Release notes

Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.3/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

Added the ability to tag pods that present denials from either Seccomp or SELinux. This will happen through the 'spo.x-k8s.io/had-denials' label. (#846, @JAORMX)

Feature

Added the ability to use SelinuxProfile when creating profilebinding objects. (#854, @Vincent056)
The security_profiles_operator_selinux_profile_audit_total metric was actually enabled and uses the appropriate labels scraped from the audit.log file. (#916, @jhrozek)
The spod CR gains a new field webhookOptions which allows the webhooks' failurePolicy and namespaceSelector to be configurable. (#883, @jhrozek)
Added a syscall allow list in the SPOD configuration (#913, @ccojocar)
Make allowed seccomp actions configurable in the SPOD configuration. (#927, @ccojocar)
Make the tolerations of the webhook configurable via the SPOD configuration (#892, @ccojocar)

Documentation

It is now possible to install SPO from packages provided on operatorhub.io. User-facing documentation is provided in the installation-usage.md document. (#889, @jhrozek)

Bug or Regression

The security-profiles-operator namespace is now labeled with the following labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
To account for clusters that are enabling PSA and defaulting to the restricted one.

When using another namespace or creating the namespace with other means,
please ensure that the namespace has the above labels. (#944, @jhrozek)

Other (Cleanup or Flake)

Remove unnecessary configmap RBAC rules. (#942, @saschagrunert)
Updated cert-manager to v1.8.0. (#886, @saschagrunert)
Add SCMP_ACT_NOTIFY to the list of allowed seccomp actions (#929, @ccojocar)

Dependencies

Added

github.com/AdaLogics/go-fuzz-headers: 6c3934b
github.com/ahmetb/gen-crd-api-reference-docs: v0.3.0
github.com/andybalholm/brotli: v1.0.1
github.com/cert-manager/cert-manager: v1.8.0
github.com/dsnet/compress: f669936
github.com/go-logr/stdr: v1.2.2
github.com/golang-jwt/jwt/v4: v4.0.0
github.com/google/gnostic: v0.5.7-v3refs
github.com/googleapis/google-cloud-go-testing: bcd43fb
github.com/hashicorp/go-plugin: v1.4.3
github.com/hashicorp/go-secure-stdlib/mlock: v0.1.1
github.com/hashicorp/go-secure-stdlib/parseutil: v0.1.1
github.com/hashicorp/go-secure-stdlib/strutil: v0.1.1
github.com/hashicorp/yamux: 3520598
github.com/intel/goresctrl: v0.2.0
github.com/lithammer/dedent: v1.1.0
github.com/mholt/archiver/v3: v3.5.1
github.com/moby/sys/signal: v0.6.0
github.com/mogensen/kubernetes-split-yaml: v0.3.0
github.com/networkplumbing/go-nft: v0.2.0
github.com/nwaples/rardecode: v1.1.0
github.com/oklog/run: v1.0.0
github.com/pierrec/lz4/v4: v4.1.2
github.com/segmentio/asm: v1.1.3
github.com/segmentio/encoding: v0.3.3
github.com/xi2/xz: 48954b6
github.com/xrash/smetrics: 039620a
go.opentelemetry.io/otel/exporters/otlp/internal/retry: v1.3.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.3.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.3.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.3.0

Changed

bazil.org/fuse: 371fbbd → 5883e5a
cloud.google.com/go/firestore: v1.6.1 → v1.1.0
cloud.google.com/go/storage: v1.10.0 → v1.14.0
github.com/Azure/azure-sdk-for-go: v56.2.0+incompatible → v56.3.0+incompatible
github.com/Azure/go-autorest/autorest/adal: v0.9.14 → v0.9.15
github.com/Azure/go-autorest/autorest: v0.11.19 → v0.11.20
github.com/BurntSushi/toml: v1.0.0 → v1.1.0
github.com/Masterminds/squirrel: v1.5.0 → v1.5.2
github.com/Microsoft/go-winio: v0.5.1 → v0.5.2
github.com/ProtonMail/go-crypto: 428f8ea → a948124
github.com/armon/go-metrics: v0.3.10 → v0.3.9
github.com/carolynvs/magex: v0.7.0 → v0.8.1
github.com/cenkalti/backoff/v4: v4.1.1 → v4.1.2
github.com/census-instrumentation/opencensus-proto: v0.3.0 → v0.2.1
github.com/cncf/xds/go: a8f9461 → cb28da3
github.com/containerd/cgroups: v1.0.2 → v1.0.3
github.com/containerd/containerd: v1.5.9 → v1.6.4
github.com/containerd/go-cni: v1.0.2 → v1.1.5
github.com/containerd/imgcrypt: v1.1.1 → v1.1.4
github.com/containerd/stargz-snapshotter/estargz: v0.11.0 → v0.11.4
github.com/containernetworking/cni: v1.0.1 → v1.1.0
github.com/containernetworking/plugins: v1.0.1 → v1.1.1
github.com/containers/common: v0.47.5 → 400832f
github.com/containers/image/v5: v5.19.1 → v5.21.1
github.com/containers/libtrust: 14b9617 → 9c3a6c2
github.com/containers/ocicrypt: v1.1.2 → 566b808
github.com/containers/storage: v1.38.2 → v1.40.2
github.com/coreos/etcd: v3.3.15+incompatible → v3.3.13+incompatible
github.com/crossplane/crossplane-runtime: 85b19c2 → v0.16.0
github.com/docker/cli: v20.10.7+incompatible → v20.10.11+incompatible
github.com/docker/distribution: v2.8.0+incompatible → v2.8.1+incompatible
github.com/docker/docker: v20.10.12+incompatible → v20.10.15+incompatible
github.com/envoyproxy/go-control-plane: v0.10.1 → 49ff273
github.com/envoyproxy/protoc-gen-validate: v0.6.2 → v0.1.0
github.com/gobuffalo/flect: v0.2.3 → v0.2.5
github.com/godbus/dbus/v5: v5.0.6 → v5.1.0
github.com/golang/snappy: v0.0.3 → v0.0.4
github.com/google/cel-go: v0.9.0 → v0.10.1
github.com/google/martian/v3: v3.2.1 → v3.1.0
github.com/google/pprof: 4bb14d4 → 94a9f03
github.com/hashicorp/consul/api: v1.11.0 → v1.1.0
github.com/hashicorp/consul/sdk: v0.8.0 → v0.1.1
github.com/hashicorp/errwrap: v1.0.0 → v1.1.0
github.com/hashicorp/go-hclog: v1.0.0 → v0.16.2
github.com/hashicorp/go-uuid: v1.0.1 → v1.0.2
github.com/hashicorp/go-version: v1.1.0 → v1.2.0
github.com/hashicorp/mdns: v1.0.4 → v1.0.0
github.com/hashicorp/memberlist: v0.3.0 → v0.1.3
github.com/hashicorp/serf: v0.9.6 → v0.8.2
github.com/hashicorp/vault/api: v1.1.1 → v1.3.1
github.com/hashicorp/vault/sdk: v0.2.1 → v0.3.0
github.com/jmoiron/sqlx: v1.3.1 → v1.3.4
github.com/klauspost/compress: v1.14.2 → v1.15.2
github.com/lib/pq: v1.10.0 → v1.10.4
github.com/magefile/mage: v1.11.0 → v1.13.0
github.com/miekg/dns: v1.1.41 → v1.1.47
github.com/miekg/pkcs11: v1.0.3 → v1.1.1
github.com/mitchellh/cli: v1.1.0 → v1.0.0
github.com/mitchellh/copystructure: v1.1.1 → v1.2.0
github.com/mitchellh/reflectwalk: v1.0.1 → v1.0.2
github.com/moby/sys/mountinfo: v0.5.0 → v0.6.1
github.com/moby/sys/symlink: v0.1.0 → v0.2.0
github.com/onsi/ginkgo/v2: v2.0.0 → v2.1.4
github.com/onsi/gomega: v1.18.1 → v1.19.0
github.com/opencontainers/runc: v1.1.0 → v1.1.1
github.com/opencontainers/selinux: v1.10.0 → v1.10.1
github.com/ostreedev/ostree-go: 759a8c1 → 719684c
github.com/pascaldekloe/goe: v0.1.0 → 57f6aae
github.com/pelletier/go-toml: v1.9.4 → v1.9.3
github.com/pkg/sftp: v1.10.1 → v1.13.1
github.com/posener/complete: v1.2.3 → v1.1.1
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.55.1 → v0.57.0
github.com/prometheus/client_golang: v1.12.1 → v1.12.2
github.com/spf13/afero: v1.6.0 → v1.8.0
github.com/spf13/viper: v1.10.0 → v1.8.1
github.com/stretchr/testify: v1.7.1 → v1.7.2
github.com/sylabs/sif/v2: v2.3.1 → v2.7.0
github.com/tv42/httpunix: b75d861 → 2ba4b9c
github.com/urfave/cli/v2: v2.4.0 → v2.8.1
github.com/vbauerster/mpb/v7: v7.3.2 → v7.4.1
github.com/xeipuuv/gojsonpointer: df4f5c8 → 02993c4
go.etcd.io/etcd/client/v2: v2.305.1 → v2.305.0
go.etcd.io/etcd/client/v3: v3.5.0 → v3.5.1
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.20.0 → v0.28.0
go.opentelemetry.io/otel/sdk: v0.20.0 → v1.3.0
go.opentelemetry.io/otel/trace: v0.20.0 → v1.3.0
go.opentelemetry.io/otel: v0.20.0 → v1.3.0
go.opentelemetry.io/proto/otlp: v0.7.0 → v0.11.0
go.uber.org/atomic: v1.7.0 → v1.9.0
golang.org/x/crypto: e495a2d → 8634188
golang.org/x/sys: 039c03c → 9388b58
golang.org/x/time: 1f47c86 → 90d013b
google.golang.org/genproto: 00ab72f → 325a892
google.golang.org/grpc: v1.45.0 → v1.47.0
gopkg.in/cheggaaa/pb.v1: v1.0.27 → v1.0.25
gopkg.in/yaml.v3: 496545a → v3.0.1
helm.sh/helm/v3: v3.7.1 → v3.8.1
k8s.io/api: v0.23.5 → v0.24.1
k8s.io/apiextensions-apiserver: v0.23.5 → v0.24.0
k8s.io/apimachinery: v0.23.5 → v0.24.1
k8s.io/apiserver: v0.23.5 → v0.24.0
k8s.io/cli-runtime: v0.23.1 → v0.23.4
k8s.io/client-go: v0.23.5 → v0.24.1
k8s.io/code-generator: v0.23.5 → v0.24.0
k8s.io/component-base: v0.23.5 → v0.24.0
k8s.io/cri-api: v0.20.6 → v0.23.1
k8s.io/gengo: 485abfe → c02415c
k8s.io/klog: v0.4.0 → v0.2.0
k8s.io/kube-aggregator: v0.23.1 → v0.23.4
k8s.io/kube-openapi: e816edb → 3ee0da9
k8s.io/kubectl: v0.23.1 → v0.23.4
oras.land/oras-go: v0.4.0 → v1.1.0
sigs.k8s.io/controller-runtime: v0.11.2 → v0.12.1
sigs.k8s.io/controller-tools: v0.8.0 → v0.9.0
sigs.k8s.io/gateway-api: v0.3.0 → v0.4.1
sigs.k8s.io/json: c049b76 → 9f7c6b3
sigs.k8s.io/release-utils: v0.6.0 → v0.7.0

Removed

github.com/DataDog/datadog-go: v3.2.0+incompatible
github.com/Nvveen/Gotty: cd52737
github.com/cheggaaa/pb: v1.0.27
github.com/circonus-labs/circonus-gometrics: v2.3.1+incompatible
github.com/circonus-labs/circonusllhist: v0.1.3
github.com/coreos/go-etcd: v2.0.0+incompatible
github.com/cpuguy83/go-md2man: v1.0.10
github.com/globalsign/mgo: eeefdec
github.com/go-openapi/analysis: v0.19.2
github.com/go-openapi/errors: v0.19.2
github.com/go-openapi/loads: v0.19.2
github.com/go-openapi/runtime: v0.19.0
github.com/go-openapi/strfmt: v0.19.0
github.com/go-openapi/validate: v0.19.2
github.com/gophercloud/gophercloud: v0.1.0
github.com/gotestyourself/gotestyourself: v2.2.0+incompatible
github.com/iancoleman/strcase: v0.2.0
github.com/jetstack/cert-manager: v1.7.2
github.com/lyft/protoc-gen-star: v0.5.3
github.com/pborman/uuid: v1.2.0
github.com/remyoudompheng/bigfft: 52369c6
github.com/sagikazarmark/crypt: v0.3.0
github.com/sylabs/release-tools: v0.1.0
github.com/ugorji/go/codec: d75b2dc
gonum.org/v1/gonum: 3d26580
gonum.org/v1/netlib: 7672324
modernc.org/cc: v1.0.0
modernc.org/golex: v1.0.0
modernc.org/mathutil: v1.0.0
modernc.org/strutil: v1.0.0
modernc.org/xc: v1.0.0
sigs.k8s.io/structured-merge-diff: 6149e45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v0.4.3