Security
Changed
- Updated
trivy to upstream version v0.71.2.
Added
- Add optional policies for restricting debug access using ephemeral containers.
- Add
io.giantswarm.application.audience and io.giantswarm.application.managed chart annotations for Backstage visibility. - Push to the
default catalog.
Changed
- Migrate chart annotations to OCI-compatible format (change
application.giantswarm.io/team to io.giantswarm.application.team, convert restrictions to annotations). - Updated
kyverno-policies to upstream version v1.17.2.
Changed
- Improved proxy settings by adding a proxy ConfigMap and setting upstream
envFrom values for controller, webhook and cainjector.
Changed
- Breaking: Helm values to be passed to the upstream
cert-manager chart will now need to use the cert-manager path instead of root. For example, the value crds.enabled: true must now be set with cert-manager.crds.enabled: true. - Moved vendored chart to
helm/cert-manager/charts/ and adapted sync scripts to follow new structure.
Added
- Add
vulnerability_published_date, vulnerability_target, and vulnerability_class metric labels for Trivy VulnerabilityReports. - Disable controllers for unsupported resource types to avoid errors in environments where these CRDs are not present.
Changed
- Configure RBAC for only enabled controllers in Helm Chart.
- Disable
WatchList semantics for kubescape VulnerabilityManifest. - Switch to EndpointSlices for peer discovery used by sharding.
- Truncate the chart’s
AppVersion when it is used in Kubernetes labels.
Fixed
- Sanitize the
helm.sh/chart label so truncated versions cannot end with an invalid character (e.g. a trailing .).
Changed
- Updating to the
v2.5.0 version.
Changed
- Bumped DaemonSet
updateStrategy.rollingUpdate.maxUnavailable to 10% so chart upgrades on larger management clusters can finish within the Flux HelmRelease timeout.
Changed
- Values: Tolerate
node.cloudprovider.kubernetes.io/uninitialized. - Values: Ignore taints regardless of value.
- Values: Pass HTTP proxy settings to sub-chart.
Changed
- Updated
trivy to upstream version v0.70.0.
Changed
- Updated
falco to upstream version v0.44.0. - Updated
k8s-metacollector to upstream version v0.1.2.