Security
Added
- Prevent rbac-controller fluxauth and externalresources resources from reconciling cluster namespaces
- Dynamically bind read-in-cluster-ns clusterRole if read-all clusterRole is bound in an org-namespace
- Dynamically bind write-in-cluster-ns clusterRole if cluster-admin clusterRole is bound in an org-namespace
Changed
- Renamed role read-cluster-apps-in-cluster-ns to read-in-cluster-ns
- Renamed role write-cluster-apps-in-cluster-ns to write-in-cluster-ns
- Renamed role binding read-cluster-app to read-in-cluster-ns
- Renamed role binding write-cluster-apps to write-in-cluster-ns
Changed
- Policies no longer the cluster-apps-operator.giantswarm.io/version label since cluster-apps-operator doesn't use it.
Changed
- Update to upstream falco 1.17.2/0.31.0.
- Update to upstream falco-exporter 0.8.0/0.7.0.
Changed
- Add default audit log config file to KubeadmControlPlane.
Changed
- Push to giantswarm app catalog.
Changed
- Push to giantswarm app catalog.
Added
- Added some chart metadata
Added
- Added securityContext attribute to all deployments.
- Add application.giantswarm.io/values-schema and application.giantswarm.io/readme annotations to Chart.yaml; use app-build-suite to generate application.giantswarm.io/metadata.
Changed
- Run two replicas of dex.
- Update README for clarity.
- Update some role descriptions.
- Enhance log messages in the bootstrapping part, remove unneeded messages.
Added
- Add externalresources resource that binds read-default-catalogs and read-releases roles for any subject with org-namespace access.
- Add creation of read-default-catalogs Role.
- Add creation of read-releases ClusterRole.
- Improve logging for the orgpermissions, clusternamespace, and rbac controllers.