Releases: tmobile/magtape
v2.4.0
Overview
This release is primarily focused on adding support for newer Kubernetes versions (v1.19+), but does introduce breaking changes for prior Kubernetes versions.
MagTape v2.3.3 should be used for Kubernetes versions below v1.19.0
MagTape v2.4.0 uses a newer release of the Kubernetes Python Client library which removed some previously deprecated APIs and changed the way the CertificateSigningRequest resource is handled for the webhook Cert Bundle.
NOTE: The linux/ppc64le architecture was dropped for this release due to an issue with the underlying Python cryptography package. We will try and track this down to resolve in a future release.
Enhancements
- Bump Kubernetes Python Client to v23.3.0 to support new K8s versions (#120)
- Bump OPA version to v0.37.2, and move to using the "static" image for arm64 support (#109)
- Bump kube-mgmt to v4.1.1
- Bump KinD node images/matrix to test against k8s v1.19, v1.20, v1.21, and v1.22 for CI
- Bump KinD Github Action to v0.12.0 for CI
- Bump "black" Python linter to v22.3.0 for CI/local tooling
- Bump kubectl to v1.22.5 for CI
- Set "black" Python linter line length to 120 characters
- Move to admission.k8s.io/v1 for AdmissionReview
- Move to events.k8s.io/v1 for Events
- Move to admissionregistration.k8s.io/v1 for VWC
- Add sign verb for MagTape cluster RBAC
- Move to support v4.x of yq utility syntax for Makefile/CI
Other Changes
- Bump urllib3 from 1.26.4 to 1.26.5 in /app/magtape-init by @dependabot in #110
- Bump urllib3 from 1.26.4 to 1.26.5 in /app/magtape by @dependabot in #111
- policies.md by @kamleshjoshi8102 in #104
- fix: issue 113 GHA workflows using KinD are failing by @ilrudie in #114
- update byoc doc by @xytian315 in #116
- Updated CONTRIBUTING.md by @pramod74 in #119
- Support K8s v1.21+ by @phenixblue in #122
New Contributors
- @kamleshjoshi8102 made their first contribution in #104
- @xytian315 made their first contribution in #116
- @pramod74 made their first contribution in #119
Full Changelog: v2.3.3...v2.4.0
v2.3.3
Overview
This release contains a bug fix and some CI enhancements
Enhancements
- Add multi-arch image builds for release workflow, amd64, arm64, and ppc64le to start (#107 authored by @phenixblue)
- Fix typos in Makefile (#105 authored by @Freakin)
- Bump urllib3 to 1.26.4 (#101 authored by dependabot)
Bumps urllib3 from 1.26.3 to 1.26.4 in /app/magtape-init
v2.3.2
Overview
This release includes a security fix
Security Fix
This contains a fix for a speed issue with the urlize filter. urlize is likely to be called on untrusted user input. For certain inputs some of the regular expressions used to parse the text could take a very long time due to backtracking. As part of the fix, the email matching became slightly stricter. The various speedups apply to urlize in general, not just the specific input cases.
PyPI: https://pypi.org/project/Jinja2/2.11.3/
Changes: https://jinja.palletsprojects.com/en/2.11.x/changelog/#version-2-11-3
v2.3.1
Overview
This release includes a fix for CVE-2020-36242 in the Python Cryptography package.
Fixes
Bump cryptography from 3.2 to 3.3.2 in /app/imageswap-init (Dependabot)
Bumps cryptography from 3.2 to 3.3.2.
v2.3.0
Overview
This release has a breaking change, changes to RBAC, some new features, CI enhancements, changes to test mocking, and some updates to documentation.
Breaking Changes
- The MAGTAPE_SLACK_ANNOTATION environment variable has been removed and is no longer used for enabling user-defined Slack alerts.
User-defined Slack alerts
For better security the user-defined Slack Incoming Webhook URL is now defined via creation of a magtape-slack secret that includes the webhook-url key and a value set to the Slack Incoming Webhook URL (typical base64 encoding applies). The README has an example of how you can create a properly formatted secret.
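The following is an added example (not MagTape's own code) of resolving the webhook URL from the magtape-slack Secret described above, including the "custom webhook even if the default is unset" case from this release's enhancements. It assumes the Secret's `data` dict as the Kubernetes Python client returns it (base64-encoded values) and, as an assumption, accepts only URLs under the Slack Incoming Webhook prefix.

```python
"""Resolve the Slack Incoming Webhook URL from a magtape-slack Secret.

Added example, not MagTape's own code. ``secret_data`` is Secret.data as the
Kubernetes Python client returns it (values base64-encoded), or None when the
Secret does not exist.
"""
import base64
import binascii

SECRET_KEY = "webhook-url"  # key named in the release notes
# Assumption: only genuine Slack Incoming Webhook URLs are accepted.
SLACK_WEBHOOK_PREFIX = "https://hooks.slack.com/services/"


def encode_for_secret(url):
    """Encode a URL the way it must appear in Secret.data (base64 text)."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


def decode_webhook(secret_data):
    """Return the decoded URL from Secret.data, or None if absent or malformed."""
    if not secret_data or SECRET_KEY not in secret_data:
        return None
    try:
        raw = base64.b64decode(secret_data[SECRET_KEY], validate=True)
    except (binascii.Error, ValueError):
        return None
    # `echo url | base64` leaves a trailing newline inside the value; strip it
    # so the later webhook call does not fail on a malformed URL.
    url = raw.decode("utf-8", errors="replace").strip()
    return url or None


def resolve_webhook(secret_data, default_url=None):
    """Prefer the user-defined webhook; fall back to the default only when unset.

    A custom value that is not a Slack Incoming Webhook URL is ignored rather
    than used, so alert traffic cannot be redirected to an arbitrary host.
    """
    custom = decode_webhook(secret_data)
    if custom and custom.startswith(SLACK_WEBHOOK_PREFIX):
        return custom
    return default_url or None
```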
Enhancements
- Enable shellcheck linting for bash (#57 authored by @ilrudie)
- Cleanup Rego testing/mocking (#60)
- Update docker/build-push-action to v2 (#62 authored by @ilrudie)
- Update functional testing documentation (#65 authored by @ilrudie)
- Enable server-side warnings on policy failures (#66)
- Bump cryptography Python package from 2.9.2 to 3.2 (#68 authored by dependabot)
- Add logic to handle in-cluster and out-of-cluster kubernetes client configs for API calls (#77)
- Add RBAC rules to read secrets for user defined Slack Incoming Webhook URL's (#77)
- Add logic to handle custom Slack Webhook even if Default is unset (#77)
- Bump the engineerd/setup-kind Action to v0.5.0 to support the deprecations noted here (#77)
- Change add-path commands in rego-checks CI jobs (#77)
- Add ci-bootstrap Make target to pin versions for specific utilities (i.e. kubectl) for more consistent CI (#77)
- Enable descriptive names for functional tests (#86)
- OPA version bumped to 0.25.2 (#88)
Server-side warnings on policy failures
Server-side warnings were added in Kubernetes v1.19. This enhancement allows for messages to be surfaced to the end-users via kubectl and client-go. This gives MagTape yet another mechanism to display feedback on policy failures to the end-user. This change is transparent for Kubernetes releases prior to v1.19.
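An added example (not MagTape's own code) of the admission.k8s.io/v1 AdmissionReview response this feature relies on, covering both the move to admission.k8s.io/v1 and the server-side warnings described above. It assumes policy evaluation produces (check_id, message) pairs; the check IDs in the sample are the ones listed in this page's v2.1.5 notes.

```python
"""Build an admission.k8s.io/v1 AdmissionReview response with server-side warnings.

Added example, not MagTape's own code. It assumes policy evaluation yields
(check_id, message) pairs; the check IDs used below come from the release notes.
"""
import json

# The API server may truncate an individual warning longer than this, so the
# message is clipped here instead of being cut off by Kubernetes.
MAX_WARNING_LEN = 256


def build_admission_response(review, failures, deny=False):
    """Return the AdmissionReview to send back for an incoming ``review``.

    failures: list of (check_id, message) pairs for policies that did not pass.
    deny=False surfaces them only as warnings and admits the request;
    deny=True rejects the request with a 403 status that lists every failure.
    """
    warnings = [f"[{check_id}] {message}"[:MAX_WARNING_LEN] for check_id, message in failures]
    rejected = deny and bool(failures)
    response = {
        # v1 requires the response uid to echo the request uid.
        "uid": review["request"]["uid"],
        "allowed": not rejected,
        "warnings": warnings,
    }
    if rejected:
        response["status"] = {"code": 403, "message": "; ".join(warnings)}
    # Unlike v1beta1, v1 also requires apiVersion and kind on the response.
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample request (only the fields this example reads).
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {"uid": "7c4b6a6e-0000-4000-8000-000000000001", "kind": {"kind": "Pod"}},
}

if __name__ == "__main__":
    result = build_admission_response(
        SAMPLE_REVIEW, [("MT1008", "Host Port is not allowed"), ("MT1009", "emptyDir Volume in use")]
    )
    print(json.dumps(result, indent=2))
```

With kubectl against a v1.19+ cluster, the strings in `response.warnings` are printed to the user as "Warning:" lines even though the object is admitted.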
Version 2 for docker/build-push-action
Adopting version 2 of this action allows us to start consuming Docker buildx. This is transparent at the moment, but should allow us to more easily build images for e2e checks and releases across multiple architectures (amd64, ARM, ppc64le, etc.).
RBAC rule changes
Due to the change in how user-defined Slack Incoming Webhooks are applied, there's a need for the magtape-sa service account to read Secrets across all namespaces. This includes get, list, and watch actions.
v2.2.1
Overview
This release includes a security fix and some small supporting changes.
Security Fix
- Bump cryptography from 2.9.2 to 3.2 in /app/magtape-init (ref #68)
  * **SECURITY ISSUE:** Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability and a future release will contain a new API which is designed to be resilient to these for contexts where it is required. Credit to **Hubert Kario** for reporting the issue. *CVE-2020-25659*
  * Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL will need to upgrade.
  * Added basic support for PKCS7 signing (including SMIME) via :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.
Enhancements
- Backported some CI changes related to Image Builds (ref #62)
v2.2.0
Overview
This release focuses on some security, scalability, and CI enhancements.
Enhancements
- Add securityContext and non-root user for pod/containers (#47)
- Hardcode Gunicorn workers/threads to fix #48 (#49)
- Add HPA resource for horizontal scaling (#50)
- Add new framework for executing setup/teardown code between functional tests (#45) authored by @ilrudie
- Bump OPA to v0.23.2
Misc Notes
- Changes OPA container listening port from 443 to 8443 since a non-root user can't bind to ports below 1000. The OPA container isn't exposed outside of localhost, so this shouldn't present any issues.
v2.1.5
Overview
This release adds new policies and enhances several CI workflow components.
New Policies
Authored by @jsteichen12
- Singleton Pods (Check ID: MT1007)
- Host Port (Check ID: MT1008)
- emptyDir Volume (Check ID: MT1009)
- Host Path (Check ID: MT1010)
- Node Port Range (Check ID: MT2002)
New CI Features
- Kubernetes Matrix for end-to-end testing. All commits/PRs are now tested against Kubernetes 1.16, 1.17, 1.18, and 1.19
- Rego linting and unit tests
- Code quality analysis and static code scanning for Security/Best Practices
Misc Enhancements
- Enhancements for Advanced install workflow with Kustomize
v2.1.4
v2.1.3
Overview
This release migrates to using the Gunicorn WSGI HTTP Server instead of the default Flask server. This change reduces average latency by about 75% in our normal benchmarking tests. It also means the standard 3-replica deployment can handle almost 3 times the request rate it could before.