# Changelog

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

## [3.16.3-bb.1] - 2024-07-11

### Changed

- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.29.5 -> v1.29.6

## [3.16.3-bb.0] - 2024-06-04

### Changed

- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.16.2 -> v3.16.3
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.16.2 -> v3.16.3

## [3.16.2-bb.1] - 2024-05-31

### Changed

- Reverted `disableAudit` to `false`

## [3.16.2-bb.0] - 2024-05-24

### Changed

- Updated Chart appVersion to v3.16.2

## [3.16.0-bb.1] - 2024-05-24

### Changed

- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.16.0 -> v3.16.2
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.29.4 -> v1.29.5

## [3.16.0-bb.0] - 2024-05-14

### Changed

- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.15.1 -> v3.16.0
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.15.1 -> v3.16.0
- Updated to latest gluon 0.4.9 -> 0.5.0
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.29.3 -> v1.29.4

## [3.15.0-bb.7] - 2024-04-26

### Added

- Added support for additional custom network policies through the values yaml

## [3.15.0-bb.6] - 2024-04-17

### Changed

- Updated gluon 0.4.8 -> 0.4.9
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.7 -> v1.29.3

## [3.15.0-bb.5] - 2024-04-16

### Changed

- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.6 -> v1.28.7
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.15.0 -> v3.15.1

## [3.15.0-bb.4] - 2024-04-10

### Changed

- Changed Cypress test YAML files for Kubernetes 1.29 compliance

## [3.15.0-bb.3] - 2024-04-01

### Changed

- Reverted the `K8sPSPSELinuxV2.yaml` and `selinux-policy` update

## [3.15.0-bb.2] - 2024-04-01

### Changed

- Updated Development Maintenance doc

## [3.15.0-bb.1] - 2024-03-25

### Changed

- Updated `K8sPSPSELinuxV2.yaml` and the `selinux-policy` violation

## [3.15.0-bb.0] - 2024-02-07

### Changed

- Updated gluon 0.4.7 -> 0.4.8
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.14.0 -> v3.15.0

## [3.14.0-bb.8] - 2024-01-31

### Changed

- Updated the `K8sPSPSeccomp` constraint to check `spec.securityContext.seccompProfile.type` instead of the `seccomp.security.alpha.kubernetes.io/pod` and `container.seccomp.security.alpha.kubernetes.io/[name]` annotations, which were removed in Kubernetes 1.25
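The following Python check is an added illustration of the resolution rule the updated constraint relies on; it is not code from the Big Bang chart or from Gatekeeper (whose constraints are written in Rego). It reads `securityContext.seccompProfile.type` at pod level and at container level, lets a container-level setting override the pod-level one, and reports the pre-1.25 annotations as ineffective rather than honouring them. The set of acceptable profile types, the sample manifests and the image names in them are assumptions made for the example.

```python
"""Added example: a seccomp check that reads securityContext.seccompProfile.type
the way the updated K8sPSPSeccomp constraint does. Not part of the chart."""

# Assumption: RuntimeDefault and Localhost are acceptable, Unconfined is not.
ALLOWED_PROFILE_TYPES = frozenset({"RuntimeDefault", "Localhost"})

# Annotation keys removed in Kubernetes 1.25; still found in old manifests.
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def profile_type(obj):
    """Return securityContext.seccompProfile.type of a pod spec or container, or None."""
    ctx = obj.get("securityContext") or {}
    return (ctx.get("seccompProfile") or {}).get("type")


def seccomp_violations(pod, allowed=ALLOWED_PROFILE_TYPES):
    """Return violation messages for one Pod manifest (a dict, as from yaml.safe_load).

    A container-level seccompProfile overrides the pod-level one; with neither set the
    container has no explicit profile and is reported. The legacy annotations are
    reported separately because the kubelet no longer honours them.
    """
    meta = pod.get("metadata") or {}
    spec = pod.get("spec") or {}
    name = meta.get("name", "<unnamed>")
    violations = []

    annotations = meta.get("annotations") or {}
    if POD_ANNOTATION in annotations or any(
        key.startswith(CONTAINER_ANNOTATION_PREFIX) for key in annotations
    ):
        violations.append(
            f"{name}: seccomp annotations are ignored since Kubernetes 1.25; "
            "set securityContext.seccompProfile instead"
        )

    pod_level = profile_type(spec)
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            effective = profile_type(container) or pod_level
            cname = container.get("name", "<unnamed>")
            if effective is None:
                violations.append(f"{name}/{cname}: no seccompProfile set")
            elif effective not in allowed:
                violations.append(
                    f"{name}/{cname}: seccompProfile type {effective!r} is not allowed"
                )
    return violations


# Constructed sample manifests (image names are placeholders, not chart images).
POD_OK = {
    "metadata": {"name": "good"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}

POD_LEGACY = {  # pre-1.25 style: annotation only, no securityContext
    "metadata": {"name": "legacy", "annotations": {POD_ANNOTATION: "runtime/default"}},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}

POD_OVERRIDE = {  # pod says RuntimeDefault, one container opts out
    "metadata": {"name": "override"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "example/app:1.0"},
            {
                "name": "debug",
                "image": "example/app:1.0",
                "securityContext": {"seccompProfile": {"type": "Unconfined"}},
            },
        ],
    },
}

if __name__ == "__main__":
    for pod in (POD_OK, POD_LEGACY, POD_OVERRIDE):
        print(pod["metadata"]["name"], seccomp_violations(pod) or "ok")
```

The legacy manifest produces two findings, one for the dead annotation and one because no container ends up with an explicit profile; that second finding is the one a constraint that still read the annotation would have missed.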
## [3.14.0-bb.7] - 2024-01-29

### Changed

- Added keys to `allowedSELinuxOptions` to fix a policy violation on empty `seLinuxOptions` in `values.yaml`
- Removed duplicate `image` property in `values.yaml`

## [3.14.0-bb.6] - 2024-01-24

### Changed

- Added non-root securityContext to crd-cleanup containers

## [3.14.0-bb.5] - 2024-01-22

### Changed

- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.5 -> v1.28.6

## [3.14.0-bb.4] - 2024-01-12

### Changed

- Updated gluon 0.4.6 -> 0.4.7
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.4 -> v1.28.5

## [3.14.0-bb.3] - 2024-01-09

### Changed

- Updated gluon 0.4.4 -> 0.4.6
- Updated Chart appVersion to v3.14.0

## [3.14.0-bb.2] - 2023-12-11

### Changed

- Updated OSCAL component file

## [3.14.0-bb.1] - 2023-11-28

### Changed

- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.3 -> v1.28.4

## [3.14.0-bb.0] - 2023-11-08

### Changed

- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.13.3 -> v3.14.0
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.13.3 -> v3.14.0
- Updated registry1.dso.mil/ironbank/big-bang/base 2.0.0 -> 2.1.0

## [3.13.3-bb.3] - 2023-11-02

### Changed

- Hardened the `gatekeeper-admin` ServiceAccount with `automountServiceAccountToken: false` (overridden at the Pod spec level due to application requirements)
- Hardened the ServiceAccounts in various Jobs with `automountServiceAccountToken: false` (overridden at the Pod spec level due to application requirements)
- Disabled bb tests by default
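The hardening above only works as intended if the precedence between the ServiceAccount setting and the Pod spec setting is understood: the Pod spec wins when it is set, the ServiceAccount setting applies otherwise, and a Pod that names no ServiceAccount falls through to the namespace's `default` ServiceAccount, which mounts a token unless it too has been hardened. The following Python audit is an added example (not chart code) that resolves that precedence for a set of Pods; the namespace, ServiceAccount and Pod names it uses are constructed for the illustration.

```python
"""Added example: resolve whether a Pod actually receives a ServiceAccount token,
given the automountServiceAccountToken precedence. Not part of the chart."""


def token_mounted(pod, service_accounts):
    """Return True if the kubelet will mount a service account token into this Pod.

    Precedence (Kubernetes semantics): pod.spec.automountServiceAccountToken wins if
    set; otherwise the ServiceAccount's automountServiceAccountToken; otherwise True.
    `service_accounts` maps (namespace, name) -> ServiceAccount manifest dict.
    """
    meta = pod.get("metadata") or {}
    spec = pod.get("spec") or {}
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    key = (meta.get("namespace", "default"), spec.get("serviceAccountName") or "default")
    sa_setting = (service_accounts.get(key) or {}).get("automountServiceAccountToken")
    if sa_setting is not None:
        return bool(sa_setting)
    return True  # Kubernetes default when nothing says otherwise


def pods_with_tokens(pods, service_accounts):
    """Names of the Pods that will get a token, for an audit report."""
    return [p["metadata"]["name"] for p in pods if token_mounted(p, service_accounts)]


# Constructed sample objects; the names are assumptions, not the chart's resources.
NS = "gatekeeper-system"
SERVICE_ACCOUNTS = {
    (NS, "gatekeeper-admin"): {"automountServiceAccountToken": False},
    (NS, "batch-sa"): {"automountServiceAccountToken": False},
    (NS, "default"): {},  # untouched default SA: no setting, so it mounts
}
PODS = [
    {  # SA opts out, Pod spec opts back in because the app needs the token
        "metadata": {"name": "gatekeeper-controller", "namespace": NS},
        "spec": {"serviceAccountName": "gatekeeper-admin", "automountServiceAccountToken": True},
    },
    {  # a worker that never talks to the API server: the SA setting stands
        "metadata": {"name": "batch-worker", "namespace": NS},
        "spec": {"serviceAccountName": "batch-sa"},
    },
    {  # no serviceAccountName and no override: default SA, token mounted
        "metadata": {"name": "unlabelled", "namespace": NS},
        "spec": {},
    },
]

if __name__ == "__main__":
    print(pods_with_tokens(PODS, SERVICE_ACCOUNTS))
```

The third Pod is the case that hardening individual ServiceAccounts does not cover: with nothing set anywhere it still gets a token, so an audit that only inspects the ServiceAccounts a chart creates will miss it.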
## [3.13.3-bb.2] - 2023-11-02

### Changed

- Updated gluon resource

## [3.13.3-bb.1] - 2023-11-01

### Changed

- Updated gluon 0.4.3 -> 0.4.4

## [3.13.3-bb.0] - 2023-11-01

### Changed

- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.13.2 -> v3.13.3
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.13.2 -> v3.13.3
- Updated gluon 0.4.1 -> 0.4.3
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.28.2 -> v1.28.3

## [3.13.2-bb.0] - 2023-10-11

### Changed

- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl 1.27.6 -> 1.28.2
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.13.0 -> v3.13.2

## [3.13.0-bb.2] - 2023-10-11

### Removed

- OSCAL version update from 1.0.0 to 1.1.1

## [3.13.0-bb.1] - 2023-10-02

### Removed

- Removed duplicate strategy

## [3.13.0-bb.0] - 2023-09-19

### Changed

- Updated gluon 0.4.0 -> 0.4.1
- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.12.0 -> v3.13.0
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl 1.27.3 -> 1.27.6
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.12.0 -> v3.13.0

## [3.12.0-bb.4] - 2023-06-20

### Changed

- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.4 -> v1.27.3
- Updated to latest gluon 0.3.2 -> 0.4.0

## [3.12.0-bb.0] - 2023-04-18

### Changed

- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.11.0 -> v3.12.0
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.3 -> v1.26.4
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.11.0 -> v3.12.0

## [3.11.0-bb.3] - 2023-04-07

### Changed

- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.2 -> v1.26.3

## [3.11.0-bb.2] - 2023-03-09

### Changed

- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.26.1 -> v1.26.2
- Updated to latest gluon 0.3.2

## [3.11.0-bb.1] - 2023-02-23

### Changed

- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.25.6 -> v1.26.1

## [3.11.1-bb.0]

### Changed

- Updated ironbank/opensource/openpolicyagent/gatekeeper v3.10.0 -> v3.11.0
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.25.4 -> v1.25.6
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.10.0 -> v3.11.0

## [3.10.0-bb.2]

### Changed

- Updated to work on OpenShift out of the box

## [3.10.0-bb.1]

### Changed

- Updated to latest kubectl v1.25.4

## [3.10.0-bb.0]

### Changed

- Updated to latest kubectl v1.25.3
- Updated to latest gatekeeper v3.10.0
- Updated chart to v3.10.0

## [3.9.0-bb.3]

### Changed

- Updated to latest kubectl v1.25.2
- Updated to latest gluon 0.3.1

## [3.9.0-bb.2]

### Changed

- Updated to latest kubectl v1.24.4
- Updated to latest gluon 0.3.0

## [3.9.0-bb.1]

### Changed

- Removed old Ingress APIs

## [3.9.0-bb.0]

### Changed

- Updated application and corresponding helm chart to v3.9.0

## [3.8.1-bb.5] - 2022-07-25

### Changed

- Removed `ProcMount` from the Helm test to avoid conflicts with `PodSecurityPolicy` in some Kubernetes distributions

## [3.8.1-bb.4] - 2022-07-22

### Changed

- Fixed PodDisruptionBudget to default to the `v1` API when neither `v1` nor `v1beta1` is found. This should prevent it from being flagged as deprecated.

## [3.8.1-bb.3]

### Changed

- Added OpenShift SCCs

## [3.8.1-bb.2]

### Changed

- Re-disabled PSP due to issues fixed in RKE2

## [3.8.1-bb.1]

### Changed

- Updated to latest gluon 0.2.10

## [3.8.1-bb.0]

### Changed

- Updated to latest IB image 3.8.1
- Updated to latest gluon 0.2.9

## [3.8.0-bb.1]

### Changed

- Added OSCAL component file

## [3.8.0-bb.0]

### Changed

- Updated application and corresponding helm chart to v3.8.0

## [3.7.1-bb.0]

### Changed

- Updated application and corresponding helm chart to v3.7.1

## [3.7.0-bb.9]

### Changed

- Updated kubectl images to 1.22.2
- Updated renovate to monitor all images, including the `kubectl` test and crd images

## [3.7.0-bb.8]

### Changed

- Updated kubectl image

## [3.7.0-bb.7]

### Changed

- Re-enabled PSP due to issues on RKE2

## [3.7.0-bb.6]

### Changed

- Disabled PSP due to deprecation warning

## [3.7.0-bb.5]

### Fixed

- Updated Chart.yaml to follow new standardization for release automation
- Added renovate check to update new standardization

## [3.7.0-bb.4]

### Fixed

- Missing emptyDir in PSP, copied from upstream fix: https://github.com/open-policy-agent/gatekeeper/commit/ae9e7dd1c8c5a23e748f0893468abe18218fa357

## [3.7.0-bb.3]

### Changed

- Relocated bbtest values

## [3.7.0-bb.2]

### Changed

- Refactored helm tests

## [3.7.0-bb.1]

### Fixed

- Fixed missing kpt updates from 3.7.0 upgrade

## [3.7.0-bb.0]

### Changed

- Updated application and corresponding helm chart to v3.7.0
- Updated kubectl image

## [3.6.0-bb.2]

### Changed

- Enabled OPA to log denies by default

## [3.6.0-bb.1]

### Changed

- Set validatingWebhookTimeoutSeconds to 15 seconds

## [3.6.0-bb.0]

### Changed

- Updated application and corresponding helm chart to v3.6.0

## [3.5.2-bb.2]

### Added

- ConstraintTemplate CRD v1 version. Storage set to false.

## [3.5.2-bb.1]

### Changed

- Updated upgrade job to remove orphaned or disabled constraints

## [3.5.2-bb.0]

### Changed

- Updated application and corresponding helm chart to v3.5.2

## [3.5.1-bb.16]

### Changed

- Changed resource limits and requests for manager pods

## [3.5.1-bb.15]

### Changed

- Changed names of several Constraint Templates to work around an upgrade problem when changing CRD schema

## [3.5.1-bb.14]

### Changed

- Fixed problems with the K8sPSPHostNetworkingPorts template
- Added fine-grained control of excluded resources using namespace and resource name
- Added chart label to controller to force a re-roll on chart upgrades
- Renamed constraint template `K8sRequiredPod` to `K8sQualityOfService` and removed deprecated violations

### Removed

- Deprecated constraint templates removed:
  - `K8sRequiredLabels` (use `K8sRequiredLabelValues` instead)
  - `K8sIstioInjection` (use `K8sRequiredLabelValues` instead)
  - `K8sPSPFSGroup` (use `K8sPSPAllowedUsers` instead)

## [3.5.1-bb.13]

### Changed

- Updated post-upgrade job to use imagePullSecrets

## [3.5.1-bb.12]

### Changed

- Removed Big Bang overrides from default values. Look in the Big Bang repo under `chart/templates/gatekeeper/values.yaml` for overrides.

## [3.5.1-bb.11]

### Added

- Post-upgrade job to remove disabled constraints

### Changed

- Moved constraint kind and name to values.yaml

## [3.5.1-bb.10]

### Changed

- Removed rule for `unique-service-selector`

## [3.5.1-bb.9]

### Changed

- Changed the resource requests and limits to be equal

## [3.5.1-bb.8]

### Changed

- Excluded kube-system from all constraints through config
- Reverted values to no longer include kube-system as excluded

## [3.5.1-bb.7]

### Changed

- Set batch mode default to process 500 entries to reduce memory footprint
- Turned on match kind only to reduce memory footprint
- Increased audit interval to every 5 minutes

## [3.5.1-bb.6]

### Changed

- Updated constraint `no-host-namespace` enforcement to default deny
- Removed monitoring namespace exception for constraint `host-networking`

## [3.5.1-bb.5]

### Changed

- Removed duplicate keys in Chart.yaml

## [3.5.1-bb.4]

### Changed

- Updated constraint `https-only` enforcement to default deny

## [3.5.1-bb.3]

### Changed

- Updated constraint `volume-types` enforcement to default deny

## [3.5.1-bb.2]

### Changed

- Updated constraint `allowed-docker-registries` enforcement to default deny
- Excluded kube-system namespace for constraint `allowed-docker-registries`

## [3.5.1-bb.1]

### Changed

- Updated constraint `restrictedTaint` enforcement to default deny; added an exception for the `monitoring` namespace to allow prometheus-node-exporter pods

## [3.5.1-bb.0]

### Changed

- Updated application and corresponding helm chart to v3.5.1

## [3.4.0-bb.19]

### Changed

- Disabled `app-armor-profiles` constraint by default

## [3.4.0-bb.18]

### Changed

- Aligned Cluster Auditor default constraint values to the Kubernetes Pod Security Standards

## [3.4.0-bb.17]

### Changed

- Updated constraint `selinux-policy` enforcement to default deny; added an exception for the logging namespace to the selinux policy

## [3.4.0-bb.16]

### Changed

- Updated constraint `unique-ingress-hosts` enforcement to default deny

## [3.4.0-bb.15]

### Changed

- Updated constraint `host-networking` enforcement to default deny; added an exemption for the monitoring namespace, which prevents `K8sPSPHostNetworkingPorts` from reporting a violation on the monitoring namespace

## [3.4.0-bb.14]

### Changed

- Updated constraint `no-privileged-containers` enforcement to default deny; added an exception for the logging namespace to the no-privileged-containers constraint

## [3.4.0-bb.13]

### Changed

- Updated constraint `banned-image-tags` enforcement to default deny; added a violation to constraint template `k8sbannedimagetags` so that containers with no specified tag are not allowed
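Both the `allowed-docker-registries` constraint (3.5.1-bb.2 above) and the `banned-image-tags` constraint with its new missing-tag violation (3.4.0-bb.13) depend on splitting an image reference correctly, and that split has traps: a `:` can be a registry port rather than a tag separator, an `@sha256:` digest can stand in for a tag, and a bare name such as `nginx` resolves to `docker.io/library/nginx`. The following Python is an added example of both checks over one parser; it is not the chart's code (the real constraints are Rego templates driven by `values.yaml`). The allowed-repository prefix, the banned-tag set, the sample Pod and the decision to accept a digest pin as a specified reference are assumptions made for the example.

```python
"""Added example: image reference parsing plus the two checks the
allowed-docker-registries and banned-image-tags constraints make
(allowed repository prefix; no banned tag and no missing tag). Not chart code."""

import re

# Assumptions for illustration; the chart's real values live in values.yaml.
ALLOWED_REPOS = ("registry1.dso.mil/ironbank/",)
BANNED_TAGS = frozenset({"latest"})
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest).

    Handles registry host:port, '@sha256:' digests, and the implicit
    docker.io/library/ prefix for bare names like 'nginx'.
    """
    name, digest = ref, None
    if "@" in name:
        name, digest = name.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    # The tag is after the last ':' only if that ':' is after the last '/';
    # otherwise the ':' belongs to a registry port such as localhost:5000.
    tag = None
    if name.rfind(":") > name.rfind("/"):
        name, tag = name.rsplit(":", 1)
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", name
        if "/" not in repo:
            repo = "library/" + repo
    return registry, repo, tag, digest


def image_violations(pod, allowed_repos=ALLOWED_REPOS, banned_tags=BANNED_TAGS):
    """Return violation messages for every container image in a Pod manifest."""
    spec = pod.get("spec") or {}
    name = (pod.get("metadata") or {}).get("name", "<unnamed>")
    violations = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            image = c.get("image", "")
            registry, repo, tag, digest = parse_image(image)
            full = f"{registry}/{repo}"
            if not any(full.startswith(prefix) for prefix in allowed_repos):
                violations.append(f"{name}/{c['name']}: {full} is not an allowed repository")
            # Assumption: a digest pin counts as a specified reference.
            if tag is None and digest is None:
                violations.append(f"{name}/{c['name']}: image {image!r} has no tag")
            elif tag in banned_tags:
                violations.append(f"{name}/{c['name']}: tag {tag!r} is banned")
    return violations


# Constructed sample Pod; the 'sample/app' image paths are placeholders.
POD = {
    "metadata": {"name": "sample"},
    "spec": {
        "containers": [
            {"name": "kubectl", "image": "registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.6"},
            {"name": "web", "image": "nginx:latest"},
            {"name": "untagged", "image": "registry1.dso.mil/ironbank/sample/app"},
            {"name": "pinned", "image": "registry1.dso.mil/ironbank/sample/app@sha256:" + "a" * 64},
        ]
    },
},

if __name__ == "__main__":
    for v in image_violations(POD[0]):
        print(v)
```

Note that a prefix match on `registry/repository` is deliberate: matching on the raw string would let `registry1.dso.mil.evil.example/` past a check written as `registry1.dso.mil/` only if the trailing slash were dropped, which is why the allowed prefixes above end in `/`.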
## [3.4.0-bb.12]

### Changed

- Changed nosysctls policy to deny

## [3.4.0-bb.11]

### Changed

- Reverted constraint `pods-have-istio` enforcement to default dryrun
- Fixed the podsHaveIstio disallowed regex for `sidecar.istio.io/inject` set to `false`, and excluded the istio-system namespace

## [3.4.0-bb.10]

### Changed

- Removed flexVolume and hostPath as default allowable for the allowedFlexVolume constraint

## [3.4.0-bb.9]

### Changed

- Updated constraint `pods-have-istio` enforcement to default deny

## [3.4.0-bb.8]

### Changed

- Modified the default enforcement action of allowed-flex-volumes to deny

## [3.4.0-bb.7]

### Added

- Added network policies to lock down egress/ingress

### Changed

- Moved tests from bb-test-lib to gluon

## [3.4.0-bb.6]

### Changed

- Modified the default enforcement action of allowProcMount to deny

## [3.4.0-bb.5]

### Changed

- Changed allowed-ips constraint to deny

## [3.4.0-bb.4]

### Changed

- Changed names of all constraints so that cluster-auditor will not delete them during upgrade

## [3.4.0-bb.3]

### Changed

- Updated CI values to only include the `default` namespace for deny actions

## [3.4.0-bb.2]

### Added

- Added `K8sDenySADefault` constraint template
- Added `K8sDenySADefault` constraint
- Added `ServiceAccount` for good pod testing

### Changed

- Removed `K8sDenyServiceAccountTokentAutoMount` constraint template
- Updated test script to account for added SA

## [3.4.0-bb.1]

### Added

- Constraints were moved from cluster-auditor to the OPA Gatekeeper package

### Changed

- Constraint template library split into individual files
- Constraints renamed to match values.yaml
- Constraint Templates renamed to match kind

## [3.4.0-bb.0]

### Added

- Common labels on Big Bang created components

### Changed

- Updated helm chart to upstream v3.4.0, which included the following notable items:
  - Removal of Helm v2 support. See upgrade instructions
  - Experimental use of Mutation
  - Use of helm specified namespace vs. hardcoded `gatekeeper-system`
- Updated docs/ConstraintTemplates list with latest templates

## [3.3.0-bb.5]

### Changed

- Removed constraint templates K8sRequiredDeploymentLabels & K8sRequiredIronBankImages
- The constraint templates are replaced with K8sRequiredLabelValues & K8sAllowedRepos

## [3.3.0-bb.4]

### Fixed

- Typo in K8sDenyServiceNodePort message
- Typo in K8sNoAnnotationValues message
- Missing `service` in gatekeeper config

## [3.3.0-bb.3]

### Changed

- More Constraint Templates

## [3.3.0-bb.2]

### Changed

- Added Constraint Templates

## [3.3.0-bb.1]

### Changed

- Added helm test

## [3.3.0-bb.0]

### Changed

- Added changelog
- Updated chart and image to v3.3.0

Last update: 2024-07-24 by Dax McDonald