Skip to content

CHANGELOG.md

Latest commit

 

History

History
446 lines (267 loc) · 12.2 KB

CHANGELOG.md

File metadata and controls

446 lines (267 loc) · 12.2 KB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

Added

  • Add io.giantswarm.application.audience and io.giantswarm.application.managed chart annotations for Backstage visibility.
  • Push to the default catalog.

Changed

  • Migrate chart annotations to OCI-compatible format (change application.giantswarm.io/team to io.giantswarm.application.team, convert restrictions to annotations).
  • Updated kyverno-policies to upstream version v1.17.2.

0.25.0 - 2026-02-04

Changed

  • Update to upstream Kyverno Policies version v1.17.0.

0.24.0 - 2025-06-19

Changed

  • Update to upstream Kyverno Policies version v1.14.2.

Notes

This release includes an upstream update. Please refer to the following Release Notes from upstream for the latest changes:

0.23.0 - 2025-02-25

Added

  • Add supplemental security and best practices policies:
    • check-resources-request-and-limits-ratio
    • check-serviceaccount-secrets
    • disallow-gitrepo-volume
    • disallow-latest-tag
    • prevent-bare-pods
    • require-container-requests-and-limits
    • require-emptydir-requests-and-limits
    • require-pod-probes
    • restrict-binding-clusteradmin
    • restrict-binding-system-groups
    • restrict-sa-automount-sa-token

0.22.0 - 2025-02-20

Added

  • Add supplemental policies restrict-external-ips, require-ro-rootfs, and enable upstream policy require-non-root-groups.
  • Add supplemental policy to generate default deny-all Network Policies in newly created namespaces.

Changed

  • Update to upstream Kyverno Policies version 1.13.4.

0.21.1 - 2024-12-11

Changed

  • Add application.giantswarm.io/team label to policies.

0.21.0 - 2024-09-25

Changed

  • Update to upstream Kyverno Policies version 1.12.5.
  • Don't push to vsphere-app-collection, capz-app-collection, capa-app-collection or cloud-director-app-collection. We started to consume kyverno-policies from security-bundle.

0.20.2 - 2023-12-06

Fixed

  • Fix team ownership

0.20.1 - 2023-09-21

Changed

  • Update to upstream Kyverno Policies version 1.10.3.

0.20.0 - 2023-06-23

Changed

  • Update to upstream Kyverno Policies version 1.10.0.
  • Update CI to use newer ats and the abs executor.

0.19.0 - 2023-05-31

Changed

  • Enable PSS Restricted policies by default.

Removed

  • Stop pushing to openstack-app-collection.

0.18.1 - 2023-02-15

Added

  • Push to cloud-director app collection.
  • Push to capz app collection.

0.18.0 - 2022-11-16

Changed

  • Update to upstream v1.7.5 policies.

0.17.2 - 2022-08-05

0.17.1 - 2022-04-06

Added

  • Push policies to giantswarm catalog.

0.17.0 - 2022-04-05

Changed

  • Track upstream PSS policies with a subtree.
  • Push PSS policies to AWS, Azure, KVM, OpenStack, and VSphere catalogs and collections.
  • Remove catalog and collections push for common and shared policies.

0.16.0 - 2022-03-02

Changed

  • Policies no longer the cluster-apps-operator.giantswarm.io/version label since cluster-apps-operator don't use it.

0.15.0 - 2022-02-28

Changed

  • Add default audit log config file to KubeadmControlPlane.

0.14.0 - 2022-01-19

Added

  • Support all API versions for CAPI resources

Changed

  • Default Azure subscription ID by getting value directly from organization credentials secret.

0.13.2 - 2022-01-13

Fixed

  • Fixed block-bulk-certconfigs-delete policy

0.13.1 - 2022-01-13

Added

  • Add block-bulk-certconfigs-delete policy

0.13.0 - 2022-01-05

Added

  • Add policies-openstack for OpenStack-specific policies.
  • Add policy for OpenStack which defaults failureDomain based on MachineDeployment request's machine-deployment.giantswarm.io/failure-domain label.

0.12.0 - 2021-12-09

Added

  • Add cluster-apps-operator.giantswarm.io/watching label to Cluster CRs so they will be watched by cluster-apps-operator >=v1.1.0 (deployed by an app collection) in addition to <v1.1.0 (deployed by release-operator).

0.11.0 - 2021-11-30

Added

  • Tilt support.

Changed

  • The api-server extraVolumes are appended instead of over writing the existing ones.

0.10.0 - 2021-11-19

Added

  • Policy to apply audit-policy.yaml to kubeadmconfig

Changed

  • Apply policies to v20 even when v20 contains suffixes in its name.

0.9.2 - 2021-10-26

Changed

  • Remove PodSecurityPolicy from the enabled api-server admission plugins.

0.9.1 - 2021-10-20

Fixed

  • Removed encryption-provider-config and audit-policy-file flags until we can confirm the file exists on the machine images

0.9.0 - 2021-10-19

Added

  • CircleCI job to validate policies

Changed

  • Updated kubelet and api server flags to handle duplicates

0.8.0 - 2021-10-13

Added

  • kubelet and api server flags for CAPI clusters.

0.7.1 - 2021-10-12

Fixed

  • Fix annotation name in subscription id defaulting rule.

0.7.0 - 2021-10-12

Added

  • Default SubscriptionID field for AzureCluster CRs.

Changed

  • Add test setup for vsphere policies.

0.6.2 - 2021-10-11

Added

  • Set kubelet extra argument node-ip for worker and masters.
  • Validate deprecated APIs.

0.6.1 - 2021-10-06

0.6.0 - 2021-10-06

Changed

  • Use ats for integration testing instead of abs.
  • Rename vmware chart and policies to vsphere.

0.6.0 - 2021-10-05

Added

  • Add CRDs related to kubeadm controlplane to CI.
  • Add policies to configure default disk sizes and disk initialization for CAPA cluster.

Changed

  • Keep existing node-labels when ensuring the role=worker label exists in KubeadmConfigs.

0.5.0 - 2021-09-13

Added

  • Add AWS CNI security group rules to AWSCluster CR.

0.4.0 - 2021-09-03

Added

  • Default spec.location field for CAPZ AzureMachinePool CRs.

0.3.0 - 2021-09-02

Added

  • Default spec.location field for CAPZ AzureCluster CRs.

0.2.0 - 2021-08-31

Changed

  • Ensure controllerManager's extra arg allocate-node-cidrs is set to true in KubeadmControlPlane for Azure clusters.

0.1.3 - 2021-08-27

Changed

  • Ensure that kubeadm configs are not defaulted for control planes.

0.1.2 - 2021-08-25

Removed

  • Remove Service Monitor policy pending upstream bug fix.

0.1.1 - 2021-08-25

Fixed

  • Fix group controlplane for AWSManagedControlPlaneCR.

0.1.0 - 2021-08-25

Added

  • Defaulting region and sshKeyName in AWSManagedControlPlane CR.

0.0.11 - 2021-08-23

Changed

  • Enable labeling policies to work with v1alpha4 types.

0.0.10 - 2021-08-18

Fixed

  • Ensure the Silence Cluster policy do not replace matchers.

0.0.9 - 2021-08-17

Fixed

  • Fix CI issues for policies-shared.

0.0.8 - 2021-08-17

Added

  • Add Service Monitor policy to configure the default labelling schema.

0.0.7 - 2021-08-11

Added

  • Add documentation to test cases.
  • Add policy to not silence heartbeats

Changed

  • Restructured test fixtures.

0.0.6 - 2021-07-16

0.0.5 - 2021-07-16

Added

  • Add default for cluster description.
  • Add defaulting to set custom labels on worker nodes.

0.0.4 - 2021-07-14

0.0.3 - 2021-07-13

Added

  • Add default for aws control plane instance type.

0.0.2 - 2021-07-12

Added

  • Add defaulting for aws values.
  • Add integration tests for aws.

Changed

  • Reduced number of policy files.
  • Restructured CI setup to use Makefile.

0.0.1 - 2021-06-02