Security

  • Changed

    • Updated trivy to upstream version v0.71.2.
  • Added

    • Add optional policies for restricting debug access using ephemeral containers.
    • Add io.giantswarm.application.audience and io.giantswarm.application.managed chart annotations for Backstage visibility.
    • Push to the default catalog.

    Changed

    • Migrate chart annotations to OCI-compatible format (change application.giantswarm.io/team to io.giantswarm.application.team, convert restrictions to annotations).
    • Updated kyverno-policies to upstream version v1.17.2.
  • Changed

    • Improved proxy settings by adding a proxy ConfigMap and setting upstream envFrom values for controller, webhook and cainjector.
  • Changed

    • Breaking: Helm values to be passed to the upstream cert-manager chart will now need to use the cert-manager path instead of root. For example, the value crds.enabled: true must now be set with cert-manager.crds.enabled: true.
    • Moved vendored chart to helm/cert-manager/charts/ and adapted sync scripts to follow new structure.
  • Added

    • Add vulnerability_published_date, vulnerability_target, and vulnerability_class metric labels for Trivy VulnerabilityReports.
    • Disable controllers for unsupported resource types to avoid errors in environments where these CRDs are not present.

    Changed

    • Configure RBAC for only enabled controllers in Helm Chart.
    • Disable WatchList semantics for kubescape VulnerabilityManifest.
    • Switch to EndpointSlices for peer discovery used by sharding.
    • Truncate the chart’s AppVersion when it is used in Kubernetes labels.

    Fixed

    • Sanitize the helm.sh/chart label so truncated versions cannot end with an invalid character (e.g. a trailing .).
  • Changed

    • Updating to the v2.5.0 version.
  • Changed

    • Bumped DaemonSet updateStrategy.rollingUpdate.maxUnavailable to 10% so chart upgrades on larger management clusters can finish within the Flux HelmRelease timeout.
  • Changed

    • Values: Tolerate node.cloudprovider.kubernetes.io/uninitialized.
    • Values: Ignore taints regardless of value.
    • Values: Pass HTTP proxy settings to sub-chart.
  • Changed

    • Updated trivy to upstream version v0.70.0.
  • Changed

    • Updated falco to upstream version v0.44.0.
    • Updated k8s-metacollector to upstream version v0.1.2.