Releases: gardener/gardener-extension-shoot-lakom-service
v0.17.0
[gardener/gardener-extension-shoot-lakom-service]
🏃 Others
[OPERATOR]
The following dependencies have been updated:
- github.com/gardener/gardener v1.103.0 -> v1.106.0
- k8s.io/api v0.29.8 -> v0.31.1
- k8s.io/apimachinery v0.29.8 -> v0.31.1
- k8s.io/client-go v0.29.8 -> v0.31.1
- k8s.io/code-generator v0.29.8 -> v0.31.1
- k8s.io/component-base v0.29.8 -> v0.31.1
- sigs.k8s.io/controller-runtime v0.17.6 -> v0.19.0
by @vpnachev [#116]
[OPERATOR]
The lakom components are now built using go version 1.23.3. by @dependabot[bot] [#121]
[DEVELOPER]
gosec is made available for SAST (static application security testing). It can be run with make sast or make sast-report, and it is also incorporated in the verify and verify-extended makefile targets. by @vpnachev [#116]
Helm Charts
- lakom:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/lakom:v0.17.0
- shoot-lakom-admission:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-admission:v0.17.0
- shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-service:v0.17.0
Docker Images
- gardener-extension-shoot-lakom-admission:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-admission:v0.17.0
- gardener-extension-shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.17.0
- lakom:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.17.0
v0.16.0
🐛 Bug Fixes
[OPERATOR]
A bug in the lakom extension controller trying to update the immutable roleRef field in the (Cluster)RoleBinding resource without recreating it has been fixed. by @vpnachev [#115]
Helm Charts
- lakom:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/lakom:v0.16.0
- shoot-lakom-admission:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-admission:v0.16.0
- shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-service:v0.16.0
Docker Images
- gardener-extension-shoot-lakom-admission:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-admission:v0.16.0
- gardener-extension-shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.16.0
- lakom:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.16.0
v0.15.0
🐛 Bug Fixes
[OPERATOR]
Fix permissions of the lakom admission controller when it is installed with Cluster scope for a shoot cluster. by @vpnachev [#114]
Helm Charts
- lakom:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/lakom:v0.15.0
- shoot-lakom-admission:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-admission:v0.15.0
- shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-service:v0.15.0
Docker Images
- gardener-extension-shoot-lakom-admission:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-admission:v0.15.0
- gardener-extension-shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.15.0
- lakom:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.15.0
v0.14.0
✨ New Features
[USER]
The shoot lakom extension now supports various scope configurations, so it can be set to verify not only the gardener-managed pods in the kube-system namespace (KubeSystemManagedByGardener scope, which is also the default scope if not set explicitly), but the entire kube-system namespace (KubeSystem scope) or the entire cluster (Cluster scope). Check out usage-shoot-extension for more details on how the lakom extension configuration can be customized. by @rrhubenov [#103]
[OPERATOR]
It is now possible to disable installation of the lakom admission webhook in the kube-system namespace of seed clusters. This is useful for managed seeds that have the lakom extension enabled with Cluster scope. To disable the installation, the seed must be annotated with service.lakom.extensions.gardener.cloud/enable-lakom-admission-controller=false by @rrhubenov [#106]
[OPERATOR]
A new lakom component, shoot-lakom-admission, has been implemented; it serves as an admission controller verifying the lakom extension configuration in shoot resources. by @rrhubenov [#103]
🏃 Others
[OPERATOR]
Lakom container resource demands have been reduced:
[OPERATOR]
Lakom components are now built with go version 1.23.2. by @dependabot[bot] [#111]
[DEPENDENCY]
The following third party dependencies have been updated:
Helm Charts
- lakom:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/lakom:v0.14.0
- shoot-lakom-admission:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-admission:v0.14.0
- shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-service:v0.14.0
Docker Images
- gardener-extension-shoot-lakom-admission:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-admission:v0.14.0
- gardener-extension-shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.14.0
- lakom:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.14.0
v0.13.0
⚠️ Breaking Changes
[OPERATOR]
The specification of the image in the gardener-extension-shoot-lakom-service Helm chart has been changed. by @oliver-goetz [#98]
[OPERATOR]
⚠️ The lakom admission controller has removed the flag --cosign-public-key-path. The trusted public keys are now configurable via the flag --lakom-config-path, as the file is no longer a bundle of public keys but a structured configuration in YAML or JSON format. Each key must now be named, and optionally a signature verification algorithm can be specified. For more details, check the lakom usage page. by @vpnachev [#99]
[OPERATOR]
⚠️ The lakom extension controller helm chart value "controllers.cosignPublicKeys" changed its semantics: it is no longer a list of keys but a list of tuples of name, key and optionally algorithm. The same change applies to the extension configuration file field cosignPublicKeys. by @vpnachev [#99]
[OPERATOR]
⚠️ The lakom helm chart value cosign.publicKeys changed its semantics: it is no longer a list of keys but a list of tuples of name, key and optionally algorithm. by @vpnachev [#99]
✨ New Features
[OPERATOR]
Helm charts of the extension and the admission controller are now published as OCI artifacts. by @oliver-goetz [#98]
[OPERATOR]
All pods in Managed Seed clusters will now be validated for trusted image signatures. by @rrhubenov [#91]
[OPERATOR]
Lakom adds support for the RSASSA-PSS scheme for signature verification next to RSASSA-PKCS1-v1_5; it can be configured via the algorithm field associated with each public key. The algorithm field also provides control over the hash function to be used. by @vpnachev [#99]
[DEVELOPER]
Easy local development using skaffold deployments. by @rrhubenov [#93]
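The named-key configuration from the breaking changes above and the RSASSA-PSS support from this release, as an added Go example that is not part of the lakom project's code: it shows why the algorithm entry is part of the trust decision, since an RSA signature made under one scheme does not verify under the other even with the same key material, and why a malformed entry should fail loudly instead of being skipped. The TrustedKey field names, the "<scheme>-<hash>" algorithm naming, the empty-value default and the key names are assumptions for this example; lakom's real configuration format is the one documented on its usage page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	_ "crypto/sha512" // registers SHA-512 so crypto.SHA512.New() is available
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

// TrustedKey mirrors the shape the release notes describe (a named key with an
// optional algorithm). Field and algorithm names are assumptions, not lakom's schema.
type TrustedKey struct {
	Name      string
	Key       string // PEM-encoded PKIX public key
	Algorithm string // assumed "<scheme>-<hash>" form, e.g. "RSASSA-PSS-SHA256"
}

// parseAlgorithm splits the assumed name; an empty value selects an assumed default.
func parseAlgorithm(s string) (pss bool, h crypto.Hash, err error) {
	if s == "" {
		s = "RSASSA-PKCS1-v1_5-SHA256"
	}
	switch {
	case strings.HasPrefix(s, "RSASSA-PSS-"):
		pss, s = true, strings.TrimPrefix(s, "RSASSA-PSS-")
	case strings.HasPrefix(s, "RSASSA-PKCS1-v1_5-"):
		s = strings.TrimPrefix(s, "RSASSA-PKCS1-v1_5-")
	default:
		return false, 0, fmt.Errorf("unsupported scheme in %q", s)
	}
	h, ok := map[string]crypto.Hash{"SHA256": crypto.SHA256, "SHA512": crypto.SHA512}[s]
	if !ok || !h.Available() {
		return false, 0, fmt.Errorf("unsupported hash %q", s)
	}
	return pss, h, nil
}

// VerifyWithTrustedKeys returns the name of the first entry whose scheme and hash
// verify sig over payload. A malformed entry is an error rather than a skip.
func VerifyWithTrustedKeys(keys []TrustedKey, payload, sig []byte) (string, error) {
	for _, k := range keys {
		pss, h, err := parseAlgorithm(k.Algorithm)
		if err != nil {
			return "", fmt.Errorf("key %q: %w", k.Name, err)
		}
		block, _ := pem.Decode([]byte(k.Key))
		if block == nil {
			return "", fmt.Errorf("key %q: no PEM block", k.Name)
		}
		parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
		pub, ok := parsed.(*rsa.PublicKey)
		if err != nil || !ok {
			return "", fmt.Errorf("key %q: not a valid RSA public key", k.Name)
		}
		hasher := h.New()
		hasher.Write(payload)
		if pss {
			err = rsa.VerifyPSS(pub, h, hasher.Sum(nil), sig, nil)
		} else {
			err = rsa.VerifyPKCS1v15(pub, h, hasher.Sum(nil), sig)
		}
		if err == nil {
			return k.Name, nil
		}
	}
	return "", fmt.Errorf("no matching signatures")
}

// Demo stands in for a signing pipeline: a throwaway RSA key signs a constructed
// payload with RSASSA-PSS/SHA-256, then two constructed trusted-key lists are checked.
func Demo() (matched string, pkcs1Only error, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pemKey := string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	payload := []byte("constructed sample payload") // constructed input, not a real manifest
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", nil, err
	}
	keys := []TrustedKey{ // same key under two names: only the entry matching the signer's scheme verifies
		{Name: "release-signing-pkcs1", Key: pemKey, Algorithm: "RSASSA-PKCS1-v1_5-SHA256"},
		{Name: "release-signing-pss", Key: pemKey, Algorithm: "RSASSA-PSS-SHA256"},
	}
	matched, err = VerifyWithTrustedKeys(keys, payload, sig)     // expected: "release-signing-pss"
	_, pkcs1Only = VerifyWithTrustedKeys(keys[:1], payload, sig) // expected: "no matching signatures"
	return matched, pkcs1Only, err
}

func main() { fmt.Println(Demo()) }
```

The first-match-wins loop means the configured order decides which name is reported, which matters for audit logs; returning an error on a malformed entry (rather than skipping it) is the conservative choice, because a silently skipped key would reduce the trusted set without any signal to the operator.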
🏃 Others
[OPERATOR]
Lakom application and lakom extension controller are now built with Go version 1.22.5 by @vpnachev [#101]
[OPERATOR]
This extension now uses the new way of providing monitoring configuration (ref GEP-19) in case a shoot cluster's Prometheus has been migrated to management via prometheus-operator. by @rfranzke [#87]
Helm Charts
- lakom:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/lakom:v0.13.0
- shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-service:v0.13.0
Docker Images
- gardener-extension-shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.13.0
- lakom:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.13.0
v0.12.0
⚠️ Breaking Changes
[OPERATOR]
Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk [#61]
[OPERATOR]
⚠️ Lakom admission webhooks now always use failure policy Fail and it is no longer possible to change it to Ignore. If you want to allow untrusted images
[DEVELOPER]
The function pkg/lakom/verifysignature.IsNoMatchingSignature has been renamed to pkg/lakom/verifysignature.IsNoMatchingSignatures by @vpnachev [#72]
✨ New Features
[OPERATOR]
The lakom gardener extension controller configuration has a new field allowUntrustedImages; it is used to control the lakom admission controller flag --insecure-allow-untrusted-images. by @vpnachev [#74]
[USER]
The lakom admission controller is extended with a new flag --insecure-allow-untrusted-images. When it is set, the admission webhook returns just a warning but still allows images that are not signed or are not signed with trusted keys. by @vpnachev [#74]
🐛 Bug Fixes
[OPERATOR]
Fix a bug in the mitigation for wrongly cached image signatures verification results due to exceeded or canceled context. by @dimityrmirchev [#54]
[OPERATOR]
A bug in the shoot-lakom-service controller that was causing the lakom CA secret for a shoot cluster to be recreated instead of restored during control plane migration has been fixed. by @vpnachev [#53]
🏃 Others
[DEVELOPER]
The vendor directory has been dropped. by @vpnachev [#67]
[OPERATOR]
Lakom application and lakom extension controller are now built with Go version 1.22.1 by @dependabot[bot] [#77]
[OPERATOR]
The following dependencies have been updated:
- github.com/gardener/service-account-issuer-discovery v0.2.0 -> v0.6.0
- github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419 -> v0.19.0
- github.com/sigstore/cosign/v2 v2.0.2 -> v2.2.3
- github.com/sigstore/sigstore v1.6.4 -> v1.8.1
- golang.org/x/crypto v0.17.0 -> v0.19.0
- golang.org/x/sync v0.3.0 -> v0.6.0
- golang.org/x/tools v0.13.0 -> v0.18.0
- helm.sh/helm/v3 v3.11.1 -> v3.14.2
- k8s.io/* v0.28.4 -> v0.29.2
by @vpnachev [#72]
[OPERATOR]
The following dependencies have been updated:
Docker Images
- gardener-extension-shoot-lakom-service:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.12.0
- lakom:
europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.12.0
v0.11.1
🐛 Bug Fixes
[OPERATOR]
Fix a bug in the mitigation for wrongly cached image signatures verification results due to exceeded or canceled context. by @vpnachev [#58]
🏃 Others
[OPERATOR]
Lakom application and lakom extension controller are now built with Go version 1.21.5. by @vpnachev [#59]
Docker Images
- gardener-extension-shoot-lakom-service:
eu.gcr.io/gardener-project/gardener/extensions/shoot-lakom-service:v0.11.1
- lakom:
eu.gcr.io/gardener-project/gardener/extensions/lakom:v0.11.1
v0.11.0
✨ New Features
[USER]
Lakom admission webhooks now ignore image pull secrets that do not exist in the cluster. by @vpnachev [#44]
[USER]
The shoot-lakom-service extension now supports Shoot Force Deletion. by @acumino [#45]
[USER]
The lakom application can now be configured via the flag --use-only-image-pull-secrets to use only the image pull secrets of the pod to authenticate against the OCI registry, i.e. it will not use the node identity or the default docker configuration when the flag is set to true. by @vpnachev [#49]
[OPERATOR]
The lakom extension controller now has a configuration option controllers.useOnlyImagePullSecrets which controls the value of the lakom flag --use-only-image-pull-secrets. by @vpnachev [#49]
🏃 Others
[OPERATOR]
The base distroless OCI image is updated to debian 12. by @vpnachev [#46]
[OPERATOR]
Lakom application and lakom extension controller are now built with Go version 1.21.4. by @vpnachev [#50]
Docker Images
- gardener-extension-shoot-lakom-service:
eu.gcr.io/gardener-project/gardener/extensions/shoot-lakom-service:v0.11.0
- lakom:
eu.gcr.io/gardener-project/gardener/extensions/lakom:v0.11.0
v0.10.0
⚠️ Breaking Changes
[OPERATOR]
The shoot-lakom-service extension no longer supports Shoots with Kubernetes version < 1.24. by @shafeeqes [#34]
🏃 Others
[OPERATOR]
The following dependencies are updated:
- github.com/gardener/gardener: v1.74.0 -> v1.80.0
- k8s.io/*: v0.26.3 -> v0.28.2
- sigs.k8s.io/controller-runtime: v0.14.6 -> v0.16.2
by @shafeeqes [#38]
[OPERATOR]
The lakom extension binaries are now built with golang 1.21.3. by @vpnachev [#41]
[OPERATOR]
The lakom binaries are now built with golang 1.21.1. by @vpnachev [#40]