v0.4.3

Release notes

Welcome to our glorious next release of the security-profiles-operator! We hope you enjoy this release as much as we do! The general usage and setup can be found in our documentation. 🥳 👯

To install the operator, run:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/v0.4.3/deploy/operator.yaml

Feel free to provide us any kind of feedback in the official Kubernetes Slack #security-profiles-operator channel.

Changes by Kind

API Change

• Added the ability to tag pods that present denials from either Seccomp or SELinux. This will happen through the 'spo.x-k8s.io/had-denials' label. (#846, @JAORMX)

Feature

• Added the ability to use SelinuxProfile when creating profilebinding objects. (#854, @Vincent056)
• The security_profiles_operator_selinux_profile_audit_total metric was actually enabled and uses the appropriate labels scraped from the audit.log file. (#916, @jhrozek)
• The spod CR gains a new field webhookOptions which allows the webhooks' failurePolicy and namespaceSelector to be configurable. (#883, @jhrozek)
• Added a syscall allow list in the SPOD configuration (#913, @ccojocar)
• Make allowed seccomp actions configurable in the SPOD configuration. (#927, @ccojocar)
• Make the tolerations of the webhook configurable via the SPOD configuration (#892, @ccojocar)

Documentation

• It is now possible to install SPO from packages provided on operatorhub.io. User-facing documentation is provided in the installation-usage.md document. (#889, @jhrozek)

Bug or Regression

• The security-profiles-operator namespace is now labeled with the following labels:
  pod-security.kubernetes.io/enforce: privileged
  pod-security.kubernetes.io/audit: privileged
  pod-security.kubernetes.io/warn: privileged
  To account for clusters that are enabling PSA and defaulting to the restricted one.

  When using another namespace or creating the namespace with other means,
  please ensure that the namespace has the above labels. (#944, @jhrozek)

Other (Cleanup or Flake)

• Remove unnecessary configmap RBAC rules. (#942, @saschagrunert)
• Updated cert-manager to v1.8.0. (#886, @saschagrunert)
• Add SCMP_ACT_NOTIFY to the list of allowed seccomp actions (#929, @ccojocar)

Dependencies

Added

• github.com/AdaLogics/go-fuzz-headers: 6c3934b
• github.com/ahmetb/gen-crd-api-reference-docs: v0.3.0
• github.com/andybalholm/brotli: v1.0.1
• github.com/cert-manager/cert-manager: v1.8.0
• github.com/dsnet/compress: f669936
• github.com/go-logr/stdr: v1.2.2
• github.com/golang-jwt/jwt/v4: v4.0.0
• github.com/google/gnostic: v0.5.7-v3refs
• github.com/googleapis/google-cloud-go-testing: bcd43fb
• github.com/hashicorp/go-plugin: v1.4.3
• github.com/hashicorp/go-secure-stdlib/mlock: v0.1.1
• github.com/hashicorp/go-secure-stdlib/parseutil: v0.1.1
• github.com/hashicorp/go-secure-stdlib/strutil: v0.1.1
• github.com/hashicorp/yamux: 3520598
• github.com/intel/goresctrl: v0.2.0
• github.com/lithammer/dedent: v1.1.0
• github.com/mholt/archiver/v3: v3.5.1
• github.com/moby/sys/signal: v0.6.0
• github.com/mogensen/kubernetes-split-yaml: v0.3.0
• github.com/networkplumbing/go-nft: v0.2.0
• github.com/nwaples/rardecode: v1.1.0
• github.com/oklog/run: v1.0.0
• github.com/pierrec/lz4/v4: v4.1.2
• github.com/segmentio/asm: v1.1.3
• github.com/segmentio/encoding: v0.3.3
• github.com/xi2/xz: 48954b6
• github.com/xrash/smetrics: 039620a
• go.opentelemetry.io/otel/exporters/otlp/internal/retry: v1.3.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.3.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.3.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.3.0

Changed

• bazil.org/fuse: 371fbbd → 5883e5a
• cloud.google.com/go/firestore: v1.6.1 → v1.1.0
• cloud.google.com/go/storage: v1.10.0 → v1.14.0
• github.com/Azure/azure-sdk-for-go: v56.2.0+incompatible → v56.3.0+incompatible
• github.com/Azure/go-autorest/autorest/adal: v0.9.14 → v0.9.15
• github.com/Azure/go-autorest/autorest: v0.11.19 → v0.11.20
• github.com/BurntSushi/toml: v1.0.0 → v1.1.0
• github.com/Masterminds/squirrel: v1.5.0 → v1.5.2
• github.com/Microsoft/go-winio: v0.5.1 → v0.5.2
• github.com/ProtonMail/go-crypto: 428f8ea → a948124
• github.com/armon/go-metrics: v0.3.10 → v0.3.9
• github.com/carolynvs/magex: v0.7.0 → v0.8.1
• github.com/cenkalti/backoff/v4: v4.1.1 → v4.1.2
• github.com/census-instrumentation/opencensus-proto: v0.3.0 → v0.2.1
• github.com/cncf/xds/go: a8f9461 → cb28da3
• github.com/containerd/cgroups: v1.0.2 → v1.0.3
• github.com/containerd/containerd: v1.5.9 → v1.6.4
• github.com/containerd/go-cni: v1.0.2 → v1.1.5
• github.com/containerd/imgcrypt: v1.1.1 → v1.1.4
• github.com/containerd/stargz-snapshotter/estargz: v0.11.0 → v0.11.4
• github.com/containernetworking/cni: v1.0.1 → v1.1.0
• github.com/containernetworking/plugins: v1.0.1 → v1.1.1
• github.com/containers/common: v0.47.5 → 400832f
• github.com/containers/image/v5: v5.19.1 → v5.21.1
• github.com/containers/libtrust: 14b9617 → 9c3a6c2
• github.com/containers/ocicrypt: v1.1.2 → 566b808
• github.com/containers/storage: v1.38.2 → v1.40.2
• github.com/coreos/etcd: v3.3.15+incompatible → v3.3.13+incompatible
• github.com/crossplane/crossplane-runtime: 85b19c2 → v0.16.0
• github.com/docker/cli: v20.10.7+incompatible → v20.10.11+incompatible
• github.com/docker/distribution: v2.8.0+incompatible → v2.8.1+incompatible
• github.com/docker/docker: v20.10.12+incompatible → v20.10.15+incompatible
• github.com/envoyproxy/go-control-plane: v0.10.1 → 49ff273
• github.com/envoyproxy/protoc-gen-validate: v0.6.2 → v0.1.0
• github.com/gobuffalo/flect: v0.2.3 → v0.2.5
• github.com/godbus/dbus/v5: v5.0.6 → v5.1.0
• github.com/golang/snappy: v0.0.3 → v0.0.4
• github.com/google/cel-go: v0.9.0 → v0.10.1
• github.com/google/martian/v3: v3.2.1 → v3.1.0
• github.com/google/pprof: 4bb14d4 → 94a9f03
• github.com/hashicorp/consul/api: v1.11.0 → v1.1.0
• github.com/hashicorp/consul/sdk: v0.8.0 → v0.1.1
• github.com/hashicorp/errwrap: v1.0.0 → v1.1.0
• github.com/hashicorp/go-hclog: v1.0.0 → v0.16.2
• github.com/hashicorp/go-uuid: v1.0.1 → v1.0.2
• github.com/hashicorp/go-version: v1.1.0 → v1.2.0
• github.com/hashicorp/mdns: v1.0.4 → v1.0.0
• github.com/hashicorp/memberlist: v0.3.0 → v0.1.3
• github.com/hashicorp/serf: v0.9.6 → v0.8.2
• github.com/hashicorp/vault/api: v1.1.1 → v1.3.1
• github.com/hashicorp/vault/sdk: v0.2.1 → v0.3.0
• github.com/jmoiron/sqlx: v1.3.1 → v1.3.4
• github.com/klauspost/compress: v1.14.2 → v1.15.2
• github.com/lib/pq: v1.10.0 → v1.10.4
• github.com/magefile/mage: v1.11.0 → v1.13.0
• github.com/miekg/dns: v1.1.41 → v1.1.47
• github.com/miekg/pkcs11: v1.0.3 → v1.1.1
• github.com/mitchellh/cli: v1.1.0 → v1.0.0
• github.com/mitchellh/copystructure: v1.1.1 → v1.2.0
• github.com/mitchellh/reflectwalk: v1.0.1 → v1.0.2
• github.com/moby/sys/mountinfo: v0.5.0 → v0.6.1
• github.com/moby/sys/symlink: v0.1.0 → v0.2.0
• github.com/onsi/ginkgo/v2: v2.0.0 → v2.1.4
• github.com/onsi/gomega: v1.18.1 → v1.19.0
• github.com/opencontainers/runc: v1.1.0 → v1.1.1
• github.com/opencontainers/selinux: v1.10.0 → v1.10.1
• github.com/ostreedev/ostree-go: 759a8c1 → 719684c
• github.com/pascaldekloe/goe: v0.1.0 → 57f6aae
• github.com/pelletier/go-toml: v1.9.4 → v1.9.3
• github.com/pkg/sftp: v1.10.1 → v1.13.1
• github.com/posener/complete: v1.2.3 → v1.1.1
• github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring: v0.55.1 → v0.57.0
• github.com/prometheus/client_golang: v1.12.1 → v1.12.2
• github.com/spf13/afero: v1.6.0 → v1.8.0
• github.com/spf13/viper: v1.10.0 → v1.8.1
• github.com/stretchr/testify: v1.7.1 → v1.7.2
• github.com/sylabs/sif/v2: v2.3.1 → v2.7.0
• github.com/tv42/httpunix: b75d861 → 2ba4b9c
• github.com/urfave/cli/v2: v2.4.0 → v2.8.1
• github.com/vbauerster/mpb/v7: v7.3.2 → v7.4.1
• github.com/xeipuuv/gojsonpointer: df4f5c8 → 02993c4
• go.etcd.io/etcd/client/v2: v2.305.1 → v2.305.0
• go.etcd.io/etcd/client/v3: v3.5.0 → v3.5.1
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.20.0 → v0.28.0
• go.opentelemetry.io/otel/sdk: v0.20.0 → v1.3.0
• go.opentelemetry.io/otel/trace: v0.20.0 → v1.3.0
• go.opentelemetry.io/otel: v0.20.0 → v1.3.0
• go.opentelemetry.io/proto/otlp: v0.7.0 → v0.11.0
• go.uber.org/atomic: v1.7.0 → v1.9.0
• golang.org/x/crypto: e495a2d → 8634188
• golang.org/x/sys: 039c03c → 9388b58
• golang.org/x/time: 1f47c86 → 90d013b
• google.golang.org/genproto: 00ab72f → 325a892
• google.golang.org/grpc: v1.45.0 → v1.47.0
• gopkg.in/cheggaaa/pb.v1: v1.0.27 → v1.0.25
• gopkg.in/yaml.v3: 496545a → v3.0.1
• helm.sh/helm/v3: v3.7.1 → v3.8.1
• k8s.io/api: v0.23.5 → v0.24.1
• k8s.io/apiextensions-apiserver: v0.23.5 → v0.24.0
• k8s.io/apimachinery: v0.23.5 → v0.24.1
• k8s.io/apiserver: v0.23.5 → v0.24.0
• k8s.io/cli-runtime: v0.23.1 → v0.23.4
• k8s.io/client-go: v0.23.5 → v0.24.1
• k8s.io/code-generator: v0.23.5 → v0.24.0
• k8s.io/component-base: v0.23.5 → v0.24.0
• k8s.io/cri-api: v0.20.6 → v0.23.1
• k8s.io/gengo: 485abfe → c02415c
• k8s.io/klog: v0.4.0 → v0.2.0
• k8s.io/kube-aggregator: v0.23.1 → v0.23.4
• k8s.io/kube-openapi: e816edb → 3ee0da9
• k8s.io/kubectl: v0.23.1 → v0.23.4
• oras.land/oras-go: v0.4.0 → v1.1.0
• sigs.k8s.io/controller-runtime: v0.11.2 → v0.12.1
• sigs.k8s.io/controller-tools: v0.8.0 → v0.9.0
• sigs.k8s.io/gateway-api: v0.3.0 → v0.4.1
• sigs.k8s.io/json: c049b76 → 9f7c6b3
• sigs.k8s.io/release-utils: v0.6.0 → v0.7.0

Removed

• github.com/DataDog/datadog-go: v3.2.0+incompatible
• github.com/Nvveen/Gotty: cd52737
• github.com/cheggaaa/pb: v1.0.27
• github.com/circonus-labs/circonus-gometrics: v2.3.1+incompatible
• github.com/circonus-labs/circonusllhist: v0.1.3
• github.com/coreos/go-etcd: v2.0.0+incompatible
• github.com/cpuguy83/go-md2man: v1.0.10
• github.com/globalsign/mgo: eeefdec
• github.com/go-openapi/analysis: v0.19.2
• github.com/go-openapi/errors: v0.19.2
• github.com/go-openapi/loads: v0.19.2
• github.com/go-openapi/runtime: v0.19.0
• github.com/go-openapi/strfmt: v0.19.0
• github.com/go-openapi/validate: v0.19.2
• github.com/gophercloud/gophercloud: v0.1.0
• github.com/gotestyourself/gotestyourself: v2.2.0+incompatible
• github.com/iancoleman/strcase: v0.2.0
• github.com/jetstack/cert-manager: v1.7.2
• github.com/lyft/protoc-gen-star: v0.5.3
• github.com/pborman/uuid: v1.2.0
• github.com/remyoudompheng/bigfft: 52369c6
• github.com/sagikazarmark/crypt: v0.3.0
• github.com/sylabs/release-tools: v0.1.0
• github.com/ugorji/go/codec: d75b2dc
• gonum.org/v1/gonum: 3d26580
• gonum.org/v1/netlib: 7672324
• modernc.org/cc: v1.0.0
• modernc.org/golex: v1.0.0
• modernc.org/mathutil: v1.0.0
• modernc.org/strutil: v1.0.0
• modernc.org/xc: v1.0.0
• sigs.k8s.io/structured-merge-diff: 6149e45