1. Docs
  2. Changes and releases
  3. Security

Security

  • Security starboard-exporter v1.0.2

    Fixed

    • Disable the kubescape scanner input by default.
  • Security athena v1.15.0

    Added

    • Add Gateway API support with HTTPRoute template (.Values.route).
    • Add support for SecurityPolicy resources for authentication via Envoy Gateway.

    Changed

    • Make Ingress resource conditional with .Values.ingress.enabled (defaults to true for backwards compatibility).
  • Security starboard-exporter v1.0.1

    Fixed

    • Downgrade k8s client libraries to v1.34 versions to fix a regression (#135895).
  • Security starboard-exporter v1.0.0

    Announcements

    • starboard-exporter now supports kubescape! In addition to Trivy VulnerabilityReports, starboard-exporter now also supports reconciliation of Kubescape VulnerabilityManifests. Metrics have been updated to include a scanner label, indicating the source type of the data. Trivy and Kubescape can be used simultaneously, or individually toggled on and off. See the README for more information.
    • There is a breaking change to one of the CLI flags in this version. The --vulnerability-scans-enabled flag has been renamed to --trivy-vulnerability-scans-enabled in order to facilitate the new Kubescape scanner support. Users installing via the Helm chart are not affected.

    Added

    • Support for Kubescape vulnerability scanning via VulnerabilityManifest CR.
    • Scanner label (scanner="trivy" or scanner="kubescape") to all vulnerability metrics to distinguish between scanning sources.
    • Command-line flag --kubescape-vulnerability-scans-enabled.
    • Helm values configuration for enabling/disabling individual scanners under exporter.vulnerabilityReports.scanners.
    • Added backwards compatibility for legacy vulnerabilityReports.enabled Helm value (now enables Trivy scanner)

    Changed

    • Renamed Trivy-specific functions and constants to include “Trivy” prefix to distinguish them from Kubescape components while maintaining shared metrics.
    • Command-line flag --vulnerability-scans-enabled to --trivy-vulnerability-scans-enabled (Breaking Change).
  • Security auth-bundle v0.3.0

    Changed

    • Update dependency dex to version v2.1.5.
    • Update dependency ingress-nginx-app to version v4.2.1.
  • Security dex-app v2.1.5

    Added

    • Add muster as a confidential static client for muster OAuth authentication (server-side OAuth proxy).
    • Auto-include muster in dex-k8s-authenticator trustedPeers for seamless token exchange.
  • Security dex-app v2.1.4

    Added

    • Auto-include mcpKubernetes in dex-k8s-authenticator trustedPeers for seamless token exchange.
  • Security dex-app v2.1.3

    Added

    • Add PodLogs for log collection.
    • Add Gateway API HTTPRoute support as an alternative to Ingress.

    Changed

    • Fix support for using a private CA in the ingresses
  • Security kyverno-app v0.22.0

    Changed

    • Update kyverno to upstream version v1.16.1.

    Notes

    This release includes an upstream update. Please refer to the following Release Notes from upstream for the latest changes:

  • Security teleport-kube-agent-app v0.10.7

    Added

    • Add ephemeral-storage requests and limits to satisfy Kyverno policy require-emptydir-requests-and-limits.

    Changed

    • Enable upstream-provided Prometheus PodMonitor to scrape metrics from Teleport Kube Agent pods.