob: v0.0.17 → v0.1.0
github.com/Microsoft/go-winio: v0.6.1 → v0.6.2
github.com/Microsoft/hcsshim: v0.12.0-rc.3 → v0.12.3
github.com/aquasecurity/libbpfgo: 1.3 → 1.4
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: v1.4.13 → v1.6.1
github.com/aws/aws-sdk-go-v2/config: v1.26.6 → v1.27.9
github.com/aws/aws-sdk-go-v2/credentials: v1.16.16 → v1.17.9
github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.14.11 → v1.16.0
github.com/aws/aws-sdk-go-v2/feature/s3/manager: v1.11.76 → v1.16.9
github.com/aws/aws-sdk-go-v2/internal/configsources: v1.2.10 → v1.3.4
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.5.10 → v2.6.4
github.com/aws/aws-sdk-go-v2/internal/ini: v1.7.3 → v1.8.0
github.com/aws/aws-sdk-go-v2/internal/v4a: v1.1.4 → v1.3.3
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.10.4 → v1.11.1
github.com/aws/aws-sdk-go-v2/service/internal/checksum: v1.1.36 → v1.3.5
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.10.10 → v1.11.6
github.com/aws/aws-sdk-go-v2/service/internal/s3shared: v1.15.4 → v1.17.3
github.com/aws/aws-sdk-go-v2/service/kms: v1.27.9 → v1.30.0
github.com/aws/aws-sdk-go-v2/service/s3: v1.40.0 → v1.51.4
github.com/aws/aws-sdk-go-v2/service/sso: v1.18.7 → v1.20.3
github.com/aws/aws-sdk-go-v2/service/ssooidc: [v1.21.7 → v1.23.3](https://git...

Contributors

saschagrunert, mhils, and jlowe64

Assets 14

08 Apr 10:56

saschagrunert

v0.8.3

ea2bb9c

v0.8.3

Release notes

Welcome to our glorious v0.8.3 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.3/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.3

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

Add a new --no-start flag that allows spoc to record profiles without driving the process execution. (#2161, @mhils)
Added a spoc merge command to merge multiple security profiles from the command line. (#2136, @mhils)
Added initial support for merging AppArmor profiles with spoc merge. (#2140, @mhils)
Adds functionality to the profile binding functionality to establish a default seccomp/selinux profile for a given namespace.
Specific image bindings have priority over the default profiles allowing more tailored profiles for specific images while allowing customization of a default profile applied to all pods without having to specify specific images strings. (#1869, @CoreyCook8)
The spoc cli tool now features apparmor and raw-apparmor types to generate CRDs and raw apparmor profiles. (#1917, @0xmilkmix)

Bug or Regression

Fixed issue with crashing SPOD daemon by allowing clock_gettime syscall. (#2121, @CoreyCook8)
Fixed reporting of status and the policy usage string for RawSelinuxProfile CRs (#1496, @jhrozek)
Make the field disabling profiles after recording optional (#2033, @yuumasato)

Dependencies

Added

cuelabs.dev/go/oci/ociregistry: 93e78c0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns: v1.2.0
github.com/Venafi/vcert/v5: v5.3.0
github.com/containerd/errdefs: v0.1.0
github.com/moby/sys/user: v0.1.0
github.com/sosodev/duration: v1.2.0
golang.org/x/telemetry: b75ee88

Changed

cloud.google.com/go/compute: v1.23.3 → v1.24.0
cloud.google.com/go/firestore: v1.13.0 → v1.14.0
cloud.google.com/go/longrunning: v0.5.1 → v0.5.4
cloud.google.com/go/security: v1.15.1 → v1.15.4
cloud.google.com/go/storage: v1.33.0 → v1.35.1
cloud.google.com/go: v0.110.10 → v0.112.0
cuelang.org/go: v0.6.0 → v0.7.0
filippo.io/edwards25519: v1.0.0 → v1.1.0
github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.9.0 → v1.9.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.4.0 → v1.5.1
github.com/Azure/azure-sdk-for-go/sdk/internal: v1.5.0 → v1.5.1
github.com/AzureAD/microsoft-authentication-library-for-go: v1.2.0 → v1.2.1
github.com/Microsoft/hcsshim: v0.12.0-rc.1 → v0.12.0-rc.3
github.com/alecthomas/kingpin/v2: v2.3.2 → v2.4.0
github.com/aws/aws-sdk-go-v2/config: v1.25.11 → v1.26.6
github.com/aws/aws-sdk-go-v2/credentials: v1.16.9 → v1.16.16
github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.14.9 → v1.14.11
github.com/aws/aws-sdk-go-v2/internal/configsources: v1.2.8 → v1.2.10
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.5.8 → v2.5.10
github.com/aws/aws-sdk-go-v2/internal/ini: v1.7.1 → v1.7.3
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.10.3 → v1.10.4
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.10.8 → v1.10.10
github.com/aws/aws-sdk-go-v2/service/kms: v1.27.2 → v1.27.9
github.com/aws/aws-sdk-go-v2/service/sso: v1.18.2 → v1.18.7
github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.21.2 → v1.21.7
github.com/aws/aws-sdk-go-v2/service/sts: v1.26.2 → v1.26.7
github.com/aws/aws-sdk-go-v2: v1.23.5 → v1.24.1
github.com/aws/aws-sdk-go: v1.48.11 → v1.50.0
github.com/aws/smithy-go: v1.18.1 → v1.19.0
github.com/beevik/ntp: v1.3.0 → v1.3.1
github.com/buildkite/go-pipeline: v0.2.0 → v0.3.2
github.com/cert-manager/cert-manager: v1.13.3 → v1.14.4
github.com/cilium/ebpf: v0.7.0 → v0.9.1
github.com/cloudflare/circl: v1.3.5 → v1.3.7
github.com/cncf/xds/go: 8bd2eac → 0fa0005
github.com/containerd/containerd: v1.7.9 → v1.7.13
github.com/containernetworking/plugins: v1.3.0 → v1.4.0
github.com/containers/common: v0.57.1 → v0.58.1
github.com/containers/image/v5: v5.29.0 → v5.30.0
github.com/containers/storage: v1.51.0 → v1.53.0
github.com/coreos/go-oidc/v3: v3.7.0 → v3.9.0
github.com/cyberphone/json-canonicalization: 785e297 → ba74d44
github.com/danieljoos/wincred: v1.2.0 → v1.2.1
github.com/digitalocean/godo: [v1.102.1 → v1.107.0](https://github.com/digital...

Contributors

jhrozek, mhils, and 3 other contributors

Assets 14

19 Dec 10:56

saschagrunert

v0.8.2

44dbcbb

v0.8.2

Release notes

Welcome to our glorious v0.8.2 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.2/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.2

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Failing Test

Fixed upgrade issue introduced in v0.8.1. (#2023, @yuumasato)

Dependencies

Added

github.com/DATA-DOG/go-sqlmock: v1.5.0
github.com/Khan/genqlient: v0.6.0
github.com/alexflint/go-arg: v1.4.2
github.com/alexflint/go-scalar: v1.0.0
github.com/aws/aws-sdk-go-v2/feature/s3/manager: v1.11.76
github.com/buildkite/go-pipeline: v0.2.0

Changed

cloud.google.com/go/compute: v1.23.2 → v1.23.3
cloud.google.com/go/iam: v1.1.4 → v1.1.5
cloud.google.com/go/kms: v1.15.4 → v1.15.5
cloud.google.com/go: v0.110.9 → v0.110.10
github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.8.0 → v1.9.0
github.com/Azure/azure-sdk-for-go/sdk/internal: v1.4.0 → v1.5.0
github.com/DataDog/datadog-agent/pkg/obfuscate: v0.48.1 → v0.48.0
github.com/DataDog/datadog-agent/pkg/remoteconfig/state: v0.48.1 → 2549ba9
github.com/DataDog/sketches-go: v1.4.3 → v1.4.2
github.com/andybalholm/brotli: v1.0.6 → v1.0.1
github.com/aws/aws-sdk-go-v2/config: v1.19.1 → v1.25.11
github.com/aws/aws-sdk-go-v2/credentials: v1.13.43 → v1.16.9
github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.13.13 → v1.14.9
github.com/aws/aws-sdk-go-v2/internal/configsources: v1.1.43 → v1.2.8
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.4.37 → v2.5.8
github.com/aws/aws-sdk-go-v2/internal/ini: v1.3.45 → v1.7.1
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.9.14 → v1.10.3
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.9.37 → v1.10.8
github.com/aws/aws-sdk-go-v2/service/kms: v1.24.7 → v1.27.2
github.com/aws/aws-sdk-go-v2/service/sso: v1.15.2 → v1.18.2
github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.17.3 → v1.21.2
github.com/aws/aws-sdk-go-v2/service/sts: v1.23.2 → v1.26.2
github.com/aws/aws-sdk-go-v2: v1.21.2 → v1.23.5
github.com/aws/aws-sdk-go: v1.47.0 → v1.48.11
github.com/aws/smithy-go: v1.15.0 → v1.18.1
github.com/buildkite/agent/v3: v3.58.0 → v3.59.0
github.com/buildkite/bintest/v3: v3.1.1 → v3.2.0
github.com/cert-manager/cert-manager: v1.13.2 → v1.13.3
github.com/containers/common: v0.57.0 → v0.57.1
github.com/ebitengine/purego: v0.5.0 → v0.5.0-alpha.1
github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
github.com/gabriel-vasile/mimetype: v1.4.3 → v1.4.2
github.com/go-openapi/spec: v0.20.9 → v0.20.11
github.com/go-openapi/strfmt: v0.21.7 → v0.21.8
github.com/go-openapi/validate: v0.22.1 → v0.22.3
github.com/go-rod/rod: v0.114.4 → v0.114.5
github.com/google/go-tpm-tools: v0.4.1 → v0.4.2
github.com/gorilla/mux: v1.8.0 → v1.8.1
github.com/hashicorp/go-retryablehttp: v0.7.4 → v0.7.5
github.com/jellydator/ttlcache/v3: v3.1.0 → v3.1.1
github.com/montanaflynn/stats: v0.6.6 → 1bf9dbc
github.com/open-policy-agent/opa: v0.58.0 → v0.59.0
github.com/pierrec/lz4/v4: v4.1.18 → v4.1.2
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.69.1 → v0.70.0
github.com/sigstore/cosign/v2: v2.2.1 → v2.2.2
github.com/sigstore/rekor: v1.3.3 → v1.3.4
github.com/sigstore/sigstore/pkg/signature/kms/aws: v1.7.5 → v1.7.6
github.com/sigstore/sigstore/pkg/signature/kms/azure: v1.7.5 → v1.7.6
github.com/sigstore/sigstore/pkg/signature/kms/gcp: v1.7.5 → v1.7.6
github.com/sigstore/sigstore/pkg/signature/kms/hashivault: v1.7.5 → v1.7.6
github.com/sigstore/sigsto...

Contributors

yuumasato

Assets 14

30 Nov 09:59

saschagrunert

v0.8.1

d42108c

v0.8.1

Release notes

Welcome to our glorious v0.8.1 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.1/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.1

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

The ProfileRecorder CR gets a new attribute disableProfileAfterRecording that can be used to avoid installing profiles after recording. (#1712, @jhrozek)

Feature

Added support for platforms (os[/arch][/variant][:os_version]) when using seccomp OCI artifact profiles. (#1658, @saschagrunert)
Added an env variable to the Make file so we can use it to pass extra build arguments to enable features like FIPS. (#1945, @Vincent056)
Added disableOciArtifactSignatureVerification option to spod config to be able to disable signature verification for OCI artifact profiles. (#1804, @saschagrunert)

Bug or Regression

Fixed #1769 (#1770, @CoreyCook8)
Changed errnoRet value in the seccomp types definition to be the right type of uint.
Fixed bug on daemon rollout when SPOD config HostProcVolumePath is unset. (#1647, @saschagrunert)
Fixed SELinux policy constantly being processed. (#1843, @novaesis)
Fixed spod being stuck in UPDATING state because the webhook thinks it's requiring an update. (#1985, @saschagrunert)
Fixed an issue when we create a raw SELinux profile that inherits another SELinux profile. (#1904, @Vincent056)
Fixed an issue when we create a raw SELinux profile, we are not able to recognize the owner of the NodeStatus if a RawSelinuxProfile is being created. (#1889, @Vincent056)
Fixed missing nodestatus issues on some nodes when we have a crashed pod. (#1928, @Vincent056)
In conjunction to PR#1904, this pr is also needed in order to fix the SELinux profile inherit issue for OCPBUGS-17164, do not add inherit system container line when we have selinuxprofile inherit. (#1919, @Vincent056)
Support docker-in-docker for looking up the container ID in the ebpf based recorder (#1648, @slashben)
Updated kube-rbac-proxy to v0.15.0.
- Disable kube-rbac-proxy HTTP/2 support (#1940, @yuumasato)
Fixed file descriptor memory leak (#1879, @CoreyCook8)

Other (Cleanup or Flake)

Added an e2e test for apparmor profile which covers base functionality such as loading and unloading profiles into the cluster nodes. (#1684, @ccojocar)
Updated controller-runtime (#1700, @saschagrunert)
Updated cert-manager (#1709, @saschagrunert)
Updated libbpf (#1670, @saschagrunert)
Updated project to require golang 1.21. (#1854, @saschagrunert)
Updated runc and crun base profiles to their latest release. (#1650, @saschagrunert)

Contributors

ccojocar, saschagrunert, and 6 other contributors

Assets 14

18 Apr 09:52

saschagrunert

v0.8.0

b619a8f

v0.8.0

Release notes

Welcome to our glorious v0.8.0 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.8.0/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.0

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
| zeitgeist         | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

Added OCI seccomp base profile support if the baseProfileName if prefixed with oci://. (#1560, @saschagrunert)
SPO now auto selects the appropriate selinuxd image based on mapping in the security-profiles-operator-profile. If none of the entries match, SPO falls back to the image provided by RELATED_IMAGE_SELINUXD. (#1600, @jhrozek)

Bug or Regression

Fixed overriding args and error return values when merging profiles. (#1587, @saschagrunert)

Other (Cleanup or Flake)

Updated crun v1.8.3 and runc v1.1.5 base profiles. (#1586, @saschagrunert)

Contributors

saschagrunert and jhrozek

Assets 14

27 Mar 08:19

saschagrunert

v0.7.1

b101bf3

v0.7.1

Release notes

Welcome to our glorious v0.7.1 release of the security-profiles-operator! This is a small patch release as follow-up on v0.7.0. The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.7.1/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify --certificate-identity-regexp '.*'  --certificate-oidc-issuer-regexp '.*' \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.7.1

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Bug or Regression

Fixed a bug that prevents helm install to work when installing on a cluster where the namespace already exists. (#1568, @tuxerrante)

Dependencies

Added

Nothing has changed.

Changed

github.com/containers/common: v0.51.0 → v0.51.1
google.golang.org/grpc: v1.53.0 → v1.54.0

Removed

Nothing has changed.

Contributors

tuxerrante

Assets 5

22 Mar 13:52

saschagrunert

v0.7.0

aa0d083

v0.7.0

Release notes

Welcome to our glorious v0.7.0 release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.7.0/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify --certificate-identity-regexp '.*'  --certificate-oidc-issuer-regexp '.*' \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.7.0

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Deprecation

Removed default nginx profile from operator deployment. (#1361, @saschagrunert)

Feature

Added --base-syscalls to spoc record to ensure compatibility with OCI runtimes like runc and crun. (#1510, @saschagrunert)
Added spoc push/pull command to manage profiles in OCI registries. (#1551, @saschagrunert)
Added spoc run command for experimental testing of seccomp profiles. (#1534, @saschagrunert)
Added spoc binary, the Security Profiles Operator CLI. This new binary is also part of the default container images. (#1490, @saschagrunert)
Added option to record raw seccomp JSON profiles via spoc record -t raw-seccomp …. (#1508, @saschagrunert)
Added support for recording seccomp profiles via spoc record. (#1497, @saschagrunert)
Allow to configure a custom kubelet root directory for each node or a pool of nodes. (#1476, @ccojocar)
Allow to run the spoc CLI from an operator spoc/s subcommand. (#1492, @saschagrunert)
CLI change: --namespace flag should be specified when installing the helm chart (#1499, @tuxerrante)
Integrated enricher into spoc run (#1545, @saschagrunert)
Make the kubelet root directory configurable via KUBELET_DIR environment variable. (#1438, @ccojocar)
Make the priority class name configurable in th SPOD configuration. (#1488, @ccojocar)
Added registry, repository & tag in values.yaml to make SPO repo & image values configurable in helm charts. (#1396, @rahulroshan-kachchap)
Exposed enableSelinux, enableLogEnricher and enableAppArmor values in the helm chart values.yaml to make it configurable by the user during the deployment. (#1376, @rahulroshan-kachchap)

Documentation

Add a README.md to make user easily discover available SPO settings in the helm chart (#1542, @chenliu1993)
Automatically adding replaces and containerImage to OperatorHub manifest bundle. (#1326, @saschagrunert)
Switched to gcr.io/kubebuilder/kube-rbac-proxy from quay.io/brancz. (#1429, @saschagrunert)
Add an architecture diagram. (#1550, @ccojocar)

Bug or Regression

Add an option to enable memory optimization inside of spod daemon. (#1425, @ccojocar)
Fix memory optimization feature after upgrading to controller-runtime v0.14.5. (#1543, @ccojocar)
Fix profiling when bpf-recorder is enabled but SELinux is disabled. (#1420, @ccojocar)
Fix vagrant for Flatcar Linux to work with Kubernetes 1.26. (#1392, @ccojocar)
Fixed a bug where SELinux policies inheriting from another template than container
would not load correctly. (#1495, @jhrozek)
Install the default log enricher sccomp profile only when log enricher is enabled in the spod configuration. (#1388, @ccojocar)
Modified default operator seccomp profile for Amazon Linux 2 (5.4.226-129.415.amzn2.x86_64) (#1434, @saschagrunert)
Mount the custom kubelet root directory inside non-root-enabler container when is different from default. (#1447, @ccojocar)
Reworked the bpfrecorder to record syscalls per mntns intead of PID. (#1511, @ccojocar)
The ProfileRecording setting mergeStrategy=containers did not work
as expected, it was merging all containers from a single recording
into a single policy. This PR fixes the bug and now a single policy
is generated for each container. (#1380, @jhrozek)
Update the volume mount on the effective object of non-root-enabler container instead of a copy with no effect. (#1450, @ccojocar)
When using OLM to install the SPO from a bundle, SPO now defaults to installation in all namespaces and watching CRs across all namespaces. Please refer to https://olm.operatorframework.io/docs/advanced-tasks/operator-scoping-with-operatorgroups/ to learn how to scope the operator to either watch only a subset of namespaces or install SPO to a different namespace when using OLM.

Note that the other installation methods or the RESTRICT_TO_NAMESPACE environment variables are not affected by this change and work as before. (#1337, @jhrozek)

Other (Cleanup or Flake)

The events in the profilerecorder were renamed to be security-profile-agnostic. Previously, an event that included Seccomp in the name was used for all security profiles. (#1343, @jhrozek)
Updated vmlinux.h to be based on Fedora 37 (#1331, @saschagrunert)
Updated cert-manager to v1.10.1. (#1329, @saschagrunert)
Updated cert-manager to v1.11.0. (#1414, @saschagrunert)
Updated crun base seccomp profile to work with crun v1.8. (#1532, @saschagrunert)
Configure the SELinux type tag when the AppArmor is disabled regardless of EnableSelinux flag. (#1339, @ccojocar)
Update golangci-lint to version 1.51.0. (#1453, @ccojocar)
Use the PID when looking up the command in eBPF map. (#1311, @ccojocar)

Dependencies

Added

chainguard.dev/go-grpc-kit: v0.14.0
cloud.google.com/go/accessapproval: v1.5.0
cloud.google.com/go/accesscontextmanager: v1.4.0
cloud.google.com/go/aiplatform: v1.27.0
cloud.google.com/go/analytics: v0.12.0
cloud.google.com/go/apigateway: v1.4.0
cloud.google.com/go/apigeeconnect: v1.4.0
cloud.google.com/go/appengine: v1.5.0
cloud.google.com/go/area120: v0.6.0
cloud.google.com/go/artifactregistry: v1.9.0
cloud.google.com/go/asset: v1.10.0
cloud.google.com/go/assuredworkloads: v1.9.0
cloud.google.com/go/automl: v1.8.0
cloud.google.com/go/baremetalsolution: v0.4.0
cloud.google.com/go/batch: v0.4.0
cloud.google.com/go/beyondcorp: v0.3.0
cloud.google.com/go/billing: v1.7.0
cloud.google.com/go/binaryauthorization: v1.4.0
cloud.google.com/go/certificatemanager: v1.4.0
cloud.google.com/go/channel: v1.9.0
cloud.google.com/go/cloudbuild: v1.4.0
cloud.google.com/go/clouddms: v1.4.0
cloud.google.com/go/cloudtasks: v1.8.0
cloud.google.com/go/compute/metadata: v0.2.3
cloud.google.com/go/contactcenterinsights: v1.4.0
cloud.google.com/go/container: v1.7.0
cloud.google.com/go/containeranalysis: v0.6.0
cloud.google.com/go/datacatalog: v1.8.0
cloud.google.com/go/dataflow: v0.7.0
cloud.google.com/go/dataform: v0.5.0
cloud.google.com/go/datafusion: v1.5.0
cloud.google.com/go/datalabeling: v0.6.0
cloud.google.com/go/dataplex: v1.4.0
cloud.google.com/go/dataproc: v1.8.0
cloud.google.com/go/dataqna: v0.6.0
cloud.google.com/go/datastream: v1.5.0
cloud.google.com/go/deploy: v1.5.0
cloud.google.com/go/dialogflow: v1.19.0
cloud.google.com/go/dlp: v1.7.0
cloud.google.com/go/documentai: v1.10.0
cloud.google.com/go/domains: v0.7.0
cloud.google.com/go/edgecontainer: v0.2.0
cloud.google.com/go/errorreporting: v0.3.0
cloud.google.com/go/essentialcontacts: v1.4.0
cloud.google.com/go/eventarc: v1.8.0
cloud.google.com/go/filestore: v1.4.0
cloud.google.com/go/functions: v1.9.0
cloud.google.com/go/gaming: v1.8.0
cloud.google.com/go/gkebackup: v0.3.0
cloud.google.com/go/gkeconnect: v0.6.0
cloud.google.com/go/gkehub: v0.10.0
cloud.google.com/go/gkemulticloud: v0.4.0
cloud.google.com/go/gsuiteaddons: v1.4.0
cloud.google.com/go/iam: v0.8.0
cloud.google.com/go/iap: v1.5.0
cloud.google.com/go/ids: v1.2.0
cloud.google.com/go/iot: v1.4.0
cloud.google.com/go/kms: v1.8.0
cloud.google.com/go/language: v1.8.0
cloud.google.com/go/lifesciences: v0.6.0
cloud.google.com/go/logging: v1.6.1
cloud.google.com/go/longrunning: v0.3.0
cloud.google.com/go/managedidentities: v1.4.0
cloud.google.com/go/maps: v0.1.0
cloud.google.com/go/mediatranslation: v0.6.0
cloud.google.com/go/memcache: v1.7.0
cloud.google.com/go/metastore: v1.8.0
cloud.google.com/go/monitoring: v1.8.0
cloud.google.com/go/networkconnectivity: v1.7.0
cloud.google.com/go/networkmanagement: v1.5.0
cloud.google.com/go/networksecurity: v0.6.0
cloud.google.com/go/notebooks: v1.5.0
cloud.google.com/go/optimization: v1.2.0
cloud.google.com/go/orchestration: v1.4.0
cloud.google.com/go/orgpolicy: v1.5.0
cloud.google.com/go/osconfig: v1.10.0
cloud.google.com/go/oslogin: v1.7.0
cloud.google.com/go/phishingprotection: v0.6.0
cloud.google.com/go/policytroubleshooter: v1.4.0
cloud.google.com/go/privatecatalog: v0.6.0
cloud.google.com/go/pubsublite: v1.5.0
cloud.google.com/go/recaptchaenterprise/v2: v2.5.0
cloud.google.com/go/recommendationengine: v0.6.0
cloud.google.com/go/recommender: v1.8.0
cloud.google.com/go/redis: v1.10.0
cloud.google.com/go/resourcemanager: v1.4.0
cloud.google.com/go/resourcesettings: v1.4.0
cloud.google.com/go/retail: v1.11.0
cloud.google.com/go/run: v0.3.0
cloud.google.com/go/scheduler: v1.7.0
cloud.google.com/go/secretmanager: v1.9.0
cloud.google.com/go/security: v1.12.0
cloud.google.com/go/securitycenter:...

Contributors

ccojocar, saschagrunert, and 4 other contributors

Assets 5

Uh oh!

Releases: kubernetes-sigs/security-profiles-operator

v0.10.0

Changes by Kind

Feature

Bug or Regression

Other (Cleanup or Flake)

Dependencies

Added

Changed

Contributors

Uh oh!

v0.9.1

Changes by Kind

Feature

Dependencies

Added

Changed

Contributors

Uh oh!

v0.9.0

Changes by Kind

Feature

Documentation

Bug or Regression

Other (Cleanup or Flake)

Dependencies

Added

Contributors

Uh oh!

v0.8.4

Release notes

Changes by Kind

Feature

Documentation

Bug or Regression

Dependencies

Added

Changed

Contributors

Uh oh!

v0.8.3

Release notes

Changes by Kind

Feature

Bug or Regression

Dependencies

Added

Changed

Contributors

Uh oh!

v0.8.2

Release notes

Changes by Kind

Failing Test

Dependencies

Added

Changed

Contributors

Uh oh!

v0.8.1

Release notes

Changes by Kind

API Change

Feature

Bug or Regression

Other (Cleanup or Flake)

Contributors

Uh oh!

v0.8.0

Release notes

Changes by Kind

Feature

Bug or Regression

Other (Cleanup or Flake)

Contributors

Uh oh!

v0.7.1

Release notes

Changes by Kind