Changelog📜
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[3.15.0-bb.0] 2024-02-07📜
Changed📜
- Updated gluon 0.4.7 -> 0.4.8
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.14.0 -> v3.15.0
[3.14.0-bb.8] 2024-01-31📜
Changed📜
- Updated
K8sPSPSeccomp
constraint to check forspec.securityContext.seccompProfile.type
instead ofseccomp.security.alpha.kubernetes.io/pod
&container.seccomp.security.alpha.kubernetes.io/[name]
as they were removed in Kubernetes 1.25
[3.14.0-bb.7] 2024-01-29📜
Changed📜
- Added keys to
allowedSELinuxOptions
to fix policy violation on emptyseLinuxOptions
invalues.yaml
- Removed duplicate
image
property invalues.yaml
[3.14.0-bb.6] 2024-01-24📜
Changed📜
- Added non-root securityContext to crd-cleanup containers
[3.14.0-bb.5] 2024-01-22📜
Changed📜
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.5 -> v1.28.6
[3.14.0-bb.4] 2024-01-12📜
Changed📜
- Updated gluon 0.4.6 -> 0.4.7
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.4 -> v1.28.5
[3.14.0-bb.3] 2024-01-09📜
Changed📜
- Updated gluon 0.4.4 -> 0.4.6
- Updated Chart appVersion to v3.14.0
[3.14.0-bb.2] 2023-12-11📜
Changed📜
- Updating OSCAL Component File.
[3.14.0-bb.1] 2023-11-28📜
Changed📜
- updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.3 -> v1.28.4
[3.14.0-bb.0] 2023-11-08📜
Changed📜
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.13.3 -> v3.14.0
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.13.3 -> v3.14.0
- Updated registry1.dso.mil/ironbank/big-bang/base 2.0.0 -> 2.1.0
[3.13.3-bb.3] 2023-11-02📜
Changed📜
- Hardened
gatekeeper-admin
ServiceAccount withautomountServiceAccountToken: false
(overriden at Pod spec-level due to app requirements) - Hardened ServiceAccounts in various
Jobs
withautomountServiceAccountToken: false
(overriden at Pod spec-level due to app requirements) - Disabled bb tests by default
[3.13.3-bb.2] 2023-11-02📜
Changed📜
- Update gluon resource
[3.13.3-bb.1] 2023-11-01📜
Changed📜
- Updated gluon 0.4.3 -> 0.4.4
[3.13.3-bb.0] 2023-11-01📜
Changed📜
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.13.2 -> v3.13.3
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.13.2 -> v3.13.3
- Updated gluon 0.4.1 -> 0.4.3
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.2 -> v1.28.3
[3.13.2-bb.0] 2023-10-11📜
Changed📜
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl 1.27.6 -> 1.28.2
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.13.0 -> v3.13.2
[3.13.0-bb.2] 2023-10-11📜
Removed📜
- OSCAL version update from 1.0.0 to 1.1.1
[3.13.0-bb.1] 2023-10-02📜
Removed📜
- Removed duplicate strategy
[3.13.0-bb.0] 2023-09-19📜
Changed📜
- Updated gluon 0.4.0 -> 0.4.1
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.12.0 -> v3.13.0
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl 1.27.3 -> 1.27.6
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.12.0 -> v3.13.0
[3.12.0-bb.4] 2023-06-20📜
Changed📜
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.4 -> v1.27.3
- Updated to latest gluon 0.3.2 -> 0.4.0
[3.12.0-bb.0] 2023-04-18📜
Changed📜
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.11.0 -> v3.12.0.
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.3 -> v1.26.4
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.11.0 -> v3.12.0
[3.11.0-bb.3] 2023-04-07📜
Changed📜
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.2 -> v1.26.3
[3.11.0-bb.2] 2023-03-09📜
Changed📜
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.1 -> v1.26.2
- Updated to latest gluon 0.3.2
[3.11.0-bb.1] 2023-02-23📜
Changed📜
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.25.6 -> v1.26.1
[3.11.1-bb.0]📜
Changed📜
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.10.0 -> v3.11.0.
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.25.4 -> v1.25.6
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.10.0 -> v3.11.0
[3.10.0-bb.2]📜
Changed📜
- Updated to work on OpenShift out of the box
[3.10.0-bb.1]📜
Changed📜
- Updated to latest kubectl v1.25.4
[3.10.0-bb.0]📜
Changed📜
- Updated to latest kubectl v1.25.3
- Updated to latest gatekeeper v3.10.0
- Updated chart to v3.10.0
[3.9.0-bb.3]📜
Changed📜
- Updated to latest kubectl v1.25.2
- Updated to latest gluon 0.3.1
[3.9.0-bb.2]📜
Changed📜
- Updated to latest kubectl v1.24.4
- Updated to latest gluon 0.3.0
[3.9.0-bb.1]📜
Changed📜
- Remove old Ingress API’s
[3.9.0-bb.0]📜
Changed📜
- Updated application and corresponding helm chart to v3.9.0
[3.8.1-bb.5] - 2022-07-25📜
Changed📜
- Removed
ProcMount
from Helm test to avoid conflicts withPodSecurityPolicy
in some K8S distributions
[3.8.1-bb.4] - 2022-07-22📜
Changed📜
- Fixed PodDisruptionBudget to default to the
v1
API when neitherv1
orv1beta1
are found. This should prevent it from being flagged as deprecated.
[3.8.1-bb.3]📜
Changed📜
- Add Openshift SCCs
[3.8.1-bb.2]📜
Changed📜
- Re-disabled PSP due to issues fixed in RKE2
[3.8.1-bb.1]📜
Changed📜
- Updated to latest gluon 0.2.10
[3.8.1-bb.0]📜
Changed📜
- Updated to latest IB image 3.8.1
- Updated to latest gluon 0.2.9
[3.8.0-bb.1]📜
Changed📜
- Added OSCAL component file
[3.8.0-bb.0]📜
Changed📜
- Updated application and corresponding helm chart to v3.8.0
[3.7.1-bb.0]📜
Changed📜
- Updated application and corresponding helm chart to v3.7.1
[3.7.0-bb.9]📜
Changed📜
- Updated kubectl images to 1.22.2
- Updated renovate to monitor all images including
kubectl
test and crd images
[3.7.0-bb.8]📜
Changed📜
- Updated kubectl image
[3.7.0-bb.7]📜
Changed📜
- Reenabled PSP due to issues on RKE2
[3.7.0-bb.6]📜
Changed📜
- Disabled PSP due to deprecation warning
[3.7.0-bb.5]📜
Fixed📜
- Update Chart.yaml to follow new standardization for release automation
- Added renovate check to update new standardization
[3.7.0-bb.4]📜
Fixed📜
- Missing emptyDir in PSP, copied from upstream fix: https://github.com/open-policy-agent/gatekeeper/commit/ae9e7dd1c8c5a23e748f0893468abe18218fa357
[3.7.0-bb.3]📜
Changed📜
- Relocated bbtest values
[3.7.0-bb.2]📜
Changed📜
- Refactoring helm tests
[3.7.0-bb.1]📜
Fixed📜
- Fixed missing kpt updates from 3.7.0 upgrade
[3.7.0-bb.0]📜
Changed📜
- Updated application and corresponding helm chart to v3.7.0
- Updated kubectl image
[3.6.0-bb.2]📜
Changed📜
- Enable OPA to log denies by default
[3.6.0-bb.1]📜
Changed📜
- Set validatingWebhookTimeoutSeconds to 15 seconds.
[3.6.0-bb.0]📜
Changed📜
- Updated application and corresponding helm chart to v3.6.0
[3.5.2-bb.2]📜
Added📜
- ConstraintTemplate CRD v1 version. Storage set to false.
[3.5.2-bb.1]📜
Changed📜
- Updated upgrade job to remove orphan or disabled constraints.
[3.5.2-bb.0]📜
Changed📜
- Updated application and corresponding helm chart to v3.5.2
[3.5.1-bb.16]📜
Changed📜
- Changed resource limits and requirements for manager pods
[3.5.1-bb.15]📜
Changed📜
- Changed names of several Constraint Templates to workaround upgrade problem when changing CRD schema
[3.5.1-bb.14]📜
Changed📜
- Fixed problems with K8sPSPHostNetworkingPorts template
- Added fine grained control of excluded resources using namespace and resource name
- Added chart label to controller to force reroll on chart upgrades
- Renamed constraint template
K8sRequiredPod
toK8sQualityOfService
and removed deprecated violations
Removed📜
- Deprecated constraint templates removed
K8sRequiredLabels
(useK8sRequiredLabelValues
instead)K8sIstioInjection
(useK8sRequiredLabelValues
instead )K8sPSPFSGroup
(useK8sPSPAllowedUsers
instead)
[3.5.1-bb.13]📜
Changed📜
- Updated Post-upgrade job to use imagePullSecrets
[3.5.1-bb.12]📜
Changed📜
- Removed Big Bang overrides from default values. Look in Big Bang repo under
chart/templates/gatekeeper/values.yaml
for overrides.
[3.5.1-bb.11]📜
Added📜
- Post-upgrade job to remove disabled constraints
Changed📜
- Moved constraint kind and name to values.yaml
[3.5.1-bb.10]📜
Changed📜
- Removed rule for
unique-service-selector
[3.5.1-bb.9]📜
Changed📜
- Changed the resource requests and limits to be equal
[3.5.1-bb.8]📜
Changed📜
- Excluded kube-system from all constraints through config
- Reverted values to no longer include kube-system as excluded
[3.5.1-bb.7]📜
Changed📜
- Set batch mode default to process 500 entries to reduce memory footprint
- Turned on match kind only to reduce memory footprint
- Increased audit interval to every 5 minutes
[3.5.1-bb.6]📜
Changed📜
- Updated constraint
no-host-namespace
enforcement to default deny - Removed monitoring namespace exception for constraint
host-networking
[3.5.1-bb.5]📜
Changed📜
- Remove duplicate keys in Chart.yaml
[3.5.1-bb.4]📜
Changed📜
- Updated constraint
https-only
enforcement to default deny
[3.5.1-bb.3]📜
Changed📜
- Updated constraint
volume-types
enforcement to default deny
[3.5.1-bb.2]📜
Changed📜
- Updated constraint
allowed-docker-registries
enforcement to default deny - Excluded kube-system namespace for constraint
allowed-docker-registries
[3.5.1-bb.1]📜
Changed📜
- Updated constraint
restrictedTaint
enforcement to default deny, added exception formonitoring
namespace for to allow prometheus-node-exporter pods
[3.5.1-bb.0]📜
Changed📜
- Updated application and corresponding helm chart to v3.5.1
[3.4.0-bb.19]📜
Changed📜
- Disabled
app-armor-profiles
constraint by default
[3.4.0-bb.18]📜
Changed📜
- Align Cluster Auditor default constraint values to Kubernetes Pod Security Standard
[3.4.0-bb.17]📜
Changed📜
- Updated constraint
selinux-policy
enforcement to default deny - added exception for logging namespace to selinux policy
[3.4.0-bb.16]📜
Changed📜
- Updated constraint
unique-ingress-hosts
enforcement to default deny
[3.4.0-bb.15]📜
Changed📜
- Updated constraint
host-networking
enforcement to default deny - added exemption for monitoring namespace, this will prevent the
K8sPSPHostNetworkingPorts
from reporting a violation on monitoring namespace.
[3.4.0-bb.14]📜
Changed📜
- Updated constraint
no-privileged-containers
enforcement to default deny - added exception for logging namespace to no-privileged-containers constraint
[3.4.0-bb.13]📜
Changed📜
- Updated constraint
banned-image-tags
enforcement to default deny - added violation to constraintTemplate
k8sbannedimagetags
to not allow containers with no specified tag
[3.4.0-bb.12]📜
Changed📜
- Changed nosysctls policy to deny
[3.4.0-bb.11]📜
Changed📜
- Reverted constraint
pods-have-istio
enforcement to default dryrun - Fixed podsHaveIstio disallowed regex sidecar.istio.io/inject to false and exclude istio-system namespace
[3.4.0-bb.10]📜
Changed📜
- Remove flexVolume and hostPath as default allowable for allowedFlexVolume constraint
[3.4.0-bb.9]📜
Changed📜
- Updated constraint
pods-have-istio
enforcement to default deny
[3.4.0-bb.8]📜
Modified📜
- Modified the default enforcement action of allowed-flex-volumes to deny
[3.4.0-bb.7]📜
Added📜
- Added network policies to lock down egress/ingress
Changed📜
- Move tests from bb-test-lib to gluon
[3.4.0-bb.6]📜
Modified📜
- Modified the default enforcement action of allowProcMount to deny.
[3.4.0-bb.5]📜
Changed📜
- Changed allowed-ips constraint to deny
[3.4.0-bb.4]📜
Changed📜
- Changed names of all constraints so that during upgrade, cluster-auditor will not delete them.
[3.4.0-bb.3]📜
Changed📜
- Updated CI values to only include ‘default’ namespace for deny actions
[3.4.0-bb.2]📜
Added📜
K8sDenySADefault
constraint template.K8sDenySADefault
constraint- Added
ServiceAccount
for good pod testing
Changed📜
- Removed
K8sDenyServiceAccountTokentAutoMount
constraint template - Updated test script to account for added SA.
[3.4.0-bb.1]📜
Added📜
- Constraints were moved from cluster-auditor to OPA gatekeeper package
Changed📜
- Constraint template library split into individual files
- Constraints renamed to match values.yaml
- Constraint Templates renamed to match kind
[3.4.0-bb.0]📜
Added📜
- Common labels on Big Bang created components
Changed📜
- Updated helm chart to upstream v3.4.0, which included the following notable items:
- Removal of Helm v2 support. See upgrade instructions
- Experimental use of Mutation
- Use of helm specified namespace vs. hardcoded
gatekeeper-system
- Update docs/ConstraintTemplates list with latest templates
[3.3.0-bb.5]📜
Changed📜
- Remove constraint templates K8sRequiredDeploymentLabels & K8sRequiredIronBankImages.
- The constraint templates are replaced with K8sRequiredLabelValues & K8sAllowedRepos
[3.3.0-bb.4]📜
Fixed📜
- Typo in K8sDenyServiceNodePort message
- Typo in K8sNoAnnotationValues message
- Missing “service” in gatekeeper config
[3.3.0-bb.3]📜
Changed📜
- More Constraint Templates
[3.3.0-bb.2]📜
Changed📜
- Added Constraint Templates
[3.3.0-bb.1]📜
Changed📜
- Added helm test
[3.3.0-bb.0]📜
Changed📜
- Added changelog
- update chart and image to v3.3.0
Last update:
2024-02-07 by Robert Massey