Changelog
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[3.9.0-bb.2]
Changed
- Updated to latest kubectl v1.24.4
- Updated to latest gluon 0.3.0
[3.9.0-bb.1]
Changed
- Remove old Ingress APIs
[3.9.0-bb.0]
Changed
- Updated application and corresponding helm chart to v3.9.0
[3.8.1-bb.5] - 2022-07-25
Changed
- Removed `ProcMount` from Helm test to avoid conflicts with `PodSecurityPolicy` in some K8S distributions
[3.8.1-bb.4] - 2022-07-22
Changed
- Fixed PodDisruptionBudget to default to the `v1` API when neither `v1` nor `v1beta1` is found. This should prevent it from being flagged as deprecated.
[3.8.1-bb.3]
Changed
- Add Openshift SCCs
[3.8.1-bb.2]
Changed
- Re-disabled PSP due to issues fixed in RKE2
[3.8.1-bb.1]
Changed
- Updated to latest gluon 0.2.10
[3.8.1-bb.0]
Changed
- Updated to latest IB image 3.8.1
- Updated to latest gluon 0.2.9
[3.8.0-bb.1]
Changed
- Added OSCAL component file
[3.8.0-bb.0]
Changed
- Updated application and corresponding helm chart to v3.8.0
[3.7.1-bb.0]
Changed
- Updated application and corresponding helm chart to v3.7.1
[3.7.0-bb.9]
Changed
- Updated kubectl images to 1.22.2
- Updated renovate to monitor all images, including the `kubectl`, test and CRD images
[3.7.0-bb.8]
Changed
- Updated kubectl image
[3.7.0-bb.7]
Changed
- Re-enabled PSP due to issues on RKE2
[3.7.0-bb.6]
Changed
- Disabled PSP due to deprecation warning
[3.7.0-bb.5]
Fixed
- Update Chart.yaml to follow new standardization for release automation
- Added renovate check to update new standardization
[3.7.0-bb.4]
Fixed
- Missing emptyDir in PSP, copied from upstream fix: https://github.com/open-policy-agent/gatekeeper/commit/ae9e7dd1c8c5a23e748f0893468abe18218fa357
[3.7.0-bb.3]
Changed
- Relocated bbtest values
[3.7.0-bb.2]
Changed
- Refactoring helm tests
[3.7.0-bb.1]
Fixed
- Fixed missing kpt updates from 3.7.0 upgrade
[3.7.0-bb.0]
Changed
- Updated application and corresponding helm chart to v3.7.0
- Updated kubectl image
[3.6.0-bb.2]
Changed
- Enable OPA to log denies by default
[3.6.0-bb.1]
Changed
- Set validatingWebhookTimeoutSeconds to 15 seconds.
[3.6.0-bb.0]
Changed
- Updated application and corresponding helm chart to v3.6.0
[3.5.2-bb.2]
Added
- ConstraintTemplate CRD v1 version. Storage set to false.
[3.5.2-bb.1]
Changed
- Updated upgrade job to remove orphan or disabled constraints.
[3.5.2-bb.0]
Changed
- Updated application and corresponding helm chart to v3.5.2
[3.5.1-bb.16]
Changed
- Changed resource limits and requirements for manager pods
[3.5.1-bb.15]
Changed
- Changed names of several Constraint Templates to work around an upgrade problem when changing CRD schema
[3.5.1-bb.14]
Changed
- Fixed problems with K8sPSPHostNetworkingPorts template
- Added fine grained control of excluded resources using namespace and resource name
- Added chart label to controller to force reroll on chart upgrades
- Renamed constraint template `K8sRequiredPod` to `K8sQualityOfService` and removed deprecated violations
Removed
- Deprecated constraint templates removed:
  - `K8sRequiredLabels` (use `K8sRequiredLabelValues` instead)
  - `K8sIstioInjection` (use `K8sRequiredLabelValues` instead)
  - `K8sPSPFSGroup` (use `K8sPSPAllowedUsers` instead)
[3.5.1-bb.13]
Changed
- Updated Post-upgrade job to use imagePullSecrets
[3.5.1-bb.12]
Changed
- Removed Big Bang overrides from default values. Look in the Big Bang repo under `chart/templates/gatekeeper/values.yaml` for overrides.
[3.5.1-bb.11]
Added
- Post-upgrade job to remove disabled constraints
Changed
- Moved constraint kind and name to values.yaml
[3.5.1-bb.10]
Changed
- Removed rule for `unique-service-selector`
[3.5.1-bb.9]
Changed
- Changed the resource requests and limits to be equal
[3.5.1-bb.8]
Changed
- Excluded kube-system from all constraints through config
- Reverted values to no longer include kube-system as excluded
[3.5.1-bb.7]
Changed
- Set batch mode default to process 500 entries to reduce memory footprint
- Turned on match kind only to reduce memory footprint
- Increased audit interval to every 5 minutes
[3.5.1-bb.6]
Changed
- Updated constraint `no-host-namespace` enforcement to default deny
- Removed monitoring namespace exception for constraint `host-networking`
[3.5.1-bb.5]
Changed
- Remove duplicate keys in Chart.yaml
[3.5.1-bb.4]
Changed
- Updated constraint `https-only` enforcement to default deny
[3.5.1-bb.3]
Changed
- Updated constraint `volume-types` enforcement to default deny
[3.5.1-bb.2]
Changed
- Updated constraint `allowed-docker-registries` enforcement to default deny
- Excluded kube-system namespace for constraint `allowed-docker-registries`
[3.5.1-bb.1]
Changed
- Updated constraint `restrictedTaint` enforcement to default deny; added exception for the `monitoring` namespace to allow prometheus-node-exporter pods
[3.5.1-bb.0]
Changed
- Updated application and corresponding helm chart to v3.5.1
[3.4.0-bb.19]
Changed
- Disabled `app-armor-profiles` constraint by default
[3.4.0-bb.18]
Changed
- Align Cluster Auditor default constraint values to Kubernetes Pod Security Standard
[3.4.0-bb.17]
Changed
- Updated constraint `selinux-policy` enforcement to default deny
- Added exception for logging namespace to selinux policy
[3.4.0-bb.16]
Changed
- Updated constraint `unique-ingress-hosts` enforcement to default deny
[3.4.0-bb.15]
Changed
- Updated constraint `host-networking` enforcement to default deny
- Added exemption for monitoring namespace; this prevents the `K8sPSPHostNetworkingPorts` template from reporting a violation on the monitoring namespace.
[3.4.0-bb.14]
Changed
- Updated constraint `no-privileged-containers` enforcement to default deny
- Added exception for logging namespace to no-privileged-containers constraint
[3.4.0-bb.13]
Changed
- Updated constraint `banned-image-tags` enforcement to default deny
- Added violation to constraintTemplate `k8sbannedimagetags` to not allow containers with no specified tag
[3.4.0-bb.12]
Changed
- Changed nosysctls policy to deny
[3.4.0-bb.11]
Changed
- Reverted constraint `pods-have-istio` enforcement to default dryrun
- Fixed podsHaveIstio disallowed regex (`sidecar.istio.io/inject` set to false) and excluded the istio-system namespace
[3.4.0-bb.10]
Changed
- Remove flexVolume and hostPath as default allowable for allowedFlexVolume constraint
[3.4.0-bb.9]
Changed
- Updated constraint `pods-have-istio` enforcement to default deny
[3.4.0-bb.8]
Modified
- Modified the default enforcement action of allowed-flex-volumes to deny
[3.4.0-bb.7]
Added
- Added network policies to lock down egress/ingress
Changed
- Move tests from bb-test-lib to gluon
[3.4.0-bb.6]
Modified
- Modified the default enforcement action of allowProcMount to deny.
[3.4.0-bb.5]
Changed
- Changed allowed-ips constraint to deny
[3.4.0-bb.4]
Changed
- Changed names of all constraints so that during upgrade, cluster-auditor will not delete them.
[3.4.0-bb.3]
Changed
- Updated CI values to only include the "default" namespace for deny actions
[3.4.0-bb.2]
Added
- `K8sDenySADefault` constraint template
- `K8sDenySADefault` constraint
- Added `ServiceAccount` for good pod testing
Changed
- Removed `K8sDenyServiceAccountTokentAutoMount` constraint template
- Updated test script to account for added SA.
[3.4.0-bb.1]
Added
- Constraints were moved from cluster-auditor to OPA gatekeeper package
Changed
- Constraint template library split into individual files
- Constraints renamed to match values.yaml
- Constraint Templates renamed to match kind
[3.4.0-bb.0]
Added
- Common labels on Big Bang created components
Changed
- Updated helm chart to upstream v3.4.0, which included the following notable items:
  - Removal of Helm v2 support. See upgrade instructions
  - Experimental use of Mutation
  - Use of helm specified namespace vs. hardcoded `gatekeeper-system`
- Update docs/ConstraintTemplates list with latest templates
[3.3.0-bb.5]
Changed
- Remove constraint templates K8sRequiredDeploymentLabels & K8sRequiredIronBankImages.
- The constraint templates are replaced with K8sRequiredLabelValues & K8sAllowedRepos
[3.3.0-bb.4]
Fixed
- Typo in K8sDenyServiceNodePort message
- Typo in K8sNoAnnotationValues message
- Missing "service" in gatekeeper config
[3.3.0-bb.3]
Changed
- More Constraint Templates
[3.3.0-bb.2]
Changed
- Added Constraint Templates
[3.3.0-bb.1]
Changed
- Added helm test
[3.3.0-bb.0]
Changed
- Added changelog
- update chart and image to v3.3.0
Last update: 2022-09-13 by michaelmcleroy