Highlights

  • Highlights for the week ending May 20, 2022

    User interfaces

    Via the web UI, you can now inspect not only your own permissions for the Management API: as an admin, you can also inspect permissions for a specific group or user. If you use the web UI with single sign-on, please try it out! You’ll find the function in the user menu (top right) under Permissions.

    The kubectl gs get apps command output now provides a new column NOTES where you can find useful information in case a deployment of an app failed. Check the documentation for an example.

    kubectl gs login for creating a workload cluster certificate now supports arbitrary context names, in case you don’t want to follow our naming convention of starting them with gs-.

  • Highlights for the week ending May 13, 2022

    User interfaces

    Our web UI, as of v1.42.0, provides a great new feature to all customers with single sign-on (SSO). As a user you can now inspect which permissions you have in the Management API, with regard to certain use cases and individually for each organization.

    The kubectl-gs commands for creating cluster and node pool resources (kubectl gs template cluster and kubectl gs template nodepool) now produce v1beta1 resources (previously v1alpha2 on AWS and v1alpha3 on Azure).

    Documentation

    In case you wonder how to access the Management API from your pipeline, this is for you: we now have a dedicated page on how to authenticate with the Management API for programmatic access. The article provides step-by-step instructions and a shell script explaining how to create a kubectl config file that includes service account credentials.

    Apps

    nginx-ingress-controller-app version v2.12.0 drops support for cluster.profile and reduces default resource requests.

    external-dns-app version v2.11.0 adds support for DNSEndpoint custom resources.

    linkerd2-app version v0.7.0 updates to upstream version stable-2.11.2. Before upgrading to this release, please upgrade linkerd2-cni-app to v0.7.0.

    linkerd2-cni-app version v0.7.0 updates to upstream version stable-2.11.2. This release should be used together with linkerd2-app v0.7.0.

  • Highlights for the week ending May 06, 2022

    Apps

    • dex-app v1.25.0 contains an update to the upstream version v2.31.1, which includes security patches for dependencies. This version also includes support for OIDC group name prefixing for the LDAP connector, and provides more details in token refresh logs to facilitate debugging.
  • Highlights for the week ending April 29, 2022

    Apps

    • security-pack version v0.2.0 upgrades to Starboard (app) v0.7.1, Trivy (app) v0.3.0, and starboard-exporter v0.4.0, including new security scan types, new available metrics, and various performance and stability improvements.
    • starboard-app version v0.7.1 (including v0.7.0) updates to Starboard version 0.15.3, introducing support for ClusterComplianceReport generation including an in-cluster benchmark for the NSA + CISA Kubernetes Hardening Guide.
    • starboard-exporter version v0.4.1 (including v0.4.0) adds support for collecting ConfigAuditReport metrics, and introduces a configurable load-spreading feature to reduce the spikiness of the exporter’s resource consumption.
    • trivy-app version v0.3.0 updates to Trivy version 0.25.0.

    User interfaces

    The web UI now displays which cgroups version a node pool uses. This requires the web UI to be using the Management API.

  • Highlights for the week ending April 22, 2022

    General

    This week we have provided updates for nginx-ingress-controller-app, external-dns-app and fluent-logshipping-app. Additionally, kubectl-gs is now available for Windows.

    Apps

    • nginx-ingress-controller-app v2.11.0 upgrades the ingress-nginx controller container image to v1.2.0. Among other changes, this release introduces deep inspection on Ingress objects. This may increase CPU usage.
    • external-dns-app v2.10.0 updates the container image of external-dns to v0.11.0.
    • fluent-logshipping-app v0.7.1 and v0.7.0 update fluentbit to v1.9.1 and disable fluentbit if no inputs or outputs are defined. `log_stream_prefix` is deprecated for the cloudwatch_logs plugin and has therefore been moved to `log_stream_name`.

    User interfaces

    kubectl-gs is now available for Windows. If you already have kubectl and Krew installed, all it takes is kubectl krew install gs. For more information, please head to the installation docs.

    The web UI now allows you to retry creating a cluster or node pool, in case the form submission fails.

  • Highlights for the week ending April 15, 2022

    Apps

    User interfaces

    When installing apps into workload clusters via the web UI, it is now much easier to see which cluster you are installing to. The catalog also shows which apps are already installed in that cluster.

    Documentation

    We improved our kubectl-gs installation instructions so they are easier to follow, and we added info for ARM binaries for Linux and macOS.

  • Highlights for the week ending April 8, 2022

    Apps

    • dashboards versions v2.1.0 and v2.0.0 add all dashboards from g8s-grafana, the Grafana sidecar annotation to all config maps, and a dashboard for Ceph cluster usage in KVM. They also split the dashboards into specific config maps and make the mixin dashboard private.
    • efk-stack-app version v0.7.3 adds team annotations in Chart.yaml for alert routing and fixes the deprecated API for RBAC.
    • kyverno-app version v0.10.0 updates to Kyverno version 1.6.2 including performance and stability improvements.
    • kyverno-policies version v0.17.1 includes policies for enforcing Kubernetes Pod Security Standards (PSS). This is the first release of this app intended for use outside Giant Swarm’s own clusters.
    • nginx-ingress-controller-app versions v2.10.0 and v2.1.4 fix CVE-2022-0778 in OpenSSL and CVE-2022-23308 in libxml2.
    • security-pack version v0.1.0 enables Kyverno installation by default, updates to Falco app version 0.3.2, and includes the kyverno-policies app for PSS policy enforcement.

    Documentation

    The first iteration of our GitOps template repository gitops-template is available. It covers documented examples that show how we envision management of Giant Swarm resources (organizations, workload cluster templates and instances) with GitOps. This template is the pattern we recommend and support. This is still a work in progress: we will continue adding more use cases so major changes and revisions could happen.

  • Highlights for the week ending April 1, 2022

    User interfaces

    In our web UI we now explain how to upgrade a cluster via the Management API (spoiler: kubectl gs update cluster) if an upgrade is available. On Azure you’ll now also find information regarding the Azure Tenant in which the workload cluster is running.

    In Grafana you have a new dashboard Kubernetes Proxy, which you can use to drill down into the kube-proxy metrics of your workload clusters.

  • Highlights for the week ending March 25, 2022

    Apps

    • falco-app v0.3.2 changes the default driver from the kernel module to ebpf, supporting Linux kernel versions used in CAPI clusters.
    • security-pack v0.0.1 has been released to the playground catalog as a convenient way to install multiple security pack components at once.
    • starboard-app v0.6.0 updates to Starboard version 0.14.1 and uses the newer Trivy 0.24.0 backend.
    • trivy-app v0.2.0 updates to Trivy version 0.24.0.

    User interfaces

    The kubectl gs template catalog command provides a new flag --visibility to control whether the catalog should be visible in the web interface.

    Documentation

    For customers using clusters on AWS or Azure, we added more information on how to spread workloads over several availability zones for better availability/resilience. If you haven’t heard of topologySpreadConstraints before, check our example.

  • Highlights for the week ending March 11, 2022

    Apps

    kong-app v2.7.2 fixes an issue with permissions in the CRD installation.

    User interfaces

    The output of the kubectl gs get catalog <name> command has been extended with an app description column.

    Documentation

    Authentication for the Management API has been updated with an example of how to create a kubeconfig for programmatic access.