Releases: kubernetes-sigs/security-profiles-operator

v0.4.2

01 Apr 11:53

Release notes

Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.2/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

  • Added more verbose output to operator version information. (#859, @saschagrunert)
  • Automatically determine if cert-manager is required or not, for example in OpenShift deployments.
  • Update BTF to remove unnecessary distributions. (#812, @saschagrunert)
  • Updated metrics container to contain a read-only root filesystem. (#869, @saschagrunert)
  • Added a new field selinuxTypeTag to the SPOD CRD, which allows configuring the SELinux type in the SPOD deployment (#851, @ccojocar)
  • Extended the ProfileRecording CRD with a containers list, which allows selecting only specific containers in a pod for which the profile will be recorded (#833, @ccojocar)

Documentation

Other (Cleanup or Flake)

Dependencies

Added

  • github.com/Azure/go-autorest/autorest/to: v0.4.0
  • github.com/Azure/go-autorest/autorest/validation: v0.3.1
  • github.com/MakeNowJust/heredoc: bb23615
  • github.com/Masterminds/goutils: v1.1.1
  • github.com/Masterminds/semver/v3: v3.1.1
  • github.com/Masterminds/sprig/v3: v3.2.2
  • github.com/Masterminds/squirrel: v1.5.0
  • github.com/Nvveen/Gotty: cd52737
  • github.com/Venafi/vcert/v4: v4.14.3
  • github.com/akamai/AkamaiOPEN-edgegrid-golang: v1.1.1
  • github.com/cenkalti/backoff/v3: v3.0.0
  • github.com/chai2010/gettext-go: c6fed77
  • github.com/cloudflare/cloudflare-go: v0.20.0
  • github.com/common-nighthawk/go-figure: 734e95f
  • github.com/cpu/goacmedns: v0.1.1
  • github.com/dave/dst: v0.26.2
  • github.com/dave/gopackages: 46e7023
  • github.com/dave/jennifer: v1.2.0
  • github.com/dave/kerr: bc25dd6
  • github.com/dave/rebecca: v0.9.1
  • github.com/digitalocean/godo: v1.65.0
  • github.com/exponent-io/jsonpath: d6023ce
  • github.com/fatih/camelcase: v1.0.0
  • github.com/go-errors/errors: v1.0.1
  • github.com/gobwas/glob: v0.2.3
  • github.com/google/shlex: e7afc7f
  • github.com/gosuri/uitable: v0.0.4
  • github.com/gotestyourself/gotestyourself: v2.2.0+incompatible
  • github.com/hashicorp/vault/api: v1.1.1
  • github.com/hashicorp/vault/sdk: v0.2.1
  • github.com/huandu/xstrings: v1.3.2
  • github.com/jetstack/cert-manager: v1.7.2
  • github.com/jmoiron/sqlx: v1.3.1
  • github.com/lann/builder: 47ae307
  • github.com/lann/ps: 62de8c4
  • github.com/lib/pq: v1.10.0
  • github.com/liggitt/tabwriter: 89fcab3
  • github.com/mitchellh/copystructure: v1.1.1
  • github.com/mitchellh/go-wordwrap: v1.0.0
  • github.com/mitchellh/reflectwalk: v1.0.1
  • github.com/monochromegane/go-gitignore: 205db1a
  • github.com/munnerz/crd-schema-fuzz: v1.0.0
  • github.com/openshift/api: b632c5f
  • github.com/openshift/build-machinery-go: 7e33a7e
  • github.com/patrickmn/go-cache: v2.1.0+incompatible
  • github.com/pavel-v-chernykh/keystore-go/v4: v4.2.0
  • github.com/pierrec/lz4: v2.5.2+incompatible
  • github.com/rubenv/sql-migrate: 55d5740
  • github.com/ryanuber/go-glob: v1.0.0
  • github.com/shopspring/decimal: v1.2.0
  • github.com/xlab/treeprint: a009c39
  • go.starlark.net: 8dd3e2e
  • golang.org/x/arch: b19384d
  • gopkg.in/gorp.v1: v1.7.2
  • gopkg.in/src-d/go-billy.v4: v4.3.0
  • helm.sh/helm/v3: v3.7.1
  • k8s.io/cli-runtime: v0.23.1
  • k8s.io/kube-aggregator: v0.23.1
  • k8s.io/kubectl: v0.23.1
  • oras.land/oras-go: v0.4.0
  • sigs.k8s.io/gateway-api: v0.3.0
  • sigs.k8s.io/kustomize/api: v0.10.1
  • sigs.k8s.io/kustomize/kyaml: v0.13.0
  • software.sslmate.com/src/go-pkcs12: c5206de

Changed


v0.4.1

07 Feb 09:30

Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.1/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

  • Added support for Seccomp Profiles that make use of the Seccomp Notify feature. (#801, @alban)
  • Added hostProcVolumePath option to spod to define a custom /proc volume on the host. (#788, @saschagrunert)
  • Support verbosity=1 for log-enricher (#787, @saschagrunert)
  • When deploying on OpenShift, cert-manager is no longer required. (#740, @jhrozek)

Bug or Regression

Other (Cleanup or Flake)

Dependencies

Added

  • github.com/antlr/antlr4/runtime/Go/antlr: b48c857
  • github.com/getkin/kin-openapi: v0.76.0
  • github.com/google/cel-go: v0.9.0
  • github.com/google/cel-spec: v0.6.0
  • sigs.k8s.io/json: c049b76

Changed

  • github.com/ReneKroon/ttlcache/v2: v2.10.0 → v2.11.0
  • github.com/aquasecurity/libbpfgo: f097a01 → 0.6.1
  • github.com/cespare/xxhash/v2: v2.1.1 → v2.1.2
  • github.com/evanphx/json-patch: v4.11.0+incompatible → v4.12.0+incompatible
  • github.com/fsnotify/fsnotify: v1.4.9 → v1.5.1
  • github.com/go-logr/logr: v0.4.0 → v1.2.2
  • github.com/go-logr/zapr: v0.4.0 → v1.2.0
  • github.com/golang/glog: 23def4e → v1.0.0
  • github.com/json-iterator/go: v1.1.11 → v1.1.12
  • github.com/moby/term: 9d4ed18 → 3f7ff69
  • github.com/modern-go/reflect2: v1.0.1 → v1.0.2
  • github.com/onsi/ginkgo: v1.16.4 → v1.16.5
  • github.com/onsi/gomega: v1.16.0 → v1.17.0
  • github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.52.1 → v0.54.0
  • github.com/prometheus/client_golang: v1.11.0 → v1.12.1
  • github.com/prometheus/common: v0.26.0 → v0.32.1
  • github.com/prometheus/procfs: v0.6.0 → v0.7.3
  • github.com/yuin/goldmark: v1.3.5 → v1.4.0
  • go.uber.org/goleak: v1.1.10 → v1.1.12
  • go.uber.org/zap: v1.19.0 → v1.19.1
  • golang.org/x/crypto: 0c34fe9 → 32db794
  • golang.org/x/net: 37e1c6a → 491a49a
  • golang.org/x/oauth2: 2e8d934 → 2bc19b1
  • golang.org/x/sys: 0a5406a → da31bd3
  • golang.org/x/term: 6a3ed07 → 6886f2d
  • golang.org/x/tools: v0.1.5 → d4cc65f
  • google.golang.org/genproto: f16073e → fe13028
  • google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.1.0 → v1.2.0
  • google.golang.org/grpc: v1.42.0 → v1.44.0
  • k8s.io/api: v0.22.4 → v0.23.3
  • k8s.io/apiextensions-apiserver: v0.22.3 → v0.23.0
  • k8s.io/apimachinery: v0.22.4 → v0.23.3
  • k8s.io/apiserver: v0.22.3 → v0.23.0
  • k8s.io/client-go: v0.22.4 → v0.23.3
  • k8s.io/code-generator: v0.22.3 → v0.23.0
  • k8s.io/component-base: v0.22.3 → v0.23.0
  • k8s.io/gengo: b6c5ce2 → 485abfe
  • k8s.io/klog/v2: v2.10.0 → v2.40.1
  • k8s.io/kube-openapi: 2043435 → e816edb
  • k8s.io/utils: bdf08cb → 6203023
  • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.22 → v0.0.25
  • sigs.k8s.io/controller-runtime: v0.10.3 → v0.11.0
  • sigs.k8s.io/controller-tools: v0.7.0 → v0.8.0
  • sigs.k8s.io/release-utils: v0.3.0 → v0.4.0
  • sigs.k8s.io/structured-merge-diff/v4: v4.1.2 → v4.2.1
  • sigs.k8s.io/yaml: v1.2.0 → v1.3.0

Removed

Nothing has changed.

v0.4.0

14 Dec 09:56

Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.0/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

  • A v1alpha2 version of the SelinuxProfile object has been introduced. This
    removes the raw CIL from the object itself and instead adds a simple policy
    language to ease the writing and parsing experience.

    Alongside, a RawSelinuxProfile object was also introduced. This contains a wrapped
    and raw representation of the policy. This was intended for folks to be able to take
    their existing policies into use as soon as possible. However, no validations are done here. (#675, @JAORMX)

  • Add CRD type to represent AppArmor profiles. (#643, @pjbgf)

  • Change seccomp profile type Architectures to []Arch from []*Arch (#671, @saschagrunert)

  • Graduate seccomp profile API from v1alpha1 to v1beta1 (#674, @saschagrunert)

Feature

  • Added Metrics for SELinux profiles (#470, @mrogers950)
  • Added arm64 support for retrieving the correct syscall names within the log enricher. (#539, @saschagrunert)
  • Added retry functionality to log enricher if container ID is still empty during pod creation. (#491, @saschagrunert)
  • Added CLI flag -V and environment variable parsing SPO_VERBOSITY to set the logging verbosity. (#657, @saschagrunert)
  • Added metrics-token secret to the operator namespace for metrics client retrieval. (#457, @saschagrunert)
  • Added metrics service endpoint to the operator namespace, which now serves the security_profiles_operator_seccomp_profile metric. (#422, @saschagrunert)
  • Added seccomp_profile_error_total metrics. (#461, @saschagrunert)
  • Added verbosity option to spod configuration. Currently supports 0 (the default) and 1 for enhanced verbosity. (#665, @saschagrunert)
  • Added automatic ServiceMonitor deployment if the CRD is available within the cluster. (#458, @saschagrunert)
  • Added container ID caching to log enricher for performance reasons. (#509, @saschagrunert)
  • Added libseccomp version output to version subcommand output. (#524, @saschagrunert)
  • Added liveness and startup probe to operator daemon set to streamline the operator startup. (#430, @saschagrunert)
  • Added log enricher metrics security_profiles_operator_seccomp_profile_audit_total and security_profiles_operator_selinux_profile_audit_total. (#492, @saschagrunert)
  • Added logging to non-root-enabler (#486, @saschagrunert)
  • Added name=spod label to metrics service. (#456, @saschagrunert)
  • Added new seccomp profile recorder bpf. (#618, @saschagrunert)
  • Added single TLS certificate for serving metrics. See installation-usage.md for more details. (#451, @saschagrunert)
  • Added support for recording profiles by using the log enricher. (#513, @saschagrunert)
  • Added syslog support for log enricher. (#531, @saschagrunert)
  • Added the seccomp profile architecture to the bpf and log recorder. (#670, @saschagrunert)
  • Adding profiling endpoint support via the SPOD configuration enableProfiling (#746, @saschagrunert)
  • Automatically mount /dev/kmsg for log enricher usage if running with CRI-O and an allowed io.kubernetes.cri-o.Devices annotation. (#479, @saschagrunert)
  • Changed DaemonSet update strategy to update all Pods in parallel. (#722, @saschagrunert)
  • Deploying kube-rbac-proxy sidecar in SPOD for exposing metrics via the new metrics-spod and metrics-controller-runtime services. (#424, @saschagrunert)
  • SPO's ProfileRecording CRD, which allows the admin to
    record workloads and create security policies, was extended to allow
    recording SELinux profiles as well. In order to record a SELinux profile
    for a workload, set ProfileRecording.Spec.Kind to SelinuxProfile. (#592, @jhrozek)
  • Show libbpf version in version subcommand (#742, @saschagrunert)
  • Switched to unix domain sockets for the GRPC servers. (#631, @saschagrunert)
  • This patch re-adds the no_bpf build tag, which is triggered by setting the BPF_ENABLED
    environment variable to 0. A developer can then build SPO without the
    built-in BPF support by running:
    BPF_ENABLED=0 make
    This is useful to build SPO in environments with older dependencies
    that don't allow building the in-tree BPF-based recorder. (#690, @jhrozek)
  • Update example base profiles to their recent runtime versions. (#543, @saschagrunert)
  • Update kube-rbac-proxy to v0.11.0 (#724, @saschagrunert)
  • spod can load and unload AppArmor profiles into the cluster's host servers.
    spod now runs as root and privileged when apparmor is enabled. (#680, @pjbgf)

Documentation

  • Added documentation about how to record profiles by using the log enricher. (#521, @saschagrunert)
  • Added documentation on how to use the automatically deployed ServiceMonitor, with OpenShift as the example platform. (#460, @saschagrunert)
  • Added log enricher documentation to installation-usage.md. (#498, @saschagrunert)
  • Added metrics documentation to installation-usage.md. (#449, @saschagrunert)
  • Added table of contents to installation documentation. (#493, @saschagrunert)
  • Changed documentation to reference main instead of master as default git branch. (#706, @saschagrunert)
  • Fixed header links containing source code in installation-usage.md (#606, @saschagrunert)

Bug or Regression

  • Do not retry container ID retrieval on container creation failures any more. (#612, @saschagrunert)

Other (Cleanup or Flake)

  • An OpenShift deployment manifest was included in deploy/openshift.yaml (#695, @JAORMX)

  • Bumps golang.org/x/text to fix advisory GO-2021-0113 (#655, @pjbgf)

  • Log enricher now requires running auditd (/var/log/audit/audit.log) (#487, @saschagrunert)

  • Log libseccomp version on operator startup. (#556, @saschagrunert)

  • Removed CPU limits from SPOD and added resource requests/limits to manager and webhook. (#550, @saschagrunert)

  • Selinuxd now uses containers from quay.io/security-profiles-operator (#750, @jhrozek)

  • The directory /etc/selinux.d used to be mounted on the hosts in previous SPO versions.
    This is no longer the case, the directory was converted to an emptyDir instead,
    reducing the number of required host mounts. (#698, @jhrozek)

  • The securityprofilenodestatus CR now links to the security profile whose status
    it represents using the label spo.x-k8s.io/profile-id. If the profile name is less
    than 64 characters long, then the label value is the profile name, otherwise it's
    kind-sha256hashofthename, trimmed to fit into 64 characters.

    This change supports profiles whose names are over 64 characters. (#685, @jhrozek)

  • Update cert-manager to v1.5.3 (#577, @saschagrunert)

v0.3.0

26 Apr 12:22

Welcome to the next iteration of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳

Please be aware that the operator now requires cert-manager as a hard requirement. To install cert-manager, simply run:

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
$ kubectl --namespace cert-manager wait --for condition=ready pod -l app.kubernetes.io/instance=cert-manager

To install the operator afterwards, execute:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.3.0/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

  • Adds a new CRD ProfileBinding to define a relationship between a Pod and a profile resource. Currently only supports the SeccompProfile kind. (#179, @cmurphy)
  • Adds a new attribute status.seccompProfile.localhostProfile and column SECCOMPPROFILE.LOCALHOSTPROFILE to indicate what should be included in a pod spec. (#166, @cmurphy)
  • SelinuxPolicy has been removed and is now SelinuxProfile. (#396, @JAORMX)
  • The DaemonSet configuration is now handled by a Custom Resource called
    SecurityProfilesOperatorDaemon. (#336, @JAORMX)
  • The SelinuxProfile CRD no longer has the apply flag in the spec. (#406, @JAORMX)

Feature

  • Added possibility to record seccomp profiles from replicas (#363, @saschagrunert)
  • Added seccomp audit log enrichment feature (#251, @pjbgf)
  • Added seccomp profile recording support via the OCI seccomp BPF hook (#247, @saschagrunert)
  • Added toleration for the control-plane taint to support the renaming of "master" taints (#196, @pjbgf)
  • Added minimum crun base profile (#291, @saschagrunert)
  • Added multi-architecture support to the container image (amd64 and arm64 for now) (#296, @saschagrunert)
  • Added the ability to delete seccomp profiles from nodes by deleting SeccompProfile resources. Added new fields activeWorkloads and status to the status subresource of the SeccompProfile kind. (#155, @cmurphy)
  • Added UBI-based Dockerfile. (#172, @JAORMX)
  • Automatically deploy the default profiles in the correct namespace without having a need for an additional kubectl apply command. (#269, @saschagrunert)
  • Log enricher now supports SELinux log lines and runs unprivileged. (#339, @pjbgf)
  • Removed docker.io/bash:5 container image dependency for non-root-enabler logic. (#306, @saschagrunert)
  • The selinux component can now be enabled or disabled through the ConfigMap named config by toggling a boolean option called EnableSelinux.
    Since not all Linux distributions support SELinux, its support is disabled by default. (#214, @jhrozek)
  • The separate webhook deployment, which enabled the ProfileBinding and ProfileRecording resources, has now been merged into the main operator deployment manifest. (#387, @cmurphy)
  • Updates to the SecurityProfilesOperatorDaemon object are now reflected in the daemonset. (#342, @JAORMX)
  • Initial SELinux policy support is implemented. This adds a CRD called SelinuxPolicy, which the operator uses to ensure policies are installed on the nodes. (#165, @JAORMX)
  • Conditions were added to the SelinuxPolicy object's status. (#174, @JAORMX)
  • The main deployment method is now a Deployment object that requires a ConfigMap called "config". (#180, @JAORMX)

Documentation

  • Added complain-mode seccomp profile that is safer to run in production workloads (#260, @pjbgf)
  • Removed additional custom-profiles seccomp path from installation manual. (#414, @saschagrunert)

Failing Test

  • The sigs.k8s.io/security-profiles-operator/api/v1alpha1 package which defined the SeccompProfile and SelinuxPolicy types was split into two packages, sigs.k8s.io/security-profiles-operator/api/seccompprofile/v1alpha1 and sigs.k8s.io/security-profiles-operator/api/selinuxpolicy/v1alpha1 and must be imported separately. (#178, @cmurphy)

Bug or Regression

  • A bug where a profile could have been deleted while still in use by pods was fixed (#383, @jhrozek)
  • A new node status controller now runs on the main operator Deployment.
    To standardize on a common status model, the SelinuxPolicy state was renamed to status.
    The controller manager now listens on the same namespaces as the DaemonSet does, and thus requires more RBAC permissions.
    The SecurityProfilesOperatorDaemon Custom Resource is now Namespaced and not Cluster scoped. (#389, @JAORMX)
  • Fixed default nginx seccomp profile to work with crun (tested with v0.17) (#290, @saschagrunert)
  • The security-profiles-operator now ships with separate service accounts for the daemon and webhook (#325, @JAORMX)

Other (Cleanup or Flake)

  • Added support for seccomp CRD architecture SCMP_ARCH_NATIVE. (#272, @saschagrunert)
  • Decreased docker builds duration by using cache (#243, @naveensrinivasan)
  • Removed targetWorkload field from seccomp profile CRD (#350, @saschagrunert)
  • The namespaced-operator deployment now relies on a ClusterRole and a ClusterRoleBinding instead of the previous Role and RoleBinding objects. It now more closely resembles the cluster-operator deployment. (#295, @JAORMX)
  • The workload that handles SELinux policy installation (selinuxd) is no longer a privileged container. (#372, @JAORMX)
  • Throw "profile saved to disk" event only if a profile modification happened on the node. (#370, @saschagrunert)

Dependencies

Added


v0.2.0

12 Nov 17:40

Welcome to the next release of the security-profiles-operator, the former seccomp-operator. We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳

To install the operator, simply run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.2.0/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

  • Added new Custom Resource Definition seccompprofiles.seccomp-operator.k8s-sigs.io as an alternative to an annotated ConfigMap for defining seccomp profiles. (#125, @cmurphy)
  • Seccomp profiles can no longer be configured using the native ConfigMap resource and may now only be defined using the provided SeccompProfile custom resource. (#138, @cmurphy)

Feature

  • Added a new example SeccompProfile to provide a starting point on which to build custom profiles, and an attribute BaseProfileName to the SeccompProfile kind to allow merging syscalls from two profiles. (#152, @cmurphy)
  • Added profile name to events (#129, @saschagrunert)
  • Added Status field to SeccompProfile CRD to provide the path on disk to the profile. (#144, @cmurphy)

Documentation

Bug or Regression

  • Fixed bug to reconcile all profiles in a configMap if one of them is invalid. (#122, @saschagrunert)
  • Fixed error messages in operator log to be displayed correctly, without any additional "reason" field. (#124, @saschagrunert)

Dependencies

Added

  • cloud.google.com/go/firestore: v1.1.0
  • cloud.google.com/go/pubsub: v1.3.1
  • cloud.google.com/go/storage: v1.11.0
  • dmitri.shuralyov.com/gpu/mtl: 666a987
  • github.com/14rcole/gopopulate: b175b21
  • github.com/MakeNowJust/heredoc: bb23615
  • github.com/Microsoft/go-winio: fc70bd9
  • github.com/Microsoft/hcsshim: v0.8.9
  • github.com/VividCortex/ewma: v1.1.1
  • github.com/acarl005/stripansi: 5a71ef0
  • github.com/armon/circbuf: bbbad09
  • github.com/armon/go-metrics: f0300d1
  • github.com/armon/go-radix: 7fddfc3
  • github.com/bketelsen/crypt: 5cbc8cc
  • github.com/cespare/xxhash/v2: v2.1.1
  • github.com/chai2010/gettext-go: c6fed77
  • github.com/checkpoint-restore/go-criu/v4: v4.0.2
  • github.com/chzyer/logex: v1.1.10
  • github.com/chzyer/readline: 2972be2
  • github.com/chzyer/test: a1ea475
  • github.com/cilium/ebpf: a9f01ed
  • github.com/cncf/udpa/go: 269d4d4
  • github.com/containerd/cgroups: bf292b2
  • github.com/containerd/console: v1.0.0
  • github.com/containerd/containerd: v1.3.2
  • github.com/containerd/continuity: aaeac12
  • github.com/containerd/fifo: a9fb20d
  • github.com/containerd/go-runc: 5a6d9f3
  • github.com/containerd/ttrpc: 0e0f228
  • github.com/containerd/typeurl: a93fcdb
  • github.com/containers/common: v0.26.3
  • github.com/containers/image/v5: v5.7.0
  • github.com/containers/libtrust: 14b9617
  • github.com/containers/ocicrypt: v1.0.3
  • github.com/containers/storage: v1.23.7
  • github.com/coreos/go-systemd/v22: v22.0.0
  • github.com/cyphar/filepath-securejoin: v0.2.2
  • github.com/daviddengcn/go-colortext: 511bcaf
  • github.com/docker/distribution: v2.7.1+incompatible
  • github.com/docker/docker-credential-helpers: v0.6.3
  • github.com/docker/go-connections: v0.4.0
  • github.com/docker/go-metrics: v0.0.1
  • github.com/docker/libtrust: aabc10e
  • github.com/exponent-io/jsonpath: d6023ce
  • github.com/fatih/camelcase: v1.0.0
  • github.com/fvbommel/sortorder: v1.0.1
  • github.com/go-gl/glfw/v3.3/glfw: 6f7a984
  • github.com/go-gl/glfw: e6da0ac
  • github.com/godbus/dbus/v5: v5.0.3
  • github.com/godbus/dbus: ade71ed
  • github.com/golangplus/bytes: 45c989f
  • github.com/golangplus/fmt: 2a5d6d7
  • github.com/golangplus/testing: af21d9c
  • github.com/google/martian/v3: v3.0.0
  • github.com/gorilla/mux: v1.7.4
  • github.com/hashicorp/consul/api: v1.1.0
  • github.com/hashicorp/consul/sdk: v0.1.1
  • github.com/hashicorp/go-immutable-radix: v1.0.0
  • github.com/hashicorp/go-msgpack: v0.5.3
  • github.com/hashicorp/go-rootcerts: v1.0.0
  • github.com/hashicorp/go-sockaddr: v1.0.0
  • github.com/hashicorp/go-syslog: v1.0.0
  • github.com/hashicorp/go-uuid: v1.0.1
  • github.com/hashicorp/go.net: v0.0.1
  • github.com/hashicorp/logutils: v1.0.0
  • github.com/hashicorp/mdns: v1.0.0
  • github.com/hashicorp/memberlist: v0.1.3
  • github.com/hashicorp/serf: v0.8.2
  • github.com/ianlancetaylor/demangle: 5e5cf60
  • github.com/klauspost/pgzip: v1.2.5
  • github.com/liggitt/tabwriter: 89fcab3
  • github.com/lithammer/dedent: v1.1.0
  • github.com/mattn/go-shellwords: v1.0.10
  • github.com/miekg/dns: v1.0.14
  • github.com/mistifyio/go-zfs: v2.1.1+incompatible
  • github.com/mitchellh/cli: v1.0.0
  • github.com/mitchellh/go-wordwrap: v1.0.0
  • github.com/mitchellh/gox: v0.4.0
  • github.com/mitchellh/iochan: v1.0.0
  • github.com/moby/sys/mountinfo: [v0.4.0](https://github.com/moby/sys/mou...

v0.1.0

14 Aug 12:47

Welcome to the first release of the seccomp-operator, we hope you enjoy this release as much as we do! The initial set of features can be found in our documentation. 🥳

To install the operator, simply run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/seccomp-operator/v0.1.0/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #seccomp-operator channel.

Changes by Kind

Feature

  • Added version,v subcommand and CLI parser (--version works too now) (#20, @saschagrunert)
  • Added ability to restrict seccomp-operator to watch config maps in a single namespace (#94, @hasheddan)
  • Added basic seccomp profile validation before syncing them on disk (#72, @saschagrunert)
  • Added default operator profiles to the deployment. For now we added an nginx:1.19.1 profile (#54, @saschagrunert)
  • Added manifest for deploying operator to watch for profile ConfigMaps in a single namespace. (#100, @hasheddan)
  • Added new seccompProfile field to examples/pod.yaml, which can be used for Kubernetes releases > v1.19.0 (#90, @saschagrunert)
  • Added support for seccomp operator in master nodes (#95, @pjbgf)
  • Do not requeue after successfully writing profile to disk and do not immediately requeue on errors. (#101, @hasheddan)
  • Link seccomp-operator statically for easier distribution (#16, @saschagrunert)
  • Make rootless operator deployment the default (#38, @saschagrunert)
  • Nodes not supporting seccomp will not reconcile profiles to disk. Additionally a warning event will be thrown for the config map. (#85, @saschagrunert)
  • Operator now runs under a specific seccomp profile. (#52, @pjbgf)
  • Profile controller will emit warning events on failure to get profile path or save profile to disk (#56, @hasheddan)
  • Seccomp profiles can be created in any namespace now. Profiles end up in different subdirectories per namespace. (#49, @rhafer)