
Releases: microsoft/kata-containers

3.2.0.azl1.genpolicy0

09 Jul 16:27
2d32df1

Release Notes

  • Added support for new confidential CSI driver types (cc-managed-csi, cc-local-csi, cc-azurefile-csi)
  • Added support for pulling container image layers using containerd (-d). This enables:
    • Managed identity authentication to private registries
    • Support for images with v1 manifest and prettyjws media type
  • Added support for read-only hostPath in pod spec
  • Updated the image layer caching mechanism to allow parallel runs
  • Added version flag (-v)
  • Added support for non-default namespace names. The namespace may now be specified in the genpolicy-settings.json file.
  • Persistent volume claims (PVCs) may now also be passed with the -c param (e.g. for a CSI driver)
  • Improved handling of images that have layers with special symlinks (tarfsindex crate)
  • Added persistent storage support for statefulsets

What's Changed

Limitations and important notes

  • This release is only compatible with Kata components based on release 3.2.0.azl0 and onwards
  • The build method has been updated from cargo build to LIBC=gnu BUILD_TYPE= make
  • Removed the -i option. Path handling is simplified with explicit flags for rules.rego (-p) and genpolicy-settings.json (-j)
  • Authentication to private registries is not supported on Windows
  • Windows support will be deprecated in the next release
  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses

Full Changelog: 3.2.0.azl0.genpolicy1...3.2.0.azl1.genpolicy0

3.2.0.azl2

05 Jun 19:40

This release only applies #197 over 3.2.0.azl1. This is needed to upgrade to LSG release v2405.9.2.
Full Changelog: 3.2.0.azl1...3.2.0.azl2

3.2.0.azl1

27 Apr 22:33
dda2c28

Release Notes

  • Reliability fixes for the tarfs driver (e.g. support for directories with many files in container images)
  • Improved handling of images that have layers with special symlinks (tarfsindex crate)
  • Added support for SMB mounts in the guest VM, for use with the cc-azurefile-csi driver
  • Improved agent shutdown behavior
  • Use PCI segments 1+ for blk devices. This adds support for container images with more than 31 layers
  • Replaced opa with regorus
    • Improves policy diagnosis and debugging
  • Improved cleanup of the clh process, which would occasionally linger after being asked to terminate

What's Changed

Full Changelog: 3.2.0.azl0...3.2.0.azl1

Limitations and important notes

  • This release requires genpolicy release 3.2.0.azl0.genpolicy1 and onwards

3.2.0.azl0.genpolicy1

28 Mar 19:17

Release notes

  • Added support for optional Env value in docker image config. This fixes an error on the latest version of commonly used images, such as busybox

What's Changed

  • genpolicy: fix optional docker image config Env support by @Redent0r in #168

Limitations and Important Notes

  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses
  • Doesn't support identity token based authentication for private registries

Full Changelog: 3.2.0.azl0.genpolicy...3.2.0.azl0.genpolicy1

3.2.0.azl0.genpolicy0

21 Mar 20:45

Release notes

  • Added support for the following fields: envFrom, shareProcessNamespace, runAsUser, seccompProfile, priorityClassName, and podDisruptionBudget
  • Fixed a panic in policy generation when the cache file doesn't exist
  • Block symlinks with directory traversal in CopyFileRequest

What's Changed

  • genpolicy: Add support for envFrom by @Redent0r in #128
  • genpolicy: pick up improvements from upstream by @danmihai1 in #149
  • genpolicy: add shareProcessNamespace support by @danmihai1 in #150
  • genpolicy: don't panic without cache file by @danmihai1 in #151
  • genpolicy: add support for runAsUser by @danmihai1 in #153
  • genpolicy: Add support for seccompProfile field by @Redent0r in #152
  • genpolicy: add priorityClassName as a field in PodSpec interface by @arc9693 in #145
  • genpolicy: add support for PodDisruptionBudget spec by @arc9693 in #156
  • genpolicy: block all relative paths for copyFile requests by @Redent0r in #166
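
The two CopyFileRequest hardening items in this release (rejecting relative destination paths, and rejecting symlinks whose target traverses out of the tree) both reduce to path validation on the agent side. The block below is an added illustration written for this page, not genpolicy's rules.rego or the kata agent's code: it models the checks in Rust against a hypothetical allow-list prefix (ALLOWED_PREFIXES is an assumption; the real policy expresses the allowed locations as regexes in the generated policy), and uses the agent protocol's field names `path` and `symlink_src` for the two inputs.

```rust
// Added illustration of the CopyFileRequest path checks; not code from
// microsoft/kata-containers. The allow-list prefix below is a hypothetical
// stand-in for the regexes a generated policy carries.

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    Deny(&'static str),
}

/// Hypothetical directory under which the host is allowed to copy files.
/// (Assumption for this example; the real values come from the generated policy.)
const ALLOWED_PREFIXES: &[&str] = &["/run/kata-containers/shared/containers/"];

/// True only for an absolute path whose segments are all plain names:
/// no empty segments (`//`), no `.`, and no `..`. Checking the raw string
/// rather than Path::components keeps `/a/./b` from being silently
/// normalised and accepted.
fn is_clean_absolute(path: &str) -> bool {
    match path.strip_prefix('/') {
        Some(rest) => rest
            .split('/')
            .all(|seg| !seg.is_empty() && seg != "." && seg != ".."),
        None => false,
    }
}

/// Validate one request. `path` is the destination inside the guest;
/// `symlink_src` is the link target when the request creates a symlink
/// (empty otherwise, matching the agent protocol's field name).
pub fn check_copy_file(path: &str, symlink_src: &str) -> Verdict {
    // Relative or non-normalised destinations are rejected outright.
    if !is_clean_absolute(path) {
        return Verdict::Deny("path must be absolute and normalised");
    }
    // Even a clean absolute path must land inside an allowed tree.
    if !ALLOWED_PREFIXES.iter().any(|p| path.starts_with(p)) {
        return Verdict::Deny("path outside allowed prefixes");
    }
    if !symlink_src.is_empty() {
        // The link target is resolved by the guest kernel later, so an
        // absolute target or any `..` would let the link escape the
        // container's tree regardless of where the link itself lives.
        if symlink_src.starts_with('/') {
            return Verdict::Deny("symlink target must be relative");
        }
        if symlink_src.split('/').any(|seg| seg.is_empty() || seg == "..") {
            return Verdict::Deny("symlink target contains traversal");
        }
    }
    Verdict::Allow
}

fn main() {
    // Constructed sample requests, not captured agent traffic.
    let root = "/run/kata-containers/shared/containers/abc/rootfs";
    let samples = [
        (format!("{root}/etc/hosts"), ""),
        ("etc/hosts".to_string(), ""),
        (format!("{root}/../../../../etc/passwd"), ""),
        (format!("{root}/link"), "../../../etc/shadow"),
        (format!("{root}/link"), "etc/hosts"),
    ];
    for (path, src) in &samples {
        println!("{path} (symlink_src={src:?}) -> {:?}", check_copy_file(path, src));
    }
}
```

The order of the checks matters: the traversal test runs on the raw request string before any prefix comparison, so a destination such as `/run/kata-containers/shared/containers/../../../etc/passwd` is refused even though it starts with the allowed prefix.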

Limitations and Important Notes

  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses
  • Doesn't support identity token based authentication for private registries

Full Changelog: genpolicy-0.6.2-5...genpolicy-0.6.2-6

3.2.0.azl0

15 Feb 16:44
  • Aligning with the latest vanilla Kata release, both packages now use the same sources based on upstream v3.2.0 plus some Microsoft changes for AKS
  • osbuilder: use Azure Linux PMC UVM build meta-package

There is no new release of genpolicy with this version, please keep using genpolicy 0.6.2-5.

genpolicy-0.6.2-5

08 Jan 22:00
7da3655

Release notes

  • Policy generation improvements

What's Changed

Full Changelog: genpolicy-0.6.2-4...genpolicy-0.6.2-5

Limitations and Important Notes

  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses
  • subPath field in the volume mount is not supported
  • Pod Disruption Budget is not supported
  • Priority Classes are not supported
  • User managed identity based ACR authentication is not supported

cc-0.6.3

08 Jan 19:51
3083bf9
  • merge upstream 3.2 code base
  • utarfs: implement the enumeration of xattrs
  • enforce restrictive policy
  • alignment of memory allocation between vanilla Kata and Kata-CC

genpolicy-0.6.2-4

21 Dec 22:54
684477e

Release notes

  • Add support for images with application/vnd.oci.image.index.v1+json manifest media type, such as latest versions of docker.io/library/busybox and docker.io/library/ubuntu

What's Changed

  • genpolicy: Update oci_distribution to 0.10.0 by @Redent0r in #129
  • lib: Add type definition for Windows support by @Redent0r in #134

Full Changelog: https://github.com/microsoft/kata-containers/commits/genpolicy-0.6.2-4

Limitations and Important Notes

  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses
  • subPath field in the volume mount is not supported
  • Pod Disruption Budget is not supported
  • Priority Classes are not supported

genpolicy-0.6.2-3

19 Dec 19:52
da40e41

Release notes

  • Add support for running genpolicy concurrently
  • Update default configuration to deny UpdateEphemeralMountsRequest by default

What's Changed

Full Changelog: genpolicy-0.6.2-2...genpolicy-0.6.2-3

Limitations and Important Notes

  • Doesn't support CronJob deployment
  • Doesn't support the UDP protocol for Services, LoadBalancers, and EndpointSlices
  • Only supports pods that use IPv4 addresses
  • subPath field in the volume mount is not supported
  • Pod Disruption Budget is not supported
  • Priority Classes are not supported