1. Docs
  2. Changes and releases
  3. Security

Security

  • Security cert-manager-app v4.0.1

    Changed

    • Improved proxy settings by adding a proxy ConfigMap and setting upstream envFrom values for controller, webhook and cainjector.
  • Security cert-manager-app v4.0.0

    Changed

    • Breaking: Helm values to be passed to the upstream cert-manager chart will now need to use the cert-manager path instead of root. For example, the value crds.enabled: true must now be set with cert-manager.crds.enabled: true.
    • Moved vendored chart to helm/cert-manager/charts/ and adapted sync scripts to follow new structure.
  • Security starboard-exporter v1.1.0

    Added

    • Add vulnerability_published_date, vulnerability_target, and vulnerability_class metric labels for Trivy VulnerabilityReports.
    • Disable controllers for unsupported resource types to avoid errors in environments where these CRDs are not present.

    Changed

    • Configure RBAC for only enabled controllers in Helm Chart.
    • Disable WatchList semantics for kubescape VulnerabilityManifest.
    • Switch to EndpointSlices for peer discovery used by sharding.
    • Truncate the chart’s AppVersion when it is used in Kubernetes labels.

    Fixed

    • Sanitize the helm.sh/chart label so truncated versions cannot end with an invalid character (e.g. a trailing .).
  • Security external-secrets v2.5.0

    Changed

    • Updating to the v2.5.0 version.
  • Security falco-app v0.12.1

    Changed

    • Bumped DaemonSet updateStrategy.rollingUpdate.maxUnavailable to 10% so chart upgrades on larger management clusters can finish within the Flux HelmRelease timeout.
  • Security teleport-kube-agent-app v0.11.1

    Changed

    • Values: Tolerate node.cloudprovider.kubernetes.io/uninitialized.
    • Values: Ignore taints regardless of value.
    • Values: Pass HTTP proxy settings to sub-chart.
  • Security trivy-app v0.15.0

    Changed

    • Updated trivy to upstream version v0.70.0.
  • Security falco-app v0.12.0

    Changed

    • Updated falco to upstream version v0.44.0.
    • Updated k8s-metacollector to upstream version v0.1.2.
  • Security cloudnative-pg-app v0.1.0

    Added

    • Add io.giantswarm.application.audience and io.giantswarm.application.managed chart annotations for Backstage visibility.

    Changed

    • Update cloudnative-pg to v1.29.1 (upstream chart v0.28.2).
    • Limit the namespaces watched by the operator to those where we currently expect Giant Swarm postgresql clusters.
    • Migrate chart metadata annotations to OCI-compatible format.
  • Security rbac-bootstrap-app v0.3.0

    Added

    • Add io.giantswarm.application.managed chart annotation for Backstage visibility.
    • Add optional cluster-reader ClusterRole (off by default, enabled via clusterReader.enabled: true) that aggregates into the built-in view ClusterRole and grants read access (get/list/watch) on cluster-scoped resources.

    Changed

    • Migrate chart metadata annotations to OCI-compatible format.