v0.9.1

Welcome to our glorious v0.9.1 release of the security-profiles-operator! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.9.1/deploy/operator.yaml

You can also verify the container image signature by using cosign:

$ cosign verify \
    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
    --certificate-oidc-issuer https://accounts.google.com \
    registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.9.1

Beside the operator image, we now also ship spoc, the official Security Profiles Operator Command Line Interface! Binaries for amd64 and arm64 are attached to this release.

To verify the signature of spoc. download all release artifacts and run for amd64 (works in the same way for arm64:

$ cosign verify-blob \
    --certificate-identity sgrunert@redhat.com \
    --certificate-oidc-issuer https://github.com/login/oauth \
    --certificate spoc.amd64.cert \
    --signature spoc.amd64.sig \
    spoc.amd64

To verify the Bill of Materials (BOM) using the bom tool, download the artifacts into a build directory and run:

> bom validate -e spoc.spdx -d build/
+-------------------+-------+-----------------------------+----------------+
|     FILENAME      | VALID |           MESSAGE           | INVALID HASHES |
+-------------------+-------+-----------------------------+----------------+
| spoc.amd64        | OK    | File validated successfully | -              |
| spoc.amd64.cert   | OK    | File validated successfully | -              |
| spoc.amd64.sha512 | OK    | File validated successfully | -              |
| spoc.amd64.sig    | OK    | File validated successfully | -              |
| spoc.arm64        | OK    | File validated successfully | -              |
| spoc.arm64.cert   | OK    | File validated successfully | -              |
| spoc.arm64.sha512 | OK    | File validated successfully | -              |
| spoc.arm64.sig    | OK    | File validated successfully | -              |
+-------------------+-------+-----------------------------+----------------+

The .spdx file is signed as well and we also provide .sha512 sum files for the binaries.

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

Feature

• Enabled the Security Profiles Operator for ppc64le architecture with support for seccomp and SELinux profile management. (#2589, @pranitaT)
• Users can turn off the controllers by explicitly setting the flags to false. (#2796, @jindijamie)

Dependencies

Added

• drjosh.dev/zzglob: v0.4.0
• github.com/DataDog/datadog-agent/pkg/proto: v0.58.0
• github.com/DataDog/datadog-agent/pkg/trace: v0.58.0
• github.com/DataDog/datadog-agent/pkg/util/log: v0.58.0
• github.com/DataDog/datadog-agent/pkg/util/scrubber: v0.58.0
• github.com/DataDog/go-runtime-metrics-internal: a14610d
• github.com/DataDog/go-sqllexer: v0.0.14
• github.com/DataDog/opentelemetry-mapping-go/pkg/otlp/attributes: v0.20.0
• github.com/bmatcuk/doublestar/v4: v4.6.1
• github.com/chainguard-dev/clog: v1.5.1
• github.com/cihub/seelog: f561c5e
• github.com/dgraph-io/badger/v4: v4.5.1
• github.com/dgraph-io/ristretto/v2: v2.1.0
• github.com/eapache/queue/v2: 75960ed
• github.com/envoyproxy/go-control-plane/envoy: v1.32.4
• github.com/envoyproxy/go-control-plane/ratelimit: v0.1.0
• github.com/go-ole/go-ole: v1.2.6
• github.com/go-viper/mapstructure/v2: v2.2.1
• github.com/jackc/pgerrcode: 6e2875d
• github.com/jackc/pgpassfile: v1.0.0
• github.com/jackc/pgservicefile: 5a60cdf
• github.com/jackc/pgx/v5: v5.7.2
• github.com/jackc/puddle/v2: v2.2.2
• github.com/lufia/plan9stats: 115f729
• github.com/power-devops/perfstat: c35f1ee
• github.com/santhosh-tekuri/jsonschema/v5: v5.3.1
• github.com/shirou/gopsutil/v3: v3.24.4
• github.com/shoenig/go-m1cpu: v0.1.6
• github.com/tklauser/go-sysconf: v0.3.12
• github.com/tklauser/numcpus: v0.6.1
• github.com/yusufpapurcu/wmi: v1.2.4
• gitlab.com/gitlab-org/api/client-go: v0.127.0
• go.opentelemetry.io/collector/component: v0.104.0
• go.opentelemetry.io/collector/config/configtelemetry: v0.104.0
• go.opentelemetry.io/collector/pdata/pprofile: v0.104.0
• go.opentelemetry.io/collector/pdata: v1.11.0
• go.opentelemetry.io/collector/semconv: v0.104.0

Changed

• chainguard.dev/go-grpc-kit: v0.17.5 → v0.17.7
• chainguard.dev/sdk: v0.1.23 → v0.1.29
• cloud.google.com/go/auth/oauth2adapt: v0.2.6 → v0.2.7
• cloud.google.com/go/auth: v0.13.0 → v0.15.0
• cloud.google.com/go/iam: v1.2.2 → v1.4.1
• cloud.google.com/go/kms: v1.20.4 → v1.21.1
• cloud.google.com/go/longrunning: v0.6.2 → v0.6.5
• cloud.google.com/go/security: v1.18.0 → v1.18.4
• cloud.google.com/go/storage: v1.45.0 → v1.49.0
• cloud.google.com/go/trace: v1.10.5 → v1.11.2
• cloud.google.com/go: v0.116.0 → v0.118.3
• cuelabs.dev/go/oci/ociregistry: a39bec0 → 2c00c10
• cuelang.org/go: v0.9.2 → v0.12.1
• github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.16.0 → v1.17.1
• github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.8.0 → v1.8.2
• github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: v1.3.0 → v1.3.1
• github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal: v1.1.0 → v1.1.1
• github.com/Azure/azure-sdk-for-go/sdk/storage/azblob: v1.4.0 → v1.6.0
• github.com/AzureAD/microsoft-authentication-library-for-go: v1.3.1 → v1.3.3
• github.com/DataDog/appsec-internal-go: v1.7.0 → v1.9.0
• github.com/DataDog/datadog-agent/pkg/obfuscate: v0.48.0 → v0.58.0
• github.com/DataDog/datadog-agent/pkg/remoteconfig/state: v0.48.1 → v0.58.0
• github.com/DataDog/datadog-go/v5: v5.5.0 → v5.6.0
• github.com/DataDog/go-libddwaf/v3: v3.3.0 → v3.5.1
• github.com/DataDog/go-tuf: v1.0.2-0.5.2 → v1.1.0-0.5.2
• github.com/Khan/genqlient: v0.7.0 → v0.8.0
• github.com/agnivade/levenshtein: v1.1.1 → v1.2.0
• github.com/avast/retry-go/v4: v4.6.0 → v4.6.1
• github.com/aws/aws-sdk-go-v2/config: v1.28.7 → v1.29.10
• github.com/aws/aws-sdk-go-v2/credentials: v1.17.48 → v1.17.63
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.16.22 → v1.16.30
• github.com/aws/aws-sdk-go-v2/internal/configsources: v1.3.26 → v1.3.34
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.6.26 → v2.6.34
• github.com/aws/aws-sdk-go-v2/internal/ini: v1.8.1 → v1.8.3
• github.com/aws/aws-sdk-go-v2/service/ecr: v1.20.2 → v1.40.3
• github.com/aws/aws-sdk-go-v2/service/ecrpublic: v1.18.2 → v1.31.2
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.12.1 → v1.12.3
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.12.7 → v1.12.15
• github.com/aws/aws-sdk-go-v2/service/kms: v1.37.8 → v1.38.1
• github.com/aws/aws-sdk-go-v2/service/sso: v1.24.8 → v1.25.1
• github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.28.7 → v1.29.2
• github.com/aws/aws-sdk-go-v2/service/sts: v1.33.3 → v1.33.17
• github.com/aws/aws-sdk-go-v2: v1.32.7 → v1.36.3
• github.com/aws/aws-sdk-go: v1.55.5 → v1.55.6
• github.com/aws/smithy-go: v1.22.1 → v1.22.2
• github.com/awslabs/amazon-ecr-credential-helper/ecr-login: 8841054 → v0.9.1
• github.com/beevik/ntp: v1.3.1 → v1.4.3
• github.com/buildkite/agent/v3: v3.81.0 → v3.95.1
• github.com/buildkite/go-pipeline: v0.13.1 → v0.13.3
• github.com/buildkite/interpolate: v0.1.3 → v0.1.5
• github.com/buildkite/roko: v1.2.0 → v1.3.1
• github.com/cncf/xds/go: b4127c9 → cff3c89
• github.com/containerd/containerd: v1.7.21 → v1.7.25
• github.com/containerd/errdefs: v0.3.0 → v1.0.0
• github.com/containers/common: v0.62.0 → v0.62.3
• github.com/containers/image/v5: v5.34.0 → v5.34.3
• github.com/containers/storage: v1.57.1 → v1.57.2
• github.com/decred/dcrd/dcrec/secp256k1/v4: v4.3.0 → v4.4.0
• github.com/dgryski/trifles: dd97f9a → f50d829
• github.com/emicklei/proto: v1.12.1 → v1.13.4
• github.com/envoyproxy/go-control-plane: v0.13.1 → v0.13.4
• github.com/envoyproxy/protoc-gen-validate: v1.1.0 → v1.2.1
• github.com/fullstorydev/grpcurl: v1.9.1 → v1.9.2
• github.com/gabriel-vasile/mimetype: v1.4.3 → v1.4.8
• github.com/gliderlabs/ssh: v0.3.7 → v0.3.8
• github.com/go-chi/chi/v5: v5.1.0 → v5.2.1
• github.com/go-jose/go-jose/v3: v3.0.3 → v3.0.4
• github.com/go-openapi/errors: v0.22.0 → v0.22.1
• github.com/go-openapi/swag: v0.23.0 → v0.23.1
• github.com/go-playground/validator/v10: v10.18.0 → v10.26.0
• github.com/golang-jwt/jwt/v4: v4.5.1 → v4.5.2
• github.com/golang-jwt/jwt/v5: v5.2.1 → v5.2.2
• github.com/golang/glog: v1.2.3 → v1.2.4
• github.com/google/certificate-transparency-go: v1.2.1 → v1.3.1
• github.com/google/flatbuffers: v2.0.8+incompatible → v24.12.23+incompatible
• github.com/google/s2a-go: v0.1.8 → v0.1.9
• github.com/googleapis/enterprise-certificate-proxy: v0.3.4 → v0.3.6
• github.com/grpc-ecosystem/grpc-gateway/v2: v2.25.1 → v2.26.1
• github.com/hashicorp/vault/api: v1.15.0 → v1.16.0
• github.com/in-toto/attestation: v1.1.0 → v1.1.1
• github.com/klauspost/compress: v1.17.11 → v1.18.0
• github.com/lestrrat-go/jwx/v2: v2.1.1 → v2.1.4
• github.com/magiconair/properties: v1.8.7 → v1.8.9
• github.com/mitchellh/mapstructure: v1.5.0 → 8508981
• github.com/open-policy-agent/opa: v0.68.0 → v1.1.0
• github.com/opencontainers/image-spec: v1.1.0 → v1.1.1
• github.com/opencontainers/runc: v1.2.5 → v1.2.6
• github.com/opencontainers/runtime-spec: v1.2.0 → v1.2.1
• github.com/pelletier/go-toml/v2: v2.2.2 → v2.2.3
• github.com/philhofer/fwd: v1.1.2 → fbbf495
• github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.80.1 → v0.81.0
• github.com/prometheus/client_golang: v1.21.0 → v1.22.0
• github.com/prometheus/prometheus: v0.47.2 → v0.51.0
• github.com/protocolbuffers/txtpbfmt: 084445f → 20d2c9e
• github.com/rogpeppe/go-internal: v1.13.1 → a5dc8ff
• github.com/sagikazarmark/locafero: v0.4.0 → v0.7.0
• github.com/sigstore/cosign/v2: v2.4.1 → v2.5.0
• github.com/sigstore/fulcio: v1.6.4 → v1.6.6
• github.com/sigstore/protobuf-specs: v0.3.3 → v0.4.1
• github.com/sigstore/rekor: v1.3.8 → v1.3.9
• github.com/sigstore/sigstore-go: v0.6.1 → v0.7.1
• github.com/sigstore/sigstore/pkg/signature/kms/aws: v1.8.12 → v1.9.1
• github.com/sigstore/sigstore/pkg/signature/kms/azure: v1.8.12 → v1.9.1
• github.com/sigstore/sigstore/pkg/signature/kms/gcp: v1.8.12 → v1.9.1
• github.com/sigstore/sigstore/pkg/signature/kms/hashivault: v1.8.12 → v1.9.1
• github.com/sigstore/sigstore: v1.8.12 → v1.9.1
• github.com/sigstore/timestamp-authority: v1.2.2 → v1.2.5
• github.com/spf13/afero: v1.11.0 → v1.12.0
• github.com/spf13/cast: v1.7.0 → v1.7.1
• github.com/spf13/cobra: v1.8.1 → v1.9.1
• github.com/spf13/viper: v1.19.0 → v1.20.1
• github.com/spiffe/go-spiffe/v2: v2.3.0 → v2.5.0
• github.com/theupdateframework/go-tuf/v2: v2.0.1 → v2.0.2
• github.com/tink-crypto/tink-go/v2: v2.2.0 → v2.3.0
• github.com/tinylib/msgp: v1.1.8 → v1.2.1
• github.com/urfave/cli/v2: v2.27.5 → v2.27.6
• github.com/vektah/gqlparser/v2: v2.5.16 → v2.5.19
• github.com/yuin/goldmark: v1.4.13 → v1.7.8
• github.com/zeebo/errs: v1.3.0 → v1.4.0
• go.etcd.io/etcd/client/v2: v2.305.16 → v2.305.17
• go.etcd.io/etcd/etcdctl/v3: v3.5.13 → v3.5.17
• go.etcd.io/etcd/etcdutl/v3: v3.5.13 → v3.5.17
• go.etcd.io/etcd/pkg/v3: v3.5.16 → v3.5.17
• go.etcd.io/etcd/raft/v3: v3.5.16 → v3.5.17
• go.etcd.io/etcd/server/v3: v3.5.16 → v3.5.17
• go.etcd.io/etcd/tests/v3: v3.5.13 → v3.5.17
• go.etcd.io/etcd/v3: v3.5.13 → v3.5.17
• go.opentelemetry.io/contrib/detectors/gcp: v1.32.0 → v1.34.0
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.58.0 → v0.59.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.59.0
• go.opentelemetry.io/contrib/propagators/aws: v1.29.0 → v1.35.0
• go.opentelemetry.io/contrib/propagators/b3: v1.29.0 → v1.35.0
• go.opentelemetry.io/contrib/propagators/jaeger: v1.29.0 → v1.35.0
• go.opentelemetry.io/contrib/propagators/ot: v1.29.0 → v1.35.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.33.0 → v1.35.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.33.0 → v1.35.0
• go.opentelemetry.io/otel/metric: v1.33.0 → v1.35.0
• go.opentelemetry.io/otel/sdk/metric: v1.32.0 → v1.34.0
• go.opentelemetry.io/otel/sdk: v1.33.0 → v1.35.0
• go.opentelemetry.io/otel/trace: v1.33.0 → v1.35.0
• go.opentelemetry.io/otel: v1.33.0 → v1.35.0
• go.opentelemetry.io/proto/otlp: v1.4.0 → v1.5.0
• go.step.sm/crypto: v0.56.0 → v0.60.0
• go.uber.org/automaxprocs: v1.5.3 → v1.6.0
• golang.org/x/crypto: v0.33.0 → v0.37.0
• golang.org/x/mod: v0.23.0 → v0.24.0
• golang.org/x/net: v0.35.0 → v0.39.0
• golang.org/x/oauth2: v0.25.0 → v0.29.0
• golang.org/x/sync: v0.11.0 → v0.13.0
• golang.org/x/sys: v0.30.0 → v0.32.0
• golang.org/x/term: v0.29.0 → v0.31.0
• golang.org/x/text: v0.22.0 → v0.24.0
• golang.org/x/time: v0.9.0 → v0.11.0
• golang.org/x/tools: v0.29.0 → v0.30.0
• google.golang.org/api: v0.216.0 → v0.227.0
• google.golang.org/genproto/googleapis/api: 6b3ec00 → a0af3ef
• google.golang.org/genproto/googleapis/bytestream: 6982302 → e70fdf4
• google.golang.org/genproto/googleapis/rpc: 6982302 → e70fdf4
• google.golang.org/genproto: e639e21 → a0af3ef
• google.golang.org/grpc: v1.70.0 → v1.71.1
• google.golang.org/protobuf: v1.36.5 → v1.36.6
• gopkg.in/DataDog/dd-trace-go.v1: v1.67.0 → v1.72.1
• gotest.tools/v3: v3.5.1 → v3.5.2
• k8s.io/api: v0.32.2 → v0.32.3
• k8s.io/apiextensions-apiserver: v0.32.1 → v0.32.2
• k8s.io/apimachinery: v0.32.2 → v0.32.3
• k8s.io/apiserver: v0.32.1 → v0.32.2
• k8s.io/cli-runtime: v0.32.2 → v0.32.3
• k8s.io/client-go: v0.32.2 → v0.32.3
• k8s.io/code-generator: v0.32.1 → v0.32.2
• k8s.io/component-base: v0.32.1 → v0.32.2
• k8s.io/kms: v0.32.1 → v0.32.2
• sigs.k8s.io/controller-runtime: v0.20.2 → v0.20.4
• sigs.k8s.io/controller-tools: v0.17.2 → v0.17.3
• sigs.k8s.io/release-utils: v0.11.0 → v0.11.1

Removed

• cloud.google.com/go/compute: v1.25.1
• cloud.google.com/go/firestore: v1.15.0
• github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys: v0.10.0
• github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal: v0.7.1
• github.com/DrJosh9000/zzglob: v0.3.4
• github.com/Masterminds/goutils: v1.1.1
• github.com/Masterminds/sprig/v3: v3.3.0
• github.com/armon/go-metrics: v0.4.1
• github.com/cenkalti/backoff/v3: v3.2.2
• github.com/cespare/xxhash: v1.1.0
• github.com/chainguard-dev/slogctx: v1.2.2
• github.com/dgraph-io/badger/v3: v3.2103.5
• github.com/dgraph-io/ristretto: v0.1.1
• github.com/dgryski/go-farm: a6ae236
• github.com/go-piv/piv-go: v1.11.0
• github.com/google/go-configfs-tsm: v0.2.2
• github.com/google/go-tpm-tools: v0.4.4
• github.com/google/go-tpm: v0.9.2
• github.com/google/go-tspi: v0.3.0
• github.com/googleapis/google-cloud-go-testing: 1c9a4c6
• github.com/hashicorp/consul/api: v1.28.2
• github.com/hashicorp/go-immutable-radix: v1.3.1
• github.com/hashicorp/serf: v0.10.1
• github.com/huandu/xstrings: v1.5.0
• github.com/jmespath/go-jmespath/internal/testify: v1.5.1
• github.com/matttproud/golang_protobuf_extensions/v2: v2.0.0
• github.com/mitchellh/copystructure: v1.2.0
• github.com/mitchellh/reflectwalk: v1.0.2
• github.com/nats-io/nats.go: v1.34.0
• github.com/nats-io/nkeys: v0.4.7
• github.com/nats-io/nuid: v1.0.1
• github.com/peterbourgon/diskv/v3: v3.0.1
• github.com/sagikazarmark/crypt: v0.19.0
• github.com/schollz/jsonstore: v1.1.0
• github.com/shopspring/decimal: v1.4.0
• github.com/smallstep/assert: 82e2b9b
• github.com/smallstep/go-attestation: 413678f
• github.com/xanzy/go-gitlab: v0.109.0
• github.com/xeipuuv/gojsonschema: v1.2.0