Highlights for the week ending May 5, 2023

Apps

  • falco-app version v0.5.2 adds a new Kyverno PolicyException allowing falco to run in clusters enforcing restricted Pod Security Standards, and replaces a deprecated toleration label.
  • kyverno-app version v0.14.4 introduces a new policy limiting the namespaces where Kyverno PolicyExceptions may be created. By default, customer exceptions may be created only in the policy-exceptions namespace.
  • security-bundle version 0.14.1 (and 0.14.0) includes new the versions of Falco, Kyverno, and Trivy Operator mentioned in this announcement. To make App configuration and diffs easier to work with in GitOps workflows, it also changes the way config values are passed to the bundled Apps: rather than passing a single multi-line string containing each App’s configuration, all keys under the App’s top-level key will be copied into the App’s values. This is a breaking configuration change. Users must change all places where they override default values of a security-bundle App. This is typically a one character change, an example of which is available in our PR changing our sample.
  • trivy-operator-app version 0.4.0 updates to upstream Trivy Operator v0.13.2 and introduces Cilium NetworkPolicies to support scanning in Clilium-based clusters.

Documentation

  • There is a new guide about achieving compliance with Pod Security Standards (PSS). Future releases will require all workloads to be compliant with these new standards, which differ slightly from the now-deprecated Pod Security Policies (PSP). Depending on your organization’s current security policy, this may require some migration effort, so we have provided this guide to encourage early planning and adoption.

This part of our documentation refers to our vintage product. The content may be not valid anymore for our current product. Please check our new documentation hub for the latest state of our docs.