Highlights for the week ending May 5, 2023
Apps
- falco-app version v0.5.2 adds a new Kyverno
PolicyException
allowing falco to run in clusters enforcingrestricted
Pod Security Standards, and replaces a deprecated toleration label. - kyverno-app version v0.14.4 introduces a new policy limiting the namespaces where Kyverno
PolicyExceptions
may be created. By default, customer exceptions may be created only in thepolicy-exceptions
namespace. - security-bundle version 0.14.1 (and 0.14.0) includes new the versions of Falco, Kyverno, and Trivy Operator mentioned in this announcement. To make App configuration and diffs easier to work with in GitOps workflows, it also changes the way config values are passed to the bundled Apps: rather than passing a single multi-line string containing each App’s configuration, all keys under the App’s top-level key will be copied into the App’s values. This is a breaking configuration change. Users must change all places where they override default values of a security-bundle App. This is typically a one character change, an example of which is available in our PR changing our sample.
- trivy-operator-app version 0.4.0 updates to upstream Trivy Operator v0.13.2 and introduces Cilium NetworkPolicies to support scanning in Clilium-based clusters.
Documentation
- There is a new guide about achieving compliance with Pod Security Standards (PSS). Future releases will require all workloads to be compliant with these new standards, which differ slightly from the now-deprecated Pod Security Policies (PSP). Depending on your organization’s current security policy, this may require some migration effort, so we have provided this guide to encourage early planning and adoption.