Skip to content

ChangelogπŸ“œ

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[1.5.0-bb.22] - 2024-09-04πŸ“œ

ChangedπŸ“œ

  • Removed Kiali labels from package, run input labels through tpl to evaluate template expressions

[1.5.0-bb.21] - 2024-07-30πŸ“œ

ChangedπŸ“œ

  • Add pod labels required by Kiali

[1.5.0-bb.20] - 2024-07-24πŸ“œ

ChangedπŸ“œ

  • Removed redundant entries in package test-values.yaml already in package values.yaml

[1.5.0-bb.19] - 2024-07-03πŸ“œ

ChangedπŸ“œ

  • Removing the shared authorization policies

[1.5.0-bb.18] - 2024-06-25πŸ“œ

ChangedπŸ“œ

  • Updated DEVELOPMENT_MAINTENANCE.md with instructions for integration testing in pipeline

[1.5.0-bb.17] - 2024-06-03πŸ“œ

ChangedπŸ“œ

  • Updated to gluon 0.5.0

[1.5.0-bb.16] - 2024-04-24πŸ“œ

AddedπŸ“œ

  • Add support for additional custom network policies through the values yaml

[1.5.0-bb.15] - 2024-03-18πŸ“œ

ChangedπŸ“œ

  • Add istio egress whitelist

[1.5.0-bb.14] - 2024-02-23πŸ“œ

ChangedπŸ“œ

  • README.md fix

[1.5.0-bb.13] - 2024-01-24πŸ“œ

ChangedπŸ“œ

  • Updated gluon to 4.8; allow consumers to utilize custom scripts

[1.5.0-bb.12] - 2024-1-3πŸ“œ

ChangedπŸ“œ

  • Added support for Istio Authorization Policies

[1.5.0-bb.11] - 2023-11-30πŸ“œ

ChangedπŸ“œ

  • Updating OSCAL Component File.

[1.5.0-bb.10] - 2023-11-02πŸ“œ

ChangedπŸ“œ

  • Hardened opa-exporter ServiceAccount with automountServiceAccountToken: false (overriden at Pod spec-level due to app requirements)

[1.5.0-bb.9] - 2023-10-06πŸ“œ

ChangedπŸ“œ

  • Updated OSCAL version from 1.0.0 to 1.1.1

[1.5.0-bb.8] - 2023-09-19πŸ“œ

FixedπŸ“œ

  • Updated to gluon 0.4.1 and Cypress 13.x
  • Updated Cypress tests to work with Cypress 13.x

[1.5.0-bb.7] - 2023-08-24πŸ“œ

FixedπŸ“œ

  • Updated test to work when there are multiple targets present

[1.5.0-bb.6] - 2023-08-22πŸ“œ

FixedπŸ“œ

  • Updated namespace for grafana dependency and reverted test values back to using the monitoring namespace

[1.5.0-bb.5] - 2023-08-16πŸ“œ

FixedπŸ“œ

  • Update path and formatting in dependencies.yaml under tests directory

[1.5.0-bb.4] - 2023-05-26πŸ“œ

AddedπŸ“œ

  • Added OpenShift support

[1.5.0-bb.3] - 2023-05-19πŸ“œ

ChangedπŸ“œ

  • Update cypress tests for compatibility with latest monitoring version (45.27.2)

[1.5.0-bb.2] - 2023-01-17πŸ“œ

ChangedπŸ“œ

  • Update gluon to new registry1 location + latest version (0.3.2)

[1.5.0-bb.1] - 2022-10-26πŸ“œ

AddedπŸ“œ

  • Added contributing doc

[1.5.0-bb.0] - 2022-09-16πŸ“œ

ChangedπŸ“œ

  • ironbank/bigbang/cluster-auditor/opa-exporter updated from 0.0.4 to 0.0.7

[1.4.0-bb.10]πŸ“œ

FixedπŸ“œ

  • Resolved issues with cypress tests

[1.4.0-bb.9]πŸ“œ

ChangedπŸ“œ

  • Removed mTLS exception

[1.4.0-bb.8]πŸ“œ

UpdatedπŸ“œ

  • Fixed dashboard check in cypress test

[1.4.0-bb.7]πŸ“œ

UpdatedπŸ“œ

  • PrometheusRule resource for OPA constraint alerts

[1.4.0-bb.6]πŸ“œ

UpdatedπŸ“œ

  • Cypress test now checks the table with the list of violations and the β€œviolations by kind” bar chart for a β€œno data” message.

[1.4.0-bb.5]πŸ“œ

AddedπŸ“œ

  • added securityContext: capabilities: drop: ALL
  • Updated gluon to 0.2.10

[1.4.0-bb.4]πŸ“œ

ChangedπŸ“œ

  • Updated securityContext user and group to nonroot

[1.4.0-bb.3]πŸ“œ

ChangedπŸ“œ

  • Fixed typo in OSCAL document

[1.4.0-bb.2]πŸ“œ

AddedπŸ“œ

  • CI tests to verify violations index

[1.4.0-bb.1]πŸ“œ

AddedπŸ“œ

  • Added Tempo Zipkin Egress Policy

[1.4.0-bb.0]πŸ“œ

AddedπŸ“œ

  • New Kptfile to follow other package version of kpt

ChangedπŸ“œ

  • Image version to v0.0.4
  • App version to 0.0.4

[1.3.0-bb.1]πŸ“œ

AddedπŸ“œ

  • Added peerauthentication/mtls support with istio

[1.3.0-bb.0]πŸ“œ

AddedπŸ“œ

  • Added OSCAL component for Cluster Auditor

[1.2.0-bb.1]πŸ“œ

ChangedπŸ“œ

  • Update Chart.yaml to follow new standardization for release automation
  • Added renovate check to update new standardization

[1.2.0-bb.0]πŸ“œ

ChangedπŸ“œ

  • Updated docs to reflect new cluster auditor architecture

[1.1.1-bb.0]πŸ“œ

ChangedπŸ“œ

  • Fixed template error for Istio annotation in BigBang

[1.1.0-bb.0]πŸ“œ

ChangedπŸ“œ

  • Add Istio annotation

[1.0.3-bb.0]πŸ“œ

ChangedπŸ“œ

  • Moved bbtest values from test-values.yaml into values.yaml to allow for overrides

[1.0.2-bb.0]πŸ“œ

ChangedπŸ“œ

  • Added networkpolicies to support istio sidecars
  • Updated ports/servicemonitor to support scraping metrics properly

[1.0.1-bb.0]πŸ“œ

ChangedπŸ“œ

  • fixed duplicate app.kubernetes/version

[1.0.0-bb.0]πŸ“œ

AddedπŸ“œ

  • Created a new namespace cluster auditor.
  • Added opa exporter.
  • Added grafana dashboard.
  • Removed the old cluster auditor.

[0.3.0-bb.7]πŸ“œ

ChangedπŸ“œ

  • fixed duplicate nodeselector in deployment template.

[0.3.0-bb.6]πŸ“œ

ChangedπŸ“œ

  • Updated config to align watched resources with latest OPA Gatekeeper names
  • Turned off apparmor violation in defaults
  • Removed unique service selector in defaults

[0.3.0-bb.5]πŸ“œ

ChangedπŸ“œ

  • Switched away from the (unmaintained and oddly behaving) jq fluentd filter.
  • Now using the exec_filter to execute jq directly.
  • Added in an additional filter to avoid getting duplicates stored to elastic–elasticsearch_genid

[0.3.0-bb.4]πŸ“œ

AddedπŸ“œ

  • Updated Network Policy to allow Openshift DNS Egress

[0.3.0-bb.3]πŸ“œ

AddedπŸ“œ

  • Added Network Policy for Istio Sidecar metrics.

[0.3.0-bb.2]πŸ“œ

AddedπŸ“œ

  • Condititional statement to chart/templates/bigbang/network-policies/kube-system-allow-egress.yaml based on if networkPolicies is enabled.

[0.3.0-bb.1]πŸ“œ

ChangedπŸ“œ

  • Updated configmap to collect noDefaultServiceAccount violations.

[0.3.0-bb.0]πŸ“œ

RemovedπŸ“œ

  • Moved all constraints out of cluster-auditor and into OPA gatekeeper package.
  • Moved all constraint tests out of cluster-auditor and into OPA gatekeeper package.

[0.2.0-bb.6]πŸ“œ

AddedπŸ“œ

  • Helm function in API Egress Network Policy Template to avoid crashes when non 0.0.0.0/0 CIDR is specified

[0.2.0-bb.5]πŸ“œ

AddedπŸ“œ

  • networkPolicies.enabled toggle to chart values.
  • network policy resource templates to cover the following:
  • allow in namespace ingress/egress (with release.name appended, otherwise will overlap with existing NP in logging Release namespace)
  • allow egress to kube-api and kube-dns ports 443 and 53 respectively.
  • allow ingress from opa-collector pod to elasticsearch labeled pods

[0.2.0-bb.4]πŸ“œ

AddedπŸ“œ

  • Added CI test for constraints
  • Added Bad k8s objects for testing
  • Added Good k8s objects for testing
  • Updated helper scripts

[0.2.0-bb.3]πŸ“œ

AddedπŸ“œ

  • Added constraints: K8sImageDigests, K8sUniqueServiceSelector, K8sPSPAllowPrivilegeEscalationContainer, K8sPSPPrvilegedContainer, K8sPSPHostNetworkingPorts, K8sPSPSeccomp, K8sPSPReadOnlyRootFilesystem, K8sPSPSELinuxV2, and K8sContainerRatios.
  • Common labels added to all resources
  • Metadata for constraints added as annotations to all constrains

ChangedπŸ“œ

  • Standardized all constraints for match and parameters values

FixedπŸ“œ

  • Fixed minor bugs in OPA Gatekeeper configuration to watch PSPAllowPrivilegeEscalationContainer, PSPFlexVolumes, and ContainerLimits

[0.2.0-bb.2]πŸ“œ

AddedπŸ“œ

  • added configmap for new constraint

[0.2.0-bb.1]πŸ“œ

AddedπŸ“œ

  • Added more constraints

[0.2.0-bb.0]πŸ“œ

AddedπŸ“œ

  • Added more constraints, and modified values file.

[0.1.8-bb.2]πŸ“œ

AddedπŸ“œ

  • Affinity and node selector values passthroughs added, documented