Release date: 2022-01-31
This prerelease comes with support for automatically getting credentials from Azure and Google Cloud when scanning images in ACR and GCR. To configure autologin for ACR, ECR or GCR please see the cloud providers authentication guide.
Platform admins can disable cross-namespace references with the
--no-cross-namespace-refs=true flag. When this flag is set,
image policies can only refer to image repositories in the same namespace
as the policy object, preventing tenants from accessing another tenant's repositories.
Starting with this version, the controller deployment conforms to the Kubernetes restricted pod security standard:
- all Linux capabilities were dropped
- the root filesystem was set to read-only
- the seccomp profile was set to the runtime default
- run as non-root was enabled
- the user and group ID was set to 65534
Breaking changes:
- The use of new seccomp API requires Kubernetes 1.19.
- The controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user ID of 'controller' in their PodSecurityPolicy.
Features:
- Get credentials from GCP/Azure when needed #194
- Allow disabling cross-namespace references to image repositories #228
Improvements:
- Publish SBOM and sign release artifacts #227
- Drop capabilities, enable seccomp and enforce runAsNonRoot #223
- Refactor Fuzz implementation #221
- Clarifications for auto-login feature #219
Fixes:
- Fix scheme validation check when using host:port #222
- Fix makefile envtest and controller-gen usage #218
Release date: 2022-01-07
This prerelease comes with an update to the Kubernetes and controller-runtime dependencies to align them with the Kubernetes 1.23 release.
In addition, the controller is now built with Go 1.17 and Alpine 3.15.
Improvements:
Release date: 2021-11-23
This prerelease updates Alpine to v3.14, and several dependencies to their latest
version. Solving an issue with rest_client_request_latency_seconds_.* high
cardinality metrics.
To enhance the experience of consumers observing the ImagePolicy and ImageRepository
objects using kstatus, a default of -1 is now configured for the observedGeneration
to ensure it does not report a false positive in the time the controller has not marked
the resource with a Ready condition yet.
Improvements:
- Set default observedGeneration to -1 #189
- Update Alpine to v3.14 #203
- Update dependencies #204
- Update github.com/opencontainers/image-spec to v1.0.2 #205
Release date: 2021-11-12
This prerelease comes with a regression bug fix for when policies reference repositories in the same namespace.
Fixes:
- Fix watched same-ns image repos trigger reconcile #199
Release date: 2021-11-11
This prerelease comes with a bug fix for when policies reference repositories across namespaces.
Fixes:
- Watched cross-ns image repos trigger reconcile #196
Release date: 2021-10-19
This prerelease adds experimental support for automatically getting credentials from AWS when scanning an image in Elastic Container Registry (ECR).
Improvements:
- Get credentials from AWS ECR when needed #174
Release date: 2021-10-08
This prerelease comes with an (experimental) introduction of ACLs for allowing cross-namespace
access to ImageRepository resources. You can read more about how they work in the
pull request that
introduced them.
In addition, a bug has been fixed that caused the controller to segfault when a malformed SemVer was defined.
Improvements:
- [RFC] Add ACL support for allowing cross-namespace access to image repository #162
Fixes:
- policy: Handle failure due to invalid semver range #172
Release date: 2021-08-05
This prerelease comes with an update to the Kubernetes and controller-runtime
dependencies to align them with the Kubernetes v1.21.3 release, including an update
of Badger to v3.2103.1.
Improvements:
- Update dependencies #160
Release date: 2021-06-28
This prerelease promotes the API version from v1alpha2 to v1beta1.
v1alpha2
and v1beta1 APIs.
You may wish to migrate v1alpha2 YAML files to v1beta1, in
preparation for v1alpha2 being deprecated (eventually; there is no
date set at the time of writing). This is simply a case of setting the
apiVersion field value:
`apiVersion: image.toolkit.fluxcd.io/v1beta1`
Improvements:
- Let people set the number of controller workers with a flag #153
Release date: 2021-06-10
This prerelease comes with an update to the Kubernetes and controller-runtime
dependencies to align them with the Kubernetes 1.21 release, including an update
of Badger to v3.2103.0.
Improvements:
- Better error reporting for image policy evaluation #144
- Update Go and Badger #149
- Update dependencies #150
- Add nightly builds workflow and allow RC releases #151
Release date: 2021-04-29
This prerelease comes with improvements to error reporting.
Fixes:
Release date: 2021-04-21
This prerelease comes with breaking changes to the image.toolkit.fluxcd.io APIs.
The v1alpha1 APIs have been promoted to v1alpha2, while the version has
changed the API definitions have not, and upgrading can be done by changing
the version in your manifests for the ImageRepository and ImagePolicy kinds.
Improvements:
Fixes:
- Parse docker auths and use only hostname #119
Release date: 2021-04-06
This prerelease comes with a breaking change to the leader election ID
from e189b2df.fluxcd.io to image-reflector-controller-leader-election
to be more descriptive. This change should not have an impact on most
installations, as the default replica count is 1. If you are running
a setup with multiple replicas, it is however advised to scale down
before upgrading.
The controller exposes a gauge metric to track the suspended status
of ImageRepository objects: gotk_suspend_status{kind,name,namespace}.
Improvements:
- Set leader election deadline to 30s #125
- Record suspension metrics #123
Release date: 2021-03-16
This prerelease comes with updates to the runtime packages.
Improvements:
- Update dependencies #121
Fixes:
- Fix
last scanprint column forImageRepository#119
Release date: 2021-02-24
This prerelease comes with various updates to the controller's
dependencies; most notable the go-containerregistry library
was upgrade from v0.1.1 to v0.4.0.
The Kubernetes custom resource definitions are packaged as a multi-doc YAML asset and published on the GitHub release page.
Improvements:
Release date: 2021-02-12
This prerelease comes with support for defining policies with numerical ordering.
Features:
Improvements:
Release date: 2021-02-01
This prerelease comes with support for supplying a client cert, key and CA (self-singed TLS) to be used for authentication with container image registries.
Release date: 2021-01-22
This prerelease comes with a new argument flag to set the database's
memory mapped value log file size in bytes (--storage-value-log-file-size),
with a 32bit ARMv7 friendly default of 1<<28 (256MiB).
Release date: 2021-01-21
This prerelease comes with two new argument flags,
introduced to support configuring the QPS
(--kube-api-qps) and burst (--kube-api-burst) while communicating
with the Kubernetes API server.
The LocalObjectReference from the Kubernetes core has been replaced
with our own, making the name a required field. The impact of this
should be limited to direct API consumers only, as the field was
already required by controller logic.
Release date: 2021-01-16
This prerelease comes with updates to Kubernetes and Badger dependencies. The Kubernetes packages were updated to v1.20.2 and Badger to v3.2011.0.
Release date: 2021-01-13
This is the second MINOR prerelease, adding support for selecting images using regular expressions.
Other notable changes:
controller-runtimedependency has been upgraded tov0.7.0.- The container image for ARMv7 and ARM64 that used to be published
separately as
image-reflector-controller:*-arm64has been merged with the AMD64 image.
Release date: 2020-12-10
This is the first prerelease of image-reflector-controller and its API. The purpose of the controller is to scan image repositories, and calculate a "latest image" according to some specification. Automation (e.g., the image-automation-controller) can use that information to run updates, so that the latest image is deployed.
The controller and API conform to the conventions of the GitOps
Toolkit, so will be compatible with (and soon, included in) the flux
CLI and dashboards and so on.
This release supports:
- supplying a docker-registry secret as credentials for accessing an image repository
- selecting images according to a semver range.
- selecting images according to alphabetical order (ascending or descending)
- keeping the database on a volume (e.g., a PersistentVolumeClaim) so that it survives restarts