This is the initial public release of MagTape. Versions < 2.1.0 were internal only.
- Fixed a mistake with the URL used for installation in the Quickstart section of the Readme
This release contains several package updates geared towards fixing security-related issues with CVE-2017-18342.
The updated pyyaml package required updates to the Kubernetes Python client library, moving primary support to Kubernetes 1.15+. Backwards compatibility with Kubernetes 1.13 should exist, but isn't tested or guaranteed.
This release migrates to the Gunicorn WSGI HTTP server instead of the default Flask development server. This change reduces average latency by about 75% in our normal benchmarking tests. It also means the standard 3-replica deployment can handle almost 3 times the request rate it could before.
This release adds the `approve` verb to the RBAC config to account for newer changes to the Kubernetes certificates/CSR API as noted here. These changes were tested against K8s 1.14, 1.15, 1.16, 1.17, and 1.18.
This release adds new policies and enhances several CI workflow components.
- Singleton Pods (Check ID: MT1007)
- Host Port (Check ID: MT1008)
- emptyDir Volume (Check ID: MT1009)
- Host Path (Check ID: MT1010)
- Node Port Range (Check ID: MT2002)
- Kubernetes matrix for end-to-end testing. All commits/PRs are now tested against Kubernetes 1.16, 1.17, 1.18, and 1.19
- Rego linting and unit tests
- Code quality analysis and static code scanning for security/best practices
- Enhancements for Advanced install workflow with Kustomize
This release focuses on some security enhancements.
- Add securityContext and non-root user for pod/containers (#47)
- Hardcode Gunicorn workers/threads to fix #48 (#49)
- Add HPA resource for horizontal scaling (#50)
- Add new framework for executing setup/teardown code between functional tests (#45)
- Changes the OPA container listening port from `443` to `8443`, since a non-root user can't bind to ports below 1000. The OPA container isn't exposed outside of localhost, so this shouldn't present any issues.
This release has a breaking change, changes to RBAC, some new features, CI enhancements, changes to test mocking, and some updates to documentation.
- The `MAGTAPE_SLACK_ANNOTATION` environment variable has been removed and is no longer used for enabling user-defined Slack alerts.
user-defined Slack alerts
For better security, the user-defined Slack Incoming Webhook URL is now defined by creating a `magtape-slack` secret that includes a `webhook-url` key whose value is the Slack Incoming Webhook URL (the usual base64 encoding for Secret data applies).
The README has an example of how you can create a properly formatted secret.
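The following is an added example, not the README's own snippet: it builds the `magtape-slack` Secret manifest described above and reads the `webhook-url` key back from a Secret object as the Kubernetes API returns it (base64 under `data`), returning None when the key is absent so a caller can fall back to the default webhook or skip alerting. The `magtape` namespace and the https-only guard are this example's own assumptions.

```python
"""Added example (not MagTape's own code) for the magtape-slack Secret."""
import base64

SECRET_NAME = "magtape-slack"
WEBHOOK_KEY = "webhook-url"


def build_slack_secret(webhook_url, namespace="magtape"):
    """Return a Secret manifest equivalent to
    `kubectl create secret generic magtape-slack --from-literal=webhook-url=<url>`.
    The namespace is an assumption; use the one MagTape is deployed in."""
    encoded = base64.b64encode(webhook_url.encode("utf-8")).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": SECRET_NAME, "namespace": namespace},
        # Secret values are base64-encoded in the `data` map.
        "data": {WEBHOOK_KEY: encoded},
    }


def webhook_url_from_secret(secret):
    """Decode the webhook URL from a Secret dict; None if the key is missing.

    Returning None (instead of raising) lets the caller treat "no custom
    webhook configured" as a normal case rather than a failure."""
    raw = (secret.get("data") or {}).get(WEBHOOK_KEY)
    if raw is None:
        # stringData is only accepted on write, but tolerate it for manifests.
        return (secret.get("stringData") or {}).get(WEBHOOK_KEY)
    url = base64.b64decode(raw, validate=True).decode("utf-8").strip()
    if not url:
        return None
    # Example's own guard: never post alerts to a plaintext endpoint.
    if not url.startswith("https://"):
        raise ValueError("webhook-url must be an https:// URL")
    return url
```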
- Enable shellcheck linting for bash (#57 authored by @ilrudie)
- Cleanup Rego testing/mocking (#60)
- Update docker/build-push-action to v2 (#62 authored by @ilrudie)
- Update functional testing documentation (#65 authored by @ilrudie)
- Enable server-side warnings on policy failures (#66)
- Bump cryptography Python package from 2.9.2 to 3.2 (#68 authored by dependabot)
- Add logic to handle in-cluster and out-of-cluster kubernetes client configs for API calls (#77)
- Add RBAC rules to read secrets for user defined Slack Incoming Webhook URL's (#77)
- Add logic to handle custom Slack Webhook even if Default is unset (#77)
- Bump the engineerd/setup-kind Action to v05.0 to support the deprecations noted here (#77)
- Change add-path commands in rego-checks CI jobs (#77)
- Add ci-bootstrap Make target to pin versions for specific utilities (i.e. kubectl) for more consistent CI (#77)
- Enabled descriptive names for functional tests (#86)
- OPA version bumped to 0.25.2 (#88)
server-side warnings on policy failures
Server-side warnings were added in Kubernetes v1.19. This enhancement allows for messages to be surfaced to the end-users via kubectl and client-go. This gives MagTape yet another mechanism to display feedback on policy failures to the end-user. This change is transparent for Kubernetes releases prior to v1.19.
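As an added example (not MagTape's code), this builds the `admission.k8s.io/v1` AdmissionReview response for a validating webhook, attaching policy-failure messages as `warnings` next to the allow/deny decision; the sample request and check IDs are constructed. Older API servers ignore the `warnings` field, which is what makes the change transparent before v1.19.

```python
"""Added example: AdmissionReview response carrying server-side warnings."""

# Constructed sample: a trimmed AdmissionReview as the API server POSTs it
# to a validating webhook (uid and object are made up).
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "c0ffee00-0000-4000-8000-000000000001",
        "object": {"kind": "Pod", "metadata": {"name": "demo"}},
    },
}

# Kubernetes truncates individual warning messages longer than this.
MAX_WARNING_LEN = 256


def build_response(review, denials, warnings):
    """Return the AdmissionReview response for `review`.

    denials:  human-readable reasons that must block the request
              (empty list => allowed).
    warnings: messages to surface to the end user via kubectl/client-go;
              they are shown whether the request is allowed or denied.
    """
    request = review.get("request") or {}
    uid = request.get("uid")
    if not uid:
        raise ValueError("AdmissionReview.request.uid is required")
    response = {
        # The v1 schema requires the response to echo apiVersion and kind,
        # and `response.uid` must match the request uid.
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {"uid": uid, "allowed": not denials},
    }
    if denials:
        # `status.message` is what kubectl prints for a denied request.
        response["response"]["status"] = {
            "code": 403,
            "message": "; ".join(denials),
        }
    if warnings:
        response["response"]["warnings"] = [w[:MAX_WARNING_LEN] for w in warnings]
    return response
```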
Version 2 for docker/build-push-action
Adopting version 2 of this action allows us to start consuming Docker buildx. This is transparent at the moment, but should allow us to more easily build images for e2e checks and releases across multiple architectures (amd64, ARM, ppc64le, etc.).
RBAC rule changes
Due to the change in how user-defined Slack Incoming Webhooks are applied, the `magtape-sa` service account now needs to read Secrets across all namespaces. This includes the get, list, and watch actions.
This release includes a fix for CVE-2020-36242 in the Python cryptography package.
Bump cryptography from 3.2 to 3.3.2 in /app/imageswap-init (Dependabot)
Bumps jinja2 from 2.11.2 to 2.11.3 in /app/magtape (ref #99)
- PyPI: https://pypi.org/project/Jinja2/2.11.3/
- Changes: https://jinja.palletsprojects.com/en/2.11.x/changelog/#version-2-11-3
- Add multi-arch image builds for release workflow, amd64, arm64, and ppc64le to start (#107 authored by @phenixblue)
- Fix typos in Makefile (#105 authored by @Freakin)
- Bump urllib3 to 1.26.4 (#101 authored by dependabot)
Bumps urllib3 from 1.26.3 to 1.26.4 in /app/magtape-init
This release is primarily focused on adding support for newer Kubernetes versions (v1.19+), but it does introduce breaking changes for prior Kubernetes versions.
MagTape v2.3.3 should be used for Kubernetes versions below v1.19.0
MagTape v2.4.0 uses a newer release of the Kubernetes Python client library, which removed some previously deprecated APIs and changed the way the CertificateSigningRequest resource is handled for the webhook cert bundle.
- Bump Kubernetes Python Client to v23.3.0 to support new K8s versions (#120)
- Bump OPA version to v0.37.2, and move to using the "static" image for arm64 support (#109)
- Bump kube-mgmt to v4.1.1
- Bump KinD node images/matrix to test against k8s v1.19, v1.20, v1.21, and v1.22 for CI
- Bump KinD GitHub Action to v0.12.0 for CI
- Bump "black" Python linter to v22.3.0 for CI/local tooling
- Bump kubectl to v1.22.5 for CI
- Set "black" Python linter line length to 120 characters
- Move to `admission.k8s.io/v1` for AdmissionReview
- Move to `events.k8s.io/v1` for Events
- Move to `admissionregistration.k8s.io/v1` for VWC
- Add `sign` verb for MagTape cluster RBAC
- Move to support v4.x of `yq` utility syntax for Makefile/CI