Release v0.3.0 · kubernetes-sigs/security-profiles-operator

Welcome to the next iteration of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳

Please be aware that the operator now requires cert-manager as hard requirement. To install cert-manager, simply run:

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
$ kubectl --namespace cert-manager wait --for condition=ready pod -l app.kubernetes.io/instance=cert-manager

To install the operator afterwards, execute:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.3.0/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

Adds a new CRD ProfileBinding to define a relationship between a Pod and a profile resource. Currently only supports the SeccompProfile kind. (#179, @cmurphy)
Adds a new attribute status.seccompProfile\.localhostProfile and column SECCOMPPROFILE.LOCALHOSTPROFILE to indicate what should be included in a pod spec. (#166, @cmurphy)
SelinuxPolicy has been removed and is now SelinuxProfile. (#396, @JAORMX)
The DaemonSet configuration is now handled by a Custom Resource called
SecurityProfilesOperatorDaemon. (#336, @JAORMX)
The SelinuxProfile CRD no longer has the apply flag in the spec. (#406, @JAORMX)

Feature

Added possibility to record seccomp profiles from replicas (#363, @saschagrunert)
Added seccomp audit log enrichment feature (#251, @pjbgf)
Added seccomp profile recording support via the OCI seccomp BPF hook (#247, @saschagrunert)
Added toleration for the control-plane taint to support the renaming of "master" taints (#196, @pjbgf)
Added minimum crun base profile (#291, @saschagrunert)
Added multi-architecture support to the container image (amd64 and arm64 for now) (#296, @saschagrunert)
Added the ability to delete seccomp profiles from nodes by deleting SeccompProfile resources. Added new fields activeWorkloads and status to the status subresource of the SeccompProfile kind. (#155, @cmurphy)
Added UBI-based Dockerfile. (#172, @JAORMX)
Automatically deploy the default profiles in the correct namespace without having a need for an additional kubectl apply command. (#269, @saschagrunert)
Log enricher now supports SELinux log lines and runs unprivileged. (#339, @pjbgf)
Removed docker.io/bash:5 container image dependency for non-root-enabler logic. (#306, @saschagrunert)
The selinux component can now be enabled or disabled through the CongfiMap named config by toggling a boolean option called EnableSelinux.
Since not all Linux distributions support SeLinux, its support is disabled by default. (#214, @jhrozek)
The separate webhook deployment, which enabled the ProfileBinding and ProfileRecording resources, has now been merged into the main operator deployment manifest. (#387, @cmurphy)
Updates to the SecurityProfilesOperatorDaemon object are now reflected in the daemonset. (#342, @JAORMX)
Initial SELinux policy support is implemented. This adds a CRD called SelinuxPolicy, which the operator uses to ensure policies are installed on the nodes. (#165, @JAORMX)
Conditions were added to the SelinuxPolicy object's status. (#174, @JAORMX)
The main deployment method is now a Deployment object that requires a ConfigMap called "config". (#180, @JAORMX)

Documentation

Added complain-mode seccomp profile that is safer to run in production workloads (#260, @pjbgf)
Removed additional custom-profiles seccomp path from installation manual. (#414, @saschagrunert)

Failing Test

The sigs.k8s.io/security-profiles-operator/api/v1alpha1 package which defined the SeccompProfile and SelinuxPolicy types was split into two packages, sigs.k8s.io/security-profiles-operator/api/seccompprofile/v1alpha1 and sigs.k8s.io/security-profiles-operator/api/selinuxpolicy/v1alpha1 and must be imported separately. (#178, @cmurphy)

Bug or Regression

A bug where a profile could have been deleted while still in use by pods was fixed (#383, @jhrozek)
A new node status controller now runs on the main operator Deployment.
To standardize on a common status model, the SelinuxPolicy state was renamed to status.
The controller manager now listens on the same namespaces as the DaemonSet does. And thus requires more RBAC permissions.
The SecurityProfilesOperatorDaemon Custom Resource is now Namespaced and not Cluster scoped. (#389, @JAORMX)
Fixed default nginx seccomp profile to work with crun (tested with v0.17) (#290, @saschagrunert)
The security-profiles-operator now ships with separate service accounts for the daemon and webhook (#325, @JAORMX)

Other (Cleanup or Flake)

Added support for seccomp CRD architecture SCMP_ARCH_NATIVE. (#272, @saschagrunert)
Decreased docker builds duration by using cache (#243, @naveensrinivasan)
Removed targetWorkload field from seccomp profile CRD (#350, @saschagrunert)
The namespaced-operator deployment now relies on a ClusterRole and a ClusterRoleBinding instead of the previous Role And RoleBinding objects. It now more closely resembles the cluster-operator deployment. (#295, @JAORMX)
The workload that handles SELinux policy installation (selinuxd) is no longer a privileged container. (#372, @JAORMX)
Throw "profile saved to disk" event only if a profile modification happened on the node. (#370, @saschagrunert)

Dependencies

Added

bazil.org/fuse: 371fbbd
cloud.google.com/go/logging: v1.1.2
github.com/Azure/azure-sdk-for-go: v42.3.0+incompatible
github.com/Azure/go-autorest/autorest/to: v0.3.0
github.com/Azure/go-autorest/autorest/validation: v0.2.0
github.com/Azure/go-autorest: v14.2.0+incompatible
github.com/GoogleCloudPlatform/k8s-cloud-provider: 27a4ced
github.com/Microsoft/hcsshim/test: 43a75bb
github.com/Shopify/logrus-bugsnag: 577dee2
github.com/alexflint/go-filemutex: 72bdc8e
github.com/bitly/go-simplejson: v0.5.0
github.com/bmizerany/assert: b7ed37b
github.com/bshuster-repo/logrus-logstash-hook: v0.4.1
github.com/buger/jsonparser: f4dd9f5
github.com/bugsnag/bugsnag-go: b1d1530
github.com/bugsnag/osext: 0dd3f91
github.com/bugsnag/panicwrap: e2c2850
github.com/cenkalti/backoff/v4: v4.1.0
github.com/containerd/aufs: 20793ff
github.com/containerd/btrfs: 918d888
github.com/containerd/go-cni: v1.0.1
github.com/containerd/imgcrypt: 7ed62a5
github.com/containerd/nri: dbaa18c
github.com/containerd/stargz-snapshotter/estargz: 2b97b58
github.com/containerd/zfs: dde8f0f
github.com/containernetworking/cni: v0.8.0
github.com/containernetworking/plugins: v0.8.6
github.com/coreos/go-iptables: v0.4.5
github.com/d2g/dhcp4: a1d1b6c
github.com/d2g/dhcp4client: v1.0.0
github.com/d2g/dhcp4server: 7d4a0a7
github.com/d2g/hardwareaddr: e7d9fbe
github.com/denverdino/aliyungo: a747050
github.com/dnaeon/go-vcr: v1.0.1
github.com/docker/cli: a8ff7f8
github.com/docker/go-events: e31b211
github.com/form3tech-oss/jwt-go: v3.2.2+incompatible
github.com/fullsailor/pkcs7: d7302db
github.com/garyburd/redigo: 535138d
github.com/go-ini/ini: v1.25.4
github.com/go-task/slim-sprig: 348f09d
github.com/gogo/googleapis: v1.4.0
github.com/golang/snappy: v0.0.3
github.com/gomarkdown/markdown: 8c8b381
github.com/google/go-containerregistry: v0.3.0
github.com/google/go-github/v33: v33.0.0
github.com/google/go-intervals: v0.0.2
github.com/gorilla/handlers: 60c7bfd
github.com/j-keck/arping: 2cf9dc6
github.com/juju/ansiterm: 720a095
github.com/lunixbochs/vtclean: 2d01aac
github.com/magefile/mage: v1.10.0
github.com/manifoldco/promptui: v0.8.0
github.com/marstr/guid: v1.1.0
github.com/miekg/pkcs11: v1.0.3
github.com/mitchellh/osext: 5e2d6d4
github.com/mmarkdown/mmark: v2.0.40+incompatible
github.com/moby/spdystream: v0.2.0
github.com/moby/sys/symlink: v0.1.0
github.com/ncw/swift: v1.0.47
github.com/pelletier/go-buffruneio: v0.2.0
github.com/rivo/uniseg: v0.2.0
github.com/rubiojr/go-vhd: 0bfd3b3
github.com/safchain/ethtool: 42ed695
github.com/satori/go.uuid: v1.2.0
github.com/shirou/gopsutil/v3: v3.20.12
github.com/src-d/gcfg: v1.4.0
github.com/stefanberger/go-pkcs11uri: 78d3cae
github.com/stoewer/go-strcase: v1.2.0
github.com/vbauerster/mpb/v6: v6.0.3
github.com/vdemeester/k8s-pkg-credentialprovider: f1d1696
github.com/vmware/govmomi: v0.20.3
github.com/yvasiyarov/go-metrics: 57bccd1
github.com/yvasiyarov/gorelic: a9bba5b
github.com/yvasiyarov/newrelic_platform_go: b21fdbd
go.uber.org/goleak: v1.1.10
go.uber.org/tools: 2cfd321
golang.org/dl: 82a15e2
golang.org/x/term: 7de9c90
google.golang.org/cloud: 975617b
gopkg.in/airbrake/gobrake.v2: v2.0.9
gopkg.in/gcfg.v1: v1.2.0
gopkg.in/gemnasium/logrus-airbrake-hook.v2: v2.1.2
gopkg.in/src-d/go-billy.v4: v4.3.2
gopkg.in/src-d/go-git-fixtures.v3: v3.5.0
gopkg.in/src-d/go-git.v4: v4.13.1
k8s.io/cloud-provider: v0.18.8
k8s.io/cri-api: v0.20.1
k8s.io/csi-translation-lib: v0.18.8
k8s.io/kubernetes: v1.13.0
k8s.io/legacy-cloud-providers: v0.18.8
sigs.k8s.io/mdtoc: v1.0.1

Changed

cloud.google.com/go/storage: v1.11.0 → v1.12.0
cloud.google.com/go: v0.65.0 → v0.75.0
github.com/Azure/go-autorest/autorest/adal: v0.8.2 → v0.9.5
github.com/Azure/go-autorest/autorest/date: v0.2.0 → v0.3.0
github.com/Azure/go-autorest/autorest/mocks: v0.3.0 → v0.4.1
github.com/Azure/go-autorest/autorest: v0.9.6 → v0.11.1
github.com/Azure/go-autorest/logger: v0.1.0 → v0.2.0
github.com/Azure/go-autorest/tracing: v0.5.0 → v0.6.0
github.com/GoogleCloudPlatform/testgrid: v0.0.22 → v0.0.38
github.com/Microsoft/go-winio: fc70bd9 → 6eac466
github.com/Microsoft/hcsshim: v0.8.9 → v0.8.16
github.com/StackExchange/wmi: 5d04971 → cbe6696
github.com/aws/aws-sdk-go: v1.15.78 → v1.31.6
github.com/checkpoint-restore/go-criu/v4: v4.0.2 → v4.1.0
github.com/cilium/ebpf: a9f01ed → v0.2.0
github.com/cncf/udpa/go: 269d4d4 → efcf912
github.com/containerd/cgroups: bf292b2 → 8a68de5
github.com/containerd/console: v1.0.0 → v1.0.1
github.com/containerd/containerd: v1.3.2 → v1.5.0-beta.4
github.com/containerd/continuity: aaeac12 → 50096c9
github.com/containerd/fifo: a9fb20d → 115abcc
github.com/containerd/go-runc: 5a6d9f3 → 16b287b
github.com/containerd/ttrpc: 0e0f228 → v1.0.2
github.com/containerd/typeurl: a93fcdb → v1.0.1
github.com/containers/common: v0.26.3 → v0.37.0
github.com/containers/image/v5: v5.7.0 → v5.11.1
github.com/containers/ocicrypt: v1.0.3 → v1.1.0
github.com/containers/storage: v1.23.7 → v1.30.0
github.com/coreos/go-systemd/v22: v22.0.0 → v22.1.0
github.com/creack/pty: v1.1.9 → v1.1.11
github.com/crossplane/crossplane-runtime: v0.10.0 → v0.13.0
github.com/docker/docker: a9416c6 → 646072e
github.com/envoyproxy/go-control-plane: v0.9.4 → v0.9.7
github.com/go-git/go-git-fixtures/v4: v4.0.1 → f56387b
github.com/go-git/go-git/v5: v5.1.0 → v5.2.0
github.com/go-logr/logr: v0.3.0 → v0.4.0
github.com/go-logr/zapr: v0.1.0 → v0.2.0
github.com/go-ole/go-ole: v1.2.1 → v1.2.4
github.com/go-openapi/analysis: v0.19.5 → v0.19.2
github.com/go-openapi/loads: v0.19.4 → v0.19.2
github.com/go-openapi/runtime: v0.19.4 → v0.19.0
github.com/go-openapi/strfmt: v0.19.3 → v0.19.0
github.com/go-openapi/validate: v0.19.5 → v0.19.2
github.com/go-sql-driver/mysql: v1.4.0 → v1.5.0
github.com/gobuffalo/flect: v0.1.5 → v0.2.2
github.com/gogo/protobuf: v1.3.1 → v1.3.2
github.com/golang/protobuf: v1.4.2 → v1.4.3
github.com/google/go-cmp: v0.5.2 → v0.5.5
github.com/google/martian/v3: v3.0.0 → v3.1.0
github.com/google/pprof: 1a94d86 → b9804c9
github.com/google/uuid: v1.1.2 → v1.1.4
github.com/googleapis/gnostic: v0.4.1 → v0.5.1
github.com/gorilla/mux: v1.7.4 → v1.8.0
github.com/hashicorp/go-multierror: v1.1.0 → v1.1.1
github.com/ianlancetaylor/demangle: 5e5cf60 → 28f6c0f
github.com/jmespath/go-jmespath: 0b12d6b → v0.3.0
github.com/kisielk/errcheck: v1.2.0 → v1.5.0
github.com/klauspost/compress: v1.11.1 → v1.12.1
github.com/mattn/go-colorable: v0.1.4 → v0.1.8
github.com/mattn/go-isatty: v0.0.11 → v0.0.12
github.com/mattn/go-runewidth: v0.0.9 → v0.0.10
github.com/mattn/go-shellwords: v1.0.10 → v1.0.11
github.com/maxbrunsfeld/counterfeiter/v6: v6.2.3 → v6.4.1
github.com/mistifyio/go-zfs: v2.1.1+incompatible → f784269
github.com/mitchellh/mapstructure: v1.1.2 → v1.4.1
github.com/moby/sys/mountinfo: v0.4.0 → v0.4.1
github.com/moby/term: 672ec06 → df9cb8a
github.com/mrunalp/fileutils: 7d4729f → v0.5.0
github.com/nxadm/tail: v1.4.4 → v1.4.8
github.com/onsi/ginkgo: v1.14.2 → v1.16.1
github.com/onsi/gomega: v1.10.3 → v1.11.0
github.com/opencontainers/image-spec: 775207b → 79b036d
github.com/opencontainers/runc: v1.0.0-rc91 → v1.0.0-rc93
github.com/opencontainers/runtime-spec: 237cc4f → e6143ca
github.com/opencontainers/selinux: v1.6.0 → v1.8.0
github.com/prometheus/procfs: v0.1.3 → v0.6.0
github.com/psampaz/go-mod-outdated: v0.6.0 → v0.7.0
github.com/saschagrunert/go-modiff: v1.2.0 → v1.2.1
github.com/sendgrid/rest: v2.6.1+incompatible → v2.6.2+incompatible
github.com/sendgrid/sendgrid-go: v3.6.3+incompatible → v3.7.2+incompatible
github.com/sirupsen/logrus: v1.7.0 → v1.8.1
github.com/spf13/cobra: v1.1.1 → v1.1.3
github.com/stretchr/testify: v1.6.1 → v1.7.0
github.com/syndtr/gocapability: d983527 → 42c35b4
github.com/ulikunitz/xz: v0.5.8 → v0.5.10
github.com/urfave/cli: v1.22.1 → v1.22.2
github.com/willf/bitset: d5bec33 → v1.1.11
github.com/yuin/goldmark: v1.2.1 → v1.3.1
go.etcd.io/etcd: 3cf2f69 → dd1b699
go.opencensus.io: v0.22.4 → v0.22.5
go.uber.org/atomic: v1.4.0 → v1.6.0
go.uber.org/multierr: v1.1.0 → v1.5.0
go.uber.org/zap: v1.10.0 → v1.15.0
golang.org/x/crypto: 75b2880 → 7f63de1
golang.org/x/lint: 738671d → 83fdc39
golang.org/x/mod: v0.3.0 → v0.4.0
golang.org/x/net: a7d1128 → 0fccb6f
golang.org/x/oauth2: 5d25da1 → 01de73c
golang.org/x/sync: 6e8e738 → 09787c9
golang.org/x/sys: fdedc70 → 4fbd30e
golang.org/x/text: v0.3.3 → v0.3.5
golang.org/x/time: 555d28b → 3af7569
golang.org/x/tools: 39188db → v0.1.0
gomodules.xyz/jsonpatch/v2: v2.0.1 → v2.1.0
google.golang.org/api: v0.32.0 → v0.36.0
google.golang.org/appengine: v1.6.6 → v1.6.7
google.golang.org/genproto: 0bd0a95 → 22ae2b1
google.golang.org/grpc: v1.31.1 → v1.34.0
gopkg.in/check.v1: 8fa4692 → 038fdea
gopkg.in/square/go-jose.v2: v2.3.1 → v2.5.1
gopkg.in/yaml.v2: v2.3.0 → v2.4.0
gopkg.in/yaml.v3: 9f266ea → eeeca48
gotest.tools/v3: v3.0.2 → v3.0.3
k8s.io/api: v0.19.3 → v0.20.5
k8s.io/apiextensions-apiserver: v0.18.6 → v0.20.2
k8s.io/apimachinery: v0.19.3 → v0.21.0
k8s.io/apiserver: v0.18.6 → v0.20.2
k8s.io/client-go: v0.19.2 → v0.20.5
k8s.io/code-generator: v0.19.2 → v0.20.2
k8s.io/component-base: v0.19.2 → v0.20.2
k8s.io/gengo: 8167cfd → 83324d8
k8s.io/klog/v2: v2.4.0 → v2.8.0
k8s.io/kube-openapi: 6aeccd4 → 591a79e
k8s.io/release: v0.4.1 → v0.7.0
k8s.io/utils: 4140de9 → fddb29f
sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.7 → v0.0.14
sigs.k8s.io/controller-runtime: v0.6.3 → v0.8.3
sigs.k8s.io/controller-tools: v0.2.4 → v0.5.0
sigs.k8s.io/structured-merge-diff/v4: v4.0.1 → v4.1.0

Removed

github.com/MakeNowJust/heredoc: bb23615
github.com/agnivade/levenshtein: v1.0.1
github.com/andreyvit/diff: c7f18ee
github.com/chai2010/gettext-go: c6fed77
github.com/daviddengcn/go-colortext: 511bcaf
github.com/exponent-io/jsonpath: d6023ce
github.com/fatih/camelcase: v1.0.0
github.com/golangplus/bytes: 45c989f
github.com/golangplus/fmt: 2a5d6d7
github.com/golangplus/testing: af21d9c
github.com/liggitt/tabwriter: 89fcab3
github.com/lithammer/dedent: v1.1.0
github.com/mitchellh/go-wordwrap: v1.0.0
github.com/tidwall/pretty: v1.0.0
github.com/vektah/gqlparser: v1.1.2
go.mongodb.org/mongo-driver: v1.1.2
k8s.io/cli-runtime: v0.19.2
k8s.io/kubectl: v0.19.2
k8s.io/metrics: v0.19.2
sigs.k8s.io/kustomize: v2.0.3+incompatible

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v0.3.0