
Releases: gardener/gardener-extension-shoot-lakom-service

v0.17.0

22 Nov 08:55

[gardener/gardener-extension-shoot-lakom-service]

🏃 Others

  • [OPERATOR] The following dependencies have been updated:
    • github.com/gardener/gardener v1.103.0 -> v1.106.0
    • k8s.io/api v0.29.8 -> v0.31.1
    • k8s.io/apimachinery v0.29.8 -> v0.31.1
    • k8s.io/client-go v0.29.8 -> v0.31.1
    • k8s.io/code-generator v0.29.8 -> v0.31.1
    • k8s.io/component-base v0.29.8 -> v0.31.1
    • sigs.k8s.io/controller-runtime v0.17.6 -> v0.19.0 by @vpnachev [#116]
  • [OPERATOR] The lakom components are now built using go version 1.23.3. by @dependabot[bot] [#121]
  • [DEVELOPER] gosec is made available for SAST (static application security testing). It can be run with make sast or make sast-report, and is also incorporated in the verify and verify-extended makefile targets. by @vpnachev [#116]

Helm Charts

  • lakom: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/lakom:v0.17.0
  • shoot-lakom-admission: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-admission:v0.17.0
  • shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-service:v0.17.0

Docker Images

  • gardener-extension-shoot-lakom-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-admission:v0.17.0
  • gardener-extension-shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.17.0
  • lakom: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.17.0

v0.16.0

22 Oct 08:14

🐛 Bug Fixes

  • [OPERATOR] A bug in the lakom extension controller trying to update the immutable roleRef field in the (Cluster)RoleBinding resource without recreating it has been fixed. by @vpnachev [#115]

Helm Charts

  • lakom: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/lakom:v0.16.0
  • shoot-lakom-admission: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-admission:v0.16.0
  • shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-service:v0.16.0

Docker Images

  • gardener-extension-shoot-lakom-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-admission:v0.16.0
  • gardener-extension-shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.16.0
  • lakom: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.16.0

v0.15.0

21 Oct 07:35

🐛 Bug Fixes

  • [OPERATOR] Fix permissions of lakom admission controller when it is installed with Cluster scope for a shoot cluster. by @vpnachev [#114]

Helm Charts

  • lakom: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/lakom:v0.15.0
  • shoot-lakom-admission: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-admission:v0.15.0
  • shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-service:v0.15.0

Docker Images

  • gardener-extension-shoot-lakom-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-admission:v0.15.0
  • gardener-extension-shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.15.0
  • lakom: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.15.0

v0.14.0

15 Oct 14:22

✨ New Features

  • [USER] The shoot lakom extension now supports various scope configurations, so it can be set to verify not only the gardener-managed pods in the kube-system namespace (KubeSystemManagedByGardener scope, which is also the default scope if not set explicitly), but the entire kube-system namespace (KubeSystem scope), or the entire cluster (Cluster scope). Check out usage-shoot-extension for more details on how the lakom extension configuration can be customized. by @rrhubenov [#103]
  • [OPERATOR] It is now possible to disable installation of lakom admission webhook in the kube-system namespace of seed clusters. This is useful for managed seeds that have the lakom extension enabled with Cluster scope. To disable the installation, the seed must be annotated with service.lakom.extensions.gardener.cloud/enable-lakom-admission-controller=false by @rrhubenov [#106]
  • [OPERATOR] A new lakom component, shoot-lakom-admission, has been implemented. It serves as an admission controller that verifies the lakom extension configuration in shoot resources. by @rrhubenov [#103]

🏃 Others

  • [OPERATOR] Lakom container resource demands have been reduced:
    • memory requests reduced from 64Mi to 25M
    • CPU requests have been dropped
    • Vertical scaling on CPU requests dropped
    • minAllowed of 32Mi memory dropped by @vpnachev [#110]
  • [OPERATOR] Lakom components are now built with go version 1.23.2. by @dependabot[bot] [#111]
  • [DEPENDENCY] The following third party dependencies have been updated:
    • github.com/gardener/gardener v1.103.0
    • github.com/google/go-containerregistry v0.20.0
    • k8s.io/api v0.29.8
    • k8s.io/apimachinery v0.29.8
    • k8s.io/client-go v0.29.8
    • k8s.io/code-generator v0.29.8
    • k8s.io/component-base v0.29.8
    • sigs.k8s.io/controller-runtime v0.17.6 by @vpnachev [#109]

Helm Charts

  • lakom: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/lakom:v0.14.0
  • shoot-lakom-admission: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-admission:v0.14.0
  • shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-service:v0.14.0

Docker Images

  • gardener-extension-shoot-lakom-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-admission:v0.14.0
  • gardener-extension-shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.14.0
  • lakom: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.14.0

v0.13.0

31 Jul 14:12

⚠️ Breaking Changes

  • [OPERATOR] The specification of the image in gardener-extension-shoot-lakom-service Helm chart has been changed. by @oliver-goetz [#98]
  • [OPERATOR] ⚠️ The lakom admission controller has removed the flag --cosign-public-key-path.
    The trusted public keys are now configurable via the flag --lakom-config-path, as the file is no longer a bundle of public keys but a structured configuration in YAML or JSON format.
    Each key must now be named, and optionally a signature verification algorithm can be specified. For more details, check the lakom usage page. by @vpnachev [#99]
  • [OPERATOR] ⚠️ The lakom extension controller helm chart value "controllers.cosignPublicKeys" changed its semantics: it is no longer a list of keys but a list of tuples of name, key and optionally algorithm. The same change applies to the extension configuration file field cosignPublicKeys. by @vpnachev [#99]
  • [OPERATOR] ⚠️ The lakom helm chart value cosign.publicKeys changed its semantics: it is no longer a list of keys but a list of tuples of name, key and optionally algorithm. by @vpnachev [#99]

✨ New Features

  • [OPERATOR] Helm charts of extension and admission controller are published as OCI artifacts now. by @oliver-goetz [#98]
  • [OPERATOR] All pods in Managed Seed clusters will now be validated for trusted image signatures. by @rrhubenov [#91]
  • [OPERATOR] Lakom adds support for the RSASSA-PSS scheme for signature verification next to RSASSA-PKCS1-v1_5. It can be configured via the algorithm field associated with each public key; the algorithm field also provides control over the hash function to be used. by @vpnachev [#99]
  • [DEVELOPER] Easy local development using skaffold deployments. by @rrhubenov [#93]

🏃 Others

  • [OPERATOR] Lakom application and lakom extension controller are now built with Go version 1.22.5. by @vpnachev [#101]
  • [OPERATOR] This extension is now using the new way of providing monitoring configuration (ref GEP-19) in case a shoot cluster's Prometheus has been migrated to management via prometheus-operator. by @rfranzke [#87]

Helm Charts

  • lakom: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/lakom:v0.13.0
  • shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-lakom-service:v0.13.0

Docker Images

  • gardener-extension-shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.13.0
  • lakom: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.13.0

v0.12.0

14 Mar 14:40

⚠️ Breaking Changes

  • [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk [#61]
  • [OPERATOR] ⚠️ Lakom admission webhooks now always use the failure policy Fail, and it is no longer possible to change it to Ignore. If you want to allow untrusted images:
    • for the extension controller, you can set the field allowUntrustedImages to true
    • for the lakom application, you can set the flag --insecure-allow-untrusted-images to true
    Both configs are also exposed via the helm chart values and the ControllerDeployment config. by @vpnachev [#74]
  • [DEVELOPER] The function pkg/lakom/verifysignature.IsNoMatchingSignature has been renamed to pkg/lakom/verifysignature.IsNoMatchingSignatures by @vpnachev [#72]

✨ New Features

  • [OPERATOR] The lakom gardener extension controller configuration has a new field allowUntrustedImages, which controls the lakom admission controller flag --insecure-allow-untrusted-images. by @vpnachev [#74]
  • [USER] The lakom admission controller is extended with a new flag --insecure-allow-untrusted-images. When it is set, the admission webhook returns just a warning but still allows images that are not signed or are not signed with trusted keys. by @vpnachev [#74]

🐛 Bug Fixes

  • [OPERATOR] Fix a bug in the mitigation for wrongly cached image signatures verification results due to exceeded or canceled context. by @dimityrmirchev [#54]
  • [OPERATOR] A bug in the shoot-lakom-service controller that was causing the lakom CA secret for a shoot cluster to be recreated instead of restored during control plane migration has been fixed. by @vpnachev [#53]

🏃 Others

  • [DEVELOPER] The vendor directory has been dropped. by @vpnachev [#67]
  • [OPERATOR] Lakom application and lakom extension controller are now built with Go version 1.22.1. by @dependabot[bot] [#77]
  • [OPERATOR] The following dependencies have been updated:
    • github.com/gardener/service-account-issuer-discovery v0.2.0 -> v0.6.0
    • github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419 -> v0.19.0
    • github.com/sigstore/cosign/v2 v2.0.2 -> v2.2.3
    • github.com/sigstore/sigstore v1.6.4 -> v1.8.1
    • golang.org/x/crypto v0.17.0 -> v0.19.0
    • golang.org/x/sync v0.3.0 -> v0.6.0
    • golang.org/x/tools v0.13.0 -> v0.18.0
    • helm.sh/helm/v3 v3.11.1 -> v3.14.2
    • k8s.io/* v0.28.4 -> v0.29.2 by @vpnachev [#72]
  • [OPERATOR] The following dependencies have been updated:
    • github.com/gardener/gardener v1.81.1 -> v1.88.0
    • k8s.io/* v0.28.2 -> v0.28.4
    • sigs.k8s.io/controller-runtime v0.16.2 -> v0.16.3 by @vpnachev [#67]

Docker Images

  • gardener-extension-shoot-lakom-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-lakom-service:v0.12.0
  • lakom: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/lakom:v0.12.0

v0.11.1

08 Dec 14:32

🐛 Bug Fixes

  • [OPERATOR] Fix a bug in the mitigation for wrongly cached image signatures verification results due to exceeded or canceled context. by @vpnachev [#58]

🏃 Others

  • [OPERATOR] Lakom application and lakom extension controller are now built with Go version 1.21.5. by @vpnachev [#59]

Docker Images

  • gardener-extension-shoot-lakom-service: eu.gcr.io/gardener-project/gardener/extensions/shoot-lakom-service:v0.11.1
  • lakom: eu.gcr.io/gardener-project/gardener/extensions/lakom:v0.11.1

v0.11.0

09 Nov 14:17

✨ New Features

  • [USER] Lakom admission webhooks now ignore image pull secrets that do not exist in the cluster. by @vpnachev [#44]
  • [USER] shoot-lakom-service extension now supports Shoot Force Deletion. by @acumino [#45]
  • [USER] Lakom application now can be configured via the flag --use-only-image-pull-secrets to use only image pull secrets of the pod to authenticate against the OCI registry, i.e. it will not use the node identity or default docker configuration when the flag is set to true. by @vpnachev [#49]
  • [OPERATOR] Lakom extension controller now has a configuration option controllers.useOnlyImagePullSecrets which controls the value of the lakom flag --use-only-image-pull-secrets. by @vpnachev [#49]

🏃 Others

  • [OPERATOR] The base distroless OCI image is updated to debian 12. by @vpnachev [#46]
  • [OPERATOR] Lakom application and lakom extension controller are now built with Go version 1.21.4. by @vpnachev [#50]

Docker Images

  • gardener-extension-shoot-lakom-service: eu.gcr.io/gardener-project/gardener/extensions/shoot-lakom-service:v0.11.0
  • lakom: eu.gcr.io/gardener-project/gardener/extensions/lakom:v0.11.0

v0.10.0

11 Oct 11:30

⚠️ Breaking Changes

  • [OPERATOR] The shoot-lakom-service extension no longer supports Shoots with Kubernetes version < 1.24. by @shafeeqes [#34]

🏃 Others

  • [OPERATOR] The following dependencies have been updated:
    • github.com/gardener/gardener: v1.74.0 -> v1.80.0
    • k8s.io/*: v0.26.3 -> v0.28.2
    • sigs.k8s.io/controller-runtime: v0.14.6 -> v0.16.2 by @shafeeqes [#38]
  • [OPERATOR] The lakom extension binaries are now built with golang 1.21.3. by @vpnachev [#41]
  • [OPERATOR] The lakom binaries are now built with golang 1.21.1. by @vpnachev [#40]

v0.9.0

18 Aug 09:36

🐛 Bug Fixes

  • [OPERATOR] A bug that was caching image signature verification status as unsigned due to wrongly returned NoMatchingSignature by the SDK is now mitigated. by @vpnachev [#28]

🏃 Others

  • [OPERATOR] Lakom binaries are now built with golang 1.21.0. by @vpnachev [#32]