Changelog
⚠️ Security
- GHSA-gxjc-74v5-3vx3 Moderate: Malformed ForbiddenAnnotations.Regex can bypass Tenant validation and trigger namespace admission panic
- GHSA-gjw4-3v3v-rqxg High: Tenant owner bypasses Capsule's forbidden namespace/service/node label and annotation enforcement because
ForbiddenListSpec.ExactMatchrunssort.SearchStrings(byte order) over a slice sorted case-insensitively - GHSA-f94q-w3w8-cj67 Moderate: hostnameRegexHandler.OnUpdate validates stale (old) Tenant regex, allowing invalid AllowedHostnames regex to bypass webhook validation
✨ New Features
- 755cef5: feat(rules): add service enforcement rules (#1982) (@oliverbaehler) - Read More
- 755cef5: feat(chart): add flowschema and apipriority (#1982) (@oliverbaehler)
- 0b11582: feat: add scheduler enforcement rule (#1971) (@oliverbaehler) - Read More
🐛 Bug fixes
- 8d89d68: fix(sec): corrects validation for regex objects (hostname and forbidden (#1983) (@oliverbaehler)
- 4e9e529: fix(webhook): remove dead diff code block that panics on nil namespace metadata (#1976) (@jouve)
Full Changelog: v0.13.6...v0.13.7
Check out what's new in this release
Docker Images
ghcr.io/projectcapsule/capsule:0.13.7ghcr.io/projectcapsule/capsule:latest
Helm Chart
View this release on Artifact Hub or use the OCI helm chart:
ghcr.io/projectcapsule/charts/capsule:0.13.7
Review the Major Changes section first before upgrading to a new version
Important
Kubernetes compatibility
Note that the Capsule project offers support only for the latest minor version of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is offered by vendors.
| Kubernetes version | Minimum required |
|---|---|
v1.35 |
>= 1.35.0 |
Thanks to all the contributors! 🚀 🦄
Contributors
jouve and oliverbaehler