v0.15.0, released by github-actions on 24 Jan 21:13
Version v0.15.0 released!
This release contains optional manifest changes and may cause injected resources to shift after upgrading the operator.
Improvements
- When AgentInjectors do not map to any known entities, the operator will now emit a log message, as this may be an undesired state.
- Improved documentation defined in the CRDs.
- Improved handling of failures during TLS webhook secret generation.
- Injected Init Containers now drop all non-essential capabilities/permissions.
- Injected Init Containers now define resource requests/limits.
- Injected Init Containers now can execute as Non-Root. This behavior can be forced by the new `CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true` flag. The operator will enable this feature flag by default in a future release. Note that this feature requires support from the injected agent images; the required versions are defined below.
- The operator's installation manifests no longer force a container UID, reducing installation friction in OpenShift.
- Within K8s clusters, the operator now officially supports executing and injecting pods that have the `Restricted` policy applied (if `CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true` is set). This feature requires K8s v1.25. Pod Security Policies, deprecated in K8s v1.21, are not supported.
- Within OpenShift clusters, the operator now officially supports executing and injecting pods that have the `restricted` SCC policy applied. Note that in some OpenShift versions where setting the seccomp policy is disallowed, the `CONTRAST_SUPPRESS_SECCOMP_PROFILE=true` flag must be set.
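To verify after upgrading that an injected init container actually carries the hardening listed above (non-root, all capabilities dropped, requests/limits set) and would clear the remaining container-level checks of the Kubernetes `restricted` Pod Security Standard, here is an added audit helper; it is example code, not the operator's own, and the pod spec, container names and resource values in it are constructed assumptions.

```python
# Constructed sample pod spec (illustrative names, not captured from a cluster):
# the first init container is shaped like one injected with the non-root flag on,
# the second like an older injection that still ran as root.
SAMPLE_POD = {"spec": {"initContainers": [
    {
        "name": "contrast-init",
        "securityContext": {
            "runAsNonRoot": True,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},
                      "limits": {"cpu": "200m", "memory": "128Mi"}},
    },
    {"name": "legacy-init", "securityContext": {"runAsUser": 0}},
]}}


def init_container_violations(container, seccomp_suppressed=False):
    """List why this init container falls short of the v0.15.0 hardening and
    of the container-level 'restricted' PSS checks; [] means compliant.
    seccomp_suppressed mirrors CONTRAST_SUPPRESS_SECCOMP_PROFILE=true, where
    the profile is left to the platform and is therefore not required here."""
    sc = container.get("securityContext", {})
    caps = sc.get("capabilities", {})
    problems = []
    if sc.get("runAsNonRoot") is not True:
        problems.append("runAsNonRoot is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation is not false")
    if "ALL" not in {c.upper() for c in caps.get("drop", [])}:
        problems.append("capabilities.drop does not include ALL")
    extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
    if extra:
        problems.append("disallowed capabilities added: " + ",".join(sorted(extra)))
    if (not seccomp_suppressed and
            sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost")):
        problems.append("seccompProfile.type is not RuntimeDefault or Localhost")
    res = container.get("resources", {})
    if not (res.get("requests") and res.get("limits")):
        problems.append("resources.requests and resources.limits are not both set")
    return problems


def audit_pod(pod, seccomp_suppressed=False):
    """Map each init container's name to its violations ([] everywhere means OK)."""
    return {c["name"]: init_container_violations(c, seccomp_suppressed)
            for c in pod["spec"].get("initContainers", [])}
```

Run it against `kubectl get pod <name> -o json` output to confirm the injected container is the hardened shape; pod-level `seccompProfile` is not considered, so a pod that sets it there will still be flagged unless `seccomp_suppressed` is passed.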
Bug Fixes
- Bug and security updates to our dependencies.
- During generation/updates of templated entities, the K8s API server could return an invalid result. If this occurred during the creation of a new entity, the operator could be left in an invalid state that prevented a retry from occurring. The only workaround was to restart the operator. This has been fixed.
- During pod deletions, the operator could return a new mutation patch that was empty. This would cause the API server to emit the error "webhook returned response.patchType but not response.patch". This has been fixed.
- When an explicit AgentConfiguration was specified in an AgentInjector, but did not exist in the same namespace, the operator wouldn't mark the AgentInjector as invalid. This state is now correctly handled and is logged.
Breaking Changes
- The operator will now consider an AgentConfiguration that is explicitly specified in an AgentInjector but does not exist as invalid (previously, the missing AgentConfiguration was ignored).
- If `CONTRAST_RUN_INIT_CONTAINER_AS_NON_ROOT=true` is specified, previous container images will no longer work. The minimum versions are specified in the table below:
Type | Minimum Version |
---|---|
dotnet-core | 2.4.4 |
java | 4.11.0 |
nodejs | 4.30.0 |
nodejs-protect | 5.2.0 |
php | 1.8.0 |
contrast/agent-operator:0.15.0
contrast/agent-operator@sha256:daa571d6c3c0c61369686fb9798bb69b91289573b2b02776b1b0f8b8f5316b58
quay.io/contrast/agent-operator:0.15.0
quay.io/contrast/agent-operator@sha256:daa571d6c3c0c61369686fb9798bb69b91289573b2b02776b1b0f8b8f5316b58