1. Docs
  2. Changes and releases
  3. Security

Security

  • Security dex-app v1.34.3

    Added

    • Add utility function to determine whether the app is installed on a workload cluster

    Removed

    • Remove unused dex-k8s-authenticator-giantswarm resources
    • Stop pushing to openstack-app-collection.
  • Security external-secrets v0.6.1

    Added

    • Added NetworkPolicy by default when Cilium is not available

    Changed

    • Install PushSecret CRD by default to follow upstream
  • Security kyverno-app v0.14.7

    Added

    • Add resourceFilter for excluding Giant Swarm’s chart-operator from custom policies.
  • Security external-secrets v0.6.0

    Added

    • Added node-role.kubernetes.io/control-plane to crd install jobs toleration

    Changed

    • Updated templates to consistently use {{ include "external-secrets.name" . }} instead of {{ include "external-secrets.fullName" . }}
      • The conversion webhook on CRDs use {{ include "external-secrets.name" . }}
      • The ClusterRole previously called {{ include "external-secrets.fullName" . }}-servicebindings was renamed to {{ include "external-secrets.name" . }}-servicebindings
      • The external-secrets service account was renamed from using external-secrets.fullName to external-secrets.name by default

    Changed

    • Update external-secrets to v0.8.3
  • Security rbac-operator v0.33.5

    Fixed

    • Ensured that Automation SA in the default namespace is only updated in case there are actual changes
  • Security cert-manager-app v2.22.0

    Changed

    • Install giantswarm-selfsigned ClusterIssuer regardless of global.giantSwarmClusterIssuer.install value. It is required as a default component for Giant Swarm cluster installations.
  • Security kyverno-app v0.14.6

    Added

    • Add ClusterPolicy restrict-policy-kind-wildcards to prevent running (Cluster)Policies which match all API Kinds.
    • Add PolicyException for Giant Swarm’s chart-operator.
  • Security kyverno-policies v0.19.0

    Changed

    • Enable PSS Restricted policies by default.

    Removed

    • Stop pushing to openstack-app-collection.
  • Security kyverno-app v0.14.5

    Added

    • Add a webhooks cleanup job for ensuring deletion of Kyverno webhooks on chart uninstall.

    Changed

    • Replace deprecated toleration node-role.kubernetes.io/master with node-role.kubernetes.io/control-plane on CRD install job.
  • Security trivy-app v0.8.1

    Added

    • Add Cilium Network Policy to trivy.
    • Added Kyverno PolicyException for trivy-app.

    Changed

    • Modified the VerticalPodAutoscaler to make the Container Policies configurable.
    • Moved the VerticalPodAutoscaler.enabled flag to VerticalPodAutoscaler.trivy.enabled to align with other Apps.